From 49c8a23224d88e6d6d3be39c5024f4a7ba105108 Mon Sep 17 00:00:00 2001 From: darrenr Date: Thu, 25 Apr 2002 03:34:26 +0000 Subject: Import IPFilter 3.4.26 --- contrib/ipfilter/BSD/Makefile | 20 ++-- contrib/ipfilter/BSD/kupgrade | 9 ++ contrib/ipfilter/FreeBSD-4.0/kinstall | 4 +- contrib/ipfilter/HISTORY | 53 +++++++++ contrib/ipfilter/fil.c | 9 +- contrib/ipfilter/fils.c | 16 +-- contrib/ipfilter/ip_auth.c | 8 +- contrib/ipfilter/ip_compat.h | 82 ++++++------- contrib/ipfilter/ip_fil.c | 11 +- contrib/ipfilter/ip_fil.h | 27 +++-- contrib/ipfilter/ip_frag.c | 4 +- contrib/ipfilter/ip_h323_pxy.c | 40 +++++-- contrib/ipfilter/ip_log.c | 3 +- contrib/ipfilter/ip_nat.c | 122 ++++++++++++++----- contrib/ipfilter/ip_nat.h | 4 +- contrib/ipfilter/ip_sfil.c | 22 +++- contrib/ipfilter/ip_state.c | 218 ++++++++++++++++++++++++---------- contrib/ipfilter/ip_state.h | 27 +++-- contrib/ipfilter/ipf.c | 4 +- contrib/ipfilter/ipfs.c | 4 +- contrib/ipfilter/ipl.h | 4 +- contrib/ipfilter/ipmon.c | 2 +- contrib/ipfilter/ipsend/ipsend.c | 3 +- contrib/ipfilter/ipt.c | 8 +- contrib/ipfilter/kmem.c | 28 ++--- contrib/ipfilter/l4check/l4check.c | 5 +- contrib/ipfilter/man/ipmon.8 | 3 +- contrib/ipfilter/man/ipnat.5 | 9 +- contrib/ipfilter/mlf_ipl.c | 18 +-- contrib/ipfilter/mls_ipl.c | 3 +- contrib/ipfilter/natparse.c | 45 ++++--- contrib/ipfilter/printnat.c | 30 +++-- contrib/ipfilter/printstate.c | 13 +- contrib/ipfilter/solaris.c | 6 +- contrib/ipfilter/test/Makefile | 27 ++++- contrib/ipfilter/test/expected/f11 | 47 ++++++++ contrib/ipfilter/test/expected/l1 | 72 +++++------ contrib/ipfilter/test/expected/l1.b | 72 +++++------ contrib/ipfilter/test/input/f11 | 5 + contrib/ipfilter/test/logtest | 8 +- contrib/ipfilter/test/regress/f11 | 1 + 41 files changed, 734 insertions(+), 362 deletions(-) diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 8d2b28d..afa9e52 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile 
@@ -7,6 +7,8 @@ # BINDEST=/usr/sbin SBINDEST=/sbin +SEARCHDIRS=$(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin \ + /usr/local/bin /usr/local/sbin MANDIR=/usr/share/man CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O CFLAGS=-g -I$(TOP) @@ -49,6 +51,14 @@ IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM) + /bin/rm -f $(TOP)/ipf + ln -s `pwd`/ipf $(TOP) + /bin/rm -f $(TOP)/ipftest + ln -s `pwd`/ipftest $(TOP) + /bin/rm -f $(TOP)/ipmon + ln -s `pwd`/ipmon $(TOP) + /bin/rm -f $(TOP)/ipnat + ln -s `pwd`/ipnat $(TOP) ipfstat: $(FILS) $(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ @@ -56,13 +66,9 @@ ipfstat: $(FILS) ipf: $(IPF) $(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm @@ -220,8 +226,6 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h ipmon: $(TOP)/ipmon.c $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ @@ -250,8 +254,8 @@ install: ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \ def="`expr $$i : '[^:]*:\(.*\)'`"; \ p="`expr $$i : '\([^:]*\):.*'`"; \ - for d in $(BINDEST) $(SBINDEST); do \ - if [ -f $$d/$$i ] ; then \ + for d in $(SEARCHDIRS); do \ + if [ -f $$d/$$p ] ; then \ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \ dd=$$d; \ diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade index 092f3ab..4d8573d 100644 --- a/contrib/ipfilter/BSD/kupgrade +++ b/contrib/ipfilter/BSD/kupgrade 
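Review bot: With the corrected `if [ -f $$d/$$p ]` test the install loop overwrites the first existing copy it finds anywhere in `$(SEARCHDIRS)`, and since that list now also contains `/usr/local/bin` and `/usr/local/sbin`, a stale copy there wins over `$(SBINDEST)`/`$(BINDEST)` without any message other than the echoed install line; state that intent above the loop, e.g. `# replace an already-installed copy wherever it lives, else install to the default dir`. The `build all:` recipe now creates the `$(TOP)/…` symlinks as a side effect of a target that produces no file of its own, and each `/bin/rm -f $(TOP)/…` / `ln -s \`pwd\`/… $(TOP)` pair runs without checking that `$(TOP)` is set, so an empty value turns `ln` into its single-operand form; a leading `test -n "$(TOP)"` guard is cheap. The install recipe continues beyond the hunk.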
@@ -8,6 +8,15 @@ set -e argv0=`basename $0` dir=`pwd` karch=`uname -m` +os=`uname -s` +if [ $os = FreeBSD ] ; then + rev=`uname -r` + rev=`expr $rev : '\([0-9]*\)\..*'` + if [ $rev = 2 ] ; then + echo "Copying /usr/include/osreldate.h to /sys/sys" + cp /usr/include/osreldate.h /sys/sys + fi +fi archdir="/sys/arch/$karch" ipfdir=/sys/netinet if [ -d /sys/contrib/ipfilter ] ; then diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall index 9e34e33..2598c6c 100755 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall +++ b/contrib/ipfilter/FreeBSD-4.0/kinstall @@ -28,11 +28,13 @@ echo "" echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" ln -s /usr/include/osreldate.h /sys/sys/osreldate.h -patchfile=FreeBSd-4.0/ipv6-patch-$krev +set patchfile=FreeBSd-4.0/ipv6-patch-$krev if ( -f $patchfile ) then echo "" echo "Patching ip6_input.c and ip6_output.c" cat $patchfile | (cd /sys/netinet6; patch) +else + echo "IPv6 patching not required for your OS version" endif set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 80632b4..ec317dc 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
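Review bot: The new FreeBSD block compares unquoted expansions, `[ $os = FreeBSD ]` and `[ $rev = 2 ]`, and under `set -e` an `expr` whose match is empty exits non-zero and aborts the script before the second test, while an empty `$rev` would make that test a syntax error. Quote them, `if [ "$os" = FreeBSD ] ; then` and `if [ "$rev" = 2 ] ; then`, and guard the copy with `[ -f /usr/include/osreldate.h ]` so a missing header fails with a clear message rather than a bare `cp` error.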
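Review bot: `set patchfile=FreeBSd-4.0/ipv6-patch-$krev` keeps the mis-cased directory name (`FreeBSd`, lower-case d) from the line it replaces, while the directory in this tree is `FreeBSD-4.0`; on a case-sensitive filesystem `-f $patchfile` is therefore always false and the new `else` branch reports "IPv6 patching not required" even on versions that need the patch. Change it to `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. The path is also relative, so the test only works when the script runs from the ipfilter top directory; the cwd setup is outside the hunk, so this is hedged.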
@@ -22,6 +22,59 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.26 25/04/2002 - Released + +fix parsing and printing of NAT rules with regression tests. + +add code to adjust TCP checksums inside ICMP errors where present and as +required for NAT. + +fix documentation problems in instal documents + +fix locking problem with auth code on Solaris + +fix use of version macros for FreeBSD and make the use of __FreeBSD_version +override previous hacks except when not present + +fix the macros defined for SIOCAUTHR and SIOCAUTHW + +fix the H.323 proxy so it no longer panics (multiple issues: re-entry into +nat_ioctl with lock held on Solaris, trying to copy data from kernel space +with copyin, unaligned access to get 32bit & 16bit numbers) + +use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets +generated by IPFilter + +fix comparing state information to delete state table entries + +flag packets as being "bad state" if they're outside the window and prevent +them from being able to cause new state to be created - except for SYN packets + +be stricter about what packets match a TCP state table entry if its creation +was triggered by a SYN packet. + +add patches to handle TCP window scaling + +don't update TCP state table entries if the packet is not considered to be +part of the connection + +ipfs wasn't allowing -i command line option in getopt + +IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2 + regardless of user compile, fix the getkflags script to prune down the + output more so it is acceptable + +change building in Makefiles to create links to the application in $(TOP) +at the end of "build" rather than when each is created. + +update BSD/kupgrade for FreeBSD + +l4check wasn't properly closing things when a connection fails + +man page updates for ipmon(8) and ipnat(5) + +more regression tests added. + 3.4.25 13/03/2002 - Released retain rule # in state information 
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 06623c3..3ce8131 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $"; #endif #ifndef _KERNEL @@ -211,9 +211,7 @@ fr_info_t *fin; fin->fin_data[1] = 0; fin->fin_rule = -1; fin->fin_group = -1; -#ifdef _KERNEL fin->fin_icode = ipl_unreach; -#endif v = fin->fin_v; fi->fi_v = v; fin->fin_hlen = hlen; @@ -263,6 +261,7 @@ fr_info_t *fin; fin->fin_off = off; fin->fin_plen = plen; fin->fin_dp = (char *)tcp; + fin->fin_misc = 0; off <<= 3; switch (p) @@ -295,7 +294,7 @@ fr_info_t *fin; } } - if (!(plen >= hlen + minicmpsz)) + if (!(plen >= minicmpsz)) fi->fi_fl |= FI_SHORT; break; @@ -1496,7 +1495,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $ + * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index b3bfae2..dcf74e5 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -94,7 +94,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; #endif extern char *optarg; 
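Review bot: The relaxed test `if (!(plen >= minicmpsz))` drops `hlen` from the short-ICMP check; `plen` is stored into `fin->fin_plen` a few lines earlier but assigned outside the hunk, and if it is the IP total length (header included) the new test lets an ICMP header truncated by up to `hlen` bytes through without `FI_SHORT`, which the later ICMP and NAT code relies on. If `plen` is meant to exclude the IP header at this point, say so on the line, `/* plen excludes the IP header here */`; otherwise the previous `hlen + minicmpsz` form looks like the correct one. `fin->fin_icode = ipl_unreach;` now also runs in the non-kernel (ipftest) build, which only links if `ipl_unreach` is defined there too.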
@@ -1200,15 +1200,15 @@ int topclosed; if (c == ERR) continue; - if (tolower(c) == 'l') { + if (isalpha(c) && isupper(c)) + c = tolower(c); + if (c == 'l') { redraw = 1; - } else if (tolower(c) == 'q') { - nocbreak(); - endwin(); - exit(0); - } else if (tolower(c) == 'r') { + } else if (c == 'q') { + break; /* exits while() loop */ + } else if (c == 'r') { reverse = !reverse; - } else if (tolower(c) == 's') { + } else if (c == 's') { sorting++; if (sorting > STSORT_MAX) sorting = 0; diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index e4ad347..2a73079 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.17 2002/03/06 09:44:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $"; #endif @@ -405,6 +405,7 @@ fr_authioctlloop: RWLOCK_EXIT(&ipf_auth); return 0; } + RWLOCK_EXIT(&ipf_auth); #ifdef _KERNEL # if SOLARIS mutex_enter(&ipf_authmx); @@ -417,7 +418,6 @@ fr_authioctlloop: error = SLEEP(&fr_authnext, "fr_authnext"); # endif #endif - RWLOCK_EXIT(&ipf_auth); if (!error) goto fr_authioctlloop; break; @@ -447,7 +447,7 @@ fr_authioctlloop: #ifdef _KERNEL if (m && au->fra_info.fin_out) { # if SOLARIS - error = fr_qout(fra->fra_q, m); + error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0; # else /* SOLARIS */ struct route ro; @@ -469,7 +469,7 @@ fr_authioctlloop: fr_authstats.fas_sendok++; } else if (m) { # if SOLARIS - error = fr_qin(fra->fra_q, m); + error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0; # else /* SOLARIS */ ifq = &ipintrq; if (IF_QFULL(ifq)) { diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 4eab541..d0dc859 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h 
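Review bot: `isalpha(c)` and `isupper(c)` are applied to the raw curses key value; `c` is compared against `ERR`, so it is the `int` from `getch()`, and `KEY_*` codes above 255 are outside the range the `<ctype.h>` functions accept, making the new test undefined for those keys just as the old `tolower(c)` was. `isalpha` is also redundant since `isupper` implies it; `if (c >= 0 && c <= 0xff && isupper(c)) c = tolower(c);` keeps the intent and is well-defined. `break; /* exits while() loop */` now depends on `nocbreak()`/`endwin()` being called after the loop, which is outside the hunk.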
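Review bot: Moving `RWLOCK_EXIT(&ipf_auth)` ahead of the `mutex_enter`/`SLEEP` removes a sleep with the rwlock held, but the two `== 0 ? EINVAL : 0` mappings make a zero return from `fr_qout()`/`fr_qin()` an error, which inverts the 0-is-success convention the neighbouring `ipintrq` branch uses and is not obvious at the call site. Add `/* fr_qout()/fr_qin() return non-zero on success */` at both lines, and confirm who frees `m` when the enqueue fails, since `fr_authstats.fas_sendok++` suggests the mblk is consumed on success; the rest of that error path is outside the hunk.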
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.39 2002/03/13 03:54:34 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.43 2002/04/23 16:08:50 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -103,7 +103,6 @@ struct ether_addr { # include #endif - /* * This is a workaround for troubles on FreeBSD and OpenBSD. */ @@ -197,10 +196,6 @@ typedef int minor_t; #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) -#if defined(__FreeBSD__) && (__FreeBSD__ >= 5) && defined(_KERNEL) -# include -#endif - #ifndef IP_OFFMASK #define IP_OFFMASK 0x1fff #endif @@ -215,6 +210,30 @@ typedef int minor_t; #endif /* BSD > 199306 */ +#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) +# include +# ifndef __FreeBSD_version +# include +# endif +# ifdef IPFILTER_LKM +# define ACTUALLY_LKM_NOT_KERNEL +# endif +# if defined(__FreeBSD_version) && (__FreeBSD_version < 300000) +# include +# else +# if (__FreeBSD_version >= 300000) && (__FreeBSD_version < 400000) +# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) +# define ACTUALLY_LKM_NOT_KERNEL +# endif +# endif +# endif +#endif /* __FreeBSD__ && KERNEL */ + +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 500000) && \ + defined(_KERNEL) +# include +#endif + /* * These operating systems already take care of the problem for us. */ @@ -230,6 +249,13 @@ typedef u_int32_t u_32_t; # include "opt_inet6.h" # endif # ifdef INET6 +# define USE_INET6 +# endif +# endif +# if !defined(_KERNEL) && !defined(IPFILTER_LKM) +# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \ + (defined(OpenBSD) && (OpenBSD >= 200111)) || \ + (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)) # define USE_INET6 # endif # endif 
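Review bot: In the new FreeBSD block the `#else` arm of `#if defined(__FreeBSD_version) && (__FreeBSD_version < 300000)` evaluates `(__FreeBSD_version >= 300000)` without its own `defined()` guard, so if neither included header defines the macro (the header names were lost in this rendering) the preprocessor silently substitutes 0 and the `ACTUALLY_LKM_NOT_KERNEL` logic is skipped; a `# ifndef __FreeBSD_version` / `#  error "__FreeBSD_version undefined"` after the includes would make that failure visible instead of silent. The user-land `USE_INET6` selection keyed on `!defined(_KERNEL) && !defined(IPFILTER_LKM)` deserves a one-line comment stating that tools take INET6 from the OS version while the kernel build takes it from `opt_inet6.h`.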
@@ -341,40 +367,9 @@ union i6addr { #define IPOPT_EIP 145 /* EIP */ #define IPOPT_FINN 205 /* FINN */ - -#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) -# ifdef IPFILTER_LKM -# ifndef __FreeBSD_cc_version -# include -# else -# if __FreeBSD_cc_version < 430000 -# include -# else -# include -# endif -# endif -# define ACTUALLY_LKM_NOT_KERNEL -# else -# ifndef __FreeBSD_cc_version -# include -# else -# if __FreeBSD_cc_version < 430000 -# include -# else -# include -# endif -# endif -# endif -# if __FreeBSD__ < 3 -# include -# else -# if __FreeBSD__ == 3 -# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) -# define ACTUALLY_LKM_NOT_KERNEL -# endif -# endif -# endif -#endif /* __FreeBSD__ && KERNEL */ +#ifndef TCPOPT_WSCALE +# define TCPOPT_WSCALE 3 +#endif /* * Build some macros and #defines to enable the same code to compile anywhere @@ -580,7 +575,8 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION) # include # endif -# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3) +# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \ + (__FreeBSD_version >= 300000)) # if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \ (defined(OpenBSD) && (OpenBSD >= 200111)) # include @@ -589,9 +585,9 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); extern vm_map_t kmem_map; # endif # include -# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */ +# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */ # include -# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */ +# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */ # ifdef M_PFIL # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) 
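Review bot: `# define TCPOPT_WSCALE 3` is a fallback for platforms whose headers lack the option kind, and the value is the RFC 1323 window-scale option; record that next to it, `/* RFC 1323 window scale option kind, for headers that lack it */`, so the constant is not mistaken for an IPFilter-private number. The companion `TCPOPT_EOL`/`TCPOPT_NOP` used by the new state code are assumed to come from the system headers; hedged, since they are not defined here.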
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 1cac072..2aeeaf8 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -25,6 +25,7 @@ # endif #endif #ifdef __sgi +# define _KMEMUSER # include #endif #ifndef _KERNEL @@ -119,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.53 2002/03/13 02:29:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $"; #endif @@ -359,7 +360,7 @@ int iplattach() } # ifdef NETBSD_PF -# if __NetBSD_Version__ >= 104200000 +# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) # if __NetBSD_Version__ >= 105110000 if ( !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) @@ -526,7 +527,7 @@ int ipldetach() fr_running = 0; # ifdef NETBSD_PF -# if __NetBSD_Version__ >= 104200000 +# if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) # if __NetBSD_Version__ >= 105110000 if (ph_inet != NULL) error = pfil_remove_hook((void *)fr_check_wrapper, NULL, @@ -2136,8 +2137,8 @@ struct uio *uio; num = io->iov_len; if (num > left) num = left; - start = io->iov_base + offset; - if (start > io->iov_base + io->iov_len) { + start = (char *)io->iov_base + offset; + if (start > (char *)io->iov_base + io->iov_len) { offset -= io->iov_len; ioc++; continue; diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 96a8f4b..82deef5 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.29 2002/03/13 03:56:46 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
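Review bot: `if (start > (char *)io->iov_base + io->iov_len)` still forms `iov_base + offset` before checking it, which is undefined once `offset` exceeds the iovec, and the `>` means an `offset` exactly equal to `iov_len` is not skipped, leaving `start` at the end of the buffer while `num` is still `iov_len` (unless the lines after the hunk reduce it — hedged). Comparing lengths avoids both: `if (offset >= io->iov_len) { offset -= io->iov_len; ioc++; continue; }` followed by `start = (char *)io->iov_base + offset;`. The enclosing loop continues beyond the hunk.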
@@ -55,8 +55,8 @@ # define SIOCFRSYN _IOW('r', 73, u_int) # define SIOCFRZST _IOWR('r', 74, struct friostat *) # define SIOCZRLST _IOWR('r', 75, struct frentry *) -# define SIOCAUTHW _IOWR('r', 76, struct frauth_t *) -# define SIOCAUTHR _IOWR('r', 77, struct frauth_t *) +# define SIOCAUTHW _IOWR('r', 76, struct frauth *) +# define SIOCAUTHR _IOWR('r', 77, struct frauth *) # define SIOCATHST _IOWR('r', 78, struct fr_authstat *) # define SIOCSTLCK _IOWR('r', 79, u_int) # define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) @@ -80,8 +80,8 @@ # define SIOCFRSYN _IOW(r, 73, u_int) # define SIOCFRZST _IOWR(r, 74, struct friostat *) # define SIOCZRLST _IOWR(r, 75, struct frentry *) -# define SIOCAUTHW _IOWR(r, 76, struct frauth_t *) -# define SIOCAUTHR _IOWR(r, 77, struct frauth_t *) +# define SIOCAUTHW _IOWR(r, 76, struct frauth *) +# define SIOCAUTHR _IOWR(r, 77, struct frauth *) # define SIOCATHST _IOWR(r, 78, struct fr_authstat *) # define SIOCSTLCK _IOWR(r, 79, u_int) # define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) @@ -135,12 +135,11 @@ typedef struct fr_info { void *fin_ifp; /* interface packet is `on' */ struct fr_ip fin_fi; /* IP Packet summary */ u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */ - u_char fin_out; /* in or out ? 1 == out, 0 == in */ - u_char fin_rev; /* state only: 1 = reverse */ + u_int fin_out; /* in or out ? 1 == out, 0 == in */ u_short fin_hlen; /* length of IP header in bytes */ + u_char fin_rev; /* state only: 1 = reverse */ u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */ - /* From here on is packet specific */ - u_char fin_icode; /* ICMP error to return */ + u_int fin_icode; /* ICMP error to return */ u_32_t fin_rule; /* rule # last matched */ u_32_t fin_group; /* group number, -1 for none */ struct frentry *fin_fr; /* last matching rule */ 
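Review bot: Widening `fin_out` and `fin_icode` from `u_char` to `u_int` and moving `fin_rev` changes the layout of `fr_info_t`, and the removed `/* From here on is packet specific */` marker was the only note on which part of the struct is copied by `FI_COPYSIZE`; the `offsetof(fr_info_t, fin_dp)` sizes adapt automatically, but any user-land consumer that reads saved state containing this struct has to be rebuilt with the kernel (hedged — the save structures are outside the hunk). A one-line comment on the struct, `/* layout shared with ipfstat/ipftest; keep in sync */`, would make the constraint explicit.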
@@ -149,6 +148,7 @@ typedef struct fr_info { u_short fin_off; u_short fin_dlen; /* length of data portion of packet */ u_short fin_id; /* IP packet id field */ + u_int fin_misc; void *fin_mp; /* pointer to pointer to mbuf */ #if SOLARIS void *fin_qfm; /* pointer to mblk where pkt starts */ @@ -171,6 +171,11 @@ typedef struct fr_info { #define FI_LCSIZE offsetof(fr_info_t, fin_dp) /* + * For fin_misc + */ +#define FM_BADSTATE 0x00000001 + +/* * Size for copying cache fr_info structure */ #define FI_COPYSIZE offsetof(fr_info_t, fin_dp) @@ -421,10 +426,10 @@ typedef struct iplog { typedef struct ipflog { #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) - u_char fl_ifname[LIFNAMSIZ]; + char fl_ifname[LIFNAMSIZ]; #else u_int fl_unit; - u_char fl_ifname[LIFNAMSIZ]; + char fl_ifname[LIFNAMSIZ]; #endif u_char fl_plen; /* extra data after hlen */ u_char fl_hlen; /* length of IP headers saved */ diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index abc0faa8..f240cd9 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.20 2002/03/06 09:44:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $"; #endif @@ -584,9 +584,9 @@ void ipfr_slowtimer() if (fr_running <= 0) return; + READ_ENTER(&ipf_solaris); #endif - READ_ENTER(&ipf_solaris); #if defined(__sgi) && defined(_KERNEL) ipfilter_sgi_intfsync(); #endif diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c index 14aa47b..a61b040 100644 --- a/contrib/ipfilter/ip_h323_pxy.c +++ b/contrib/ipfilter/ip_h323_pxy.c 
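Review bot: `u_int fin_misc;` is the only member of `fr_info` added without a trailing comment, and the flag it carries is defined twenty lines lower; write `u_int fin_misc; /* FM_* flags (see FM_BADSTATE) */`. `FM_BADSTATE` itself gets only `For fin_misc`; per the HISTORY text it marks a packet the state code found outside the window so no new state is created for it, which is worth saying at the define, e.g. `/* packet failed state window check; do not create state */`.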
@@ -52,18 +52,27 @@ unsigned char *data; int datlen, *off; unsigned short *port; { + u_32_t addr; + u_char *dp; + int offset; + if (datlen < 6) return -1; *port = 0; - for (*off = 0; *off <= datlen - 6; *off = *off + 1) { - if (ipaddr == *(int *)(data + *off)) + offset = *off; + dp = (u_char *)data; + + for (offset = 0; offset <= datlen - 6; offset++, dp++) { + addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; + if (ipaddr == addr) { - *port = (*(data + *off + 4) << 8) + *(data + *off +5); + *port = (*(dp + 4) << 8) | *(dp + 5); break; } } - return (*off > datlen - 6) ? -1 : 0; + *off = offset; + return (offset > datlen - 6) ? -1 : 0; } /* @@ -109,11 +118,15 @@ ap_session_t *aps; * We are lucky here because this function is not * called with ipf_nat locked. */ - if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) { + if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE| + NAT_LOCKHELD|FWRITE) == -1) { /* log the error */ } } KFREES(aps->aps_data, aps->aps_psiz); + /* avoid double free */ + aps->aps_data = NULL; + aps->aps_psiz = 0; } return; } @@ -144,7 +157,7 @@ nat_t *nat; ipaddr = ip->ip_src.s_addr; data = (unsigned char *)tcp + (tcp->th_off << 2); - datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2); + datlen = fin->fin_dlen - (tcp->th_off << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { ipnat_t *ipn; char *newarray; @@ -177,13 +190,16 @@ nat_t *nat; * of calling nat_ioctl(), we add the nat rule ourself. */ RWLOCK_EXIT(&ipf_nat); - if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) { + if (nat_ioctl((caddr_t)ipn, SIOCADNAT, + NAT_SYSSPACE|FWRITE) == -1) { READ_ENTER(&ipf_nat); return -1; } READ_ENTER(&ipf_nat); - bcopy(aps->aps_data, newarray, aps->aps_psiz); - KFREES(aps->aps_data, aps->aps_psiz); + if (aps->aps_data != NULL && aps->aps_psiz > 0) { + bcopy(aps->aps_data, newarray, aps->aps_psiz); + KFREES(aps->aps_data, aps->aps_psiz); + } aps->aps_data = newarray; aps->aps_psiz += sizeof(*ipn); } 
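Review bot: `addr = (dp[0] << 24) | ...` promotes `dp[0]` to `int`, so for a first octet of 0x80 or more the shift overflows a signed `int`, which is undefined behaviour in C; cast first, `addr = ((u_32_t)dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];`. `offset = *off;` is a dead store, immediately overwritten by the `for` initialiser `offset = 0`. The `datlen = fin->fin_dlen - (tcp->th_off << 2);` change gives the scan the right bound, and the existing `datlen < 6` return also covers a negative result from a bogus `th_off`.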
@@ -256,8 +272,10 @@ nat_t *nat; #ifdef IPFILTER_LOG nat_log(ipn, (u_int)(nat->nat_ptr->in_redir)); #endif - *(int *)(data + off) = ip->ip_src.s_addr; - *(short *)(data + off + 4) = ipn->nat_outport; + bcopy((u_char*)&ip->ip_src.s_addr, + data + off, 4); + bcopy((u_char*)&ipn->nat_outport, + data + off + 4, 2); } } } diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c index e56c602..45bc74c 100644 --- a/contrib/ipfilter/ip_log.c +++ b/contrib/ipfilter/ip_log.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.5.2.17 2002/03/13 03:57:05 darrenr Exp $ + * $Id: ip_log.c,v 2.5.2.18 2002/03/26 15:54:40 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) @@ -84,6 +84,7 @@ # include # include # ifdef __sgi +# define _KMEMUSER # include # ifdef IFF_DRVRLOCK /* IRIX6 */ # include diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 5c10bc4..e0d5951 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.63 2002/03/06 09:44:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.66 2002/04/23 14:58:27 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -425,7 +425,7 @@ caddr_t data; int mode; { register ipnat_t *nat, *nt, *n = NULL, **np = NULL; - int error = 0, ret, arg; + int error = 0, ret, arg, getlock; ipnat_t natd; u_32_t i, j; 
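Review bot: The two `bcopy()` calls replace unaligned `int`/`short` stores, which is the right fix, but they also freeze the byte order of what is written: `ip_src.s_addr` and `nat_outport` are copied as stored, and elsewhere in this proxy ports are compared directly with `tcp->th_dport`, which suggests network order. Record that at the call, `/* both values are kept in network byte order, copied as-is */`, so a later change to host-order fields does not silently corrupt the rewritten H.323 payload.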
@@ -436,9 +436,15 @@ int mode; nat = NULL; /* XXX gcc -Wuninitialized */ KMALLOC(nt, ipnat_t *); - if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) - error = IRCOPYPTR(data, (char *)&natd, sizeof(natd)); - else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */ + getlock = (mode & NAT_LOCKHELD) ? 0 : 1; + if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { + if (mode & NAT_SYSSPACE) { + bcopy(data, (char *)&natd, sizeof(natd)); + error = 0; + } else { + error = IRCOPYPTR(data, (char *)&natd, sizeof(natd)); + } + } else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */ error = IRCOPY(data, (char *)&arg, sizeof(arg)); if (error) error = EFAULT; @@ -450,7 +456,8 @@ int mode; /* * For add/delete, look to see if the NAT entry is already present */ - WRITE_ENTER(&ipf_nat); + if (getlock == 1) + WRITE_ENTER(&ipf_nat); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { nat = &natd; nat->in_flags &= IPN_USERFLAGS; @@ -715,7 +722,8 @@ int mode; error = EINVAL; break; } - RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ + if (getlock == 1) + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ done: if (nt) KFREE(nt); @@ -831,7 +839,7 @@ caddr_t data; return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); - bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps)); + bcopy((char *)aps, (char *)ipnn->ipn_data, sizeof(*aps)); if (aps->aps_data) { bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps), aps->aps_psiz); @@ -1650,11 +1658,12 @@ int dir; { u_32_t sum1, sum2, sumd, sumd2 = 0; struct in_addr in; + int flags, dlen; icmphdr_t *icmp; udphdr_t *udp; + tcphdr_t *tcp; nat_t *nat; ip_t *oip; - int flags; if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) return NULL; 
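Review bot: `mode & NAT_SYSSPACE` selects a kernel-space `bcopy()` of `data` in place of `IRCOPYPTR`, and `mode & NAT_LOCKHELD` skips taking `ipf_nat`, but `mode` is the same `int` argument the ioctl entry path fills from the file's open flags, so in-kernel callers (the H.323 proxy in this commit) and the ioctl path now share one set of bits. Document the invariant at the top of `nat_ioctl()`, `/* NAT_SYSSPACE/NAT_LOCKHELD are set only by in-kernel callers; the ioctl entry must never pass them through */`, and where `mode` arrives from the ioctl layer (outside this hunk, hedged) clear them with `mode &= ~(NAT_SYSSPACE|NAT_LOCKHELD);`. `getlock` is only ever 0 or 1, so `if (getlock == 1)` can be `if (getlock)`.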
@@ -1673,6 +1682,13 @@ int dir; else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); + dlen = ip->ip_len - ((char *)udp - (char *)ip); + /* + * XXX - what if this is bogus hl and we go off the end ? + * In this case, nat_icmplookup() will have returned NULL. + */ + tcp = (tcphdr_t *)udp; + /* * Need to adjust ICMP header to include the real IP#'s and * port #'s. Only apply a checksum change relative to the @@ -1695,8 +1711,6 @@ int dir; * change in the UDP and TCP checksums require yet another * adjustment of the ICMP checksum of the ICMP error message. * - * For the moment we forget about TCP, because that checksum is not - * in the first 8 bytes, so it will not be available in most cases. */ if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { @@ -1754,15 +1768,25 @@ int dir; sumd2 = sumd; } -#if 0 +#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ - if (oip->ip_p == IPPROTO_TCP) { + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate the TCP + * checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 = sumd; } #endif } else { @@ -1813,15 +1837,25 @@ int dir; sumd2 = sumd; } -#if 0 +#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ - if (oip->ip_p == IPPROTO_TCP) { + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate the TCP + * checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 = sumd; }; #endif 
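Review bot: `dlen = ip->ip_len - ((char *)udp - (char *)ip);` is the number of quoted-packet bytes present from the inner transport header on, and the two `dlen >= 18` tests are the guard for reading `tcp->th_sum` at offset 16; state that where `dlen` is computed, `/* bytes of the inner packet from its transport header; th_sum needs 18 */`, and spell the constant as `offsetof(tcphdr_t, th_sum) + sizeof(tcp->th_sum)`. Whether `ip->ip_len` is already in host order at this point depends on the caller, which is outside the hunk. Flipping `#if 0` to `#if 1` leaves dead preprocessor scaffolding around now-live code; drop the `#if 1`/`#endif` pairs, and remove the stray `};` that closes the second block.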
@@ -1829,14 +1863,6 @@ int dir; } if ((flags & IPN_TCPUDP) != 0) { - tcphdr_t *tcp; - - /* - * XXX - what if this is bogus hl and we go off the end ? - * In this case, nat_icmpinlookup() will have returned NULL. - */ - tcp = (tcphdr_t *)udp; - /* * Step 2 : * For offending TCP/UDP IP packets, translate the ports as @@ -1852,8 +1878,9 @@ int dir; * * To further complicate: the TCP checksum is not in the first * 8 bytes of the offending ip packet, so it most likely is not - * available (we might have to fix that if the encounter a - * device that returns more than 8 data bytes on icmp error) + * available. Some OSses like Solaris return enough bytes to + * include the TCP checksum. So we have to check if the + * ip->ip_len actually holds the TCP checksum of the oip! */ if (nat->nat_oport == tcp->th_dport) { @@ -1891,6 +1918,27 @@ int dir; CALC_SUMD(sum1, sum2, sumd); sumd2 += sumd; } + + /* + * Fix tcp checksum (if present) to compensate + * port adjustment. NOTE : the offending IP + * packet flows the other direction compared to + * the ICMP message. + */ + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to + * compensate TCP checksum + * adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; + } } } else { if (tcp->th_dport != nat->nat_outport) { @@ -1926,6 +1974,26 @@ int dir; CALC_SUMD(sum1, sum2, sumd); sumd2 += sumd; } + + /* + * Fix tcp checksum (if present) to compensate + * port adjustment. NOTE : the offending IP + * packet flows the other direction compared to + * the ICMP message. + */ + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate + * UDP checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; + } } } if (sumd2) { 
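Review bot: The comment in the last hunk, `* Fix ICMP checksum to compensate UDP checksum adjustment.`, sits inside `if (oip->ip_p == IPPROTO_TCP && dlen >= 18)` and should read TCP, matching the block added in the `-1891` hunk. Both new blocks feed `fix_datacksum(&tcp->th_sum, sumd)` with the `sumd` left by the port `CALC_SUMD` above them, which holds only because the intervening UDP block is skipped for TCP; a `/* sumd still holds the port delta */` line would protect that ordering against a later insertion. The four-line "NOTE : the offending IP packet flows the other direction" comment is duplicated verbatim in both hunks and could be hoisted once above the `(flags & IPN_TCPUDP)` block.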
@@ -2435,7 +2503,7 @@ maskloop: csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, - nat->nat_tcpstate, fin, 1); + nat->nat_tcpstate, fin, 1, 0); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT @@ -2643,7 +2711,7 @@ maskloop: csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, - nat->nat_tcpstate, fin, 0); + nat->nat_tcpstate, fin, 0, 0); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index 4b2acc4..b3b0b27 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.25 2002/01/01 15:10:49 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -276,6 +276,8 @@ typedef struct natlog { (sd) = (s2) - (s1); \ (sd) = ((sd) & 0xffff) + ((sd) >> 16); } +#define NAT_SYSSPACE 0x80000000 +#define NAT_LOCKHELD 0x40000000 extern u_int ipf_nattable_sz; extern u_int ipf_natrules_sz; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index e134f65..a00d8fd 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $"; #endif #include @@ -61,6 +61,7 @@ int fr_running = 0; int ipl_unreach = ICMP_UNREACH_HOST; u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); +static u_long *ip_ttl_ptr; static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); 
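Review bot: `NAT_SYSSPACE` (0x80000000) and `NAT_LOCKHELD` (0x40000000) are ORed into the `int mode` argument of `nat_ioctl()` together with `FWRITE`, but the header gives no hint of that, and 0x80000000 does not fit a signed `int`, so passing `NAT_SYSSPACE|FWRITE` as an `int` is implementation-defined. Add `/* flags ORed into nat_ioctl()'s mode by in-kernel callers only: data is a kernel pointer / ipf_nat is already held */` above the defines, and either move the bits below the sign bit (e.g. `0x40000000`/`0x20000000`) or make `mode` a `u_int`.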
@@ -107,6 +108,8 @@ int ipldetach() int iplattach __P((void)) { + int i; + #ifdef IPFDEBUG cmn_err(CE_CONT, "iplattach()\n"); #endif @@ -133,6 +136,19 @@ int iplattach __P((void)) return -1; if (appr_init() == -1) return -1; + + ip_ttl_ptr = NULL; + /* + * XXX - There is no terminator for this array, so it is not possible + * to tell if what we are looking for is missing and go off the end + * of the array. + */ + for (i = 0; ; i++) { + if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { + ip_ttl_ptr = &ip_param_arr[i].ip_param_value; + break; + } + } return 0; } @@ -774,7 +790,7 @@ mblk_t *m; ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; - ip->ip_ttl = 60; + ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); @@ -894,7 +910,7 @@ int dst; ip->ip_p = IPPROTO_ICMP; ip->ip_id = oip->ip_id; ip->ip_sum = 0; - ip->ip_ttl = 60; + ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip->ip_tos = oip->ip_tos; ip->ip_len = (u_short)htons(sz); if (dst == 0) { diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 255bdad..2e8b8f3 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.61 2002/03/06 14:07:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.66 2002/04/15 12:14:03 darrenr Exp $"; #endif #ifndef MIN @@ -123,6 +123,7 @@ static ips_stat_t *fr_statetstats __P((void)); static void fr_delstate __P((ipstate_t *)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t **, ipstate_t *, u_int)); +static int fr_tcpoptions __P((tcphdr_t *)); int fr_stputent __P((caddr_t)); int fr_stgetent __P((caddr_t)); void fr_stinsert __P((ipstate_t *)); 
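Review bot: Both `ip->ip_ttl = (u_char)(*ip_ttl_ptr);` lines dereference `ip_ttl_ptr` without a NULL check, and the only thing that sets it is the unbounded `for (i = 0; ; i++)` scan in `iplattach()`, which the author's own XXX comment says has no terminator; if `ip_def_ttl` is ever absent the scan walks off `ip_param_arr`, and if the pointer is somehow left NULL both send paths fault. A defensive fallback keeps the previous behaviour: `ip->ip_ttl = ip_ttl_ptr ? (u_char)(*ip_ttl_ptr) : 60;` at both sites, and the scan should stop at the array's element count if Solaris exports one (hedged, the array's declaration is not in this file).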
@@ -298,7 +299,7 @@ caddr_t data;
 if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
 !bcmp((char *)&sp->is_src, (char *)&st.is_src,
 sizeof(st.is_src)) &&
- !bcmp((char *)&sp->is_dst, (char *)&st.is_src,
+ !bcmp((char *)&sp->is_dst, (char *)&st.is_dst,
 sizeof(st.is_dst)) &&
 !bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
 sizeof(st.is_ps))) {
@@ -578,7 +579,8 @@ u_int flags;
 void *ifp;
 int out;
- if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
+ if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
+ (fin->fin_misc & FM_BADSTATE))
 return NULL;
 if (ips_num == fr_statemax) {
 ips_stats.iss_max++;
@@ -619,6 +621,8 @@ u_int flags;
 switch (is->is_p) {
+ int off;
+
 #ifdef USE_INET6
 case IPPROTO_ICMPV6 :
 ic = (struct icmp *)fin->fin_dp;
@@ -680,15 +684,22 @@ u_int flags;
 hv += is->is_dport;
 }
 is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
- (tcp->th_off << 2) +
+ (off = (tcp->th_off << 2)) +
 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
 ((tcp->th_flags & TH_FIN) ? 1 : 0);
 is->is_maxsend = is->is_send;
- is->is_dend = 0;
 is->is_maxdwin = 1;
 is->is_maxswin = ntohs(tcp->th_win);
 if (is->is_maxswin == 0)
 is->is_maxswin = 1;
+
+ if ((tcp->th_flags & TH_OPENING) == TH_SYN)
+ is->is_fsm = 1;
+
+ if ((tcp->th_flags & TH_SYN) &&
+ ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
+ is->is_swscale = fr_tcpoptions(tcp);
+
 /*
 * If we're creating state for a starting connection, start the
 * timer on it as we'll never see an error if it fails to
@@ -785,7 +796,7 @@ u_int flags;
 is->is_me = stsave;
 if (is->is_p == IPPROTO_TCP) {
 fr_tcp_age(&is->is_age, is->is_state, fin,
- 0); /* 0 = packet from the source */
+ 0, is->is_fsm); /* 0 = packet from the source */
 }
 #ifdef IPFILTER_LOG
 ipstate_log(is, ISL_NEW);
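Review bot: `is->is_swscale = fr_tcpoptions(tcp);` stores the -2 sentinel ("options present, no WSCALE") unchecked into `is_swscale`, which the ip_state.h hunk declares as `u_char td_wscale`, so a SYN carrying only an MSS option (the common case) leaves the source-side scale at 254 instead of 0; `fr_tcpstate()` maps -2 to 0 explicitly, this caller does not, and the `win <<= fdata->td_wscale` added in the next line's @@ -853 hunk would then shift by 254. The `(off = (tcp->th_off << 2))` assignment buried in the `is_send` expression also exists only so `off` can be reused, yet the WSCALE guard recomputes `tcp->th_off << 2`. Suggest computing `off = tcp->th_off << 2;` first, using it in both places, and clamping the result: `int ws = fr_tcpoptions(tcp); is->is_swscale = (ws > 0) ? ws : 0;`. fr_addstate() starts and ends outside the hunk.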
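Review bot: The new return value of `fr_tcp_age()` is ignored at state creation (@@ -785); when the creating packet's flags are not a valid transition the call returns -1 and `is->is_age` keeps whatever it held before, which for a freshly built entry depends on initialisation outside this hunk. If an invalid first packet is still meant to create state, say so next to the call, e.g. `/* -1: flags do not fit the FSM, age stays at its rule/default value */`, or add an explicit fallback such as `if (fr_tcp_age(...) != 0) is->is_age = fr_tcptimeout;` so the entry cannot start with a stale or zero age.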
@@ -798,6 +809,46 @@ u_int flags;
 }
+static int fr_tcpoptions(tcp)
+tcphdr_t *tcp;
+{
+ u_char *opt, *last;
+ int wscale;
+
+ opt = (u_char *) (tcp + 1);
+ last = ((u_char *)tcp) + (tcp->th_off << 2);
+
+ /* If we don't find wscale here, we need to clear it */
+ wscale = -2;
+
+ /* Termination condition picked such that opt[0 .. 2] exist */
+ while ((opt < last - 2) && (*opt != TCPOPT_EOL)) {
+ switch (*opt) {
+ case TCPOPT_NOP:
+ opt++;
+ continue;
+ case TCPOPT_WSCALE:
+ /* Proper length ? */
+ if (opt[1] == 3) {
+ if (opt[2] > 14)
+ wscale = 14;
+ else
+ wscale = opt[2];
+ }
+ break;
+ default:
+ /* Unknown options must be two bytes+ */
+ if (opt[1] < 2)
+ break;
+ opt += opt[1];
+ continue;
+ }
+ break;
+ }
+ return wscale;
+}
+
+
 /*
 * check to see if a packet with TCP headers fits within the TCP window.
@@ -813,9 +864,10 @@ tcphdr_t *tcp;
 register tcp_seq seq, ack, end;
 register int ackskew;
 tcpdata_t *fdata, *tdata;
- u_short win, maxwin;
- int ret = 0;
+ u_32_t win, maxwin;
+ int ret = 0, off;
 int source;
+ int wscale;
 /*
 * Find difference between last checked packet and this packet.
@@ -825,15 +877,29 @@ tcphdr_t *tcp;
 source = 0;
 fdata = &is->is_tcp.ts_data[!source];
 tdata = &is->is_tcp.ts_data[source];
+ off = tcp->th_off << 2;
 seq = ntohl(tcp->th_seq);
 ack = ntohl(tcp->th_ack);
 win = ntohs(tcp->th_win);
- end = seq + fin->fin_dlen - (tcp->th_off << 2) +
+ end = seq + fin->fin_dlen - off +
 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
 ((tcp->th_flags & TH_FIN) ? 1 : 0);
+
+ if ((tcp->th_flags & TH_SYN) && (off >= sizeof(*tcp) + 4))
+ wscale = fr_tcpoptions(tcp);
+ else
+ wscale = -1;
+
 MUTEX_ENTER(&is->is_lock);
- if (fdata->td_end == 0) {
+
+ if (wscale >= 0)
+ fdata->td_wscale = wscale;
+ else if (wscale == -2)
+ fdata->td_wscale = tdata->td_wscale = 0;
+
+ if ((fdata->td_end == 0) &&
+ (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
 /*
 * Must be a (outgoing) SYN-ACK in reply to a SYN.
 */
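Review bot: `fr_tcpoptions()` derives `last` solely from `tcp->th_off` and nothing in the function bounds it by the data actually present (`fin->fin_dlen` is not passed in); both callers only check `th_off << 2 >= sizeof(*tcp) + 4`, so unless the FI_SHORT test upstream already guarantees that `th_off` bytes were captured, an oversized `th_off` lets the option walk read past the packet. The return contract is also only implied by the callers, so a header comment is needed, e.g. `/* Return the window scale (clamped to 14) found in a SYN's options, or -2 if the options carry no WSCALE. The caller must ensure th_off bytes of header are present; the walk stops at the first WSCALE or at the first malformed option. */`. That last clause documents the unconditional `break` after the `switch`, which is easy to misread as a bug.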
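Review bot: In the @@ -825 hunk `fdata->td_wscale` (and, for the -2 case, both sides' `td_wscale`) is rewritten before the packet has been validated: the FSM check through `fr_tcp_age()` and the window checks run later, in the next line's @@ -878 hunk, and that hunk deliberately moves the other per-direction updates (`td_end`, `td_maxwin`, `td_maxend`) behind `fr_tcp_age(...) == 0`. A SYN that matches the 4-tuple but is then rejected (`ret == 0`, FM_BADSTATE set) still changes the stored scale, so a spoofed SYN can alter the window limits applied to an established entry; moving the two `td_wscale` assignments into that `== 0` branch, next to the `td_maxwin` update, puts all state mutation behind the same gate. fr_tcpstate() begins in the @@ -813 hunk and ends in the next line's hunk.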
@@ -853,6 +919,7 @@ tcphdr_t *tcp;
 if (seq == end)
 seq = end = fdata->td_end;
+ win <<= fdata->td_wscale;
 maxwin = tdata->td_maxwin;
 ackskew = tdata->td_end - ack;
@@ -878,29 +945,33 @@ tcphdr_t *tcp;
 * Thus, when ackskew is negative but still seems to belong
 * to this session, we bump up the destinations end value.
 */
- if (ackskew < 0)
- tdata->td_end = ack;
-
- /* update max window seen */
- if (fdata->td_maxwin < win)
- fdata->td_maxwin = win;
- if (SEQ_GT(end, fdata->td_end))
- fdata->td_end = end;
- if (SEQ_GE(ack + win, tdata->td_maxend)) {
- tdata->td_maxend = ack + win;
- if (win == 0)
- tdata->td_maxend++;
- }
-
- ATOMIC_INCL(ips_stats.iss_hits);
 /*
 * Nearing end of connection, start timeout.
 */
 /* source ? 0 : 1 -> !source */
- fr_tcp_age(&is->is_age, is->is_state, fin, !source);
- ret = 1;
+ if (fr_tcp_age(&is->is_age, is->is_state, fin, !source,
+ (int)is->is_fsm) == 0) {
+ if (ackskew < 0)
+ tdata->td_end = ack;
+
+ /* update max window seen */
+ if (fdata->td_maxwin < win)
+ fdata->td_maxwin = win;
+ if (SEQ_GT(end, fdata->td_end))
+ fdata->td_end = end;
+ if (SEQ_GE(ack + win, tdata->td_maxend)) {
+ tdata->td_maxend = ack + win;
+ if (win == 0)
+ tdata->td_maxend++;
+ }
+
+ ATOMIC_INCL(ips_stats.iss_hits);
+ ret = 1;
+ }
 }
 MUTEX_EXIT(&is->is_lock);
+ if ((ret == 0) && (tcp->th_flags != TH_SYN))
+ fin->fin_misc |= FM_BADSTATE;
 return ret;
 }
@@ -1079,9 +1150,9 @@ fr_info_t *fin;
 register ipstate_t *is, **isp;
 register u_short sport, dport;
 register u_char pr;
+ u_short savelen, ohlen;
 union i6addr dst, src;
 struct icmp *ic;
- u_short savelen;
 icmphdr_t *icmp;
 fr_info_t ofin;
 int type, len;
@@ -1110,14 +1181,15 @@ fr_info_t *fin;
 return NULL;
 oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
- if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ ohlen = oip->ip_hl << 2;
+ if (fin->fin_plen < ICMPERR_MAXPKTLEN + ohlen - sizeof(*oip))
 return NULL;
 /*
 * Sanity checks.
 */
 len = fin->fin_dlen - ICMPERR_ICMPHLEN;
- if ((len <= 0) || ((oip->ip_hl << 2) > len))
+ if ((len <= 0) || (ohlen > len))
 return NULL;
 /*
@@ -1157,7 +1229,7 @@ fr_info_t *fin;
 switch (oip->ip_p) {
 case IPPROTO_ICMP :
- icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ icmp = (icmphdr_t *)((char *)oip + ohlen);
 /*
 * a ICMP error can only be generated as a result of an
@@ -1187,7 +1259,7 @@ fr_info_t *fin;
 savelen = oip->ip_len;
 oip->ip_len = len;
 ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
+ fr_makefrip(ohlen, oip, &ofin);
 oip->ip_len = savelen;
 ofin.fin_ifp = fin->fin_ifp;
 ofin.fin_out = !fin->fin_out;
@@ -1209,12 +1281,14 @@ fr_info_t *fin;
 case IPPROTO_TCP :
 case IPPROTO_UDP :
+ if (fin->fin_plen < ICMPERR_MAXPKTLEN)
+ return NULL;
 break;
 default :
 return NULL;
 }
- tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ tcp = (tcphdr_t *)((char *)oip + ohlen);
 dport = tcp->th_dport;
 sport = tcp->th_sport;
@@ -1239,7 +1313,7 @@ fr_info_t *fin;
 savelen = oip->ip_len;
 oip->ip_len = len;
 ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
+ fr_makefrip(ohlen, oip, &ofin);
 oip->ip_len = savelen;
 ofin.fin_ifp = fin->fin_ifp;
 ofin.fin_out = !fin->fin_out;
@@ -1481,9 +1555,8 @@ retry_tcpudp:
 fr_matchsrcdst(is, src, dst, fin, tcp)) {
 rev = fin->fin_rev;
 if ((pr == IPPROTO_TCP)) {
- if (!fr_tcpstate(is, fin, ip, tcp)) {
- continue;
- }
+ if (!fr_tcpstate(is, fin, ip, tcp))
+ is = NULL;
 } else if ((pr == IPPROTO_UDP)) {
 if (is->is_frage[rev] != 0)
 is->is_age = is->is_frage[rev];
@@ -1504,6 +1577,7 @@ retry_tcpudp:
 }
 break;
 }
+ RWLOCK_EXIT(&ipf_state);
 if (!tryagain && ips_wild) {
 hv -= dport;
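Review bot: `ohlen = oip->ip_hl << 2` is never compared with `sizeof(*oip)`: the sanity check rejects `ohlen > len` but not an inner header with `ip_hl < 5`, and in that case the `icmp` and `tcp` pointers computed from `ohlen` in the later hunks (@@ -1157, @@ -1209) point inside the inner IP header and its bytes are parsed as a transport header. Unless something before the hunk already rejects a short `ip_hl`, adding `if (ohlen < sizeof(*oip)) return NULL;` right after the assignment closes that, and with it the extra `fin->fin_plen < ICMPERR_MAXPKTLEN` test added in @@ -1209 becomes redundant with the length check here. The enclosing function starts and ends outside the hunk.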
@@ -1703,15 +1777,16 @@ void fr_timeoutstate()
 * dir == 1 : a packet from dest to source
 *
 */
-void fr_tcp_age(age, state, fin, dir)
+int fr_tcp_age(age, state, fin, dir, fsm)
 u_long *age;
 u_char *state;
 fr_info_t *fin;
-int dir;
+int dir, fsm;
 {
 tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
 u_char flags = tcp->th_flags;
 int dlen, ostate;
+ u_long newage;
 ostate = state[1 - dir];
@@ -1725,10 +1800,10 @@ int dir;
 *age = fr_tcpclosewait;
 state[dir] = TCPS_CLOSE_WAIT;
 }
- return;
+ return 0;
 }
- *age = fr_tcptimeout; /* default 4 mins */
+ newage = 0;
 switch(state[dir]) {
@@ -1739,11 +1814,11 @@ int dir;
 * CLOSED -> SYN_RECEIVED
 */
 state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
- } else if ((flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+ newage = fr_tcptimeout;
+ } else if ((flags & TH_OPENING) == TH_SYN) {
 /* 'dir' sent S, CLOSED -> SYN_SENT */
 state[dir] = TCPS_SYN_SENT;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
 }
 /*
 * The next piece of code makes it possible to get
@@ -1752,12 +1827,12 @@ int dir;
 * does not work when a strict 'flags S keep state' is
 * used for tcp connections of course
 */
- if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
+ if (!fsm && (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
 /* we saw an A, guess 'dir' is in ESTABLISHED mode */
 if (state[1 - dir] == TCPS_CLOSED ||
 state[1 - dir] == TCPS_ESTABLISHED) {
 state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
 }
 }
 /*
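Review bot: The comment block above `fr_tcp_age()` (its tail, `dir == 1 : a packet from dest to source`, is in the @@ -1703 hunk) is not updated for either interface change: the new `fsm` argument or the `int` return. Suggest extending it with ` * fsm == 1 : only accept packets whose flags are a valid transition for the current state (no bare-ACK shortcut to ESTABLISHED)` and ` * returns 0 and updates *age when the packet fits the state machine, -1 (leaving *age unchanged) when it does not`. Without that, every caller has to read to the end of the function to learn that `*age` is untouched on -1. The function body continues through the following hunks.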
@@ -1772,14 +1847,24 @@ int dir;
 break;
 case TCPS_SYN_SENT: /* 2 */
- if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
+ if (flags == TH_SYN) {
+ /*
+ * A retransmitted SYN packet. We do not reset the
+ * timeout here to fr_tcptimeout because a connection
+ * connect timeout does not renew after every packet
+ * that is sent. We need to set newage to something
+ * to indicate the packet has passed the check for its
+ * flags being valid in the TCP FSM.
+ */
+ newage = *age;
+ } else if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
 /*
 * We see an A from 'dir' which is in SYN_SENT
 * state: 'dir' sent an A in response to an SA
 * which it received, SYN_SENT -> ESTABLISHED
 */
 state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
 } else if (flags & TH_FIN) {
 /*
 * We see an F from 'dir' which is in SYN_SENT
@@ -1787,7 +1872,7 @@ int dir;
 * connection; SYN_SENT -> FIN_WAIT_1
 */
 state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout; /* or fr_tcptimeout? */
+ newage = fr_tcpidletimeout; /* or fr_tcptimeout? */
 } else if ((flags & TH_OPENING) == TH_OPENING) {
 /*
 * We see an SA from 'dir' which is already in
@@ -1795,7 +1880,7 @@ int dir;
 * simultaneous open; SYN_SENT -> SYN_RECEIVED
 */
 state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
 }
 break;
@@ -1807,7 +1892,7 @@ int dir;
 * SYN_RECEIVED -> ESTABLISHED
 */
 state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
 } else if (flags & TH_FIN) {
 /*
 * We see an F from 'dir' which is in SYN_RECEIVED
@@ -1815,7 +1900,7 @@ int dir;
 * SYN_RECEIVED -> FIN_WAIT_1
 */
 state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
 }
 break;
@@ -1827,7 +1912,7 @@ int dir;
 * ESTABLISHED -> FIN_WAIT_1
 */
 state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
 } else if (flags & TH_ACK) {
 /* an ACK, should we exclude other flags here? */
 if (ostate == TCPS_FIN_WAIT_1) {
@@ -1839,13 +1924,13 @@ int dir;
 * a half-closed connection
 */
 state[dir] = TCPS_CLOSE_WAIT;
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
 } else if (ostate < TCPS_CLOSE_WAIT)
 /*
 * Still a fully established connection,
 * reset timeout
 */
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
 }
 break;
@@ -1855,7 +1940,7 @@ int dir;
 * Application closed and 'dir' sent a FIN, we're now
 * going into LAST_ACK state
 */
- *age = fr_tcplastack;
+ newage = fr_tcplastack;
 state[dir] = TCPS_LAST_ACK;
 } else {
 /*
@@ -1863,7 +1948,7 @@ int dir;
 * closed already and we did not close our side yet;
 * reset timeout
 */
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
 }
 break;
@@ -1880,14 +1965,14 @@ int dir;
 * packet here? does the window code guarantee that?
 */
 state[dir] = TCPS_TIME_WAIT;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
 } else
 /*
 * We closed our side of the connection already but the
 * other side is still active (ESTABLISHED/CLOSE_WAIT);
 * continue with this half-closed connection
 */
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
 break;
 case TCPS_CLOSING: /* 7 */
@@ -1901,7 +1986,7 @@ int dir;
 * There is still data to be delivered, reset
 * timeout
 */
- *age = fr_tcplastack;
+ newage = fr_tcplastack;
 }
 /*
 * We cannot detect when we go out of LAST_ACK state to CLOSED
@@ -1916,9 +2001,16 @@ int dir;
 break;
 case TCPS_TIME_WAIT: /* 10 */
+ newage = fr_tcptimeout; /* default 4 mins */
 /* we're in 2MSL timeout now */
 break;
 }
+
+ if (newage != 0) {
+ *age = newage;
+ return 0;
+ }
+ return -1;
 }
@@ -2068,8 +2160,14 @@ fr_info_t *fin;
 hv = (pr = oip->ip6_nxt);
 src.in6 = oip->ip6_src;
 hv += src.in4.s_addr;
+ hv += src.i6[1];
+ hv += src.i6[2];
+ hv += src.i6[3];
 dst.in6 = oip->ip6_dst;
 hv += dst.in4.s_addr;
+ hv += dst.i6[1];
+ hv += dst.i6[2];
+ hv += dst.i6[3];
 hv += dport;
 hv += sport;
 hv %= fr_statesize;
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index fe6a505..01b1256 100644
--- a/contrib/ipfilter/ip_state.h
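Review bot: In the @@ -1916 hunk `newage == 0` doubles as the "no valid transition" sentinel, but every value assigned to `newage` is a runtime tunable (`fr_tcptimeout`, `fr_tcpidletimeout`, `fr_tcphalfclosed`, `fr_tcplastack`) or the current `*age`; if any of those can be 0 at run time, a legitimate transition turns into a -1 return and, through the new FM_BADSTATE handling in fr_tcpstate(), a dropped packet. Initialising with `newage = (u_long)-1;` and testing `if (newage != (u_long)-1) {` decouples the sentinel from the timeout values with a two-line change, assuming no tunable is ever set to that value. fr_tcp_age() starts in an earlier hunk.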
+++ b/contrib/ipfilter/ip_state.h
@@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.13.2.10 2002/03/06 14:07:38 darrenr Exp $
+ * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $
 */
 #ifndef __IP_STATE_H__
 #define __IP_STATE_H__
@@ -42,7 +42,8 @@ typedef struct icmpstate {
 typedef struct tcpdata {
 u_32_t td_end;
 u_32_t td_maxend;
- u_short td_maxwin;
+ u_32_t td_maxwin;
+ u_char td_wscale;
 } tcpdata_t;
 typedef struct tcpstate {
@@ -58,20 +59,22 @@ typedef struct ipstate {
 struct ipstate *is_hnext;
 struct ipstate **is_phnext;
 struct ipstate **is_me;
- u_long is_age;
- u_int is_frage[2]; /* age from filter rule, forward & reverse */
- u_int is_pass;
+ frentry_t *is_rule;
 U_QUAD_T is_pkts;
 U_QUAD_T is_bytes;
- void *is_ifp[4];
- frentry_t *is_rule;
 union i6addr is_src;
 union i6addr is_dst;
+ void *is_ifp[4];
+ u_long is_age;
+ u_int is_frage[2]; /* age from filter rule, forward & reverse */
+ u_int is_pass;
 u_char is_p; /* Protocol */
- u_char is_v;
- u_int is_hv;
+ u_char is_v; /* IP version */
+ u_char is_fsm; /* 1 = following FSM, 0 = not */
+ u_char is_xxx; /* pad */
+ u_int is_hv; /* hash value for this in the table */
 u_32_t is_rulen; /* rule number */
- u_32_t is_flags;
+ u_32_t is_flags; /* flags for this structure */
 u_32_t is_opt; /* packet options set */
 u_32_t is_optmsk; /* " " mask */
 u_short is_sec; /* security options set */
@@ -100,6 +103,8 @@ typedef struct ipstate {
 #define is_dend is_tcp.ts_data[1].td_end
 #define is_maxswin is_tcp.ts_data[0].td_maxwin
 #define is_maxdwin is_tcp.ts_data[1].td_maxwin
+#define is_swscale is_tcp.ts_data[0].td_wscale
+#define is_dwscale is_tcp.ts_data[1].td_wscale
 #define is_maxsend is_tcp.ts_data[0].td_maxend
 #define is_maxdend is_tcp.ts_data[1].td_maxend
 #define is_sport is_tcp.ts_sport
@@ -191,7 +196,7 @@ extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, ipstate_t **, u_int));
 extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
 extern void ip_statesync __P((void *));
 extern void fr_timeoutstate __P((void));
-extern void fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int));
+extern int fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int, int));
 extern void fr_stateunload __P((void));
 extern void ipstate_log __P((struct ipstate *, u_int));
 #if defined(__NetBSD__) || defined(__OpenBSD__)
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index b983781..fc35b31 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -50,7 +50,7 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $";
 #endif
 #if SOLARIS
@@ -225,7 +225,7 @@ u_int enable;
 if (ioctl(fd, SIOCFRENB, &enable) == -1) {
 if (errno == EBUSY)
 fprintf(stderr,
- "IP FIlter: already initialized\n");
+ "IP Filter: already initialized\n");
 else
 perror("SIOCFRENB");
 }
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index b111bfd..a2ccf89 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -45,7 +45,7 @@
 #include "ipf.h"
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $";
 #endif
 #ifndef IPF_SAVEDIR
@@ -208,7 +208,7 @@ char *argv[];
 int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
 char *dirname = NULL, *filename = NULL, *ifs = NULL;
- while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1)
+ while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
 switch (c) {
 case 'd' :
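Review bot: In the ipfs.c @@ -208 hunk the getopt() string gains `i:` but no `case 'i'` appears anywhere in this diff, while the `ifs` local that looks intended to receive it is visible in the context line; if the handler is added outside the hunk this is fine, otherwise `-i <name>` is accepted by getopt() and silently ignored. If it is missing, `case 'i' : ifs = optarg; break;` next to the `'d'` case is the expected shape. main() continues outside the hunk.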
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 75f9d67..2e99b65 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -4,12 +4,12 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.31 2002/03/13 03:57:42 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.32 2002/04/23 14:59:13 darrenr Exp $
 */
 #ifndef __IPL_H__
 #define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.25"
+#define IPL_VERSION "IP Filter: v3.4.26"
 #endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 6a89403..3e8707b 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -68,7 +68,7 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.32 2002/03/13 03:30:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $";
 #endif
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 86a1e3f..4dc5e97 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -31,11 +31,10 @@
 #include
 #endif
 #include "ipsend.h"
-#include "ipf.h"
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.4 2002/02/22 15:32:57 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp $";
 #endif
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 189e35f..0c3b50c 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -13,6 +13,7 @@
 # endif
 #endif
 #ifdef __sgi
+# define _KMEMUSER
 # include
 #endif
 #include
@@ -63,7 +64,7 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $";
 #endif
 extern char *optarg;
@@ -113,10 +114,13 @@ char *argv[];
 while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
 switch (c) {
-#ifdef USE_INET6
 case '6' :
+#ifdef USE_INET6
 use_inet6 = 1;
 break;
+#else
+ fprintf(stderr, "IPv6 not supported\n");
+ exit(1);
 #endif
 case 'b' :
 opts |= OPT_BRIEF;
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index eec8b3c..254bbf9 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -46,18 +46,13 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $";
 #endif
-#ifndef __sgi
+#ifdef __sgi
+typedef int kvm_t;
-static kvm_t *kvm_f = NULL;
-
-#else
-
-typedef int kvm_t;
-
-static kvm_t kvm_f = -1;
+static int kvm_fd = -1;
 static char *kvm_errstr;
 kvm_t kvm_open(kernel, core, swap, mode, errstr)
@@ -65,12 +60,12 @@ char *kernel, *core, *swap;
 int mode;
 char *errstr;
 {
- kvm_t fd;
- kvm_errstr = errstr;
- fd = open(core, mode);
- return fd;
+ if (core == NULL)
+ core = "/dev/kmem";
+ kvm_fd = open(core, mode);
+ return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL;
 }
 int kvm_read(kvm, pos, buffer, size)
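Review bot: Under `__sgi`, `kvm_open()` keeps the return type `kvm_t`, which the previous hunk now makes `typedef int kvm_t`, yet it returns `(kvm_t)&kvm_fd`, a pointer squeezed into an int, while the rewritten `kvm_read()` (next line) does `lseek(*kvm, ...)` on its argument as a pointer and the file-level `kvm_f` is a `kvm_t *`; on a 64-bit IRIX ABI that cast truncates the address. The rewrite also drops the old `kvm_errstr = errstr;`, but `kvm_read()` still prints `kvm_errstr`, so it now passes a NULL to `%s` on every lseek failure. Suggest `kvm_t *kvm_open(kernel, core, swap, mode, errstr)`, `kvm_errstr = errstr;` restored as the first statement, and `return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;`.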
@@ -82,21 +77,22 @@ size_t size;
 int r, left;
 char *bufp;
- if (lseek(kvm, pos, 0) == -1) {
+ if (lseek(*kvm, pos, 0) == -1) {
 fprintf(stderr, "%s", kvm_errstr);
 perror("lseek");
 return -1;
 }
 for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
- r = read(kvm, bufp, 1);
+ r = read(*kvm, bufp, 1);
 if (r <= 0)
 return -1;
 }
- return 0;
+ return size;
 }
 #endif
+static kvm_t *kvm_f = NULL;
 int openkmem(kern, core)
 char *kern, *core;
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index 6945b1c..23ac79a 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -141,7 +141,8 @@ void closel4(l4, dead)
 l4cfg_t *l4;
 int dead;
 {
- close(l4->l4_fd);
+ if (l4->l4_fd != -1)
+ close(l4->l4_fd);
 l4->l4_fd = -1;
 l4->l4_rw = -1;
 if (dead && l4->l4_alive) {
@@ -307,7 +308,7 @@ int runconfig()
 if (opts & OPT_VERBOSE)
 fprintf(stderr, "failed\n");
 perror("connect");
- close(fd);
+ closel4(l4, 1);
 fd = -1;
 } else {
 if (opts & OPT_VERBOSE)
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 386f3a2..0ec7854 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -46,7 +46,8 @@ long).
 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be viewed with \fBipfstat -n\fP.
 .LP
-5. The action: \fBp\fP for passed or \fBb\fP for blocked.
+5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
+packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
 .LP
 6. The addresses. This is actually three fields: the source address and port
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 7fb2e90..16c1752 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
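Review bot: In the l4check.c @@ -307 hunk `closel4(l4, 1)` replaces `close(fd)`, but whether it closes the socket depends on `l4->l4_fd` already holding `fd` at this point, which the hunk does not show; if `l4->l4_fd` is still -1 here (presumably it is only assigned on the success path), the new `!= -1` guard in `closel4()` skips the `close()`, the descriptor leaks, and the following `fd = -1;` discards the only reference. Either assign `l4->l4_fd = fd;` before the call or keep `close(fd);` alongside `closel4(l4, 1);`. runconfig() continues outside the hunk.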
@@ -7,8 +7,8 @@ The format for files accepted by ipnat is described by the following grammar:
 .nf
 ipmap :: = mapblock | redir | map .
-map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport ] .
+map ::= mapit ifname ipmask "->" dstipmask [ mapport ] .
+map ::= mapit ifname fromto "->" dstipmask [ mapport ] .
 mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
 redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
@@ -18,6 +18,7 @@ rdrport ::= "port" portnum .
 mapit ::= "map" | "bimap" .
 fromto ::= "from" object "to" object .
 ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
+dstipmask ::= ipmask | "range" ip "-" ip .
 mapport ::= "portmap" tcpudp portnumber ":" portnumber .
 options ::= [ tcpudp ] [ rr ] .
@@ -34,6 +35,10 @@ ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
 numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
 .fi
 .PP
+In addition to this, # is used to mark the start of a comment and may
+appear at the end of a line with a NAT rule (as described above) or on its
+own lines. Blank lines are ignored.
+.PP
 For standard NAT functionality, a rule should start with \fBmap\fP and then proceeds to specify the interface for which outgoing packets will have their source address rewritten.
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 00f7d22..84d2a95 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -12,23 +12,11 @@
 #include
 #if defined(__FreeBSD__)
+# ifndef __FreeBSD_version
+# include
+# endif
 # ifdef IPFILTER_LKM
-# ifndef __FreeBSD_cc_version
-# include
-# else
-# if __FreeBSD_cc_version < 430000
-# include
-# endif
-# endif
 # define ACTUALLY_LKM_NOT_KERNEL
-# else
-# ifndef __FreeBSD_cc_version
-# include
-# else
-# if __FreeBSD_cc_version < 430000
-# include
-# endif
-# endif
 # endif
 #endif
 #include
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
index bc8f3ed..5a70ab9 100644
--- a/contrib/ipfilter/mls_ipl.c
+++ b/contrib/ipfilter/mls_ipl.c
@@ -40,7 +40,7 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $";
 #endif
 extern int ipldetach __P((void));
@@ -49,6 +49,7 @@ extern int ipldetach __P((void));
 #endif
 extern int nulldev __P((void));
 extern int errno;
+extern int iplidentify __P((char *));
 extern int nodev __P((void));
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
index e484316..e1c3a49 100644
--- a/contrib/ipfilter/natparse.c
+++ b/contrib/ipfilter/natparse.c
@@ -56,7 +56,7 @@ extern char *sys_errlist[];
 #if !defined(lint)
 static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $";
 #endif
@@ -394,15 +394,24 @@ int linenum;
 cpp++;
 if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp && strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
 if (*cpp) {
- ipn.in_pmin = atoi(*cpp);
+ if (strcasecmp(*cpp, "ports")) {
+ fprintf(stderr,
+ "%d: expected \"ports\" - got \"%s\"\n",
+ linenum, *cpp);
+ return NULL;
+ }
+ cpp++;
+ if (*cpp == NULL) {
+ fprintf(stderr,
+ "%d: missing argument to \"ports\"\n",
+ linenum);
+ return NULL;
+ }
+ if (!strcasecmp(*cpp, "auto"))
+ ipn.in_flags |= IPN_AUTOPORTMAP;
+ else
+ ipn.in_pmin = atoi(*cpp);
 cpp++;
 } else
 ipn.in_pmin = 0;
@@ -483,6 +492,10 @@ int linenum;
 ipn.in_p = atoi(proto);
 }
 }
+ if ((ipn.in_flags & IPN_TCPUDP) == 0) {
+ port1a = "0";
+ port2a = "0";
+ }
 if (*cpp && !strcasecmp(*cpp, "round-robin")) {
 cpp++;
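Review bot: In the natparse.c @@ -394 hunk the `ports` argument is converted with `atoi(*cpp)`, so any non-numeric token other than `auto` (a typo such as `aut0`, for instance) silently becomes `ports 0` instead of a parse error, while the missing-argument case directly above now reports one; the `age` value added in the next line's @@ -690 hunk has the same weakness. Parsing with `strtol()` and rejecting a non-empty remainder, reporting `"%d: invalid argument to \"ports\" - \"%s\"\n"`, keeps a mistyped rule from being loaded as a different rule. The enclosing function starts and ends outside the hunk.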
@@ -548,7 +561,7 @@ int linenum;
 if ((ipn.in_redir & NAT_MAPBLK) != 0)
 nat_setgroupmap(&ipn);
- if (*cpp && !strcasecmp(*cpp, "frag")) {
+ if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
 cpp++;
 ipn.in_flags |= IPN_FRAG;
 }
@@ -618,12 +631,6 @@ int linenum;
 (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
 cpp++;
- if (*cpp) {
- fprintf(stderr,
- "%d: too many parameters for \"proxy\"\n",
- linenum);
- return NULL;
- }
 } else if (!strcasecmp(*cpp, "portmap")) {
 if (ipn.in_redir == NAT_BIMAP) {
 fprintf(stderr, "%d: cannot use portmap with bimap\n",
@@ -683,6 +690,11 @@ int linenum;
 }
 }
+ if (*cpp && !strcasecmp(*cpp, "frag")) {
+ cpp++;
+ ipn.in_flags |= IPN_FRAG;
+ }
+
 if (*cpp && !strcasecmp(*cpp, "age")) {
 cpp++;
 if (!*cpp) {
@@ -690,6 +702,7 @@ int linenum;
 linenum);
 return NULL;
 }
+ ipn.in_age[0] = atoi(*cpp);
 s = index(*cpp, '/');
 if (s != NULL)
 ipn.in_age[1] = atoi(s + 1);
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
index 647c92e..dd59272 100644
--- a/contrib/ipfilter/printnat.c
+++ b/contrib/ipfilter/printnat.c
@@ -58,7 +58,7 @@ extern char *sys_errlist[];
 #endif
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.7 2002/04/24 17:35:37 darrenr Exp $";
 #endif
@@ -298,6 +298,9 @@ int opts;
 struct servent *sv;
 int bits;
+ if (np->in_p != 0)
+ pr = getprotobynumber(np->in_p);
+
 switch (np->in_redir) {
 case NAT_REDIRECT :
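Review bot: In the printnat.c @@ -298 hunk `pr` is now assigned only when `np->in_p != 0`, but the `proxy port` branch in the next line's @@ -401 hunk still tests `pr != NULL` after its own unconditional `pr = getprotobynumber(np->in_p);` was removed; unless `pr` is initialised to NULL at its declaration (outside the hunk), a rule with a proxy label and `in_p == 0` reads an uninitialised pointer. Writing the new code as `pr = (np->in_p != 0) ? getprotobynumber(np->in_p) : NULL;` removes the dependency on how the declaration is written.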
@@ -372,12 +375,18 @@ int opts;
 printf(" udp");
 else if (np->in_p == 0)
 printf(" ip");
- else if (np->in_p != 0)
- printf(" %d", np->in_p);
+ else if (np->in_p != 0) {
+ if (pr != NULL)
+ printf(" %s", pr->p_name);
+ else
+ printf(" %d", np->in_p);
+ }
 if (np->in_flags & IPN_ROUNDR)
 printf(" round-robin");
 if (np->in_flags & IPN_FRAG)
 printf(" frag");
+ if (np->in_age[0])
+ printf(" age %d/%d", np->in_age[0], np->in_age[1]);
 printf("\n");
 if (opts & OPT_DEBUG)
 printf("\tspc %lu flg %#x max %u use %d\n",
@@ -389,7 +398,7 @@ int opts;
 printf("%s/", inet_ntoa(np->in_in[0]));
 bits = countbits(np->in_in[1].s_addr);
 if (bits != -1)
- printf("%d ", bits);
+ printf("%d", bits);
 else
 printf("%s", inet_ntoa(np->in_in[1]));
 }
@@ -401,12 +410,11 @@ int opts;
 printf("%s/", inet_ntoa(np->in_out[0]));
 bits = countbits(np->in_out[1].s_addr);
 if (bits != -1)
- printf("%d ", bits);
+ printf("%d", bits);
 else
 printf("%s", inet_ntoa(np->in_out[1]));
 }
 if (*np->in_plabel) {
- pr = getprotobynumber(np->in_p);
 printf(" proxy port");
 if (np->in_dport != 0) {
 if (pr != NULL)
@@ -426,8 +434,12 @@ int opts;
 else
 printf("%d", np->in_p);
 } else if (np->in_redir == NAT_MAPBLK) {
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_VERBOSE)
+ if ((np->in_pmin == 0) &&
+ (np->in_flags & IPN_AUTOPORTMAP))
+ printf(" ports auto");
+ else
+ printf(" ports %d", np->in_pmin);
+ if (opts & OPT_DEBUG)
 printf("\n\tip modulous %d", np->in_pmax);
 } else if (np->in_pmin || np->in_pmax) {
 printf(" portmap");
@@ -451,6 +463,8 @@ int opts;
 }
 if (np->in_flags & IPN_FRAG)
 printf(" frag");
+ if (np->in_age[0])
+ printf(" age %d/%d", np->in_age[0], np->in_age[1]);
 printf("\n");
 if (opts & OPT_DEBUG) {
 printf("\tspace %lu nextip %s pnext %d", np->in_space,
diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c
index 16bda9b..d462a22 100644
--- a/contrib/ipfilter/printstate.c
+++ b/contrib/ipfilter/printstate.c
@@ -15,6 +15,9 @@
 #include
 #include
 #include
+#if __FreeBSD_version >= 300000
+# include
+#endif
 #include "kmem.h"
 #include "netinet/ip_compat.h"
 #include "ipf.h"
@@ -47,15 +50,17 @@ int opts;
 if (ips.is_p == IPPROTO_TCP)
 #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
 ntohs(ips.is_sport), ntohs(ips.is_dport),
 ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
+ ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
+ ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
 #else
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
 ntohs(ips.is_sport), ntohs(ips.is_dport),
 ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
+ ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
+ ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
 #endif
 else if (ips.is_p == IPPROTO_UDP)
 PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 4ff13df..aa139d3 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 */
 /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $"
 #include
 #include
@@ -1112,7 +1112,7 @@ again:
 freemsg(mb);
 }
 RWLOCK_EXIT(&ipf_solaris);
- return 0;
+ return 1;
 }
@@ -1263,7 +1263,7 @@ again:
 freemsg(mb);
 }
 RWLOCK_EXIT(&ipf_solaris);
- return 0;
+ return 1;
 }
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 2d93c7f..334abc2 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -9,23 +9,27 @@ BINDEST=/usr/local/bin
 SBINDEST=/sbin
 MANDIR=/usr/share/man
-tests: first 0 ftests ptests ntests nitests logtests
+tests: first 0 ftests ptests ntests nitests logtests ipv6 intests
 first:
 -mkdir -p results
 # Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
 # Rule parsing tests
 ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
 ntests: n1 n2 n3 n4 n5 n6 n7
-nitests: ni1 ni2
+nitests: ni1 ni2 ni3 ni4
+
+intests: in1 in2 in3 in4
 logtests: l1
+ipv6: ipv6.1 ipv6.2
+
 0:
 @(cd ..; make ipftest; )
@@ -38,22 +42,33 @@ f12 f13:
 f15 f16:
 @/bin/sh ./mtest $@
+f17:
+ @/bin/sh ./mhtest $@
+
 i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
 @/bin/sh ./itest $@
 n1 n2 n3 n4 n5 n6 n7:
 @/bin/sh ./nattest $@
-ni1 ni2:
+ni1 ni2 ni3 ni4:
 @/bin/sh ./natipftest $@
+in1 in2 in3 in4:
+ @/bin/sh ./intest $@
+
 l1:
 @/bin/sh ./logtest $@
+ipv6.1 ipv6.2:
+ @/bin/sh ./dotest6 $@
+
 clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17
 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
 /bin/rm -f n1 n2 n3 n4 n5 n6 n7
- /bin/rm -f ni1 ni2
+ /bin/rm -f ni1 ni2 ni3 ni4
+ /bin/rm -f in1 in2 in3 in4
 /bin/rm -f l1
+ /bin/rm -f ipv6.1 ipv6.2
 /bin/rm -f results/*
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
index ac37783..b977e41 100644
--- a/contrib/ipfilter/test/expected/f11
+++ b/contrib/ipfilter/test/expected/f11
@@ -1,6 +1,11 @@
 pass
+nomatch
+nomatch
+pass
 pass
+nomatch
 pass
+nomatch
 pass
 nomatch
 nomatch
@@ -11,8 +16,13 @@ nomatch
 nomatch
 --------
 block
+nomatch
+nomatch
+block
 block
+nomatch
 block
+nomatch
 block
 nomatch
 nomatch
@@ -28,6 +38,11 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 pass
 pass
 nomatch
@@ -40,6 +55,11 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 block
 block
 nomatch
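Review bot: The new `intests` and `ipv6` targets (and the `tests`/`ftests` lines they are added to) are command targets that never create a file of that name, yet none is declared `.PHONY`, so a stray file called `ipv6` or `intests` in the test directory makes `make tests` silently skip that whole group; the individual test targets such as `in1` and `ipv6.1` do create files (see `clean`) and are correct as real targets. A single `.PHONY: tests first ftests ptests ntests nitests intests logtests ipv6 clean` line near the top covers the new targets and the pre-existing ones alike.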
@@ -52,6 +72,11 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 pass
 pass
 pass
@@ -64,9 +89,31 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 block
 block
 block
 nomatch
 nomatch
 --------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
index c158752..dbd6b01 100644
--- a/contrib/ipfilter/test/expected/l1
+++ b/contrib/ipfilter/test/expected/l1
@@ -1,49 +1,49 @@
 log in all
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
 --------
 pass in on anon0 all head 100
 --------
 pass in log quick from 3.3.3.3 to any group 100
 --------
 pass in log body quick from 2.2.2.2 to any
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
 --------
 pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
 --------
 pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
 --------
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
 --------
diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b
index eef3660..e5c1077 100644
--- a/contrib/ipfilter/test/expected/l1.b
+++ b/contrib/ipfilter/test/expected/l1.b
@@ -1,47 +1,47 @@
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
 --------
 --------
 --------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
 01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
 --------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
 --------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
 --------
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
 01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
 01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
 42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
 --------
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
index 4eda58e..25c670d 100644
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@@ -1,6 +1,11 @@
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
 in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
 in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
index 0600056..38d93ee 100755
--- a/contrib/ipfilter/test/logtest
+++ b/contrib/ipfilter/test/logtest
@@ -22,15 +22,15 @@ echo "$1...";
 /bin/rm -f logout
 exit 1
 fi
- ../ipmon -P /dev/null -f logout >> results/$1
+ TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
 echo "--------" >> results/$1
- ../ipmon -P /dev/null -bf logout >> results/$1.b
+ TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
 echo "--------" >> results/$1.b
 done ) < regress/$1
 ../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
-../ipmon -P /dev/null -f logout >> results/$1
+TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
 echo "--------" >> results/$1
-../ipmon -P /dev/null -bf logout >> results/$1.b
+TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
 echo "--------" >> results/$1.b
 cmp expected/$1 results/$1
 
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
index 0bf0a2a..a71e528 100644
--- a/contrib/ipfilter/test/regress/f11
+++ b/contrib/ipfilter/test/regress/f11
@@ -4,3 +4,4 @@ pass in proto udp from any to any port = 53 keep frags
 block in proto udp from any to any port = 53 keep frags
 pass in proto udp from any to any port = 53 keep state
 block in proto udp from any to any port = 53 keep state
+pass in on e0 proto tcp from any to any port = 25 keep state
-- 
cgit v1.1
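Review bot: `TZ=GMT` is repeated on each of the four ipmon invocations in the logtest hunk; setting it once near the top of the script (`TZ=GMT0; export TZ`) covers every tool that formats a timestamp, including the `../ipftest` runs, and keeps the four lines from drifting apart. `GMT` with no offset is not a POSIX-form TZ string — it depends on a zoneinfo entry of that name being installed — whereas `GMT0` or `UTC0` is portable and still yields the `00:00:00` timestamps the expected files now carry. The `( while read ... )` loop that the first two changed lines sit in begins before the hunk.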