diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index d34c7b077d9a..bdb3d2f77a30 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -274,6 +274,16 @@ fr_info_t *fin;
 int minicmpsz = sizeof(struct icmp);
 icmphdr_t *icmp;
+ if (fin->fin_dlen > 1)
+ fin->fin_data[0] = *(u_short *)tcp;
+
+ if ((!(plen >= hlen + minicmpsz) && !off) ||
+ (off && off < sizeof(struct icmp))) {
+ fi->fi_fl |= FI_SHORT;
+ if (fin->fin_dlen < 2)
+ break;
+ }
+
 icmp = (icmphdr_t *)tcp;
 if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||
@@ -291,11 +301,6 @@ fr_info_t *fin;
 icmp->icmp_type == ICMP_MASKREPLY))
 minicmpsz = 12;
- if ((!(plen >= hlen + minicmpsz) && !off) ||
- (off && off < sizeof(struct icmp)))
- fi->fi_fl |= FI_SHORT;
- if (fin->fin_dlen > 1)
- fin->fin_data[0] = *(u_short *)tcp;
 break;
 }
 case IPPROTO_TCP :
@@ -740,6 +745,7 @@ int out;
 #ifdef _KERNEL
 mb_t *mc = NULL;
+ int p, len;
 # if !defined(__SVR4) && !defined(__svr4__)
 # ifdef __sgi
 char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
@@ -764,13 +770,26 @@ int out;
 }
 # endif /* CSUM_DELAY_DATA */
+# ifdef USE_INET6
+ if (v == 6) {
+ len = ntohs(((ip6_t*)ip)->ip6_plen);
+ p = ((ip6_t *)ip)->ip6_nxt;
+ } else
+# endif
+ {
+ p = ip->ip_p;
+ len = ip->ip_len;
+ }
- if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
- ip->ip_p == IPPROTO_ICMP)) {
+ if ((p == IPPROTO_TCP || p == IPPROTO_UDP || p == IPPROTO_ICMP
+# ifdef USE_INET6
+ || (v == 6 && p == IPPROTO_ICMPV6)
+# endif
+ )) {
 int plen = 0;
- if ((ip->ip_off & IP_OFFMASK) == 0)
- switch(ip->ip_p)
+ if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
+ switch(p)
 {
 case IPPROTO_TCP:
 plen = sizeof(tcphdr_t);
@@ -780,10 +799,13 @@ int out;
 break;
 /* 96 - enough for complete ICMP error IP header */
 case IPPROTO_ICMP:
+# ifdef USE_INET6
+ case IPPROTO_ICMPV6 :
+# endif
 plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
 break;
 }
- up = MIN(hlen + plen, ip->ip_len);
+ up = MIN(hlen + plen, len);
 if (up > m->m_len) {
 # ifdef __sgi
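Review bot: Hoisting the FI_SHORT test above the type-specific adjustments means it now always runs while `minicmpsz` still equals `sizeof(struct icmp)` (the full structure, which embeds the quoted IP header), so the `minicmpsz = 12` assignment left behind in the second hunk, and its siblings for echo and timestamp, no longer influence the flag at all; a well-formed minimal echo or mask reply is therefore marked short where the removed lines did not do so. The only thing the reordering actually needs is that the `icmp->icmp_type` dereferences see at least two bytes, which the new `fin_dlen < 2` check already provides. I would keep just `if (fin->fin_dlen < 2) { fi->fi_fl |= FI_SHORT; break; }` ahead of `icmp = (icmphdr_t *)tcp;` and put the removed two-line length comparison back after the last `minicmpsz` assignment, where the second hunk deletes it. The enclosing switch case starts outside the hunk.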
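Review bot: `len` does not mean the same thing on the two sides of the new `#ifdef USE_INET6`: `ip->ip_len` counts the IPv4 header, while `ip6_plen` is the payload length excluding the fixed IPv6 header, yet both values feed `up = MIN(hlen + plen, len)` in the following hunk. For v6 the pull-up target can therefore come out smaller than the header bytes the code goes on to read. If `hlen` here is the IPv6 header length, `len = hlen + ntohs(((ip6_t *)ip)->ip6_plen);` makes the two branches comparable; whether `ip->ip_len` is already in host byte order at this point is not visible in the hunk, and the v4 branch depends on it. The enclosing function starts and ends outside the hunk.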
@@ -830,8 +852,8 @@ int out;
 ip->ip_id = ntohs(ip->ip_id);
 changed = 0;
- fin->fin_v = v;
 fin->fin_ifp = ifp;
+ fin->fin_v = v;
 fin->fin_out = out;
 fin->fin_mp = mp;
 fr_makefrip(hlen, ip, fin);
@@ -1376,7 +1398,7 @@ tcphdr_t *tcp;
 * SUCH DAMAGE.
 *
 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.20 2000/08/13 04:15:43 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.26 2000/10/24 11:58:17 darrenr Exp $
 */
 /*
 * Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1855,7 +1877,7 @@ size_t c;
 int err;
 #if SOLARIS
- if (copyin(a, &ca, sizeof(ca)))
+ if (copyin(a, (char *)&ca, sizeof(ca)))
 return EFAULT;
 #else
 bcopy(a, &ca, sizeof(ca));
@@ -1875,7 +1897,7 @@ size_t c;
 int err;
 #if SOLARIS
- if (copyin(b, &ca, sizeof(ca)))
+ if (copyin(b, (char *)&ca, sizeof(ca)))
 return EFAULT;
 #else
 bcopy(b, &ca, sizeof(ca));
@@ -1969,6 +1991,15 @@ friostat_t *fiop;
 fiop->f_acctin6[1] = ipacct6[0][1];
 fiop->f_acctout6[0] = ipacct6[1][0];
 fiop->f_acctout6[1] = ipacct6[1][1];
+#else
+ fiop->f_fin6[0] = NULL;
+ fiop->f_fin6[1] = NULL;
+ fiop->f_fout6[0] = NULL;
+ fiop->f_fout6[1] = NULL;
+ fiop->f_acctin6[0] = NULL;
+ fiop->f_acctin6[1] = NULL;
+ fiop->f_acctout6[0] = NULL;
+ fiop->f_acctout6[1] = NULL;
 #endif
 fiop->f_active = fr_active;
 fiop->f_froute[0] = ipl_frouteok[0];
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 9b645da7e064..ebc67a366feb 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -692,7 +692,7 @@ int blen;
 p = (u_short)ip->ip_p;
 s = (u_32_t *)&ip->ip_src;
 d = (u_32_t *)&ip->ip_dst;
- plen = ntohs(ip->ip_len);
+ plen = ip->ip_len;
 } else {
 goto printipflog;
 }
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index b281c36a0fbc..dfef858d5dd8 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
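Review bot: The new `#else` branch in the friostat hunk deserves a comment saying why it exists, because on its own it reads as busywork: if `friostat_t` is the structure handed back to userland through SIOCGETFS, as ipf.4 in this same change documents, leaving the IPv6 members unassigned when USE_INET6 is off would return whatever those bytes happened to hold, and if the structure is built on the kernel stack that is kernel memory. Something like `/* no INET6: still fill these so the struct copied out by SIOCGETFS carries no stale memory */` above `fiop->f_fin6[0] = NULL;` would record the intent. A more robust alternative is to clear the whole structure once at the top of the function, `bzero((char *)fiop, sizeof(*fiop));`, so members added later are covered as well; the function's start is outside the hunk.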
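Review bot: Dropping `ntohs()` in `plen = ip->ip_len;` in the ipmon.c hunk changes the byte-order contract between the kernel logger and ipmon without recording it; on a little-endian host a log record that still carries the header as received would now print a byte-swapped length. The kernel side in fil.c uses `ip->ip_len` without conversion in this same diff, which suggests host order is intended, but the code that writes the log record is not in view. A comment at the assignment such as `/* ip_len arrives in host byte order from the kernel logger */` would pin the assumption for the next reader. The enclosing function continues outside the hunk.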
@@ -12,33 +12,33 @@ To add and delete rules to the filter list, three 'basic' ioctls are provided
 for use. The ioctl's are called as:
 .LP
 .nf
- ioctl(fd, SIOCADDFR, struct frentry *)
- ioctl(fd, SIOCDELFR, struct frentry *)
+ ioctl(fd, SIOCADDFR, struct frentry **)
+ ioctl(fd, SIOCDELFR, struct frentry **)
 ioctl(fd, SIOCIPFFL, int *)
 .fi
 .PP
 However, the full complement is as follows:
 .LP
 .nf
- ioctl(fd, SIOCADAFR, struct frentry *) (same as SUICADDFR)
- ioctl(fd, SIOCRMAFR, struct frentry *) (same as SUICDELFR)
- ioctl(fd, SIOCADIFR, struct frentry *)
- ioctl(fd, SIOCRMIFR, struct frentry *)
- ioctl(fd, SIOCINAFR, struct frentry *)
- ioctl(fd, SIOCINIFR, struct frentry *)
+ ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
+ ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
+ ioctl(fd, SIOCADIFR, struct frentry **)
+ ioctl(fd, SIOCRMIFR, struct frentry **)
+ ioctl(fd, SIOCINAFR, struct frentry **)
+ ioctl(fd, SIOCINIFR, struct frentry **)
 ioctl(fd, SIOCSETFF, u_int *)
 ioctl(fd, SIOGGETFF, u_int *)
- ioctl(fd, SIOCGETFS, struct friostat *)
+ ioctl(fd, SIOCGETFS, struct friostat **)
 ioctl(fd, SIOCIPFFL, int *)
 ioctl(fd, SIOCIPFFB, int *)
 ioctl(fd, SIOCSWAPA, u_int *)
 ioctl(fd, SIOCFRENB, u_int *)
 ioctl(fd, SIOCFRSYN, u_int *)
- ioctl(fd, SIOCFRZST, struct friostat *)
- ioctl(fd, SIOCZRLST, struct frentry *)
- ioctl(fd, SIOCAUTHW, struct fr_info *)
- ioctl(fd, SIOCAUTHR, struct fr_info *)
- ioctl(fd, SIOCATHST, struct fr_authstat *)
+ ioctl(fd, SIOCFRZST, struct friostat **)
+ ioctl(fd, SIOCZRLST, struct frentry **)
+ ioctl(fd, SIOCAUTHW, struct fr_info **)
+ ioctl(fd, SIOCAUTHR, struct fr_info **)
+ ioctl(fd, SIOCATHST, struct fr_authstat **)
 .fi
 .PP
 The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
@@ -108,7 +108,7 @@ filter list, the number of the rule which it is to be inserted before must be
 put in the "fr_hits" field (the first rule is number 0).
 .LP
 .PP
-Flags which are recognised in fr_pass:
+Flags which are recognised in fr_flags:
 .nf
 FR_BLOCK 0x000001 /* do not allow packet to pass */
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index d9e99923931d..bc84d6d8af03 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -32,7 +32,7 @@ proto = "proto" protocol .
 ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
 group = [ "head" decnumber ] [ "group" decnumber ] .
-block = "block" [ icmp[return-code] | "return-rst" ] .
+block = "block" [ return-icmp[return-code] | "return-rst" ] .
 auth = "auth" | "preauth" .
 log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
 call = "call" [ "now" ] function-name .
@@ -43,7 +43,7 @@ protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
 srcdst = "all" | fromto .
 fromto = "from" [ "!" ] object "to" [ "!" ] object .
-icmp = "return-icmp" | "return-icmp-as-dest" .
+return-icmp = "return-icmp" | "return-icmp-as-dest" .
 object = addr [ port-comp | port-range ] .
 addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
 port-comp = "port" compare port-num .
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index dbe9dc6dc0cb..076c2766be86 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -150,7 +150,7 @@ show the packet data in hex.
 show the log header record data in hex.
 .SH DIAGNOSTICS
 \fBipmon\fP expects data that it reads to be consistent with how it should be
-saved and will abort if it fails an assertion which detects an anomoly in the
+saved and will abort if it fails an assertion which detects an anomaly in the
 recorded data.
 .SH FILES
 /dev/ipl
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index cde26396fce8..095e4e5e1904 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -16,8 +16,10 @@ To add and delete rules to the NAT list, two 'basic' ioctls are provided
 for use. The ioctl's are called as:
 .LP
 .nf
- ioctl(fd, SIOCADNAT, struct ipnat *)
- ioctl(fd, SIOCRMNAT, struct ipnat *)
+ ioctl(fd, SIOCADNAT, struct ipnat **)
+ ioctl(fd, SIOCRMNAT, struct ipnat **)
+ ioctl(fd, SIOCGNATS, struct natstat **)
+ ioctl(fd, SIOCGNATL, struct natlookup **)
 .fi
 .PP
 Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT