This commit was generated by cvs2svn to compensate for changes in r102521,

which included commits to RCS files with non-trunk default branches.

contrib/ipfilter/BSD/Makefile

@@ -231,7 +231,7 @@ clean:
 	${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
 	vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
 	y.tab.? lex.yy.c ipfs
-	${RM} -f ../opt_inet6.h
+	${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat
 
 	${MAKE} -f Makefile.ipsend ${MFLAGS} clean
 	-(for i in *; do \
@@ -243,8 +243,11 @@ clean:
 	done)
 
 install:
-	-$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h
-	-$(CHMOD) 444 /usr/include/netinet/ip_fil.h
+	for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
+		ip_frag.h ip_auth.h; do \
+		/bin/cp $(TOP)/$$i /usr/include/netinet/; \
+		-$(CHMOD) 444 /usr/include/netinet/$$i; \
+	done
 	-if [ -d /lkm -a -f if_ipl.o ] ; then \
 		cp if_ipl.o /lkm; \
 	fi

contrib/ipfilter/HISTORY

@@ -22,6 +22,29 @@
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+3.4.29	28/8/2002 - Released
+
+Make substantial changes to the FTP proxy to improve reliability, security
+and functionality.
+
+don't send ICMP errors/TCP RST's in response to blocked proxy packets
+
+fix potential memory leaks when unloading ipfilter from kernel
+
+fix bug in SIOCGNATL handler that did not preserve the expected
+byte order from earlier versions in the port number
+
+set do not fragment flag in generated packets according to system flags,
+where available.
+
+preserve filter rule number and group number in state structure
+
+fix bug in ipmon printing of p/P/b/B
+
+make some changes to the kmem.c code for IRIX compatibility
+
+add code to specifically handle ip.tun* interfaces on Solaris
+
 3.4.28	6/6/2002 - Released
 
 Fix for H.323 proxy to work on little endian boxes

contrib/ipfilter/fils.c

@@ -94,7 +94,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fils.c	1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $";
 #endif
 
 extern	char	*optarg;
@@ -197,7 +197,7 @@ char *argv[];
 	ipfrstat_t *ifrstp = &ifrst;
 	char	*device = IPL_NAME, *memf = NULL;
 	char	*kern = NULL;
-	int	c, fd, myoptind;
+	int	c, myoptind;
 	struct protoent *proto;
 
 	int protocol = -1;		/* -1 = wild card for any protocol */
@@ -354,8 +354,8 @@ char *argv[];
 		bzero((char *)&ipsst, sizeof(ipsst));
 		bzero((char *)&ifrst, sizeof(ifrst));
 
-		fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
-				   &frauthstp, &frf);
+		ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
+			      &frauthstp, &frf);
 	} else
 		ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
 

contrib/ipfilter/ip_sfil.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $";
 #endif
 
 #include <sys/types.h>
@@ -63,8 +63,10 @@ u_long	ipl_frouteok[2] = {0, 0};
 static	int	frzerostats __P((caddr_t));
 #if SOLARIS2 >= 7
 static	u_int	*ip_ttl_ptr;
+static	u_int	*ip_mtudisc;
 #else
 static	u_long	*ip_ttl_ptr;
+static	u_long	*ip_mtudisc;
 #endif
 
 static	int	frrequest __P((minor_t, int, caddr_t, int));
@@ -86,8 +88,8 @@ int ipldetach()
 	for (i = IPL_LOGMAX; i >= 0; i--)
 		ipflog_clear(i);
 #endif
-	i = FR_INQUE|FR_OUTQUE;
-	(void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
+	i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+	i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
 	ipfr_unload();
 	fr_stateunload();
 	ip_natunload();
@@ -142,16 +144,22 @@ int iplattach __P((void))
 		return -1;
 
 	ip_ttl_ptr = NULL;
+	ip_mtudisc = NULL;
 	/*
 	 * XXX - There is no terminator for this array, so it is not possible
 	 * to tell if what we are looking for is missing and go off the end
 	 * of the array.
 	 */
 	for (i = 0; ; i++) {
-		if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) {
+		if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
 			ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
-			break;
+		} else if (strcmp(ip_param_arr[i].ip_param_name,
+				  "ip_path_mtu_discovery") == 0) {
+			ip_mtudisc = &ip_param_arr[i].ip_param_value;
 		}
+
+		if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
+			break;
 	}
 	return 0;
 }
@@ -799,6 +807,7 @@ mblk_t *m;
 		ip = (ip_t *)m->b_rptr;
 		ip->ip_v = IPVERSION;
 		ip->ip_ttl = (u_char)(*ip_ttl_ptr);
+		ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
 		ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
 	}
 	READ_ENTER(&ipf_solaris);

contrib/ipfilter/ipf.c

@@ -50,7 +50,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $";
 #endif
 
 #if	SOLARIS
@@ -389,7 +389,7 @@ int	*linenum;
 static void packetlogon(opt)
 char	*opt;
 {
-	int	flag, err;
+	int	flag;
 
 	flag = get_flags();
 	if (flag != 0) {
@@ -415,7 +415,7 @@ char	*opt;
 			printf("set log flag: block\n");
 	}
 
-	if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag)))
+	if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0))
 		perror("ioctl(SIOCSETFF)");
 
 	if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {

contrib/ipfilter/ipft_ef.c

@@ -52,7 +52,7 @@ etherfind -n -t
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_ef.c	1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
 #endif
 
 static	int	etherf_open __P((char *));
@@ -97,7 +97,7 @@ int	cnt, *dir;
 	struct	protoent *p = NULL;
 	char	src[16], dst[16], sprt[16], dprt[16];
 	char	lbuf[128], len[8], prot[8], time[8], *s;
-	int	slen, extra = 0, i, n;
+	int	slen, extra = 0, i;
 
 	if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
 		return 0;
@@ -108,10 +108,10 @@ int	cnt, *dir;
 
 	bzero(&pkt, sizeof(pkt));
 
-	if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
-			sprt, dprt)) != 6)
-		if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time,
-				len, prot, src, dst, sprt, dprt)) != 7)
+	if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
+		   sprt, dprt) != 6)
+		if (sscanf(lbuf, "%s %s %s %s %s %s %s", time,
+			   len, prot, src, dst, sprt, dprt) != 7)
 			return -1;
 
 	ip->ip_p = atoi(prot);

contrib/ipfilter/ipft_td.c

@@ -61,7 +61,7 @@ tcpdump -nqte
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_td.c	1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
 #endif
 
 static	int	tcpd_open __P((char *));
@@ -120,7 +120,7 @@ int	cnt, *dir;
 	struct	protoent *p;
 	char	src[32], dst[32], misc[256], time[32], link1[32], link2[32];
 	char	lbuf[160], *s;
-	int	n, dots, slen, extra = 0;
+	int	n, slen, extra = 0;
 
 	if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
 		return 0;
@@ -142,7 +142,7 @@ int	cnt, *dir;
 					return -1;
 			}
 
-	if ((dots = count_dots(dst)) == 4) {
+	if (count_dots(dst) == 4) {
 		s = strrchr(src, '.');
 		*s++ = '\0';
 		(void) inet_aton(src, &ip->ip_src);

contrib/ipfilter/ipft_tx.c

@@ -44,7 +44,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $";
 #endif
 
 extern	int	opts;
@@ -177,10 +177,8 @@ char	*buf, **ifn;
 int	cnt, *dir;
 {
 	register char *s;
-	ip_t *ip;
 	char	line[513];
 
- 	ip = (ip_t *)buf;
 	*ifn = NULL;
 	while (fgets(line, sizeof(line)-1, tfp)) {
 		if ((s = index(line, '\n')))
@@ -197,7 +195,7 @@ int	cnt, *dir;
 		*dir = 0;
 		if (!parseline(line, (ip_t *)buf, ifn, dir))
 #if 0
-			return sizeof(*ip) + sizeof(tcphdr_t);
+			return sizeof(ip_t) + sizeof(tcphdr_t);
 #else
 			return sizeof(ip_t);
 #endif

contrib/ipfilter/kmem.c

@@ -46,7 +46,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)kmem.c	1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $";
 #endif
 
 #ifdef	__sgi
@@ -55,7 +55,7 @@ typedef	int 	kvm_t;
 static	int	kvm_fd = -1;
 static	char	*kvm_errstr;
 
-kvm_t kvm_open(kernel, core, swap, mode, errstr)
+kvm_t *kvm_open(kernel, core, swap, mode, errstr)
 char *kernel, *core, *swap;
 int mode;
 char *errstr;
@@ -65,17 +65,18 @@ char *errstr;
 	if (core == NULL)
 		core = "/dev/kmem";
 	kvm_fd = open(core, mode);
-	return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL;
+	return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
 }
 
 int kvm_read(kvm, pos, buffer, size)
-kvm_t kvm;
+kvm_t *kvm;
 u_long pos;
 char *buffer;
 size_t size;
 {
-	int r, left;
+	size_t left;
 	char *bufp;
+	int r;
 
 	if (lseek(*kvm, pos, 0) == -1) {
 		fprintf(stderr, "%s", kvm_errstr);
@@ -97,13 +98,19 @@ static	kvm_t	*kvm_f = NULL;
 int	openkmem(kern, core)
 char	*kern, *core;
 {
+	union {
+		int ui;
+		kvm_t *uk;
+	} k;
+
 	kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
 	if (kvm_f == NULL)
 	    {
 		perror("openkmem:open");
 		return -1;
 	    }
-	return (int)kvm_f;
+	k.uk = kvm_f;
+	return k.ui;
 }
 
 int	kmemcpy(buf, pos, n)
@@ -120,7 +127,7 @@ register int	n;
 		if (openkmem(NULL, NULL) == -1)
 			return -1;
 
-	while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
+	while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
 		if (r <= 0)
 		    {
 			fprintf(stderr, "pos=0x%x ", (u_int)pos);
@@ -152,7 +159,7 @@ register int	n;
 
 	while (n > 0)
 	    {
-		r = kvm_read(kvm_f, pos, buf, 1);
+		r = kvm_read(kvm_f, pos, buf, (size_t)1);
 		if (r <= 0)
 		    {
 			fprintf(stderr, "pos=0x%x ", (u_int)pos);

contrib/ipfilter/man/ipnat.5

@@ -96,6 +96,15 @@ or as
 map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
 .fi
 .LP
+For even greater control, one may negate either of the "from" or "to" clauses
+with a preceding exclamation mark ("!").  Please note that one may not use a
+negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
+rule.  Such a rule might look like the following:
+.LP
+.nf
++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
+.fi
+.PP
 Only IP address and port numbers can be compared against.  This is available
 with all NAT rules.
 .SH TRANSLATION

contrib/ipfilter/parse.c

@@ -935,7 +935,6 @@ u_long optmsk, optbits;
 	u_short secmsk = sec[0], secbits = sec[1];
 	struct ipopt_names *io, *so;
 	char *s;
-	int secflag = 0;
 
 	s = " opt ";
 	for (io = ionames; io->on_name; io++)
@@ -947,8 +946,7 @@ u_long optmsk, optbits;
 				if (io->on_value == IPOPT_SECURITY)
 					io++;
 				s = ",";
-			} else
-				secflag = 1;
+			}
 		}
 
 

contrib/ipfilter/printnat.c

@@ -58,7 +58,7 @@ extern	char	*sys_errlist[];
 #endif
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $";
 #endif
 
 
@@ -242,9 +242,10 @@ int opts;
 				  0xffffffff),
 		hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
 				  NAT_TABLE_SZ),
-		printf("%s pr %u bkt %d/%d flags %x\n",
+		printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
 			getsumd(nat->nat_sumd[1]), nat->nat_p,
-			hv1, hv2, nat->nat_flags);
+			hv1, hv2, nat->nat_flags,
+			nat->nat_drop[0], nat->nat_drop[1]);
 		printf("\tifp %s ", getifname(nat->nat_ifp));
 #ifdef	USE_QUAD_T
 		printf("bytes %qu pkts %qu",

contrib/ipfilter/rules/example.9

@@ -4,7 +4,7 @@
 block in all
 pass in all with opt sec
 #
-# only allow packets in and out on le0 which are top secret
+# only allow packets in and out on le1 which are top secret
 #
 block out on le1 all
 pass out on le1 all with opt sec-class topsecret

contrib/ipfilter/test/expected/f13

@@ -9,6 +9,8 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
 --------
 block
 nomatch
@@ -21,6 +23,8 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
 --------
 nomatch
 nomatch
@@ -32,6 +36,8 @@ nomatch
 pass
 pass
 nomatch
+nomatch
+nomatch
 pass
 --------
 nomatch
@@ -44,6 +50,8 @@ nomatch
 block
 block
 nomatch
+nomatch
+nomatch
 block
 --------
 pass
@@ -57,6 +65,8 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
 --------
 block
 nomatch
@@ -69,4 +79,6 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
 --------

contrib/ipfilter/test/input/f13

@@ -29,15 +29,23 @@
 45 00 0018 0007 2000 3f 11 0000 01010101 02010101
 0035 0035
 
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
 45 00 001c 0008 2000 3f 11 0000 01010101 02010101
 0035003500040000
 
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short)
+# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short)
 45 00 0018 0008 2000 3f 11 0000 01010101 02010101
 00350036
 
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
+# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0
+45 00 001c 0008 2000 3f 11 0000 01010101 02010101
+0015003600040000
+
+# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0
+45 00 001c 0008 2000 3f 06 0000 01010101 02010101
+0015 0036 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1
 45 00 001c 0008 0001 3f 11 0000 01010101 02010101
 0000000000000000