diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 7cbd4478665f..4b45a0a538f5 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -6,7 +6,7 @@ # to the original author and the contributors. # # $FreeBSD$ -# Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp +# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin @@ -135,6 +135,7 @@ all: @echo "freebsd3 - compile for FreeBSD-3.x" @echo "freebsd4 - compile for FreeBSD-4.x" @echo "freebsd5 - compile for FreeBSD-5.x" + @echo "freebsd6 - compile for FreeBSD-6.x" @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" @@ -187,7 +188,7 @@ freebsd22: include fi make freebsd20 -freebsd5: include +freebsd5 freebsd6: include if [ x$(INET6) = x ] ; then \ echo "#undef INET6" > opt_inet6.h; \ else \ diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c index 730e6f83d3df..9291163f62ca 100644 --- a/contrib/ipfilter/bpf_filter.c +++ b/contrib/ipfilter/bpf_filter.c @@ -42,7 +42,7 @@ #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL)) static const char rcsid[] = - "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)"; + "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)"; #endif #include 
@@ -468,9 +468,10 @@ bpf_filter(pc, p, wirelen, buflen) /* * Return true if the 'fcode' is a valid filter program. * The constraints are that each jump be forward and to a valid - * code. The code must terminate with either an accept or reject. - * 'valid' is an array for use by the routine (it must be at least - * 'len' bytes long). + * code, that memory accesses are within valid ranges (to the + * extent that this can be checked statically; loads of packet + * data have to be, and are, also checked at run time), and that + * the code terminates with either an accept or reject. * * The kernel needs to be able to verify an application's filter code. * Otherwise, a bogus program could easily crash the system. 
@@ -480,38 +481,114 @@ bpf_validate(f, len) struct bpf_insn *f; int len; { - register int i; - register struct bpf_insn *p; + u_int i, from; + const struct bpf_insn *p; + + if (len == 0) + return 1; + + if (len < 1 || len > BPF_MAXINSNS) + return 0; for (i = 0; i < len; ++i) { - /* - * Check that that jumps are forward, and within - * the code block. - */ p = &f[i]; - if (BPF_CLASS(p->code) == BPF_JMP) { - register int from = i + 1; - - if (BPF_OP(p->code) == BPF_JA) { - if (from + p->k >= (unsigned)len) - return 0; - } - else if (from + p->jt >= len || from + p->jf >= len) - return 0; - } + switch (BPF_CLASS(p->code)) { /* * Check that memory operations use valid addresses. */ - if ((BPF_CLASS(p->code) == BPF_ST || - (BPF_CLASS(p->code) == BPF_LD && - (p->code & 0xe0) == BPF_MEM)) && - (p->k >= BPF_MEMWORDS || p->k < 0)) - return 0; - /* - * Check for constant division by 0. - */ - if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0) + case BPF_LD: + case BPF_LDX: + switch (BPF_MODE(p->code)) { + case BPF_IMM: + break; + case BPF_ABS: + case BPF_IND: + case BPF_MSH: + /* + * More strict check with actual packet length + * is done runtime. + */ +#if 0 + if (p->k >= bpf_maxbufsize) + return 0; +#endif + break; + case BPF_MEM: + if (p->k >= BPF_MEMWORDS) + return 0; + break; + case BPF_LEN: + break; + default: + return 0; + } + break; + case BPF_ST: + case BPF_STX: + if (p->k >= BPF_MEMWORDS) + return 0; + break; + case BPF_ALU: + switch (BPF_OP(p->code)) { + case BPF_ADD: + case BPF_SUB: + case BPF_OR: + case BPF_AND: + case BPF_LSH: + case BPF_RSH: + case BPF_NEG: + break; + case BPF_DIV: + /* + * Check for constant division by 0. + */ + if (BPF_RVAL(p->code) == BPF_K && p->k == 0) + return 0; + default: + return 0; + } + break; + case BPF_JMP: + /* + * Check that jumps are within the code block, + * and that unconditional branches don't go + * backwards as a result of an overflow. 
+ * Unconditional branches have a 32-bit offset, + * so they could overflow; we check to make + * sure they don't. Conditional branches have + * an 8-bit offset, and the from address is <= + * BPF_MAXINSNS, and we assume that BPF_MAXINSNS + * is sufficiently small that adding 255 to it + * won't overflow. + * + * We know that len is <= BPF_MAXINSNS, and we + * assume that BPF_MAXINSNS is < the maximum size + * of a u_int, so that i + 1 doesn't overflow. + */ + from = i + 1; + switch (BPF_OP(p->code)) { + case BPF_JA: + if (from + p->k < from || from + p->k >= len) + return 0; + break; + case BPF_JEQ: + case BPF_JGT: + case BPF_JGE: + case BPF_JSET: + if (from + p->jt >= len || from + p->jf >= len) + return 0; + break; + default: + return 0; + } + break; + case BPF_RET: + break; + case BPF_MISC: + break; + default: return 0; + } } return BPF_CLASS(f[len - 1].code) == BPF_RET; } diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index a4ec02c3dc51..2bb4f5a517f4 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $"; #endif #ifndef SOLARIS @@ -138,7 +138,7 @@ struct rtentry; #include "md5.h" -#if !defined(__osf__) +#if !defined(__osf__) && !defined(__linux__) extern struct protosw inetsw[]; #endif 
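Review bot: In the `BPF_ALU` switch of bpf_validate(), `case BPF_DIV:` has no `break;` after the constant-zero test, so control falls into `default: return 0;` and every divide instruction is rejected, not only division by a constant zero. Adding `break;` after the `if` fixes this; the current behaviour fails closed, so valid filters are refused rather than unsafe ones accepted. `BPF_MUL` is also absent from the accepted list, which looks unintended. The zero test uses `BPF_RVAL()`, the return-value selector, where the ALU source selector is `BPF_SRC()`. With the usual bpf.h masks (assumed, not shown on this page) `BPF_RVAL(p->code) == BPF_K` cannot be true for a DIV opcode, so once the `break;` is in place the guard should read `if (BPF_SRC(p->code) == BPF_K && p->k == 0) return 0;`.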
@@ -718,13 +718,45 @@ frdest_t *fdp; { struct ifnet *ifp = fdp->fd_ifp; ip_t *ip = fin->fin_ip; + int error = 0; + frentry_t *fr; + void *sifp; if (!ifp) return 0; /* no routing table out here */ - ip->ip_len = htons((u_short)ip->ip_len); - ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); + fr = fin->fin_fr; ip->ip_sum = 0; + + if (fin->fin_out == 0) { + sifp = fin->fin_ifp; + fin->fin_ifp = ifp; + fin->fin_out = 1; + (void) fr_acctpkt(fin, NULL); + fin->fin_fr = NULL; + if (!fr || !(fr->fr_flags & FR_RETMASK)) { + u_32_t pass; + + (void) fr_checkstate(fin, &pass); + } + + switch (fr_checknatout(fin, NULL)) + { + case 0 : + break; + case 1 : + ip->ip_sum = 0; + break; + case -1 : + error = -1; + goto done; + break; + } + + fin->fin_ifp = sifp; + fin->fin_out = 0; + } + #if defined(__sgi) && (IRIX < 60500) (*ifp->if_output)(ifp, (void *)ip, NULL); # if TRU64 >= 1885 @@ -733,7 +765,8 @@ frdest_t *fdp; (*ifp->if_output)(ifp, (void *)m, NULL, 0); # endif #endif - return 0; +done: + return error; } diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index a492eaad7395..25401c45f963 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $ + * $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $ */ #ifndef __IPF_H__ @@ -184,7 +184,6 @@ extern struct ipopt_names v6ionames[]; extern int addicmp __P((char ***, struct frentry *, int)); extern int addipopt __P((char *, struct ipopt_names *, int, char *)); extern int addkeep __P((char ***, struct frentry *, int)); -extern int bcopywrap __P((void *, void *, size_t)); extern void binprint __P((void *, size_t)); extern void initparse __P((void)); extern u_32_t buildopts __P((char *, char *, int)); diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 65266513fb29..34a980ff61ff 100644 
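Review bot: The `case -1 :` arm of the `fr_checknatout()` switch jumps to `done:` without undoing the temporary changes made at the top of the `if (fin->fin_out == 0)` block, so on that path the caller's `fin` comes back with `fin_out == 1` and `fin_ifp` still pointing at the output interface. Restore both before leaving, for example by putting `fin->fin_ifp = sifp; fin->fin_out = 0;` ahead of the `goto done;`. `fin->fin_fr` is also set to NULL and never set back to `fr` on any path; if callers read it after this function returns (not visible in the hunk), it needs restoring too. The function's signature and the platform-specific output calls lie outside the hunk.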
--- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y @@ -6,7 +6,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp + * Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $ * $FreeBSD$ */ @@ -1649,7 +1649,7 @@ void *ptr; for (sto = toipopts; sto->sto_st; sto++) if (sto->sto_st == state) break; - if (!sto || !sto->sto_st) { + if (!sto->sto_st) { fprintf(stderr, "No mapping for state %d to IP option\n", state); return; diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h index e297e10d6330..afee1f4fb3f7 100644 --- a/contrib/ipfilter/ipmon.h +++ b/contrib/ipfilter/ipmon.h @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $ + * $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $ */ @@ -94,3 +94,4 @@ extern int load_config __P((char *)); extern void dumphex __P((FILE *, int, char *, int)); extern int check_action __P((char *, char *, int, int)); extern char *getword __P((int)); +extern int fac_findname __P((char *)); diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c index 6d4f83d2bbf6..a724ba5dbfeb 100644 --- a/contrib/ipfilter/ipsd/sbpf.c +++ b/contrib/ipfilter/ipsd/sbpf.c @@ -11,6 +11,9 @@ #include #include #include +#ifdef __NetBSD__ +# include +#endif #include #include #include @@ -123,8 +126,18 @@ int tout; struct bpf_version bv; struct timeval to; struct ifreq ifr; +#ifdef _PATH_BPF + char *bpfname = _PATH_BPF; + int fd; + + if ((fd = open(bpfname, O_RDWR)) < 0) + { + fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); + return -1; + } +#else char bpfname[16]; - int fd, i; + int fd = -1, i; for (i = 0; i < 16; i++) { @@ -137,6 +150,7 @@ int tout; fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); return -1; } +#endif if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 9994db8f67eb..06191ec054b9 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -6,7 +6,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -155,6 +155,8 @@ struct in_addr gwip; int wfd; wfd = initdevice(dev, 5); + if (wfd == -1) + return -1; return send_packet(wfd, mtu, ip, gwip); } diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index 90cbd62ddeee..ea358df36516 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -8,10 +8,18 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $"; #endif #include #include +#if defined(__NetBSD__) && defined(__vax__) +/* + * XXX need to declare boolean_t for _KERNEL + * which ends up including for vax. See PR#32907 + * for further details. + */ +typedef int boolean_t; +#endif #include #if !defined(__osf__) # define _KERNEL @@ -136,7 +144,10 @@ int ptest; u->uh_ulen = htons(sizeof(*u) + 4); ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen); len = ip->ip_len; + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -470,11 +481,14 @@ int ptest; int nfd; u_char *s; - s = (u_char *)(ip + 1); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; IP_HL_A(ip, 6); ip->ip_len = IP_HL(ip) << 2; + s = (u_char *)(ip + 1); s[IPOPT_OPTVAL] = IPOPT_NOP; s++; if (!ptest || (ptest == 1)) { 
@@ -574,7 +588,10 @@ int ptest; ip->ip_sum = 0; ip->ip_len = sizeof(*ip) + sizeof(*icp); icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2)); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -773,7 +790,10 @@ int ptest; u->uh_sport = htons(1); u->uh_dport = htons(1); u->uh_ulen = htons(sizeof(*u) + 4); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -936,7 +956,10 @@ int ptest; t->th_seq = htonl(1); t->th_ack = 0; ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); + nfd = initdevice(dev, 1); + if (nfd == -1) + return; if (!ptest || (ptest == 1)) { /* @@ -1281,6 +1304,9 @@ int ptest; u->uh_sum = 0; nfd = initdevice(dev, 1); + if (nfd == -1) + return; + u->uh_ulen = htons(7168); printf("6. Exhaustive mbuf test.\n"); @@ -1350,6 +1376,9 @@ int ptest; u_char *s; nfd = initdevice(dev, 1); + if (nfd == -1) + return; + pip = (ip_t *)tbuf; srand(time(NULL) ^ (getpid() * getppid())); diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c index 27cc37e1d08b..a76bbbb15221 100644 --- a/contrib/ipfilter/ipsend/lsock.c +++ b/contrib/ipfilter/ipsend/lsock.c @@ -8,7 +8,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -227,6 +227,8 @@ struct in_addr gwip; ti->ti_sport = lsin.sin_port; printf("sport %d\n", ntohs(lsin.sin_port)); nfd = initdevice(dev, 0); + if (nfd == -1) + return -1; if (!(s = find_tcp(fd, ti))) return -1; diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index 9290693855fe..da5c2bfb03ee 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c 
@@ -8,7 +8,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $"; #endif #include #include @@ -81,6 +81,9 @@ char *datain; ip_t *ip; int fd, wfd = initdevice(dev, 5), len, i; + if (wfd == -1) + return -1; + if (datain) fd = (*r->r_open)(datain); else @@ -101,6 +104,7 @@ char *datain; if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1)) { perror("arp"); + free(eh); return -2; } @@ -137,5 +141,6 @@ char *datain; } } (*r->r_close)(); + free(eh); return 0; } diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c index 78b75b3157d9..b8778c669167 100644 --- a/contrib/ipfilter/ipsend/sbpf.c +++ b/contrib/ipfilter/ipsend/sbpf.c @@ -37,6 +37,9 @@ #include #include #include +#ifdef __NetBSD__ +# include +#endif #include #include #include @@ -45,7 +48,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $"; #endif /* @@ -62,6 +65,16 @@ int tout; struct bpf_version bv; struct timeval to; struct ifreq ifr; +#ifdef _PATH_BPF + char *bpfname = _PATH_BPF; + int fd; + + if ((fd = open(bpfname, O_RDWR)) < 0) + { + fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); + return -1; + } +#else char bpfname[16]; int fd = 0, i; @@ -76,6 +89,7 @@ int tout; fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); return -1; } +#endif if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index 8c7bfcc5fd50..f6edbd2d148f 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c 
@@ -7,12 +7,20 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $"; #endif #include #include #include #include +#if defined(__NetBSD__) && defined(__vax__) +/* + * XXX need to declare boolean_t for _KERNEL + * which ends up including for vax. See PR#32907 + * for further details. + */ +typedef int boolean_t; +#endif #ifndef ultrix #include #endif @@ -302,28 +310,33 @@ struct tcpiphdr *ti; } #endif + o = NULL; + f = NULL; + s = NULL; + i = NULL; + t = NULL; + o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1)); if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n", (u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o)); - return NULL; + goto finderror; } f = (struct file *)calloc(1, sizeof(*f)); if (KMCPY(f, o[tfd], sizeof(*f)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n", (u_long)o[tfd], (u_long)f, (u_long)sizeof(*f)); - return NULL; + goto finderror; } s = (struct socket *)calloc(1, sizeof(*s)); if (KMCPY(s, f->f_data, sizeof(*s)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n", - (u_long)f->f_data, (u_long)s, - (u_long)sizeof(*s)); - return NULL; + (u_long)f->f_data, (u_long)s, (u_long)sizeof(*s)); + goto finderror; } i = (struct inpcb *)calloc(1, sizeof(*i)); @@ -331,7 +344,7 @@ struct tcpiphdr *ti; { fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n", (u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i)); - return NULL; + goto finderror; } t = (struct tcpcb *)calloc(1, sizeof(*t)); 
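Review bot: None of the `calloc()` results in find_tcp() (`o`, `f`, `s`, `i`, `t`) is checked before the pointer is passed to `KMCPY()` as the destination, so an allocation failure turns into a copy through NULL instead of a clean error return. Since this change already introduces the `finderror` label, each allocation can use it, e.g. `if (o == NULL) goto finderror;` and likewise for the other four. `tfd` is set outside the hunk; `o[tfd]` is only in bounds if it does not exceed `fd->fd_lastfile`, which cannot be confirmed from the lines shown.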
@@ -339,9 +352,22 @@ struct tcpiphdr *ti; { fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n", (u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t)); - return NULL; + goto finderror; } return (struct tcpcb *)i->inp_ppcb; + +finderror: + if (o != NULL) + free(o); + if (f != NULL) + free(f); + if (s != NULL) + free(s); + if (i != NULL) + free(i); + if (t != NULL) + free(t); + return NULL; } #endif /* BSD < 199301 */ @@ -383,7 +409,10 @@ struct in_addr gwip; (void) getsockname(fd, (struct sockaddr *)&lsin, &len); ti->ti_sport = lsin.sin_port; printf("sport %d\n", ntohs(lsin.sin_port)); + nfd = initdevice(dev, 1); + if (nfd == -1) + return -1; if (!(t = find_tcp(fd, ti))) return -1; diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h index 958c46518691..f3074a8dc9b9 100644 --- a/contrib/ipfilter/ipt.h +++ b/contrib/ipfilter/ipt.h @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp $ + * $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $ */ #ifndef __IPT_H__ diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c index 884da7ba84d2..39b6fd4e8e46 100644 --- a/contrib/ipfilter/lib/addicmp.c +++ b/contrib/ipfilter/lib/addicmp.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $ + * $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $ */ #include 
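Review bot: The new `finderror:` cleanup runs only on failure; the success path `return (struct tcpcb *)i->inp_ppcb;` still returns without freeing `o`, `f`, `s`, `i` and `t`, so every successful lookup leaks all five buffers. Save the result first and share the cleanup, for example `ret = (struct tcpcb *)i->inp_ppcb;` just before the label and `return ret;` after the frees, with `ret` initialised to NULL. The `!= NULL` guards in front of each `free()` are unnecessary, since `free(NULL)` is a no-op.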
@@ -19,76 +19,3 @@ char *icmptypes[MAX_ICMPTYPE + 1] = { "routersol", "timex", "paramprob", "timest", "timestrep", "inforeq", "inforep", "maskreq", "maskrep", "END" }; - -/* - * set the icmp field to the correct type if "icmp" word is found - */ -int addicmp(cp, fp, linenum) -char ***cp; -struct frentry *fp; -int linenum; -{ - char **t; - int i; - - (*cp)++; - if (!**cp) - return -1; - if (!fp->fr_proto) /* to catch lusers */ - fp->fr_proto = IPPROTO_ICMP; - if (ISDIGIT(***cp)) { - if (!ratoi(**cp, &i, 0, 255)) { - fprintf(stderr, - "%d: Invalid icmp-type (%s) specified\n", - linenum, **cp); - return -1; - } - } else { - for (t = icmptypes, i = 0; ; t++, i++) { - if (!*t) - continue; - if (!strcasecmp("END", *t)) { - i = -1; - break; - } - if (!strcasecmp(*t, **cp)) - break; - } - if (i == -1) { - fprintf(stderr, - "%d: Unknown icmp-type (%s) specified\n", - linenum, **cp); - return -1; - } - } - fp->fr_icmp = (u_short)(i << 8); - fp->fr_icmpm = (u_short)0xff00; - (*cp)++; - if (!**cp) - return 0; - - if (**cp && strcasecmp("code", **cp)) - return 0; - (*cp)++; - if (ISDIGIT(***cp)) { - if (!ratoi(**cp, &i, 0, 255)) { - fprintf(stderr, - "%d: Invalid icmp code (%s) specified\n", - linenum, **cp); - return -1; - } - } else { - i = icmpcode(**cp); - if (i == -1) { - fprintf(stderr, - "%d: Unknown icmp code (%s) specified\n", - linenum, **cp); - return -1; - } - } - i &= 0xff; - fp->fr_icmp |= (u_short)i; - fp->fr_icmpm = (u_short)0xffff; - (*cp)++; - return 0; -} diff --git a/contrib/ipfilter/lib/addkeep.c b/contrib/ipfilter/lib/addkeep.c deleted file mode 100644 index 2ec8dde62d54..000000000000 --- a/contrib/ipfilter/lib/addkeep.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: addkeep.c,v 1.12 2003/12/01 01:59:42 darrenr Exp $ - */ - -#include "ipf.h" - - -/* - * Parses "keep state" and "keep frags" stuff on the end of a line. - */ -int addkeep(cp, fp, linenum) -char ***cp; -struct frentry *fp; -int linenum; -{ - char *s; - - (*cp)++; - if (!**cp) { - fprintf(stderr, "%d: Missing state/frag after keep\n", - linenum); - return -1; - } - - if (!strcasecmp(**cp, "state")) { - fp->fr_flags |= FR_KEEPSTATE; - (*cp)++; - if (**cp && !strcasecmp(**cp, "limit")) { - (*cp)++; - fp->fr_statemax = atoi(**cp); - (*cp)++; - } - if (**cp && !strcasecmp(**cp, "scan")) { - (*cp)++; - if (!strcmp(**cp, "*")) { - fp->fr_isc = NULL; - fp->fr_isctag[0] = '\0'; - } else { - strncpy(fp->fr_isctag, **cp, - sizeof(fp->fr_isctag)); - fp->fr_isctag[sizeof(fp->fr_isctag)-1] = '\0'; - fp->fr_isc = NULL; - } - (*cp)++; - } else - fp->fr_isc = (struct ipscan *)-1; - } else if (!strncasecmp(**cp, "frag", 4)) { - fp->fr_flags |= FR_KEEPFRAG; - (*cp)++; - } else if (!strcasecmp(**cp, "state-age")) { - if (fp->fr_ip.fi_p == IPPROTO_TCP) { - fprintf(stderr, "%d: cannot use state-age with tcp\n", - linenum); - return -1; - } - if ((fp->fr_flags & FR_KEEPSTATE) == 0) { - fprintf(stderr, "%d: state-age with no 'keep state'\n", - linenum); - return -1; - } - (*cp)++; - if (!**cp) { - fprintf(stderr, "%d: state-age with no arg\n", - linenum); - return -1; - } - fp->fr_age[0] = atoi(**cp); - s = strchr(**cp, '/'); - if (s != NULL) { - s++; - fp->fr_age[1] = atoi(s); - } else - fp->fr_age[1] = fp->fr_age[0]; - } else { - fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n", - linenum, **cp); - return -1; - } - return 0; -} diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c index a1f9f6bec571..a9bae6dce68e 100644 --- a/contrib/ipfilter/lib/facpri.c +++ b/contrib/ipfilter/lib/facpri.c 
@@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $ + * $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $ */ #include @@ -22,7 +22,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $"; #endif @@ -81,13 +81,13 @@ fac_toname(facpri) fac = facpri & LOG_FACMASK; j = fac >> 3; - if (j < 24) { + if (j < (sizeof(facs)/sizeof(facs[0]))) { if (facs[j].value == fac) return facs[j].name; - for (i = 0; facs[i].name; i++) - if (fac == facs[i].value) - return facs[i].name; } + for (i = 0; facs[i].name; i++) + if (fac == facs[i].value) + return facs[i].name; return NULL; } @@ -96,11 +96,11 @@ fac_toname(facpri) /* * map a facility name to its number */ -int +int fac_findname(name) char *name; { - int i; + int i; for (i = 0; facs[i].name; i++) if (!strcmp(facs[i].name, name)) @@ -118,22 +118,6 @@ table_t pris[] = { }; -/* - * map a priority name to its number - */ -int -pri_findname(name) - char *name; -{ - int i; - - for (i = 0; pris[i].name; i++) - if (!strcmp(pris[i].name, name)) - return pris[i].value; - return -1; -} - - /* * map a priority number to its name */ diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c index 99e1d4f62600..51c39b1bd3b1 100644 --- a/contrib/ipfilter/lib/getport.c +++ b/contrib/ipfilter/lib/getport.c 
@@ -20,6 +20,33 @@ u_short *port; return -1; } + /* + * Some people will use port names in rules without specifying + * either TCP or UDP because it is implied by the group head. + * If we don't know the protocol, then the best we can do here is + * to take either only the TCP or UDP mapping (if one or the other + * is missing) or make sure both of them agree. + */ + if (fr->fr_proto == 0) { + s = getservbyname(name, "tcp"); + if (s != NULL) + p1 = s->s_port; + else + p1 = 0; + s = getservbyname(name, "udp"); + if (s != NULL) { + if (p1 != s->s_port) + return -1; + } + if ((p1 == 0) && (s == NULL)) + return -1; + if (p1) + *port = p1; + else + *port = s->s_port; + return 0; + } + if ((fr->fr_flx & FI_TCPUDP) != 0) { /* * If a rule is "tcp/udp" then check that both TCP and UDP diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c index ac4501d01ba2..864fac178bbc 100644 --- a/contrib/ipfilter/lib/icmpcode.c +++ b/contrib/ipfilter/lib/icmpcode.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $ + * $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $ */ #include @@ -22,28 +22,3 @@ char *icmpcodes[MAX_ICMPCODE + 1] = { "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", NULL }; - -/* - * Return the number for the associated ICMP unreachable code. - */ -int icmpcode(str) -char *str; -{ - char *s; - int i, len; - - if ((s = strrchr(str, ')'))) - *s = '\0'; - if (ISDIGIT(*str)) { - if (!ratoi(str, &i, 0, 255)) - return -1; - else - return i; - } - len = strlen(str); - for (i = 0; icmpcodes[i]; i++) - if (!strncasecmp(str, icmpcodes[i], MIN(len, - strlen(icmpcodes[i])) )) - return i; - return -1; -} diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c index 17bc6de67a4e..36d89be2f388 100644 --- a/contrib/ipfilter/lib/ipft_tx.c 
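Review bot: In the new `fr->fr_proto == 0` block a service that exists only for UDP is rejected, contrary to the comment above it: when the TCP lookup fails `p1` is 0, and `if (p1 != s->s_port) return -1;` then fires for any UDP entry with a non-zero port. The comparison should apply only when both lookups succeeded, e.g. `if (p1 != 0 && p1 != s->s_port) return -1;`. As written, the final `else *port = s->s_port;` is effectively unreachable for real services. The outcome is a rejected rule rather than a wrong port, but it makes protocol-less rules naming a UDP-only service unparseable. The start of the function is outside the hunk.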
+++ b/contrib/ipfilter/lib/ipft_tx.c @@ -5,11 +5,11 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $ + * $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $"; #endif #include @@ -75,36 +75,15 @@ int *resolved; static u_short tx_portnum(name) char *name; { - struct servent *sp, *sp2; - u_short p1 = 0; + struct servent *sp; if (ISDIGIT(*name)) return (u_short)atoi(name); - if (!tx_proto) - tx_proto = "tcp/udp"; - if (strcasecmp(tx_proto, "tcp/udp")) { - sp = getservbyname(name, tx_proto); - if (sp) - return ntohs(sp->s_port); - (void) fprintf(stderr, "unknown service \"%s\".\n", name); - return 0; - } - sp = getservbyname(name, "tcp"); + sp = getservbyname(name, tx_proto); if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n", - name); - return 0; - } - if (p1 != sp2->s_port) { - (void) fprintf(stderr, "%s %d/tcp is a different port to ", - name, p1); - (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port); - return 0; - } - return ntohs(p1); + return ntohs(sp->s_port); + (void) fprintf(stderr, "unknown service \"%s\".\n", name); + return 0; } diff --git a/contrib/ipfilter/lib/make_range.c b/contrib/ipfilter/lib/make_range.c deleted file mode 100644 index 716cc5a74cac..000000000000 --- a/contrib/ipfilter/lib/make_range.c +++ /dev/null 
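Review bot: With the `if (!tx_proto) tx_proto = "tcp/udp";` default removed from tx_portnum(), `getservbyname(name, tx_proto)` may now be called with a NULL protocol (assuming `tx_proto`, declared outside the hunk, can still be unset here), and a NULL protocol matches an entry for any protocol. That silently replaces the old check that the TCP and UDP ports agree, so a name whose two ports differ resolves to whichever entry is found first. If this is intended, a comment on the call would record it, e.g. `/* tx_proto may be NULL: getservbyname() then matches any protocol */`.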
@@ -1,26 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: make_range.c,v 1.2 2002/05/18 07:27:52 darrenr Exp $ - */ -#include "ipf.h" - - -alist_t *make_range(not, a1, a2) -int not; -struct in_addr a1, a2; -{ - alist_t *a; - - a = (alist_t *)calloc(1, sizeof(*a)); - if (a != NULL) { - a->al_1 = a1.s_addr; - a->al_2 = a2.s_addr; - a->al_not = not; - } - return a; -} diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c index 7b5c3c60511b..7f18318866d8 100644 --- a/contrib/ipfilter/lib/optprint.c +++ b/contrib/ipfilter/lib/optprint.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: optprint.c,v 1.6 2002/07/13 15:59:49 darrenr Exp $ + * $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $ */ #include "ipf.h" @@ -25,6 +25,10 @@ u_long optmsk, optbits; if ((io->on_value != IPOPT_SECURITY) || (!secmsk && !secbits)) { printf("%s%s", s, io->on_name); + /* + * Because the ionames table has this entry + * twice. + */ if (io->on_value == IPOPT_SECURITY) io++; s = ","; diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c index fb267950340d..6ad81e135566 100644 --- a/contrib/ipfilter/lib/printfr.c +++ b/contrib/ipfilter/lib/printfr.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printfr.c,v 1.43.2.15 2005/11/14 17:45:06 darrenr Exp $ + * $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $ */ #include "ipf.h" 
@@ -122,20 +122,6 @@ ioctlfunc_t iocfunc; printf("pass"); else if (FR_ISBLOCK(fp->fr_flags)) { printf("block"); - if (fp->fr_flags & FR_RETICMP) { - if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP) - printf(" return-icmp-as-dest"); - else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP) - printf(" return-icmp"); - if (fp->fr_icode) { - if (fp->fr_icode <= MAX_ICMPCODE) - printf("(%s)", - icmpcodes[(int)fp->fr_icode]); - else - printf("(%d)", fp->fr_icode); - } - } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) - printf(" return-rst"); } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { printlog(fp); } else if (FR_ISACCOUNT(fp->fr_flags)) @@ -151,6 +137,20 @@ ioctlfunc_t iocfunc; else { printf("%x", fp->fr_flags); } + if (fp->fr_flags & FR_RETICMP) { + if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP) + printf(" return-icmp-as-dest"); + else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP) + printf(" return-icmp"); + if (fp->fr_icode) { + if (fp->fr_icode <= MAX_ICMPCODE) + printf("(%s)", + icmpcodes[(int)fp->fr_icode]); + else + printf("(%d)", fp->fr_icode); + } + } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) + printf(" return-rst"); if (fp->fr_flags & FR_OUTQUE) printf(" out "); diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c index 31399204c7fb..dd18e981f673 100644 --- a/contrib/ipfilter/lib/printlog.c +++ b/contrib/ipfilter/lib/printlog.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printlog.c,v 1.6.4.1 2005/11/14 17:45:06 darrenr Exp $ + * $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $ */ #include "ipf.h" @@ -28,14 +28,11 @@ frentry_t *fp; if (fp->fr_loglevel != 0xffff) { printf(" level "); s = fac_toname(fp->fr_loglevel); - if (s == NULL) + if (s == NULL || *s == '\0') s = "!!!"; u = pri_toname(fp->fr_loglevel); - if (u == NULL) + if (u == NULL || *u == '\0') u = "!!!"; - if (*s) - printf("%s.%s", s, u); - else - printf("%s", u); + printf("%s.%s", s, u); } } 
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 44ef53a3271c..2a35d16b970a 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -9,6 +9,8 @@ ipmon \- monitors /dev/ipl for logged packets ] [ .B "\-N " ] [ +.B "\-L " +] [ .B "\-o [NSI]" ] [ .B "\-O [NSI]" @@ -73,7 +75,7 @@ In order for \fBipmon\fP to properly work, the kernel option \fBIPFILTER_LOG\fP must be turned on in your kernel. Please see \fBoptions(4)\fP for more details. .LP -\fBipmon\fP reopns its log file(s) and rereads its configuration file +\fBipmon\fP reopens its log file(s) and rereads its configuration file when it receives a SIGHUP signal. .SH OPTIONS .TP @@ -102,6 +104,9 @@ for normal IP Filter log records. Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP +.B \-L +Using this option allows you to change the default syslog facility that +ipmon uses for syslog messages. The default is local0. .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c index c2d3eaf1ea76..e0c69edef048 100644 --- a/contrib/ipfilter/radix.c +++ b/contrib/ipfilter/radix.c @@ -139,7 +139,7 @@ struct radix_node *rn_addmask __P((int, int, void *)); * node as high in the tree as we can go. * * The present version of the code makes use of normal routes in short- - * circuiting an explict mask and compare operation when testing whether + * circuiting an explicit mask and compare operation when testing whether * a key satisfies a normal route, and also in remembering the unique leaf * that governs a subtree. */ diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c index fcf000f75915..471cc736506a 100644 --- a/contrib/ipfilter/samples/proxy.c +++ b/contrib/ipfilter/samples/proxy.c 
@@ -57,7 +57,6 @@ char *argv[]; struct sockaddr_in sin, sloc, sout; ipfobj_t obj; natlookup_t natlook; - natlookup_t *natlookp = &natlook; char buffer[512]; int namelen, fd, n; diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c index 53c4c5af9bda..b923f580f67f 100644 --- a/contrib/ipfilter/tools/ipf.c +++ b/contrib/ipfilter/tools/ipf.c @@ -21,7 +21,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $"; #endif #if !defined(__SVR4) && defined(__GNUC__) @@ -198,7 +198,7 @@ static void closedevice() static int get_flags() { - int i; + int i = 0; if ((opendevice(ipfname, 1) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) { diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y index 302b9cc0f876..5a24592b3173 100644 --- a/contrib/ipfilter/tools/ipf_y.y +++ b/contrib/ipfilter/tools/ipf_y.y @@ -81,6 +81,10 @@ static struct wordtab logwords[33]; union i6addr m; } ipp; union i6addr ip6; + struct { + char *if1; + char *if2; + } ifs; }; %type portnum @@ -93,6 +97,7 @@ static struct wordtab logwords[33]; %type servicename name interfacename %type portrange portcomp %type addrlist poollist +%type onname %token YY_NUMBER YY_HEX %token YY_STR @@ -101,7 +106,7 @@ static struct wordtab logwords[33]; %token YY_RANGE_OUT YY_RANGE_IN %token YY_IPV6 -%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL +%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST %token IPFY_IN IPFY_OUT %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA @@ -178,7 +183,7 @@ line: xx rule { while ((fr = frtop) != NULL) { | YY_COMMENT ; -xx: { newrule(); } +xx: { newrule(); } ; assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); 
@@ -257,6 +262,7 @@ collection: action: block | IPFY_PASS { fr->fr_flags |= FR_PASS; } + | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; } | log | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } | auth @@ -286,7 +292,7 @@ log: IPFY_LOG { fr->fr_flags |= FR_LOG; } ; auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; } - | IPFY_AUTH IPFY_RETRST { fr->fr_flags |= (FR_AUTH|FR_RETRST);} + | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;} | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; } ; @@ -467,18 +473,41 @@ quick: ; on: IPFY_ON onname + | IPFY_ON lstart onlist lend | IPFY_ON onname IPFY_INVIA vianame | IPFY_ON onname IPFY_OUTVIA vianame ; +onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \ + sizeof(fr->fr_ifnames[0])); \ + if ($1.if2 != NULL) { \ + strncpy(fr->fr_ifnames[1], \ + $1.if2, \ + sizeof(fr->fr_ifnames[1]));\ + } \ + ) } + | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \ + sizeof(fr->fr_ifnames[0])); \ + if ($3.if2 != NULL) { \ + strncpy(fr->fr_ifnames[1], \ + $3.if2, \ + sizeof(fr->fr_ifnames[1]));\ + } \ + ) } + ; + onname: interfacename { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); + $$.if1 = fr->fr_ifnames[0]; + $$.if2 = NULL; free($1); } | interfacename ',' interfacename { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); + $$.if1 = fr->fr_ifnames[0]; free($1); strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); + $$.if1 = fr->fr_ifnames[1]; free($3); } ; @@ -1027,7 +1056,8 @@ codelist: icmpcode { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) } | codelist lmore icmpcode - { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) } + { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \ + fr->fr_icmpm |= htons(0xff);) } ; age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ 
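Review bot: In the two-interface alternative of `onname` (hunk `@@ -467,18 +473,41 @@`) the second added assignment writes `$$.if1` again, so `$$.if2` is never set and `if1` ends up pointing at `fr->fr_ifnames[1]`. The new `onlist` actions then test `$1.if2 != NULL` and `$3.if2 != NULL` on an uninitialised pointer. The line after the second `strncpy` should read `$$.if2 = fr->fr_ifnames[1];`. Separately, `if1` and `if2` point into the current rule's own `fr_ifnames` buffers, so the `strncpy(fr->fr_ifnames[0], $1.if1, ...)` in `onlist` can copy a buffer onto itself, which is undefined for `strncpy`; whether `DOREM` ever visits that same `fr` is not visible in the hunk.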
@@ -1087,7 +1117,11 @@ stateopt: | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } - age; + | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ + fr->fr_age[1] = $2;) } + | IPFY_AGE YY_NUMBER '/' YY_NUMBER + { DOALL(fr->fr_age[0] = $2; \ + fr->fr_age[1] = $4;) } ; portnum: @@ -1445,6 +1479,7 @@ static struct wordtab ipfwords[95] = { { "newisn", IPFY_NEWISN }, { "no", IPFY_NO }, { "no-icmp-err", IPFY_NOICMPERR }, + { "nomatch", IPFY_NOMATCH }, { "now", IPFY_NOW }, { "not", IPFY_NOT }, { "oow", IPFY_OOW }, @@ -1753,18 +1788,6 @@ static frentry_t *addrule() ; count = nrules; - if (count == 0) { - f = (frentry_t *)calloc(sizeof(*f), 1); - added++; - f2->fr_next = f; - bcopy(f2, f, sizeof(*f)); - if (f2->fr_caddr != NULL) { - f->fr_caddr = malloc(f->fr_dsize); - bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize); - } - f->fr_next = NULL; - return f; - } f = f2; for (f1 = frc; count > 0; count--, f1 = f1->fr_next) { f->fr_next = (frentry_t *)calloc(sizeof(*f), 1); @@ -2035,7 +2058,7 @@ void *ptr; del = SIOCRMAFR; } - if (fr && (opts & OPT_OUTQUE)) + if ((opts & OPT_OUTQUE) != 0) fr->fr_flags |= FR_OUTQUE; if (fr->fr_hits) fr->fr_hits--; diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c index a16e87bab445..da80da8032a3 100644 --- a/contrib/ipfilter/tools/ipfcomp.c +++ b/contrib/ipfilter/tools/ipfcomp.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $"; #endif #include "ipf.h" @@ -1224,7 +1224,7 @@ frgroup_t *grp; char *instr; group = grp->fg_name; - dogrp = 0; + dogrp = *group ? 1 : 0; if (in && out) { fprintf(stderr, diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c index a587a4261628..a89ea0b0ab55 100644 
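Review bot: Dropping the `fr &&` test in the `@@ -2035,7 +2058,7 @@` hunk leaves no NULL check on `fr` in the visible lines, while both `fr->fr_flags |= FR_OUTQUE;` and the following `if (fr->fr_hits)` dereference it. The function receives a `void *ptr` and starts outside the hunk, so whether `fr` is validated earlier cannot be confirmed here. If it is not, an explicit early return on `fr == NULL` states the contract better than the partial check that was removed. The same guard removal appears in `ipnat_y.y` (`@@ -784,7 +821,7 @@`), where `printnat(ipn, opts)` is now reached without the `ipn &&` test.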
--- a/contrib/ipfilter/tools/ipfs.c +++ b/contrib/ipfilter/tools/ipfs.c @@ -460,21 +460,19 @@ char *file; i = read(sfd, &ips, sizeof(ips)); if (i == -1) { perror("read"); - close(sfd); - return 1; + goto freeipshead; } if (i == 0) break; if (i != sizeof(ips)) { fprintf(stderr, "state:incomplete read: %d != %d\n", i, (int)sizeof(ips)); - close(sfd); - return 1; + goto freeipshead; } is = (ipstate_save_t *)malloc(sizeof(*is)); - if(!is) { + if (is == NULL) { fprintf(stderr, "malloc failed\n"); - return 1; + goto freeipshead; } bcopy((char *)&ips, (char *)is, sizeof(ips)); @@ -512,7 +510,7 @@ char *file; obj.ipfo_size = sizeof(*is); obj.ipfo_type = IPFOBJ_STATESAVE; - for (is = ipshead; is; is = is->ips_next) { + while ((is = ipshead) != NULL) { if (opts & OPT_VERBOSE) printf("Loading new state table entry\n"); if (is->ips_is.is_flags & SI_NEWFR) { @@ -524,7 +522,7 @@ char *file; if (!(opts & OPT_DONOTHING)) if (ioctl(fd, SIOCSTPUT, &obj)) { perror("SIOCSTPUT"); - return 1; + goto freeipshead; } if (is->ips_is.is_flags & SI_NEWFR) { @@ -534,9 +532,21 @@ char *file; if (is1->ips_rule == (frentry_t *)&is->ips_rule) is1->ips_rule = is->ips_rule; } + + ipshead = is->ips_next; + free(is); } return 0; + +freeipshead: + while ((is = ipshead) != NULL) { + ipshead = is->ips_next; + free(is); + } + if (sfd != -1) + close(sfd); + return 1; } @@ -575,21 +585,21 @@ char *file; i = read(nfd, &ipn, sizeof(ipn)); if (i == -1) { perror("read"); - close(nfd); - return 1; + goto freenathead; } if (i == 0) break; if (i != sizeof(ipn)) { fprintf(stderr, "nat:incomplete read: %d != %d\n", i, (int)sizeof(ipn)); - close(nfd); - return 1; + goto freenathead; } in = (nat_save_t *)malloc(ipn.ipn_dsize); - if (!in) - break; + if (in == NULL) { + fprintf(stderr, "nat:cannot malloc nat save atruct\n"); + goto freenathead; + } if (ipn.ipn_dsize > sizeof(ipn)) { n = ipn.ipn_dsize - sizeof(ipn); 
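Review bot: The new `freeipshead:` exit closes `sfd` whenever it is not -1, and it is now also the target of the `SIOCSTPUT` failure inside the load loop. The code between the read loop and the load loop is outside these hunks; if `sfd` is closed there without being reset, that failure path closes the descriptor a second time and can hit an unrelated descriptor opened in between. Adding `sfd = -1;` directly after the earlier `close(sfd)` keeps the cleanup label safe on every path. The `freenathead:` label added for the NAT loader has the same shape with `nfd`.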
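Review bot: `ipn.ipn_dsize` is read from the save file and passed to `malloc()` without a range check in the `@@ -575,21 +585,21 @@` hunk. The only comparison visible is `ipn.ipn_dsize > sizeof(ipn)` for the trailing read, so a value smaller than `sizeof(ipn)` yields a buffer shorter than the header; if the header is later copied into `in` (that code is outside the hunk) the copy overruns the allocation. Reject the record before allocating, for example `if (ipn.ipn_dsize < sizeof(ipn)) goto freenathead;`, and consider an upper bound as well so a corrupt file cannot request an arbitrary allocation. The new error string also has a typo: `atruct` should be `struct`.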
@@ -602,8 +612,7 @@ char *file; fprintf(stderr, "nat:incomplete read: %d != %d\n", i, n); - close(nfd); - return 1; + goto freenathead; } } } @@ -645,7 +654,7 @@ char *file; obj.ipfo_rev = IPFILTER_VERSION; obj.ipfo_type = IPFOBJ_NATSAVE; - for (in = ipnhead; in; in = in->ipn_next) { + while ((in = ipnhead) != NULL) { if (opts & OPT_VERBOSE) printf("Loading new NAT table entry\n"); nat = &in->ipn_nat; @@ -670,9 +679,21 @@ char *file; if (in1->ipn_rule == &in->ipn_fr) in1->ipn_rule = nat->nat_fr; } + + ipnhead = in->ipn_next; + free(in); } return 0; + +freenathead: + while ((in = ipnhead) != NULL) { + ipnhead = in->ipn_next; + free(in); + } + if (nfd != -1) + close(nfd); + return 1; } diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c index 8cf03edc8cd3..85eba20dbb1e 100644 --- a/contrib/ipfilter/tools/ipfstat.c +++ b/contrib/ipfilter/tools/ipfstat.c @@ -70,7 +70,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.13 2005/10/17 17:26:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $"; #endif #ifdef __hpux @@ -925,8 +925,6 @@ ips_stat_t *ipsp; ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss); - PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull); PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c index bbc8bbf5bbf8..3b99a0bd919e 100644 --- a/contrib/ipfilter/tools/ipftest.c +++ b/contrib/ipfilter/tools/ipftest.c 
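Review bot: The `goto freenathead;` that replaces `close(nfd); return 1;` in the `@@ -602,8 +612,7 @@` hunk runs after `in` has been allocated, and `freenathead` only walks `ipnhead`. The code that links `in` onto that list is outside the hunk; if the link happens after the trailing read, this path leaks the current record. In that case the fix is `free(in);` immediately before the `goto`.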
@@ -12,7 +12,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.7 2005/12/07 08:29:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $"; #endif extern char *optarg; @@ -212,7 +212,7 @@ char *argv[]; ip = MTOD(m, ip_t *); while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf), &iface, &dir)) > 0) { - if (iface == NULL || *iface == '\0') + if ((iface == NULL) || (*iface == '\0')) iface = ifname; ifp = get_unit(iface, IP_V(ip)); if (!use_inet6) { @@ -799,6 +799,6 @@ ip_t *ip; } if (hdr != NULL) { *csump = 0; - *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr); + *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len); } } diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c index ec76acaa7b3c..fea09f35fbf2 100644 --- a/contrib/ipfilter/tools/ipmon.c +++ b/contrib/ipfilter/tools/ipmon.c @@ -78,7 +78,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $"; #endif @@ -191,6 +191,7 @@ static char *conf_file = NULL; #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 #endif +int logfac = LOGFAC; static icmp_subtype_t icmpunreachnames[] = { @@ -650,10 +651,10 @@ int len; if (j && !(j & 0xf)) { *t++ = '\n'; *t = '\0'; - if (!(dopts & OPT_SYSLOG)) - fputs(hline, log); - else + if ((dopts & OPT_SYSLOG)) syslog(LOG_INFO, "%s", hline); + else if (log != NULL) + fputs(hline, log); t = (u_char *)hline; *t = '\0'; } 
@@ -686,11 +687,12 @@ int len; *t++ = '\n'; *t = '\0'; } - if (!(dopts & OPT_SYSLOG)) { + if ((dopts & OPT_SYSLOG) != 0) + syslog(LOG_INFO, "%s", hline); + else if (log != NULL) { fputs(hline, log); fflush(log); - } else - syslog(LOG_INFO, "%s", hline); + } } @@ -784,7 +786,7 @@ int blen; *t++ = '\0'; if (opts & OPT_SYSLOG) syslog(LOG_INFO, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); } @@ -901,7 +903,7 @@ int blen; *t++ = '\0'; if (opts & OPT_SYSLOG) syslog(LOG_INFO, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); } @@ -1032,12 +1034,7 @@ int blen; (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); t += strlen(t); #endif -#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \ - defined(__arm__) - if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0')) -#else - if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0')) -#endif + if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0')) strcat(t, " @-1:"); else if (ipf->fl_group[0] == '\0') (void) strcpy(t, " @0:"); @@ -1307,8 +1304,9 @@ printipflog: if (defaction == 0) { if (opts & OPT_SYSLOG) syslog(lvl, "%s", line); - else + else if (log != NULL) (void) fprintf(log, "%s", line); + if (opts & OPT_HEXHDR) dumphex(log, opts, buf, sizeof(iplog_t) + sizeof(*ipf)); @@ -1371,11 +1369,12 @@ FILE *log; (void) close(fd); if (flushed) { - if (opts & OPT_SYSLOG) + if (opts & OPT_SYSLOG) { syslog(LOG_INFO, "%d bytes flushed from log\n", flushed); - else if (log != stdout) + } else if ((log != stdout) && (log != NULL)) { fprintf(log, "%d bytes flushed from log\n", flushed); + } } } @@ -1433,7 +1432,8 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1) + while ((c = getopt(argc, argv, + "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : 
@@ -1465,6 +1465,15 @@ char *argv[]; flushlogs(iplfile[1], log); flushlogs(iplfile[2], log); break; + case 'L' : + logfac = fac_findname(optarg); + if (logfac == -1) { + fprintf(stderr, + "Unknown syslog facility '%s'\n", + optarg); + exit(1); + } + break; case 'n' : opts |= OPT_RESOLVE; break; @@ -1495,7 +1504,7 @@ char *argv[]; s = argv[0]; else s++; - openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); + openlog(s, LOG_NDELAY|LOG_PID, logfac); s = NULL; opts |= OPT_SYSLOG; log = NULL; @@ -1590,8 +1599,8 @@ char *argv[]; #endif /* !BSD */ close(0); close(1); + write_pid(pidfile); } - write_pid(pidfile); signal(SIGHUP, handlehup); @@ -1627,7 +1636,8 @@ char *argv[]; fclose(log); log = fp; } - if (binarylogfile && (fp = fopen(binarylogfile, "a"))) { + if (binarylogfile && + (fp = fopen(binarylogfile, "a"))) { fclose(binarylog); binarylog = fp; } @@ -1649,7 +1659,7 @@ char *argv[]; case 1 : if (opts & OPT_SYSLOG) syslog(LOG_CRIT, "aborting logging\n"); - else + else if (log != NULL) fprintf(log, "aborting logging\n"); doread = 0; break; diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y index 53cbbaf72980..a01ec56abd8e 100644 --- a/contrib/ipfilter/tools/ipnat_y.y +++ b/contrib/ipfilter/tools/ipnat_y.y @@ -54,6 +54,7 @@ static ipnat_t *nat = NULL; static int natfd = -1; static ioctlfunc_t natioctlfunc = NULL; static addfunc_t nataddfunc = NULL; +static int suggest_port = 0; static void newnatrule __P((void)); static void setnatproto __P((int)); @@ -172,6 +173,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if ((nat->in_flags & IPN_TCPUDP) == 0) setnatproto(nat->in_p); if (((nat->in_redir & NAT_MAPBLK) != 0) || 
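Review bot: `-L` only takes effect when it precedes the option that opens syslog, because `logfac` is read at the moment `openlog(s, LOG_NDELAY|LOG_PID, logfac)` runs, and that call appears to sit inside the same `getopt()` switch (the enclosing `case` starts outside the hunk). With the arguments in the other order the facility name is parsed and validated but the log is already open with the default. Deferring `openlog()` until the option loop has finished removes the ordering dependency. If that is not wanted, a comment at the call such as `/* -L must come before this option: logfac is read here */` and a matching sentence in ipmon.8 would at least record it.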
@@ -186,6 +190,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if (((nat->in_redir & NAT_MAPBLK) != 0) || ((nat->in_flags & IPN_AUTOPORTMAP) != 0)) nat_setgroupmap(nat); @@ -224,7 +231,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions (nat->in_pmin != 0 || nat->in_pmax != 0 || nat->in_pnext != 0)) - setnatproto(IPPROTO_TCP); + setnatproto(IPPROTO_TCP); } | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions { nat->in_v = 4; @@ -234,6 +241,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions nat->in_pmax != 0 || nat->in_pnext != 0)) setnatproto(IPPROTO_TCP); + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], nat->in_ifnames[0], @@ -248,9 +258,19 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); } + | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions + { nat->in_v = 4; + if ((suggest_port == 1) && + (nat->in_flags & IPN_TCPUDP) == 0) + nat->in_flags |= IPN_TCPUDP; + if (nat->in_ifnames[1][0] == '\0') + strncpy(nat->in_ifnames[1], + nat->in_ifnames[0], + sizeof(nat->in_ifnames[0])); + } ; -proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto +proxy: | IPNY_PROXY port portspec YY_STR '/' proto { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); if (nat->in_dcmp == 0) { nat->in_dport = htons($3); @@ -260,7 +280,7 @@ proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto setnatproto($6); free($4); } - | IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto + | IPNY_PROXY port YY_STR YY_STR '/' proto { int pnum; strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); pnum = getportproto($3, $6); 
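Review bot: The three-line `suggest_port` test is now pasted into five rule actions (two `map` alternatives and three `redir` alternatives across these hunks), and its position relative to `setnatproto()` differs between them. In the `@@ -234,6 +241,9 @@` hunk it runs after `setnatproto(IPPROTO_TCP)`, while in the first `map` action it runs before `setnatproto(nat->in_p)`; whether that difference is intended is not evident from the diff. A small static helper holding `if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0) nat->in_flags |= IPN_TCPUDP;`, called from each action, would keep the copies from drifting and make the intended ordering explicit.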
@@ -312,6 +332,9 @@ dip: nat->in_inmsk = $3.s_addr; } ; +port: IPNY_PORT { suggest_port = 1; } + ; + portspec: YY_NUMBER { if ($1 > 65535) /* Unsigned */ yyerror("invalid port number"); @@ -324,16 +347,16 @@ portspec: } ; -dport: | IPNY_PORT portspec { nat->in_pmin = htons($2); +dport: | port portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($2); } - | IPNY_PORT portspec '-' portspec { nat->in_pmin = htons($2); + | port portspec '-' portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($4); } - | IPNY_PORT portspec ':' portspec { nat->in_pmin = htons($2); + | port portspec ':' portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($4); } ; -nport: IPNY_PORT portspec { nat->in_pnext = htons($2); } - | IPNY_PORT '=' portspec { nat->in_pnext = htons($3); +nport: port portspec { nat->in_pnext = htons($2); } + | port '=' portspec { nat->in_pnext = htons($3); nat->in_flags |= IPN_FIXEDDPORT; } ; @@ -357,12 +380,16 @@ mapfrom: from sobject IPNY_TO dobject | from sobject '!' IPNY_TO dobject { nat->in_flags |= IPN_NOTDST; } + | from sobject IPNY_TO '!' dobject + { nat->in_flags |= IPN_NOTDST; } ; rdrfrom: from sobject IPNY_TO dobject | '!' from sobject IPNY_TO dobject { nat->in_flags |= IPN_NOTSRC; } + | from '!' sobject IPNY_TO dobject + { nat->in_flags |= IPN_NOTSRC; } ; from: IPNY_FROM { nat->in_flags |= IPN_FILTER; } @@ -415,7 +442,7 @@ mapport: sobject: saddr - | saddr IPNY_PORT portstuff { nat->in_sport = $3.p1; + | saddr port portstuff { nat->in_sport = $3.p1; nat->in_stop = $3.p2; nat->in_scmp = $3.pc; } ; @@ -432,7 +459,7 @@ saddr: addr { if (nat->in_redir == NAT_REDIRECT) { dobject: daddr - | daddr IPNY_PORT portstuff { nat->in_dport = $3.p1; + | daddr port portstuff { nat->in_dport = $3.p1; nat->in_dtop = $3.p2; nat->in_dcmp = $3.pc; if (nat->in_redir == NAT_REDIRECT) 
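Review bot: The new `port` rule exists only for its side effect on the file-scope `suggest_port`, and nothing at the rule says so. Every former `IPNY_PORT` use, including the two `proxy` alternatives, now sets that flag, and the `proto` rule clears it again for non-TCP/UDP values, so the result depends on the order in which the parser reduces these rules. I would add a comment above the rule, for example `/* wraps IPNY_PORT; sets suggest_port so a rule that names a port but no protocol defaults to tcp/udp */`, and a matching one at the `static int suggest_port = 0;` declaration.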
@@ -537,10 +564,18 @@ rdrproxy: } ; -proto: YY_NUMBER { $$ = $1; } +proto: YY_NUMBER { $$ = $1; + if ($$ != IPPROTO_TCP && + $$ != IPPROTO_UDP) + suggest_port = 0; + } | IPNY_TCP { $$ = IPPROTO_TCP; } | IPNY_UDP { $$ = IPPROTO_UDP; } - | YY_STR { $$ = getproto($1); free($1); } + | YY_STR { $$ = getproto($1); free($1); + if ($$ != IPPROTO_TCP && + $$ != IPPROTO_UDP) + suggest_port = 0; + } ; hexnumber: @@ -708,6 +743,8 @@ static void newnatrule() nat->in_next = n; nat = n; } + + suggest_port = 0; } @@ -784,7 +821,7 @@ void *ptr; del = SIOCRMNAT; } - if (ipn && (opts & OPT_VERBOSE)) + if ((opts & OPT_VERBOSE) != 0) printnat(ipn, opts); if (opts & OPT_DEBUG) diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c index 3e0c1e22ec24..c712435fdc1f 100644 --- a/contrib/ipfilter/tools/ipsyncm.c +++ b/contrib/ipfilter/tools/ipsyncm.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $"; #endif #include #include @@ -22,7 +22,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da #include #include #include -#include +#include #include #include @@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da int main __P((int, char *[])); +void usage __P((const char *)); int terminate = 0; @@ -41,10 +42,12 @@ void usage(const char *progname) { fprintf(stderr, "Usage: %s \n", progname); } +#if 0 static void handleterm(int sig) { terminate = sig; } +#endif /* should be large enough to hold header + any datatype */ @@ -117,7 +120,7 @@ char *argv[]; goto tryagain; } - syslog(LOG_INFO, "Established connection to %s", + syslog(LOG_INFO, "Sending data to %s", inet_ntoa(sin.sin_addr)); inbuf = 0; 
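Review bot: `handleterm()` in ipsyncm.c (hunk `@@ -41,10 +42,12 @@`) is disabled with `#if 0` rather than removed, which leaves `terminate` declared while nothing visible in the diff sets it any more. Dead code behind `#if 0` tends to rot; either delete the handler and the variable together, or keep it and install it with `signal()` so the daemon can shut down cleanly. If it is kept disabled on purpose, a comment such as `/* not installed yet: no signal() call references this */` on the `#if 0` line would say why. The same change is made to ipsyncs.c later in this patch.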
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c index 72da15b98023..c6662b738e66 100644 --- a/contrib/ipfilter/tools/ipsyncs.c +++ b/contrib/ipfilter/tools/ipsyncs.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $"; #endif #include #include @@ -21,7 +21,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da #include #include #include -#include +#include #include #include #include @@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da #include "netinet/ip_sync.h" int main __P((int, char *[])); +void usage __P((const char *progname)); int terminate = 0; @@ -43,11 +44,12 @@ void usage(const char *progname) { progname); } +#if 0 static void handleterm(int sig) { terminate = sig; - } +#endif #define BUFFERLEN 1400 @@ -132,8 +134,7 @@ char *argv[]; goto tryagain; } - syslog(LOG_INFO, "Established connection to %s", - inet_ntoa(sin.sin_addr)); + syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr)); inbuf = 0; while (1) { @@ -225,14 +226,15 @@ moreinbuf: n2 = sizeof(*sh) + len; n3 = write(lfd, buff, n2); if (n3 <= 0) { - syslog(LOG_ERR, "Write error: %m"); + syslog(LOG_ERR, "%s: Write error: %m", + IPSYNC_NAME); goto tryagain; } if (n3 != n2) { - syslog(LOG_ERR, "Incomplete write (%d/%d)", - n3, n2); + syslog(LOG_ERR, "%s: Incomplete write (%d/%d)", + IPSYNC_NAME, n3, n2); goto tryagain; } diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c index 14882e4e5066..3969a5fea564 100644 --- a/contrib/ipfilter/tools/lexer.c +++ b/contrib/ipfilter/tools/lexer.c @@ -172,6 +172,8 @@ nextchar: switch (c) { case '\n' : + lnext = 0; + nokey = 0; case '\t' : case '\r' : case ' ' :
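Review bot: The two statements added under `case '\n' :` in lexer.c rely on falling through into the `'\t'`, `'\r'` and `' '` cases below, and nothing marks that as intended. A `/* FALLTHROUGH */` comment after `nokey = 0;` records the intent and keeps implicit-fallthrough warnings quiet. The `switch` continues past the end of the hunk, so what the shared whitespace branch does with the reset `lnext` and `nokey` is not visible here.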