From a9f147caaadd791ad3fc10878ab229652fb4f8a7 Mon Sep 17 00:00:00 2001 From: darrenr Date: Sat, 27 Apr 2002 16:52:49 +0000 Subject: Import version 3.4.27 --- sys/contrib/ipfilter/netinet/fil.c | 24 ++++++++-- sys/contrib/ipfilter/netinet/ip_compat.h | 7 +-- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 75 +++++++++++++++++++++---------- sys/contrib/ipfilter/netinet/ip_log.c | 5 ++- sys/contrib/ipfilter/netinet/ip_nat.c | 9 +--- sys/contrib/ipfilter/netinet/ip_proxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_state.c | 68 +++++++++++++++------------- sys/contrib/ipfilter/netinet/ipl.h | 4 +- 8 files changed, 123 insertions(+), 73 deletions(-) (limited to 'sys/contrib') diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 3ce8131..92d82f1 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1454,7 +1454,13 @@ nodata: # endif /* defined(BSD) || defined(sun) */ # endif /* SOLARIS */ #else /* KERNEL */ - sum2 = 0; + for (; slen > 1; slen -= 2) + sum += *sp++; + if (slen) + sum += ntohs(*(u_char *)sp << 8); + while (sum > 0xffff) + sum = (sum & 0xffff) + (sum >> 16); + sum2 = (u_short)(~sum & 0xffff); #endif /* KERNEL */ tcp->th_sum = ts; return sum2; @@ -1495,7 +1501,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $ + * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, 
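Review bot: The odd-byte term `sum += ntohs(*(u_char *)sp << 8);` in the new !_KERNEL branch of the checksum hunk (@@ -1454) reads like a byte-order conversion but is really placing the trailing byte in the high-order position of a network-order word, to match the unconverted `*sp++` u_short reads above it; that is not obvious and invites a well-meant "fix". A one-line comment such as `/* trailing odd byte: pad to a 16-bit word in network order, like the u_short reads above */` would settle it. Whether `sum` and `slen` start at the right values cannot be checked here, since the function begins outside the hunk.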
@@ -2160,3 +2166,15 @@ int icmptoicmp6unreach[ICMP_MAX_UNREACH] = { ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */ }; #endif + + +#ifndef _KERNEL +int mbuflen(buf) +mb_t *buf; +{ + ip_t *ip; + + ip = (ip_t *)buf; + return ip->ip_len; +} +#endif diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index d0dc859..3b1b980 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.43 2002/04/23 16:08:50 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -252,7 +252,7 @@ typedef u_int32_t u_32_t; # define USE_INET6 # endif # endif -# if !defined(_KERNEL) && !defined(IPFILTER_LKM) +# if !defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(USE_INET6) # if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \ (defined(OpenBSD) && (OpenBSD >= 200111)) || \ (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)) @@ -572,7 +572,8 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); # endif # if (BSD >= 199306) || defined(__FreeBSD__) # if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \ - defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION) + defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \ + defined(_BSDI_VERSION) # include # endif # if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \ diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 0968b10..2411bd9 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 
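Review bot: `mbuflen()` carries no comment saying why an mb_t can be read as an ip_t, which only holds in the !_KERNEL build where the buffer is presumably the raw packet; a header comment like `/* userland stand-in for the mbuf chain length: the buffer is the raw packet, so its length is the IP total length */` would make that explicit. It also returns `ip->ip_len` regardless of version, so an IPv6 buffer would be measured through the IPv4 header layout; if the userland harness can hand it v6 packets that case needs handling. Whether ip_len is in host order at this point is not visible here — confirm against the userland caller.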
@@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.33 2002/02/15 14:48:38 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -184,7 +184,11 @@ int dlen; if ((inc + ip->ip_len) > 65535) return 0; -#if SOLARIS +#if !defined(_KERNEL) + m = *((mb_t **)fin->fin_mp); + bcopy(newbuf, (char *)m + off, nlen); +#else +# if SOLARIS m = fin->fin_qfm; for (m1 = m; m1->b_cont; m1 = m1->b_cont) ; @@ -210,19 +214,20 @@ int dlen; m1->b_wptr += inc; } copyin_mblk(m, off, nlen, newbuf); -#else +# else m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ m_copyback(m, off, nlen, newbuf); -# ifdef M_PKTHDR +# ifdef M_PKTHDR if (!(m->m_flags & M_PKTHDR)) m->m_pkthdr.len += inc; +# endif # endif #endif if (inc != 0) { -#if SOLARIS || defined(__sgi) +#if (SOLARIS || defined(__sgi)) && defined(_KERNEL) register u_32_t sum1, sum2; sum1 = ip->ip_len; @@ -269,6 +274,7 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = htons(sp); tcp2->th_off = 5; + tcp2->th_flags = TH_SYN; tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[1] = 0; fi.fin_dlen = sizeof(*tcp2); @@ -452,7 +458,11 @@ int dlen; if ((inc + ip->ip_len) > 65535) return 0; -#if SOLARIS +#if !defined(_KERNEL) + m = *((mb_t **)fin->fin_mp); + m_copyback(m, off, nlen, newbuf); +#else +# if SOLARIS m = fin->fin_qfm; for (m1 = m; m1->b_cont; m1 = m1->b_cont) ; 
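Review bot: The two new !_KERNEL paths in this file disagree: the first (hunk @@ -184) writes the rewritten command with `bcopy(newbuf, (char *)m + off, nlen);` while the second (hunk @@ -452) uses `m_copyback(m, off, nlen, newbuf);`, so one of them presumably relies on a userland m_copyback shim that the other bypasses. The bcopy form also ignores `inc`: when the rewritten text is longer than the original, nlen bytes are written at off with no check that the buffer has room or that the trailing data was shifted, unlike the kernel path's `m_adj`/`m_copyback` pair. Using the same call in both places, with a comment on what the userland version guarantees about length changes, would keep the test build honest. Both enclosing functions start and end outside these hunks.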
@@ -475,15 +485,16 @@ int dlen; m1->b_wptr += inc; } /*copyin_mblk(m, off, nlen, newbuf);*/ -#else /* SOLARIS */ +# else /* SOLARIS */ m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ /*m_copyback(m, off, nlen, newbuf);*/ -#endif /* SOLARIS */ +# endif /* SOLARIS */ +#endif /* _KERNEL */ if (inc != 0) { -#if SOLARIS || defined(__sgi) +#if (SOLARIS || defined(__sgi)) && defined(_KERNEL) register u_32_t sum1, sum2; sum1 = ip->ip_len; @@ -520,6 +531,7 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; + tcp2->th_flags = TH_SYN; fi.fin_data[1] = a5 << 8 | a6; fi.fin_dlen = sizeof(*tcp2); tcp2->th_dport = htons(fi.fin_data[1]); @@ -721,17 +733,22 @@ int rv; tcp = (tcphdr_t *)fin->fin_dp; off = fin->fin_hlen + (tcp->th_off << 2); -#if SOLARIS +#if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else m = *((mb_t **)fin->fin_mp); #endif -#if SOLARIS - mlen = msgdsize(m) - off; +#ifndef _KERNEL + mlen = mbuflen(m); #else - mlen = mbufchainlen(m) - off; +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif #endif + mlen -= off; t = &ftp->ftp_side[1 - rv]; f = &ftp->ftp_side[rv]; @@ -743,15 +760,18 @@ int rv; return 0; } - inc = 0; rptr = f->ftps_rptr; wptr = f->ftps_wptr; + i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; - if (rv) - i = nat->nat_aps->aps_ackoff[sel]; - else - i = nat->nat_aps->aps_seqoff[sel]; + if (rv) { + if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + i = nat->nat_aps->aps_ackoff[sel]; + } else { + if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + i = nat->nat_aps->aps_seqoff[sel]; + } /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so 
@@ -759,18 +779,26 @@ int rv; */ if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) f->ftps_seq = ntohl(tcp->th_seq); - else if (ntohl(tcp->th_seq) + i != f->ftps_seq) { - return APR_ERR(1); + else { + inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc > i) { + return APR_ERR(1); + } } + inc = 0; f->ftps_len = mlen; while (mlen > 0) { len = MIN(mlen, FTP_BUFSZ / 2); -#if SOLARIS - copyout_mblk(m, off, len, wptr); +#if !defined(_KERNEL) + bcopy((char *)m + off, wptr, len); #else +# if SOLARIS + copyout_mblk(m, off, len, wptr); +# else m_copydata(m, off, len, wptr); +# endif #endif mlen -= len; off += len; @@ -800,8 +828,9 @@ int rv; * Off to a bad start so lets just forget about using the * ftp proxy for this connection. */ - if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) + if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { return APR_ERR(2); + } while ((f->ftps_junk == 1) && (rptr < wptr)) { while ((rptr < wptr) && (*rptr != '\r')) diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 45bc74c..6bf7a4d 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -3,13 +3,14 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.5.2.18 2002/03/26 15:54:40 darrenr Exp $ + * $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif -#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) # include "opt_ipfilter_log.h" #endif #ifdef __FreeBSD__ diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index e0d5951..bf34661 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c 
@@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.66 2002/04/23 14:58:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -1768,7 +1768,6 @@ int dir; sumd2 = sumd; } -#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we @@ -1788,7 +1787,6 @@ int dir; CALC_SUMD(sum1, sum2, sumd); sumd2 = sumd; } -#endif } else { /* @@ -1837,7 +1835,6 @@ int dir; sumd2 = sumd; } -#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we @@ -1856,9 +1853,7 @@ int dir; */ CALC_SUMD(sum1, sum2, sumd); sumd2 = sumd; - }; -#endif - + } #endif } diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index a4ce80a..2bc32d4 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.21 2002/03/06 09:44:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -91,8 +91,8 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); #define AP_SESS_SIZE 53 -#if defined(_KERNEL) #include "netinet/ip_ftp_pxy.c" +#if defined(_KERNEL) #include "netinet/ip_rcmd_pxy.c" #include "netinet/ip_raudio_pxy.c" #include "netinet/ip_netbios_pxy.c" diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 2e8b8f3..a6d1773 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c 
@@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.66 2002/04/15 12:14:03 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $"; #endif #ifndef MIN @@ -683,11 +683,18 @@ u_int flags; hv += is->is_sport; hv += is->is_dport; } - is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - - (off = (tcp->th_off << 2)) + - ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); - is->is_maxsend = is->is_send; + if ((flags & FI_IGNOREPKT) == 0) { + is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - + (off = (tcp->th_off << 2)) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); + is->is_maxsend = is->is_send; + + if ((tcp->th_flags & TH_SYN) && + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) + is->is_swscale = fr_tcpoptions(tcp); + } + is->is_maxdwin = 1; is->is_maxswin = ntohs(tcp->th_win); if (is->is_maxswin == 0) @@ -696,10 +703,6 @@ u_int flags; if ((tcp->th_flags & TH_OPENING) == TH_SYN) is->is_fsm = 1; - if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); - /* * If we're creating state for a starting connection, start the * timer on it as we'll never see an error if it fails to @@ -970,7 +973,7 @@ tcphdr_t *tcp; } } MUTEX_EXIT(&is->is_lock); - if ((ret == 0) && (tcp->th_flags != TH_SYN)) + if ((ret == 0) && ((tcp->th_flags & TH_OPENING) != TH_SYN)) fin->fin_misc |= FM_BADSTATE; return ret; } @@ -1224,6 +1227,10 @@ fr_info_t *fin; */ bzero((char *)&src, sizeof(src)); bzero((char *)&dst, sizeof(dst)); + bzero((char *)&ofin, sizeof(ofin)); + ofin.fin_ifp = fin->fin_ifp; + ofin.fin_out = !fin->fin_out; + ofin.fin_v = 4; fr = NULL; switch (oip->ip_p) 
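Review bot: Moving the `(off = (tcp->th_off << 2))` assignment inside the new `if ((flags & FI_IGNOREPKT) == 0)` block (hunk @@ -683) means `off` is no longer assigned when FI_IGNOREPKT is set; if `off` is read later in the enclosing function (context `u_int flags;`, which continues outside the hunk), that path now uses an unassigned local. Hoisting it out of the expression, `off = tcp->th_off << 2;` just before the `if`, keeps the old behaviour regardless of the flag. The same flag also skips setting is_send/is_maxsend, which is only safe if `is` was zeroed earlier — a comment on why an ignored packet must not seed the sequence window would help.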
@@ -1258,12 +1265,8 @@ fr_info_t *fin; savelen = oip->ip_len; oip->ip_len = len; - ofin.fin_v = 4; fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) @@ -1312,12 +1315,8 @@ fr_info_t *fin; */ savelen = oip->ip_len; oip->ip_len = len; - ofin.fin_v = 4; fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) { /* @@ -1847,7 +1846,7 @@ int dir, fsm; break; case TCPS_SYN_SENT: /* 2 */ - if (flags == TH_SYN) { + if ((flags & ~(TH_ECN|TH_CWR)) == TH_SYN) { /* * A retransmitted SYN packet. We do not reset the * timeout here to fr_tcptimeout because a connection @@ -1893,6 +1892,12 @@ int dir, fsm; */ state[dir] = TCPS_ESTABLISHED; newage = fr_tcpidletimeout; + } else if ((flags & ~(TH_ECN|TH_CWR)) == TH_OPENING) { + /* + * We see an SA from 'dir' which is already in + * SYN_RECEIVED state. + */ + newage = fr_tcptimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_RECEIVED @@ -1987,6 +1992,8 @@ int dir, fsm; * timeout */ newage = fr_tcplastack; + else + newage = *age; } /* * We cannot detect when we go out of LAST_ACK state to CLOSED @@ -2094,6 +2101,15 @@ fr_info_t *fin; if (fin->fin_plen < sizeof(*oip)) return NULL; + if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP) && + (oip->ip6_nxt != IPPROTO_ICMPV6)) + return NULL; + + bzero((char *)&ofin, sizeof(ofin)); + ofin.fin_out = !fin->fin_out; + ofin.fin_ifp = fin->fin_ifp; + ofin.fin_v = 6; + if (oip->ip6_nxt == IPPROTO_ICMPV6) { oic = (struct icmp6_hdr *)(oip + 1); /* 
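Review bot: The new protocol check in the IPv6 ICMP-error matching function (hunk @@ -2094) admits TCP and UDP with only `fin->fin_plen < sizeof(*oip)` guarding the inner header, yet the TCP/UDP path in the following hunk (@@ -2149) reads `tcp->th_dport`/`tcp->th_sport` at `oip + 1`, four bytes beyond the inner IPv6 header. If fin_plen measures the data available from oip, the guard should be `if (fin->fin_plen < sizeof(*oip) + 4) return NULL;` or an equivalent per-protocol minimum, otherwise a truncated ICMPv6 error is read past its end. The check also rejects any inner packet carrying an extension header before the transport header, which may be intended but deserves a comment.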
@@ -2119,12 +2135,8 @@ fr_info_t *fin; hv %= fr_statesize; oip->ip6_plen = ntohs(oip->ip6_plen); - ofin.fin_v = 6; fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); oip->ip6_plen = htons(oip->ip6_plen); - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) @@ -2149,10 +2161,8 @@ fr_info_t *fin; RWLOCK_EXIT(&ipf_state); return NULL; - }; + } - if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP)) - return NULL; tcp = (tcphdr_t *)(oip + 1); dport = tcp->th_dport; sport = tcp->th_sport; @@ -2183,12 +2193,8 @@ fr_info_t *fin; */ savelen = oip->ip6_plen; oip->ip6_plen = ip->ip6_plen - sizeof(*ip) - ICMPERR_ICMPHLEN; - ofin.fin_v = 6; fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); oip->ip6_plen = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) { /* diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 2e99b65..0fc3a8d 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.32 2002/04/23 14:59:13 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.26" +#define IPL_VERSION "IP Filter: v3.4.27" #endif -- cgit v1.1 From 09b4027f13b09dedea4e76f08d6bbe525dd0626f Mon Sep 17 00:00:00 2001 
From: darrenr Date: Fri, 7 Jun 2002 08:58:22 +0000 Subject: Import IPFilter 3.4.28 --- sys/contrib/ipfilter/netinet/fil.c | 5 ++-- sys/contrib/ipfilter/netinet/ip_auth.c | 7 ++++-- sys/contrib/ipfilter/netinet/ip_compat.h | 8 ++++-- sys/contrib/ipfilter/netinet/ip_fil.c | 40 ++++++++++++++++++++++-------- sys/contrib/ipfilter/netinet/ip_fil.h | 3 ++- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 10 +++++--- sys/contrib/ipfilter/netinet/ip_h323_pxy.c | 5 ++-- sys/contrib/ipfilter/netinet/ip_nat.c | 8 ++++-- sys/contrib/ipfilter/netinet/ip_proxy.c | 7 ++++-- sys/contrib/ipfilter/netinet/ip_state.c | 19 ++++++++------ sys/contrib/ipfilter/netinet/ipl.h | 4 +-- 11 files changed, 80 insertions(+), 36 deletions(-) (limited to 'sys/contrib') diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 92d82f1..ed319d4 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1501,7 +1501,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ + * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1616,7 +1616,6 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; - num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index 2a73079..efe2e99 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c 
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $"; #endif @@ -615,7 +615,10 @@ void fr_authexpire() } else faep = &fae->fae_next; } - ipauth = &fae_list->fae_fr; + if (fae_list != NULL) + ipauth = &fae_list->fae_fr; + else + ipauth = NULL; for (frp = &fr_authlist; (fr = *frp); ) { if (fr->fr_ref == 1) { diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 3b1b980..81690a7 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -213,7 +213,11 @@ typedef int minor_t; #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # include # ifndef __FreeBSD_version -# include +# ifdef IPFILTER_LKM +# include +# else +# include +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 2aeeaf8..5238356 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; #endif 
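Review bot: `ipauth` can now be NULL after fr_authexpire (the new else branch in hunk @@ -615), so every reader of `ipauth` elsewhere must tolerate that; the old code left it as a bogus non-NULL pointer when `fae_list` was NULL, so existing consumers may never have checked. A comment at the assignment, `/* no expired entries left: ipauth must not be dereferenced until a new one is queued */`, plus a pass over the consumers, would close this out. The consumers are outside the hunk and cannot be checked here.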
@@ -643,6 +643,9 @@ int mode; unit = dev; #endif + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + SPL_NET(s); if (unit == IPL_LOGNAT) { @@ -887,7 +890,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if ((req != SIOCZRLST) && fp->fr_group && @@ -1221,13 +1225,18 @@ fr_info_t *fin; struct mbuf **mp; { struct mbuf *m = *mp; - char *dpsave; - int error; + int error, hlen; + fr_info_t frn; ip_t *ip; - dpsave = fin->fin_dp; + bzero((char *)&frn, sizeof(frn)); + frn.fin_ifp = fin->fin_ifp; + frn.fin_v = fin->fin_v; + frn.fin_out = fin->fin_out; + frn.fin_mp = fin->fin_mp; ip = mtod(m, ip_t *); + hlen = sizeof(*ip); ip->ip_v = fin->fin_v; if (ip->ip_v == 4) { @@ -1242,21 +1251,24 @@ struct mbuf **mp; ip->ip_ttl = ip_defttl; # endif ip->ip_sum = 0; - fin->fin_dp = (char *)(ip + 1); + frn.fin_dp = (char *)(ip + 1); } # ifdef USE_INET6 else if (ip->ip_v == 6) { ip6_t *ip6 = (ip6_t *)ip; + hlen = sizeof(*ip6); ip6->ip6_hlim = 127; - fin->fin_dp = (char *)(ip6 + 1); + frn.fin_dp = (char *)(ip6 + 1); } # endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif - error = ipfr_fastroute(m, mp, fin, NULL); - fin->fin_dp = dpsave; + + fr_makefrip(hlen, ip, &frn); + + error = ipfr_fastroute(m, mp, &frn, NULL); return error; } @@ -1563,6 +1575,9 @@ frdest_t *fdp; /* * Route packet. */ +#ifdef __sgi + ROUTE_RDLOCK(); +#endif bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; @@ -1599,6 +1614,11 @@ frdest_t *fdp; # else rtalloc(ro); # endif + +#ifdef __sgi + ROUTE_UNLOCK(); +#endif + if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; 
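Review bot: In the fastroute function (context `frdest_t *fdp;`) the new `ROUTE_RDLOCK();` (hunk @@ -1563) and `ROUTE_UNLOCK();` (hunk @@ -1599) bracket the route lookup, but the lines between them are not in the diff, so any `return` or `goto` inside that stretch would leave the lock held on __sgi. Worth verifying that nothing between `bzero((caddr_t)ro, sizeof (*ro));` and `rtalloc(ro);` leaves the function early, and adding a comment naming the unlock point, e.g. `/* held until ROUTE_UNLOCK() after rtalloc() below; no early exits in between */`.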
@@ -2098,7 +2118,7 @@ int code; fr_info_t *fin; int dst; { - verbose("- ICMP UNREACHABLE RST sent\n"); + verbose("- ICMP UNREACHABLE sent\n"); return 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 82deef5..56175f2 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -508,6 +508,7 @@ extern int send_reset __P((ip_t *, fr_info_t *)); extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); extern int ipf_log __P((void)); extern struct ifnet *get_unit __P((char *, int)); +extern int mbuflen __P((mb_t *)); # if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 2411bd9..f2603e0 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -766,10 +766,10 @@ int rv; i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; if (rv) { - if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_ackoff[sel]; } else { - if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_seqoff[sel]; } /* 
@@ -781,6 +781,10 @@ int rv; f->ftps_seq = ntohl(tcp->th_seq); else { inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc < 0) + inc = -inc; + if (i < 0) + i = -i; if (inc > i) { return APR_ERR(1); } diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c index a61b040..ec9b2fe 100644 --- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c @@ -52,7 +52,7 @@ unsigned char *data; int datlen, *off; unsigned short *port; { - u_32_t addr; + u_32_t addr, netaddr; u_char *dp; int offset; @@ -62,10 +62,11 @@ unsigned short *port; *port = 0; offset = *off; dp = (u_char *)data; + netaddr = ntohl(ipaddr); for (offset = 0; offset <= datlen - 6; offset++, dp++) { addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; - if (ipaddr == addr) + if (netaddr == addr) { *port = (*(dp + 4) << 8) | *(dp + 5); break; diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index bf34661..da5235a 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -469,8 +469,12 @@ int mode; } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + IPN_CMPSIZ)) { + if (n->in_redir == NAT_REDIRECT && + n->in_pnext != nat->in_pnext) + continue; break; + } } switch (cmd) diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 2bc32d4..2051f2a 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c 
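Review bot: `inc = ntohl(tcp->th_seq) - f->ftps_seq;` followed by the new `if (inc < 0) inc = -inc;` depends on inc being a signed type wide enough for a u_32_t difference; inc's declaration is outside the hunk, and if it is an int the unsigned result is converted with implementation-defined behaviour and `-inc` on INT_MIN is undefined. Since TCP sequence numbers wrap, doing the arithmetic unsigned and deriving the distance explicitly, `u_32_t d = ntohl(tcp->th_seq) - f->ftps_seq; if (d > 0x7fffffff) d = -d;`, avoids both issues. Negating `i` the same way carries the same caveat.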
@@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -122,7 +122,7 @@ aproxy_t ap_proxies[] = { ippr_ipsec_match }, #endif #ifdef IPF_NETBIOS_PROXY - { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL, + { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, NULL, NULL, NULL, ippr_netbios_out, NULL }, #endif #ifdef IPF_H323_PROXY @@ -421,11 +421,14 @@ int inc; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; + short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; + inc = (int)inc2; if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index a6d1773..f4dac8a 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; #endif #ifndef MIN @@ -575,9 +575,9 @@ u_int flags; register u_int hv; struct icmp *ic; ipstate_t ips; + int out, ws; u_int pass; void *ifp; - int out; if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || (fin->fin_misc & FM_BADSTATE)) 
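Review bot: The pair `inc2 = inc; inc = (int)inc2;` in the seq/ack fixup (hunk @@ -421) silently narrows `inc` to 16 bits and sign-extends it back, which is exactly the kind of line a later maintainer removes as a no-op; the reason (presumably callers hand in a 16-bit delta whose sign must be recovered) belongs in a comment such as `/* inc arrives as a 16-bit quantity; round-trip through short to restore its sign */`. If the delta can legitimately exceed 16 bits the narrowing discards data and the callers should be fixed instead. The enclosing function continues outside the hunk.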
@@ -691,8 +691,11 @@ u_int flags; is->is_maxsend = is->is_send; if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) { + ws = fr_tcpoptions(tcp); + if (ws >= 0) + is->is_swscale = ws; + } } is->is_maxdwin = 1; @@ -900,6 +903,7 @@ tcphdr_t *tcp; fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; + win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { @@ -908,7 +912,9 @@ tcphdr_t *tcp; */ fdata->td_end = end; fdata->td_maxwin = 1; - fdata->td_maxend = end + 1; + fdata->td_maxend = end + win; + if (win == 0) + fdata->td_maxend++; } if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ @@ -922,7 +928,6 @@ tcphdr_t *tcp; if (seq == end) seq = end = fdata->td_end; - win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; @@ -1457,7 +1462,7 @@ icmp6again: rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; - else if (fin->fin_rev) + else if (rev != 0) is->is_age = fr_icmpacktimeout; else is->is_age = fr_icmptimeout; diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 0fc3a8d..6cd868d 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.27" +#define IPL_VERSION "IP Filter: v3.4.28" #endif -- cgit v1.1 From 3b0944d7d8baa1478dc2bf42feb9040e7163fb81 Mon Sep 17 00:00:00 2001 
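Review bot: In the new window initialisation `fdata->td_maxend = end + win; if (win == 0) fdata->td_maxend++;` (hunk @@ -908) the `++` for a zero window has no explanation; a comment like `/* a zero window must still admit one byte, as the old end + 1 did */` would record the intent. Note also that `win <<= fdata->td_wscale;` now runs before this block, so the initial td_maxend uses the scaled window where it previously used `end + 1`; if win is a 16-bit type and td_wscale can reach 14 the shift would overflow — confirm win's type, which is declared outside the hunk.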
From: darrenr Date: Wed, 28 Aug 2002 13:34:58 +0000 Subject: 3rd time lucky, i hope. --- sys/contrib/ipfilter/netinet/fil.c | 17 ++- sys/contrib/ipfilter/netinet/ip_compat.h | 5 +- sys/contrib/ipfilter/netinet/ip_fil.c | 23 +++- sys/contrib/ipfilter/netinet/ip_frag.c | 21 ++-- sys/contrib/ipfilter/netinet/ip_frag.h | 6 +- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 190 ++++++++++++++++++++++++----- sys/contrib/ipfilter/netinet/ip_h323_pxy.c | 1 + sys/contrib/ipfilter/netinet/ip_nat.c | 13 +- sys/contrib/ipfilter/netinet/ip_nat.h | 3 +- sys/contrib/ipfilter/netinet/ip_proxy.c | 94 +++++++++++--- sys/contrib/ipfilter/netinet/ip_proxy.h | 4 +- sys/contrib/ipfilter/netinet/ip_state.c | 14 ++- sys/contrib/ipfilter/netinet/ip_state.h | 5 +- sys/contrib/ipfilter/netinet/ipl.h | 4 +- 14 files changed, 313 insertions(+), 87 deletions(-) (limited to 'sys/contrib') diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index ed319d4..146e70a 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1076,7 +1076,7 @@ int out; fin->fin_fr = fr; if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if (fin->fin_fl & FI_FRAG) { - if (ipfr_newfrag(ip, fin, pass) == -1) { + if (ipfr_newfrag(ip, fin) == -1) { ATOMIC_INCL(frstats[out].fr_bnfr); } else { ATOMIC_INCL(frstats[out].fr_nfr); 
@@ -1191,7 +1191,16 @@ logit: * some operating systems. */ if (!out) { - if (pass & FR_RETICMP) { + if (changed == -1) + /* + * If a packet results in a NAT error, do not + * send a reset or ICMP error as it may disrupt + * an existing flow. This is the proxy saying + * the content is bad so just drop the packet + * silently. + */ + ; + else if (pass & FR_RETICMP) { int dst; if ((pass & FR_RETMASK) == FR_FAKEICMP) @@ -1501,7 +1510,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ + * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 81690a7..4d8cfaf 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -186,6 +186,9 @@ typedef struct qif { */ size_t qf_hl; /* header length */ int qf_sap; +# if SOLARIS2 >= 8 + int qf_tunoff; /* tunnel offset */ +#endif size_t qf_incnt; size_t qf_outcnt; } qif_t; diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 5238356..90bcb82 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $"; #endif 
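Review bot: The `if (changed == -1)` arm in hunk @@ -1191 has an empty statement `;` as its body, separated from the condition by a seven-line comment, which is easy to misread and fragile under later edits. Since the `else if` chain continues outside the hunk, folding the condition into the next test would change which arms run; the safe form is to move the comment above the `if` and give the arm an explicit body, `{ /* NAT/proxy rejected the content: drop silently */ }`.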
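Review bot: The `#endif` closing the new `# if SOLARIS2 >= 8` block around `qf_tunoff` in ip_compat.h sits at column 0 while the file indents nested directives (`# if`, `# include`), so it reads as closing an outer block. Writing it as `# endif` matches the surrounding style.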
@@ -157,6 +157,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, fr_info_t *, frdest_t *)); # endif # ifdef __sgi +extern int tcp_mtudisc; extern kmutex_t ipf_rw; extern KRWLOCK_T ipf_mutex; # endif @@ -482,7 +483,7 @@ int ipl_disable() int ipldetach() # endif { - int s, i = FR_INQUE|FR_OUTQUE; + int s, i; #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) int error = 0; # if __NetBSD_Version__ >= 105150000 @@ -523,7 +524,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, i); + i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF @@ -1244,7 +1246,17 @@ struct mbuf **mp; ip->ip_v = IPVERSION; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; - ip->ip_off = 0; + +# if defined(__NetBSD__) || defined(__OpenBSD__) + if (ip_mtudisc != 0) + ip->ip_off = IP_DF; +# else +# if defined(__sgi) + if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0) + ip->ip_off = IP_DF; +# endif +# endif + # if (BSD < 199306) || defined(__sgi) ip->ip_ttl = tcp_ttl; # else @@ -1671,7 +1683,8 @@ frdest_t *fdp; */ if (ip->ip_len <= ifp->if_mtu) { # ifndef sparc -# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) +# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \ + !(__NetBSD_Version__ >= 105110000) ip->ip_id = htons(ip->ip_id); # endif ip->ip_len = htons(ip->ip_len); diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index f240cd9..bed47b7 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c 
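Review bot: Dropping the unconditional `ip->ip_off = 0;` in the `@@ -1244` hunk leaves `ip_off` unset whenever the platform condition or the mtudisc test is false, unless the header was zeroed earlier, which the hunk does not show. Keep the assignment in front of the conditional, `ip->ip_off = 0;`, and let the `#if` block only set `IP_DF` on top of it. The `__sgi` branch additionally reads `ip->ip_p`, which must already be filled in at this point; the function body starts outside the hunk, so that ordering is inferred.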
@@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $"; #endif @@ -120,7 +120,7 @@ extern kmutex_t ipf_rw; #endif -static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **)); +static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); static void ipfr_delete __P((ipfr_t *)); @@ -138,10 +138,9 @@ ipfrstat_t *ipfr_fragstats() * add a new entry to the fragment cache, registering it as having come * through this box, with the result of the filter operation. */ -static ipfr_t *ipfr_new(ip, fin, pass, table) +static ipfr_t *ipfr_new(ip, fin, table) ip_t *ip; fr_info_t *fin; -u_int pass; ipfr_t *table[]; { ipfr_t **fp, *fra, frag; @@ -198,7 +197,7 @@ ipfr_t *table[]; /* * Instert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. - * Set the ttl to the default and mask out logging from "pass" + * Set the ttl to the default. */ if ((fra->ipfr_next = table[idx])) table[idx]->ipfr_prev = fra; @@ -220,17 +219,16 @@ ipfr_t *table[]; } -int ipfr_newfrag(ip, fin, pass) +int ipfr_newfrag(ip, fin) ip_t *ip; fr_info_t *fin; -u_int pass; { ipfr_t *ipf; if ((ip->ip_v != 4) || (fr_frag_lock)) return -1; WRITE_ENTER(&ipf_frag); - ipf = ipfr_new(ip, fin, pass, ipfr_heads); + ipf = ipfr_new(ip, fin, ipfr_heads); RWLOCK_EXIT(&ipf_frag); if (ipf == NULL) { ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr); @@ -241,10 +239,9 @@ u_int pass; } -int ipfr_nat_newfrag(ip, fin, pass, nat) +int ipfr_nat_newfrag(ip, fin, nat) ip_t *ip; fr_info_t *fin; -u_int pass; nat_t *nat; { ipfr_t *ipf; 
@@ -256,10 +253,10 @@ nat_t *nat; off = fin->fin_off; off <<= 3; if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)) - return NULL; + return -1; WRITE_ENTER(&ipf_natfrag); - ipf = ipfr_new(ip, fin, pass, ipfr_nattab); + ipf = ipfr_new(ip, fin, ipfr_nattab); if (ipf != NULL) { ipf->ipfr_data = nat; nat->nat_data = ipf; diff --git a/sys/contrib/ipfilter/netinet/ip_frag.h b/sys/contrib/ipfilter/netinet/ip_frag.h index 03f41f8..4bd6b52 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.h +++ b/sys/contrib/ipfilter/netinet/ip_frag.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp $ + * $Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -48,8 +48,8 @@ typedef struct ipfrstat { extern int fr_ipfrttl; extern int fr_frag_lock; extern ipfrstat_t *ipfr_fragstats __P((void)); -extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int)); -extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *)); +extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *)); extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_forget __P((void *)); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index f2603e0..a5a27be 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -294,7 +294,7 @@ int dlen; ip->ip_len = slen; ip->ip_src = swip; } - return APR_INC(inc); + return inc; } 
@@ -577,7 +577,7 @@ int dlen; wptr = f->ftps_wptr; if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) - return inc; + return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); @@ -717,6 +717,10 @@ size_t len; } +/* + * rv == 0 for outbound processing, + * rv == 1 for inbound processing. + */ int ippr_ftp_process(fin, ip, nat, ftp, rv) fr_info_t *fin; ip_t *ip; @@ -724,15 +728,16 @@ nat_t *nat; ftpinfo_t *ftp; int rv; { - int mlen, len, off, inc, i, sel; + int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff; + u_32_t thseq, thack; char *rptr, *wptr; + ap_session_t *aps; ftpside_t *f, *t; tcphdr_t *tcp; mb_t *m; tcp = (tcphdr_t *)fin->fin_dp; off = fin->fin_hlen + (tcp->th_off << 2); - #if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else 
@@ -750,46 +755,149 @@ int rv; #endif mlen -= off; + aps = nat->nat_aps; t = &ftp->ftp_side[1 - rv]; f = &ftp->ftp_side[rv]; - if (!mlen) { - if (!t->ftps_seq || - (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0) - t->ftps_seq = ntohl(tcp->th_ack); - f->ftps_len = 0; - return 0; - } - - rptr = f->ftps_rptr; - wptr = f->ftps_wptr; - - i = 0; - sel = nat->nat_aps->aps_sel[1 - rv]; - if (rv) { - if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_ackoff[sel]; + thseq = ntohl(tcp->th_seq); + thack = ntohl(tcp->th_ack); + + sel = aps->aps_sel[1 - rv]; + sel2 = aps->aps_sel[rv]; + if (rv == 0) { + seqoff = aps->aps_seqoff[sel]; + if (aps->aps_seqmin[sel] > seqoff + thseq) + seqoff = aps->aps_seqoff[!sel]; + ackoff = aps->aps_ackoff[sel2]; + if (aps->aps_ackmin[sel2] > ackoff + thack) + ackoff = aps->aps_ackoff[!sel2]; } else { - if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_seqoff[sel]; +#if PROXY_DEBUG + printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, + aps->aps_ackmin[sel]); +#endif + seqoff = aps->aps_ackoff[sel]; + if (aps->aps_ackmin[sel] > seqoff + thseq) + seqoff = aps->aps_ackoff[!sel]; + +#if PROXY_DEBUG + printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, + aps->aps_seqmin[sel2]); +#endif + ackoff = aps->aps_seqoff[sel2]; + if (ackoff > 0) { + if (aps->aps_seqmin[sel2] > ackoff + thack) + ackoff = aps->aps_seqoff[!sel2]; + } else { + if (aps->aps_seqmin[sel2] > thack) + ackoff = aps->aps_seqoff[!sel2]; + } } +#if PROXY_DEBUG + printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? 
"IN" : "OUT", + tcp->th_flags, thseq, seqoff, thack, ackoff, mlen); + printf("sel %d seqmin %x/%x offset %d/%d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqmin[sel2], + aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); + printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, + aps->aps_ackmin[sel], aps->aps_ackmin[sel2], + aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); +#endif + /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) - f->ftps_seq = ntohl(tcp->th_seq); +#if PROXY_DEBUG + printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", + rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); +#endif + + ok = 0; + if (t->ftps_seq[0] == 0) + t->ftps_seq[0] = thack, ok = 1; else { - inc = ntohl(tcp->th_seq) - f->ftps_seq; - if (inc < 0) - inc = -inc; - if (i < 0) - i = -i; - if (inc > i) { + if (ackoff == 0) { + if (t->ftps_seq[0] == thack) + ok = 1; + else if (t->ftps_seq[1] == thack) { + t->ftps_seq[0] = thack; + ok = 1; + } + } else { + if (t->ftps_seq[0] + ackoff == thack) + ok = 1; + else if (t->ftps_seq[0] == thack + ackoff) + ok = 1; + else if (t->ftps_seq[1] + ackoff == thack) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } else if (t->ftps_seq[1] == thack + ackoff) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } + } + } + +#if PROXY_DEBUG + if (!ok) + printf("not ok\n"); +#endif + + if (!mlen) { + if (t->ftps_seq[0] + ackoff != thack) return APR_ERR(1); + +#if PROXY_DEBUG + printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); +#endif + if (tcp->th_flags & TH_FIN) { + if (thseq + seqoff == f->ftps_seq[0] + 1 || + f->ftps_seq[0] + seqoff + 1 == thseq || + thseq + seqoff == f->ftps_seq[0] || + thseq == f->ftps_seq[0] + seqoff) + ; + else { +#if PROXY_DEBUG + printf("FIN: thseq %x seqoff %d ftps_seq %x\n", + thseq, seqoff, f->ftps_seq[0]); +#endif + return 
APR_ERR(1); + } } + f->ftps_len = 0; + return 0; } + + ok = 0; + if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1]) + ok = 1; + /* + * Retransmitted data packet. + */ + else if (thseq + mlen == f->ftps_seq[0] || + thseq + mlen == f->ftps_seq[1]) + ok = 1; + if (ok == 0) { + inc = thseq - f->ftps_seq[0]; +#if PROXY_DEBUG + printf("inc %d sel %d rv %d\n", inc, sel, rv); + printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], + f->ftps_seq[1]); + printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], + aps->aps_ackoff[sel]); + printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], + aps->aps_seqoff[sel]); +#endif + + return APR_ERR(1); + } + inc = 0; + rptr = f->ftps_rptr; + wptr = f->ftps_wptr; + f->ftps_seq[0] = thseq; + f->ftps_seq[1] = f->ftps_seq[0] + mlen; f->ftps_len = mlen; while (mlen > 0) { @@ -833,6 +941,7 @@ int rv; * ftp proxy for this connection. */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { + /* f->ftps_seq[1] += inc; */ return APR_ERR(2); } @@ -873,7 +982,24 @@ int rv; } } - t->ftps_seq = ntohl(tcp->th_ack); + /* f->ftps_seq[1] += inc; */ + if (tcp->th_flags & TH_FIN) + f->ftps_seq[1]++; +#ifndef _KERNEL + mlen = mbuflen(m); +#else +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif +#endif + off = fin->fin_hlen + (tcp->th_off << 2); + mlen -= off; +#if PROXY_DEBUG + printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); +#endif + f->ftps_rptr = rptr; f->ftps_wptr = wptr; return APR_INC(inc); diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c index ec9b2fe..8d8ef92 100644 --- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c @@ -9,6 +9,7 @@ * authorized by a written license agreement from QSSL. For more information, * please email licensing@qnx.com. * + * For more details, see QNX_OCL.txt provided with this distribution. */ /* 
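Review bot: In the inbound (`rv != 0`) branch of the `@@ -750` hunk both `PROXY_DEBUG` printfs read `seqoff` and `ackoff` before they are assigned (`seqoff = aps->aps_ackoff[sel];` and `ackoff = aps->aps_seqoff[sel2];` come after the respective printf), so enabling the debug build prints indeterminate values; move each printf below its assignment. The new window checks compare `u_32_t` values with plain `>` (`aps->aps_seqmin[sel] > seqoff + thseq`, `aps->aps_seqmin[sel2] > thack`) whereas the removed code used a signed difference (`(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0`); once a sequence number wraps past 2^32 the unsigned comparisons invert, so a signed-difference `SEQ_GT`-style helper would be safer. The `ok` flag computed in the `t->ftps_seq` block is consulted only by a debug printf; its real effect is the side-assignment to `t->ftps_seq[0]`, which deserves a comment such as `/* resynchronise our view of the peer's ack; ok is diagnostic only */`. ippr_ftp_process's body continues outside the hunk.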
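Review bot: The `mlen` recomputed at the tail of ippr_ftp_process in the `@@ -873` hunk (`mbuflen(m)` / `msgdsize(m)` / `mbufchainlen(m)`, then `mlen -= off`) is read only by the `PROXY_DEBUG` printf, so in normal builds it is dead work and a set-but-unused warning; wrap the recomputation in the same `#if PROXY_DEBUG` or drop it. The two commented-out `/* f->ftps_seq[1] += inc; */` lines, here and in the `ftps_junk` hunk just above, should either go or be replaced by a comment stating why the increment is not applied. The function's start is outside the hunk.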
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index da5235a..854c68d 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -2265,8 +2265,8 @@ register natlookup_t *np; fr_info_t fi; bzero((char *)&fi, sizeof(fi)); - fi.fin_data[0] = np->nl_inport; - fi.fin_data[1] = np->nl_outport; + fi.fin_data[0] = ntohs(np->nl_inport); + fi.fin_data[1] = ntohs(np->nl_outport); /* * If nl_inip is non null, this is a lookup based on the real @@ -2448,7 +2448,7 @@ maskloop: if (nat) { np = nat->nat_ptr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); MUTEX_ENTER(&nat->nat_lock); if (fin->fin_p != IPPROTO_TCP) { if (np && np->in_age[1]) @@ -2540,6 +2540,8 @@ maskloop: i = appr_check(ip, fin, nat); if (i == 0) i = 1; + else if (i == -1) + nat->nat_drop[1]++; } else i = 1; ATOMIC_INCL(nat_stats.ns_mapped[1]); @@ -2664,11 +2666,12 @@ maskloop: np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); if (np && (np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { i = appr_check(ip, fin, nat); if (i == -1) { + nat->nat_drop[0]++; RWLOCK_EXIT(&ipf_nat); return i; } diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h index b3b0b27..e1b160f 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.h +++ b/sys/contrib/ipfilter/netinet/ip_nat.h 
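Review bot: The new `nat->nat_drop[1]++` in the `@@ -2540` hunk, and `nat->nat_drop[0]++` in `@@ -2664`, are plain increments on a counter living in a shared `nat_t`, while the statistic beside them is bumped with `ATOMIC_INCL(nat_stats.ns_mapped[1])`. Unless these lines run under `nat->nat_lock` (the `MUTEX_ENTER` visible in the `@@ -2448` hunk belongs to a different region), use the matching macro, `ATOMIC_INC32(nat->nat_drop[1]);`, so the drop counters are as reliable as the rest of the stats.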
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -77,6 +77,7 @@ typedef struct nat { struct in_addr nat_oip; /* other ip */ U_QUAD_T nat_pkts; U_QUAD_T nat_bytes; + u_int nat_drop[2]; u_short nat_oport; /* other port */ u_short nat_inport; u_short nat_outport; diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 2051f2a..f36753a 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -89,6 +89,8 @@ extern KRWLOCK_T ipf_nat, ipf_state; static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); +#define PROXY_DEBUG 0 + #define AP_SESS_SIZE 53 #include "netinet/ip_ftp_pxy.c" @@ -313,9 +315,19 @@ nat_t *nat; sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif if (sum != tcp->th_sum) { +#if PROXY_DEBUG + printf("proxy tcp checksum failure\n"); +#endif frstats[fin->fin_out].fr_tcpbad++; return -1; } + + /* + * Don't both the proxy with these...or in fact, should + * we free up proxy stuff when seen? + */ + if ((tcp->th_flags & TH_RST) != 0) + return 0; } apr = aps->aps_apr; @@ -329,9 +341,16 @@ nat_t *nat; } rv = APR_EXIT(err); - if (rv == 1) + if (rv == 1) { +#if PROXY_DEBUG + printf("proxy says bad packet received\n"); +#endif return -1; + } if (rv == 2) { +#if PROXY_DEBUG + printf("proxy says free app proxy data\n"); +#endif appr_free(apr); nat->nat_aps = NULL; return -1; 
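Review bot: `u_int nat_drop[2];` is added to `struct nat` without a comment, unlike the neighbouring fields (`/* other ip */`, `/* other port */`), and the two ip_nat.c hunks that use it appear to index it by direction the way `ns_mapped` is indexed; document it as `u_int nat_drop[2]; /* packets rejected by the proxy, per direction, indexed like ns_mapped */`. Because the field is inserted in the middle of the struct, every userland consumer of `nat_t` has to be rebuilt against this header, which is worth a line in the commit description.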
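Review bot: The new `if ((tcp->th_flags & TH_RST) != 0) return 0;` in the `@@ -313` hunk leaves appr_check before the seq/ack fixup that presumably follows later in the function (not visible here), so a RST whose sequence number was shifted by earlier proxy edits reaches the peer untranslated; a peer that validates the RST against its window may discard it and keep the connection half open. If the intent is only to spare the application proxy, skip just the `apr` call and still fall through to appr_fixseqack. The comment also has a typo (`Don't both` → `Don't bother`), and its open question about freeing proxy state reads better as an explicit `TODO`.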
@@ -412,6 +431,9 @@ ap_session_t *aps; } +/* + * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise + */ static int appr_fixseqack(fin, ip, aps, inc) fr_info_t *fin; ip_t *ip; @@ -425,8 +447,12 @@ int inc; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; + /* + * ip_len has already been adjusted by 'inc'. + */ nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; inc = (int)inc2; @@ -436,8 +462,13 @@ int inc; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; @@ -450,8 +481,13 @@ int inc; } if (inc && (seq1 > aps->aps_seqmin[!sel])) { - aps->aps_seqmin[!sel] = seq1 + nlen - 1; - aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc; + aps->aps_seqmin[sel] = seq1 + nlen - 1; + aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy seq set %d at %x to %d + %d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ @@ -461,8 +497,13 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; 
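Review bot: The `@@ -450` hunk changes the outbound seq-set update from `aps_seqmin[!sel]`/`aps_seqoff[!sel]` to `aps_seqmin[sel]`/`aps_seqoff[sel]`, while the matching ack-side update in the `@@ -492` hunk of the next file part still writes `aps_ackmin[!sel]`/`aps_ackoff[!sel]`; if the asymmetry is intended, say so in a comment, because the two blocks otherwise look like copies that drifted apart. With `aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc` the offset now accumulates in the active set, which is the behavioural change the commit should document. The closing braces added for the new `if (...) {` blocks sit at column 0 (`+}`) in this hunk and the ones on either side of it; indent them to match their `if`.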
@@ -475,12 +516,16 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_ackoff[sel]) { - seq2 = aps->aps_ackmin[sel] - - aps->aps_ackoff[sel]; + seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; if (seq1 > seq2) { seq2 = aps->aps_ackoff[sel]; seq1 += seq2; @@ -492,6 +537,11 @@ int inc; if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy ack set %d at %x to %d + %d\n", !sel, + aps->aps_seqmin[!sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ @@ -501,15 +551,31 @@ int inc; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} - if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) { - seq2 = aps->aps_seqoff[sel]; - tcp->th_ack = htonl(seq1 - seq2); - ch = 1; + if (aps->aps_seqoff[sel] != 0) { +#if PROXY_DEBUG + printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, + aps->aps_seqoff[sel], seq1, + aps->aps_seqmin[sel]); +#endif + if (seq1 > aps->aps_seqmin[sel]) { + seq2 = aps->aps_seqoff[sel]; + tcp->th_ack = htonl(seq1 - seq2); + ch = 1; + } } } +#if PROXY_DEBUG + printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq), + ntohl(tcp->th_ack)); +#endif return ch ? 2 : 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.h b/sys/contrib/ipfilter/netinet/ip_proxy.h index 0f1ab84..fad791d 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.h +++ b/sys/contrib/ipfilter/netinet/ip_proxy.h 
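Review bot: The `PROXY_DEBUG` printf added after `aps->aps_ackmin[!sel] = ...; aps->aps_ackoff[!sel] = ...;` in the `@@ -492` hunk prints `aps->aps_seqmin[!sel]` and `aps->aps_seqoff[sel]`, i.e. the seq arrays rather than the ack values just written, a copy of the seq-path printf. It should read `printf("proxy ack set %d at %x to %d + %d\n", !sel, aps->aps_ackmin[!sel], aps->aps_ackoff[sel], inc);`. The function's start is outside the hunk.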
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -95,7 +95,7 @@ typedef struct aproxy { typedef struct ftpside { char *ftps_rptr; char *ftps_wptr; - u_32_t ftps_seq; + u_32_t ftps_seq[2]; u_32_t ftps_len; int ftps_junk; int ftps_cmds; diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index f4dac8a..43fe820 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $"; #endif #ifndef MIN @@ -741,6 +741,7 @@ u_int flags; is->is_hv = hv; is->is_rule = fin->fin_fr; if (is->is_rule != NULL) { + is->is_group = is->is_rule->fr_group; ATOMIC_INC32(is->is_rule->fr_ref); pass = is->is_rule->fr_flags; is->is_frage[0] = is->is_rule->fr_age[0]; @@ -810,7 +811,7 @@ u_int flags; RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); return is; } @@ -1066,7 +1067,7 @@ tcphdr_t *tcp; } else { is->is_src = fin->fin_fi.fi_dst; } - } else if ((flags & FI_W_DPORT) != 0) { + } else if ((flags & FI_W_DADDR) != 0) { if (rev == 0) { is->is_dst = fin->fin_fi.fi_dst; } else { @@ -1402,7 +1403,8 @@ fr_info_t *fin; tcphdr_t *tcp; int rev; - if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT)) + if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock || + (fin->fin_fl & FI_SHORT)) return NULL; is = NULL; 
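Review bot: The new `(ips_list == NULL)` early-out in the `@@ -1402` hunk reads the state-list head before any lock is taken (the lock acquisition is later in the function, outside the hunk), so it is an unsynchronised check. As a fast path it is harmless only because a stale non-NULL read just falls through to the locked lookup; a comment such as `/* unlocked fast path: an empty table cannot match */` would keep a future reader from treating it as a synchronised test.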
@@ -1633,7 +1635,7 @@ retry_tcpudp: pass = is->is_pass; RWLOCK_EXIT(&ipf_state); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); #ifndef _KERNEL if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE)) fr_delstate(is); @@ -2044,6 +2046,8 @@ u_int type; ipsl.isl_p = is->is_p; ipsl.isl_v = is->is_v; ipsl.isl_flags = is->is_flags; + ipsl.isl_rulen = is->is_rulen; + ipsl.isl_group = is->is_group; if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { ipsl.isl_sport = is->is_sport; ipsl.isl_dport = is->is_dport; diff --git a/sys/contrib/ipfilter/netinet/ip_state.h b/sys/contrib/ipfilter/netinet/ip_state.h index 01b1256..35368c4 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.h +++ b/sys/contrib/ipfilter/netinet/ip_state.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $ + * $Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -86,6 +86,7 @@ typedef struct ipstate { tcpstate_t is_ts; udpstate_t is_us; } is_ps; + u_32_t is_group; char is_ifname[4][IFNAMSIZ]; #if SOLARIS || defined(__sgi) kmutex_t is_lock; @@ -147,6 +148,8 @@ typedef struct ipslog { u_char isl_p; u_char isl_flags; u_char isl_state[2]; + u_32_t isl_rulen; + u_32_t isl_group; } ipslog_t; #define isl_sport isl_ps.isl_ports[0] diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 6cd868d..ced3e56 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h 
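Review bot: Appending `isl_rulen` and `isl_group` to `ipslog_t` in the `@@ -147` hunk changes the size of every state log record that the ip_state.c `@@ -2044` hunk fills in, so a log reader built against the previous header will mis-parse the stream; nothing in this diff bumps a version or length field that would let it detect the new layout. Note the record-format change in the commit description and rebuild the userland reader with it. `is_group` is only populated in the `is_rule != NULL` branch of the `@@ -741` hunk, so states without a rule log whatever `is_group` was initialised to, presumably zero, which is worth confirming.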
@@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.28" +#define IPL_VERSION "IP Filter: v3.4.29" #endif -- cgit v1.1 From 6c914c7379a092da784f7d28d9a2f92e5cc0fc87 Mon Sep 17 00:00:00 2001 From: darrenr Date: Sat, 15 Feb 2003 06:18:25 +0000 Subject: Import IPFilter 3.4.31 into -current --- sys/contrib/ipfilter/netinet/fil.c | 65 +++++-- sys/contrib/ipfilter/netinet/ip_auth.c | 122 ++++++++----- sys/contrib/ipfilter/netinet/ip_auth.h | 8 +- sys/contrib/ipfilter/netinet/ip_compat.h | 4 +- sys/contrib/ipfilter/netinet/ip_fil.c | 113 +++++++++--- sys/contrib/ipfilter/netinet/ip_fil.h | 18 +- sys/contrib/ipfilter/netinet/ip_frag.c | 4 +- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 278 ++++++++++++++++++++++------- sys/contrib/ipfilter/netinet/ip_log.c | 29 ++- sys/contrib/ipfilter/netinet/ip_nat.c | 88 ++++++++- sys/contrib/ipfilter/netinet/ip_nat.h | 4 +- sys/contrib/ipfilter/netinet/ip_proxy.c | 24 +-- sys/contrib/ipfilter/netinet/ip_proxy.h | 3 +- sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c | 3 +- sys/contrib/ipfilter/netinet/ip_state.c | 49 +++-- sys/contrib/ipfilter/netinet/ipl.h | 4 +- sys/contrib/ipfilter/netinet/y | 12 ++ sys/contrib/ipfilter/netinet/y.pub | 1 + 18 files changed, 622 insertions(+), 207 deletions(-) create mode 100644 sys/contrib/ipfilter/netinet/y create mode 100644 sys/contrib/ipfilter/netinet/y.pub (limited to 'sys/contrib') diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 146e70a..a981fcb 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
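Review bot: The diffstat for this import lists two newly created files, `sys/contrib/ipfilter/netinet/y` (12 lines) and `sys/contrib/ipfilter/netinet/y.pub` (1 line), that no hunk on this page touches and that are not part of the IPFilter sources; the names and sizes are consistent with a generated key pair rather than code, so they should be inspected and dropped from the import before it is merged, and treated as exposed if they turn out to be key material. On the hunk itself, `#if defined(__sgi) && (IRIX > 602)` relies on an undefined `IRIX` evaluating to 0 in `#if`, which is fine, but the same pattern recurs in ip_auth.c and ip_fil.c below and would read better with a short comment on the first occurrence naming the IRIX release it excludes.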
@@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $"; #endif #ifndef _KERNEL @@ -699,7 +699,8 @@ void *m; if (!fr_tcpudpchk(&fr->fr_tuc, fin)) continue; } else if (fr->fr_icmpm || fr->fr_icmp) { - if ((fi->fi_p != IPPROTO_ICMP) || off || + if (((fi->fi_p != IPPROTO_ICMP) && + (fi->fi_p != IPPROTO_ICMPV6)) || off || (fin->fin_dlen < 2)) continue; if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { @@ -814,6 +815,26 @@ int out; # endif int up; +# if !SOLARIS && !defined(NETBSD_PF) && \ + ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \ + defined(__OpenBSD__) || defined(_BSDI_VERSION)) + if (fr_checkp != fr_check && fr_running > 0) { + static int counter = 0; + + if (counter == 0) { + printf("WARNING: fr_checkp corrupt: value %lx\n", + (u_long)fr_checkp); + printf("WARNING: fr_checkp should be %lx\n", + (u_long)fr_check); + printf("WARNING: fixing fr_checkp\n"); + } + fr_checkp = fr_check; + counter++; + if (counter == 10000) + counter = 0; + } +# endif + # ifdef M_CANFASTFWD /* * XXX For now, IP Filter and fast-forwarding of cached flows @@ -1510,7 +1531,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $ + * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1716,9 +1737,9 @@ frentry_t **listp; } -int frflush(unit, flags) +int frflush(unit, proto, flags) minor_t unit; -int flags; +int proto, flags; { int flushed = 0, set; 
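Review bot: The new `fr_checkp` repair block in the `@@ -814` hunk silently rewrites the hook pointer and prints its warning only when `counter == 0`, i.e. on the first hit and then once per 10000 corrections, so a persistently clobbered hook — another module fighting for the hook, or tampering with kernel state — is visible to the operator once and then hidden. Log every restore or at least carry the running count, e.g. `printf("WARNING: fr_checkp corrupt (%d times), value %lx\n", counter, (u_long)fr_checkp);`, and consider counting it in `frstats` so it is reachable from userland. The `static int counter` is shared by all CPUs without locking, which only affects the warning cadence but deserves a comment. fr_check's signature is outside the hunk.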
@@ -1733,19 +1754,35 @@ int flags; if (flags & FR_OUTQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[1][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[1][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[1][set]); + } } if (flags & FR_INQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[0][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[0][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[0][set]); + } } RWLOCK_EXIT(&ipf_mutex); return flushed; diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index efe2e99..604d754 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
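Review bot: The new `proto` parameter of frflush is compared with the bare literals 0, 4 and 6 in every branch and is described nowhere; add a header comment above the definition, `/* proto: 0 = all address families, 4 = IPv4 lists only, 6 = IPv6 lists only */`, and ideally give the values names. The earlier commit on this page shows ipldetach calling the two-argument form `frflush(IPL_LOGIPF, ...)`; the updated callers and the prototype in the corresponding header are not visible here, so they should be checked against the new signature.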
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $"; #endif @@ -292,9 +292,9 @@ ip_t *ip; cv_signal(&ipfauthwait); #else # if defined(BSD) && !defined(sparc) && (BSD >= 199306) - if (!fin->fin_out) { - HTONS(ip->ip_len); - HTONS(ip->ip_off); + if (fin->fin_out == 0) { + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); } # endif fr_authpkts[i] = m; @@ -304,7 +304,7 @@ ip_t *ip; } -int fr_auth_ioctl(data, mode, cmd, fr, frptr) +int fr_auth_ioctl(data, mode, cmd) caddr_t data; int mode; #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003) @@ -312,7 +312,6 @@ u_long cmd; #else int cmd; #endif -frentry_t *fr, **frptr; { mb_t *m; #if defined(_KERNEL) && !SOLARIS @@ -320,12 +319,15 @@ frentry_t *fr, **frptr; int s; #endif frauth_t auth, *au = &auth, *fra; - frauthent_t *fae, **faep; int i, error = 0; switch (cmd) { case SIOCSTLCK : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } error = fr_lock(data, &fr_auth_lock); break; case SIOCINIFR : 
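Review bot: The added `FWRITE` check in the `@@ -320` hunk guards only `SIOCSTLCK`; the remaining cases of the switch are outside the hunk and get no equivalent test in this diff, so whether a read-only open of the device can still drive the state-changing ioctls depends on the caller enforcing mode, which should be confirmed. With `fae`/`faep` removed, the `int s;` declared under `#if defined(_KERNEL) && !SOLARIS` survives; if no remaining case uses `SPL_NET(s)` it is now an unused variable and should go too.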
@@ -338,45 +340,8 @@ frentry_t *fr, **frptr; break; case SIOCRMAFR : case SIOCADAFR : - for (faep = &fae_list; (fae = *faep); ) - if (&fae->fae_fr == fr) - break; - else - faep = &fae->fae_next; - if (cmd == SIOCRMAFR) { - if (!fr || !frptr) - error = EINVAL; - else if (!fae) - error = ESRCH; - else { - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - *faep = fae->fae_next; - *frptr = fr->fr_next; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - KFREE(fae); - } - } else if (fr && frptr) { - KMALLOC(fae, frauthent_t *); - if (fae != NULL) { - bcopy((char *)fr, (char *)&fae->fae_fr, - sizeof(*fr)); - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - fae->fae_age = fr_defaultauthage; - fae->fae_fr.fr_hits = 0; - fae->fae_fr.fr_next = *frptr; - *frptr = &fae->fae_fr; - fae->fae_next = *faep; - *faep = fae; - ipauth = &fae_list->fae_fr; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - } else - error = ENOMEM; - } else - error = EINVAL; + /* These commands go via request to fr_preauthcmd */ + error = EINVAL; break; case SIOCATHST: fr_authstats.fas_faelist = fae_list; 
@@ -630,3 +595,66 @@ void fr_authexpire() RWLOCK_EXIT(&ipf_auth); SPL_X(s); } + +int fr_preauthcmd(cmd, fr, frptr) +#if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) +u_long cmd; +#else +int cmd; +#endif +frentry_t *fr, **frptr; +{ + frauthent_t *fae, **faep; + int error = 0; +#if defined(KERNEL) && !SOLARIS + int s; +#endif + + if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { + /* Should not happen */ + printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd); + return EIO; + } + + for (faep = &fae_list; (fae = *faep); ) + if (&fae->fae_fr == fr) + break; + else + faep = &fae->fae_next; + if (cmd == SIOCRMAFR) { + if (!fr || !frptr) + error = EINVAL; + else if (!fae) + error = ESRCH; + else { + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + *faep = fae->fae_next; + *frptr = fr->fr_next; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + KFREE(fae); + } + } else if (fr && frptr) { + KMALLOC(fae, frauthent_t *); + if (fae != NULL) { + bcopy((char *)fr, (char *)&fae->fae_fr, + sizeof(*fr)); + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + fae->fae_age = fr_defaultauthage; + fae->fae_fr.fr_hits = 0; + fae->fae_fr.fr_next = *frptr; + *frptr = &fae->fae_fr; + fae->fae_next = *faep; + *faep = fae; + ipauth = &fae_list->fae_fr; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + } else + error = ENOMEM; + } else + error = EINVAL; + return error; +} diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h index cb168c4..e0cbf04 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.h +++ b/sys/contrib/ipfilter/netinet/ip_auth.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_auth.h,v 2.3.2.5 2001/11/04 13:15:51 darrenr Exp $ + * $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ 
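Review bot: fr_preauthcmd declares `int s;` under `#if defined(KERNEL) && !SOLARIS`, but the rest of ip_auth.c uses `_KERNEL` (see `#if defined(_KERNEL) && !SOLARIS` in fr_auth_ioctl above); on a kernel build where only `_KERNEL` is defined, `s` is undeclared while `SPL_NET(s)`/`SPL_X(s)` still name it, so the condition should read `#if defined(_KERNEL) && !SOLARIS`. The bad-cmd diagnostic `printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);` lacks a trailing `\n`. The list walk `for (faep = &fae_list; (fae = *faep); )` runs before `WRITE_ENTER(&ipf_auth)` is taken, as the removed code also did; a comment stating what serialises callers would make that deliberate rather than accidental.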
@@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[]; extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *)); #if defined(__NetBSD__) || defined(__OpenBSD__) || \ (__FreeBSD_version >= 300003) -extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, u_long)); #else -extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, int)); #endif #endif /* __IP_AUTH_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 4d8cfaf..3eacc73 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -532,6 +532,7 @@ extern ill_t *get_unit __P((char *, int)); # ifdef sun # if !SOLARIS +# include # include # define GETUNIT(n, v) ifunit(n, IFNAMSIZ) # define IFNAME(x) ((struct ifnet *)x)->if_name @@ -654,6 +655,7 @@ extern vm_map_t kmem_map; # define IWCOPYPTR iwcopyptr # define IFNAME(x) get_ifname((struct ifnet *)x) # define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d) +# include extern void m_copydata __P((mb_t *, int, int, caddr_t)); extern int ipfuiomove __P((caddr_t, int, int, struct uio *)); #endif /* KERNEL */ diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 90bcb82..8fcd05d 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -24,7 +24,7 @@ # include # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # define _KMEMUSER # include #endif 
@@ -117,10 +117,14 @@ # include extern int ip_optcopy __P((struct ip *, struct ip *)); #endif +#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL) +extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *, + struct ifnet *, struct in6_addr *, u_long *); +#endif #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $"; #endif @@ -192,6 +196,15 @@ struct timeout ipfr_slowtimer_ch; toid_t ipfr_slowtimer_ch; #endif +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \ + defined(_KERNEL) +# include +const struct cdevsw ipl_cdevsw = { + iplopen, iplclose, iplread, nowrite, iplioctl, + nostop, notty, nopoll, nommap, +}; +#endif + #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include # include @@ -319,7 +332,7 @@ int count; # endif -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) int ipl_enable() # else int iplattach() @@ -363,10 +376,13 @@ int iplattach() # ifdef NETBSD_PF # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) # if __NetBSD_Version__ >= 105110000 - if ( - !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) + ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); +# ifdef USE_INET6 + ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); +# endif + if (ph_inet == NULL # ifdef USE_INET6 - && !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6)) + && ph_inet6 == NULL # endif ) return ENODEV; @@ -484,7 +500,8 @@ int ipldetach() # endif { int s, i; -#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) +#if defined(NETBSD_PF) && \ + ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) int error = 0; # if __NetBSD_Version__ >= 105150000 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); 
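Review bot: Under USE_INET6 the rebuilt guard in iplattach/ipl_enable, `if (ph_inet == NULL && ph_inet6 == NULL) return ENODEV;`, still accepts the case where exactly one head is missing, and the hook registration that follows is outside the hunk; if it passes both ph_inet and ph_inet6 to pfil_add_hook, a NULL head reaches it. Either fail when either head is absent, or register each family's hook only when its head is non-NULL, e.g. `if (ph_inet6 != NULL)` around the INET6 registration. The enclosing function starts and ends outside the hunk.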
@@ -524,8 +541,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF @@ -670,7 +687,16 @@ int mode; if (!fr_running) error = EIO; else - error = fr_auth_ioctl(data, mode, cmd, NULL, NULL); + if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { + if (!(mode & FWRITE)) { + error = EPERM; + } else { + error = frrequest(unit, cmd, data, + fr_active); + } + } else { + error = fr_auth_ioctl(data, mode, cmd); + } SPL_X(s); return error; } @@ -694,7 +720,7 @@ int mode; if (error) break; if (enable) -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) error = ipl_enable(); # else error = iplattach(); @@ -767,12 +793,26 @@ int mode; else { error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { - tmp = frflush(unit, tmp); + tmp = frflush(unit, 4, tmp); error = IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); } } break; +#ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(unit, 6, tmp); + error = IWCOPY((caddr_t)&tmp, data, + sizeof(tmp)); + } + } + break; +#endif case SIOCSTLCK : error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { @@ -797,12 +837,6 @@ int mode; if (error) error = EFAULT; break; - case SIOCAUTHW : - case SIOCAUTHR : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } case SIOCFRSYN : if (!(mode & FWRITE)) error = EPERM; @@ -1008,6 +1042,9 @@ caddr_t data; return EBUSY; if (fg && fg->fg_head) fg->fg_head->fr_ref--; + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, f, ftail); + } if (f->fr_grhead) fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, unit, set); 
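Review bot: The new IPL_LOGAUTH dispatch in iplioctl puts `else` on one line and `if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {` on the next, so the chain does not read as the usual `} else if (...) {` and the indentation of the two `error =` arms suggests a different nesting from the one the braces give. Folding it to `else if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {` ... `} else {` matches the rest of the switch. The enclosing iplioctl body starts and ends outside the hunk.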
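Review bot: In frrequest's delete path the early `return fr_preauthcmd(req, f, ftail);` comes after `fg->fg_head->fr_ref--;` has already been applied, so when fr_preauthcmd fails (ESRCH when the entry is not on fae_list, or EINVAL) the group head's reference count has been dropped for a rule that was never removed. Moving the `if (unit == IPL_LOGAUTH)` test ahead of the decrement, or restoring the count on a non-zero return, keeps it consistent. frrequest continues outside the hunk, so anything it normally does after this point (lock release, group bookkeeping) is also skipped by the early return and should be confirmed unnecessary for the auth unit; the matching early return in the add path, in the next hunk, has the same tail-skipping question.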
@@ -1022,6 +1059,9 @@ caddr_t data; if (f) error = EEXIST; else { + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, fp, ftail); + } KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) @@ -1247,7 +1287,8 @@ struct mbuf **mp; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; -# if defined(__NetBSD__) || defined(__OpenBSD__) +# if defined(__NetBSD__) || \ + (defined(__OpenBSD__) && (OpenBSD >= 200012)) if (ip_mtudisc != 0) ip->ip_off = IP_DF; # else @@ -1482,7 +1523,7 @@ void iplinit() { -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) if (ipl_enable() != 0) # else if (iplattach() != 0) @@ -1587,7 +1628,7 @@ frdest_t *fdp; /* * Route packet. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX >= 605) ROUTE_RDLOCK(); #endif bzero((caddr_t)ro, sizeof (*ro)); @@ -1627,7 +1668,7 @@ frdest_t *fdp; rtalloc(ro); # endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) ROUTE_UNLOCK(); #endif @@ -1898,6 +1939,12 @@ frdest_t *fdp; struct route_in6 *ro; struct ifnet *ifp; frentry_t *fr; +#if defined(OpenBSD) && (OpenBSD >= 200211) + struct route_in6 *ro_pmtu = NULL; + struct in6_addr finaldst; + ip6_t *ip6; +#endif + u_long mtu; int error; ifp = NULL; @@ -1935,11 +1982,23 @@ frdest_t *fdp; dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway; ro->ro_rt->rt_use++; - if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu) - error = nd6_output(ifp, fin->fin_ifp, m0, dst6, - ro->ro_rt); - else - error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + ip6 = mtod(m0, ip6_t *); + ro_pmtu = ro; + finaldst = ip6->ip6_dst; + error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu); + if (error == 0) { +#else + mtu = nd_ifinfo[ifp->if_index].linkmtu; +#endif + if (m0->m_pkthdr.len <= mtu) + error = nd6_output(ifp, fin->fin_ifp, m0, + dst6, ro->ro_rt); + else + error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + } +#endif } if (ro->ro_rt != NULL) { 
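Review bot: The two IRIX guards around the route lock in the same routing function (its header is outside the hunks) disagree: `ROUTE_RDLOCK();` is now compiled under `#if defined(__sgi) && (IRIX >= 605)` while the matching `ROUTE_UNLOCK();` further down is under `#if defined(__sgi) && (IRIX > 602)`, so on IRIX 603 and 604 the unlock runs without the lock ever being taken. Both should use one condition; the rest of this commit uses `(IRIX > 602)` for the __sgi-specific includes. In the IPv6 path, opening `if (error == 0) {` inside one `#if defined(OpenBSD)` block and closing it in another works but is fragile; initialising `mtu` and computing `error` in a single conditional block, then running the unconditional length test, would avoid braces that only balance across preprocessor blocks.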
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 56175f2..b97c796 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -63,6 +63,7 @@ # define SIOCSTGET _IOWR('r', 81, struct ipstate_save *) # define SIOCSTGSZ _IOWR('r', 82, struct natget) # define SIOCGFRST _IOWR('r', 83, struct ipfrstat *) +# define SIOCIPFL6 _IOWR('r', 84, int) #else # define SIOCADAFR _IOW(r, 60, struct frentry *) # define SIOCRMAFR _IOW(r, 61, struct frentry *) @@ -88,6 +89,7 @@ # define SIOCSTGET _IOWR(r, 81, struct ipstate_save *) # define SIOCSTGSZ _IOWR(r, 82, struct natget) # define SIOCGFRST _IOWR(r, 83, struct ipfrstat *) +# define SIOCIPFL6 _IOWR(r, 84, int) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR @@ -412,14 +414,16 @@ typedef struct frgroup { * structure which is then followed by any packet data. */ typedef struct iplog { - u_32_t ipl_magic; - u_int ipl_count; - u_long ipl_sec; - u_long ipl_usec; - size_t ipl_dsize; + u_32_t ipl_magic; + u_int ipl_count; + struct timeval ipl_tv; + size_t ipl_dsize; struct iplog *ipl_next; } iplog_t; +#define ipl_sec ipl_tv.tv_sec +#define ipl_usec ipl_tv.tv_usec + #define IPL_MAGIC 0x49504c4d /* 'IPLM' */ #define IPLOG_SIZE sizeof(iplog_t) 
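Review bot: `#define ipl_sec ipl_tv.tv_sec` and `#define ipl_usec ipl_tv.tv_usec` are object-like macros in a widely included header, so they rewrite every identifier of those names in every translation unit that includes ip_fil.h, not just iplog member accesses; any other variable or member called ipl_sec silently becomes `ipl_tv.tv_sec`. Since the visible motivation is keeping existing `ipl->ipl_sec` accesses compiling, a comment such as `/* compatibility names for the old separate members; prefer ipl_tv */` next to the defines, or updating the few accesses instead, would be safer. If the iplog record is what userland reads from the log device (not visible here), replacing two u_long fields with a struct timeval also changes the record layout on platforms where sizeof(struct timeval) differs from 2 * sizeof(u_long), which would warrant bumping whatever version the reader checks.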
@@ -612,7 +616,7 @@ extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *)); extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int)); extern int ipflog_read __P((minor_t, struct uio *)); -extern int frflush __P((minor_t, int)); +extern int frflush __P((minor_t, int, int)); extern void frsync __P((void)); extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int)); extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int)); diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index bed47b7..0f3b818 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -7,7 +7,7 @@ # define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $"; #endif diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index a5a27be..0108410 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.42 2002/11/25 21:42:35 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; 
@@ -39,24 +39,30 @@ extern kmutex_t ipf_rw; #define FTPXY_PASS_2 14 #define FTPXY_PAOK_2 15 +/* + * Values for FTP commands. Numerics cover 0-999 + */ +#define FTPXY_C_PASV 1000 + int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_complete __P((char *, size_t)); int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_init __P((void)); int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); -int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int)); +int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int)); int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); -int ippr_ftp_valid __P((int, char *, size_t)); -int ippr_ftp_server_valid __P((char *, size_t)); -int ippr_ftp_client_valid __P((char *, size_t)); +int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t)); +int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t)); +int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t)); u_short ippr_ftp_atoi __P((char **)); static frentry_t ftppxyfr; int ippr_ftp_pasvonly = 0; int ippr_ftp_insecure = 0; +int ippr_ftp_forcepasv = 0; /* @@ -123,8 +129,13 @@ int dlen; /* * Check for client sending out PORT message. */ - if (dlen < IPF_MINPORTLEN) + if (dlen < IPF_MINPORTLEN) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen); +#endif return 0; + } off = fin->fin_hlen + (tcp->th_off << 2); /* * Skip the PORT command + space 
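Review bot: Every rejection path in ippr_ftp_port now carries a five-line `#if !defined(_KERNEL) && !defined(KERNEL)` / `fprintf(stdout, ...)` / `#endif` block, and the same pattern is repeated through ippr_ftp_pasv, ippr_ftp_client_valid, ippr_ftp_server_valid and ippr_ftp_process in the following hunks of this file. A single file-local macro, `#define FTP_DEBUG(x) fprintf x` under that guard and `#define FTP_DEBUG(x)` otherwise, would reduce each to one line, e.g. `FTP_DEBUG((stdout, "ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen));`, and keep the control flow readable. The new output also goes to stdout via fprintf while the file's existing PROXY_DEBUG diagnostics use printf; picking one makes the user-space test build's output consistent. The new tunable `ippr_ftp_forcepasv` would benefit from a one-line comment saying what it enforces (the check in ippr_ftp_pasv rejects 227 replies not preceded by a client PASV).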
@@ -134,23 +145,39 @@ int dlen; * Pick out the address components, two at a time. */ a1 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(1) failed\n"); +#endif return 0; + } a2 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(2) failed\n"); +#endif return 0; + } /* * check that IP address in the PORT/PASV reply is the same as the * sender of the command - prevents using PORT for port scanning. */ a1 <<= 16; a1 |= a2; - if (a1 != ntohl(nat->nat_inip.s_addr)) + if (a1 != ntohl(nat->nat_inip.s_addr)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:a1 != nat->nat_inip\n"); +#endif return 0; + } a5 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(3) failed\n"); +#endif return 0; + } if (*s == ')') s++; @@ -162,8 +189,12 @@ int dlen; if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; a6 = a5 & 0xff; - } else + } else { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:missing cr-lf\n"); +#endif return 0; + } a5 >>= 8; a5 &= 0xff; /* @@ -181,8 +212,13 @@ int dlen; nlen = strlen(newbuf); inc = nlen - olen; - if ((inc + ip->ip_len) > 65535) + if ((inc + ip->ip_len) > 65535) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc); +#endif return 0; + } #if !defined(_KERNEL) m = *((mb_t **)fin->fin_mp); 
@@ -253,8 +289,13 @@ int dlen; * Don't allow the PORT command to specify a port < 1024 due to * security crap. */ - if (sp < 1024) + if (sp < 1024) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:sp(%d) < 1024\n", sp); +#endif return 0; + } + /* * The server may not make the connection back from port 20, but * it is the most likely so use it here to check for a conflicting @@ -369,11 +410,11 @@ int dlen; } -int ippr_ftp_pasv(fin, ip, nat, f, dlen) +int ippr_ftp_pasv(fin, ip, nat, ftp, dlen) fr_info_t *fin; ip_t *ip; nat_t *nat; -ftpside_t *f; +ftpinfo_t *ftp; int dlen; { tcphdr_t *tcp, tcph, *tcp2 = &tcph; @@ -381,23 +422,45 @@ int dlen; u_int a1, a2, a3, a4; u_short a5, a6, dp; fr_info_t fi; + ftpside_t *f; nat_t *ipn; int inc; char *s; + if (ippr_ftp_forcepasv != 0 && + ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n", + ftp->ftp_side[0].ftps_cmds); +#endif + return 0; + } + + f = &ftp->ftp_side[1]; + #define PASV_REPLEN 24 /* * Check for PASV reply message. */ - if (dlen < IPF_MIN227LEN) + if (dlen < IPF_MIN227LEN) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen); +#endif return 0; - else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN)) + } else if (strncmp(f->ftps_rptr, + "227 Entering Passive Mod", PASV_REPLEN)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:227 reply wrong\n"); +#endif return 0; + } tcp = (tcphdr_t *)fin->fin_dp; /* - * Skip the PORT command + space + * Skip the PASV reply + space */ s = f->ftps_rptr + PASV_REPLEN; while (*s && !isdigit(*s)) 
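Review bot: The new gate in ippr_ftp_pasv compares `ftp->ftp_side[0].ftps_cmds` with FTPXY_C_PASV, but ftps_cmds is the per-side count of accepted commands: ippr_ftp_process still does `f->ftps_cmds++` right after ippr_ftp_valid succeeds (context in its hunk below), and its `(f->ftps_cmds == 0) && (f->ftps_junk == 1)` test depends on that count. The validators in the ippr_ftp_client_valid/ippr_ftp_server_valid hunk now store the command code into the same field (`ftps->ftps_cmds = FTPXY_C_PASV`, `= 0`, `= cmd`), so a client PASV becomes 1001 after the increment and never equals FTPXY_C_PASV, while every other command resets the counter. ip_proxy.h in this commit adds a separate `int ftps_cmd;` member to ftpside that nothing uses; storing the code there (`ftps->ftps_cmd = FTPXY_C_PASV;` in the validators) and testing `ftp->ftp_side[0].ftps_cmd != FTPXY_C_PASV` here keeps the counter intact.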
@@ -406,11 +469,19 @@ int dlen; * Pick out the address components, two at a time. */ a1 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(1) failed\n"); +#endif return 0; + } a2 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(2) failed\n"); +#endif return 0; + } /* * check that IP address in the PORT/PASV reply is the same as the @@ -418,12 +489,20 @@ int dlen; */ a1 <<= 16; a1 |= a2; - if (a1 != ntohl(nat->nat_oip.s_addr)) + if (a1 != ntohl(nat->nat_oip.s_addr)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:a1 != nat->nat_oip\n"); +#endif return 0; + } a5 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(3) failed\n"); +#endif return 0; + } if (*s == ')') s++; @@ -437,8 +516,12 @@ int dlen; if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; a6 = a5 & 0xff; - } else + } else { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:missing cr-lf\n"); +#endif return 0; + } a5 >>= 8; /* * Calculate new address parts for 227 reply @@ -580,9 +663,9 @@ int dlen; return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) - inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { - inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen); } else if (*rptr == '5' || *rptr == '4') ftp->ftp_passok = FTPXY_INIT; else if (ftp->ftp_incok) { @@ -608,6 +691,7 @@ int dlen; } } ftp->ftp_incok = 0; + while ((*rptr++ != '\n') && (rptr < wptr)) ; f->ftps_rptr = rptr; 
@@ -619,100 +703,150 @@ int dlen; * Look to see if the buffer starts with something which we recognise as * being the correct syntax for the FTP protocol. */ -int ippr_ftp_client_valid(buf, len) +int ippr_ftp_client_valid(ftps, buf, len) +ftpside_t *ftps; char *buf; size_t len; { register char *s, c; register size_t i = len; + char cmd[5]; - if (i < 5) + if (i < 5) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_client_valid:i(%d) < 5\n", i); +#endif return 2; + } s = buf; c = *s++; i--; if (isalpha(c)) { + cmd[0] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[1] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[2] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[3] = toupper(c); c = *s++; i--; if ((c != ' ') && (c != '\r')) - return 1; + goto bad_client_command; } else if ((c != ' ') && (c != '\r')) - return 1; + goto bad_client_command; } else - return 1; + goto bad_client_command; } else - return 1; - } else + goto bad_client_command; + } else { +bad_client_command: +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_client_valid:bad cmd:len %d i %d c 0x%x\n", + i, len, c); +#endif return 1; + } + for (; i; i--) { c = *s++; - if (c == '\n') + if (c == '\n') { + cmd[4] = '\0'; + if (!strcmp(cmd, "PASV")) + ftps->ftps_cmds = FTPXY_C_PASV; + else + ftps->ftps_cmds = 0; return 0; + } } +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_client_valid:junk after cmd[%s]\n", buf); +#endif return 2; } -int ippr_ftp_server_valid(buf, len) +int ippr_ftp_server_valid(ftps, buf, len) +ftpside_t *ftps; char *buf; size_t len; { register char *s, c; register size_t i = len; + int cmd; if (i < 5) return 2; s = buf; c = *s++; + cmd = 0; i--; if (isdigit(c)) { + cmd = (c - '0') * 100; c = *s++; i--; if (isdigit(c)) { + cmd += (c - '0') * 10; c = *s++; i--; if (isdigit(c)) { + cmd += (c - '0'); c = *s++; i--; if ((c != '-') && (c != ' ')) - return 1; + goto bad_server_command; } else - return 1; + goto 
bad_server_command; } else - return 1; - } else + goto bad_server_command; + } else { +bad_server_command: +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_server_valid:bad cmd:len %d i %d c 0x%x\n", + i, len, c); +#endif return 1; + } + for (; i; i--) { c = *s++; - if (c == '\n') + if (c == '\n') { + ftps->ftps_cmds = cmd; return 0; + } } +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_server_valid:junk after cmd[%s]\n", buf); +#endif return 2; } -int ippr_ftp_valid(side, buf, len) +int ippr_ftp_valid(ftp, side, buf, len) +ftpinfo_t *ftp; int side; char *buf; size_t len; { + ftpside_t *ftps; int ret; + ftps = &ftp->ftp_side[side]; + if (side == 0) - ret = ippr_ftp_client_valid(buf, len); + ret = ippr_ftp_client_valid(ftps, buf, len); else - ret = ippr_ftp_server_valid(buf, len); + ret = ippr_ftp_server_valid(ftps, buf, len); return ret; } @@ -814,9 +948,10 @@ int rv; #endif ok = 0; - if (t->ftps_seq[0] == 0) - t->ftps_seq[0] = thack, ok = 1; - else { + if (t->ftps_seq[0] == 0) { + t->ftps_seq[0] = thack; + ok = 1; + } else { if (ackoff == 0) { if (t->ftps_seq[0] == thack) ok = 1; 
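Review bot: In ippr_ftp_client_valid `cmd[3]` is never written for three-letter commands (CWD, PWD, ...): when the fourth byte is a space or CR the `cmd[3] = toupper(c)` branch is skipped, yet `cmd[4] = '\0'` and `strcmp(cmd, "PASV")` then read the uninitialised byte, which is undefined behaviour. Zero-filling the array before the parse, `bzero(cmd, sizeof(cmd));`, fixes it. The new fprintf calls pass the size_t values `i` and `len` to `%d` (cast to `unsigned long` with `%lu`, or use `%zu`) and `c`, a plain char, to `%x`, which sign-extends bytes above 0x7f. The `bad_client_command:`/`bad_server_command:` labels inside the final else block are legal but easy to misread; a label after the if/else chain would be clearer.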
@@ -845,20 +980,24 @@ int rv; #endif if (!mlen) { - if (t->ftps_seq[0] + ackoff != thack) + if (t->ftps_seq[0] + ackoff != thack) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n", + t->ftps_seq[0], ackoff, thack); +#endif return APR_ERR(1); + } #if PROXY_DEBUG printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); #endif if (tcp->th_flags & TH_FIN) { - if (thseq + seqoff == f->ftps_seq[0] + 1 || - f->ftps_seq[0] + seqoff + 1 == thseq || - thseq + seqoff == f->ftps_seq[0] || - thseq == f->ftps_seq[0] + seqoff) - ; - else { -#if PROXY_DEBUG + if (thseq == f->ftps_seq[1]) { + f->ftps_seq[0] = f->ftps_seq[1] - seqoff; + f->ftps_seq[1] = thseq + 1 - seqoff; + } else { +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("FIN: thseq %x seqoff %d ftps_seq %x\n", thseq, seqoff, f->ftps_seq[0]); #endif @@ -870,17 +1009,19 @@ int rv; } ok = 0; - if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1]) + if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) { ok = 1; /* * Retransmitted data packet. */ - else if (thseq + mlen == f->ftps_seq[0] || - thseq + mlen == f->ftps_seq[1]) + } else if ((thseq + mlen == f->ftps_seq[0]) || + (thseq + mlen == f->ftps_seq[1])) { ok = 1; + } + if (ok == 0) { inc = thseq - f->ftps_seq[0]; -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("inc %d sel %d rv %d\n", inc, sel, rv); printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], f->ftps_seq[1]); @@ -917,10 +1058,12 @@ int rv; wptr += len; f->ftps_wptr = wptr; if (f->ftps_junk == 2) - f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr); + f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, + wptr - rptr); while ((f->ftps_junk == 0) && (wptr > rptr)) { - f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr); + f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, + wptr - rptr); if (f->ftps_junk == 0) { f->ftps_cmds++; len = wptr - rptr; 
@@ -942,6 +1085,10 @@ int rv; */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { /* f->ftps_seq[1] += inc; */ +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_process:cmds == 0 junk == 1\n"); +#endif return APR_ERR(2); } @@ -985,18 +1132,17 @@ int rv; /* f->ftps_seq[1] += inc; */ if (tcp->th_flags & TH_FIN) f->ftps_seq[1]++; -#ifndef _KERNEL +#if PROXY_DEBUG +# ifndef _KERNEL mlen = mbuflen(m); -#else -# if SOLARIS - mlen = msgdsize(m); # else +# if SOLARIS + mlen = msgdsize(m); +# else mlen = mbufchainlen(m); +# endif # endif -#endif - off = fin->fin_hlen + (tcp->th_off << 2); mlen -= off; -#if PROXY_DEBUG printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); #endif diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 6bf7a4d..e57bd69 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $ + * $Id: ip_log.c,v 2.5.2.21 2002/10/26 06:21:30 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) @@ -99,6 +99,9 @@ # include # include # include +# ifdef USE_INET6 +# include +# endif # include # ifndef _KERNEL # include @@ -211,6 +214,26 @@ mb_t *m; break; } } +#ifdef USE_INET6 + else if (p == IPPROTO_ICMPV6) { + struct icmp6_hdr *icmp; + + icmp = (struct icmp6_hdr *)fin->fin_dp; + + /* + * For ICMPV6, if the packet is an error packet, also + * include the information about the packet which + * caused the error. + */ + if (icmp->icmp6_type < 128) { + hlen += MIN(sizeof(struct icmp6_hdr) + 8, + fin->fin_dlen); + } else { + hlen += MIN(sizeof(struct icmp6_hdr), + fin->fin_dlen); + } + } +#endif } /* * Get the interface number and name to which this packet is 
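Review bot: `mlen -= off;` survives inside the new `#if PROXY_DEBUG` block in ippr_ftp_process, but the line that computed it, `off = fin->fin_hlen + (tcp->th_off << 2);`, is deleted; unless `off` is assigned earlier in the function (which starts outside the hunk), the debug printf now subtracts a stale or uninitialised value. Keeping the assignment inside the block, `off = fin->fin_hlen + (tcp->th_off << 2);` just before `mlen -= off;`, makes the debug path self-contained.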
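Review bot: The ICMPv6 branch in ipflog reads `icmp->icmp6_type` through fin->fin_dp before anything confirms that fin_dlen covers that byte; the `MIN(..., fin->fin_dlen)` that follows bounds only the copy length. Whether a packet shorter than an icmp6_hdr can reach logging depends on code outside the hunk, so a guard such as `if (fin->fin_dlen >= sizeof(struct icmp6_hdr) && icmp->icmp6_type < 128)` (taking the short `hlen += MIN(sizeof(struct icmp6_hdr), fin->fin_dlen)` path otherwise) costs nothing and matches the defensive MIN already used. A comment noting that types below 128 are ICMPv6 error messages would explain the constant.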
@@ -334,10 +357,10 @@ int *types, cnt; ipl->ipl_dsize = len; # ifdef _KERNEL # if SOLARIS || defined(sun) - uniqtime((struct timeval *)&ipl->ipl_sec); + uniqtime(&ipl->ipl_tv); # else # if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) - microtime((struct timeval *)&ipl->ipl_sec); + microtime(&ipl->ipl_tv); # endif # endif # else diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 854c68d..d8c8622 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -9,7 +9,7 @@ #define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.74 2002/12/06 11:40:21 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -148,6 +148,7 @@ static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); static void nat_hostmapdel __P((struct hostmap *)); +static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *)); int nat_init() @@ -456,8 +457,9 @@ int mode; /* * For add/delete, look to see if the NAT entry is already present */ - if (getlock == 1) + if (getlock == 1) { WRITE_ENTER(&ipf_nat); + } if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { nat = &natd; nat->in_flags &= IPN_USERFLAGS; @@ -726,8 +728,9 @@ int mode; error = EINVAL; break; } - if (getlock == 1) + if (getlock == 1) { RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ + } done: if (nt) KFREE(nt); 
@@ -1465,6 +1468,7 @@ int direction; nat->nat_p = fin->fin_p; nat->nat_bytes = 0; nat->nat_pkts = 0; + nat->nat_mssclamp = np->in_mssclamp; nat->nat_fr = fin->fin_fr; if (nat->nat_fr != NULL) { ATOMIC_INC32(nat->nat_fr->fr_ref); @@ -2517,6 +2521,16 @@ maskloop: */ if (nat->nat_age == fr_tcpclosed) nat->nat_age = fr_tcplastack; + + /* + * Do a MSS CLAMPING on a SYN packet, + * only deal IPv4 for now. + */ + if (nat->nat_mssclamp && + (tcp->th_flags & TH_SYN) != 0) + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); + MUTEX_EXIT(&nat->nat_lock); } else if (fin->fin_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -2728,6 +2742,15 @@ maskloop: */ if (nat->nat_age == fr_tcpclosed) nat->nat_age = fr_tcplastack; + /* + * Do a MSS CLAMPING on a SYN packet, + * only deal IPv4 for now. + */ + if (nat->nat_mssclamp && + (tcp->th_flags & TH_SYN) != 0) + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); + MUTEX_EXIT(&nat->nat_lock); } else if (fin->fin_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; 
@@ -2927,3 +2950,60 @@ void *ifp;
 return;
 }
 #endif
+
+
+/*
+ * Check for MSS option and clamp it if necessary.
+ */
+static void nat_mssclamp(tcp, maxmss, fin, csump)
+tcphdr_t *tcp;
+u_32_t maxmss;
+fr_info_t *fin;
+u_short *csump;
+{
+ u_char *cp, *ep, opt;
+ int hlen, advance;
+ u_32_t mss, sumd;
+ u_short v;
+
+ hlen = tcp->th_off << 2;
+ if (hlen > sizeof(*tcp)) {
+ cp = (u_char *)tcp + sizeof(*tcp);
+ ep = (u_char *)tcp + hlen;
+
+ while (cp < ep) {
+ opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ else if (opt == TCPOPT_NOP) {
+ cp++;
+ continue;
+ }
+
+ if (&cp[1] >= ep)
+ break;
+ advance = cp[1];
+ if (&cp[advance] >= ep)
+ break;
+ switch (opt) {
+ case TCPOPT_MAXSEG:
+ if (advance != 4)
+ break;
+ bcopy(&cp[2], &v, sizeof(v));
+ mss = ntohs(v);
+ if (mss > maxmss) {
+ v = htons(maxmss);
+ bcopy(&v, &cp[2], sizeof(v));
+ CALC_SUMD(mss, maxmss, sumd);
+ fix_outcksum(fin, csump, sumd);
+ }
+ break;
+ default:
+ /* ignore unknown options */
+ break;
+ }
+
+ cp += advance;
+ }
+ }
+}
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h
index e1b160f..e052449 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.h
+++ b/sys/contrib/ipfilter/netinet/ip_nat.h
@@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.28 2002/11/03 13:06:21 darrenr Exp $
 */
 
 #ifndef __IP_NAT_H__
@@ -84,6 +84,7 @@ typedef struct nat {
 u_short nat_use;
 u_char nat_tcpstate[2];
 u_char nat_p; /* protocol for NAT */
+ u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
 struct ipnat *nat_ptr; /* pointer back to the rule */
 struct hostmap *nat_hm;
 struct nat *nat_next;
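Review bot: nat_mssclamp never advances on an option whose length byte is 0: `advance = cp[1]` passes the `&cp[advance] >= ep` test when it is 0, and after the switch `cp += advance` leaves cp unchanged, so `while (cp < ep)` spins forever on a kernel path that runs under nat_lock for every SYN of a clamped session. The same test is also off by one in the other direction: an option that ends exactly at the end of the header (`&cp[advance] == ep`), such as the lone MSS option in a 24-byte SYN, is rejected and never clamped. `if (advance < 2 || &cp[advance] > ep) break;` fixes both while still keeping every read of cp[2..advance-1] inside the header. Separately, maxmss is u_32_t but is stored through `v = htons(maxmss)`, which truncates values above 65535 taken from the rule's in_mssclamp; checking `in_mssclamp <= 65535` where the rule is added (nat_ioctl, outside this view), or documenting the range at the field, avoids a silent wrong clamp.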
@@ -113,6 +114,7 @@ typedef struct ipnat { u_short in_pnext; u_short in_ippip; /* IP #'s per IP# */ u_32_t in_flags; /* From here to in_dport must be reflected */ + u_32_t in_mssclamp; /* if != zero clamp MSS to this */ u_short in_spare; u_short in_ppip; /* ports per IP */ u_short in_port[2]; /* correctly in IPN_CMPSIZ */ diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index f36753a..f3b2cd5 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -7,7 +7,7 @@ # define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.26 2002/12/06 11:40:23 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -315,7 +315,7 @@ nat_t *nat; sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif if (sum != tcp->th_sum) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy tcp checksum failure\n"); #endif frstats[fin->fin_out].fr_tcpbad++; @@ -323,8 +323,8 @@ nat_t *nat; } /* - * Don't both the proxy with these...or in fact, should - * we free up proxy stuff when seen? + * Don't bother the proxy with these...or in fact, + * should we free up proxy stuff when seen? */ if ((tcp->th_flags & TH_RST) != 0) return 0; @@ -342,13 +342,13 @@ nat_t *nat; rv = APR_EXIT(err); if (rv == 1) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy says bad packet received\n"); #endif return -1; } if (rv == 2) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy says free app proxy data\n"); #endif appr_free(apr); 
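Review bot: in_mssclamp is inserted into ipnat between in_flags and in_spare, i.e. inside the span the adjacent comment says "must be reflected" through in_dport; if that span is compared or copied with a fixed size (the hint `correctly in IPN_CMPSIZ` on in_port suggests one), the constant and any userland tool built against the old layout need to move in step, since rules arrive from userland through SIOCADNAT. A comment on the new field naming the size it affects, or placing it after the compared region, would make the coupling visible; this is inferred from the comments, not from code in this hunk.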
@@ -424,7 +424,7 @@ ap_session_t *aps; apr = aps->aps_apr; if ((apr != NULL) && (apr->apr_del != NULL)) (*apr->apr_del)(aps); - + if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) KFREES(aps->aps_data, aps->aps_psiz); KFREE(aps); @@ -468,7 +468,7 @@ int inc; sel, !sel, seq1, aps->aps_seqmin[!sel]); #endif sel = aps->aps_sel[out] = !sel; -} + } if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; @@ -503,7 +503,7 @@ int inc; sel, !sel, seq1, aps->aps_ackmin[!sel]); #endif sel = aps->aps_sel[1 - out] = !sel; -} + } if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; @@ -522,7 +522,7 @@ int inc; sel, !sel, seq1, aps->aps_ackmin[!sel]); #endif sel = aps->aps_sel[out] = !sel; -} + } if (aps->aps_ackoff[sel]) { seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; @@ -557,7 +557,7 @@ int inc; sel, !sel, seq1, aps->aps_seqmin[!sel]); #endif sel = aps->aps_sel[1 - out] = !sel; -} + } if (aps->aps_seqoff[sel] != 0) { #if PROXY_DEBUG diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.h b/sys/contrib/ipfilter/netinet/ip_proxy.h index fad791d..50b0559 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.h +++ b/sys/contrib/ipfilter/netinet/ip_proxy.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.14 2002/09/02 12:19:26 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -99,6 +99,7 @@ typedef struct ftpside { u_32_t ftps_len; int ftps_junk; int ftps_cmds; + int ftps_cmd; char ftps_buf[FTP_BUFSZ]; } ftpside_t; diff --git a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c index 641d303..3fecf49 100644 --- a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 
@@ -1,5 +1,5 @@
 /*
- * $Id: ip_rcmd_pxy.c,v 1.4.2.5 2001/10/30 16:38:14 darrenr Exp $
+ * $Id: ip_rcmd_pxy.c,v 1.4.2.6 2002/10/01 15:24:59 darrenr Exp $
  */
 /*
  * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@@ -143,6 +143,7 @@ nat_t *nat;
 	tcp2->th_sport = htons(sp);
 	tcp2->th_dport = 0; /* XXX - don't specify remote port */
 	tcp2->th_off = 5;
+	tcp2->th_flags = TH_SYN;
 	fi.fin_data[1] = 0;
 	fi.fin_dp = (char *)tcp2;
 	fi.fin_dlen = sizeof(*tcp2);
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 43fe820..5ab78cc 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -3,7 +3,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
 # include
 #endif
 #include
@@ -93,7 +93,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.77 2002/12/06 11:40:24 darrenr Exp $";
 #endif
 
 #ifndef MIN
@@ -117,8 +117,8 @@ static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *));
 static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr,
 			       fr_info_t *, tcphdr_t *));
 static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
-static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *));
-static int fr_state_flush __P((int));
+static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *, int));
+static int fr_state_flush __P((int, int));
 static ips_stat_t *fr_statetstats __P((void));
 static void fr_delstate __P((ipstate_t *));
 static int fr_state_remove __P((caddr_t));
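Review bot: `tcp2->th_flags = TH_SYN;` initialises one more field of the synthetic TCP header, but the hunk still shows no initialisation of th_seq, th_ack, th_win, th_sum or th_urp; unless tcp2 is zeroed above the hunk, those fields carry whatever was on the stack when the state entry for the rcmd data connection is created. If no such clearing exists, a `bzero((char *)tcp2, sizeof(*tcp2));` before the first assignment makes the header deterministic. The enclosing function starts and ends outside the hunk, so this may already be handled there.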
@@ -203,8 +203,8 @@ static ips_stat_t *fr_statetstats()
  * starting at > 4 days idle and working back in successive half-
  * days to at most 12 hours old.
  */
-static int fr_state_flush(which)
-int which;
+static int fr_state_flush(which, proto)
+int which, proto;
 {
 	ipstate_t *is, **isp;
 #if defined(_KERNEL) && !SOLARIS
@@ -216,6 +216,9 @@ int which;
 
 	for (isp = &ips_list; (is = *isp); ) {
 		delete = 0;
+		if ((proto != 0) && (is->is_v != proto))
+			continue;
+
 		switch (which)
 		{
 		case 0 :
@@ -337,12 +340,26 @@ int mode;
 			break;
 		if (arg == 0 || arg == 1) {
 			WRITE_ENTER(&ipf_state);
-			ret = fr_state_flush(arg);
+			ret = fr_state_flush(arg, 4);
 			RWLOCK_EXIT(&ipf_state);
 			error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
 		} else
 			error = EINVAL;
 		break;
+#ifdef USE_INET6
+	case SIOCIPFL6 :
+		error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+		if (error)
+			break;
+		if (arg == 0 || arg == 1) {
+			WRITE_ENTER(&ipf_state);
+			ret = fr_state_flush(arg, 6);
+			RWLOCK_EXIT(&ipf_state);
+			error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
+		} else
+			error = EINVAL;
+		break;
+#endif
 #ifdef IPFILTER_LOG
 	case SIOCIPFFB :
 		if (!(mode & FWRITE))
@@ -1118,7 +1135,7 @@ tcphdr_t *tcp;
 	return 1;
 }
 
-static int fr_matchicmpqueryreply(v, is, icmp)
+static int fr_matchicmpqueryreply(v, is, icmp, rev)
 int v;
 ipstate_t *is;
 icmphdr_t *icmp;
@@ -1128,8 +1145,8 @@ icmphdr_t *icmp;
 	 * If we matched its type on the way in, then when going out
 	 * it will still be the same type.
 	 */
-	if (((icmp->icmp_type == is->is_type) ||
-	    (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
+	if ((!rev && (icmp->icmp_type == is->is_type)) ||
+	    (rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
 		if (icmp->icmp_type != ICMP_ECHOREPLY)
 			return 1;
 		if ((icmp->icmp_id == is->is_icmp.ics_id) &&
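Review bot: the added `continue` in fr_state_flush never advances `isp`: the `for` header has no increment expression, so control goes straight back to `(is = *isp)` with the same pointer, and the first entry whose `is_v` differs from `proto` makes the loop spin forever while holding the ipf_state write lock. The advance presumably sits at the end of the loop body, outside the hunk, in the same `} else isp = &is->is_next;` shape that fr_timeoutstate shows later in this diff, which is exactly what `continue` skips. With a mixed v4/v6 table this is reachable from the new SIOCIPFL6 path. Replace the two added lines with `if ((proto != 0) && (is->is_v != proto)) { isp = &is->is_next; continue; }`.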
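Review bot: the new SIOCIPFL6 case flushes the state table without testing `mode & FWRITE`, although the SIOCIPFFB case immediately below it does; if the SIOCIPFFL case above the hunk (its start is not visible) carries the same guard, the IPv6 case should mirror it so that a descriptor opened read-only cannot discard all IPv6 state. The body is otherwise a verbatim copy of the IPv4 case differing only in the `4`/`6` argument to fr_state_flush; folding the two into one case that derives the protocol from the ioctl command would keep them from drifting apart, and a one-line comment `/* same as SIOCIPFFL but for the IPv6 state table */` is the minimum if they stay separate.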
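Review bot: `rev` is added to fr_matchicmpqueryreply's parameter list but no `int rev;` declaration appears, and the hunk counts show the three lines between this hunk and the next are unchanged, so the definition relies on the K&R implicit-int rule for undeclared parameters. Add `int rev;` after `icmphdr_t *icmp;` to match the `__P((int, ipstate_t *, icmphdr_t *, int))` prototype changed earlier in this diff. The comment above the new condition still describes the old symmetric test; it should say that in the forward direction only the original type matches and in the reverse direction only its reply type, which is the point of the change.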
@@ -1139,8 +1156,8 @@ icmphdr_t *icmp;
 	}
 #ifdef USE_INET6
 	else if (is->is_v == 6) {
-		if (((icmp->icmp_type == is->is_type) ||
-		    (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
+		if ((!rev && (icmp->icmp_type == is->is_type)) ||
+		    (rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
 			if (icmp->icmp_type != ICMP6_ECHO_REPLY)
 				return 1;
 			if ((icmp->icmp_id == is->is_icmp.ics_id) &&
@@ -1278,7 +1295,7 @@ fr_info_t *fin;
 	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
 		if ((is->is_p == pr) && (is->is_v == 4) &&
 		    fr_matchsrcdst(is, src, dst, &ofin, NULL) &&
-		    fr_matchicmpqueryreply(is->is_v, is, icmp)) {
+		    fr_matchicmpqueryreply(is->is_v, is, icmp, fin->fin_rev)) {
 			ips_stats.iss_hits++;
 			is->is_pkts++;
 			is->is_bytes += ip->ip_len;
@@ -1460,7 +1477,7 @@ icmp6again:
 	for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
 		if ((is->is_p == pr) && (is->is_v == v) &&
 		    fr_matchsrcdst(is, src, dst, fin, NULL) &&
-		    fr_matchicmpqueryreply(v, is, ic)) {
+		    fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
 			rev = fin->fin_rev;
 			if (is->is_frage[rev] != 0)
 				is->is_age = is->is_frage[rev];
@@ -1515,7 +1532,7 @@ icmp6again:
 	for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
 		if ((is->is_p == pr) && (is->is_v == v) &&
 		    fr_matchsrcdst(is, src, dst, fin, NULL) &&
-		    fr_matchicmpqueryreply(v, is, ic)) {
+		    fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
 			rev = fin->fin_rev;
 			if (is->is_frage[rev] != 0)
 				is->is_age = is->is_frage[rev];
@@ -1750,7 +1767,7 @@ void fr_timeoutstate()
 		} else
 			isp = &is->is_next;
 	if (fr_state_doflush) {
-		(void) fr_state_flush(2);
+		(void) fr_state_flush(2, 0);
 		fr_state_doflush = 0;
 	}
 	RWLOCK_EXIT(&ipf_state);
diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h
index ced3e56..2a23a44 100644
--- a/sys/contrib/ipfilter/netinet/ipl.h
+++ b/sys/contrib/ipfilter/netinet/ipl.h
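Review bot: in the `@@ -1278` hunk the address match is run against `ofin` while the direction handed to fr_matchicmpqueryreply is `fin->fin_rev`; the two later hunks in the IPv6 path pass the same `fin` to both calls, so this one is the odd one out. If fr_matchsrcdst records the direction in the fr_info it is given, the flag that describes the inner packet is `ofin.fin_rev`, and with the now direction-sensitive type test a wrong flag makes an ICMP error that should match an existing echo state fail instead. Confirm which fr_info's rev is meant here and, if `fin->fin_rev` is deliberate, say so in a comment on the call, e.g. `/* direction of the outer ICMP error, not of the embedded packet */`.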
@@ -4,12 +4,12 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.38 2002/12/07 02:40:05 darrenr Exp $
  */
 
 #ifndef __IPL_H__
 #define __IPL_H__
 
-#define IPL_VERSION "IP Filter: v3.4.29"
+#define IPL_VERSION "IP Filter: v3.4.31"
 
 #endif
diff --git a/sys/contrib/ipfilter/netinet/y b/sys/contrib/ipfilter/netinet/y
new file mode 100644
index 0000000..d9aa671
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/y
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQCXGsxsgDt2euTDP/IQGY4O4CsKH9NXzI3dQ44L0w3PLYr/JQuY
+kB8TLuCFZPIO/nlkubnCQGNnmcyUBlIA654Y7FEPBhLa4BWT6cpF4rfVzCQMq4W9
+ZqXv549OZ0Ejg6ciJ/Udhhjx/TMn6sIojEZmHBdToTtK54119hC6eOxnQwIVAIO3
+p+t6ASypQY8M+h96GZlVmkHRAoGAfK41snqWLcHspLYsIHu2tUwip7GqPPNe7Iej
+CX17PiPbt9S5ph8aI6hPVmAUoKpfEb8OMDak3sFAFoDnve/FgOsZS+HKRpJRqUtW
+PbBrhvRkQ5N4SWOzK54GXt/aWRTcUoVDz29QiakTfrZtdHeiJTbVNR36JdQ/nIHO
+VWTWpcMCgYA4oHMrfK7/LMrjKWOLW8bXanvgL+nMoFVChYqzfBptvd492chAokKa
+cr8NJDeT10i98TYooi0AvEthor9PVBDFMA0fj+LdM95HZTr6NIMAtxik8Ici4e7X
+S4xWlsjTJQO6Kx7Hfuyt9EH2QkraLXFiFFKudGdvHqHeZ0q3iJ5JXwIVAIGBuoE0
+wrpIyJQuIMYL5HJxQ8wt
+-----END DSA PRIVATE KEY-----
diff --git a/sys/contrib/ipfilter/netinet/y.pub b/sys/contrib/ipfilter/netinet/y.pub
new file mode 100644
index 0000000..a225f39
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/y.pub
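Review bot: the new file `sys/contrib/ipfilter/netinet/y` is a DSA private key in PEM form, and `y.pub` in the next file section is an ssh-dss public key whose leading bytes appear to match it and which is tagged darrenr@freefall.freebsd.org; neither has any place in a packet filter's source tree and both look like stray files picked up by the vendor import rather than an intentional change. Once a private key has been committed to a repository others can fetch it has to be treated as compromised: drop both files from the import, remove the key from every authorized_keys and host it is installed on and replace it, and note that rewriting history afterwards does not recall copies already cloned. A pre-commit or import-time check that rejects `-----BEGIN ... PRIVATE KEY-----` blocks would catch this class of mistake before it reaches the tree.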
@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAJcazGyAO3Z65MM/8hAZjg7gKwof01fMjd1DjgvTDc8tiv8lC5iQHxMu4IVk8g7+eWS5ucJAY2eZzJQGUgDrnhjsUQ8GEtrgFZPpykXit9XMJAyrhb1mpe/nj05nQSODpyIn9R2GGPH9MyfqwiiMRmYcF1OhO0rnjXX2ELp47GdDAAAAFQCDt6fregEsqUGPDPofehmZVZpB0QAAAIB8rjWyepYtweyktiwge7a1TCKnsao8817sh6MJfXs+I9u31LmmHxojqE9WYBSgql8Rvw4wNqTewUAWgOe978WA6xlL4cpGklGpS1Y9sGuG9GRDk3hJY7MrngZe39pZFNxShUPPb1CJqRN+tm10d6IlNtU1Hfol1D+cgc5VZNalwwAAAIA4oHMrfK7/LMrjKWOLW8bXanvgL+nMoFVChYqzfBptvd492chAokKacr8NJDeT10i98TYooi0AvEthor9PVBDFMA0fj+LdM95HZTr6NIMAtxik8Ici4e7XS4xWlsjTJQO6Kx7Hfuyt9EH2QkraLXFiFFKudGdvHqHeZ0q3iJ5JXw== darrenr@freefall.freebsd.org
-- cgit v1.1