From 0be1832174307c242b42db3dac9d7e762f0c693b Mon Sep 17 00:00:00 2001 From: Guido van Rooij Date: Wed, 16 Aug 2006 11:51:32 +0000 Subject: [PATCH 1/2] Import IP Filter 4.1.13 --- sys/contrib/ipfilter/netinet/IPFILTER.LICENCE | 57 ++--- sys/contrib/ipfilter/netinet/fil.c | 222 +++++++++--------- sys/contrib/ipfilter/netinet/ip_auth.c | 58 +++-- sys/contrib/ipfilter/netinet/ip_auth.h | 4 +- sys/contrib/ipfilter/netinet/ip_compat.h | 14 +- sys/contrib/ipfilter/netinet/ip_fil.h | 20 +- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 47 ++-- sys/contrib/ipfilter/netinet/ip_frag.c | 12 +- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 19 +- sys/contrib/ipfilter/netinet/ip_h323_pxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_log.c | 26 +- sys/contrib/ipfilter/netinet/ip_nat.c | 215 ++++++++--------- sys/contrib/ipfilter/netinet/ip_pptp_pxy.c | 18 +- sys/contrib/ipfilter/netinet/ip_proxy.c | 25 +- sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_scan.c | 11 +- sys/contrib/ipfilter/netinet/ip_state.c | 120 ++++++---- sys/contrib/ipfilter/netinet/ip_sync.c | 23 +- sys/contrib/ipfilter/netinet/ip_sync.h | 4 +- sys/contrib/ipfilter/netinet/ipl.h | 6 +- sys/contrib/ipfilter/netinet/mlfk_ipl.c | 62 ++++- 21 files changed, 563 insertions(+), 408 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/IPFILTER.LICENCE b/sys/contrib/ipfilter/netinet/IPFILTER.LICENCE index 2b4b67e86fd9..41c151ccdedb 100644 --- a/sys/contrib/ipfilter/netinet/IPFILTER.LICENCE +++ b/sys/contrib/ipfilter/netinet/IPFILTER.LICENCE 
@@ -1,28 +1,29 @@ -Copyright (C) 1993-2002 by Darren Reed. - -The author accepts no responsibility for the use of this software and -provides it on an ``as is'' basis without express or implied warranty. - -Redistribution and use, with or without modification, in source and binary -forms, are permitted provided that this notice is preserved in its entirety -and due credit is given to the original author and the contributors. - -The licence and distribution terms for any publically available version or -derivative of this code cannot be changed. i.e. this code cannot simply be -copied, in part or in whole, and put under another distribution licence -[including the GNU Public Licence.] - -THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -I hate legalese, don't you ? - +/* + * Copyright (C) 1993-2001 by Darren Reed. + * + * The author accepts no responsibility for the use of this software and + * provides it on an ``as is'' basis without express or implied warranty. + * + * Redistribution and use, with or without modification, in source and binary + * forms, are permitted provided that this notice is preserved in its entirety + * and due credit is given to the original author and the contributors. 
+ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied, in part or in whole, and put under another distribution licence + * [including the GNU Public Licence.] + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * I hate legalese, don't you ? + */ diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index c8c1b55074f4..8f911e6043c2 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -137,7 +137,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.70 2005/12/07 08:15:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp $"; #endif #ifndef _KERNEL 
@@ -145,12 +145,6 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.70 2005/12/07 08:15:16 dar # include "ipt.h" # include "bpf-ipf.h" extern int opts; - -# define FR_VERBOSE(verb_pr) verbose verb_pr -# define FR_DEBUG(verb_pr) debug verb_pr -#else /* #ifndef _KERNEL */ -# define FR_VERBOSE(verb_pr) -# define FR_DEBUG(verb_pr) #endif /* _KERNEL */ @@ -1972,24 +1966,23 @@ u_32_t pass; * it, except for increasing the hit counter. */ if ((passt & FR_CALLNOW) != 0) { + frentry_t *frs; + ATOMIC_INC64(fr->fr_hits); if ((fr->fr_func != NULL) && - (fr->fr_func != (ipfunc_t)-1)) { - frentry_t *frs; + (fr->fr_func == (ipfunc_t)-1)) + continue; - frs = fin->fin_fr; - fin->fin_fr = fr; - fr = (*fr->fr_func)(fin, &passt); - if (fr == NULL) { - fin->fin_fr = frs; - continue; - } - passt = fr->fr_flags; - fin->fin_fr = fr; - } - } else { + frs = fin->fin_fr; fin->fin_fr = fr; + fr = (*fr->fr_func)(fin, &passt); + if (fr == NULL) { + fin->fin_fr = frs; + continue; + } + passt = fr->fr_flags; } + fin->fin_fr = fr; #ifdef IPFILTER_LOG /* @@ -2021,18 +2014,20 @@ u_32_t pass; (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN); if (fr->fr_grp != NULL) { fin->fin_fr = *fr->fr_grp; - pass = fr_scanlist(fin, pass); + passt = fr_scanlist(fin, pass); if (fin->fin_fr == NULL) { fin->fin_rule = rulen; (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN); fin->fin_fr = fr; + passt = pass; } if (fin->fin_flx & FI_DONTCACHE) logged = 1; + pass = passt; } - if (pass & FR_QUICK) { + if (passt & FR_QUICK) { /* * Finally, if we've asked to track state for this * packet, set it up. Add state for "quick" rules @@ -2044,6 +2039,7 @@ u_32_t pass; !(fin->fin_flx & FI_STATE)) { int out = fin->fin_out; + fin->fin_fr = fr; if (fr_addstate(fin, NULL, 0) != NULL) { ATOMIC_INCL(frstats[out].fr_ads); } else { 
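Review bot: The rewritten FR_CALLNOW guard in the -1972 hunk no longer skips rules whose fr_func is NULL: `(fr->fr_func != NULL) && (fr->fr_func == (ipfunc_t)-1)` reduces to `fr->fr_func == (ipfunc_t)-1`, so a rule with a NULL fr_func falls through to `fr = (*fr->fr_func)(fin, &passt);` and calls a null function pointer, which the old `!= NULL && != -1` test explicitly avoided. Unless every rule carrying FR_CALLNOW is guaranteed a non-NULL fr_func when it is loaded, the test should be `if ((fr->fr_func == NULL) || (fr->fr_func == (ipfunc_t)-1)) continue;`. A null call inside the packet path is a kernel crash reachable from a malformed ruleset, so the one-token fix is worth it even if the invariant currently holds. The enclosing function (fr_scanlist) starts and ends outside the hunk.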
@@ -2193,7 +2189,8 @@ u_32_t *passp; if (FR_ISAUTH(pass)) { if (fr_newauth(fin->fin_m, fin) != 0) { #ifdef _KERNEL - fin->fin_m = *fin->fin_mp = NULL; + if ((pass & FR_RETMASK) == 0) + fin->fin_m = *fin->fin_mp = NULL; #else ; #endif @@ -2233,21 +2230,6 @@ u_32_t *passp; } } - /* - * Finally, if we've asked to track state for this packet, set it up. - */ - if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) { - if (fr_addstate(fin, NULL, 0) != NULL) { - ATOMIC_INCL(frstats[out].fr_ads); - } else { - ATOMIC_INCL(frstats[out].fr_bads); - if (FR_ISPASS(pass)) { - pass &= ~FR_CMDMASK; - pass |= FR_BLOCK; - } - } - } - fr = fin->fin_fr; if (passp != NULL) @@ -2313,8 +2295,6 @@ int out; #ifdef USE_INET6 ip6_t *ip6; #endif - SPL_INT(s); - /* * The first part of fr_check() deals with making sure that what goes * into the filtering engine makes some sense. Information about the @@ -2328,6 +2308,8 @@ int out; if ((u_int)ip & 0x3) return 2; +# else + SPL_INT(s); # endif READ_ENTER(&ipf_global); @@ -2493,6 +2475,23 @@ int out; if ((pass & FR_NOMATCH) || (fr == NULL)) fr = fr_firewall(fin, &pass); + /* + * If we've asked to track state for this packet, set it up. + * Here rather than fr_firewall because fr_checkauth may decide + * to return a packet for "keep state" + */ + if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) { + if (fr_addstate(fin, NULL, 0) != NULL) { + ATOMIC_INCL(frstats[out].fr_ads); + } else { + ATOMIC_INCL(frstats[out].fr_bads); + if (FR_ISPASS(pass)) { + pass &= ~FR_CMDMASK; + pass |= FR_BLOCK; + } + } + } + fin->fin_fr = fr; /* @@ -2547,7 +2546,7 @@ int out; RWLOCK_EXIT(&ipf_mutex); - if (pass & (FR_RETRST|FR_RETICMP)) { + if ((pass & FR_RETMASK) != 0) { /* * Should we return an ICMP packet to indicate error * status passing through the packet filter ? 
@@ -2573,6 +2572,14 @@ int out; ATOMIC_INCL(frstats[1].fr_ret); } } + + /* + * When using return-* with auth rules, the auth code + * takes over disposing of this packet. + */ + if (FR_ISAUTH(pass) && (fin->fin_m != NULL)) { + fin->fin_m = *fin->fin_mp = NULL; + } } else { if (pass & FR_RETRST) fin->fin_error = ECONNRESET; @@ -2786,10 +2793,10 @@ int len; /* */ /* Expects ip_len to be in host byte order when called. */ /* ------------------------------------------------------------------------ */ -u_short fr_cksum(m, ip, l4proto, l4hdr) +u_short fr_cksum(m, ip, l4proto, l4hdr, l3len) mb_t *m; ip_t *ip; -int l4proto; +int l4proto, l3len; void *l4hdr; { u_short *sp, slen, sumsave, l4hlen, *csump; @@ -2814,7 +2821,7 @@ void *l4hdr; if (IP_V(ip) == 4) { #endif hlen = IP_HL(ip) << 2; - slen = ip->ip_len - hlen; + slen = l3len - hlen; sum = htons((u_short)l4proto); sum += htons(slen); sp = (u_short *)&ip->ip_src; @@ -2826,9 +2833,9 @@ void *l4hdr; } else if (IP_V(ip) == 6) { ip6 = (ip6_t *)ip; hlen = sizeof(*ip6); - slen = ntohs(ip6->ip6_plen); + slen = ntohs(l3len); sum = htons((u_short)l4proto); - sum += htons(slen); + sum += slen; sp = (u_short *)&ip6->ip6_src; sum += *sp++; /* ip6_src */ sum += *sp++; @@ -3059,7 +3066,7 @@ void *l4hdr; * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.243.2.70 2005/12/07 08:15:16 darrenr Exp $ + * $Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -3472,7 +3479,7 @@ int proto, flags; char *memstr(src, dst, slen, dlen) const char *src; char *dst; -int slen, dlen; +size_t slen, dlen; { char *s = NULL; @@ -3760,13 +3767,7 @@ size_t size; caddr_t ca; int err; -# if SOLARIS - err = COPYIN(dst, (caddr_t)&ca, sizeof(ca)); - if (err != 0) - return err; -# else bcopy(dst, (caddr_t)&ca, sizeof(ca)); -# endif err = COPYOUT(src, ca, size); return err; } 
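Review bot: The two branches of fr_cksum interpret the new l3len parameter differently: the IPv4 branch (-2814 hunk) treats it as a host-order total length and subtracts the header, `slen = l3len - hlen; ... sum += htons(slen);`, while the IPv6 branch (-2826 hunk) treats it as a network-order value and adds it unchanged, `slen = ntohs(l3len); ... sum += slen;`, without subtracting hlen. The only caller in this diff (the fil.c -5573 hunk) passes `fin->fin_plen` for both versions, so unless fin_plen is deliberately stored in a different byte order and with a different meaning for v6, one branch produces a wrong pseudo-header length; applying ntohs() to an int also silently truncates it to 16 bits. If fin_plen is host order in both cases the v6 branch should mirror v4, `slen = l3len - hlen; sum = htons((u_short)l4proto); sum += htons(slen);`. A wrong pseudo-header length makes every IPv6 TCP/UDP checksum verification either fail or accept corrupted segments, so a check against a known-good IPv6 packet would settle it. fr_cksum continues outside the hunk.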
@@ -4886,7 +4887,7 @@ ipftq_t *ifq; ifq->ifq_next->ifq_pnext = ifq->ifq_pnext; MUTEX_DESTROY(&ifq->ifq_lock); - fr_userifqs--; + ATOMIC_DEC(fr_userifqs); KFREE(ifq); } @@ -4908,8 +4909,6 @@ ipftqent_t *tqe; ipftq_t *ifq; ifq = tqe->tqe_ifq; - if (ifq == NULL) - return; MUTEX_ENTER(&ifq->ifq_lock); @@ -4981,24 +4980,21 @@ ipftqent_t *tqe; tqe->tqe_die = fr_ticks + ifq->ifq_ttl; MUTEX_ENTER(&ifq->ifq_lock); - if (tqe->tqe_next == NULL) { /* at the end already ? */ - MUTEX_EXIT(&ifq->ifq_lock); - return; + if (tqe->tqe_next != NULL) { /* at the end already ? */ + /* + * Remove from list + */ + *tqe->tqe_pnext = tqe->tqe_next; + tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; + + /* + * Make it the last entry. + */ + tqe->tqe_next = NULL; + tqe->tqe_pnext = ifq->ifq_tail; + *ifq->ifq_tail = tqe; + ifq->ifq_tail = &tqe->tqe_next; } - - /* - * Remove from list - */ - *tqe->tqe_pnext = tqe->tqe_next; - tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; - - /* - * Make it the last entry. - */ - tqe->tqe_next = NULL; - tqe->tqe_pnext = ifq->ifq_tail; - *ifq->ifq_tail = tqe; - ifq->ifq_tail = &tqe->tqe_next; MUTEX_EXIT(&ifq->ifq_lock); } 
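Review bot: The -4908 hunk drops the `if (ifq == NULL) return;` guard, so the entry-deleting function whose parameter list `ipftqent_t *tqe;` heads the hunk now dereferences tqe->tqe_ifq unconditionally at `MUTEX_ENTER(&ifq->ifq_lock);`. The fr_movequeue rewrite in the following -5050 hunk still sets `tqe->tqe_ifq = NULL` and only reassigns it after dropping the old queue lock and taking the new one, so the diff itself shows a window in which tqe_ifq is NULL; whether an entry can be deleted during that window is not visible here. If the removal is safe because the caller serialises against fr_movequeue, a one-line comment at the dereference recording which lock guarantees tqe_ifq is set would make that reviewable; otherwise the guard should stay. The enclosing function continues outside the hunk.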
@@ -5050,46 +5046,44 @@ ipftq_t *oifq, *nifq; * Is the operation here going to be a no-op ? */ MUTEX_ENTER(&oifq->ifq_lock); - if (oifq == nifq && *oifq->ifq_tail == tqe) { - MUTEX_EXIT(&oifq->ifq_lock); - return; + if ((oifq != nifq) || (*oifq->ifq_tail != tqe)) { + /* + * Remove from the old queue + */ + *tqe->tqe_pnext = tqe->tqe_next; + if (tqe->tqe_next) + tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; + else + oifq->ifq_tail = tqe->tqe_pnext; + tqe->tqe_next = NULL; + + /* + * If we're moving from one queue to another, release the + * lock on the old queue and get a lock on the new queue. + * For user defined queues, if we're moving off it, call + * delete in case it can now be freed. + */ + if (oifq != nifq) { + tqe->tqe_ifq = NULL; + + (void) fr_deletetimeoutqueue(oifq); + + MUTEX_EXIT(&oifq->ifq_lock); + + MUTEX_ENTER(&nifq->ifq_lock); + + tqe->tqe_ifq = nifq; + nifq->ifq_ref++; + } + + /* + * Add to the bottom of the new queue + */ + tqe->tqe_die = fr_ticks + nifq->ifq_ttl; + tqe->tqe_pnext = nifq->ifq_tail; + *nifq->ifq_tail = tqe; + nifq->ifq_tail = &tqe->tqe_next; } - - /* - * Remove from the old queue - */ - *tqe->tqe_pnext = tqe->tqe_next; - if (tqe->tqe_next) - tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; - else - oifq->ifq_tail = tqe->tqe_pnext; - tqe->tqe_next = NULL; - - /* - * If we're moving from one queue to another, release the lock on the - * old queue and get a lock on the new queue. For user defined queues, - * if we're moving off it, call delete in case it can now be freed. - */ - if (oifq != nifq) { - tqe->tqe_ifq = NULL; - - (void) fr_deletetimeoutqueue(oifq); - - MUTEX_EXIT(&oifq->ifq_lock); - - MUTEX_ENTER(&nifq->ifq_lock); - - tqe->tqe_ifq = nifq; - nifq->ifq_ref++; - } - - /* - * Add to the bottom of the new queue - */ - tqe->tqe_die = fr_ticks + nifq->ifq_ttl; - tqe->tqe_pnext = nifq->ifq_tail; - *nifq->ifq_tail = tqe; - nifq->ifq_tail = &tqe->tqe_next; MUTEX_EXIT(&nifq->ifq_lock); } 
@@ -5573,7 +5567,7 @@ fr_info_t *fin; if (dosum) sum = fr_cksum(fin->fin_m, fin->fin_ip, - fin->fin_p, fin->fin_dp); + fin->fin_p, fin->fin_dp, fin->fin_plen); #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID) } #endif diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index b6f0844354bf..0f0c2ff8007d 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -117,12 +117,13 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.5 2005/06/12 07:18:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.13 2006/03/29 11:19:55 darrenr Exp $"; #endif -#if SOLARIS +#if SOLARIS && defined(_KERNEL) extern kcondvar_t ipfauthwait; +extern struct pollhead iplpollhead[IPL_LOGSIZE]; #endif /* SOLARIS */ #if defined(linux) && defined(_KERNEL) wait_queue_head_t fr_authnext_linux; @@ -317,7 +318,7 @@ fr_info_t *fin; fra = fr_auth + i; fra->fra_index = i; - fra->fra_pass = 0; + fra->fra_pass = fin->fin_fr->fr_flags; fra->fra_age = fr_defaultauthage; bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); #if !defined(sparc) && !defined(m68k) @@ -339,17 +340,15 @@ fr_info_t *fin; } #endif #if SOLARIS && defined(_KERNEL) + COPYIFNAME(fin->fin_ifp, fra->fra_info.fin_ifname); m->b_rptr -= qpi->qpi_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ + fra->fra_m = *fin->fin_mp; + fra->fra_info.fin_mp = &fra->fra_m; cv_signal(&ipfauthwait); + pollwakeup(&iplpollhead[IPL_LOGAUTH], POLLIN|POLLRDNORM); #else -# if defined(BSD) && !defined(sparc) && (BSD >= 199306) - if (!fin->fin_out) { - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); - } -# endif fr_authpkts[i] = m; WAKEUP(&fr_authnext,0); #endif 
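Review bot: `fra->fra_pass = fin->fin_fr->fr_flags;` in the ip_auth.c -317 hunk dereferences fin->fin_fr without a NULL check, where the old code stored a constant 0. fr_newauth is reached from the FR_ISAUTH(pass) branch in the fil.c -2193 hunk (apparently inside fr_firewall), and whether fin_fr is always set on that path is not visible in this diff; if an auth disposition can arise without a matched rule this is a null dereference in the packet path. If the invariant holds, a comment stating that FR_ISAUTH implies fin_fr is set would make the unguarded dereference reviewable; otherwise `fra->fra_pass = (fin->fin_fr != NULL) ? fin->fin_fr->fr_flags : 0;` keeps the old default. fr_newauth continues outside the hunk.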
@@ -362,15 +361,15 @@ caddr_t data; ioctlcmd_t cmd; int mode; { + frauth_t auth, *au = &auth, *fra; + int i, error = 0, len; + char *t; mb_t *m; #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \ (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000)) struct ifqueue *ifq; SPL_INT(s); #endif - frauth_t auth, *au = &auth, *fra; - int i, error = 0, len; - char *t; switch (cmd) { @@ -399,10 +398,14 @@ int mode; case SIOCAUTHW: fr_authioctlloop: error = fr_inobj(data, au, IPFOBJ_FRAUTH); + if (error != 0) + break; READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = fr_outobj(data, &fr_auth[fr_authnext], IPFOBJ_FRAUTH); + if (error != 0) + break; if (auth.fra_len != 0 && auth.fra_buf != NULL) { /* * Copy packet contents out to user space if @@ -416,11 +419,12 @@ int mode; for (t = auth.fra_buf; m && (len > 0); ) { i = MIN(M_LEN(m), len); error = copyoutptr(MTOD(m, char *), - t, i); + &t, i); len -= i; t += i; if (error != 0) break; + m = m->m_next; } } RWLOCK_EXIT(&ipf_auth); @@ -473,10 +477,8 @@ int mode; #endif MUTEX_EXIT(&ipf_authmx); READ_ENTER(&ipf_global); - if (error == 0) { - READ_ENTER(&ipf_auth); + if (error == 0) goto fr_authioctlloop; - } break; case SIOCAUTHR: @@ -487,6 +489,7 @@ int mode; WRITE_ENTER(&ipf_auth); i = au->fra_index; fra = fr_auth + i; + error = 0; if ((i < 0) || (i >= fr_authsize) || (fra->fra_info.fin_id != au->fra_info.fin_id)) { RWLOCK_EXIT(&ipf_auth); @@ -501,7 +504,11 @@ int mode; #ifdef _KERNEL if ((m != NULL) && (au->fra_info.fin_out != 0)) { # ifdef MENTAT - error = !putq(fra->fra_q, m); + error = ipf_inject(&fra->fra_info); + if (error != 0) { + FREE_MB_T(m); + error = ENOBUFS; + } # else /* MENTAT */ # if defined(linux) || defined(AIX) # else 
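Review bot: The new `if (error != 0) break;` after fr_outobj() in the -399 hunk leaves the switch while ipf_auth is still read-locked: READ_ENTER(&ipf_auth) is taken two lines earlier and the matching RWLOCK_EXIT(&ipf_auth) only follows the copy-out loop. A failed copyout, for example a bad user buffer handed to SIOCAUTHW, therefore leaks the auth lock to the ioctl caller and any later writer on ipf_auth will block; change it to `if (error != 0) { RWLOCK_EXIT(&ipf_auth); break; }`. The earlier `if (error != 0) break;` after fr_inobj() is fine because it runs before the lock is taken, and the -473 hunk correctly stops re-taking the lock before `goto fr_authioctlloop`. fr_auth_ioctl continues outside the hunk.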
@@ -521,7 +528,11 @@ int mode; fr_authstats.fas_sendok++; } else if (m) { # ifdef MENTAT - error = !putq(fra->fra_q, m); + error = ipf_inject(&fra->fra_info); + if (error != 0) { + FREE_MB_T(m); + error = ENOBUFS; + } # else /* MENTAT */ # if defined(linux) || defined(AIX) # else @@ -552,10 +563,6 @@ int mode; fr_authstats.fas_queok++; } else error = EINVAL; -# ifdef MENTAT - if (error != 0) - error = EINVAL; -# else /* MENTAT */ /* * If we experience an error which will result in the packet * not being processed, make sure we advance to the next one. @@ -579,7 +586,6 @@ int mode; } } } -# endif /* MENTAT */ #endif /* _KERNEL */ SPL_X(s); break; @@ -794,3 +800,9 @@ int fr_authflush() return num_flushed; } + + +int fr_auth_waiting() +{ + return (fr_authnext != fr_authend) && fr_authpkts[fr_authnext]; +} diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h index 389277827009..22c69b77c684 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.h +++ b/sys/contrib/ipfilter/netinet/ip_auth.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp $ + * $Id: ip_auth.h,v 2.16.2.2 2006/03/16 06:45:49 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ @@ -20,6 +20,7 @@ typedef struct frauth { char *fra_buf; #ifdef MENTAT queue_t *fra_q; + mb_t *fra_m; #endif } frauth_t; @@ -60,5 +61,6 @@ extern mb_t **fr_authpkts; extern int fr_newauth __P((mb_t *, fr_info_t *)); extern int fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **)); extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int fr_auth_waiting __P((void)); #endif /* __IP_AUTH_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index f48a98dbfda3..0a294cff58d8 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h 
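Review bot: fr_auth_waiting in the -794 hunk has no header comment, whereas the companion helper ipflog_canread added in ip_log.c carries the file's boxed Function/Returns/Parameters comment; the same block here should state that it returns non-zero when a packet is queued for the auth daemon and that it reads fr_authnext, fr_authend and fr_authpkts without taking ipf_auth, so the answer is advisory and may be stale by the time the caller acts on it. The new ip_auth.h prototype and the pollwakeup additions elsewhere in this diff suggest it is meant as a poll()/select() hint, for which a lockless read is presumably acceptable, but the comment should say so. The body itself is fine for that purpose.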
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.142.2.33 2005/12/04 23:40:17 darrenr Exp $ + * $Id: ip_compat.h,v 2.142.2.36 2006/03/26 05:50:29 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -441,6 +441,7 @@ extern void *get_unit __P((char *, int)); wakeup(id + x); \ spinunlock(_l); \ } +# define POLLWAKEUP(x) ; # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_IOSYS, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_IOSYS, M_NOWAIT) # define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) @@ -578,6 +579,7 @@ typedef struct { # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define SLEEP(id, n) sleep((id), PZERO+1) # define WAKEUP(id,x) wakeup(id+x) +# define POLLWAKEUP(x) ; # define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) # define KFREES(x,s) kmem_free((char *)(x), (s)) # define GETIFP(n,v) ifunit(n) @@ -659,6 +661,7 @@ typedef struct mbuf mb_t; # define GETIFP(n, v) ifunit(n) # define GET_MINOR getminor # define WAKEUP(id,x) wakeup(id + x) +# define POLLWAKEUP(x) ; # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) # define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) @@ -1029,6 +1032,7 @@ typedef u_int32_t u_32_t; # define KFREES(x,s) kmem_free((char *)(x), (s)) # define SLEEP(id, n) sleep((id), PZERO+1) # define WAKEUP(id,x) wakeup(id + x) +# define POLLWAKEUP(x) ; # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } @@ -1074,6 +1078,7 @@ struct ip6_ext { # define FREE_MB_T(m) kfree_skb(m) # define GETKTIME(x) do_gettimeofday((struct timeval *)x) # define SLEEP(x,s) 0, interruptible_sleep_on(x##_linux) +# define POLLWAKEUP(x) ; # define WAKEUP(x,y) wake_up(x##_linux + y) # define UIOMOVE(a,b,c,d) uiomove(a,b,c,d) # define USE_MUTEXES 
@@ -1265,6 +1270,7 @@ extern void* getifp __P((char *, int)); # define GET_MINOR minor # define SLEEP(id, n) sleepx((id), PZERO+1, 0) # define WAKEUP(id,x) wakeup(id) +# define POLLWAKEUP(x) ; # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) # define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) @@ -1429,6 +1435,7 @@ typedef struct mb_s { # define FREE_MB_T(x) # define SLEEP(x,y) 1; # define WAKEUP(x,y) ; +# define POLLWAKEUP(y) ; # define IPF_PANIC(x,y) ; # define PANIC(x,y) ; # define SPL_NET(x) ; @@ -1451,6 +1458,7 @@ typedef struct mb_s { # define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d) extern void m_copydata __P((mb_t *, int, int, caddr_t)); extern int ipfuiomove __P((caddr_t, int, int, struct uio *)); +extern int bcopywrap __P((void *, void *, size_t)); # ifndef CACHE_HASH # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) @@ -1529,6 +1537,9 @@ typedef struct ip6_hdr ip6_t; #endif #if defined(_KERNEL) +# ifdef BSD +extern struct selinfo ipfselwait[]; +# endif # ifdef MENTAT # define COPYDATA mb_copydata # define COPYBACK mb_copyback @@ -1578,6 +1589,7 @@ MALLOC_DECLARE(M_IPFILTER); # define UIOMOVE(a,b,c,d) uiomove(a,b,d) # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) # define WAKEUP(id,x) wakeup(id+x) +# define POLLWAKEUP(x) selwakeup(ipfselwait+x) # define GETIFP(n, v) ifunit(n) # endif /* (Free)BSD */ diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 45d5bb4734c8..5a13993d4168 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.170.2.23 2005/12/04 23:39:28 darrenr Exp $ + * $Id: ip_fil.h,v 2.170.2.29 2006/03/29 11:19:55 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
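Review bot: The FreeBSD POLLWAKEUP added in the -1578 hunk expands its argument unparenthesized, `selwakeup(ipfselwait+x)`, so a caller passing an expression of lower precedence than `+` (a conditional, say) would silently address the wrong selinfo. The uses added in this diff pass plain variables, and the adjacent WAKEUP has the same pre-existing shape, so it is a style point today, but `# define POLLWAKEUP(x) selwakeup(ipfselwait + (x))` costs nothing. The no-op variants on the other platforms expand to a bare `;`, matching the existing `WAKEUP(x,y) ;` convention, so they are consistent.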
@@ -305,6 +305,7 @@ typedef struct fr_info { #ifdef MENTAT mb_t *fin_qfm; /* pointer to mblk where pkt starts */ void *fin_qpi; + char fin_ifname[LIFNAMSIZ]; #endif #ifdef __sgi void *fin_hbuf; @@ -1133,6 +1134,17 @@ typedef struct ipftune { # endif #endif +#ifdef _KERNEL +# define FR_VERBOSE(verb_pr) +# define FR_DEBUG(verb_pr) +#else +extern void debug __P((char *, ...)); +extern void verbose __P((char *, ...)); +# define FR_VERBOSE(verb_pr) verbose verb_pr +# define FR_DEBUG(verb_pr) debug verb_pr +#endif + + #ifndef _KERNEL extern int fr_check __P((struct ip *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); @@ -1148,6 +1160,7 @@ extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int)); extern int iplopen __P((dev_t, int)); extern int iplclose __P((dev_t, int)); extern void m_freem __P((mb_t *)); +extern int bcopywrap __P((void *, void *, size_t)); #else /* #ifndef _KERNEL */ # if defined(__NetBSD__) && defined(PFIL_HOOKS) extern void ipfilterattach __P((int)); @@ -1259,7 +1272,7 @@ extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag; extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; extern ipfrwlock_t ipf_frcache; -extern char *memstr __P((const char *, char *, int, int)); +extern char *memstr __P((const char *, char *, size_t, size_t)); extern int count4bits __P((u_32_t)); extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int)); extern char *getifname __P((struct ifnet *)); @@ -1316,6 +1329,7 @@ extern void fr_delgroup __P((char *, minor_t, int)); extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***)); extern int fr_loginit __P((void)); +extern int ipflog_canread __P((int)); extern int ipflog_clear __P((minor_t)); extern int ipflog_read __P((minor_t, uio_t *)); extern int ipflog __P((fr_info_t *, u_int)); 
@@ -1324,7 +1338,7 @@ extern void fr_logunload __P((void)); extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *)); extern int fr_copytolog __P((int, char *, int)); -extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *)); +extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *, int)); extern void fr_deinitialise __P((void)); extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *)); extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *)); diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c index 760122e393b3..d361beaa5710 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.27 2005/08/20 13:48:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.32 2006/03/25 13:03:01 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) @@ -55,6 +55,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.27 2005/08/20 13 #endif #include #include +#include #include #if __FreeBSD_version >= 300000 @@ -131,6 +132,7 @@ int ipf_locks_done = 0; #if (__FreeBSD_version >= 300000) struct callout_handle fr_slowtimer_ch; #endif +struct selinfo ipfselwait[IPL_LOGSIZE]; #if (__FreeBSD_version >= 500011) # include @@ -300,6 +302,7 @@ int iplattach() fr_checkp = fr_check; } + bzero((char *)ipfselwait, sizeof(ipfselwait)); bzero((char *)frcache, sizeof(frcache)); fr_running = 1; @@ -476,9 +479,11 @@ int mode; } SPL_NET(s); + READ_ENTER(&ipf_global); error = fr_ioctlswitch(unit, data, cmd, mode); if (error != -1) { + RWLOCK_EXIT(&ipf_global); SPL_X(s); return error; } @@ -619,7 +624,10 @@ int mode; error = EINVAL; break; } + + RWLOCK_EXIT(&ipf_global); SPL_X(s); + return error; } 
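Review bot: The -476 and -619 hunks bracket fr_ioctlswitch and the following switch with READ_ENTER/RWLOCK_EXIT on ipf_global, but only the two exits shown release it; the switch body between the hunks is not in this diff, so any `return` inside it now leaks the read lock to the ioctl caller. It is worth a pass over the cases to confirm they all `break` to the common exit, plus a short comment at the READ_ENTER such as `/* held until the common exit below; cases must break, not return */` to keep it that way. iplioctl starts before the first of these hunks.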
@@ -742,14 +750,18 @@ dev_t dev; #endif register struct uio *uio; { + u_int xmin = GET_MINOR(dev); + + if (xmin < 0) + return ENXIO; # ifdef IPFILTER_SYNC - if (GET_MINOR(dev) == IPL_LOGSYNC) + if (xmin == IPL_LOGSYNC) return ipfsync_read(uio); # endif #ifdef IPFILTER_LOG - return ipflog_read(GET_MINOR(dev), uio); + return ipflog_read(xmin, uio); #else return ENXIO; #endif @@ -1155,6 +1167,8 @@ frdest_t *fdp; u_short ip_off; frentry_t *fr; + ro = NULL; + #ifdef M_WRITABLE /* * HOT FIX/KLUDGE: @@ -1168,15 +1182,15 @@ frdest_t *fdp; * problem. */ if (M_WRITABLE(m) == 0) { - if ((m0 = m_dup(m, M_DONTWAIT)) != 0) { + m0 = m_dup(m, M_DONTWAIT); + if (m0 != 0) { FREE_MB_T(m); m = m0; *mpp = m; } else { error = ENOBUFS; FREE_MB_T(m); - *mpp = NULL; - fr_frouteok[1]++; + goto done; } } #endif @@ -1218,18 +1232,8 @@ frdest_t *fdp; goto bad; } - /* - * In case we're here due to "to " being used with "keep state", - * check that we're going in the correct direction. - */ - if ((fr != NULL) && (fin->fin_rev != 0)) { - if ((ifp != NULL) && (fdp == &fr->fr_tif)) - return -1; - } - if (fdp != NULL) { - if (fdp->fd_ip.s_addr != 0) - dst->sin_addr = fdp->fd_ip; - } + if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0)) + dst->sin_addr = fdp->fd_ip; dst->sin_len = sizeof(*dst); rtalloc(ro); @@ -1346,6 +1350,7 @@ frdest_t *fdp; else mhip->ip_off |= IP_MF; mhip->ip_len = htons((u_short)(len + mhlen)); + *mnext = m; m->m_next = m_copy(m0, off, len); if (m->m_next == 0) { error = ENOBUFS; /* ??? */ @@ -1356,7 +1361,6 @@ frdest_t *fdp; mhip->ip_off = htons((u_short)mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); - *mnext = m; mnext = &m->m_act; } /* @@ -1385,7 +1389,7 @@ frdest_t *fdp; else fr_frouteok[1]++; - if (ro->ro_rt) { + if ((ro != NULL) && (ro->ro_rt != NULL)) { RTFREE(ro->ro_rt); } *mpp = NULL; 
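Review bot: `if (xmin < 0) return ENXIO;` in the -742 hunk can never be true because xmin is declared u_int, so the check is dead and compilers will warn about it, while the value passed on to ipflog_read(xmin, uio) and used as a unit index is still unbounded from this function's point of view. If the intent is to reject bogus minors, the useful test is the upper bound, `if (xmin >= IPL_LOGSIZE) return ENXIO;`, matching the size of the ipfselwait[] array added in the -131 hunk; if ipflog_read already validates its unit the check can simply go. iplread's declaration starts before the hunk.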
@@ -1488,6 +1492,9 @@ struct in_addr *inp, *inpmask; else if (atype == FRI_PEERADDR) sock = ifa->ifa_dstaddr; + if (sock == NULL) + return -1; + #ifdef USE_INET6 if (v == 6) { return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock, diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index db1a0afbd8db..18360cee09c6 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -100,7 +100,7 @@ extern struct timeout fr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.4 2005/08/20 13:48:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.5 2006/02/26 08:26:54 darrenr Exp $"; #endif @@ -224,6 +224,7 @@ ipfr_t *table[]; { ipfr_t *fra, frag; u_int idx, off; + frentry_t *fr; ip_t *ip; if (ipfr_inuse >= IPFT_SIZE) @@ -275,12 +276,9 @@ ipfr_t *table[]; return NULL; } - fra->ipfr_rule = fin->fin_fr; - if (fra->ipfr_rule != NULL) { - - frentry_t *fr; - - fr = fin->fin_fr; + fr = fin->fin_fr; + fra->ipfr_rule = fr; + if (fr != NULL) { MUTEX_ENTER(&fr->fr_lock); fr->fr_ref++; MUTEX_EXIT(&fr->fr_lock); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 860d75ecb80d..e72d6fec2280 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -6,7 +6,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.88.2.16 2005/12/04 23:39:27 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.88.2.19 2006/04/01 10:14:53 darrenr Exp $ */ #define IPF_FTP_PROXY 
@@ -366,7 +366,7 @@ int dlen; fi.fin_fi.fi_daddr = nat->nat_inip.s_addr; ip->ip_dst = nat->nat_inip; } - (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT); + (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) fr_statederef(&fi, (ipstate_t **)&fi.fin_state); } @@ -728,7 +728,7 @@ u_int data_ip; fi.fin_fi.fi_daddr = nat->nat_inip.s_addr; ip->ip_dst = nat->nat_inip; } - (void) fr_addstate(&fi, &nat2->nat_state, sflags); + (void) fr_addstate(&fi, NULL, sflags); if (fi.fin_state != NULL) fr_statederef(&fi, (ipstate_t **)&fi.fin_state); } @@ -1027,13 +1027,14 @@ int rv; if (ippr_ftp_debug > 4) printf("ippr_ftp_process: mlen %d\n", mlen); - if (mlen <= 0) { - if ((tcp->th_flags & TH_OPENING) == TH_OPENING) { - f->ftps_seq[0] = thseq + 1; - t->ftps_seq[0] = thack; - } + if ((mlen == 0) && ((tcp->th_flags & TH_OPENING) == TH_OPENING)) { + f->ftps_seq[0] = thseq + 1; + t->ftps_seq[0] = thack; + return 0; + } else if (mlen < 0) { return 0; } + aps = nat->nat_aps; sel = aps->aps_sel[1 - rv]; @@ -1423,7 +1424,7 @@ int dlen; ap += *s++ - '0'; } - if (!s) + if (!*s) return 0; if (*s == '|') diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c index 1933203e05cd..7fc62276c597 100644 --- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c @@ -1,5 +1,3 @@ -/* $FreeBSD$ */ - /* * Copyright 2001, QNX Software Systems Ltd. All Rights Reserved * @@ -248,7 +246,7 @@ nat_t *nat; tcp = (tcphdr_t *)fin->fin_dp; ipaddr = nat->nat_inip.s_addr; data = (caddr_t)tcp + (TCP_OFF(tcp) << 2); - datlen = ip->ip_len - fin->fin_hlen - (TCP_OFF(tcp) << 2); + datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { fr_info_t fi; nat_t *nat2; diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 6618c6d6d841..550855709d02 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c 
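Review bot: In the ippr_ftp_process hunk the rewritten condition changes what happens for `mlen == 0` without TH_OPENING: the removed code returned 0 for every `mlen <= 0`, while the new `} else if (mlen < 0) {` lets a zero-length segment fall through to `aps = nat->nat_aps; sel = aps->aps_sel[1 - rv];` and whatever follows. If processing empty segments is intended (for example to keep ftps_seq in step on pure ACKs), a comment above the condition should say so; if not, the branch should read `} else if (mlen <= 0) {`. The function continues past the end of the hunk, so the effect of an empty payload on the later parsing cannot be judged from here.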
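Review bot: In the ip_h323_pxy.c hunk `datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);` is computed from a header field taken off the wire and handed straight to `find_port(ipaddr, data, datlen, &off, &port)`; if the data offset exceeds fin_dlen the result is negative or, depending on how datlen is declared above the hunk, wraps to a large value. A guard before the call, `if ((TCP_OFF(tcp) << 2) > fin->fin_dlen) return 0;` or the equivalent early exit this function uses, would make the length trustworthy, unless fr_makefrip already rejects such segments before the proxy runs, which is not visible here.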
+++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.75.2.7 2005/06/11 07:47:44 darrenr Exp $ + * $Id: ip_log.c,v 2.75.2.11 2006/03/26 13:50:47 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) @@ -65,6 +65,10 @@ struct file; # include # endif # include +# include +# if __FreeBSD_version >= 500000 +# include +# endif #else # if !defined(__hpux) && defined(_KERNEL) # include @@ -145,6 +149,7 @@ wait_queue_head_t iplh_linux[IPL_LOGSIZE]; # endif # if SOLARIS extern kcondvar_t iplwait; +extern struct pollhead iplpollhead[IPL_LOGSIZE]; # endif iplog_t **iplh[IPL_LOGSIZE], *iplt[IPL_LOGSIZE], *ipll[IPL_LOGSIZE]; @@ -503,9 +508,11 @@ int *types, cnt; # if SOLARIS && defined(_KERNEL) cv_signal(&iplwait); MUTEX_EXIT(&ipl_mutex); + pollwakeup(&iplpollhead[dev], POLLRDNORM); # else MUTEX_EXIT(&ipl_mutex); - WAKEUP(iplh,dev); + WAKEUP(iplh, dev); + POLLWAKEUP(dev); # endif SPL_X(s); # ifdef IPL_SELECT @@ -663,4 +670,19 @@ minor_t unit; SPL_X(s); return used; } + + +/* ------------------------------------------------------------------------ */ +/* Function: ipflog_canread */ +/* Returns: int - 0 == no data to read, 1 = data present */ +/* Parameters: unit(I) - device we are reading from */ +/* */ +/* Returns an indication of whether or not there is data present in the */ +/* current buffer for the selected ipf device. */ +/* ------------------------------------------------------------------------ */ +int ipflog_canread(unit) +int unit; +{ + return iplt[unit] != NULL; +} #endif /* IPFILTER_LOG */ diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 30bba0787643..af73ebf03643 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c 
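Review bot: ipflog_canread indexes `iplt[unit]` with no range check on `unit` and without holding ipl_mutex, which the surrounding code takes when it touches the log lists (the `@@ -503` hunk exits it just before the new POLLWAKEUP). Its only visible caller, iplpoll in mlfk_ipl.c, checks the minor against IPL_LOGMAX first, so this is latent rather than live, but an exported function taking a bare int should defend itself: `if ((unit < 0) || (unit >= IPL_LOGSIZE)) return 0;` before the lookup. The unlocked read is acceptable for a poll hint only if a stale answer is harmless, so the header comment should state that the result is advisory, e.g. `/* Lock-free: advisory only, ipflog_read re-checks under ipl_mutex */`.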
@@ -107,7 +107,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.47 2005/11/14 17:13:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.56 2006/04/01 10:15:34 darrenr Exp $"; #endif @@ -191,7 +191,7 @@ static int nat_siocaddnat __P((ipnat_t *, ipnat_t **, int)); static void nat_siocdelnat __P((ipnat_t *, ipnat_t **, int)); static int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *, tcphdr_t *, nat_t **, int)); -static void nat_resolverule __P((ipnat_t *)); +static int nat_resolverule __P((ipnat_t *)); static nat_t *fr_natclone __P((fr_info_t *, nat_t *)); static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *)); static int nat_wildok __P((nat_t *, int, int, int, int)); @@ -865,11 +865,8 @@ int getlock; { int error = 0, i, j; - nat_resolverule(n); - if (n->in_plabel[0] != '\0') { - if (n->in_apr == NULL) - return ENOENT; - } + if (nat_resolverule(n) != 0) + return ENOENT; if ((n->in_age[0] == 0) && (n->in_age[1] != 0)) return EINVAL; @@ -994,7 +991,7 @@ int getlock; /* from information passed to the kernel, then add it to the appropriate */ /* NAT rule table(s). */ /* ------------------------------------------------------------------------ */ -static void nat_resolverule(n) +static int nat_resolverule(n) ipnat_t *n; { n->in_ifnames[0][LIFNAMSIZ - 1] = '\0'; @@ -1005,12 +1002,15 @@ ipnat_t *n; (void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ); n->in_ifps[1] = n->in_ifps[0]; } else { - n->in_ifps[1] = fr_resolvenic(n->in_ifnames[0], 4); + n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], 4); } if (n->in_plabel[0] != '\0') { n->in_apr = appr_lookup(n->in_p, n->in_plabel); + if (n->in_apr == NULL) + return -1; } + return 0; } 
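Review bot: nat_resolverule now reports a missing proxy with a bare `-1`, and its two callers translate that into different errors: nat_siocaddnat in the `@@ -865` hunk returns ENOENT, while fr_natputent (the `@@ -1338` hunk on the next line) returns ESRCH for the same failure, so an ioctl caller sees two errno values for one condition. Either one caller should change or nat_resolverule should return the errno itself, `return ENOENT;`, with both callers propagating it. The header comment cut off at the top of the `@@ -994` hunk should also document the new result, e.g. `/* Returns: int - 0 == success, -1 == proxy named by in_plabel not found */`. Only `in_ifnames[0]` is visibly NUL-terminated before the corrected `fr_resolvenic(n->in_ifnames[1], 4)` call; if `in_ifnames[1]` is terminated in the lines between the two hunks that is fine, otherwise it needs the same treatment.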
@@ -1338,23 +1338,31 @@ int getlock; ATOMIC_INC(nat_stats.ns_rules); - nat_resolverule(in); + if (nat_resolverule(in) != 0) { + error = ESRCH; + goto junkput; + } } /* * Check that the NAT entry doesn't already exist in the kernel. + * + * For NAT_OUTBOUND, we're lookup for a duplicate MAP entry. To do + * this, we check to see if the inbound combination of addresses and + * ports is already known. Similar logic is applied for NAT_INBOUND. + * */ bzero((char *)&fin, sizeof(fin)); fin.fin_p = nat->nat_p; + fin.fin_ifp = nat->nat_ifps[0]; if (nat->nat_dir == NAT_OUTBOUND) { fin.fin_data[0] = ntohs(nat->nat_oport); fin.fin_data[1] = ntohs(nat->nat_outport); - fin.fin_ifp = nat->nat_ifps[1]; if (getlock) { READ_ENTER(&ipf_nat); } - n = nat_inlookup(&fin, 0, fin.fin_p, nat->nat_oip, - nat->nat_inip); + n = nat_inlookup(&fin, nat->nat_flags, fin.fin_p, + nat->nat_oip, nat->nat_inip); if (getlock) { RWLOCK_EXIT(&ipf_nat); } @@ -1365,12 +1373,11 @@ int getlock; } else if (nat->nat_dir == NAT_INBOUND) { fin.fin_data[0] = ntohs(nat->nat_outport); fin.fin_data[1] = ntohs(nat->nat_oport); - fin.fin_ifp = nat->nat_ifps[0]; if (getlock) { READ_ENTER(&ipf_nat); } - n = nat_outlookup(&fin, 0, fin.fin_p, nat->nat_outip, - nat->nat_oip); + n = nat_outlookup(&fin, nat->nat_flags, fin.fin_p, + nat->nat_outip, nat->nat_oip); if (getlock) { RWLOCK_EXIT(&ipf_nat); } @@ -1435,6 +1442,12 @@ int getlock; fr->fr_ref = 1; (void) fr_outobj(data, ipnn, IPFOBJ_NATSAVE); bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr)); + + fr->fr_ref = 1; + fr->fr_dsize = 0; + fr->fr_data = NULL; + fr->fr_type = FR_T_NONE; + MUTEX_NUKE(&fr->fr_lock); MUTEX_INIT(&fr->fr_lock, "nat-filter rule lock"); } else { @@ -1574,6 +1587,9 @@ int logtype; MUTEX_EXIT(&ipf_nat_new); return; } + /* + * At this point, nat_ref can be either 0 or -1 + */ #ifdef IPFILTER_SYNC if (nat->nat_sync) 
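Review bot: In the `@@ -1435` hunk `fr->fr_ref = 1;` is assigned twice: the context line before `fr_outobj` sets it, `bcopy` then overwrites the whole structure from the user-supplied `ipnn->ipn_fr`, and the new block sets it again, so the first assignment is dead and should be dropped to make it obvious that the post-copy block is the one sanitising the rule. Clearing fr_dsize, fr_data and fr_type after the copy is the right thing to do for a structure that arrived from userland, since the kernel must not act on pointers or sizes the caller chose; a one-line comment such as `/* never trust pointers or sizes copied in from userland */` would record that intent for the next maintainer. The `junkput` label reached by the new `goto junkput;` in the first hunk lies outside the visible lines.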
@@ -2152,6 +2168,9 @@ natinfo_t *ni; /* structure for a "MAP" rule (outgoing NAT translation); (2) deal with */ /* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */ /* and (3) building that structure and putting it into the NAT table(s). */ +/* */ +/* NOTE: natsave should NOT be used top point back to an ipstate_t struct */ +/* as it can result in memory being corrupted. */ /* ------------------------------------------------------------------------ */ nat_t *nat_new(fin, np, natsave, flags, direction) fr_info_t *fin; @@ -2245,6 +2264,7 @@ int direction; natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { + KFREE(nat); nat = natl; goto done; } @@ -2262,6 +2282,7 @@ int direction; natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { + KFREE(nat); nat = natl; goto done; } @@ -2375,7 +2396,12 @@ int direction; np = ni->nai_np; - COPYIFNAME(fin->fin_ifp, nat->nat_ifnames[0]); + if (np->in_ifps[0] != NULL) { + COPYIFNAME(np->in_ifps[0], nat->nat_ifnames[0]); + } + if (np->in_ifps[1] != NULL) { + COPYIFNAME(np->in_ifps[1], nat->nat_ifnames[1]); + } #ifdef IPFILTER_SYNC if ((nat->nat_flags & SI_CLONE) == 0) nat->nat_sync = ipfsync_new(SMC_NAT, fin, nat); @@ -2383,7 +2409,8 @@ int direction; nat->nat_me = natsave; nat->nat_dir = direction; - nat->nat_ifps[0] = fin->fin_ifp; + nat->nat_ifps[0] = np->in_ifps[0]; + nat->nat_ifps[1] = np->in_ifps[1]; nat->nat_ptr = np; nat->nat_p = fin->fin_p; nat->nat_mssclamp = np->in_mssclamp; @@ -2470,7 +2497,7 @@ int rev; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; nat->nat_ifps[0] = fr_resolvenic(nat->nat_ifnames[0], 4); - if (nat->nat_ifnames[1][0] !='\0') { + if (nat->nat_ifnames[1][0] != '\0') { nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; nat->nat_ifps[1] = fr_resolvenic(nat->nat_ifnames[1], 4); } else { 
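Review bot: The new NOTE in the nat_new header comment has a typo: `natsave should NOT be used top point back` should read `to point back`. Since the same warning is added to fr_addstate in ip_state.c in this import, a cross-reference would help, e.g. `/* See the matching NOTE on fr_addstate() in ip_state.c. */`, so the two stay in step. The `KFREE(nat);` added before `nat = natl;` in the `@@ -2245` and `@@ -2282` hunks closes a leak on the duplicate-lookup path and needs no further change.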
@@ -2818,8 +2845,9 @@ int dir; * * Since the port fields are part of the TCP/UDP checksum * of the offending IP packet, you need to adjust that checksum - * as well... but, if you change, you must change the icmp - * checksum *again*, to reflect that change. + * as well... except that the change in the port numbers should + * be offset by the checksum change, so we only need to change + * the ICMP checksum if we only change the ports. * * To further complicate: the TCP checksum is not in the first * 8 bytes of the offending ip packet, so it most likely is not @@ -2854,21 +2882,14 @@ int dir; * The UDP checksum is optional, only adjust it if * it has been set. */ - if ((oip->ip_p == IPPROTO_UDP) && - (dlen >= 8) && (*csump != 0)) { + if (oip->ip_p == IPPROTO_UDP) { sumd = sum1 - sum2; - sumd2 += sumd; - sum1 = ntohs(*csump); - fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compenstate - * UDP checksum adjustment. - */ - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; + if ((dlen >= 8) && (*csump != 0)) { + fix_datacksum(csump, sumd); + } else { + sumd2 += sumd; + } } /* @@ -2877,20 +2898,10 @@ int dir; * the other direction compared to the ICMP message. */ if (oip->ip_p == IPPROTO_TCP) { + sumd = sum1 - sum2; + if (dlen >= 18) { - sumd = sum1 - sum2; - sumd2 += sumd; - - sum1 = ntohs(*csump); fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compensate - * TCP checksum adjustment. - */ - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; } else { sumd = sum2 - sum1 + 1; sumd2 += sumd; 
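Review bot: The UDP and TCP checksum-adjustment blocks in the `@@ -2882` and `@@ -2898` hunks are repeated almost verbatim in the `@@ -2921` and `@@ -2937` hunks on the next line of the same function; the rewrite would have been the moment to fold them into one static helper taking `oip`, `csump`, `dlen`, `sum1`, `sum2` and a pointer to `sumd2`, so that a future fix to one copy cannot miss the other. The new ordering `if ((dlen >= 8) && (*csump != 0))` correctly avoids reading `*csump` when fewer than 8 bytes of the embedded transport header are present. The enclosing function begins before the first hunk and ends after the last one.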
@@ -2910,21 +2921,14 @@ int dir; * The UDP checksum is optional, only adjust * it if it has been set. */ - if ((oip->ip_p == IPPROTO_UDP) && - (dlen >= 8) && (*csump != 0)) { + if (oip->ip_p == IPPROTO_UDP) { sumd = sum1 - sum2; - sumd2 += sumd; - sum1 = ntohs(*csump); - fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compensate - * UDP checksum adjustment. - */ - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; + if ((dlen >= 8) && (*csump != 0)) { + fix_datacksum(csump, sumd); + } else { + sumd2 += sumd; + } } /* @@ -2933,20 +2937,10 @@ int dir; * the other direction compared to the ICMP message. */ if (oip->ip_p == IPPROTO_TCP) { + sumd = sum1 - sum2; + if (dlen >= 18) { - sumd = sum1 - sum2; - sumd2 += sumd; - - sum1 = ntohs(*csump); fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compensate - * TCP checksum adjustment. - */ - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; } else { if (nat->nat_dir == NAT_INBOUND) sumd = sum2 - sum1; @@ -3039,10 +3033,7 @@ struct in_addr src , mapdst; void *ifp; u_int hv; - if (fin != NULL) - ifp = fin->fin_ifp; - else - ifp = NULL; + ifp = fin->fin_ifp; sport = 0; dport = 0; gre = NULL; @@ -3074,17 +3065,13 @@ struct in_addr src , mapdst; hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz); nat = nat_table[1][hv]; for (; nat; nat = nat->nat_hnext[1]) { - nflags = nat->nat_flags; + if (nat->nat_ifps[0] != NULL) { + if ((ifp != NULL) && (ifp != nat->nat_ifps[0])) + continue; + } else if (ifp != NULL) + nat->nat_ifps[0] = ifp; - if (ifp != NULL) { - if (nat->nat_dir == NAT_REDIRECT) { - if (ifp != nat->nat_ifps[0]) - continue; - } else { - if (ifp != nat->nat_ifps[1]) - continue; - } - } + nflags = nat->nat_flags; if (nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == dst && 
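Review bot: nat_inlookup's hash loop in the `@@ -3065` hunk now stores `nat->nat_ifps[0] = ifp;` into a table entry during what is otherwise a lookup, and the `@@ -3136`, `@@ -3307` and `@@ -3368` hunks on the next line do the same for `nat_ifps[0]` and `nat_ifps[1]`. The callers visible in fr_natputent (`@@ -1338`) surround these lookups with `READ_ENTER(&ipf_nat)` only, so if that is the whole protection, two concurrent lookups can race on the store; the lazy binding needs the write lock or an atomic store, or a comment such as `/* benign race: any ifp that matches is acceptable, first writer wins */` should justify leaving it. The removed `if (fin != NULL)` guard also means `ifp = fin->fin_ifp;` now dereferences `fin` unconditionally, which is fine for the callers visible here but should be stated in the header comment as a precondition.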
@@ -3149,15 +3136,11 @@ struct in_addr src , mapdst; nat = nat_table[1][hv]; for (; nat; nat = nat->nat_hnext[1]) { - if (ifp != NULL) { - if (nat->nat_dir == NAT_REDIRECT) { - if (ifp != nat->nat_ifps[0]) - continue; - } else { - if (ifp != nat->nat_ifps[1]) - continue; - } - } + if (nat->nat_ifps[0] != NULL) { + if ((ifp != NULL) && (ifp != nat->nat_ifps[0])) + continue; + } else if (ifp != NULL) + nat->nat_ifps[0] = ifp; if (nat->nat_p != fin->fin_p) continue; @@ -3324,17 +3307,13 @@ struct in_addr src , dst; hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz); nat = nat_table[0][hv]; for (; nat; nat = nat->nat_hnext[0]) { - nflags = nat->nat_flags; + if (nat->nat_ifps[1] != NULL) { + if ((ifp != NULL) && (ifp != nat->nat_ifps[1])) + continue; + } else if (ifp != NULL) + nat->nat_ifps[1] = ifp; - if (ifp != NULL) { - if (nat->nat_dir == NAT_REDIRECT) { - if (ifp != nat->nat_ifps[1]) - continue; - } else { - if (ifp != nat->nat_ifps[0]) - continue; - } - } + nflags = nat->nat_flags; if (nat->nat_inip.s_addr == srcip && nat->nat_oip.s_addr == dst.s_addr && @@ -3389,15 +3368,11 @@ struct in_addr src , dst; nat = nat_table[0][hv]; for (; nat; nat = nat->nat_hnext[0]) { - if (ifp != NULL) { - if (nat->nat_dir == NAT_REDIRECT) { - if (ifp != nat->nat_ifps[1]) - continue; - } else { - if (ifp != nat->nat_ifps[0]) - continue; - } - } + if (nat->nat_ifps[1] != NULL) { + if ((ifp != NULL) && (ifp != nat->nat_ifps[1])) + continue; + } else if (ifp != NULL) + nat->nat_ifps[1] = ifp; if (nat->nat_p != fin->fin_p) continue; 
@@ -3446,6 +3421,16 @@ struct in_addr src , dst; /* entry for. */ /* */ /* Lookup the NAT tables to search for a matching redirect */ +/* The contents of natlookup_t should imitate those found in a packet that */ +/* would be translated - ie a packet coming in for RDR or going out for MAP.*/ +/* We can do the lookup in one of two ways, imitating an inbound or */ +/* outbound packet. By default we assume outbound, unless IPN_IN is set. */ +/* For IN, the fields are set as follows: */ +/* nl_real* = source information */ +/* nl_out* = destination information (translated) */ +/* For an out packet, the fields are set like this: */ +/* nl_in* = source information (untranslated) */ +/* nl_out* = destination information (translated) */ /* ------------------------------------------------------------------------ */ nat_t *nat_lookupredir(np) natlookup_t *np; @@ -3707,7 +3692,7 @@ u_32_t *passp; hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz); for (np = nat_rules[hv]; np; np = np->in_mnext) { - if ((np->in_ifps[0] && (np->in_ifps[0] != ifp))) + if ((np->in_ifps[1] && (np->in_ifps[1] != ifp))) continue; if (np->in_v != fin->fin_v) continue; @@ -4346,8 +4331,8 @@ void fr_natexpire() { ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; - SPL_INT(s); int i; + SPL_INT(s); SPL_NET(s); WRITE_ENTER(&ipf_nat); diff --git a/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c b/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c index 0047e1032acf..2ef2e17dc5dc 100644 --- a/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c @@ -4,7 +4,7 @@ * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_pptp_pxy.c,v 2.10.2.11 2005/12/04 23:39:27 darrenr Exp $ + * $Id: ip_pptp_pxy.c,v 2.10.2.13 2006/03/17 10:40:05 darrenr Exp $ * */ #define IPF_PPTP_PROXY 
@@ -93,7 +93,8 @@ nat_t *nat; if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip, ip->ip_dst) != NULL) { if (ippr_pptp_debug > 0) - printf("ippr_pptp_new: GRE session already exists\n"); + printf("ippr_pptp_new: GRE session %s\n", + "already exists"); return -1; } @@ -101,7 +102,8 @@ nat_t *nat; KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp)); if (aps->aps_data == NULL) { if (ippr_pptp_debug > 0) - printf("ippr_pptp_new: malloc for aps_data failed\n"); + printf("ippr_pptp_new: malloc for aps_data %s\n", + "failed"); return -1; } @@ -208,10 +210,12 @@ pptp_pxy_t *pptp; RWLOCK_EXIT(&ipf_state); } else { RWLOCK_EXIT(&ipf_state); - if (nat->nat_dir == NAT_INBOUND) - fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr; - else - fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr; + if (nat2 != NULL) { + if (nat->nat_dir == NAT_INBOUND) + fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr; + else + fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr; + } fi.fin_ifp = NULL; pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state, 0); diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 60b6ac04af21..8fdd98cc3984 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -103,7 +103,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.14 2005/06/18 02:41:33 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.16 2006/03/29 11:19:56 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); @@ -323,8 +323,7 @@ int mode; if (error == 0) error = appr_ctl(&ctl); - if ((ctl.apc_dsize > 0) && (ptr != NULL) && - (ctl.apc_data == ptr)) { + if (ptr != NULL) { KFREES(ptr, ctl.apc_dsize); } break; 
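Review bot: The new `if (nat2 != NULL)` guard in the `@@ -208` hunk removes a NULL dereference, but the context line right after it still passes `&pptp->pptp_state` as the stsave argument to fr_addstate, whereas this same import changes the ftp and rcmd proxies to pass NULL and adds a NOTE to fr_addstate in ip_state.c that stsave must point at an object that outlives the state or derefs it on deletion. Whether pptp_pxy_t meets that requirement (it is freed from aps_data outside this hunk) is not visible here; if it does, a comment at the call such as `/* pptp_state is cleared when the proxy session is deleted, so is_me may point here */` records why this caller is exempt, and if it does not, the call should pass NULL like the others. The enclosing function starts before the hunk.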
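Review bot: The simplified condition `if (ptr != NULL) KFREES(ptr, ctl.apc_dsize);` in the ip_proxy.c `@@ -323` hunk frees `ptr` with whatever `ctl.apc_dsize` holds after `appr_ctl(&ctl)`, whereas the removed test also required `ctl.apc_data == ptr`, i.e. that the control block had not been rewritten by the call. If appr_ctl or a proxy's control handler can modify apc_dsize or apc_data (the allocation and the handler are above this hunk), the size passed to KFREES no longer matches the allocation; saving the size at allocation time, `size_t dsize = ctl.apc_dsize;` before the call and `KFREES(ptr, dsize);` after it, removes the dependency on the callee.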
@@ -563,8 +562,8 @@ nat_t *nat; if (err != 0) { short adjlen = err & 0xffff; - s1 = LONG_SUM(ip->ip_len - adjlen); - s2 = LONG_SUM(ip->ip_len); + s1 = LONG_SUM(fin->fin_plen - adjlen); + s2 = LONG_SUM(fin->fin_plen); CALC_SUMD(s1, s2, sd); fix_outcksum(fin, &ip->ip_sum, sd); } @@ -584,19 +583,23 @@ nat_t *nat; #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) if (dosum) tcp->th_sum = fr_cksum(fin->fin_qfm, ip, - IPPROTO_TCP, tcp); + IPPROTO_TCP, tcp, + fin->fin_plen); #else tcp->th_sum = fr_cksum(fin->fin_m, ip, - IPPROTO_TCP, tcp); + IPPROTO_TCP, tcp, + fin->fin_plen); #endif } else if ((udp != NULL) && (udp->uh_sum != 0)) { #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) if (dosum) udp->uh_sum = fr_cksum(fin->fin_qfm, ip, - IPPROTO_UDP, udp); + IPPROTO_UDP, udp, + fin->fin_plen); #else udp->uh_sum = fr_cksum(fin->fin_m, ip, - IPPROTO_UDP, udp); + IPPROTO_UDP, udp, + fin->fin_plen); #endif } aps->aps_bytes += fin->fin_plen; @@ -687,9 +690,9 @@ int inc; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; /* - * ip_len has already been adjusted by 'inc'. + * fin->fin_plen has already been adjusted by 'inc'. */ - nlen = ip->ip_len; + nlen = fin->fin_plen; nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2); inc2 = inc; diff --git a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c index 1782064ed0a2..c93207e006e1 100644 --- a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_rcmd_pxy.c,v 1.41.2.5 2005/10/02 04:20:07 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.41.2.6 2006/04/01 10:14:54 darrenr Exp $ * * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. 
@@ -202,7 +202,7 @@ nat_t *nat; fi.fin_fi.fi_daddr = nat->nat_inip.s_addr; ip->ip_dst = nat->nat_inip; } - (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT); + (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) fr_statederef(&fi, (ipstate_t **)&fi.fin_state); } diff --git a/sys/contrib/ipfilter/netinet/ip_scan.c b/sys/contrib/ipfilter/netinet/ip_scan.c index 73977c7d224e..13a5a60210e1 100644 --- a/sys/contrib/ipfilter/netinet/ip_scan.c +++ b/sys/contrib/ipfilter/netinet/ip_scan.c @@ -58,7 +58,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.4 2005/08/20 13:48:24 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.6 2006/03/26 23:06:49 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ @@ -84,18 +84,23 @@ int ipsc_matchstr __P((sinfo_t *, char *, int)); int ipsc_matchisc __P((ipscan_t *, ipstate_t *, int, int, int *)); int ipsc_match __P((ipstate_t *)); +static int ipsc_inited = 0; int ipsc_init() { RWLOCK_INIT(&ipsc_rwlock, "ip scan rwlock"); + ipsc_inited = 1; return 0; } void fr_scanunload() { - RW_DESTROY(&ipsc_rwlock); + if (ipsc_inited == 1) { + RW_DESTROY(&ipsc_rwlock); + ipsc_inited = 0; + } } @@ -431,6 +436,8 @@ ipstate_t *is; } if (k == 1) isc = lm; + if (isc == NULL) + return 0; /* * No matches or partial matches, so reset the respective diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index b0bf74245f2a..32aa80591ded 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c 
@@ -107,7 +107,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/12/04 22:25:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.41 2006/04/01 10:16:28 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; @@ -668,6 +668,7 @@ caddr_t data; fr->fr_ref = 0; fr->fr_dsize = 0; fr->fr_data = NULL; + fr->fr_type = FR_T_NONE; fr_resolvedest(&fr->fr_tif, fr->fr_v); fr_resolvedest(&fr->fr_dif, fr->fr_v); @@ -801,6 +802,11 @@ int rev; /* Inserts it into the state table and appends to the bottom of the active */ /* list. If the capacity of the table has reached the maximum allowed then */ /* the call will fail and a flush is scheduled for the next timeout call. */ +/* */ +/* NOTE: The use of stsave to point to nat_state will result in memory */ +/* corruption. It should only be used to point to objects that will */ +/* either outlive this (not expired) or will deref the ip_state_t */ +/* when they are deleted. */ /* ------------------------------------------------------------------------ */ ipstate_t *fr_addstate(fin, stsave, flags) fr_info_t *fin; 
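Review bot: The new NOTE above fr_addstate refers to `ip_state_t`, but the type in this file is `ipstate_t` (the function's own return type two lines below); the comment should use the real name so that a search for the warning finds it. It would also help to say which callers honour the rule, since this import switches the ftp and rcmd proxies to pass NULL for stsave while the pptp proxy still passes `&pptp->pptp_state`.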
@@ -823,28 +829,30 @@ u_int flags; if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN)) return NULL; - fr = fin->fin_fr; - if ((fr->fr_statemax == 0) && (ips_num == fr_statemax)) { - ATOMIC_INCL(ips_stats.iss_max); - fr_state_doflush = 1; - return NULL; - } - /* * If a "keep state" rule has reached the maximum number of references * to it, then schedule an automatic flush in case we can clear out - * some "dead old wood". + * some "dead old wood". Note that because the lock isn't held on + * fr it is possible that we could overflow. The cost of overflowing + * is being ignored here as the number by which it can overflow is + * a product of the number of simultaneous threads that could be + * executing in here, so a limit of 100 won't result in 200, but could + * result in 101 or 102. */ - MUTEX_ENTER(&fr->fr_lock); - if ((fr != NULL) && (fr->fr_statemax != 0) && - (fr->fr_statecnt >= fr->fr_statemax)) { - MUTEX_EXIT(&fr->fr_lock); - ATOMIC_INCL(ips_stats.iss_maxref); - fr_state_doflush = 1; - return NULL; + fr = fin->fin_fr; + if (fr != NULL) { + if ((ips_num == fr_statemax) && (fr->fr_statemax == 0)) { + ATOMIC_INCL(ips_stats.iss_max); + fr_state_doflush = 1; + return NULL; + } + if ((fr->fr_statemax != 0) && + (fr->fr_statecnt >= fr->fr_statemax)) { + ATOMIC_INCL(ips_stats.iss_maxref); + fr_state_doflush = 1; + return NULL; + } } - fr->fr_statecnt++; - MUTEX_EXIT(&fr->fr_lock); pass = (fr == NULL) ? 0 : fr->fr_flags; @@ -1046,16 +1054,16 @@ u_int flags; break; } if (is != NULL) - goto cantaddstate; + return NULL; if (ips_stats.iss_bucketlen[hv] >= fr_state_maxbucket) { ATOMIC_INCL(ips_stats.iss_bucketfull); - goto cantaddstate; + return NULL; } KMALLOC(is, ipstate_t *); if (is == NULL) { ATOMIC_INCL(ips_stats.iss_nomem); - goto cantaddstate; + return NULL; } bcopy((char *)&ips, (char *)is, sizeof(*is)); /* 
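Review bot: The rewritten limit check in fr_addstate runs only inside `if (fr != NULL)`, so the global table cap `ips_num == fr_statemax` is no longer enforced for a state created with `fin->fin_fr == NULL`, a case the code explicitly anticipates on the `pass = (fr == NULL) ? 0 : fr->fr_flags;` line; the per-bucket cap in the `@@ -1046` hunk still applies, but the overall memory bound is gone for those entries. The global test should be hoisted out of the rule check, e.g. `if ((ips_num == fr_statemax) && ((fr == NULL) || (fr->fr_statemax == 0))) {` followed by the existing iss_max, doflush and return lines. The new comment acknowledges that fr_statecnt is now read without fr_lock, which is fine as an approximation, but since both `fr->fr_statecnt++` and the `cantaddstate` decrement were removed from this function, the comment should name where the counter is now maintained, which is outside the visible lines.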
@@ -1140,6 +1148,7 @@ u_int flags; is->is_optmsk[0] &= ~0x8; is->is_optmsk[1] &= ~0x8; } + is->is_me = stsave; is->is_sec = fin->fin_secmsk; is->is_secmsk = 0xffff; is->is_auth = fin->fin_auth; @@ -1154,7 +1163,6 @@ u_int flags; is->is_pass &= ~(FR_LOGFIRST|FR_LOG); READ_ENTER(&ipf_state); - is->is_me = stsave; fr_stinsert(is, fin->fin_rev); @@ -1188,14 +1196,6 @@ u_int flags; (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE); return is; - -cantaddstate: - if (fr != NULL) { - MUTEX_ENTER(&fr->fr_lock); - fr->fr_statecnt--; - MUTEX_EXIT(&fr->fr_lock); - } - return NULL; } @@ -1455,18 +1455,6 @@ int flags; win = ntohs(tcp->th_win); else win = ntohs(tcp->th_win) << fdata->td_winscale; -#if 0 - /* - * XXX - This is a kludge is here because IPFilter doesn't track SACK - * options in TCP packets. This is not a trivial to do if one is to - * consider the performance impact of it. So instead, if the - * receiver has said SACK is ok, double the allowed window size. - * This is disabled for testing of another workaround for a problem - * with Microsoft Windows - see below. - */ - if ((tdata->td_winflags & TCP_SACK_PERMIT) != 0) - win *= 2; -#endif /* * A window of 0 produces undesirable behaviour from this function. 
@@ -1553,6 +1541,39 @@ int flags; (fdata->td_winflags & TCP_SACK_PERMIT) && (tdata->td_winflags & TCP_SACK_PERMIT)) { inseq = 1; + /* + * Sometimes a TCP RST will be generated with only the ACK field + * set to non-zero. + */ + } else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) && + (ackskew >= -1) && (ackskew <= 1)) { + inseq = 1; + } else if (!(flags & IS_TCPFSM)) { + int i; + + i = (fin->fin_rev << 1) + fin->fin_out; + +#if 0 + if (is_pkts[i]0 == 0) { + /* + * Picking up a connection in the middle, the "next" + * packet seen from a direction that is new should be + * accepted, even if it appears out of sequence. + */ + inseq = 1; + } else +#endif + if (!(fdata->td_winflags & + (TCP_WSCALE_SEEN|TCP_WSCALE_FIRST))) { + /* + * No TCPFSM and no window scaling, so make some + * extra guesses. + */ + if ((seq == fdata->td_maxend) && (ackskew == 0)) + inseq = 1; + else if (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) + inseq = 1; + } } if (inseq) { @@ -2339,7 +2360,8 @@ ipftq_t **ifqp; if ((is->is_p != pr) || (is->is_v != v)) continue; is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP); - if (is != NULL && + if ((is != NULL) && + (ic->icmp_id == is->is_icmp.ici_id) && fr_matchicmpqueryreply(v, &is->is_icmp, ic, fin->fin_rev)) { if (fin->fin_rev) @@ -2432,11 +2454,13 @@ ipftq_t **ifqp; break; } - if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) && - (is->is_tqehead[fin->fin_rev] != NULL)) - ifq = is->is_tqehead[fin->fin_rev]; - if (ifq != NULL && ifqp != NULL) - *ifqp = ifq; + if (is != NULL) { + if (((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) && + (is->is_tqehead[fin->fin_rev] != NULL)) + ifq = is->is_tqehead[fin->fin_rev]; + if (ifq != NULL && ifqp != NULL) + *ifqp = ifq; + } return is; } diff --git a/sys/contrib/ipfilter/netinet/ip_sync.c b/sys/contrib/ipfilter/netinet/ip_sync.c index 768d1c538e60..b5b811b7619c 100644 --- a/sys/contrib/ipfilter/netinet/ip_sync.c +++ b/sys/contrib/ipfilter/netinet/ip_sync.c 
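Review bot: In the `@@ -1553` hunk the new `else if (!(flags & IS_TCPFSM))` block declares and computes `int i` whose only use is inside `#if 0`, so with that block disabled `i` is an unused variable, and the disabled text contains `is_pkts[i]0`, which would not compile if the `#if 0` were ever flipped; either delete the dead block and `i` together or repair the expression before leaving it in. The new RST|ACK clause accepts a segment with `seq == 0` when ackskew is within ±1 of the expected value, which deliberately relaxes the sequence check for resets; a short comment noting that the tight ackskew bound is what keeps this acceptable would document the trade-off for the next reader. The enclosing function starts before this hunk.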
@@ -96,7 +96,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.5 2005/09/04 12:51:12 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.7 2006/03/19 14:59:39 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 @@ -702,7 +702,6 @@ int ipfsync_nat(sp, data) synchdr_t *sp; void *data; { - synclogent_t sle; syncupdent_t su; nat_t *n, *nat; synclist_t *sl; @@ -714,8 +713,6 @@ void *data; switch (sp->sm_cmd) { case SMC_CREATE : - bcopy(data, &sle, sizeof(sle)); - KMALLOC(n, nat_t *); if (n == NULL) { err = ENOMEM; @@ -729,9 +726,7 @@ void *data; break; } - WRITE_ENTER(&ipf_nat); - - nat = &sle.sle_un.sleu_ipn; + nat = (nat_t *)data; bzero((char *)n, offsetof(nat_t, nat_age)); bcopy((char *)&nat->nat_age, (char *)&n->nat_age, sizeof(*n) - offsetof(nat_t, nat_age)); @@ -741,6 +736,8 @@ void *data; sl->sl_idx = -1; sl->sl_ipn = n; sl->sl_num = ntohl(sp->sm_num); + + WRITE_ENTER(&ipf_nat); sl->sl_pnext = syncstatetab + hv; sl->sl_next = syncstatetab[hv]; if (syncstatetab[hv] != NULL) @@ -1005,4 +1002,16 @@ int mode; { return EINVAL; } + + +int ipfsync_canread() +{ + return !((sl_tail == sl_idx) && (su_tail == su_idx)); +} + + +int ipfsync_canwrite() +{ + return 1; +} #endif /* IPFILTER_SYNC */ diff --git a/sys/contrib/ipfilter/netinet/ip_sync.h b/sys/contrib/ipfilter/netinet/ip_sync.h index 8a62192dbfb0..76862f7534a1 100644 --- a/sys/contrib/ipfilter/netinet/ip_sync.h +++ b/sys/contrib/ipfilter/netinet/ip_sync.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp $ + * $Id: ip_sync.h,v 2.11.2.3 2006/03/19 14:59:39 darrenr Exp $ */ #ifndef __IP_SYNC_H__ 
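Review bot: In the `@@ -729` hunk ipfsync_nat now reads the incoming record directly through `nat = (nat_t *)data;`, where the removed code first copied it into a local `synclogent_t sle` and used `&sle.sle_un.sleu_ipn`. That is equivalent only if the caller now passes a pointer to the nat_t itself rather than to a synclogent_t, and only if `data` is aligned for nat_t; neither is visible here, so a comment at the cast, e.g. `/* data is the nat_t payload of the SMC_CREATE record, aligned by the caller */`, or a check in the caller, would pin the contract. The new ipfsync_canread compares sl_tail/sl_idx and su_tail/su_idx with no lock held; like the other *_canread helpers in this import its header should state that the answer is advisory and that ipfsync_read re-validates under the lock.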
@@ -111,5 +111,7 @@ extern int ipfsync_nat __P((synchdr_t *sp, void *data)); extern int ipfsync_state __P((synchdr_t *sp, void *data)); extern int ipfsync_read __P((struct uio *uio)); extern int ipfsync_write __P((struct uio *uio)); +extern int ipfsync_canread __P((void)); +extern int ipfsync_canwrite __P((void)); #endif /* IP_SYNC */ diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index ee9a9550b884..28b9e0cfdfe3 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -4,14 +4,14 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.52.2.11 2005/12/04 22:37:24 darrenr Exp $ + * $Id: ipl.h,v 2.52.2.14 2006/04/01 20:09:42 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v4.1.10" +#define IPL_VERSION "IP Filter: v4.1.13" -#define IPFILTER_VERSION 4011000 +#define IPFILTER_VERSION 4011300 #endif diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index 26a51aa69feb..e4c5ccb9e146 100644 --- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c @@ -12,6 +12,10 @@ #include #include #include +#include +#if __FreeBSD_version >= 500000 +# include +#endif #include #include #include @@ -24,6 +28,9 @@ #include #include #include +#include + +extern struct selinfo ipfselwait[IPL_LOGSIZE]; #if __FreeBSD_version >= 502116 static struct cdev *ipf_devs[IPL_LOGSIZE]; @@ -92,6 +99,10 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); #define CDEV_MAJOR 79 #if __FreeBSD_version >= 501000 +# include +# include +static int iplpoll(struct cdev *dev, int events, struct thread *td); + static struct cdevsw ipl_cdevsw = { # if __FreeBSD_version >= 502103 .d_version = D_VERSION, 
@@ -103,6 +114,7 @@ static struct cdevsw ipl_cdevsw = { .d_write = iplwrite, .d_ioctl = iplioctl, .d_name = "ipl", + .d_poll = iplpoll, # if __FreeBSD_version < 600000 .d_maj = CDEV_MAJOR, # endif @@ -114,7 +126,7 @@ static struct cdevsw ipl_cdevsw = { /* read */ iplread, /* write */ iplwrite, /* ioctl */ iplioctl, - /* poll */ nopoll, + /* poll */ iplpoll, /* mmap */ nommap, /* strategy */ nostrategy, /* name */ "ipl", @@ -270,3 +282,51 @@ sysctl_ipf_int ( SYSCTL_HANDLER_ARGS ) return (error); } #endif + + +#if __FreeBSD_version >= 501000 +static int +iplpoll(struct cdev *dev, int events, struct thread *td) +{ + u_int xmin = GET_MINOR(dev); + int revents; + + if (xmin < 0 || xmin > IPL_LOGMAX) + return 0; + + revents = 0; + + switch (xmin) + { + case IPL_LOGIPF : + case IPL_LOGNAT : + case IPL_LOGSTATE : +#ifdef IPFILTER_LOG + if ((events & (POLLIN | POLLRDNORM)) && ipflog_canread(xmin)) + revents |= events & (POLLIN | POLLRDNORM); +#endif + break; + case IPL_LOGAUTH : + if ((events & (POLLIN | POLLRDNORM)) && fr_auth_waiting()) + revents |= events & (POLLIN | POLLRDNORM); + break; + case IPL_LOGSYNC : +#ifdef IPFILTER_SYNC + if ((events & (POLLIN | POLLRDNORM)) && ipfsync_canread()) + revents |= events & (POLLIN | POLLRDNORM); + if ((events & (POLLOUT | POLLWRNORM)) && ipfsync_canwrite()) + revents |= events & (POLLOUT | POLLWRNORM); +#endif + break; + case IPL_LOGSCAN : + case IPL_LOGLOOKUP : + default : + break; + } + + if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0)) + selrecord(td, &ipfselwait[xmin]); + + return revents; +} +#endif From 4e39c44e098b5b1cd335a424201f3dec049c4f73 Mon Sep 17 00:00:00 2001 
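Review bot: The second `cdevsw` initializer now names `iplpoll` in its `/* poll */` slot, but `iplpoll` is declared (earlier hunk) and defined (final hunk) only under `#if __FreeBSD_version >= 501000`; if this positional initializer is the `#else` branch for older releases, as the two forms of `ipl_cdevsw` suggest, the reference is unresolved there, and the old-style `d_poll_t` takes a `dev_t`, not a `struct cdev *`. Either keep `/* poll */ nopoll,` in this branch or add a matching definition under the same version guard. The enclosing `#if`/`#else` is outside the hunk, so this is inferred from the two initializer styles.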
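Review bot: `xmin` is declared `u_int`, so `xmin < 0` in the range check is always false; the guard works only because a negative `GET_MINOR` result wraps to a large value that `> IPL_LOGMAX` rejects, and compilers flag the dead comparison. Write it as `if (xmin > IPL_LOGMAX) return 0;` with a comment such as `/* minor is unsigned here: a negative value has already wrapped past IPL_LOGMAX */`. `ipfselwait` is declared with `IPL_LOGSIZE` entries while the index is bounded by `IPL_LOGMAX`, so `selrecord(td, &ipfselwait[xmin])` is in bounds only if `IPL_LOGSIZE == IPL_LOGMAX + 1`; both macros live outside this file, so that relationship is worth confirming and noting on the `extern` declaration.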
From: Guido van Rooij Date: Wed, 16 Aug 2006 11:51:32 +0000 Subject: [PATCH 2/2] Import IP Filter 4.1.13 --- contrib/ipfilter/BSD/Makefile | 9 +- contrib/ipfilter/HISTORY | 82 ++++++++++++ contrib/ipfilter/Makefile | 5 +- contrib/ipfilter/bpf_filter.c | 135 ++++++++++++++----- contrib/ipfilter/ip_fil.c | 43 ++++++- contrib/ipfilter/ipf.h | 3 +- contrib/ipfilter/iplang/iplang_y.y | 4 +- contrib/ipfilter/ipmon.h | 3 +- contrib/ipfilter/ipsd/sbpf.c | 16 ++- contrib/ipfilter/ipsend/.OLD/ip_compat.h | 2 - contrib/ipfilter/ipsend/ipsend.c | 4 +- contrib/ipfilter/ipsend/iptests.c | 33 ++++- contrib/ipfilter/ipsend/lsock.c | 4 +- contrib/ipfilter/ipsend/resend.c | 7 +- contrib/ipfilter/ipsend/sbpf.c | 16 ++- contrib/ipfilter/ipsend/sock.c | 42 +++++- contrib/ipfilter/ipt.h | 2 +- contrib/ipfilter/lib/Makefile | 4 - contrib/ipfilter/lib/addicmp.c | 75 +---------- contrib/ipfilter/lib/facpri.c | 32 ++--- contrib/ipfilter/lib/getport.c | 27 ++++ contrib/ipfilter/lib/icmpcode.c | 27 +--- contrib/ipfilter/lib/ipft_tx.c | 35 +---- contrib/ipfilter/lib/optprint.c | 6 +- contrib/ipfilter/lib/printfr.c | 30 ++--- contrib/ipfilter/lib/printlog.c | 11 +- contrib/ipfilter/man/ipmon.8 | 7 +- contrib/ipfilter/radix.c | 2 +- contrib/ipfilter/samples/proxy.c | 1 - contrib/ipfilter/test/Makefile | 15 ++- contrib/ipfilter/test/expected/f20 | 3 + contrib/ipfilter/test/expected/i1 | 4 +- contrib/ipfilter/test/expected/i10 | 1 + contrib/ipfilter/test/expected/i11 | 3 +- contrib/ipfilter/test/expected/i18 | 3 +- contrib/ipfilter/test/expected/i5 | 4 + contrib/ipfilter/test/expected/i8 | 2 + contrib/ipfilter/test/expected/i9 | 7 +- contrib/ipfilter/test/expected/in2 | 2 +- contrib/ipfilter/test/expected/in5 | 3 +- contrib/ipfilter/test/expected/ni19 | 25 ++++ contrib/ipfilter/test/expected/ni20 | 25 ++++ contrib/ipfilter/test/expected/ni21 | 4 + contrib/ipfilter/test/input/f2 | 4 +- contrib/ipfilter/test/input/f20 | 2 + contrib/ipfilter/test/input/ni19 | 157 +++++++++++++++++++++++ 
contrib/ipfilter/test/input/ni20 | 157 +++++++++++++++++++++++ contrib/ipfilter/test/input/ni21 | 3 + contrib/ipfilter/test/regress/f20 | 4 + contrib/ipfilter/test/regress/i1 | 4 +- contrib/ipfilter/test/regress/i10 | 1 + contrib/ipfilter/test/regress/i11 | 3 +- contrib/ipfilter/test/regress/i15 | 1 - contrib/ipfilter/test/regress/i17 | 2 + contrib/ipfilter/test/regress/i18 | 3 +- contrib/ipfilter/test/regress/i5 | 4 + contrib/ipfilter/test/regress/i8 | 2 + contrib/ipfilter/test/regress/i9 | 7 +- contrib/ipfilter/test/regress/in2 | 2 +- contrib/ipfilter/test/regress/in5 | 3 +- contrib/ipfilter/test/regress/ni19.ipf | 3 + contrib/ipfilter/test/regress/ni19.nat | 1 + contrib/ipfilter/test/regress/ni20.ipf | 3 + contrib/ipfilter/test/regress/ni20.nat | 1 + contrib/ipfilter/test/regress/ni21.ipf | 1 + contrib/ipfilter/test/regress/ni21.nat | 1 + contrib/ipfilter/test/test.format | 4 + contrib/ipfilter/todo | 98 ++++++++++++++ contrib/ipfilter/tools/ipf.c | 4 +- contrib/ipfilter/tools/ipf_y.y | 59 ++++++--- contrib/ipfilter/tools/ipfcomp.c | 4 +- contrib/ipfilter/tools/ipfs.c | 55 +++++--- contrib/ipfilter/tools/ipfstat.c | 4 +- contrib/ipfilter/tools/ipftest.c | 6 +- contrib/ipfilter/tools/ipmon.c | 56 ++++---- contrib/ipfilter/tools/ipnat_y.y | 63 +++++++-- contrib/ipfilter/tools/ipsyncm.c | 9 +- contrib/ipfilter/tools/ipsyncs.c | 18 +-- contrib/ipfilter/tools/lexer.c | 2 + 79 files changed, 1160 insertions(+), 359 deletions(-) create mode 100644 contrib/ipfilter/test/expected/f20 create mode 100644 contrib/ipfilter/test/expected/ni19 create mode 100644 contrib/ipfilter/test/expected/ni20 create mode 100644 contrib/ipfilter/test/expected/ni21 create mode 100644 contrib/ipfilter/test/input/f20 create mode 100644 contrib/ipfilter/test/input/ni19 create mode 100644 contrib/ipfilter/test/input/ni20 create mode 100644 contrib/ipfilter/test/input/ni21 create mode 100644 contrib/ipfilter/test/regress/f20 create mode 100644 contrib/ipfilter/test/regress/ni19.ipf create mode 
100644 contrib/ipfilter/test/regress/ni19.nat create mode 100644 contrib/ipfilter/test/regress/ni20.ipf create mode 100644 contrib/ipfilter/test/regress/ni20.nat create mode 100644 contrib/ipfilter/test/regress/ni21.ipf create mode 100644 contrib/ipfilter/test/regress/ni21.nat create mode 100644 contrib/ipfilter/todo diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 9a2158bcf47a..1bce4f4d331f 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -3,12 +3,13 @@ # # See the IPFILTER.LICENCE file for details on licencing. # +TOP=../.. BINDEST=/usr/sbin SBINDEST=/sbin MANDIR=/usr/share/man SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i&1 | sed -n 's/.*devfs.*/-DDEVFS/p' CPU!=uname -m INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch -DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) +DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) -fno-builtin IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST VNODESHDIR=/sys/kern MLD=$(ML) @@ -516,8 +517,8 @@ install: (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP)) coverage: - ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -n > report - sort -n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += $$F[0]/100*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,$$t/$$lc*100;' >> report + ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -k 1n -k 3n > report + sort -k 1n -k 3n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += ($$F[0]/100)*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,($$t/$$lc)*100;' >> report clean-coverage: /bin/rm -f *.gcov *.da diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 32daed422bb3..996f883501f4 100644 
--- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -10,6 +10,88 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +4.1.13 - Released 4 April 2006 + +fix bug where null pointers introduced by proxies could cause a crash + +pass out the rule flags with SIOCAUTHW + +force loading NAT rules with bad proxy labels to cause an error + +nat_state is used unsafely in calls to fr_addstate + +make return-rst and return-icmp* work with auth rules + +4.1.12 - Released 28 March 2006 + +poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup + +make the fastroute code used by ipftest invoke state/NAT + +move verbose/debug macros out of fil.c and into ip_fil.h (for wider use) + +remove unused code in fr_fastroute + +fix NAT with rules that specify forward and reverise interfaces + +add missing ipfsync_canread() and ipfsync_canwrite() + +behaviour of \ on the end of a line in ipf.conf does not match older behaviour + +remove duplicate statistics line output with "ipfstat -s" +4.1.11 - Released 19 March 2006 + +Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org + +NetBSD coverity report fixes (from run 5) + +Possible to reacquire ipf_auth without releasing it in some circumstances + +Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be + +Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux + +Using auth rules to return "keep state" got broken with pushing fr_addstate +call into fr_firewall + +all use of '!' 
in map/rdr rules to match use in ipf configs + +add -L command line option to ipmon to set the default syslog facility + +looking up a port number is more complex than needed in ipft_tx.c + +allow lib/getport to work when neither tcp or udp are specified in a rule + +remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c + +program in some more cases where TCP packets fail an initial in-window +check but should be allowed to match + +filter rule added with NAT/state handling of SIOCSTPUT doesn't properly +initialise all fields, making it possible to panic + +simplify NAT ICMP error handling where it updates checksums + +rename "min" variables to "xmin" on NetBSD to avoid problems with the +macro "min" + +#ifdef's for NetBSD compile incorrect for pfil interface + +support select/poll on NetBSD + +copying out a packet with an auth rule fails (EFAULT) because the wrong +pointer is passed to copyoutptr + +ip_len/ip_off where byte swapped twice instead of once for packets +going to be stored on the auth queue + +change timeout queue manipulation functions to make fewer mutex calls + +fix use of skip rules with groups +fix coding problems discovered by the coverity project for FreeBSD + +update BPF program validation with FreeBSD changes + 4.1.10 - Released 6 December 2005 Expand regression testing to cover more features diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 59fb797a54ea..b5451c627565 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.76.2.18 2005/12/04 23:41:22 darrenr Exp $ +# $Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin 
@@ -134,6 +134,7 @@ all: @echo "freebsd3 - compile for FreeBSD-3.x" @echo "freebsd4 - compile for FreeBSD-4.x" @echo "freebsd5 - compile for FreeBSD-5.x" + @echo "freebsd6 - compile for FreeBSD-6.x" @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" @@ -186,7 +187,7 @@ freebsd22: include fi make freebsd20 -freebsd5: include +freebsd5 freebsd6: include if [ x$(INET6) = x ] ; then \ echo "#undef INET6" > opt_inet6.h; \ else \ diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c index c4ca42fc906f..6949b33cbe75 100644 --- a/contrib/ipfilter/bpf_filter.c +++ b/contrib/ipfilter/bpf_filter.c @@ -40,7 +40,7 @@ #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL)) static const char rcsid[] = - "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)"; + "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)"; #endif #include @@ -466,9 +466,10 @@ bpf_filter(pc, p, wirelen, buflen) /* * Return true if the 'fcode' is a valid filter program. * The constraints are that each jump be forward and to a valid - * code. The code must terminate with either an accept or reject. - * 'valid' is an array for use by the routine (it must be at least - * 'len' bytes long). + * code, that memory accesses are within valid ranges (to the + * extent that this can be checked statically; loads of packet + * data have to be, and are, also checked at run time), and that + * the code terminates with either an accept or reject. * * The kernel needs to be able to verify an application's filter code. * Otherwise, a bogus program could easily crash the system. 
@@ -478,38 +479,114 @@ bpf_validate(f, len) struct bpf_insn *f; int len; { - register int i; - register struct bpf_insn *p; + u_int i, from; + const struct bpf_insn *p; + + if (len == 0) + return 1; + + if (len < 1 || len > BPF_MAXINSNS) + return 0; for (i = 0; i < len; ++i) { - /* - * Check that that jumps are forward, and within - * the code block. - */ p = &f[i]; - if (BPF_CLASS(p->code) == BPF_JMP) { - register int from = i + 1; - - if (BPF_OP(p->code) == BPF_JA) { - if (from + p->k >= (unsigned)len) - return 0; - } - else if (from + p->jt >= len || from + p->jf >= len) - return 0; - } + switch (BPF_CLASS(p->code)) { /* * Check that memory operations use valid addresses. */ - if ((BPF_CLASS(p->code) == BPF_ST || - (BPF_CLASS(p->code) == BPF_LD && - (p->code & 0xe0) == BPF_MEM)) && - (p->k >= BPF_MEMWORDS || p->k < 0)) - return 0; - /* - * Check for constant division by 0. - */ - if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0) + case BPF_LD: + case BPF_LDX: + switch (BPF_MODE(p->code)) { + case BPF_IMM: + break; + case BPF_ABS: + case BPF_IND: + case BPF_MSH: + /* + * More strict check with actual packet length + * is done runtime. + */ +#if 0 + if (p->k >= bpf_maxbufsize) + return 0; +#endif + break; + case BPF_MEM: + if (p->k >= BPF_MEMWORDS) + return 0; + break; + case BPF_LEN: + break; + default: + return 0; + } + break; + case BPF_ST: + case BPF_STX: + if (p->k >= BPF_MEMWORDS) + return 0; + break; + case BPF_ALU: + switch (BPF_OP(p->code)) { + case BPF_ADD: + case BPF_SUB: + case BPF_OR: + case BPF_AND: + case BPF_LSH: + case BPF_RSH: + case BPF_NEG: + break; + case BPF_DIV: + /* + * Check for constant division by 0. + */ + if (BPF_RVAL(p->code) == BPF_K && p->k == 0) + return 0; + default: + return 0; + } + break; + case BPF_JMP: + /* + * Check that jumps are within the code block, + * and that unconditional branches don't go + * backwards as a result of an overflow. 
+ * Unconditional branches have a 32-bit offset, + * so they could overflow; we check to make + * sure they don't. Conditional branches have + * an 8-bit offset, and the from address is <= + * BPF_MAXINSNS, and we assume that BPF_MAXINSNS + * is sufficiently small that adding 255 to it + * won't overflow. + * + * We know that len is <= BPF_MAXINSNS, and we + * assume that BPF_MAXINSNS is < the maximum size + * of a u_int, so that i + 1 doesn't overflow. + */ + from = i + 1; + switch (BPF_OP(p->code)) { + case BPF_JA: + if (from + p->k < from || from + p->k >= len) + return 0; + break; + case BPF_JEQ: + case BPF_JGT: + case BPF_JGE: + case BPF_JSET: + if (from + p->jt >= len || from + p->jf >= len) + return 0; + break; + default: + return 0; + } + break; + case BPF_RET: + break; + case BPF_MISC: + break; + default: return 0; + } } return BPF_CLASS(f[len - 1].code) == BPF_RET; } diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 57425ec438b4..6934bbe092d5 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $"; #endif #ifndef SOLARIS @@ -136,7 +136,7 @@ struct rtentry; #include "md5.h" -#if !defined(__osf__) +#if !defined(__osf__) && !defined(__linux__) extern struct protosw inetsw[]; #endif 
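Review bot: In the new `BPF_ALU` arm, `case BPF_DIV:` has no `break;` after the constant-divide-by-zero test, so every division instruction falls into `default: return 0;` and the whole program is rejected — valid `BPF_DIV|BPF_X` and non-zero `BPF_DIV|BPF_K` filters can no longer be loaded. It fails closed, so it is not a safety hole, but it is a regression against the replaced code, which only rejected constant division by zero; add `break;` between the `return 0;` and `default:`. Separately, `if (len == 0) return 1;` declares an empty program valid before the `f[len - 1]` check is reached; if callers treat a zero-length program as "no filter" that is fine, but it should say so: `/* An empty program is valid and means "match everything". */`.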
@@ -716,13 +716,45 @@ frdest_t *fdp; { struct ifnet *ifp = fdp->fd_ifp; ip_t *ip = fin->fin_ip; + int error = 0; + frentry_t *fr; + void *sifp; if (!ifp) return 0; /* no routing table out here */ - ip->ip_len = htons((u_short)ip->ip_len); - ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); + fr = fin->fin_fr; ip->ip_sum = 0; + + if (fin->fin_out == 0) { + sifp = fin->fin_ifp; + fin->fin_ifp = ifp; + fin->fin_out = 1; + (void) fr_acctpkt(fin, NULL); + fin->fin_fr = NULL; + if (!fr || !(fr->fr_flags & FR_RETMASK)) { + u_32_t pass; + + (void) fr_checkstate(fin, &pass); + } + + switch (fr_checknatout(fin, NULL)) + { + case 0 : + break; + case 1 : + ip->ip_sum = 0; + break; + case -1 : + error = -1; + goto done; + break; + } + + fin->fin_ifp = sifp; + fin->fin_out = 0; + } + #if defined(__sgi) && (IRIX < 60500) (*ifp->if_output)(ifp, (void *)ip, NULL); # if TRU64 >= 1885 @@ -731,7 +763,8 @@ frdest_t *fdp; (*ifp->if_output)(ifp, (void *)m, NULL, 0); # endif #endif - return 0; +done: + return error; } diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 3cf0ffb06238..aef610f9a942 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $ + * $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $ */ #ifndef __IPF_H__ @@ -182,7 +182,6 @@ extern struct ipopt_names v6ionames[]; extern int addicmp __P((char ***, struct frentry *, int)); extern int addipopt __P((char *, struct ipopt_names *, int, char *)); extern int addkeep __P((char ***, struct frentry *, int)); -extern int bcopywrap __P((void *, void *, size_t)); extern void binprint __P((void *, size_t)); extern void initparse __P((void)); extern u_32_t buildopts __P((char *, char *, int)); diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 4d494fb44ebf..2b69e8852287 100644 
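Review bot: On the `case -1 :` path of the new `fr_checknatout` switch, `goto done` jumps past `fin->fin_ifp = sifp; fin->fin_out = 0;`, so the caller gets back an `fr_info_t` that still points at the destination interface and still claims the packet is outbound; the `break;` after the `goto` is unreachable as well. Replace `goto done;` with `break;`, then place `if (error != 0) return error;` immediately after the two restore assignments so every exit leaves `fin` as it was found. This is the userland (ipftest) copy of `fr_fastroute`, so the effect is on test output rather than the kernel; the function's signature is above the hunk and its tail is in the following hunk.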
--- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y @@ -4,7 +4,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: iplang_y.y,v 2.9.2.3 2005/10/17 17:25:04 darrenr Exp $ + * $Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $ */ #include @@ -1646,7 +1646,7 @@ void *ptr; for (sto = toipopts; sto->sto_st; sto++) if (sto->sto_st == state) break; - if (!sto || !sto->sto_st) { + if (!sto->sto_st) { fprintf(stderr, "No mapping for state %d to IP option\n", state); return; diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h index 765a6469540f..5c6f8c5a5f2a 100644 --- a/contrib/ipfilter/ipmon.h +++ b/contrib/ipfilter/ipmon.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $ + * $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $ */ @@ -92,3 +92,4 @@ extern int load_config __P((char *)); extern void dumphex __P((FILE *, int, char *, int)); extern int check_action __P((char *, char *, int, int)); extern char *getword __P((int)); +extern int fac_findname __P((char *)); diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c index 97bb4ce0ff3a..457891b78104 100644 --- a/contrib/ipfilter/ipsd/sbpf.c +++ b/contrib/ipfilter/ipsd/sbpf.c @@ -9,6 +9,9 @@ #include #include #include +#ifdef __NetBSD__ +# include +#endif #include #include #include @@ -121,8 +124,18 @@ int tout; struct bpf_version bv; struct timeval to; struct ifreq ifr; +#ifdef _PATH_BPF + char *bpfname = _PATH_BPF; + int fd; + + if ((fd = open(bpfname, O_RDWR)) < 0) + { + fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); + return -1; + } +#else char bpfname[16]; - int fd, i; + int fd = -1, i; for (i = 0; i < 16; i++) { @@ -135,6 +148,7 @@ int tout; fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); return -1; } +#endif if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 
diff --git a/contrib/ipfilter/ipsend/.OLD/ip_compat.h b/contrib/ipfilter/ipsend/.OLD/ip_compat.h index 3b62be1dff3e..c38fa59ed3c7 100644 --- a/contrib/ipfilter/ipsend/.OLD/ip_compat.h +++ b/contrib/ipfilter/ipsend/.OLD/ip_compat.h @@ -1,5 +1,3 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995 by Darren Reed. * diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index a3cc1dc22d5e..dcd897ccdda7 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -154,6 +154,8 @@ struct in_addr gwip; int wfd; wfd = initdevice(dev, 5); + if (wfd == -1) + return -1; return send_packet(wfd, mtu, ip, gwip); } diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index 434b010a50e9..9329c225354b 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -6,10 +6,18 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $"; #endif #include #include +#if defined(__NetBSD__) && defined(__vax__) +/* + * XXX need to declare boolean_t for _KERNEL + * which ends up including for vax. See PR#32907 + * for further details. + */ +typedef int boolean_t; +#endif #include #if !defined(__osf__) # define _KERNEL @@ -134,7 +142,10 @@ int ptest; u->uh_ulen = htons(sizeof(*u) + 4); ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen); len = ip->ip_len; + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* 
@@ -468,11 +479,14 @@ int ptest; int nfd; u_char *s; - s = (u_char *)(ip + 1); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; IP_HL_A(ip, 6); ip->ip_len = IP_HL(ip) << 2; + s = (u_char *)(ip + 1); s[IPOPT_OPTVAL] = IPOPT_NOP; s++; if (!ptest || (ptest == 1)) { @@ -572,7 +586,10 @@ int ptest; ip->ip_sum = 0; ip->ip_len = sizeof(*ip) + sizeof(*icp); icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2)); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -771,7 +788,10 @@ int ptest; u->uh_sport = htons(1); u->uh_dport = htons(1); u->uh_ulen = htons(sizeof(*u) + 4); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -934,7 +954,10 @@ int ptest; t->th_seq = htonl(1); t->th_ack = 0; ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -1279,6 +1302,9 @@ int ptest; u->uh_sum = 0; nfd = initdevice(dev, 1); + if (nfd == -1) + return; + u->uh_ulen = htons(7168); printf("6. Exhaustive mbuf test.\n"); @@ -1348,6 +1374,9 @@ int ptest; u_char *s; nfd = initdevice(dev, 1); + if (nfd == -1) + return; + pip = (ip_t *)tbuf; srand(time(NULL) ^ (getpid() * getppid())); diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c index 825495eab7db..7163ea7db5fd 100644 --- a/contrib/ipfilter/ipsend/lsock.c +++ b/contrib/ipfilter/ipsend/lsock.c @@ -6,7 +6,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -225,6 +225,8 @@ struct in_addr gwip; ti->ti_sport = lsin.sin_port; printf("sport %d\n", ntohs(lsin.sin_port)); nfd = initdevice(dev, 0); + if (nfd == -1) + return -1; if (!(s = find_tcp(fd, ti))) return -1; 
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index 9c782ac77d8d..b51ba0602a93 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -6,7 +6,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -79,6 +79,9 @@ char *datain; ip_t *ip; int fd, wfd = initdevice(dev, 5), len, i; + if (wfd == -1) + return -1; + if (datain) fd = (*r->r_open)(datain); else @@ -99,6 +102,7 @@ char *datain; if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1)) { perror("arp"); + free(eh); return -2; } @@ -135,5 +139,6 @@ char *datain; } } (*r->r_close)(); + free(eh); return 0; } diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c index 16a6e7ff7836..374b7ed6ad9b 100644 --- a/contrib/ipfilter/ipsend/sbpf.c +++ b/contrib/ipfilter/ipsend/sbpf.c @@ -36,6 +36,9 @@ #include #include #include +#ifdef __NetBSD__ +# include +#endif #include #include #include @@ -44,7 +47,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $"; #endif /* @@ -61,6 +64,16 @@ int tout; struct bpf_version bv; struct timeval to; struct ifreq ifr; +#ifdef _PATH_BPF + char *bpfname = _PATH_BPF; + int fd; + + if ((fd = open(bpfname, O_RDWR)) < 0) + { + fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); + return -1; + } +#else char bpfname[16]; int fd = 0, i; @@ -75,6 +88,7 @@ int tout; fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); return -1; } +#endif if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index 45e7a0d0e779..09d808d1ea44 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -6,12 +6,20 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $"; #endif #include #include #include #include +#if defined(__NetBSD__) && defined(__vax__) +/* + * XXX need to declare boolean_t for _KERNEL + * which ends up including for vax. See PR#32907 + * for further details. + */ +typedef int boolean_t; +#endif #ifndef ultrix #include #endif @@ -301,19 +309,25 @@ struct tcpiphdr *ti; } #endif + o = NULL; + f = NULL; + s = NULL; + i = NULL; + t = NULL; + o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1)); if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n", (u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o)); - return NULL; + goto finderror; } f = (struct file *)calloc(1, sizeof(*f)); if (KMCPY(f, o[tfd], sizeof(*f)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n", (u_long)o[tfd], (u_long)f, (u_long)sizeof(*f)); - return NULL; + goto finderror; } s = (struct socket *)calloc(1, sizeof(*s)); @@ -321,7 +335,7 @@ struct tcpiphdr *ti; { fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n", (u_long)f->f_data, (u_long)s, (u_long)sizeof(*s)); - return NULL; + goto finderror; } i = (struct inpcb *)calloc(1, sizeof(*i)); @@ -329,7 +343,7 @@ struct tcpiphdr *ti; { fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n", (u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i)); - return NULL; + goto finderror; } t = (struct tcpcb *)calloc(1, sizeof(*t)); 
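Review bot: The five `calloc` results in this hunk (`o`, `f`, `s`, `i`, `t`) are still handed to `KMCPY` without a NULL check, so an allocation failure becomes a write through a null pointer — and `o[tfd]` is dereferenced right after the first copy — instead of a clean failure. Now that a `finderror` cleanup label exists, `if (o == NULL) goto finderror;` after each allocation costs one line apiece and keeps the new error handling consistent. The function's signature is above the hunk.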
@@ -337,9 +351,22 @@ struct tcpiphdr *ti; { fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n", (u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t)); - return NULL; + goto finderror; } return (struct tcpcb *)i->inp_ppcb; + +finderror: + if (o != NULL) + free(o); + if (f != NULL) + free(f); + if (s != NULL) + free(s); + if (i != NULL) + free(i); + if (t != NULL) + free(t); + return NULL; } #endif /* BSD < 199301 */ @@ -381,7 +408,10 @@ struct in_addr gwip; (void) getsockname(fd, (struct sockaddr *)&lsin, &len); ti->ti_sport = lsin.sin_port; printf("sport %d\n", ntohs(lsin.sin_port)); + nfd = initdevice(dev, 1); + if (nfd == -1) + return -1; if (!(t = find_tcp(fd, ti))) return -1; diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h index 938e40041e95..43b9a6d1c68f 100644 --- a/contrib/ipfilter/ipt.h +++ b/contrib/ipfilter/ipt.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp $ + * $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $ */ #ifndef __IPT_H__ diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile index a6e9cc47842d..3dcf3a16b66e 100644 --- a/contrib/ipfilter/lib/Makefile +++ b/contrib/ipfilter/lib/Makefile @@ -2,7 +2,6 @@ INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/addipopt.o \ - $(DEST)/addkeep.o \ $(DEST)/bcopywrap.o \ $(DEST)/binprint.o \ $(DEST)/buildopts.o \ @@ -47,7 +46,6 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/load_pool.o \ $(DEST)/load_poolnode.o \ $(DEST)/loglevel.o \ - $(DEST)/make_range.o \ $(DEST)/mutex_emul.o \ $(DEST)/nametokva.o \ $(DEST)/nat_setgroupmap.o \ 
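Review bot: The cleanup added under `finderror` runs only on the failure paths; the success path `return (struct tcpcb *)i->inp_ppcb;` still leaks all five `calloc` buffers (`o`, `f`, `s`, `i`, `t`), because the value returned is the kernel address read out of `i`, not one of the local copies. Capture that address into a local, fall through into the cleanup, and return it; `free(NULL)` is a no-op, so the `if (x != NULL)` guards can go too. ipsend is a short-lived tool, so the leak is mostly cosmetic, but the asymmetric cleanup will mislead the next reader. The new local (`struct tcpcb *rval = NULL;`) belongs with the declarations above the hunk.
```c
	/* … unchanged: KMCPY of o, f, s, i and t, each failure -> goto finderror … */
	rval = (struct tcpcb *)i->inp_ppcb;

finderror:
	/* free(NULL) is a no-op, so no guards are needed */
	free(o);
	free(f);
	free(s);
	free(i);
	free(t);
	return rval;
```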
@@ -108,8 +106,6 @@ $(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@ $(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@ -$(DEST)/addkeep.o: $(LIBSRC)/addkeep.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/addkeep.c -o $@ $(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@ $(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP) diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c index e18a787a0a59..c83ecfedaeef 100644 --- a/contrib/ipfilter/lib/addicmp.c +++ b/contrib/ipfilter/lib/addicmp.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $ + * $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $ */ #include 
@@ -17,76 +17,3 @@ char *icmptypes[MAX_ICMPTYPE + 1] = { "routersol", "timex", "paramprob", "timest", "timestrep", "inforeq", "inforep", "maskreq", "maskrep", "END" }; - -/* - * set the icmp field to the correct type if "icmp" word is found - */ -int addicmp(cp, fp, linenum) -char ***cp; -struct frentry *fp; -int linenum; -{ - char **t; - int i; - - (*cp)++; - if (!**cp) - return -1; - if (!fp->fr_proto) /* to catch lusers */ - fp->fr_proto = IPPROTO_ICMP; - if (ISDIGIT(***cp)) { - if (!ratoi(**cp, &i, 0, 255)) { - fprintf(stderr, - "%d: Invalid icmp-type (%s) specified\n", - linenum, **cp); - return -1; - } - } else { - for (t = icmptypes, i = 0; ; t++, i++) { - if (!*t) - continue; - if (!strcasecmp("END", *t)) { - i = -1; - break; - } - if (!strcasecmp(*t, **cp)) - break; - } - if (i == -1) { - fprintf(stderr, - "%d: Unknown icmp-type (%s) specified\n", - linenum, **cp); - return -1; - } - } - fp->fr_icmp = (u_short)(i << 8); - fp->fr_icmpm = (u_short)0xff00; - (*cp)++; - if (!**cp) - return 0; - - if (**cp && strcasecmp("code", **cp)) - return 0; - (*cp)++; - if (ISDIGIT(***cp)) { - if (!ratoi(**cp, &i, 0, 255)) { - fprintf(stderr, - "%d: Invalid icmp code (%s) specified\n", - linenum, **cp); - return -1; - } - } else { - i = icmpcode(**cp); - if (i == -1) { - fprintf(stderr, - "%d: Unknown icmp code (%s) specified\n", - linenum, **cp); - return -1; - } - } - i &= 0xff; - fp->fr_icmp |= (u_short)i; - fp->fr_icmpm = (u_short)0xffff; - (*cp)++; - return 0; -} diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c index 2fc0a78f82c5..c438a1c62ef9 100644 --- a/contrib/ipfilter/lib/facpri.c +++ b/contrib/ipfilter/lib/facpri.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $ + * $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $ */ #include 
@@ -20,7 +20,7 @@
#include "facpri.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $";
#endif
@@ -79,13 +79,13 @@ fac_toname(facpri)
fac = facpri & LOG_FACMASK;
j = fac >> 3;
- if (j < 24) {
+ if (j < (sizeof(facs)/sizeof(facs[0]))) {
if (facs[j].value == fac)
return facs[j].name;
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
}
+ for (i = 0; facs[i].name; i++)
+ if (fac == facs[i].value)
+ return facs[i].name;
return NULL;
}
@@ -94,11 +94,11 @@ fac_toname(facpri)
/*
* map a facility name to its number
*/
-int
+int
fac_findname(name)
char *name;
{
- int i;
+ int i;
for (i = 0; facs[i].name; i++)
if (!strcmp(facs[i].name, name))
@@ -116,22 +116,6 @@ table_t pris[] = {
};
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; pris[i].name; i++)
- if (!strcmp(pris[i].name, name))
- return pris[i].value;
- return -1;
-}
-
-
/*
* map a priority number to its name
*/
diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c
index 03fcd179f6dd..bb14fb300680 100644
--- a/contrib/ipfilter/lib/getport.c
+++ b/contrib/ipfilter/lib/getport.c
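Review bot: `if (j < (sizeof(facs)/sizeof(facs[0])))` compares `j` against a `size_t`, so if `j` is a signed `int` (its declaration is above the hunk; the file's other counters such as `i` are `int`) the comparison is done unsigned and draws a -Wsign-compare warning, and a negative `j` would slip past the bound, although with `j = fac >> 3` derived from `facpri & LOG_FACMASK` that does not look reachable. A cast makes the intent explicit: `if ((size_t)j < (sizeof(facs)/sizeof(facs[0]))) {`. The new bound also covers the terminating entry of `facs`, so `facs[j].name` may be the NULL sentinel if that entry's value field happens to equal `fac`; that is consistent with the function's existing NULL return, but worth a comment. fac_toname's declarations are outside the hunk.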
@@ -18,6 +18,33 @@ u_short *port;
return -1;
}
+ /*
+ * Some people will use port names in rules without specifying
+ * either TCP or UDP because it is implied by the group head.
+ * If we don't know the protocol, then the best we can do here is
+ * to take either only the TCP or UDP mapping (if one or the other
+ * is missing) or make sure both of them agree.
+ */
+ if (fr->fr_proto == 0) {
+ s = getservbyname(name, "tcp");
+ if (s != NULL)
+ p1 = s->s_port;
+ else
+ p1 = 0;
+ s = getservbyname(name, "udp");
+ if (s != NULL) {
+ if (p1 != s->s_port)
+ return -1;
+ }
+ if ((p1 == 0) && (s == NULL))
+ return -1;
+ if (p1)
+ *port = p1;
+ else
+ *port = s->s_port;
+ return 0;
+ }
+
if ((fr->fr_flx & FI_TCPUDP) != 0) {
/*
* If a rule is "tcp/udp" then check that both TCP and UDP
diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c
index fd1e647687ec..b60d2477a5f4 100644
--- a/contrib/ipfilter/lib/icmpcode.c
+++ b/contrib/ipfilter/lib/icmpcode.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $
+ * $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $
*/
#include
@@ -20,28 +20,3 @@ char *icmpcodes[MAX_ICMPCODE + 1] = {
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", NULL
};
-
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
- char *s;
- int i, len;
-
- if ((s = strrchr(str, ')')))
- *s = '\0';
- if (ISDIGIT(*str)) {
- if (!ratoi(str, &i, 0, 255))
- return -1;
- else
- return i;
- }
- len = strlen(str);
- for (i = 0; icmpcodes[i]; i++)
- if (!strncasecmp(str, icmpcodes[i], MIN(len,
- strlen(icmpcodes[i])) ))
- return i;
- return -1;
-}
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
index 0432c08449ac..04c2dab8777e 100644
--- a/contrib/ipfilter/lib/ipft_tx.c
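Review bot: The UDP-only case that the new comment promises never succeeds: when `getservbyname(name, "tcp")` fails, `p1` is 0, and the UDP branch then hits `if (p1 != s->s_port) return -1;` for any real UDP port, so only "both present and equal" and "TCP only" reach `*port = ...`, and the `else *port = s->s_port;` arm is effectively dead. Guarding the mismatch check on actually having a TCP result fixes it: `if (p1 != 0 && p1 != s->s_port)`. `s` and `p1` are declared above the hunk and the function continues below it, so I am assuming `p1` is a `u_short` that is only assigned inside this block. The port is stored in network byte order exactly as getservbyname() returns it, which I assume matches what the existing `FI_TCPUDP` path below the hunk does.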
+++ b/contrib/ipfilter/lib/ipft_tx.c
@@ -3,11 +3,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $
+ * $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $";
#endif
#include
@@ -73,36 +73,15 @@ int *resolved;
static u_short tx_portnum(name)
char *name;
{
- struct servent *sp, *sp2;
- u_short p1 = 0;
+ struct servent *sp;
if (ISDIGIT(*name))
return (u_short)atoi(name);
- if (!tx_proto)
- tx_proto = "tcp/udp";
- if (strcasecmp(tx_proto, "tcp/udp")) {
- sp = getservbyname(name, tx_proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
+ sp = getservbyname(name, tx_proto);
if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
- }
- return ntohs(p1);
+ return ntohs(sp->s_port);
+ (void) fprintf(stderr, "unknown service \"%s\".\n", name);
+ return 0;
}
diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c
index 42c161837e04..ec94bbbec181 100644
--- a/contrib/ipfilter/lib/optprint.c
+++ b/contrib/ipfilter/lib/optprint.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optprint.c,v 1.6 2002/07/13 15:59:49 darrenr Exp $
+ * $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $
*/
#include "ipf.h"
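Review bot: `sp = getservbyname(name, tx_proto);` now forwards `tx_proto` unchanged: with the removed default, a NULL `tx_proto` asks getservbyname() for any protocol, while the literal string "tcp/udp" that the removed code special-cased matches no services entry and yields "unknown service", so any caller that still sets `tx_proto` to that string (it is assigned outside this hunk) will now fail every named-port lookup. Mapping that case to NULL keeps the old "either protocol" behaviour: `sp = getservbyname(name, (tx_proto != NULL && strcasecmp(tx_proto, "tcp/udp") != 0) ? tx_proto : NULL);`. The tcp-versus-udp consistency check is also gone, so a name whose tcp and udp numbers differ now resolves silently to whichever entry the resolver returns first; if that is accepted, a comment above the call saying so would save the next reader from re-adding the check.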
@@ -23,6 +23,10 @@ u_long optmsk, optbits;
if ((io->on_value != IPOPT_SECURITY) || (!secmsk && !secbits)) {
printf("%s%s", s, io->on_name);
+ /*
+ * Because the ionames table has this entry
+ * twice.
+ */
if (io->on_value == IPOPT_SECURITY)
io++;
s = ",";
diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c
index f893ebb35636..6e7a405ecf7f 100644
--- a/contrib/ipfilter/lib/printfr.c
+++ b/contrib/ipfilter/lib/printfr.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printfr.c,v 1.43.2.15 2005/11/14 17:45:06 darrenr Exp $
+ * $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $
*/
#include "ipf.h"
@@ -120,20 +120,6 @@ ioctlfunc_t iocfunc;
printf("pass");
else if (FR_ISBLOCK(fp->fr_flags)) {
printf("block");
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
printlog(fp);
} else if (FR_ISACCOUNT(fp->fr_flags))
@@ -149,6 +135,20 @@ ioctlfunc_t iocfunc;
else {
printf("%x", fp->fr_flags);
}
+ if (fp->fr_flags & FR_RETICMP) {
+ if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
+ printf(" return-icmp-as-dest");
+ else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
+ printf(" return-icmp");
+ if (fp->fr_icode) {
+ if (fp->fr_icode <= MAX_ICMPCODE)
+ printf("(%s)",
+ icmpcodes[(int)fp->fr_icode]);
+ else
+ printf("(%d)", fp->fr_icode);
+ }
+ } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
+ printf(" return-rst");
if (fp->fr_flags & FR_OUTQUE)
printf(" out ");
diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c
index 1445971ad833..bf84eee87831 100644
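Review bot: The added comment explains the `io++` only obliquely: "Because the ionames table has this entry twice." is a fragment that leaves the reader to infer which entry is duplicated and what the increment does about it. Naming the action makes it self-contained: `/* ionames lists IPOPT_SECURITY twice; skip the duplicate entry. */`. The loop this sits in starts outside the hunk.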
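Review bot: The relocated block keeps `if (fp->fr_icode <= MAX_ICMPCODE) printf("(%s)", icmpcodes[(int)fp->fr_icode]);`, but `icmpcodes` is declared `char *icmpcodes[MAX_ICMPCODE + 1]` with a trailing NULL (visible in the icmpcode.c hunk of this same import), so `fr_icode == MAX_ICMPCODE` selects the NULL sentinel and hands it to `%s`, which is undefined behaviour. The bound should be exclusive and the entry NULL-checked: `if (fp->fr_icode < MAX_ICMPCODE && icmpcodes[(int)fp->fr_icode] != NULL)`. Whether `fr_icode` can also be negative depends on its declaration, which is not in the hunk. The code was only moved, so this predates the commit; the enclosing function continues outside the hunk.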
--- a/contrib/ipfilter/lib/printlog.c
+++ b/contrib/ipfilter/lib/printlog.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printlog.c,v 1.6.4.1 2005/11/14 17:45:06 darrenr Exp $
+ * $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $
*/
#include "ipf.h"
@@ -26,14 +26,11 @@ frentry_t *fp;
if (fp->fr_loglevel != 0xffff) {
printf(" level ");
s = fac_toname(fp->fr_loglevel);
- if (s == NULL)
+ if (s == NULL || *s == '\0')
s = "!!!";
u = pri_toname(fp->fr_loglevel);
- if (u == NULL)
+ if (u == NULL || *u == '\0')
u = "!!!";
- if (*s)
- printf("%s.%s", s, u);
- else
- printf("%s", u);
+ printf("%s.%s", s, u);
}
}
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 1ddc307a9fe5..03ffc81e584f 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -8,6 +8,8 @@ ipmon \- monitors /dev/ipl for logged packets
] [
.B "\-N "
] [
+.B "\-L "
+] [
.B "\-o [NSI]"
] [
.B "\-O [NSI]"
@@ -72,7 +74,7 @@ In order for \fBipmon\fP to properly work, the kernel option \fBIPFILTER_LOG\fP must be turned on in your kernel. Please see \fBoptions(4)\fP for more details.
.LP
-\fBipmon\fP reopns its log file(s) and rereads its configuration file
+\fBipmon\fP reopens its log file(s) and rereads its configuration file
when it receives a SIGHUP signal.
.SH OPTIONS
.TP
@@ -101,6 +103,9 @@ for normal IP Filter log records. Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero.
.TP
+.B \-L
+Using this option allows you to change the default syslog facility that
+ipmon uses for syslog messages. The default is local0.
.B \-n
IP addresses and port numbers will be mapped, where possible, back into hostnames and service names.
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
index 69b50c062a60..4614f1da5d1b 100644
--- a/contrib/ipfilter/radix.c
+++ b/contrib/ipfilter/radix.c
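Review bot: `if (s == NULL || *s == '\0') s = "!!!";` now reports an empty facility name the same way as a failed lookup, whereas the removed branch printed only the priority when `s` was empty; the output change looks intended but nothing in the hunk records it, so a reader comparing old and new listings cannot tell a genuinely unknown facility from an unnamed one. A one-line comment above the check would capture the decision: `/* An empty name from fac_toname()/pri_toname() is reported like a failed lookup. */`. printlog's variable declarations are above the hunk.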
@@ -137,7 +137,7 @@ struct radix_node *rn_addmask __P((int, int, void *)); * node as high in the tree as we can go. * * The present version of the code makes use of normal routes in short- - * circuiting an explict mask and compare operation when testing whether + * circuiting an explicit mask and compare operation when testing whether * a key satisfies a normal route, and also in remembering the unique leaf * that governs a subtree. */ diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c index 3a3d039ea964..f2063ecde813 100644 --- a/contrib/ipfilter/samples/proxy.c +++ b/contrib/ipfilter/samples/proxy.c @@ -55,7 +55,6 @@ char *argv[]; struct sockaddr_in sin, sloc, sout; ipfobj_t obj; natlookup_t natlook; - natlookup_t *natlookp = &natlook; char buffer[512]; int namelen, fd, n; diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index 16535bf265ee..192390801708 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -21,7 +21,7 @@ first: -mkdir -p results # Filtering tests -ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 +ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \ @@ -29,7 +29,8 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \ ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 -nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 +nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \ + ni16 ni19 ni20 ni21 intests: in1 in2 in3 in4 in5 in6 
@@ -44,7 +45,7 @@ bpf: bpf1 bpf-f1 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19: @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format` -f15 f16 f17 f18: +f15 f16 f17 f18 f20: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1: @@ -53,10 +54,10 @@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14: @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format` -ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16: +ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20: @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format` -ni6: +ni6 ni21: @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format` in1 in2 in3 in4 in5 in6: @@ -78,11 +79,11 @@ bpf-f1: /bin/sh ./bpftest `awk "/^$@ / { print; } " test.format` clean: - /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 + /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 - /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 + /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 /bin/rm -f in1 in2 in3 in4 in5 in6 /bin/rm -f p1 p2 p3 ip1 /bin/rm -f l1 diff --git a/contrib/ipfilter/test/expected/f20 b/contrib/ipfilter/test/expected/f20 new file mode 100644 index 000000000000..86308a0f1a41 --- /dev/null +++ b/contrib/ipfilter/test/expected/f20 @@ -0,0 +1,3 @@ +pass +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/i1 b/contrib/ipfilter/test/expected/i1 index c012af8b711b..74d0f309b616 100644 --- a/contrib/ipfilter/test/expected/i1 +++ b/contrib/ipfilter/test/expected/i1 
@@ -3,12 +3,12 @@ block out all log in all log body in all count in from any to any -pass in from !any to any +pass in from !any to any pps 10 block in from any to !any pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32 pass in on ed0(!),vx0(!) from 127.0.0.1/32 to 127.0.0.1/32 block in log first on lo0(!) from any to any -pass in log body quick from any to any +pass in log body or-block quick from any to any block return-rst in quick on le0(!) proto tcp from any to any block return-icmp in on qe0(!) from any to any block return-icmp(host-unr) in on qe0(!) from any to any diff --git a/contrib/ipfilter/test/expected/i10 b/contrib/ipfilter/test/expected/i10 index 57bd4ef6867f..9e0a5d5ab8ba 100644 --- a/contrib/ipfilter/test/expected/i10 +++ b/contrib/ipfilter/test/expected/i10 @@ -1,4 +1,5 @@ pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt sec +pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec block in from any to any with not opt sec-class topsecret block in from any to any with not opt sec-class topsecret,secret pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass diff --git a/contrib/ipfilter/test/expected/i11 b/contrib/ipfilter/test/expected/i11 index 26b8b78fade9..d4a6ec41abb0 100644 --- a/contrib/ipfilter/test/expected/i11 +++ b/contrib/ipfilter/test/expected/i11 @@ -7,4 +7,5 @@ pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state -pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err) +pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) +pass in proto udp from any to any keep state (sync,age 10/20) 
diff --git a/contrib/ipfilter/test/expected/i18 b/contrib/ipfilter/test/expected/i18 index 1aaa04f1c84f..88fca4744c46 100644 --- a/contrib/ipfilter/test/expected/i18 +++ b/contrib/ipfilter/test/expected/i18 @@ -1,6 +1,7 @@ pass in tos 0x50 from any to any pass in tos 0x80 from any to any -pass in tos 0x28 from any to any +pass in tos 0x80 from any to any +pass in tos 0x50 from any to any block in ttl 0 from any to any block in ttl 1 from any to any block in ttl 2 from any to any diff --git a/contrib/ipfilter/test/expected/i5 b/contrib/ipfilter/test/expected/i5 index 6947ad341719..edf986558f26 100644 --- a/contrib/ipfilter/test/expected/i5 +++ b/contrib/ipfilter/test/expected/i5 @@ -3,3 +3,7 @@ count in tos 0x80 from any to any pass in on ed0(!) tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32 block in log on lo0(!) ttl 0 from any to any pass in quick ttl 1 from any to any +skip 3 out from 127.0.0.1/32 to any +auth out on foo0(!) proto tcp from any to any port = 80 +preauth out on foo0(!) proto tcp from any to any port = 22 +nomatch out on foo0(!) proto tcp from any port < 1024 to any diff --git a/contrib/ipfilter/test/expected/i8 b/contrib/ipfilter/test/expected/i8 index 5533a7dceff3..f033e6b8d891 100644 --- a/contrib/ipfilter/test/expected/i8 +++ b/contrib/ipfilter/test/expected/i8 @@ -31,3 +31,5 @@ pass in proto icmp from any to any icmp-type squench pass in proto icmp from any to any icmp-type timest pass in proto icmp from any to any icmp-type timestrep pass in proto icmp from any to any icmp-type timex +pass in proto icmp from any to any icmp-type 254 +pass in proto icmp from any to any icmp-type 253 code 254 diff --git a/contrib/ipfilter/test/expected/i9 b/contrib/ipfilter/test/expected/i9 index bb4e54f703ff..2d464543f177 100644 --- a/contrib/ipfilter/test/expected/i9 +++ b/contrib/ipfilter/test/expected/i9 
@@ -5,8 +5,13 @@ pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body pass in proto tcp from any to any flags S/FSRPAU with not oow keep state +block in proto tcp from any to any with oow pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat +block in proto tcp from any to any flags S/FSRPAU with bad,not bad-src,not bad-nat +pass in quick from any to any with not short block in quick from any to any with not nat +pass in quick from any to any with not frag-body block in quick from any to any with not lowttl -pass in from any to any with mbcast,not bcast,mcast,not state +pass in from any to any with not ipopts,mbcast,not bcast,mcast,not state +block in from any to any with not mbcast,bcast,not mcast,state pass in from any to any with opt mtup,mtur,encode,ts,tr,sec,e-sec,cipso,satid,ssrr,addext,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump diff --git a/contrib/ipfilter/test/expected/in2 b/contrib/ipfilter/test/expected/in2 index 1dc7b68dd783..f1239b122137 100644 --- a/contrib/ipfilter/test/expected/in2 +++ b/contrib/ipfilter/test/expected/in2 @@ -1,5 +1,5 @@ rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp -rdr le0 9.8.7.6/32 -> 1.1.1.1 ip +rdr le0 9.8.7.6/32 -> 1.1.1.1 255 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp rdr le0 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 9.0.0.0/8 -> 1.1.1.1 ip diff --git a/contrib/ipfilter/test/expected/in5 b/contrib/ipfilter/test/expected/in5 index f371b358eece..e77de714a90d 100644 --- a/contrib/ipfilter/test/expected/in5 +++ b/contrib/ipfilter/test/expected/in5 
@@ -1,7 +1,8 @@ map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1/32 portmap tcp 10000:20000 +map le0 from 9.8.7.6/32 port > 1024 ! to 1.2.3.4/32 -> 1.1.1.1/32 portmap tcp 10000:20000 rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip -rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp +rdr le0 ! from 1.2.3.4/32 to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp diff --git a/contrib/ipfilter/test/expected/ni19 b/contrib/ipfilter/test/expected/ni19 new file mode 100644 index 000000000000..a75c583e27b3 --- /dev/null +++ b/contrib/ipfilter/test/expected/ni19 
@@ -0,0 +1,25 @@ +4500 0040 e3fc 4000 4006 40b5 0a01 0101 0a01 0104 03f1 0202 6523 90b2 0000 0000 b002 8000 a431 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000 +4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302 +4500 0028 e3fd 4000 4006 40cc 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5010 832c e3b7 0000 +4500 002d e3fe 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5018 832c 8242 0000 3130 3038 00 +4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000 +4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302 +4500 0040 e3ff 4000 4006 40b2 0a01 0101 0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 452f 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101 +4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000 +4500 0030 e400 4000 4006 40c1 0a01 0101 0a01 0104 03f1 0202 6523 90b8 915a a5c5 5018 832c 3560 0000 6461 7272 656e 7200 +4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000 +4500 0053 e401 4000 4006 409d 0a01 0101 0a01 0104 03f1 0202 6523 90c0 915a a5c5 5018 832c cce7 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00 +4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000 +4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00 +4500 0028 e403 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90eb 915a a5c6 5010 832c e37e 0000 +4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a +4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 
8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a +4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000 +4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000 +4500 0028 e404 4000 4006 1a1b c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5010 8328 bcd3 0000 +4500 0034 e405 4000 4006 1a0e c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 57d7 0000 0101 080a 0000 0004 0039 dd6c +4500 0028 e40a 4000 4006 1a15 c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5011 832c bcce 0000 +4500 0034 e40b 4000 4006 1a08 c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 57d2 0000 0101 080a 0000 0004 0039 dd6c +4500 0028 0004 4000 4006 fe1b 0a01 0104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 3a47 0000 +4500 0034 118e 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 d548 0000 0101 080a 0039 dd6e 0000 0004 +------------------------------- diff --git a/contrib/ipfilter/test/expected/ni20 b/contrib/ipfilter/test/expected/ni20 new file mode 100644 index 000000000000..46833bd2eaf2 --- /dev/null +++ b/contrib/ipfilter/test/expected/ni20 
@@ -0,0 +1,25 @@ +4500 0040 e3fc 4000 4006 f362 c0a8 7103 c0a8 7104 03f1 0202 6523 90b2 0000 0000 b002 8000 56df 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000 +4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302 +4500 0028 e3fd 4000 4006 f379 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5010 832c 9665 0000 +4500 002d e3fe 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5018 832c 34f0 0000 3130 3038 00 +4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000 +4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302 +4500 0040 e3ff 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 f7dc 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101 +4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000 +4500 0030 e400 4000 4006 f36e c0a8 7103 c0a8 7104 03f1 0202 6523 90b8 915a a5c5 5018 832c e80d 0000 6461 7272 656e 7200 +4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000 +4500 0053 e401 4000 4006 f34a c0a8 7103 c0a8 7104 03f1 0202 6523 90c0 915a a5c5 5018 832c 7f95 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00 +4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000 +4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00 +4500 0028 e403 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5c6 5010 832c 962c 0000 +4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a +4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 
8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a +4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000 +4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000 +4500 0028 e404 4000 4006 f372 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5010 8328 962b 0000 +4500 0034 e405 4000 4006 f365 c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 312f 0000 0101 080a 0000 0004 0039 dd6c +4500 0028 e40a 4000 4006 f36c c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5011 832c 9626 0000 +4500 0034 e40b 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 312a 0000 0101 080a 0000 0004 0039 dd6c +4500 0028 0004 4000 4006 d773 c0a8 7104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 139f 0000 +4500 0034 118e 4000 4006 c5dd c0a8 7104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 aea0 0000 0101 080a 0039 dd6e 0000 0004 +------------------------------- diff --git a/contrib/ipfilter/test/expected/ni21 b/contrib/ipfilter/test/expected/ni21 new file mode 100644 index 000000000000..349ae2391cc0 --- /dev/null +++ b/contrib/ipfilter/test/expected/ni21 @@ -0,0 +1,4 @@ +ip #0 20(20) 0 4.4.4.4 > 3.3.3.3 +ip #0 20(20) 0 3.3.3.3 > 2.2.2.2 +ip #0 20(20) 0 4.4.4.4 > 3.3.3.3 +------------------------------- diff --git a/contrib/ipfilter/test/input/f2 b/contrib/ipfilter/test/input/f2 index d168af0c716a..f4e9d23f1cf6 100644 --- a/contrib/ipfilter/test/input/f2 +++ b/contrib/ipfilter/test/input/f2 @@ -1,5 +1,5 @@ -in tcp 127.0.0.1,1 127.0.0.1,21 -in tcp 1.1.1.1,1 1.2.1.1,21 +in tcp 127.0.0.1,1 127.0.0.1,ftp +in tcp 1.1.1.1,1 1.2.1.1,ftp in udp 127.0.0.1,1 127.0.0.1,21 in udp 1.1.1.1,1 1.2.1.1,21 in icmp 127.0.0.1 127.0.0.1 diff --git a/contrib/ipfilter/test/input/f20 b/contrib/ipfilter/test/input/f20 new file mode 100644 index 000000000000..605ba7c236f0 --- /dev/null +++ b/contrib/ipfilter/test/input/f20 
@@ -0,0 +1,2 @@ +out on de0 1.1.1.1 2.2.2.2 +out on ab0 1.1.1.1 2.2.2.2 diff --git a/contrib/ipfilter/test/input/ni19 b/contrib/ipfilter/test/input/ni19 new file mode 100644 index 000000000000..d95e68afc7b1 --- /dev/null +++ b/contrib/ipfilter/test/input/ni19 
@@ -0,0 +1,157 @@ +# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 +[out,bge0] +4500 0040 e3fc 4000 4006 1a0b c0a8 7103 +0a01 0104 03f1 0202 6523 90b2 0000 0000 +b002 8000 7d87 0000 0204 05b4 0103 0300 +0402 0101 0101 080a 0000 0000 0000 0000 + +# 10.1.1.4.shell > 10.1.1.1.1009: SYN win 5840 +[in,bge0] +4500 0034 0000 4000 4006 24be 0a01 0104 +0a01 0101 0202 03f1 915a a5c4 6523 90b3 +8012 16d0 0f47 0000 0204 05b4 0101 0402 +0103 0302 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0028 e3fd 4000 4006 1a22 c0a8 7103 +0a01 0104 03f1 0202 6523 90b3 915a a5c5 +5010 832c bd0d 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 002d e3fe 4000 4006 1a1c c0a8 7103 +0a01 0104 03f1 0202 6523 90b3 915a a5c5 +5018 832c 5b98 0000 3130 3038 00 + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0028 7ce5 4000 4006 a7e4 0a01 0104 +0a01 0101 0202 03f1 915a a5c5 6523 90b8 +5010 05b4 612b 0000 0000 0000 0000 + +# 10.1.1.4.1023 > 10.1.1.1.1008: SYN win 5840 +[in,bge0] +4500 003c 1186 4000 4006 1330 0a01 0104 +0a01 0101 03ff 03f0 91d4 c8a2 0000 0000 +a002 16d0 df6a 0000 0204 05b4 0402 080a +0039 d924 0000 0000 0103 0302 + +# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 +[out,bge0] +4500 0040 e3ff 4000 4006 1a08 c0a8 7103 +0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3 +b012 8000 1e85 0000 0204 05b4 0103 0300 +0101 080a 0000 0000 0039 d924 0402 0101 + +# 10.1.1.4.1023 > 10.1.1.1.1008 +[in,bge0] +4500 0034 1188 4000 4006 1336 0a01 0104 +0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811 +8010 05b4 0046 0000 0101 080a 0039 d925 +0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0030 e400 4000 4006 1a17 c0a8 7103 +0a01 0104 03f1 0202 6523 90b8 915a a5c5 +5018 832c 0eb6 0000 6461 7272 656e 7200 + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0028 7ce7 4000 4006 a7e2 0a01 0104 +0a01 0101 0202 03f1 915a a5c5 6523 90c0 +5010 05b4 6123 0000 0000 0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0053 e401 4000 4006 19f3 c0a8 7103 +0a01 
0104 03f1 0202 6523 90c0 915a a5c5 +5018 832c a63d 0000 6461 7272 656e 7200 +7368 202d 6320 2265 6368 6f20 666f 6f20 +3e26 313b 2065 6368 6f20 6261 7220 3e26 +3222 00 + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0028 7ce9 4000 4006 a7e0 0a01 0104 +0a01 0101 0202 03f1 915a a5c5 6523 90eb +5010 05b4 60f8 0000 0000 0000 0000 + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0029 7ceb 4000 4006 a7dd 0a01 0104 +0a01 0101 0202 03f1 915a a5c5 6523 90eb +5018 05b4 60ef 0000 0000 0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0028 e403 4000 4006 1a1c c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5c6 +5010 832c bcd4 0000 + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 002c 7ced 4000 4006 a7d8 0a01 0104 +0a01 0101 0202 03f1 915a a5c6 6523 90eb +5018 05b4 8b71 0000 666f 6f0a 0000 + +# 10.1.1.4.1023 > 10.1.1.1.1008 +[in,bge0] +4500 0038 118a 4000 4006 1330 0a01 0104 +0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811 +8018 05b4 2787 0000 0101 080a 0039 dd6c +0000 0000 6261 720a + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0028 7cef 4000 4006 a7da 0a01 0104 +0a01 0101 0202 03f1 915a a5ca 6523 90eb +5011 05b4 60f2 0000 0000 0000 0000 + +# 10.1.1.4.1023 > 10.1.1.1.1008 +[in,bge0] +4500 0034 118c 4000 4006 1332 0a01 0104 +0a01 0101 03ff 03f0 91d4 c8a7 66e5 b811 +8011 05b4 fbf8 0000 0101 080a 0039 dd6d +0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0028 e404 4000 4006 1a1b c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5cb +5010 8328 bcd3 0000 + +# 192.168.113.3.1008 > 10.1.1.4.1023 +[out,bge0] +4500 0034 e405 4000 4006 1a0e c0a8 7103 +0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 +8010 8328 57d7 0000 0101 080a 0000 0004 +0039 dd6c + +# 192.168.113.3.1009 > 10.1.1.4.shell +[out,bge0] +4500 0028 e40a 4000 4006 1a15 c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5cb +5011 832c bcce 0000 + +# 192.168.113.3.1008 > 10.1.1.4.1023 +[out,bge0] +4500 0034 e40b 4000 4006 1a08 c0a8 7103 +0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 +8011 832c 
57d2 0000 0101 080a 0000 0004 +0039 dd6c + +# 10.1.1.4.shell > 10.1.1.1.1009 +[in,bge0] +4500 0028 0004 4000 4006 24c6 0a01 0104 +0a01 0101 0202 03f1 915a a5cb 6523 90ec +5010 05b4 60f1 0000 0000 0000 0000 + +# 10.1.1.4.1023 > 10.1.1.1.1008 +[in,bge0] +4500 0034 118e 4000 4006 1330 0a01 0104 +0a01 0101 03ff 03f0 91d4 c8a8 66e5 b812 +8010 05b4 fbf2 0000 0101 080a 0039 dd6e +0000 0004 + diff --git a/contrib/ipfilter/test/input/ni20 b/contrib/ipfilter/test/input/ni20 new file mode 100644 index 000000000000..4c2b87e4de34 --- /dev/null +++ b/contrib/ipfilter/test/input/ni20 
@@ -0,0 +1,157 @@ +# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 +[in,bge0] +4500 0040 e3fc 4000 4006 1a0b c0a8 7103 +0a01 0104 03f1 0202 6523 90b2 0000 0000 +b002 8000 7d87 0000 0204 05b4 0103 0300 +0402 0101 0101 080a 0000 0000 0000 0000 + +# 192.168.113.4.shell > 192.168.113.3.1009: SYN win 5840 +[out,bge0] +4500 0034 0000 4000 4006 d76b c0a8 7104 +c0a8 7103 0202 03f1 915a a5c4 6523 90b3 +8012 16d0 c1f4 0000 0204 05b4 0101 0402 +0103 0302 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 0028 e3fd 4000 4006 1a22 c0a8 7103 +0a01 0104 03f1 0202 6523 90b3 915a a5c5 +5010 832c bd0d 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 002d e3fe 4000 4006 1a1c c0a8 7103 +0a01 0104 03f1 0202 6523 90b3 915a a5c5 +5018 832c 5b98 0000 3130 3038 00 + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 0028 7ce5 4000 4006 5a92 c0a8 7104 +c0a8 7103 0202 03f1 915a a5c5 6523 90b8 +5010 05b4 13d9 0000 0000 0000 0000 + +# 192.168.113.4.1023 > 192.168.113.3.1008: SYN win 5840 +[out,bge0] +4500 003c 1186 4000 4006 c5dd c0a8 7104 +c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 +a002 16d0 9218 0000 0204 05b4 0402 080a +0039 d924 0000 0000 0103 0302 + +# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 +[in,bge0] +4500 0040 e3ff 4000 4006 1a08 c0a8 7103 +0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3 +b012 8000 1e85 0000 0204 05b4 0103 0300 +0101 080a 0000 0000 0039 d924 0402 0101 + +# 192.168.113.4.1023 > 192.168.113.3.1008 +[out,bge0] +4500 0034 1188 4000 4006 c5e3 c0a8 7104 +c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 +8010 05b4 b2f3 0000 0101 080a 0039 d925 +0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 0030 e400 4000 4006 1a17 c0a8 7103 +0a01 0104 03f1 0202 6523 90b8 915a a5c5 +5018 832c 0eb6 0000 6461 7272 656e 7200 + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 0028 7ce7 4000 4006 5a90 c0a8 7104 +c0a8 7103 0202 03f1 915a a5c5 6523 90c0 +5010 05b4 13d1 0000 0000 0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell 
+[in,bge0] +4500 0053 e401 4000 4006 19f3 c0a8 7103 +0a01 0104 03f1 0202 6523 90c0 915a a5c5 +5018 832c a63d 0000 6461 7272 656e 7200 +7368 202d 6320 2265 6368 6f20 666f 6f20 +3e26 313b 2065 6368 6f20 6261 7220 3e26 +3222 00 + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 0028 7ce9 4000 4006 5a8e c0a8 7104 +c0a8 7103 0202 03f1 915a a5c5 6523 90eb +5010 05b4 13a6 0000 0000 0000 0000 + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 0029 7ceb 4000 4006 5a8b c0a8 7104 +c0a8 7103 0202 03f1 915a a5c5 6523 90eb +5018 05b4 139d 0000 0000 0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 0028 e403 4000 4006 1a1c c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5c6 +5010 832c bcd4 0000 + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 002c 7ced 4000 4006 5a86 c0a8 7104 +c0a8 7103 0202 03f1 915a a5c6 6523 90eb +5018 05b4 3e1f 0000 666f 6f0a 0000 + +# 192.168.113.4.1023 > 192.168.113.3.1008 +[out,bge0] +4500 0038 118a 4000 4006 c5dd c0a8 7104 +c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 +8018 05b4 da34 0000 0101 080a 0039 dd6c +0000 0000 6261 720a + +# 192.168.113.4.shell > 192.168.113.3.1009 +[out,bge0] +4500 0028 7cef 4000 4006 5a88 c0a8 7104 +c0a8 7103 0202 03f1 915a a5ca 6523 90eb +5011 05b4 13a0 0000 0000 0000 0000 + +# 192.168.113.4.1023 > 192.168.113.3.1008 +[out,bge0] +4500 0034 118c 4000 4006 c5df c0a8 7104 +c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 +8011 05b4 aea6 0000 0101 080a 0039 dd6d +0000 0000 + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 0028 e404 4000 4006 1a1b c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5cb +5010 8328 bcd3 0000 + +# 192.168.113.3.1008 > 10.1.1.4.1023 +[in,bge0] +4500 0034 e405 4000 4006 1a0e c0a8 7103 +0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 +8010 8328 57d7 0000 0101 080a 0000 0004 +0039 dd6c + +# 192.168.113.3.1009 > 10.1.1.4.shell +[in,bge0] +4500 0028 e40a 4000 4006 1a15 c0a8 7103 +0a01 0104 03f1 0202 6523 90eb 915a a5cb +5011 832c bcce 0000 + +# 192.168.113.3.1008 > 
10.1.1.4.1023
+[in,bge0]
+4500 0034 e40b 4000 4006 1a08 c0a8 7103
+0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
+8011 832c 57d2 0000 0101 080a 0000 0004
+0039 dd6c
+
+# 192.168.113.4.shell > 192.168.113.3.1009
+[out,bge0]
+4500 0028 0004 4000 4006 d773 c0a8 7104
+c0a8 7103 0202 03f1 915a a5cb 6523 90ec
+5010 05b4 139f 0000 0000 0000 0000
+
+# 192.168.113.4.1023 > 192.168.113.3.1008
+[out,bge0]
+4500 0034 118e 4000 4006 c5dd c0a8 7104
+c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812
+8010 05b4 aea0 0000 0101 080a 0039 dd6e
+0000 0004
+
diff --git a/contrib/ipfilter/test/input/ni21 b/contrib/ipfilter/test/input/ni21
new file mode 100644
index 000000000000..daf741e59439
--- /dev/null
+++ b/contrib/ipfilter/test/input/ni21
@@ -0,0 +1,3 @@
+out on lan0 2.2.2.2 3.3.3.3
+in on lan0 3.3.3.3 4.4.4.4
+out on lan0 2.2.2.2 3.3.3.3
diff --git a/contrib/ipfilter/test/regress/f20 b/contrib/ipfilter/test/regress/f20
new file mode 100644
index 000000000000..279523e4a9f5
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f20
@@ -0,0 +1,4 @@
+block out quick on de0 head 100
+skip 1 out group 100
+block out quick group 100
+pass out quick group 100
diff --git a/contrib/ipfilter/test/regress/i1 b/contrib/ipfilter/test/regress/i1
index c86c3208eded..0fd2c6e0c39a 100644
--- a/contrib/ipfilter/test/regress/i1
+++ b/contrib/ipfilter/test/regress/i1
@@ -4,12 +4,12 @@ all log in all log body in all count in from any to any -pass in from !any to any +pass in from !any to any pps 10 block in from any to !any pass in on ed0 from localhost to localhost pass in on ed0,vx0 from localhost to localhost block in log first on lo0 from any to any -pass in log body quick from any to any +pass in log body or-block quick from any to any block return-rst in quick on le0 proto tcp from any to any block return-icmp in on qe0 from any to any block return-icmp(1) in on qe0 from any to any
diff --git a/contrib/ipfilter/test/regress/i10 b/contrib/ipfilter/test/regress/i10
index ece27126f0af..640ac84ad2af 100644
--- a/contrib/ipfilter/test/regress/i10
+++ b/contrib/ipfilter/test/regress/i10
@@ -1,4 +1,5 @@
 pass in from localhost to localhost with opt sec
+pass in from localhost to localhost with opt lsrr not opt sec
 block in from any to any with not opt sec-class topsecret
 block in from any to any with not opt sec-class topsecret,secret
 pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass
diff --git a/contrib/ipfilter/test/regress/i11 b/contrib/ipfilter/test/regress/i11
index 89b35898594b..cb7d68389993 100644
--- a/contrib/ipfilter/test/regress/i11
+++ b/contrib/ipfilter/test/regress/i11
@@ -7,4 +7,5 @@ pass in on ed0 out-via vx0 proto udp from any to any keep state
 pass out on ppp0 in-via le0 proto tcp from any to any keep state
 pass in on ed0,vx0 out-via vx0,ed0 proto udp from any to any keep state
 pass in proto tcp from any port gt 1024 to localhost port eq 1024 keep state
-pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101)
+pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101,age 600)
+pass in proto udp all keep state(age 10/20,sync)
diff --git a/contrib/ipfilter/test/regress/i15 b/contrib/ipfilter/test/regress/i15
index 5268ec3562b1..0e6b0d12cd59 100644
--- a/contrib/ipfilter/test/regress/i15
+++ b/contrib/ipfilter/test/regress/i15
@@ -2,4 +2,3 @@ pass out on fxp0 all set-tag(log=100)
 pass out on fxp0 all set-tag(nat=foo)
 pass out on fxp0 all set-tag(log=100, nat=200)
 pass out on fxp0 all set-tag(log=2147483648, nat=overtherainbowisapotof)
-
diff --git a/contrib/ipfilter/test/regress/i17 b/contrib/ipfilter/test/regress/i17
index a995ae59f860..e399248222a6 100644
--- a/contrib/ipfilter/test/regress/i17
+++ b/contrib/ipfilter/test/regress/i17
@@ -9,3 +9,5 @@ pass in from localhost to any @0 pass in from 1.1.1.1 to any @1 110 pass in from 2.2.2.2 to any @2 pass in from 3.3.3.3 to any
+call fr_srcgrpmap/100 out from 10.1.0.0/16 to any
+call now fr_dstgrpmap/200 in from 10.2.0.0/16 to any
diff --git a/contrib/ipfilter/test/regress/i18 b/contrib/ipfilter/test/regress/i18
index c2845d1d6c2d..03ce713b4a54 100644
--- a/contrib/ipfilter/test/regress/i18
+++ b/contrib/ipfilter/test/regress/i18
@@ -1,2 +1,3 @@
-pass in tos (80,0x80,40) all
+pass in tos (80,0x80) all
+pass in tos (0x80,80) all
 block in ttl (0,1,2,3,4,5,6) all
diff --git a/contrib/ipfilter/test/regress/i5 b/contrib/ipfilter/test/regress/i5
index 38482f3a584e..788f971ae18f 100644
--- a/contrib/ipfilter/test/regress/i5
+++ b/contrib/ipfilter/test/regress/i5
@@ -3,3 +3,7 @@ count in tos 0x80 from any to any
 pass in on ed0 tos 64 from localhost to localhost
 block in log on lo0 ttl 0 from any to any
 pass in quick ttl 1 from any to any
+skip 3 out from 127.0.0.1 to any
+auth out on foo0 proto tcp from any to any port = 80
+preauth out on foo0 proto tcp from any to any port = 22
+nomatch out on foo0 proto tcp from any port < 1024 to any
diff --git a/contrib/ipfilter/test/regress/i8 b/contrib/ipfilter/test/regress/i8
index cc984b275cd2..c30f8bdbd90e 100644
--- a/contrib/ipfilter/test/regress/i8
+++ b/contrib/ipfilter/test/regress/i8
@@ -29,3 +29,5 @@ pass in proto icmp all icmp-type squench
 pass in proto icmp all icmp-type timest
 pass in proto icmp all icmp-type timestrep
 pass in proto icmp all icmp-type timex
+pass in proto icmp all icmp-type 254
+pass in proto icmp all icmp-type 253 code 254
diff --git a/contrib/ipfilter/test/regress/i9 b/contrib/ipfilter/test/regress/i9
index a966bed72f8a..441cfa9a16b6 100644
--- a/contrib/ipfilter/test/regress/i9
+++ b/contrib/ipfilter/test/regress/i9
@@ -5,8 +5,13 @@ pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
 pass in from localhost to localhost and not frag
 pass in from localhost to localhost with frags,frag-body
 pass in proto tcp all flags S with not oow keep state
+block in proto tcp all with oow
 pass in proto tcp all flags S with not bad,bad-src,bad-nat
+block in proto tcp all flags S with bad,not bad-src,not bad-nat
+pass in quick all with not short
 block in quick all with not nat
+pass in quick all with not frag-body
 block in quick all with not lowttl
-pass in all with mbcast,not bcast,multicast,not state
+pass in all with mbcast,not bcast,multicast,not state,not ipopts
+block in all with not mbcast,bcast,not multicast,state
 pass in from any to any with opt mtur,mtup,encode,ts,tr,sec,cipso,satid,ssrr,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump,addext,e-sec
diff --git a/contrib/ipfilter/test/regress/in2 b/contrib/ipfilter/test/regress/in2
index 4a86de736ce4..83a2ca5acc3c 100644
--- a/contrib/ipfilter/test/regress/in2
+++ b/contrib/ipfilter/test/regress/in2
@@ -1,5 +1,5 @@
 rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip
+rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 255
 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
 rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
 rdr le0 9.8.7.6/0xff000000 -> 1.1.1.1 ip
diff --git a/contrib/ipfilter/test/regress/in5 b/contrib/ipfilter/test/regress/in5
index c539b03f3e5d..766c3e3df104 100644
--- a/contrib/ipfilter/test/regress/in5
+++ b/contrib/ipfilter/test/regress/in5
@@ -1,7 +1,8 @@
 map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1 portmap 10000:20000 tcp
+map le0 from 9.8.7.6/32 port > 1024 to ! 1.2.3.4 -> 1.1.1.1 portmap 10000:20000 tcp
 rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
 rdr le0 from any to 9.8.7.6/0xffffffff port = 0 -> 1.1.1.1 port 0 ip
-rdr le0 from any to 9.8.7.6 port = 8888 -> 1.1.1.1 port 888 tcp
+rdr le0 ! from 1.2.3.4 to 9.8.7.6 port = 8888 -> 1.1.1.1 port 888 tcp
 rdr le0 from any to 9.8.7.6/255.255.255.255 port = 8888 -> 1.1.1.1 port 888 ip
 rdr le0 from any to 9.8.7.6 mask 0xffffffff port = 8888 -> 1.1.1.1 port 888 tcp
 rdr le0 from any to 9.8.7.6 mask 255.255.255.255 port = 8888 -> 1.1.1.1 port 888 udp
diff --git a/contrib/ipfilter/test/regress/ni19.ipf b/contrib/ipfilter/test/regress/ni19.ipf
new file mode 100644
index 000000000000..c6fcec1c32f3
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni19.ipf
@@ -0,0 +1,3 @@
+block in all
+pass out quick on bge0 proto tcp from any to any port = shell flags S keep state
+block out all
diff --git a/contrib/ipfilter/test/regress/ni19.nat b/contrib/ipfilter/test/regress/ni19.nat
new file mode 100644
index 000000000000..56b81a9e0cb9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni19.nat
@@ -0,0 +1 @@
+map bge0 192.168.113.0/24 -> 10.1.1.1/32 proxy port shell rcmd/tcp
diff --git a/contrib/ipfilter/test/regress/ni20.ipf b/contrib/ipfilter/test/regress/ni20.ipf
new file mode 100644
index 000000000000..c6f6d8444c41
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni20.ipf
@@ -0,0 +1,3 @@
+block in all
+pass in quick on bge0 proto tcp from any to any port = shell flags S keep state
+block out all
diff --git a/contrib/ipfilter/test/regress/ni20.nat b/contrib/ipfilter/test/regress/ni20.nat
new file mode 100644
index 000000000000..f2dd0a7e729d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni20.nat
@@ -0,0 +1 @@
+rdr bge0 10.1.1.4/32 port shell -> 192.168.113.4 port shell tcp proxy rcmd
diff --git a/contrib/ipfilter/test/regress/ni21.ipf b/contrib/ipfilter/test/regress/ni21.ipf
new file mode 100644
index 000000000000..6d6ed081787f
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni21.ipf
@@ -0,0 +1 @@
+pass out on lan0 to eri0:1.1.1.1 from 2.2.2.2 to any
diff --git a/contrib/ipfilter/test/regress/ni21.nat b/contrib/ipfilter/test/regress/ni21.nat
new file mode 100644
index 000000000000..6b2d46a9fb99
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni21.nat
@@ -0,0 +1 @@
+map lan0,eri0 2.2.2.2 -> 4.4.4.4
diff --git a/contrib/ipfilter/test/test.format b/contrib/ipfilter/test/test.format
index f284542201e6..4bb18515e39c 100644
--- a/contrib/ipfilter/test/test.format
+++ b/contrib/ipfilter/test/test.format
@@ -20,6 +20,7 @@ f16 text text
 f17 hex hex
 f18 text text
 f19 text text fr_statemax=3
+f20 text text
 i1 text ipf
 i2 text ipf
 i3 text ipf
@@ -82,6 +83,9 @@ ni13 hex hex fr_update_ipid=1
 ni14 hex hex fr_update_ipid=1
 ni15 hex hex fr_update_ipid=1
 ni16 hex hex fr_update_ipid=1
+ni19 hex hex fr_update_ipid=0
+ni20 hex hex fr_update_ipid=0
+ni21 text text
 p1 text text
 p2 text text
 p3 text text
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
new file mode 100644
index 000000000000..5b2c05905214
--- /dev/null
+++ b/contrib/ipfilter/todo
@@ -0,0 +1,98 @@
+BUGS:
+-----
+* fix "to " bug on FreeBSD 2.2.8
+fastroute works
+
+===============================================================================
+GENERAL:
+--------
+
+* support redirection like "rdr tun0 0/32 port 80 ..."
+
+* use fr_tcpstate() with NAT code for increased NAT usage security or even
+ fr_checkstate() - suspect this is not possible.
+
+* add another alias for for interfaces ? as well as
+ all IP#'s associated with the box ?
+
+time permitting:
+
+* load balancing across interfaces
+
+* record buffering for TCP/UDP
+
+* modular application proxying
+-done
+
+* allow multiple ip addresses in a source route list for ipsend
+
+* port IP Filter to Linux
+Not in this century.
+
+* document bimap
+
+* document NAT rule order processing
+
+* add more docs
+in progress
+
+3.4:
+XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
+traffic priorization) should be *TOP* in the TO DO list.
+
+* Bandwidth limiting!!!
+maybe for solaris, otherwise "ALTQ"
+* More examples
+* More documentation
+* Load balancing features added to the NAT code, so that I can have
+something coming in for 20.20.20.20:80 and it gets shuffled around between
+internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
+- done, stage 1 (round robin/split)
+The one thing that Cisco's PIX has on IPF that I can see is that
+rewrites the sequence numbers with semi-random ones.
+- done
+
+I would also love to see a more extensive NAT. It can choose to do
+rdr and map based on saddr, daddr, sport and dport. (Does the kernel
+module already have functionality for that and it just needs support in
+the userland ipnat?)
+-sort of done
+
+ * intrusion detection
+ detection of port scans
+ detection of multiple connection attempts
+
+ * support for multiple log files
+ i.e.
all connections to ftp and telnet logged to
+ a seperate log file
+
+ * multiple levels of log severity with E-mail notification
+ of intrusion alerts or other high priority errors
+
+ * poison pill facility
+ after detection of a port scan, start sending back
+ large packets of garbage or other packets to
+ otherwise confuse the intruder (ping of death?)
+
+IPv6:
+-----
+* NAT is yet not available, either as a null proxy or address translation
+
+BSD:
+* "to " and "to :" are not supported, but "fastroute" is.
+
+Solaris:
+* "to :" is not supported, but "fastroute" is and "to " are.
+
+Tru64:
+------
+* IPv6 checksum calculation for RST's and ICMP packets is not done (there
+ are routines in the Tru64 kernel to do this but what is the interface?)
+
+does bimap allow equal sized subnets?
+
+make return-icmp 'intelligent' if no type is given about what type to use?
+
+reply-to - enforce packets to pass through interfaces in particular
+combinations - opposite to "to", set reverse path interface
+
diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
index 245412445adf..8e352a9049c6 100644
--- a/contrib/ipfilter/tools/ipf.c
+++ b/contrib/ipfilter/tools/ipf.c
@@ -19,7 +19,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $"; #endif #if !defined(__SVR4) && defined(__GNUC__)
@@ -196,7 +196,7 @@ static void closedevice() static int get_flags() { - int i; + int i = 0; if ((opendevice(ipfname, 1) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) {
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index a65a2e2b7933..d03887c4c6ed 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -79,6 +79,10 @@ static struct wordtab logwords[33]; union i6addr m; } ipp; union i6addr ip6; + struct { + char *if1; + char *if2; + } ifs; }; %type portnum @@ -91,6 +95,7 @@ static struct wordtab logwords[33]; %type servicename name interfacename %type portrange portcomp %type addrlist poollist +%type onname %token YY_NUMBER YY_HEX %token YY_STR @@ -99,7 +104,7 @@ static struct wordtab logwords[33]; %token YY_RANGE_OUT YY_RANGE_IN %token YY_IPV6 -%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL +%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST %token IPFY_IN IPFY_OUT %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA @@ -176,7 +181,7 @@ line: xx rule { while ((fr = frtop) != NULL) { | YY_COMMENT ; -xx: { newrule(); } +xx: { newrule(); } ; assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); @@ -255,6 +260,7 @@ collection: action: block | IPFY_PASS { fr->fr_flags |= FR_PASS; } + | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; } | log | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } | auth @@ -284,7 +290,7 @@ log: IPFY_LOG { fr->fr_flags |= FR_LOG; } ; auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; } - | IPFY_AUTH IPFY_RETRST { fr->fr_flags |= (FR_AUTH|FR_RETRST);} + | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;} | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; } ; 
@@ -465,18 +471,41 @@ quick: ; on: IPFY_ON onname + | IPFY_ON lstart onlist lend | IPFY_ON onname IPFY_INVIA vianame | IPFY_ON onname IPFY_OUTVIA vianame ; +onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \ + sizeof(fr->fr_ifnames[0])); \ + if ($1.if2 != NULL) { \ + strncpy(fr->fr_ifnames[1], \ + $1.if2, \ + sizeof(fr->fr_ifnames[1]));\ + } \ + ) } + | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \ + sizeof(fr->fr_ifnames[0])); \ + if ($3.if2 != NULL) { \ + strncpy(fr->fr_ifnames[1], \ + $3.if2, \ + sizeof(fr->fr_ifnames[1]));\ + } \ + ) } + ; + onname: interfacename { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); + $$.if1 = fr->fr_ifnames[0]; + $$.if2 = NULL; free($1); } | interfacename ',' interfacename { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); + $$.if1 = fr->fr_ifnames[0]; free($1); strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); + $$.if1 = fr->fr_ifnames[1]; free($3); } ; @@ -1025,7 +1054,8 @@ codelist: icmpcode { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) } | codelist lmore icmpcode - { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) } + { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \ + fr->fr_icmpm |= htons(0xff);) } ; age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ @@ -1085,7 +1115,11 @@ stateopt: | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } - age; + | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ + fr->fr_age[1] = $2;) } + | IPFY_AGE YY_NUMBER '/' YY_NUMBER + { DOALL(fr->fr_age[0] = $2; \ + fr->fr_age[1] = $4;) } ; portnum: @@ -1443,6 +1477,7 @@ static struct wordtab ipfwords[95] = { { "newisn", IPFY_NEWISN }, { "no", IPFY_NO }, { "no-icmp-err", IPFY_NOICMPERR }, + { "nomatch", IPFY_NOMATCH }, { "now", IPFY_NOW }, { "not", IPFY_NOT }, { "oow", IPFY_OOW }, 
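Review bot: The second `onname` alternative (the `interfacename ',' interfacename` case) assigns `$$.if1` twice and never sets `$$.if2`, so the `if2` member that `onlist` tests with `if ($1.if2 != NULL)` is whatever the semantic-value union held before, and `if1` ends up pointing at `fr_ifnames[1]` rather than `fr_ifnames[0]`; the last assignment should read `$$.if2 = fr->fr_ifnames[1];`. As written, an interface pair inside an `on` list can copy the wrong name into each rule and pass an indeterminate pointer to `strncpy`. Separately, none of the `strncpy` calls into `fr_ifnames` in this hunk force a terminating NUL when the name fills the buffer, so a `sizeof(...) - 1` bound plus an explicit terminator would be safer. The `onlist` actions expand through DOREM, whose definition is outside this hunk.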
@@ -1751,18 +1786,6 @@ static frentry_t *addrule() ; count = nrules; - if (count == 0) { - f = (frentry_t *)calloc(sizeof(*f), 1); - added++; - f2->fr_next = f; - bcopy(f2, f, sizeof(*f)); - if (f2->fr_caddr != NULL) { - f->fr_caddr = malloc(f->fr_dsize); - bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize); - } - f->fr_next = NULL; - return f; - } f = f2; for (f1 = frc; count > 0; count--, f1 = f1->fr_next) { f->fr_next = (frentry_t *)calloc(sizeof(*f), 1); @@ -2033,7 +2056,7 @@ void *ptr; del = SIOCRMAFR; } - if (fr && (opts & OPT_OUTQUE)) + if ((opts & OPT_OUTQUE) != 0) fr->fr_flags |= FR_OUTQUE; if (fr->fr_hits) fr->fr_hits--; diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c index f09bfd314fd2..0362877fd011 100644 --- a/contrib/ipfilter/tools/ipfcomp.c +++ b/contrib/ipfilter/tools/ipfcomp.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $"; #endif #include "ipf.h" @@ -1222,7 +1222,7 @@ frgroup_t *grp; char *instr; group = grp->fg_name; - dogrp = 0; + dogrp = *group ? 1 : 0; if (in && out) { fprintf(stderr, diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c index 767dffb74df6..4479d19e3539 100644 --- a/contrib/ipfilter/tools/ipfs.c +++ b/contrib/ipfilter/tools/ipfs.c 
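Review bot: The rewritten condition in the `@@ -2033` hunk, `if ((opts & OPT_OUTQUE) != 0) fr->fr_flags |= FR_OUTQUE;`, drops the `fr &&` guard the old line had, and nothing else in the hunk checks `fr`; the next statement `if (fr->fr_hits) fr->fr_hits--;` already dereferences it unconditionally, so the old guard was only half-effective anyway. If `fr` cannot be NULL at this point, a one-line comment stating that invariant (or an `assert(fr != NULL);` near the top of the function) would make the intent explicit; if it can, both dereferences need the check. The enclosing function starts outside the hunk.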
@@ -458,21 +458,19 @@ char *file; i = read(sfd, &ips, sizeof(ips)); if (i == -1) { perror("read"); - close(sfd); - return 1; + goto freeipshead; } if (i == 0) break; if (i != sizeof(ips)) { fprintf(stderr, "state:incomplete read: %d != %d\n", i, (int)sizeof(ips)); - close(sfd); - return 1; + goto freeipshead; } is = (ipstate_save_t *)malloc(sizeof(*is)); - if(!is) { + if (is == NULL) { fprintf(stderr, "malloc failed\n"); - return 1; + goto freeipshead; } bcopy((char *)&ips, (char *)is, sizeof(ips)); @@ -510,7 +508,7 @@ char *file; obj.ipfo_size = sizeof(*is); obj.ipfo_type = IPFOBJ_STATESAVE; - for (is = ipshead; is; is = is->ips_next) { + while ((is = ipshead) != NULL) { if (opts & OPT_VERBOSE) printf("Loading new state table entry\n"); if (is->ips_is.is_flags & SI_NEWFR) { @@ -522,7 +520,7 @@ char *file; if (!(opts & OPT_DONOTHING)) if (ioctl(fd, SIOCSTPUT, &obj)) { perror("SIOCSTPUT"); - return 1; + goto freeipshead; } if (is->ips_is.is_flags & SI_NEWFR) { @@ -532,9 +530,21 @@ char *file; if (is1->ips_rule == (frentry_t *)&is->ips_rule) is1->ips_rule = is->ips_rule; } + + ipshead = is->ips_next; + free(is); } return 0; + +freeipshead: + while ((is = ipshead) != NULL) { + ipshead = is->ips_next; + free(is); + } + if (sfd != -1) + close(sfd); + return 1; } @@ -573,21 +583,21 @@ char *file; i = read(nfd, &ipn, sizeof(ipn)); if (i == -1) { perror("read"); - close(nfd); - return 1; + goto freenathead; } if (i == 0) break; if (i != sizeof(ipn)) { fprintf(stderr, "nat:incomplete read: %d != %d\n", i, (int)sizeof(ipn)); - close(nfd); - return 1; + goto freenathead; } in = (nat_save_t *)malloc(ipn.ipn_dsize); - if (!in) - break; + if (in == NULL) { + fprintf(stderr, "nat:cannot malloc nat save atruct\n"); + goto freenathead; + } if (ipn.ipn_dsize > sizeof(ipn)) { n = ipn.ipn_dsize - sizeof(ipn); @@ -600,8 +610,7 @@ char *file; fprintf(stderr, "nat:incomplete read: %d != %d\n", i, n); - close(nfd); - return 1; + goto freenathead; } } } 
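Review bot: In the `@@ -573` hunk `ipn.ipn_dsize` is read from the saved-state file and handed to `malloc()` before anything compares it with `sizeof(ipn)`; the later `if (ipn.ipn_dsize > sizeof(ipn))` only decides whether to read a tail, so a record whose size field is smaller than the header still yields an undersized buffer for whatever is copied into `in` after the hunk (presumably the header itself, as the state path does with `bcopy`). A guard before the allocation, `if (ipn.ipn_dsize < sizeof(ipn)) { fprintf(stderr, "nat:bad record size\n"); goto freenathead; }`, fits the new cleanup path and rejects truncated or corrupt input early. The new message in the same hunk also has a typo: `"nat:cannot malloc nat save atruct\n"` should say `struct`. The `goto freenathead` paths themselves are sound here because `in` is not yet linked into `ipnhead` when they fire; the function continues past the hunk.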
@@ -643,7 +652,7 @@ char *file; obj.ipfo_rev = IPFILTER_VERSION; obj.ipfo_type = IPFOBJ_NATSAVE; - for (in = ipnhead; in; in = in->ipn_next) { + while ((in = ipnhead) != NULL) { if (opts & OPT_VERBOSE) printf("Loading new NAT table entry\n"); nat = &in->ipn_nat; @@ -668,9 +677,21 @@ char *file; if (in1->ipn_rule == &in->ipn_fr) in1->ipn_rule = nat->nat_fr; } + + ipnhead = in->ipn_next; + free(in); } return 0; + +freenathead: + while ((in = ipnhead) != NULL) { + ipnhead = in->ipn_next; + free(in); + } + if (nfd != -1) + close(nfd); + return 1; } diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c index fb0c43383de0..5745f137a4a7 100644 --- a/contrib/ipfilter/tools/ipfstat.c +++ b/contrib/ipfilter/tools/ipfstat.c @@ -68,7 +68,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.13 2005/10/17 17:26:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $"; #endif #ifdef __hpux @@ -923,8 +923,6 @@ ips_stat_t *ipsp; ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss); - PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull); PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c index 913f756cfa4f..ec78d0d58370 100644 --- a/contrib/ipfilter/tools/ipftest.c +++ b/contrib/ipfilter/tools/ipftest.c 
@@ -10,7 +10,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.7 2005/12/07 08:29:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $"; #endif extern char *optarg; @@ -210,7 +210,7 @@ char *argv[]; ip = MTOD(m, ip_t *); while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf), &iface, &dir)) > 0) { - if (iface == NULL || *iface == '\0') + if ((iface == NULL) || (*iface == '\0')) iface = ifname; ifp = get_unit(iface, IP_V(ip)); if (!use_inet6) { @@ -797,6 +797,6 @@ ip_t *ip; } if (hdr != NULL) { *csump = 0; - *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr); + *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len); } } diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c index 1ef3351e98bd..58a4390661ba 100644 --- a/contrib/ipfilter/tools/ipmon.c +++ b/contrib/ipfilter/tools/ipmon.c @@ -76,7 +76,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $"; #endif @@ -189,6 +189,7 @@ static char *conf_file = NULL; #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 #endif +int logfac = LOGFAC; static icmp_subtype_t icmpunreachnames[] = { @@ -648,10 +649,10 @@ int len; if (j && !(j & 0xf)) { *t++ = '\n'; *t = '\0'; - if (!(dopts & OPT_SYSLOG)) - fputs(hline, log); - else + if ((dopts & OPT_SYSLOG)) syslog(LOG_INFO, "%s", hline); + else if (log != NULL) + fputs(hline, log); t = (u_char *)hline; *t = '\0'; } 
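Review bot: `int logfac = LOGFAC;` in the `@@ -189` hunk is a new file-scope variable with external linkage, while the neighbouring `conf_file` shown in that hunk's header is `static`; unless another translation unit reads it, `static int logfac = LOGFAC;` keeps it out of the global namespace and matches the file's convention. In the `@@ -648` hunk, `if ((dopts & OPT_SYSLOG))` carries a redundant pair of parentheses left over from the old `!(...)` form; `if (dopts & OPT_SYSLOG)` or the `!= 0` spelling used in the following hunk would be consistent.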
@@ -684,11 +685,12 @@ int len; *t++ = '\n'; *t = '\0'; } - if (!(dopts & OPT_SYSLOG)) { + if ((dopts & OPT_SYSLOG) != 0) + syslog(LOG_INFO, "%s", hline); + else if (log != NULL) { fputs(hline, log); fflush(log); - } else - syslog(LOG_INFO, "%s", hline); + } } @@ -782,7 +784,7 @@ int blen; *t++ = '\0'; if (opts & OPT_SYSLOG) syslog(LOG_INFO, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); } @@ -899,7 +901,7 @@ int blen; *t++ = '\0'; if (opts & OPT_SYSLOG) syslog(LOG_INFO, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); } @@ -1030,12 +1032,7 @@ int blen; (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); t += strlen(t); #endif -#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \ - defined(__arm__) - if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0')) -#else - if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0')) -#endif + if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0')) strcat(t, " @-1:"); else if (ipf->fl_group[0] == '\0') (void) strcpy(t, " @0:"); @@ -1305,8 +1302,9 @@ int blen; if (defaction == 0) { if (opts & OPT_SYSLOG) syslog(lvl, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); + if (opts & OPT_HEXHDR) dumphex(log, opts, buf, sizeof(iplog_t) + sizeof(*ipf)); @@ -1369,11 +1367,12 @@ FILE *log; (void) close(fd); if (flushed) { - if (opts & OPT_SYSLOG) + if (opts & OPT_SYSLOG) { syslog(LOG_INFO, "%d bytes flushed from log\n", flushed); - else if (log != stdout) + } else if ((log != stdout) && (log != NULL)) { fprintf(log, "%d bytes flushed from log\n", flushed); + } } } @@ -1431,7 +1430,8 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1) + while ((c = getopt(argc, argv, + "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : 
@@ -1463,6 +1463,15 @@ char *argv[]; flushlogs(iplfile[1], log); flushlogs(iplfile[2], log); break; + case 'L' : + logfac = fac_findname(optarg); + if (logfac == -1) { + fprintf(stderr, + "Unknown syslog facility '%s'\n", + optarg); + exit(1); + } + break; case 'n' : opts |= OPT_RESOLVE; break; @@ -1493,7 +1502,7 @@ char *argv[]; s = argv[0]; else s++; - openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); + openlog(s, LOG_NDELAY|LOG_PID, logfac); s = NULL; opts |= OPT_SYSLOG; log = NULL; @@ -1588,8 +1597,8 @@ char *argv[]; #endif /* !BSD */ close(0); close(1); + write_pid(pidfile); } - write_pid(pidfile); signal(SIGHUP, handlehup); @@ -1625,7 +1634,8 @@ char *argv[]; fclose(log); log = fp; } - if (binarylogfile && (fp = fopen(binarylogfile, "a"))) { + if (binarylogfile && + (fp = fopen(binarylogfile, "a"))) { fclose(binarylog); binarylog = fp; } @@ -1647,7 +1657,7 @@ char *argv[]; case 1 : if (opts & OPT_SYSLOG) syslog(LOG_CRIT, "aborting logging\n"); - else + else if (log != NULL) fprintf(log, "aborting logging\n"); doread = 0; break; diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y index ddd431115eb7..095b29437871 100644 --- a/contrib/ipfilter/tools/ipnat_y.y +++ b/contrib/ipfilter/tools/ipnat_y.y @@ -52,6 +52,7 @@ static ipnat_t *nat = NULL; static int natfd = -1; static ioctlfunc_t natioctlfunc = NULL; static addfunc_t nataddfunc = NULL; +static int suggest_port = 0; static void newnatrule __P((void)); static void setnatproto __P((int)); @@ -170,6 +171,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if ((nat->in_flags & IPN_TCPUDP) == 0) setnatproto(nat->in_p); if (((nat->in_redir & NAT_MAPBLK) != 0) || 
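Review bot: In the `@@ -1588` hunk `write_pid(pidfile)` moves inside the block that ends with `close(0); close(1);`, whose opening condition is outside the hunk, so the pid file is now written only on that path (presumably the detach-from-terminal branch) and never when ipmon stays in the foreground. If that is the intent, a short comment such as `/* pid file is only written when running detached */` next to the call would document it; if not, the call belongs back after the closing brace. The enclosing `main` continues outside the hunk.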
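Review bot: `suggest_port` is a file-static flag that the new `port:` rule sets to 1, but nothing in these hunks ever resets it, so once any rule in a file uses the `port` keyword every later `map`/`rdr` rule parsed afterwards gets `IPN_TCPUDP` forced on even if it names no port. Unless `newnatrule()` (outside this diff) clears it, the flag should be reset when a rule is started or finished, e.g. `suggest_port = 0;` alongside the per-rule initialisation. The same check is repeated in the `@@ -184`, `@@ -232` and `@@ -246` hunks, and the `port:` rule itself is in the `@@ -310` hunk.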
@@ -184,6 +188,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if (((nat->in_redir & NAT_MAPBLK) != 0) || ((nat->in_flags & IPN_AUTOPORTMAP) != 0)) nat_setgroupmap(nat); @@ -222,7 +229,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions (nat->in_pmin != 0 || nat->in_pmax != 0 || nat->in_pnext != 0)) - setnatproto(IPPROTO_TCP); + setnatproto(IPPROTO_TCP); } | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions { nat->in_v = 4; @@ -232,6 +239,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions nat->in_pmax != 0 || nat->in_pnext != 0)) setnatproto(IPPROTO_TCP); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], nat->in_ifnames[0], @@ -246,9 +256,19 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); } + | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions + { nat->in_v = 4; + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; + if (nat->in_ifnames[1][0] == '\0') + strncpy(nat->in_ifnames[1], + nat->in_ifnames[0], + sizeof(nat->in_ifnames[0])); + } ; -proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto +proxy: | IPNY_PROXY port portspec YY_STR '/' proto { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); if (nat->in_dcmp == 0) { nat->in_dport = htons($3); @@ -258,7 +278,7 @@ proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto setnatproto($6); free($4); } - | IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto + | IPNY_PROXY port YY_STR YY_STR '/' proto { int pnum; strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); pnum = getportproto($3, $6); 
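Review bot: The new `rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions` alternative copies the `in_ifnames[1]` defaulting and the suggest_port block verbatim from the alternative above it, making this the fourth copy of each in the file; a small static helper (e.g. `finish_rule()`, name constructed) called from every map/redir action would keep the alternatives in step when one of them changes. Unlike its sibling, this alternative has no fallback to `setnatproto(IPPROTO_TCP)`; that may be fine because no `nport` is parsed here, but a comment saying so would stop the asymmetry reading like an omission.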
@@ -310,6 +330,9 @@ dip: nat->in_inmsk = $3.s_addr; } ; +port: IPNY_PORT { suggest_port = 1; } + ; + portspec: YY_NUMBER { if ($1 > 65535) /* Unsigned */ yyerror("invalid port number"); @@ -322,16 +345,16 @@ portspec: } ; -dport: | IPNY_PORT portspec { nat->in_pmin = htons($2); +dport: | port portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($2); } - | IPNY_PORT portspec '-' portspec { nat->in_pmin = htons($2); + | port portspec '-' portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($4); } - | IPNY_PORT portspec ':' portspec { nat->in_pmin = htons($2); + | port portspec ':' portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($4); } ; -nport: IPNY_PORT portspec { nat->in_pnext = htons($2); } - | IPNY_PORT '=' portspec { nat->in_pnext = htons($3); +nport: port portspec { nat->in_pnext = htons($2); } + | port '=' portspec { nat->in_pnext = htons($3); nat->in_flags |= IPN_FIXEDDPORT; } ; @@ -355,12 +378,16 @@ mapfrom: from sobject IPNY_TO dobject | from sobject '!' IPNY_TO dobject { nat->in_flags |= IPN_NOTDST; } + | from sobject IPNY_TO '!' dobject + { nat->in_flags |= IPN_NOTDST; } ; rdrfrom: from sobject IPNY_TO dobject | '!' from sobject IPNY_TO dobject { nat->in_flags |= IPN_NOTSRC; } + | from '!' sobject IPNY_TO dobject + { nat->in_flags |= IPN_NOTSRC; } ; from: IPNY_FROM { nat->in_flags |= IPN_FILTER; } @@ -413,7 +440,7 @@ mapport: sobject: saddr - | saddr IPNY_PORT portstuff { nat->in_sport = $3.p1; + | saddr port portstuff { nat->in_sport = $3.p1; nat->in_stop = $3.p2; nat->in_scmp = $3.pc; } ; @@ -430,7 +457,7 @@ saddr: addr { if (nat->in_redir == NAT_REDIRECT) { dobject: daddr - | daddr IPNY_PORT portstuff { nat->in_dport = $3.p1; + | daddr port portstuff { nat->in_dport = $3.p1; nat->in_dtop = $3.p2; nat->in_dcmp = $3.pc; if (nat->in_redir == NAT_REDIRECT) 
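Review bot: The new `from sobject IPNY_TO '!' dobject` and `from '!' sobject IPNY_TO dobject` alternatives set exactly the flags the existing `'!'`-first forms set, so the grammar now accepts two spellings of each negation without saying which is the documented one. A comment on each new alternative, e.g. `/* alternate placement of '!' - same meaning as the form above */`, and a matching note in the manual page would keep that deliberate rather than accidental.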
@@ -535,10 +562,18 @@ rdrproxy: } ; -proto: YY_NUMBER { $$ = $1; } +proto: YY_NUMBER { $$ = $1; + if ($$ != IPPROTO_TCP && + $$ != IPPROTO_UDP) + suggest_port = 0; + } | IPNY_TCP { $$ = IPPROTO_TCP; } | IPNY_UDP { $$ = IPPROTO_UDP; } - | YY_STR { $$ = getproto($1); free($1); } + | YY_STR { $$ = getproto($1); free($1); + if ($$ != IPPROTO_TCP && + $$ != IPPROTO_UDP) + suggest_port = 0; + } ; hexnumber: @@ -706,6 +741,8 @@ static void newnatrule() nat->in_next = n; nat = n; } + + suggest_port = 0; } @@ -782,7 +819,7 @@ void *ptr; del = SIOCRMNAT; } - if (ipn && (opts & OPT_VERBOSE)) + if ((opts & OPT_VERBOSE) != 0) printnat(ipn, opts); if (opts & OPT_DEBUG) diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c index 8a8797475dff..abc48fe1f6ea 100644 --- a/contrib/ipfilter/tools/ipsyncm.c +++ b/contrib/ipfilter/tools/ipsyncm.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $"; #endif #include #include @@ -20,7 +20,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da #include #include #include -#include +#include #include #include @@ -32,6 +32,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da int main __P((int, char *[])); +void usage __P((const char *)); int terminate = 0; @@ -39,10 +40,12 @@ void usage(const char *progname) { fprintf(stderr, "Usage: %s \n", progname); } +#if 0 static void handleterm(int sig) { terminate = sig; } +#endif /* should be large enough to hold header + any datatype */ @@ -115,7 +118,7 @@ char *argv[]; goto tryagain; } - syslog(LOG_INFO, "Established connection to %s", + syslog(LOG_INFO, "Sending data to %s", inet_ntoa(sin.sin_addr)); inbuf = 0; 
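Review bot: The `YY_NUMBER` and `YY_STR` actions now carry identical copies of the `if ($$ != IPPROTO_TCP && $$ != IPPROTO_UDP) suggest_port = 0;` test, while the `IPNY_TCP`/`IPNY_UDP` alternatives rely on the flag being untouched; a single helper, `static void note_proto(int p) { if (p != IPPROTO_TCP && p != IPPROTO_UDP) suggest_port = 0; }` (name constructed), called as `note_proto($$)` from both actions, would keep the rule in one place. It is also worth a comment that the numeric form clears the flag for any value outside the two protocol numbers, since the action does not range-check the number.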
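Review bot: The rewritten condition drops the `ipn &&` test, so `printnat(ipn, opts)` is now reached with a NULL `ipn` whenever OPT_VERBOSE is set; unless the part of the function outside this hunk guarantees `ipn` is non-NULL here, that is a NULL dereference in printnat on a verbose run. Keeping the guard, `if ((ipn != NULL) && (opts & OPT_VERBOSE) != 0)`, costs nothing; if the removal is deliberate because `ipn` is always valid at this point, a comment saying so would prevent it being re-added. The enclosing function starts outside the hunk.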
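Review bot: Wrapping `handleterm()` in `#if 0` leaves `terminate` declared and initialised but never assigned, so whatever loop tests it (main() is outside this hunk) can no longer be stopped by a signal; if the handler was disabled on purpose, the variable and any `signal()` registration should go with it, and if not, the handler should be kept and registered. `#if 0` blocks also tend to rot, so deleting the code and relying on version control is the usual fix. The same change is made to ipsyncs.c in hunk @@ -41 on the next line.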
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c index 29c63af0c7ef..0d95a9dc5061 100644 --- a/contrib/ipfilter/tools/ipsyncs.c +++ b/contrib/ipfilter/tools/ipsyncs.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $"; #endif #include #include @@ -19,7 +19,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da #include #include #include -#include +#include #include #include #include @@ -32,6 +32,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da #include "netinet/ip_sync.h" int main __P((int, char *[])); +void usage __P((const char *progname)); int terminate = 0; @@ -41,11 +42,12 @@ void usage(const char *progname) { progname); } +#if 0 static void handleterm(int sig) { terminate = sig; - } +#endif #define BUFFERLEN 1400 @@ -130,8 +132,7 @@ char *argv[]; goto tryagain; } - syslog(LOG_INFO, "Established connection to %s", - inet_ntoa(sin.sin_addr)); + syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr)); inbuf = 0; while (1) { @@ -223,14 +224,15 @@ char *argv[]; n2 = sizeof(*sh) + len; n3 = write(lfd, buff, n2); if (n3 <= 0) { - syslog(LOG_ERR, "Write error: %m"); + syslog(LOG_ERR, "%s: Write error: %m", + IPSYNC_NAME); goto tryagain; } if (n3 != n2) { - syslog(LOG_ERR, "Incomplete write (%d/%d)", - n3, n2); + syslog(LOG_ERR, "%s: Incomplete write (%d/%d)", + IPSYNC_NAME, n3, n2); goto tryagain; } diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c index 66de8fcc4118..49eeb51ef2ad 100644 --- a/contrib/ipfilter/tools/lexer.c +++ b/contrib/ipfilter/tools/lexer.c @@ -170,6 +170,8 @@ int yylex() switch (c) { case '\n' : + lnext = 0; + nokey = 0; case '\t' : case '\r' : case ' ' :
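Review bot: The two error messages rewritten in hunk @@ -223 gain an `IPSYNC_NAME` prefix, while the `"Listening to %s"` message in hunk @@ -130 of the same file and the messages in ipsyncm.c do not, so the syslog stream now mixes prefixed and unprefixed lines from the same program. If openlog() is already called with an identifier (its call is not in this diff), the prefix is redundant and I'd drop it; otherwise apply it to every message in the file for consistency. The enclosing function starts and ends outside the hunk.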