Import IPFilter 3.4.28

2002-06-07 08:58:22 +00:00 · 2002-06-07 08:58:22 +00:00 · aafab58b58
commit aafab58b58
parent 635ff71d68
11 changed files with 80 additions and 36 deletions
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@ -97,7 +97,7 @@

 #if !defined(lint)
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $";
 #endif

 #ifndef	_KERNEL
@ -1501,7 +1501,7 @@ tcphdr_t *tcp;
 * SUCH DAMAGE.
 *
 *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
 */
 /*
 * Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1616,7 +1616,6 @@ frgroup_t ***fgpp;
 		fgp = &ipfgroups[0][set];
 	else
 		return NULL;
-	num &= 0xffff;

 	while ((fg = *fgp))
 		if (fg->fg_num == num)
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@ -104,7 +104,7 @@ extern struct ifqueue   ipintrq;		/* ip packet input queue */
 #endif

 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $";
 #endif


@ -615,7 +615,10 @@ void fr_authexpire()
 		} else
 			faep = &fae->fae_next;
 	}
-	ipauth = &fae_list->fae_fr;
+	if (fae_list != NULL)
+		ipauth = &fae_list->fae_fr;
+	else
+		ipauth = NULL;

 	for (frp = &fr_authlist; (fr = *frp); ) {
 		if (fr->fr_ref == 1) {
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_compat.h	1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $
 */

 #ifndef	__IP_COMPAT_H__
@ -213,7 +213,11 @@ typedef	 int	minor_t;
 #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
 # include <sys/param.h>
 # ifndef __FreeBSD_version
-#  include <sys/osreldate.h>
+#  ifdef IPFILTER_LKM
+#   include <osreldate.h>
+#  else
+#   include <sys/osreldate.h>
+#  endif
 # endif
 # ifdef IPFILTER_LKM
 #  define       ACTUALLY_LKM_NOT_KERNEL
--- a/sys/contrib/ipfilter/netinet/ip_fil.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil.c
@ -120,7 +120,7 @@ extern	int	ip_optcopy __P((struct ip *, struct ip *));

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $";
 #endif


@ -643,6 +643,9 @@ int mode;
 	unit = dev;
 #endif

+	if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+		return ENODEV;
+
 	SPL_NET(s);

 	if (unit == IPL_LOGNAT) {
@ -887,7 +890,8 @@ caddr_t data;
 	 * Check that the group number does exist and that if a head group
 	 * has been specified, doesn't exist.
 	 */
-	if ((req != SIOCZRLST) && fp->fr_grhead &&
+	if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+	     (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
 	    fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
 		return EEXIST;
 	if ((req != SIOCZRLST) && fp->fr_group &&
@ -1221,13 +1225,18 @@ fr_info_t *fin;
 struct mbuf **mp;
 {
 	struct mbuf *m = *mp;
-	char *dpsave;
-	int error;
+	int error, hlen;
+	fr_info_t frn;
 	ip_t *ip;

-	dpsave = fin->fin_dp;
+	bzero((char *)&frn, sizeof(frn));
+	frn.fin_ifp = fin->fin_ifp;
+	frn.fin_v = fin->fin_v;
+	frn.fin_out = fin->fin_out;
+	frn.fin_mp = fin->fin_mp;

 	ip = mtod(m, ip_t *);
+	hlen = sizeof(*ip);

 	ip->ip_v = fin->fin_v;
 	if (ip->ip_v == 4) {
@ -1242,21 +1251,24 @@ struct mbuf **mp;
 		ip->ip_ttl = ip_defttl;
 # endif
 		ip->ip_sum = 0;
-		fin->fin_dp = (char *)(ip + 1);
+		frn.fin_dp = (char *)(ip + 1);
 	}
 # ifdef	USE_INET6
 	else if (ip->ip_v == 6) {
 		ip6_t *ip6 = (ip6_t *)ip;

+		hlen = sizeof(*ip6);
 		ip6->ip6_hlim = 127;
-		fin->fin_dp = (char *)(ip6 + 1);
+		frn.fin_dp = (char *)(ip6 + 1);
 	}
 # endif
 # ifdef	IPSEC
 	m->m_pkthdr.rcvif = NULL;
 # endif
-	error = ipfr_fastroute(m, mp, fin, NULL);
-	fin->fin_dp = dpsave;
+
+	fr_makefrip(hlen, ip, &frn);
+
+	error = ipfr_fastroute(m, mp, &frn, NULL);
 	return error;
 }

@ -1563,6 +1575,9 @@ frdest_t *fdp;
 	/*
 	 * Route packet.
 	 */
+#ifdef	__sgi
+	ROUTE_RDLOCK();
+#endif
 	bzero((caddr_t)ro, sizeof (*ro));
 	dst = (struct sockaddr_in *)&ro->ro_dst;
 	dst->sin_family = AF_INET;
@ -1599,6 +1614,11 @@ frdest_t *fdp;
 # else
 	rtalloc(ro);
 # endif
+
+#ifdef	__sgi
+	ROUTE_UNLOCK();
+#endif
+
 	if (!ifp) {
 		if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
 			error = -2;
@ -2098,7 +2118,7 @@ int code;
 fr_info_t *fin;
 int dst;
 {
-	verbose("- ICMP UNREACHABLE RST sent\n");
+	verbose("- ICMP UNREACHABLE sent\n");
 	return 0;
 }

--- a/sys/contrib/ipfilter/netinet/ip_fil.h
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_fil.h	1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $
 */

 #ifndef	__IP_FIL_H__
@ -508,6 +508,7 @@ extern	int	send_reset __P((ip_t *, fr_info_t *));
 extern	int	send_icmp_err __P((ip_t *, int, fr_info_t *, int));
 extern	int	ipf_log __P((void));
 extern	struct	ifnet *get_unit __P((char *, int));
+extern	int	mbuflen __P((mb_t *));
 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
 	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
 extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
--- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
@ -2,7 +2,7 @@
 * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
 * code.
 *
- * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $
 */
 #if SOLARIS && defined(_KERNEL)
 extern	kmutex_t	ipf_rw;
@ -766,10 +766,10 @@ int rv;
 	i = 0;
 	sel = nat->nat_aps->aps_sel[1 - rv];
 	if (rv) {
-		if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
+		if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq))
 			i = nat->nat_aps->aps_ackoff[sel];
 	} else {
-		if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
+		if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq))
 			i = nat->nat_aps->aps_seqoff[sel];
 	}
 	/*
@ -781,6 +781,10 @@ int rv;
 		f->ftps_seq = ntohl(tcp->th_seq);
 	else {
 		inc = ntohl(tcp->th_seq) - f->ftps_seq;
+		if (inc < 0)
+			inc = -inc;
+		if (i < 0)
+			i = -i;
 		if (inc > i) {
 			return APR_ERR(1);
 		}
--- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c
@ -52,7 +52,7 @@ unsigned char *data;
 int datlen, *off;
 unsigned short *port;
 {
-	u_32_t addr;
+	u_32_t addr, netaddr;
 	u_char *dp;
 	int offset;

@ -62,10 +62,11 @@ unsigned short *port;
 	*port = 0;
 	offset = *off;
 	dp = (u_char *)data;
+	netaddr = ntohl(ipaddr);

 	for (offset = 0; offset <= datlen - 6; offset++, dp++) {
 		addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
-		if (ipaddr == addr)
+		if (netaddr == addr)
 		{
 			*port = (*(dp + 4) << 8) | *(dp + 5);
 			break;
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@ -109,7 +109,7 @@ extern struct ifnet vpnif;

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $";
 #endif

 nat_t	**nat_table[2] = { NULL, NULL },
@ -469,8 +469,12 @@ int mode;
 		}
 		for (np = &nat_list; (n = *np); np = &n->in_next)
 			if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
-					IPN_CMPSIZ))
+					IPN_CMPSIZ)) {
+				if (n->in_redir == NAT_REDIRECT &&
+				    n->in_pnext != nat->in_pnext)
+					continue;
 				break;
+			}
 	}

 	switch (cmd)
--- a/sys/contrib/ipfilter/netinet/ip_proxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.c
@ -75,7 +75,7 @@
 #endif

 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $";
 #endif

 #if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@ -122,7 +122,7 @@ aproxy_t	ap_proxies[] = {
 	  ippr_ipsec_match },
 #endif
 #ifdef	IPF_NETBIOS_PROXY
-	{ NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
+	{ NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
 	  NULL, NULL, NULL, ippr_netbios_out, NULL },
 #endif
 #ifdef  IPF_H323_PROXY
@ -421,11 +421,14 @@ int inc;
 	int sel, ch = 0, out, nlen;
 	u_32_t seq1, seq2;
 	tcphdr_t *tcp;
+	short inc2;

 	tcp = (tcphdr_t *)fin->fin_dp;
 	out = fin->fin_out;
 	nlen = ip->ip_len;
 	nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+	inc2 = inc;
+	inc = (int)inc2;

 	if (out != 0) {
 		seq1 = (u_32_t)ntohl(tcp->th_seq);
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@ -93,7 +93,7 @@

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $";
 #endif

 #ifndef	MIN
@ -575,9 +575,9 @@ u_int flags;
 	register u_int hv;
 	struct icmp *ic;
 	ipstate_t ips;
+	int out, ws;
 	u_int pass;
 	void *ifp;
-	int out;

 	if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
 	    (fin->fin_misc & FM_BADSTATE))
@ -691,8 +691,11 @@ u_int flags;
 			is->is_maxsend = is->is_send;

 			if ((tcp->th_flags & TH_SYN) &&
-			    ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
-				is->is_swscale = fr_tcpoptions(tcp);
+			    ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) {
+				ws = fr_tcpoptions(tcp);
+				if (ws >= 0)
+					is->is_swscale = ws;
+			}
 		}

 		is->is_maxdwin = 1;
@ -900,6 +903,7 @@ tcphdr_t *tcp;
 		fdata->td_wscale = wscale;
 	else if (wscale == -2)
 		fdata->td_wscale = tdata->td_wscale = 0;
+	win <<= fdata->td_wscale;

 	if ((fdata->td_end == 0) &&
 	    (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
@ -908,7 +912,9 @@ tcphdr_t *tcp;
 		 */
 		fdata->td_end = end;
 		fdata->td_maxwin = 1;
-		fdata->td_maxend = end + 1;
+		fdata->td_maxend = end + win;
+		if (win == 0)
+			fdata->td_maxend++;
 	}

 	if (!(tcp->th_flags & TH_ACK)) {  /* Pretend an ack was sent */
@ -922,7 +928,6 @@ tcphdr_t *tcp;
 	if (seq == end)
 		seq = end = fdata->td_end;

-	win <<= fdata->td_wscale;
 	maxwin = tdata->td_maxwin;
 	ackskew = tdata->td_end - ack;

@ -1457,7 +1462,7 @@ fr_info_t *fin;
 				rev = fin->fin_rev;
 				if (is->is_frage[rev] != 0)
 					is->is_age = is->is_frage[rev];
-				else if (fin->fin_rev)
+				else if (rev != 0)
 					is->is_age = fr_icmpacktimeout;
 				else
 					is->is_age = fr_icmptimeout;
--- a/sys/contrib/ipfilter/netinet/ipl.h
+++ b/sys/contrib/ipfilter/netinet/ipl.h
@ -4,12 +4,12 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ipl.h	1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $
 */

 #ifndef	__IPL_H__
 #define	__IPL_H__

-#define	IPL_VERSION	"IP Filter: v3.4.27"
+#define	IPL_VERSION	"IP Filter: v3.4.28"

 #endif