diff --git a/contrib/ipfilter/FWTK/Index b/contrib/ipfilter/FWTK/Index
new file mode 100644
index 000000000000..f5d7043ca39c
--- /dev/null
+++ b/contrib/ipfilter/FWTK/Index
@@ -0,0 +1,3 @@
+README - Readme for ftp-gw.diff and fwtkp
+README.ipfilter - README for fwtk_transparent.diff
+fwtk_transparent.diff - patches for 2.0beta
diff --git a/contrib/ipfilter/FWTK/README.ipfilter b/contrib/ipfilter/FWTK/README.ipfilter
new file mode 100644
index 000000000000..fd461cc6cfd8
--- /dev/null
+++ b/contrib/ipfilter/FWTK/README.ipfilter
@@ -0,0 +1,20 @@
+
+there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall
+(thanx for his work) which I put onto fwtk 2.0beta.
+
+Now, if you decide to do transparent proxying with ip-filter you
+have to put -DUSE_IP_FILTER to COPTS in Makefile.config.
+With Solaris 2.x you have to correctly replace the path to your
+ip_filter sources. (lib/hnam.c needs ip_nat.h)
+
+I also patched plug-gw to be configured to accept not only one
+destination with the parameter "-all-destinations" in netperm-table.
+Perhaps this is a security hole...
+
+The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1)
+and Solaris 2.5 (ip_filter 3.1.5).
+
+If you try to enhance the transparent proxy features for other
+architectures, see lib/hnam.c (getdsthost).
+
+Michael Kutzner, Michael.Kutzner@paderlinx.de
diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff
new file mode 100644
index 000000000000..4fe58087e4fe
--- /dev/null
+++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff
@@ -0,0 +1,1025 @@ +diff -cr ../TIS.orig/fwtk/Makefile.config.linux fwtk/Makefile.config.linux +*** ../TIS.orig/fwtk/Makefile.config.linux Sat Sep 7 05:58:21 1996 +--- fwtk/Makefile.config.linux Sun Feb 2 05:48:01 1997 +*************** +*** 13,19 **** + + + # Your C compiler (eg, "cc" or "gcc") +! CC= cc + + + # program to use for installation -- this may or may not preserve +--- 13,19 ---- + + + # Your C compiler (eg, "cc" or "gcc") +! CC= gcc + + + # program to use for installation -- this may or may not preserve +*************** +*** 24,37 **** + + # Defines for your operating system + # +! DEFINES=-DLINUX + #DEFINES=-DSYSV -DSOLARIS + + # Options for your compiler (eg, "-g" for debugging, "-O" for + # optimizing, or "-g -O" for both under GCC) + #COPT= -g -traditional $(DEFINES) +! COPT= -g $(DEFINES) +! #COPT= -O $(DEFINES) + + # Version of "make" you want to use + #MAKE= gnumake +--- 24,37 ---- + + # Defines for your operating system + # +! DEFINES=-DLINUX -DUSE_IP_FILTER + #DEFINES=-DSYSV -DSOLARIS + + # Options for your compiler (eg, "-g" for debugging, "-O" for + # optimizing, or "-g -O" for both under GCC) + #COPT= -g -traditional $(DEFINES) +! #COPT= -g $(DEFINES) +! COPT= -O $(DEFINES) + + # Version of "make" you want to use + #MAKE= gnumake +*************** +*** 44,50 **** + + + # Destination directory for installation of binaries +! DEST= /usr/local/etc + + + # Destination directory for installation of man pages +--- 44,50 ---- + + + # Destination directory for installation of binaries +! DEST= /usr/local/sbin + + + # Destination directory for installation of man pages +*************** +*** 72,78 **** + # or -Bstatic for static binaries under SunOS 4.1.x) + #LDFL= -Bstatic + #LDFL= +! LDFL= -g + + + # Location of the fwtk sources [For #include by any external tools needing it] +--- 72,79 ---- + # or -Bstatic for static binaries under SunOS 4.1.x) + #LDFL= -Bstatic + #LDFL= +! #LDFL= -g +! 
LDFL= -O + + + # Location of the fwtk sources [For #include by any external tools needing it] +*************** +*** 81,87 **** + + + # Location of X libraries for X-gw +! XLIBDIR=/usr/X11/lib + #XLIBDIR=/usr/local/X11R5/lib + + # X Libraries +--- 82,88 ---- + + + # Location of X libraries for X-gw +! XLIBDIR=/usr/X11R6/lib + #XLIBDIR=/usr/local/X11R5/lib + + # X Libraries +*************** +*** 96,102 **** + #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11 + + # Location of X include files +! XINCLUDE=/usr/X11/include + #XINCLUDE=/usr/local/X11R5/include + + # Objects to include in libfwall for SYSV +--- 97,103 ---- + #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11 + + # Location of X include files +! XINCLUDE=/usr/X11R6/include + #XINCLUDE=/usr/local/X11R5/include + + # Objects to include in libfwall for SYSV +diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris +*** ../TIS.orig/fwtk/Makefile.config.solaris Sat Sep 7 06:14:13 1996 +--- fwtk/Makefile.config.solaris Sun Feb 2 06:09:19 1997 +*************** +*** 11,30 **** + # + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + + + # Your C compiler (eg, "cc" or "gcc") +! CC= cc + + + # program to use for installation -- this may or may not preserve + # old versions (or whatever). assumes that it takes parameters: + # copy source dest +! CP= cp + + + # Defines for your operating system + # +! DEFINES=-DSYSV -DSOLARIS + + #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \ + -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ +--- 11,34 ---- + # + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + ++ # ++ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c) ++ # ++ IPFPATH=/src/unpacked/firewall/ip_fil3.1.5 + + # Your C compiler (eg, "cc" or "gcc") +! 
CC= gcc + + + # program to use for installation -- this may or may not preserve + # old versions (or whatever). assumes that it takes parameters: + # copy source dest +! CP= /usr/ucb/install -c -s + + + # Defines for your operating system + # +! DEFINES=-DSYSV -DSOLARIS -DUSE_IP_FILTER -I$(IPFPATH) + + #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \ + -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ +*************** +*** 45,52 **** + + + # Your ranlib utility (use "touch" if you don't have ranlib) +! RANLIB= ranlib +! #RANLIB= touch + + + # Destination directory for installation of binaries +--- 49,56 ---- + + + # Your ranlib utility (use "touch" if you don't have ranlib) +! # RANLIB= ranlib +! RANLIB= touch + + + # Destination directory for installation of binaries +diff -cr ../TIS.orig/fwtk/firewall.h fwtk/firewall.h +*** ../TIS.orig/fwtk/firewall.h Sun Sep 8 05:55:26 1996 +--- fwtk/firewall.h Sun Feb 2 05:23:33 1997 +*************** +*** 47,53 **** + system. + */ + #ifndef PERMFILE +! #define PERMFILE "/usr/local/etc/netperm-table" + #endif + + /* +--- 47,53 ---- + system. + */ + #ifndef PERMFILE +! #define PERMFILE "/etc/fwtk/netperm-table" + #endif + + /* +*************** +*** 67,73 **** + + /* Choose a system logging facility for the firewall toolkit. */ + #ifndef LFAC +! #define LFAC LOG_DAEMON + #endif + + +--- 67,73 ---- + + /* Choose a system logging facility for the firewall toolkit. */ + #ifndef LFAC +! #define LFAC LOG_LOCAL5 + #endif + + +*************** +*** 215,220 **** + #define PERM_ALLOW 01 + #define PERM_DENY 02 + +! + #define _INCL_FWALL_H + #endif +--- 215,222 ---- + #define PERM_ALLOW 01 + #define PERM_DENY 02 + +! #ifdef USE_IP_FILTER +! extern char *getdsthost(int, int*); +! 
#endif + #define _INCL_FWALL_H + #endif +diff -cr ../TIS.orig/fwtk/ftp-gw/ftp-gw.c fwtk/ftp-gw/ftp-gw.c +*** ../TIS.orig/fwtk/ftp-gw/ftp-gw.c Fri Sep 6 18:55:05 1996 +--- fwtk/ftp-gw/ftp-gw.c Sat Feb 1 06:49:13 1997 +*************** +*** 50,55 **** +--- 50,59 ---- + #ifndef FTPPORT + #define FTPPORT 21 + #endif ++ #ifdef USE_IP_FILTER ++ static int do_transparent=0; ++ static int connectdest(); ++ #endif + + static Cfg *confp; + static char **validests = (char **)0; +*************** +*** 170,175 **** +--- 174,182 ---- + char xuf[1024]; + char huf[128]; + char *passuser = (char *)0; /* passed user as av */ ++ #ifdef USE_IP_FILTER ++ char *psychic, *hotline; ++ #endif + + #ifndef LOG_DAEMON + openlog("ftp-gw",LOG_PID); +*************** +*** 313,320 **** + } + } else + timeout = 60*60; + +- + /* display a welcome file or message */ + if(passuser == (char *)0) { + if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { +--- 320,330 ---- + } + } else + timeout = 60*60; ++ #ifdef USE_IP_FILTER ++ psychic=getdsthost(0,NULL); ++ if(psychic) { do_transparent++; } ++ #endif + + /* display a welcome file or message */ + if(passuser == (char *)0) { + if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { +*************** +*** 322,327 **** +--- 332,345 ---- + syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + exit(1); + } ++ #ifdef USE_IP_FILTER ++ if(do_transparent) { ++ if(sayfile2(0,cf->argv[0],220)) { ++ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); ++ exit(1); ++ } ++ } else ++ #endif /* USE_IP_FILTER */ + if(sayfile(0,cf->argv[0],220)) { + syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); + exit(1); +*************** +*** 332,338 **** + if(authallflg) + if(say(0,"220-Proxy first requires authentication")) + exit(1); +! 
sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); + if(say(0,xuf)) + exit(1); + } +--- 350,361 ---- + if(authallflg) + if(say(0,"220-Proxy first requires authentication")) + exit(1); +! #ifdef USE_IP_FILTER +! if(do_transparent) +! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); +! else +! #endif +! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); + if(say(0,xuf)) + exit(1); + } +*************** +*** 352,358 **** + if(cmd_user(2,fakav,"user internal")) + exit(1); + } +! + /* main loop */ + while(1) { + FD_ZERO(&rdy); +--- 375,386 ---- + if(cmd_user(2,fakav,"user internal")) + exit(1); + } +! #ifdef USE_IP_FILTER +! if(do_transparent) { +! connectdest(psychic,21); +! } +! #endif +! + /* main loop */ + while(1) { + FD_ZERO(&rdy); +*************** +*** 676,681 **** +--- 704,719 ---- + return(sayn(0,noad,sizeof(noad)-1)); + } + ++ #ifdef USE_IP_FILTER ++ if(do_transparent) { ++ if((rfd==(-1)) && (x=connectdest(dest,port))) return x; ++ sprintf(buf,"USER %s",user); ++ if(say(rfd,buf)) return(1); ++ x=getresp(rfd,buf,sizeof(buf),1); ++ if(sendsaved(0,x)) return(1); ++ return(say(0,buf)); ++ } ++ #endif + if(*dest == '\0') + dest = "localhost"; + +*************** +*** 717,723 **** + char ebuf[512]; + + strcpy(ebuf,buf); +! sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } +--- 755,766 ---- + char ebuf[512]; + + strcpy(ebuf,buf); +! #ifdef USE_IP_FILTER +! if(do_transparent) { +! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf); +! } else +! #endif +! 
sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } +*************** +*** 1874,1876 **** +--- 1917,2036 ---- + dup(nread); + } + #endif ++ ++ #ifdef USE_IP_FILTER ++ static int connectdest(dest, port) ++ char *dest; ++ short port; ++ { ++ char buf[1024], mbuf[512]; ++ int msg_int, x; ++ ++ if(*dest == '\0') ++ dest = "localhost"; ++ ++ if(validests != (char **)0) { ++ char **xp; ++ int x; ++ ++ for(xp = validests; *xp != (char *)0; xp++) { ++ if(**xp == '!' && hostmatch(*xp + 1,dest)) { ++ return(baddest(0,dest)); ++ } else { ++ if(hostmatch(*xp,dest)) ++ break; ++ } ++ } ++ if(*xp == (char *)0) ++ return(baddest(0,dest)); ++ } ++ ++ /* Extended permissions processing goes in here for destination */ ++ if(extendperm) { ++ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0); ++ if(msg_int == 1) { ++ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest); ++ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser); ++ say(0,mbuf); ++ return(1); ++ } else { ++ if(msg_int == -1) { ++ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest); ++ say(0,mbuf); ++ return(1); ++ } ++ } ++ } ++ ++ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest); ++ ++ if((rfd = conn_server(dest,port,0,buf)) < 0) { ++ char ebuf[512]; ++ ++ strcpy(ebuf,buf); ++ sprintf(buf,"521 %s: %s",dest,ebuf); ++ rfd = -1; ++ return(say(0,buf)); ++ } ++ if(!do_transparent) { ++ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); ++ saveline(buf); ++ } ++ ++ /* we are now connected and need to try the autologin thing */ ++ x = getresp(rfd,buf,sizeof(buf),1); ++ if(x / 100 != COMPLETE) { ++ sendsaved(0,-1); ++ return(say(0,buf)); ++ } ++ saveline(buf); ++ ++ sendsaved(0,-1); ++ return 0; ++ } ++ ++ ++ /* ok, so i'm in a hurry. english paper due RSN. 
*/ ++ sayfile2(fd,fn,code) ++ int fd; ++ char *fn; ++ int code; ++ { ++ FILE *f; ++ char buf[BUFSIZ]; ++ char yuf[BUFSIZ]; ++ char *c; ++ int x; ++ int saidsomething = 0; ++ ++ if((f = fopen(fn,"r")) == (FILE *)0) ++ return(1); ++ while(fgets(buf,sizeof(buf),f) != (char *)0) { ++ if((c = index(buf,'\n')) != (char *)0) ++ *c = '\0'; ++ x = fgetc(f); ++ if(feof(f)) ++ sprintf(yuf,"%3.3d-%s",code,buf); ++ else { ++ sprintf(yuf,"%3.3d-%s",code,buf); ++ ungetc(x,f); ++ } ++ if(say(fd,yuf)) { ++ fclose(f); ++ return(1); ++ } ++ saidsomething++; ++ } ++ fclose(f); ++ if (!saidsomething) { ++ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code); ++ sprintf(yuf, "%3.3d The file to display is empty",code); ++ if(say(fd,yuf)) { ++ fclose(f); ++ return(1); ++ } ++ } ++ return(0); ++ } ++ ++ #endif /* USE_IP_FILTER */ +diff -cr ../TIS.orig/fwtk/http-gw/http-gw.c fwtk/http-gw/http-gw.c +*** ../TIS.orig/fwtk/http-gw/http-gw.c Mon Sep 9 20:40:53 1996 +--- fwtk/http-gw/http-gw.c Sun Feb 2 06:41:18 1997 +*************** +*** 27,32 **** +--- 27,35 ---- + static char http_buffer[8192]; + static char reason[8192]; + static int checkBrowserType = 1; ++ #ifdef USE_IP_FILTER ++ static int do_transparent=0; ++ #endif + + static void do_logging() + { char *proto = "GOPHER"; +*************** +*** 422,427 **** +--- 425,441 ---- + /*(NOT A SPECIAL FORM)*/ + + if((rem_type & TYPE_LOCAL)== 0){ ++ #ifdef USE_IP_FILTER ++ char *psychic=getdsthost(sockfd,&def_port); ++ if(psychic) { ++ if(strlen(psychic)<=MAXHOSTNAMELEN) { ++ do_transparent++; ++ strncpy(def_httpd,psychic,strlen(psychic)); ++ strncpy(def_server,psychic,strlen(psychic)); ++ } ++ } ++ ++ #endif /* USE_IP_FILTER */ + /* See if it can be forwarded */ + + if( can_forward(buf)){ +*************** +*** 1513,1518 **** +--- 1527,1537 ---- + parse_vec[0], + parse_vec[1], + ourname, ourport); ++ } ++ #ifdef USE_IP_FILTER ++ else if(do_transparent) { ++ sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]); 
++ #endif /* USE_IP_FILTER */ + }else{ + sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", + parse_vec[0], parse_vec[2], +diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c +*** ../TIS.orig/fwtk/lib/hnam.c Sat Nov 5 00:30:19 1994 +--- fwtk/lib/hnam.c Sat Feb 1 08:17:46 1997 +*************** +*** 20,25 **** +--- 20,37 ---- + + extern char *inet_ntoa(); + ++ #if defined(USE_IP_FILTER) ++ #include ++ #ifndef LINUX ++ #include "ip_nat.h" ++ #endif ++ #if defined(SOLARIS) ++ #include ++ #include ++ #include ++ #include ++ #endif ++ #endif /* IP_FILTER */ + + #include "firewall.h" + +*************** +*** 45,47 **** +--- 57,158 ---- + bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); + return(inet_ntoa(sin.sin_addr)); + } ++ ++ ++ ++ #ifdef USE_IP_FILTER ++ char *getdsthost(fd, ptr) ++ int fd; ++ int *ptr; ++ { ++ struct sockaddr_in sin; ++ struct hostent *hp; ++ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0; ++ static char buf[255], hostbuf[255]; ++ #if defined(__FreeBSD__) || defined(SOLARIS) ++ struct sockaddr_in rsin; ++ struct natlookup natlookup; ++ int natfd; ++ #endif ++ ++ #ifdef linux ++ /* This should also work for UDP. Unfortunately, it doesn't. ++ Maybe when the Linux UDP proxy code gets a little cleaner. ++ */ ++ if(!(err=getsockname(0,&sin,&sl))) { ++ if(ptr) *ptr=ntohs(sin.sin_port); ++ sprintf(buf,"%s",inet_ntoa(sin.sin_addr)); ++ gethostname(hostbuf,254); ++ hp=gethostbyname(hostbuf); ++ while(hp->h_addr_list[i]) { ++ bzero(&sin,&sl); ++ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++])); ++ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++; ++ } ++ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); } ++ else { return(buf); } ++ } ++ #endif ++ ++ #if defined(__FreeBSD__) ++ /* The basis for this block of code is Darren Reed's ++ patches to the TIS ftwk's ftp-gw. 
++ */ ++ bzero((char*)&sin,sizeof(sin)); ++ bzero((char*)&rsin,sizeof(rsin)); ++ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) { ++ return NULL; ++ } ++ sl=sizeof(rsin); ++ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) { ++ return NULL; ++ } ++ natlookup.nl_inport=sin.sin_port; ++ natlookup.nl_outport=rsin.sin_port; ++ natlookup.nl_inip=sin.sin_addr; ++ natlookup.nl_outip=rsin.sin_addr; ++ if((natfd=open("/dev/ipl",O_RDONLY))<0) { ++ return(NULL); ++ } ++ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) { ++ return(NULL); ++ } ++ close(natfd); ++ if(ptr) *ptr=ntohs(natlookup.nl_inport); ++ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip)); ++ #endif ++ ++ #if defined(SOLARIS) /* for Solaris */ ++ /* The basis for this block of code is Darren Reed's ++ * patches to the TIS ftwk's ftp-gw. ++ * modified for Solaris from Michael Kutzner, Michael.Kutzner@paderlinx.de ++ */ ++ memset((char*)&sin, 0, sizeof(sin)); ++ memset((char*)&rsin, 0, sizeof(rsin)); ++ ++ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) { ++ return NULL; ++ } ++ sl=sizeof(rsin); ++ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) { ++ return NULL; ++ } ++ natlookup.nl_inport=sin.sin_port; ++ natlookup.nl_outport=rsin.sin_port; ++ natlookup.nl_inip=sin.sin_addr; ++ natlookup.nl_outip=rsin.sin_addr; ++ if( (natfd=open("/dev/ipl",O_RDONLY)) < 0) { ++ return(NULL); ++ } ++ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) { ++ return(NULL); ++ } ++ close(natfd); ++ if(ptr) *ptr=ntohs(natlookup.nl_inport); ++ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip)); ++ #endif ++ ++ /* No transparent proxy support */ ++ return(NULL); ++ } ++ #endif /* USE_IP_FILTER */ +diff -cr ../TIS.orig/fwtk/plug-gw/plug-gw.c fwtk/plug-gw/plug-gw.c +*** ../TIS.orig/fwtk/plug-gw/plug-gw.c Thu Sep 5 21:36:33 1996 +--- fwtk/plug-gw/plug-gw.c Sun Feb 2 04:50:40 1997 +*************** +*** 38,44 **** + static int timeout = PROXY_TIMEOUT; + static char **validdests = (char **)0; + static Cfg *confp; +! 
+ main(ac,av) + int ac; + char *av[]; +--- 38,46 ---- + static int timeout = PROXY_TIMEOUT; + static char **validdests = (char **)0; + static Cfg *confp; +! #ifdef USE_IP_FILTER +! static int do_transparent=0; +! #endif + main(ac,av) + int ac; + char *av[]; +*************** +*** 189,201 **** + static char buf[1024 * 4]; + void (*op)(); + char *dhost = NULL; + char hostport[1024 * 4]; + char *ptr; + int state = 0; + int ssl_plug = 0; +! + struct timeval timo; + + if(c->flags & PERM_DENY) { + if (p == -1) + syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr); +--- 191,215 ---- + static char buf[1024 * 4]; + void (*op)(); + char *dhost = NULL; ++ char *transhost = NULL; + char hostport[1024 * 4]; + char *ptr; + int state = 0; + int ssl_plug = 0; +! #ifdef USE_IP_FILTER +! int pport; +! #endif + struct timeval timo; + ++ #ifdef USE_IP_FILTER ++ /* Transparent plug-gw is probably a bad idea, but hey .. */ ++ transhost=getdsthost(0,&pport); ++ if(transhost) { ++ do_transparent++; ++ portid=pport; ++ } ++ #endif ++ + if(c->flags & PERM_DENY) { + if (p == -1) + syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr); +*************** +*** 223,229 **** + privport = 1; + continue; + } +! + if (!strcmp(av[x], "-port")) { + if (++x >= ac) { + syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln); +--- 237,248 ---- + privport = 1; + continue; + } +! #ifdef USE_IP_FILTER +! if (!strcmp(av[x],"-all-destinations")) { +! dhost = transhost; +! continue; +! } +! #endif + if (!strcmp(av[x], "-port")) { + if (++x >= ac) { + syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln); +diff -cr ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c fwtk/rlogin-gw/rlogin-gw.c +*** ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c Fri Sep 6 18:56:33 1996 +--- fwtk/rlogin-gw/rlogin-gw.c Sun Feb 2 06:26:04 1997 +*************** +*** 40,46 **** + + extern char *maphostname(); + +! 
+ static int cmd_quit(); + static int cmd_help(); + static int cmd_connect(); +--- 40,48 ---- + + extern char *maphostname(); + +! #ifdef USE_IP_FILTER +! static int do_transparent=0; +! #endif + static int cmd_quit(); + static int cmd_help(); + static int cmd_connect(); +*************** +*** 120,125 **** +--- 122,130 ---- + static char *tokav[56]; + int tokac; + struct timeval timo; ++ #ifdef USE_IP_FILTER ++ char *psychic; ++ #endif + + #ifndef LOG_NDELAY + openlog("rlogin-gw",LOG_PID); +*************** +*** 186,192 **** + } + + +! + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln); +--- 191,204 ---- + } + + +! #ifdef USE_IP_FILTER +! psychic=getdsthost(0,NULL); +! if(psychic) { +! do_transparent++; +! strncpy(dest,psychic,511); +! dest[511]='\0'; +! } +! #endif /* USE_IP_FILTER */ + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln); +*************** +*** 260,269 **** + } + + /* if present a host name, chop and save username and hostname */ +- dest[0] = '\0'; + if((p = index(rusername,'@')) != (char *)0) { + char *namp; + + *p++ = '\0'; + if(*p == '\0') + p = "localhost"; +--- 272,281 ---- + } + + /* if present a host name, chop and save username and hostname */ + if((p = index(rusername,'@')) != (char *)0) { + char *namp; + ++ dest[0] = '\0'; + *p++ = '\0'; + if(*p == '\0') + p = "localhost"; +*************** +*** 532,539 **** +--- 544,557 ---- + sprintf(ebuf,"Trying %s@%s...",rusername,namp); + else + sprintf(ebuf,"Trying %s...",namp); ++ #ifdef USE_IP_FILTER ++ if(!do_transparent) { ++ #endif + if(say(0,ebuf)) + return(1); ++ #ifdef USE_IP_FILTER ++ } ++ #endif + } else + syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]); + if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { +diff -cr ../TIS.orig/fwtk/tn-gw/tn-gw.c fwtk/tn-gw/tn-gw.c +*** 
../TIS.orig/fwtk/tn-gw/tn-gw.c Fri Sep 6 18:55:48 1996 +--- fwtk/tn-gw/tn-gw.c Sun Feb 2 06:06:33 1997 +*************** +*** 97,102 **** +--- 97,106 ---- + static int timeout = PROXY_TIMEOUT; + static char timed_out_msg[] = "\r\nConnection closed due to inactivity"; + ++ #ifdef USE_IP_FILTER ++ static int do_transparent=0; ++ #endif ++ + typedef struct { + char *name; + char *hmsg; +*************** +*** 140,145 **** +--- 144,153 ---- + char tokbuf[BSIZ]; + char *tokav[56]; + int tokac; ++ #ifdef USE_IP_FILTER ++ int port; ++ char *psychic; ++ #endif + + #ifndef LOG_DAEMON + openlog("tn-gw",LOG_PID); +*************** +*** 307,313 **** + exit(1); + } + } +! + while (argc > 1) { + argc--; + argv++; +--- 315,349 ---- + exit(1); + } + } +! #ifdef USE_IP_FILTER +! psychic=getdsthost(0,&port); +! if(psychic) { +! if((strlen(psychic) + 10) < 510) { +! do_transparent++; +! if(port) +! sprintf(dest,"%s:%d",psychic,port); +! else +! sprintf(dest,"%s",psychic); +! +! +! if(!welcomedone) +! if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { +! if(cf->argc != 1) { +! syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); +! exit(1); +! } +! if(sayfile(0,cf->argv[0])) { +! syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]); +! exit(1); +! } +! welcomedone = 1; +! } +! +! +! } +! } +! +! #endif /* USE_IP_FILTER */ + while (argc > 1) { + argc--; + argv++; +*************** +*** 870,877 **** + + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp); + sprintf(ebuf,"Trying %s port %d...",namp,port); +! if(say(0,ebuf)) +! return(1); + } else + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]); + +--- 906,920 ---- + + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp); + sprintf(ebuf,"Trying %s port %d...",namp,port); +! #ifdef USE_IP_FILTER +! if(!do_transparent) { +! sprintf(ebuf,"Trying %s port %d...",namp,port); +! #endif +! if(say(0,ebuf)) +! return(1); +! #ifdef USE_IP_FILTER +! } +! 
#endif + } else + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]); + +*************** +*** 903,910 **** + + syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); +! sprintf(buf, "Connected to %s.", dest); + say(0, buf); + return(2); + } + +--- 946,959 ---- + + syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); +! #ifdef USE_IP_FILTER +! if(!do_transparent) { +! sprintf(buf, "Connected to %s.", dest); +! say(0, buf); +! } +! #else + say(0, buf); ++ #endif + return(2); + } + +diff -cr ../TIS.orig/fwtk/x-gw/socket.c fwtk/x-gw/socket.c +*** ../TIS.orig/fwtk/x-gw/socket.c Sat Sep 7 05:16:35 1996 +--- fwtk/x-gw/socket.c Sun Feb 2 05:26:44 1997 +*************** +*** 212,218 **** + case AF_UNIX: un_name = (struct sockaddr_un *)addr; + len = sizeof(un_name->sun_family) + + sizeof(un_name->sun_path) +! #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */ + + sizeof(un_name->sun_len) + 1 + #endif + ; +--- 212,218 ---- + case AF_UNIX: un_name = (struct sockaddr_un *)addr; + len = sizeof(un_name->sun_family) + + sizeof(un_name->sun_path) +! #if defined(SCM_RIGHTS) && !defined(LINUX)/* 4.3BSD Reno and later */ + + sizeof(un_name->sun_len) + 1 + #endif + ; +Only in fwtk/x-gw: socket.c.bak diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 7cd91069beb4..41c94d120394 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
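Review bot: getdsthost() in the embedded lib/hnam.c patch supplies the destination that ftp-gw, http-gw, plug-gw, rlogin-gw and tn-gw then act on, and its Linux branch has three defects: it calls `getsockname(0,&sin,&sl)` instead of using `fd`, it passes the address of `sl` as the length in `bzero(&sin,&sl)`, and it dereferences `hp` without checking that gethostbyname() returned non-NULL. I would write those as `getsockname(fd,(struct sockaddr*)&sin,&sl)`, `bzero((char*)&sin,sizeof(sin))` and `if(hp == NULL) return(NULL);`. The FreeBSD and Solaris branches fill `buf` but then fall through to the final `return(NULL)`, so as shown they never report a destination, and they return without `close(natfd)` when the ioctl fails. Separately, the http-gw change copies with `strncpy(def_httpd,psychic,strlen(psychic))`, which never writes the terminating NUL and bounds the copy by the source rather than the destination, and the tn-gw `#else` branch calls `say(0, buf)` without the `sprintf` that used to fill `buf`, so a build without USE_IP_FILTER sends whatever `buf` last held.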
@@ -5,6 +5,15 @@ # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # +prevent use of return-rst and return-icmp with rules blocking packets going +out, preventing panics in certain situations. + +loop forms in frag cache table - Yury Pshenychny + +should use SPLNET/SPLX around expire routines in NAT/frag/state code. + +redeclared malloc in 44arp.c - + 3.1.7 8/2/97 - Released Macros used for ntohs/htons supplied with gcc don't always work very well diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index d0d5309d98e6..258074aa301a 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # -# $Id: Makefile,v 2.0.1.4 1997/02/08 06:39:28 darrenr Exp $ +# $Id: Makefile,v 2.0.1.5 1997/02/16 06:17:04 darrenr Exp $ # # where to put things. # @@ -35,7 +35,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0 # results: pass, block and nomatch. This is the sort of "block unless # explicitly allowed" type #define switch. # -POLICY=-DNOMATCH=FR_PASS +POLICY=-DIPF_DEFAULT_PASS=FR_PASS # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ "CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index de776f9fc5c8..9f953614e42d 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $"; +static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #endif #include 
@@ -97,10 +97,19 @@ extern int ipl_unreach, ipllog(); # endif #endif +#ifndef IPF_LOGGING +#define IPF_LOGGING 0 +#endif +#ifdef IPF_DEFAULT_PASS +#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH) +#else +#define IPF_NOMATCH (FR_NOMATCH) +#endif + struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } }; -int fr_flags = 0, fr_active = 0; +int fr_flags = IPF_LOGGING, fr_active = 0; fr_info_t frcache[2]; @@ -573,16 +582,12 @@ int out; frstats[out].fr_chit++; pass = fin->fin_fr->fr_flags; } else { - pass = FR_NOMATCH; + pass = IPF_NOMATCH; if ((fin->fin_fr = ipfilter[out][fr_active])) - pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m); + pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m); bcopy((char *)fin, (char *)fc, FI_CSIZE); - if (pass & FR_NOMATCH) { + if (pass & FR_NOMATCH) frstats[out].fr_nom++; -#ifdef NOMATCH - pass |= NOMATCH; -#endif - } } fr = fin->fin_fr; 
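Review bot: A build that still passes the old `-DNOMATCH=FR_PASS` is now silently ignored, because the `#ifdef NOMATCH` block is removed in the @@ -573 hunk and only `IPF_DEFAULT_PASS` is consulted in the new defines, so the verdict for packets that match no rule can change without any diagnostic. I would add `#if defined(NOMATCH) && !defined(IPF_DEFAULT_PASS)` / `#error NOMATCH was renamed to IPF_DEFAULT_PASS` / `#endif` next to the new defines. The two knobs also deserve a comment, for example `/* IPF_DEFAULT_PASS: flags OR'ed with FR_NOMATCH for packets that match no rule; IPF_LOGGING: initial value of fr_flags */`, since with the Makefile's `-DIPF_DEFAULT_PASS=FR_PASS` unmatched packets carry the pass bit. The policy bits are now the seed handed to FR_SCANLIST rather than being OR'ed in afterwards; that a matching rule replaces the seed entirely is decided in FR_SCANLIST, outside this diff, and is worth confirming.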
@@ -651,34 +656,40 @@ int out; /* * Should we return an ICMP packet to indicate error * status passing through the packet filter ? + * WARNING: ICMP error packets AND TCP RST packets should + * ONLY be sent in repsonse to incoming packets. Sending them + * in response to outbound packets can result in a panic on + * some operating systems. */ + if (!out) { #ifdef _KERNEL - if (pass & FR_RETICMP) { + if (pass & FR_RETICMP) { # if SOLARIS - ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode, - qif, ip->ip_src); + ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode, + qif, ip->ip_src); # else - ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode, - ifp, ip->ip_src); - m = NULL; /* freed by icmp_error() */ + ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode, + ifp, ip->ip_src); + m = *mp = NULL; /* freed by icmp_error() */ # endif - frstats[0].fr_ret++; - } else if ((pass & FR_RETRST) && - !(fin->fin_fi.fi_fl & FI_SHORT)) { - if (SEND_RESET(ip, qif, q) == 0) - frstats[1].fr_ret++; - } + frstats[0].fr_ret++; + } else if ((pass & FR_RETRST) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + if (SEND_RESET(ip, qif, q) == 0) + frstats[1].fr_ret++; + } #else - if (pass & FR_RETICMP) { - verbose("- ICMP unreachable sent\n"); - frstats[0].fr_ret++; - } else if ((pass & FR_RETRST) && - !(fin->fin_fi.fi_fl & FI_SHORT)) { - verbose("- TCP RST sent\n"); - frstats[1].fr_ret++; - } + if (pass & FR_RETICMP) { + verbose("- ICMP unreachable sent\n"); + frstats[0].fr_ret++; + } else if ((pass & FR_RETRST) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + verbose("- TCP RST sent\n"); + frstats[1].fr_ret++; + } #endif + } } #ifdef _KERNEL # if !SOLARIS @@ -691,7 +702,6 @@ int out; (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { ipfr_fastroute(m, fin, fdp); m = *mp = NULL; - pass = 0; } if (mc) ipfr_fastroute(mc, fin, &fr->fr_dif); diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 7a244345640e..fec484670f4b 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c 
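Review bot: The new `if (!out)` guard makes FR_RETICMP and FR_RETRST a silent no-op on outbound rules: nothing in this hunk logs, counts or rejects such a rule, so an administrator can keep a rule set that no longer does what it says. If the rule loader (not part of this diff) does not refuse the combination, I would at least state it in the comment, e.g. `* Outbound rules with return-rst/return-icmp are accepted, but the reply is suppressed here.`, and correct `repsonse` to `response` in the same comment. The enclosing function starts and ends outside the hunk, so the condition that leads into this block is not visible here.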
@@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $"; +static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $"; #endif #include @@ -70,7 +70,7 @@ static int iplused = 0; #endif /* IPFILTER_LOG */ static void frflush(); static int frrequest(); -static int (*fr_savep)(); +static int (*fr_savep)() = NULL; #if _BSDI_VERSION >= 199501 # include @@ -732,6 +732,9 @@ frdest_t *fdp; dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; +#ifdef __bsdi__ + dst->sin_len = sizeof(*dst); +#endif #if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) # ifdef RTF_CLONING rtalloc_ign(ro, RTF_CLONING); @@ -780,7 +783,6 @@ frdest_t *fdp; #if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); - #else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); #endif diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 6665404b9830..7ed97ceb56fd 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; +static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -127,7 +127,6 @@ int pass; fr->ipfr_ttl = fr_ipfrttl; fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); - *fp = fr; ipfr_stats.ifs_new++; ipfr_inuse++; MUTEX_EXIT(&ipf_frag); diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index afe9761bc093..ee59a6cda1dd 100644 --- a/contrib/ipfilter/ip_nat.c 
+++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $"; +static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -155,12 +155,13 @@ int cmd, mode; { register ipnat_t *nat, *n = NULL, **np = NULL; ipnat_t natd; - int error = 0, ret; + int error = 0, ret, s; /* * For add/delete, look to see if the NAT entry is already present */ MUTEX_ENTER(&ipf_nat); + SPLNET(s); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { IRCOPY(data, (char *)&natd, sizeof(natd)); nat = &natd; @@ -260,6 +261,7 @@ int cmd, mode; IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; } + SPLX(s); MUTEX_EXIT(&ipf_nat); return error; } @@ -857,11 +859,13 @@ fr_info_t *fin; */ void ip_natunload() { - MUTEX_ENTER(&ipf_nat); + int s; + MUTEX_ENTER(&ipf_nat); + SPLNET(s); (void) clear_natlist(); (void) flush_nattable(); - + SPLX(s) MUTEX_EXIT(&ipf_nat); } @@ -873,14 +877,19 @@ void ip_natunload() void ip_natexpire() { register struct nat *nat, **natp; + int s; MUTEX_ENTER(&ipf_nat); - for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) { - if (--nat->nat_age) + SPLNET(s); + for (natp = &nat_instances; (nat = *natp); ) { + if (--nat->nat_age) { + natp = &nat->nat_next; continue; + } *natp = nat->nat_next; nat_delete(nat); nat_stats.ns_expire++; } + SPLX(s); MUTEX_EXIT(&ipf_nat); } diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 62a49aa250ed..2643ce95a633 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c 
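Review bot: The `SPLX(s)` added in `ip_natunload()` has no terminating semicolon, unlike every other `SPLX(s);` this commit adds. Whether it compiles depends on what `SPLX` and `MUTEX_EXIT` expand to on a given platform, so it may build on one target and fail on another. Write it as `SPLX(s);` so the lock and interrupt-level release read the same way in every function.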
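Review bot: `if (--nat->nat_age)` in `ip_natexpire()` decrements before testing, so an entry that reaches the loop with `nat_age` already 0 would wrap or go negative and be kept rather than expired. `fr_timeoutstate()` in ip_state.c tests `is->is_age && !--is->is_age` and so handles 0 explicitly. How `nat_age` is initialised is not visible in this hunk. If 0 cannot occur, a comment next to the test such as `/* nat_age is >= 1 for every listed entry */` would record the invariant; if it can, the test needs a guard so stale mappings do not linger in the table.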
@@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $"; +static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -411,13 +411,16 @@ void fr_stateunload() { register int i; register ipstate_t *is, **isp; + int s; MUTEX_ENTER(&ipf_state); + SPLNET(s); for (i = 0; i < IPSTATE_SIZE; i++) for (isp = &ips_table[i]; (is = *isp); ) { *isp = is->is_next; KFREE(is); } + SPLX(s); MUTEX_EXIT(&ipf_state); } @@ -430,8 +433,10 @@ void fr_timeoutstate() { register int i; register ipstate_t *is, **isp; + int s; MUTEX_ENTER(&ipf_state); + SPLNET(s); for (i = 0; i < IPSTATE_SIZE; i++) for (isp = &ips_table[i]; (is = *isp); ) if (is->is_age && !--is->is_age) { @@ -444,6 +449,7 @@ void fr_timeoutstate() ips_num--; } else isp = &is->is_next; + SPLX(s); MUTEX_EXIT(&ipf_state); } diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index 6458cde86b92..d7592284de14 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -51,7 +51,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp $"; +static char rcsid[] = "$Id: ipnat.c,v 2.0.1.8 1997/02/16 21:23:40 darrenr Exp $"; #endif #if SOLARIS @@ -190,7 +190,7 @@ void *ptr; printf(" udp"); printf("\n"); if (verbose) - printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp, + printf("\t%p %u %x %u %x %d\n", (u_int)np->in_ifp, np->in_space, np->in_flags, np->in_pnext, np, np->in_use); } else { @@ -220,7 +220,7 @@ void *ptr; } printf("\n"); if (verbose) - printf("\t%x %u %s %d %x\n", (u_int)np->in_ifp, + printf("\t%p %u %s %d %x\n", (u_int)np->in_ifp, np->in_space, inet_ntoa(np->in_nextip), np->in_pnext, np->in_flags); } 
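Review bot: `fr_stateunload()` frees every entry in `ips_table` but leaves `ips_num` untouched, whereas `fr_timeoutstate()` in the next hunk decrements it for each entry it removes. If the table can be used again after an unload, the stale count would presumably make it look fuller than it is; adding `ips_num = 0;` before `SPLX(s);` would keep the two in step. Braces around the nested `for` bodies in both functions would also make it obvious that `SPLX(s);` runs once, after the loops.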
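Review bot: The format was changed to `%p` but the matching argument is still `(u_int)np->in_ifp`, so `printf` receives an integer where it expects a `void *`. That is undefined behaviour and prints a truncated or wrong value wherever pointers are wider than `u_int`. The same mismatch is in the `@@ -220` hunk and in `printf("table %p list %p\n", (u_int)ns.ns_table, (u_int)ns.ns_list);` at `@@ -264`, and in this hunk `np` itself is still passed to `%x`. Cast to the type the format expects: `(void *)np->in_ifp`, `(void *)ns.ns_table`, `(void *)ns.ns_list`, and print `np` with `%p` and `(void *)np`.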
@@ -264,7 +264,7 @@ int fd, opts; ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); if (opts & OPT_VERBOSE) - printf("table %#x list %#x\n", + printf("table %p list %p\n", (u_int)ns.ns_table, (u_int)ns.ns_list); } if (opts & OPT_LIST) { @@ -384,7 +384,7 @@ int *resolved; struct netent *np; *resolved = 0; - if (!strcasecmp("any",host)) + if (!strcasecmp("any", host)) return 0L; if (isdigit(*host)) return inet_addr(host); diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index 621d84c86d5b..aa428593b57e 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c @@ -52,7 +52,7 @@ char *addr, *eaddr; { int mib[6]; size_t needed; - char *malloc(), *lim, *buf, *next; + char *lim, *buf, *next; struct rt_msghdr *rtm; struct sockaddr_inarp *sin; struct sockaddr_dl *sdl; diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 1c463e86eb37..023605399d73 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -33,7 +33,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: parse.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; @@ -143,9 +143,18 @@ char *line; } cpp++; - if (!strcasecmp("in", *cpp)) + if (!strcasecmp("in", *cpp)) { fil.fr_flags |= FR_INQUE; - else if (!strcasecmp("out", *cpp)) + if (fil.fr_flags & FR_RETICMP) { + (void)fprintf(stderr, + "Can only use return-icmp with 'in'\n"); + return NULL; + } else if (fil.fr_flags & FR_RETRST) { + (void)fprintf(stderr, + "Can only use return-rst with 'in'\n"); + return NULL; + } + } else if (!strcasecmp("out", *cpp)) fil.fr_flags |= FR_OUTQUE; else { (void)fprintf(stderr,