Import IPFilter 3.4.28

svn path=/vendor/ipfilter/dist/; revision=98005

contrib/ipfilter/BSD/Makefile

@@ -231,6 +231,7 @@ clean:
 	${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
 	vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
 	y.tab.? lex.yy.c ipfs
+	${RM} -f ../opt_inet6.h
 
 	${MAKE} -f Makefile.ipsend ${MFLAGS} clean
 	-(for i in *; do \

contrib/ipfilter/FreeBSD-4.0/kinstall

@@ -28,7 +28,7 @@ echo ""
 echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
 ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
 
-set patchfile=FreeBSd-4.0/ipv6-patch-$krev
+set patchfile=FreeBSD-4.0/ipv6-patch-$krev
 if ( -f $patchfile ) then
 	echo ""
 	echo "Patching ip6_input.c and ip6_output.c"

contrib/ipfilter/HISTORY

@@ -22,6 +22,45 @@
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+3.4.28	6/6/2002 - Released
+
+Fix for H.323 proxy to work on little endian boxes
+
+IRIX: Update installation documentation
+      add route lock patch
+
+allow use of groups > 65535
+
+create a new packet info summary for packets going through ipfr_fastroute()
+so that where details are different (RST/ICMP errors), the packet now gets
+correctly NAT'd, etc.
+
+fix the FTP proxy so that checks for TCP sequence numbers outside the
+normal offset due to data changes use absolute numbers
+
+make it possible to remove rules in ipftest
+
+Update installing onto OpenBSD and split into two directories:
+OpenBSD-2 and OpenBSD-3
+
+fix error in printout out the protocol in NAT rules
+
+always unlock ipfilter if locking fails half way through in ipfs
+
+fix problems with TCP window scaling
+
+update of man pages for ipnat(4) and ipftest(1)
+
+3.4.27	28/04/2002 - Released
+
+fix calculation of 2's complmenent 16 bit checksum for user space
+
+add mbuflen() to usespace compiles.
+
+add more #ifdef complexity for platform portability
+
+add OpenBSD 3.1 diffs
+
 3.4.26	25/04/2002 - Released
 
 fix parsing and printing of NAT rules with regression tests.

contrib/ipfilter/fil.c

@@ -97,7 +97,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $";
 #endif
 
 #ifndef	_KERNEL
@@ -1501,7 +1501,7 @@ tcphdr_t *tcp;
  * SUCH DAMAGE.
  *
  *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
  */
 /*
  * Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1616,7 +1616,6 @@ frgroup_t ***fgpp;
 		fgp = &ipfgroups[0][set];
 	else
 		return NULL;
-	num &= 0xffff;
 
 	while ((fg = *fgp))
 		if (fg->fg_num == num)

contrib/ipfilter/ip_auth.c

@@ -104,7 +104,7 @@ extern struct ifqueue   ipintrq;		/* ip packet input queue */
 #endif
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $";
 #endif
 
 
@@ -615,7 +615,10 @@ void fr_authexpire()
 		} else
 			faep = &fae->fae_next;
 	}
-	ipauth = &fae_list->fae_fr;
+	if (fae_list != NULL)
+		ipauth = &fae_list->fae_fr;
+	else
+		ipauth = NULL;
 
 	for (frp = &fr_authlist; (fr = *frp); ) {
 		if (fr->fr_ref == 1) {

contrib/ipfilter/ip_compat.h

@@ -4,7 +4,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_compat.h	1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $
  */
 
 #ifndef	__IP_COMPAT_H__
@@ -213,7 +213,11 @@ typedef	 int	minor_t;
 #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
 # include <sys/param.h>
 # ifndef __FreeBSD_version
-#  include <sys/osreldate.h>
+#  ifdef IPFILTER_LKM
+#   include <osreldate.h>
+#  else
+#   include <sys/osreldate.h>
+#  endif
 # endif
 # ifdef IPFILTER_LKM
 #  define       ACTUALLY_LKM_NOT_KERNEL

contrib/ipfilter/ip_fil.c

@@ -120,7 +120,7 @@ extern	int	ip_optcopy __P((struct ip *, struct ip *));
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $";
 #endif
 
 
@@ -643,6 +643,9 @@ int mode;
 	unit = dev;
 #endif
 
+	if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+		return ENODEV;
+
 	SPL_NET(s);
 
 	if (unit == IPL_LOGNAT) {
@@ -887,7 +890,8 @@ caddr_t data;
 	 * Check that the group number does exist and that if a head group
 	 * has been specified, doesn't exist.
 	 */
-	if ((req != SIOCZRLST) && fp->fr_grhead &&
+	if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+	     (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
 	    fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
 		return EEXIST;
 	if ((req != SIOCZRLST) && fp->fr_group &&
@@ -1221,13 +1225,18 @@ fr_info_t *fin;
 struct mbuf **mp;
 {
 	struct mbuf *m = *mp;
-	char *dpsave;
-	int error;
+	int error, hlen;
+	fr_info_t frn;
 	ip_t *ip;
 
-	dpsave = fin->fin_dp;
+	bzero((char *)&frn, sizeof(frn));
+	frn.fin_ifp = fin->fin_ifp;
+	frn.fin_v = fin->fin_v;
+	frn.fin_out = fin->fin_out;
+	frn.fin_mp = fin->fin_mp;
 
 	ip = mtod(m, ip_t *);
+	hlen = sizeof(*ip);
 
 	ip->ip_v = fin->fin_v;
 	if (ip->ip_v == 4) {
@@ -1242,21 +1251,24 @@ struct mbuf **mp;
 		ip->ip_ttl = ip_defttl;
 # endif
 		ip->ip_sum = 0;
-		fin->fin_dp = (char *)(ip + 1);
+		frn.fin_dp = (char *)(ip + 1);
 	}
 # ifdef	USE_INET6
 	else if (ip->ip_v == 6) {
 		ip6_t *ip6 = (ip6_t *)ip;
 
+		hlen = sizeof(*ip6);
 		ip6->ip6_hlim = 127;
-		fin->fin_dp = (char *)(ip6 + 1);
+		frn.fin_dp = (char *)(ip6 + 1);
 	}
 # endif
 # ifdef	IPSEC
 	m->m_pkthdr.rcvif = NULL;
 # endif
-	error = ipfr_fastroute(m, mp, fin, NULL);
-	fin->fin_dp = dpsave;
+
+	fr_makefrip(hlen, ip, &frn);
+
+	error = ipfr_fastroute(m, mp, &frn, NULL);
 	return error;
 }
 
@@ -1563,6 +1575,9 @@ frdest_t *fdp;
 	/*
 	 * Route packet.
 	 */
+#ifdef	__sgi
+	ROUTE_RDLOCK();
+#endif
 	bzero((caddr_t)ro, sizeof (*ro));
 	dst = (struct sockaddr_in *)&ro->ro_dst;
 	dst->sin_family = AF_INET;
@@ -1599,6 +1614,11 @@ frdest_t *fdp;
 # else
 	rtalloc(ro);
 # endif
+
+#ifdef	__sgi
+	ROUTE_UNLOCK();
+#endif
+
 	if (!ifp) {
 		if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
 			error = -2;
@@ -2098,7 +2118,7 @@ int code;
 fr_info_t *fin;
 int dst;
 {
-	verbose("- ICMP UNREACHABLE RST sent\n");
+	verbose("- ICMP UNREACHABLE sent\n");
 	return 0;
 }
 

contrib/ipfilter/ip_fil.h

@@ -4,7 +4,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_fil.h	1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $
  */
 
 #ifndef	__IP_FIL_H__
@@ -508,6 +508,7 @@ extern	int	send_reset __P((ip_t *, fr_info_t *));
 extern	int	send_icmp_err __P((ip_t *, int, fr_info_t *, int));
 extern	int	ipf_log __P((void));
 extern	struct	ifnet *get_unit __P((char *, int));
+extern	int	mbuflen __P((mb_t *));
 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
 	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
 extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));

contrib/ipfilter/ip_ftp_pxy.c

@@ -2,7 +2,7 @@
  * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  *
- * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $
  */
 #if SOLARIS && defined(_KERNEL)
 extern	kmutex_t	ipf_rw;
@@ -766,10 +766,10 @@ int rv;
 	i = 0;
 	sel = nat->nat_aps->aps_sel[1 - rv];
 	if (rv) {
-		if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
+		if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq))
 			i = nat->nat_aps->aps_ackoff[sel];
 	} else {
-		if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
+		if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq))
 			i = nat->nat_aps->aps_seqoff[sel];
 	}
 	/*
@@ -781,6 +781,10 @@ int rv;
 		f->ftps_seq = ntohl(tcp->th_seq);
 	else {
 		inc = ntohl(tcp->th_seq) - f->ftps_seq;
+		if (inc < 0)
+			inc = -inc;
+		if (i < 0)
+			i = -i;
 		if (inc > i) {
 			return APR_ERR(1);
 		}

contrib/ipfilter/ip_h323_pxy.c

@@ -52,7 +52,7 @@ unsigned char *data;
 int datlen, *off;
 unsigned short *port;
 {
-	u_32_t addr;
+	u_32_t addr, netaddr;
 	u_char *dp;
 	int offset;
 
@@ -62,10 +62,11 @@ unsigned short *port;
 	*port = 0;
 	offset = *off;
 	dp = (u_char *)data;
+	netaddr = ntohl(ipaddr);
 
 	for (offset = 0; offset <= datlen - 6; offset++, dp++) {
 		addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
-		if (ipaddr == addr)
+		if (netaddr == addr)
 		{
 			*port = (*(dp + 4) << 8) | *(dp + 5);
 			break;

contrib/ipfilter/ip_nat.c

@@ -109,7 +109,7 @@ extern struct ifnet vpnif;
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $";
 #endif
 
 nat_t	**nat_table[2] = { NULL, NULL },
@@ -469,8 +469,12 @@ int mode;
 		}
 		for (np = &nat_list; (n = *np); np = &n->in_next)
 			if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
-					IPN_CMPSIZ))
+					IPN_CMPSIZ)) {
+				if (n->in_redir == NAT_REDIRECT &&
+				    n->in_pnext != nat->in_pnext)
+					continue;
 				break;
+			}
 	}
 
 	switch (cmd)

contrib/ipfilter/ip_proxy.c

@@ -75,7 +75,7 @@
 #endif
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $";
 #endif
 
 #if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@@ -122,7 +122,7 @@ aproxy_t	ap_proxies[] = {
 	  ippr_ipsec_match },
 #endif
 #ifdef	IPF_NETBIOS_PROXY
-	{ NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
+	{ NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
 	  NULL, NULL, NULL, ippr_netbios_out, NULL },
 #endif
 #ifdef  IPF_H323_PROXY
@@ -421,11 +421,14 @@ int inc;
 	int sel, ch = 0, out, nlen;
 	u_32_t seq1, seq2;
 	tcphdr_t *tcp;
+	short inc2;
 
 	tcp = (tcphdr_t *)fin->fin_dp;
 	out = fin->fin_out;
 	nlen = ip->ip_len;
 	nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+	inc2 = inc;
+	inc = (int)inc2;
 
 	if (out != 0) {
 		seq1 = (u_32_t)ntohl(tcp->th_seq);

contrib/ipfilter/ip_sfil.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $";
 #endif
 
 #include <sys/types.h>
@@ -61,7 +61,11 @@ int	fr_running = 0;
 int	ipl_unreach = ICMP_UNREACH_HOST;
 u_long	ipl_frouteok[2] = {0, 0};
 static	int	frzerostats __P((caddr_t));
+#if SOLARIS2 >= 7
+static	u_int	*ip_ttl_ptr;
+#else
 static	u_long	*ip_ttl_ptr;
+#endif
 
 static	int	frrequest __P((minor_t, int, caddr_t, int));
 static	int	send_ip __P((fr_info_t *fin, mblk_t *m));
@@ -196,6 +200,9 @@ int *rp;
 	if (IPL_LOGMAX < unit)
 		return ENXIO;
 
+	if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+		return ENODEV;
+
 	if (fr_running <= 0)
 		return 0;
 
@@ -422,7 +429,8 @@ caddr_t data;
 	 * Check that the group number does exist and that if a head group
 	 * has been specified, doesn't exist.
 	 */
-	if ((req != SIOCZRLST) && fp->fr_grhead &&
+	if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+	     (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
 	    fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
 		error = EEXIST;
 		goto out;

contrib/ipfilter/ip_state.c

@@ -93,7 +93,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $";
 #endif
 
 #ifndef	MIN
@@ -575,9 +575,9 @@ u_int flags;
 	register u_int hv;
 	struct icmp *ic;
 	ipstate_t ips;
+	int out, ws;
 	u_int pass;
 	void *ifp;
-	int out;
 
 	if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
 	    (fin->fin_misc & FM_BADSTATE))
@@ -691,8 +691,11 @@ u_int flags;
 			is->is_maxsend = is->is_send;
 
 			if ((tcp->th_flags & TH_SYN) &&
-			    ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
-				is->is_swscale = fr_tcpoptions(tcp);
+			    ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) {
+				ws = fr_tcpoptions(tcp);
+				if (ws >= 0)
+					is->is_swscale = ws;
+			}
 		}
 
 		is->is_maxdwin = 1;
@@ -900,6 +903,7 @@ tcphdr_t *tcp;
 		fdata->td_wscale = wscale;
 	else if (wscale == -2)
 		fdata->td_wscale = tdata->td_wscale = 0;
+	win <<= fdata->td_wscale;
 
 	if ((fdata->td_end == 0) &&
 	    (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
@@ -908,7 +912,9 @@ tcphdr_t *tcp;
 		 */
 		fdata->td_end = end;
 		fdata->td_maxwin = 1;
-		fdata->td_maxend = end + 1;
+		fdata->td_maxend = end + win;
+		if (win == 0)
+			fdata->td_maxend++;
 	}
 
 	if (!(tcp->th_flags & TH_ACK)) {  /* Pretend an ack was sent */
@@ -922,7 +928,6 @@ tcphdr_t *tcp;
 	if (seq == end)
 		seq = end = fdata->td_end;
 
-	win <<= fdata->td_wscale;
 	maxwin = tdata->td_maxwin;
 	ackskew = tdata->td_end - ack;
 
@@ -1457,7 +1462,7 @@ fr_info_t *fin;
 				rev = fin->fin_rev;
 				if (is->is_frage[rev] != 0)
 					is->is_age = is->is_frage[rev];
-				else if (fin->fin_rev)
+				else if (rev != 0)
 					is->is_age = fr_icmpacktimeout;
 				else
 					is->is_age = fr_icmptimeout;

contrib/ipfilter/ipf.c

@@ -50,7 +50,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $";
 #endif
 
 #if	SOLARIS
@@ -193,8 +193,11 @@ char *ipfdev;
 
 	if (!(opts & OPT_DONOTHING) && fd == -1)
 		if ((fd = open(ipfdev, O_RDWR)) == -1)
-			if ((fd = open(ipfdev, O_RDONLY)) == -1)
+			if ((fd = open(ipfdev, O_RDONLY)) == -1) {
 				perror("open device");
+				if (errno == ENODEV)
+					fprintf(stderr, "IPFilter enabled?\n");
+			}
 	return fd;
 }
 

contrib/ipfilter/ipfs.c

@@ -45,7 +45,7 @@
 #include "ipf.h"
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp $";
 #endif
 
 #ifndef	IPF_SAVEDIR
@@ -733,16 +733,16 @@ char *dirname;
 
 	devfd = opendevice(IPL_STATE);
 	if (devfd == -1)
-		return 1;
+		goto bad;
 	if (writestate(devfd, NULL))
-		return 1;
+		goto bad;
 	close(devfd);
 
 	devfd = opendevice(IPL_NAT);
 	if (devfd == -1)
-		return 1;
+		goto bad;
 	if (writenat(devfd, NULL))
-		return 1;
+		goto bad;
 	close(devfd);
 
 	if (setlock(fd, 0)) {
@@ -751,6 +751,11 @@ char *dirname;
 	}
 
 	return 0;
+
+bad:
+	setlock(fd, 0);
+	close(fd);
+	return 1;
 }
 
 

contrib/ipfilter/ipl.h

@@ -4,12 +4,12 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ipl.h	1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $
  */
 
 #ifndef	__IPL_H__
 #define	__IPL_H__
 
-#define	IPL_VERSION	"IP Filter: v3.4.27"
+#define	IPL_VERSION	"IP Filter: v3.4.28"
 
 #endif

contrib/ipfilter/ipmon.c

@@ -68,7 +68,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $";
 #endif
 
 
@@ -1252,14 +1252,15 @@ int main(argc, argv)
 int argc;
 char *argv[];
 {
-	struct	stat	sb;
-	FILE	*log = stdout;
-	int	fd[3], doread, n, i;
-	int	tr, nr, regular[3], c;
 	int	fdt[3], devices = 0, make_daemon = 0;
 	char	buf[IPLLOGSIZE], *iplfile[3], *s;
-	extern	int	optind;
+	int	fd[3], doread, n, i;
 	extern	char	*optarg;
+	extern	int	optind;
+	int	regular[3], c;
+	FILE	*log = stdout;
+	struct	stat	sb;
+	size_t	nr, tr;
 
 	fd[0] = fd[1] = fd[2] = -1;
 	fdt[0] = fdt[1] = fdt[2] = -1;

contrib/ipfilter/ipnat.c

@@ -60,7 +60,7 @@ extern	char	*sys_errlist[];
 
 #if !defined(lint)
 static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp $";
 #endif
 
 
@@ -175,6 +175,8 @@ char *argv[];
 		    ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
 			(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
 				STRERROR(errno));
+			if (errno == ENODEV)
+				fprintf(stderr, "IPFilter enabled?\n");
 			exit(1);
 		}
 		if (ioctl(fd, SIOCGNATS, &nsp) == -1) {

contrib/ipfilter/ipsend/ip_var.h

@@ -44,7 +44,7 @@ struct ipq {
  * Note: ipf_next must be at same offset as ipq_next above
  */
 struct	ipasfrag {
-#if defined(vax) || defined(i386)
+#if defined(vax) || defined(i386) || defined(__i386__)
 	u_char	ip_hl:4,
 		ip_v:4;
 #endif

contrib/ipfilter/ipt.c

@@ -64,7 +64,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c	1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp $";
 #endif
 
 extern	char	*optarg;
@@ -76,6 +76,7 @@ extern	ipnat_t	*natparse __P((char *, int));
 extern	int	fr_running;
 
 int	opts = 0;
+int	rremove = 0;
 int	use_inet6 = 0;
 int	main __P((int, char *[]));
 int	loadrules __P((char *));
@@ -111,7 +112,7 @@ char *argv[];
 	ipflog_init();
 	fr_running = 1;
 
-	while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
+	while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
 		switch (c)
 		{
 		case '6' :
@@ -163,6 +164,9 @@ char *argv[];
 		case 'P' :
 			r = &pcap;
 			break;
+		case 'R' :
+			rremove = 1;
+			break;
 		case 'S' :
 			r = &snoop;
 			break;
@@ -330,20 +334,44 @@ char *file;
 			if (!(fr = natparse(line, linenum)))
 				continue;
 
-			i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
-					      (caddr_t)&fr, FWRITE|FREAD);
-			if (opts & OPT_DEBUG)
-				fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
-					fr, i);
+			if (rremove == 0) {
+				i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
+						      (caddr_t)&fr,
+						      FWRITE|FREAD);
+				if (opts & OPT_DEBUG)
+					fprintf(stderr,
+						"iplioctl(ADNAT,%p,1) = %d\n",
+						fr, i);
+			} else {
+				i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
+						      (caddr_t)&fr,
+						      FWRITE|FREAD);
+				if (opts & OPT_DEBUG)
+					fprintf(stderr,
+						"iplioctl(RMNAT,%p,1) = %d\n",
+						fr, i);
+			}
 		} else {
 			if (!(fr = parse(line, linenum)))
 				continue;
 
-			i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
-					      FWRITE|FREAD);
-			if (opts & OPT_DEBUG)
-				fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
-					fr, i);
+			if (rremove == 0) {
+				i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
+						      (caddr_t)&fr,
+						      FWRITE|FREAD);
+				if (opts & OPT_DEBUG)
+					fprintf(stderr,
+						"iplioctl(ADAFR,%p,1) = %d\n",
+						fr, i);
+			} else {
+				i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
+						      (caddr_t)&fr,
+						      FWRITE|FREAD);
+				if (opts & OPT_DEBUG)
+					fprintf(stderr,
+						"iplioctl(RMAFR,%p,1) = %d\n",
+						fr, i);
+			}
 		}
 	}
 	(void)fclose(fp);

contrib/ipfilter/man/ipftest.1

@@ -4,7 +4,7 @@ ipftest \- test packet filter rules with arbitary input.
 .SH SYNOPSIS
 .B ipftest
 [
-.B \-vbdPSTEHX
+.B \-vbdPRSTEHX
 ] [
 .B \-I
 interface
@@ -76,6 +76,10 @@ The input file specified by \fB\-i\fP is a binary file produced using libpcap
 (i.e., tcpdump version 3).  Packets are read from this file as being input
 (for rule purposes).  An interface maybe specified using \fB\-I\fP.
 .TP
+.B \-R
+Remove rules rather than load them.  This is not a toggle option, so once
+set, it cannot be reset by further use of -R.
+.TP
 .B \-S
 The input file is to be in "snoop" format (see RFC 1761).  Packets are read
 from this file and used as input from any interface.  This is perhaps the
@@ -98,7 +102,12 @@ option combinations:
 .B \-H
 The input file is to be hex digits, representing the binary makeup of the
 packet.  No length correction is made, if an incorrect length is put in
-the IP header.
+the IP header.  A packet may be broken up over several lines of hex digits,
+a blank line indicating the end of the packet.  It is possible to specify
+both the interface name and direction of the packet (for filtering purposes)
+at the start of the line using this format: [direction,interface]  To define
+a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
+and part of the input syntax.
 .TP
 .B \-X
 The input file is composed of text descriptions of IP packets.

contrib/ipfilter/man/ipnat.4

@@ -31,7 +31,7 @@ being that the fd must be that of the device associated with the module
 (i.e., /dev/ipl).
 .LP
 .PP
-The strcture used with the NAT interface is described below:
+The structure used with the NAT interface is described below:
 .LP
 .nf
 typedef struct  ipnat   {

contrib/ipfilter/man/ipnat.5

@@ -19,17 +19,19 @@ mapit ::= "map" | "bimap" .
 fromto ::= "from" object "to" object .
 ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
 dstipmask ::= ipmask | "range" ip "-" ip .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+mapport ::= "portmap" tcpudp portspec .
 options ::= [ tcpudp ] [ rr ] .
 
-object  = addr [ port-comp | port-range ] .
-addr    = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
+object  :: = addr [ port-comp | port-range ] .
+addr    :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+port-comp :: = "port" compare port-num .
+port-range :: = "port" port-num range port-num .
 
 rr ::= "round-robin" .
+nummask = host-name [ "/" decnumber ] .
 tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
+portspec ::= "auto" | portnumber ":" portnumber .
+portnumber ::= number { numbers } .
 ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
 
 numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .

contrib/ipfilter/mlf_ipl.c

@@ -13,7 +13,11 @@
 
 #if defined(__FreeBSD__)
 # ifndef __FreeBSD_version
-#  include <sys/osreldate.h>
+#  ifdef IPFILTER_LKM
+#   include <osreldate.h>
+#  else
+#   include <sys/osreldate.h>
+#  endif
 # endif
 # ifdef	IPFILTER_LKM
 #  define	ACTUALLY_LKM_NOT_KERNEL

contrib/ipfilter/parse.c

@@ -147,7 +147,7 @@ int     linenum;
 				}
 				fil.fr_icode = j;
 			}
-		} else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
+		} else if (!strcasecmp(*(cpp+1), "return-rst")) {
 			fil.fr_flags |= FR_RETRST;
 			cpp++;
 		}

contrib/ipfilter/printnat.c

@@ -58,7 +58,7 @@ extern	char	*sys_errlist[];
 #endif
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.8 2002/04/25 16:44:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $";
 #endif
 
 
@@ -442,6 +442,12 @@ int opts;
 				printf("\n\tip modulous %d", np->in_pmax);
 		} else if (np->in_pmin || np->in_pmax) {
 			printf(" portmap");
+			if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+				printf(" tcp/udp");
+			else if (np->in_flags & IPN_TCP)
+				printf(" tcp");
+			else if (np->in_flags & IPN_UDP)
+				printf(" udp");
 			if (np->in_flags & IPN_AUTOPORTMAP) {
 				printf(" auto");
 				if (opts & OPT_DEBUG)
@@ -450,12 +456,6 @@ int opts;
 					       ntohs(np->in_pmax),
 					       np->in_ippip, np->in_ppip);
 			} else {
-				if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
-					printf(" tcp/udp");
-				else if (np->in_flags & IPN_TCP)
-					printf(" tcp");
-				else if (np->in_flags & IPN_UDP)
-					printf(" udp");
 				printf(" %d:%d", ntohs(np->in_pmin),
 				       ntohs(np->in_pmax));
 			}

contrib/ipfilter/test/Makefile

@@ -18,7 +18,7 @@ first:
 ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
 
 # Rule parsing tests
-ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
 
 ntests: n1 n2 n3 n4 n5 n6 n7
 
@@ -45,7 +45,7 @@ f15 f16:
 f17:
 	@/bin/sh ./mhtest $@
 
-i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
+i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12:
 	@/bin/sh ./itest $@
 
 n1 n2 n3 n4 n5 n6 n7:
@@ -65,7 +65,7 @@ ipv6.1 ipv6.2:
 
 clean:
 	/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17
-	/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+	/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
 	/bin/rm -f n1 n2 n3 n4 n5 n6 n7
 	/bin/rm -f ni1 ni2 ni3 ni4 ni5
 	/bin/rm -f in1 in2 in3 in4

contrib/ipfilter/test/expected/in1

@@ -7,9 +7,9 @@ map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp
 map le0 0.0.0.0/0 -> 0.0.0.0/32 frag