diff options
| author | Darren Reed <darrenr@FreeBSD.org> | 2000-10-29 08:07:08 +0000 |
|---|---|---|
| committer | Darren Reed <darrenr@FreeBSD.org> | 2000-10-29 08:07:08 +0000 |
| commit | 801aabae69beeda563d17b48dd776f039ffaf378 (patch) | |
| tree | e416fe3d7a717216f4b6a27a302dec6d07f42d42 | |
| parent | 7aba7e7040be6e4db42a5dc35a78c32cd21b1880 (diff) | |
| download | src-test2-801aabae69beeda563d17b48dd776f039ffaf378.tar.gz src-test2-801aabae69beeda563d17b48dd776f039ffaf378.zip | |
Import IP Filter 3.4.13 into src/contrib, not src/contirb
Notes
Notes:
svn path=/vendor/ipfilter/dist/; revision=67855
| -rw-r--r-- | contrib/ipfilter/BSD/Makefile | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/HISTORY | 7 | ||||
| -rw-r--r-- | contrib/ipfilter/fil.c | 47 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_ftp_pxy.c | 4 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_nat.c | 39 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_nat.h | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_raudio_pxy.c | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_rcmd_pxy.c | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/ip_state.c | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/ipl.h | 4 | ||||
| -rw-r--r-- | contrib/ipfilter/iplang/Makefile | 3 | ||||
| -rw-r--r-- | contrib/ipfilter/ipnat.c | 3 |
12 files changed, 73 insertions, 49 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index f34acddc0206..5f1cbc02c2ec 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -228,6 +228,9 @@ install: -if [ -d /lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /lkm; \ fi + -if [ -d /modules -a -f ipf.ko ] ; then \ + cp ipf.ko /modules; \ + fi -$(INSTALL) -cs -g wheel -m 755 -o root ipf $(SBINDEST) -$(INSTALL) -cs -g wheel -m 755 -o root ipfs $(SBINDEST) -$(INSTALL) -cs -g wheel -m 755 -o root ipnat $(SBINDEST) diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 09f21ee2d7b1..279372bd3b66 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -22,6 +22,13 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.13 28/10/2000 - Released + +fix introduced bug with ICMP packets being rejected when valid + +fix bug with proxy's that don't set fin_dlen correctly when calling +fr_addstate() + 3.4.12 26/10/2000 - Released fix installing into FreeBSD-4.1 diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index b85dcf41658a..e0a5ed59240b 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.26 2000/10/24 11:58:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $"; #endif #include <sys/errno.h> @@ -274,32 +274,35 @@ fr_info_t *fin; int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; - if (fin->fin_dlen > 1) + if (!off && (fin->fin_dlen > 1)) { fin->fin_data[0] = *(u_short *)tcp; - if ((!(plen >= hlen + minicmpsz) && !off) || - (off && off < sizeof(struct icmp))) { - fi->fi_fl |= FI_SHORT; - if (fin->fin_dlen < 2) - break; - } + icmp = (icmphdr_t *)tcp; - icmp = (icmphdr_t *)tcp; + if (icmp->icmp_type == ICMP_ECHOREPLY || + icmp->icmp_type == ICMP_ECHO) + minicmpsz = ICMP_MINLEN; - if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || - icmp->icmp_type == ICMP_ECHO)) - minicmpsz = ICMP_MINLEN; + /* + * type(1) + code(1) + cksum(2) + id(2) seq(2) + + * 3*timestamp(3*4) + */ + else if (icmp->icmp_type == ICMP_TSTAMP || + icmp->icmp_type == ICMP_TSTAMPREPLY) + minicmpsz = 20; - /* type(1) + code(1) + cksum(2) + id(2) seq(2) + - * 3*timestamp(3*4) */ - else if (!off && (icmp->icmp_type == ICMP_TSTAMP || - icmp->icmp_type == ICMP_TSTAMPREPLY)) - minicmpsz = 20; + /* + * type(1) + code(1) + cksum(2) + id(2) seq(2) + + * mask(4) + */ + else if (icmp->icmp_type == ICMP_MASKREQ || + icmp->icmp_type == ICMP_MASKREPLY) + minicmpsz = 12; + } - /* type(1) + code(1) + cksum(2) + id(2) seq(2) + mask(4) */ - else if (!off && (icmp->icmp_type == ICMP_MASKREQ || - icmp->icmp_type == ICMP_MASKREPLY)) - minicmpsz = 12; + if ((!(plen >= hlen + minicmpsz) && !off) || + (off && off < sizeof(struct icmp))) + fi->fi_fl |= FI_SHORT; break; } @@ -1398,7 +1401,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.26 2000/10/24 11:58:17 darrenr Exp $ + * $Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index ffa7c1bbb340..653bbfe1386d 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.17 2000/10/19 15:40:40 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.18 2000/10/27 14:02:10 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -252,6 +252,7 @@ int dlen; tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; + fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; swip = ip->ip_src; ip->ip_src = nat->nat_inip; @@ -467,6 +468,7 @@ int dlen; tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; fi.fin_data[0] = a5 << 8 | a6; + fi.fin_dlen = sizeof(*tcp2); tcp2->th_dport = htons(fi.fin_data[0]); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index d52f48d46e05..4f6921d3f3de 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.25 2000/10/25 10:38:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.26 2000/10/27 14:06:48 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -118,7 +118,6 @@ u_int ipf_nattable_sz = NAT_TABLE_SZ; u_int ipf_natrules_sz = NAT_SIZE; u_int ipf_rdrrules_sz = RDR_SIZE; u_int ipf_hostmap_sz = HOSTMAP_SIZE; -int nat_wilds = 0; u_32_t nat_masks = 0; u_32_t rdr_masks = 0; ipnat_t **nat_rules = NULL; @@ -144,7 +143,7 @@ static void nat_delnat __P((struct ipnat *)); static int fr_natgetent __P((caddr_t)); static int fr_natgetsz __P((caddr_t)); static int fr_natputent __P((caddr_t)); -static void nat_tabmove __P((nat_t *, u_int)); +static void nat_tabmove __P((nat_t *)); static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); @@ -1004,7 +1003,7 @@ struct nat *natd; struct ipnat *ipn; if (natd->nat_flags & FI_WILDP) - nat_wilds--; + nat_stats.ns_wilds--; if (natd->nat_hnext[0]) natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0]; *natd->nat_phnext[0] = natd->nat_hnext[0]; @@ -1148,7 +1147,7 @@ int direction; bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; if (flags & FI_WILDP) - nat_wilds++; + nat_stats.ns_wilds++; /* * Search the current table for a match. */ @@ -1916,7 +1915,7 @@ u_32_t ports; ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))))) return nat; } - if (!nat_wilds || !(flags & IPN_TCPUDP)) + if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz); @@ -1935,8 +1934,7 @@ u_32_t ports; continue; if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) { - hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz); - nat_tabmove(nat, hv); + nat_tabmove(nat); break; } } @@ -1945,11 +1943,11 @@ u_32_t ports; } -static void nat_tabmove(nat, hv) +static void nat_tabmove(nat) nat_t *nat; -u_int hv; { nat_t **natp; + u_int hv; /* * Remove the NAT entry from the old location @@ -1959,9 +1957,14 @@ u_int hv; *nat->nat_phnext[0] = nat->nat_hnext[0]; if (nat->nat_hnext[1]) - nat->nat_hnext[0]->nat_phnext[1] = nat->nat_phnext[1]; + nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1]; *nat->nat_phnext[1] = nat->nat_hnext[1]; + /* + * Add into the NAT table in the new position + */ + hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, + ipf_nattable_sz); natp = &nat_table[0][hv]; if (*natp) (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; @@ -1969,9 +1972,8 @@ u_int hv; nat->nat_hnext[0] = *natp; *natp = nat; - /* - * Add into the NAT table in the new position - */ + hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, + ipf_nattable_sz); natp = &nat_table[1][hv]; if (*natp) (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; @@ -2018,7 +2020,7 @@ u_32_t ports; (nat->nat_oport == dport || nflags & FI_W_DPORT)))) return nat; } - if (!nat_wilds || !(flags & IPN_TCPUDP)) + if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz); @@ -2037,8 +2039,7 @@ u_32_t ports; continue; if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) { - hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz); - nat_tabmove(nat, hv); + nat_tabmove(nat); break; } } @@ -2179,7 +2180,7 @@ fr_info_t *fin; nat->nat_outport = sport; nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT); nflags = nat->nat_flags; - nat_wilds--; + nat_stats.ns_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); @@ -2392,7 +2393,7 @@ fr_info_t *fin; nat->nat_outport = dport; nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT); nflags = nat->nat_flags; - nat_wilds--; + nat_stats.ns_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index c2ff10012034..8e166df6148d 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.9 2000/10/19 15:44:04 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.10 2000/10/27 14:06:51 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -207,6 +207,7 @@ typedef struct natstat { u_int ns_rultab_sz; u_int ns_rdrtab_sz; nat_t *ns_instances; + u_int ns_wilds; } natstat_t; #define IPN_ANY 0x000 diff --git a/contrib/ipfilter/ip_raudio_pxy.c b/contrib/ipfilter/ip_raudio_pxy.c index d8014106cf1b..9ea437c6a4cd 100644 --- a/contrib/ipfilter/ip_raudio_pxy.c +++ b/contrib/ipfilter/ip_raudio_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_raudio_pxy.c,v 1.7.2.2 2000/09/03 00:23:12 darrenr Exp $ + * $Id: ip_raudio_pxy.c,v 1.7.2.3 2000/10/27 22:54:04 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -265,6 +265,7 @@ nat_t *nat; tcp2->th_off = 5; fi.fin_dp = (char *)tcp2; fi.fin_fr = &raudiofr; + fi.fin_dlen = sizeof(*tcp2); tcp2->th_win = htons(8192); slen = ip->ip_len; ip->ip_len = fin->fin_hlen + sizeof(*tcp); diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c index 1d6264d5cc15..e311b168139b 100644 --- a/contrib/ipfilter/ip_rcmd_pxy.c +++ b/contrib/ipfilter/ip_rcmd_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_rcmd_pxy.c,v 1.4.2.2 2000/07/15 12:38:30 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.4.2.3 2000/10/27 22:54:04 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT @@ -146,6 +146,7 @@ nat_t *nat; fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_dlen = sizeof(*tcp2); swip = ip->ip_src; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 4f7460e75e09..7499bfd72378 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.22 2000/10/26 10:41:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.23 2000/10/27 14:06:08 darrenr Exp $"; #endif #include <sys/errno.h> @@ -1188,6 +1188,7 @@ u_int hv; * ...and put the hash in the new one. */ hvm = hv % fr_statesize; + is->is_hv = hvm; isp = &ips_table[hvm]; if (*isp) (*isp)->is_phnext = &is->is_hnext; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index cfec7343ad66..b54d6f905a74 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -6,12 +6,12 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.13 2000/10/25 11:08:41 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.14 2000/10/27 22:54:41 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.12" +#define IPL_VERSION "IP Filter: v3.4.13" #endif diff --git a/contrib/ipfilter/iplang/Makefile b/contrib/ipfilter/iplang/Makefile index 32ae8e3bc204..f97bf1901307 100644 --- a/contrib/ipfilter/iplang/Makefile +++ b/contrib/ipfilter/iplang/Makefile @@ -11,6 +11,9 @@ all: $(DESTDIR)/y.tab.o $(DESTDIR)/lex.yy.o $(DESTDIR)/y.tab.o: $(DESTDIR)/y.tab.c $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@ +$(DESTDIR)/$(OBJ)/y.tab.o: $(DESTDIR)/y.tab.c + $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@ + $(DESTDIR)/lex.yy.o: $(DESTDIR)/lex.yy.c $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/lex.yy.c -o $@ diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index d1f8ed388c9d..18b88193837a 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -57,7 +57,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.3 2000/07/27 13:07:13 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.4 2000/10/27 14:06:47 darrenr Exp $"; #endif @@ -309,6 +309,7 @@ int fd, opts; printf("no memory\t%lu\tbad nat\t%lu\n", ns.ns_memfail, ns.ns_badnat); printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules); + printf("wilds\t%u\n", ns.ns_wilds); if (opts & OPT_VERBOSE) printf("table %p list %p\n", ns.ns_table, ns.ns_list); } |