Resolve conflicts

MFC after:	1 weeks

contrib/ipfilter/Makefile

@@ -6,7 +6,7 @@
 # to the original author and the contributors.
 #
 # $FreeBSD$
-# Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp
+# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $
 #
 SHELL=/bin/sh
 BINDEST=/usr/local/bin
@@ -135,6 +135,7 @@ all:
 	@echo "freebsd3	- compile for FreeBSD-3.x"
 	@echo "freebsd4	- compile for FreeBSD-4.x"
 	@echo "freebsd5 - compile for FreeBSD-5.x"
+	@echo "freebsd6 - compile for FreeBSD-6.x"
 	@echo "bsd	- compile for generic 4.4BSD systems"
 	@echo "bsdi	- compile for BSD/OS"
 	@echo "irix	- compile for SGI IRIX"
@@ -187,7 +188,7 @@ freebsd22: include
 	fi
 	make freebsd20
 
-freebsd5: include
+freebsd5 freebsd6: include
 	if [ x$(INET6) = x ] ; then \
 		echo "#undef INET6" > opt_inet6.h; \
 	else \

contrib/ipfilter/bpf_filter.c

@@ -42,7 +42,7 @@
 
 #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
 static const char rcsid[] =
-    "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)";
+    "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)";
 #endif
 
 #include <sys/param.h>
@@ -468,9 +468,10 @@ bpf_filter(pc, p, wirelen, buflen)
 /*
  * Return true if the 'fcode' is a valid filter program.
  * The constraints are that each jump be forward and to a valid
- * code.  The code must terminate with either an accept or reject.
+ * code, that memory accesses are within valid ranges (to the
- * 'valid' is an array for use by the routine (it must be at least
+ * extent that this can be checked statically; loads of packet
- * 'len' bytes long).
+ * data have to be, and are, also checked at run time), and that
+ * the code terminates with either an accept or reject.
  *
  * The kernel needs to be able to verify an application's filter code.
  * Otherwise, a bogus program could easily crash the system.
@@ -480,38 +481,114 @@ bpf_validate(f, len)
 	struct bpf_insn *f;
 	int len;
 {
-	register int i;
+	u_int i, from;
-	register struct bpf_insn *p;
+	const struct bpf_insn *p;
+
+	if (len == 0)
+		return 1;
+
+	if (len < 1 || len > BPF_MAXINSNS)
+		return 0;
 
 	for (i = 0; i < len; ++i) {
-		/*
-		 * Check that that jumps are forward, and within
-		 * the code block.
-		 */
 		p = &f[i];
-		if (BPF_CLASS(p->code) == BPF_JMP) {
+		switch (BPF_CLASS(p->code)) {
-			register int from = i + 1;
-
-			if (BPF_OP(p->code) == BPF_JA) {
-				if (from + p->k >= (unsigned)len)
-					return 0;
-			}
-			else if (from + p->jt >= len || from + p->jf >= len)
-				return 0;
-		}
 		/*
 		 * Check that memory operations use valid addresses.
 		 */
-		if ((BPF_CLASS(p->code) == BPF_ST ||
+		case BPF_LD:
-		     (BPF_CLASS(p->code) == BPF_LD &&
+		case BPF_LDX:
-		      (p->code & 0xe0) == BPF_MEM)) &&
+			switch (BPF_MODE(p->code)) {
-		    (p->k >= BPF_MEMWORDS || p->k < 0))
+			case BPF_IMM:
-			return 0;
+				break;
-		/*
+			case BPF_ABS:
-		 * Check for constant division by 0.
+			case BPF_IND:
-		 */
+			case BPF_MSH:
-		if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
+				/*
+				 * More strict check with actual packet length
+				 * is done runtime.
+				 */
+#if 0
+				if (p->k >= bpf_maxbufsize)
+					return 0;
+#endif
+				break;
+			case BPF_MEM:
+				if (p->k >= BPF_MEMWORDS)
+					return 0;
+				break;
+			case BPF_LEN:
+				break;
+			default:
+				return 0;
+			}
+			break;
+		case BPF_ST:
+		case BPF_STX:
+			if (p->k >= BPF_MEMWORDS)
+				return 0;
+			break;
+		case BPF_ALU:
+			switch (BPF_OP(p->code)) {
+			case BPF_ADD:
+			case BPF_SUB:
+			case BPF_OR:
+			case BPF_AND:
+			case BPF_LSH:
+			case BPF_RSH:
+			case BPF_NEG:
+				break;
+			case BPF_DIV:
+				/*
+				 * Check for constant division by 0.
+				 */
+				if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
+					return 0;
+			default:
+				return 0;
+			}
+			break;
+		case BPF_JMP:
+			/*
+			 * Check that jumps are within the code block,
+			 * and that unconditional branches don't go
+			 * backwards as a result of an overflow.
+			 * Unconditional branches have a 32-bit offset,
+			 * so they could overflow; we check to make
+			 * sure they don't.  Conditional branches have
+			 * an 8-bit offset, and the from address is <=
+			 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
+			 * is sufficiently small that adding 255 to it
+			 * won't overflow.
+			 *
+			 * We know that len is <= BPF_MAXINSNS, and we
+			 * assume that BPF_MAXINSNS is < the maximum size
+			 * of a u_int, so that i + 1 doesn't overflow.
+			 */
+			from = i + 1;
+			switch (BPF_OP(p->code)) {
+			case BPF_JA:
+				if (from + p->k < from || from + p->k >= len)
+					return 0;
+				break;
+			case BPF_JEQ:
+			case BPF_JGT:
+			case BPF_JGE:
+			case BPF_JSET:
+				if (from + p->jt >= len || from + p->jf >= len)
+					return 0;
+				break;
+			default:
+				return 0;
+			}
+			break;
+		case BPF_RET:
+			break;
+		case BPF_MISC:
+			break;
+		default:
 			return 0;
+		}
 	}
 	return BPF_CLASS(f[len - 1].code) == BPF_RET;
 }

contrib/ipfilter/ip_fil.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $";
 #endif
 
 #ifndef	SOLARIS
@@ -138,7 +138,7 @@ struct rtentry;
 #include "md5.h"
 
 
-#if !defined(__osf__)
+#if !defined(__osf__) && !defined(__linux__)
 extern	struct	protosw	inetsw[];
 #endif
 
@@ -718,13 +718,45 @@ frdest_t *fdp;
 {
 	struct ifnet *ifp = fdp->fd_ifp;
 	ip_t *ip = fin->fin_ip;
+	int error = 0;
+	frentry_t *fr;
+	void *sifp;
 
 	if (!ifp)
 		return 0;	/* no routing table out here */
 
-	ip->ip_len = htons((u_short)ip->ip_len);
+	fr = fin->fin_fr;
-	ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
 	ip->ip_sum = 0;
+
+	if (fin->fin_out == 0) {
+		sifp = fin->fin_ifp;
+		fin->fin_ifp = ifp;
+		fin->fin_out = 1;
+		(void) fr_acctpkt(fin, NULL);
+		fin->fin_fr = NULL;
+		if (!fr || !(fr->fr_flags & FR_RETMASK)) {
+			u_32_t pass;
+
+			(void) fr_checkstate(fin, &pass);
+		}
+
+		switch (fr_checknatout(fin, NULL))
+		{
+		case 0 :
+			break;
+		case 1 :
+			ip->ip_sum = 0;
+			break;
+		case -1 :
+			error = -1;
+			goto done;
+			break;
+		}
+
+		fin->fin_ifp = sifp;
+		fin->fin_out = 0;
+	}
+
 #if defined(__sgi) && (IRIX < 60500)
 	(*ifp->if_output)(ifp, (void *)ip, NULL);
 # if TRU64 >= 1885
@@ -733,7 +765,8 @@ frdest_t *fdp;
 	(*ifp->if_output)(ifp, (void *)m, NULL, 0);
 # endif
 #endif
-	return 0;
+done:
+	return error;
 }
 
 

contrib/ipfilter/ipf.h

@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ipf.h	1.12 6/5/96
- * $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $
+ * $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $
  */
 
 #ifndef	__IPF_H__
@@ -184,7 +184,6 @@ extern	struct ipopt_names v6ionames[];
 extern int addicmp __P((char ***, struct frentry *, int));
 extern int addipopt __P((char *, struct ipopt_names *, int, char *));
 extern int addkeep __P((char ***, struct frentry *, int));
-extern int bcopywrap __P((void *, void *, size_t));
 extern void binprint __P((void *, size_t));
 extern void initparse __P((void));
 extern u_32_t buildopts __P((char *, char *, int));

contrib/ipfilter/iplang/iplang_y.y

@@ -6,7 +6,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp
+ * Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
  * $FreeBSD$
  */
 
@@ -1649,7 +1649,7 @@ void *ptr;
 	for (sto = toipopts; sto->sto_st; sto++)
 		if (sto->sto_st == state)
 			break;
-	if (!sto || !sto->sto_st) {
+	if (!sto->sto_st) {
 		fprintf(stderr, "No mapping for state %d to IP option\n",
 			state);
 		return;

contrib/ipfilter/ipmon.h

@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_fil.h	1.35 6/5/96
- * $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $
+ * $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $
  */
 
 
@@ -94,3 +94,4 @@ extern	int	load_config __P((char *));
 extern	void	dumphex __P((FILE *, int, char *, int));
 extern	int	check_action __P((char *, char *, int, int));
 extern	char	*getword __P((int));
+extern	int	fac_findname __P((char *));

contrib/ipfilter/ipsd/sbpf.c

@@ -11,6 +11,9 @@
 #include <ctype.h>
 #include <signal.h>
 #include <errno.h>
+#ifdef __NetBSD__
+# include <paths.h>
+#endif
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/mbuf.h>
@@ -123,8 +126,18 @@ int	tout;
 	struct	bpf_version bv;
 	struct	timeval to;
 	struct	ifreq ifr;
+#ifdef _PATH_BPF
+	char 	*bpfname = _PATH_BPF;
+	int	fd;
+
+	if ((fd = open(bpfname, O_RDWR)) < 0)
+	    {
+		fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
+		return -1;
+	    }
+#else
 	char	bpfname[16];
-	int	fd, i;
+	int	fd = -1, i;
 
 	for (i = 0; i < 16; i++)
 	    {
@@ -137,6 +150,7 @@ int	tout;
 		fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
 		return -1;
 	    }
+#endif
 
 	if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
 	    {

contrib/ipfilter/ipsend/ipsend.c

@@ -6,7 +6,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipsend.c	1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $";
 #endif
 #include <sys/param.h>
 #include <sys/types.h>
@@ -155,6 +155,8 @@ struct in_addr gwip;
 	int wfd;
 
 	wfd = initdevice(dev, 5);
+	if (wfd == -1)
+		return -1;
 	return send_packet(wfd, mtu, ip, gwip);
 }
 

contrib/ipfilter/ipsend/iptests.c

@@ -8,10 +8,18 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $";
 #endif
 #include <sys/param.h>
 #include <sys/types.h>
+#if defined(__NetBSD__) && defined(__vax__)
+/*
+ * XXX need to declare boolean_t for _KERNEL <sys/files.h>
+ * which ends up including <sys/device.h> for vax.  See PR#32907
+ * for further details.
+ */
+typedef	int	boolean_t;
+#endif
 #include <sys/time.h>
 #if !defined(__osf__)
 # define _KERNEL
@@ -136,7 +144,10 @@ int	ptest;
 	u->uh_ulen = htons(sizeof(*u) + 4);
 	ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
 	len = ip->ip_len;
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
 
 	if (!ptest || (ptest == 1)) {
 		/*
@@ -470,11 +481,14 @@ int	ptest;
 	int	nfd;
 	u_char	*s;
 
-	s = (u_char *)(ip + 1);
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
 
 	IP_HL_A(ip, 6);
 	ip->ip_len = IP_HL(ip) << 2;
+	s = (u_char *)(ip + 1);
 	s[IPOPT_OPTVAL] = IPOPT_NOP;
 	s++;
 	if (!ptest || (ptest == 1)) {
@@ -574,7 +588,10 @@ int	ptest;
 	ip->ip_sum = 0;
 	ip->ip_len = sizeof(*ip) + sizeof(*icp);
 	icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
 
 	if (!ptest || (ptest == 1)) {
 		/*
@@ -773,7 +790,10 @@ int	ptest;
 	u->uh_sport = htons(1);
 	u->uh_dport = htons(1);
 	u->uh_ulen = htons(sizeof(*u) + 4);
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
 
 	if (!ptest || (ptest == 1)) {
 		/*
@@ -936,7 +956,10 @@ int	ptest;
 	t->th_seq = htonl(1);
 	t->th_ack = 0;
 	ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
 
 	if (!ptest || (ptest == 1)) {
 		/*
@@ -1281,6 +1304,9 @@ int	ptest;
 	u->uh_sum = 0;
 
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
+
 	u->uh_ulen = htons(7168);
 
 	printf("6. Exhaustive mbuf test.\n");
@@ -1350,6 +1376,9 @@ int	ptest;
 	u_char	*s;
 
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return;
+
 	pip = (ip_t *)tbuf;
 
 	srand(time(NULL) ^ (getpid() * getppid()));

contrib/ipfilter/ipsend/lsock.c

@@ -8,7 +8,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)lsock.c	1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $";
 #endif
 #include <stdio.h>
 #include <unistd.h>
@@ -227,6 +227,8 @@ struct	in_addr	gwip;
 	ti->ti_sport = lsin.sin_port;
 	printf("sport %d\n", ntohs(lsin.sin_port));
 	nfd = initdevice(dev, 0);
+	if (nfd == -1)
+		return -1;
 
 	if (!(s = find_tcp(fd, ti)))
 		return -1;

contrib/ipfilter/ipsend/resend.c

@@ -8,7 +8,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)resend.c	1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $";
 #endif
 #include <sys/param.h>
 #include <sys/types.h>
@@ -81,6 +81,9 @@ char	*datain;
 	ip_t	*ip;
 	int	fd, wfd = initdevice(dev, 5), len, i;
 
+	if (wfd == -1)
+		return -1;
+
 	if (datain)
 		fd = (*r->r_open)(datain);
 	else
@@ -101,6 +104,7 @@ char	*datain;
 	if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
 	    {
 		perror("arp");
+		free(eh);
 		return -2;
 	    }
 
@@ -137,5 +141,6 @@ char	*datain;
 		    }
 	    }
 	(*r->r_close)();
+	free(eh);
 	return 0;
 }

contrib/ipfilter/ipsend/sbpf.c

@@ -37,6 +37,9 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
+#ifdef __NetBSD__
+# include <paths.h>
+#endif
 #include <ctype.h>
 #include <signal.h>
 #include <errno.h>
@@ -45,7 +48,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)sbpf.c	1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $";
 #endif
 
 /*
@@ -62,6 +65,16 @@ int	tout;
 	struct	bpf_version bv;
 	struct	timeval to;
 	struct	ifreq ifr;
+#ifdef _PATH_BPF
+	char	*bpfname = _PATH_BPF;
+	int	fd;
+
+	if ((fd = open(bpfname, O_RDWR)) < 0)
+	    {
+		fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
+		return -1;
+	    }
+#else
 	char	bpfname[16];
 	int	fd = 0, i;
 
@@ -76,6 +89,7 @@ int	tout;
 		fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
 		return -1;
 	    }
+#endif
 
 	if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
 	    {

contrib/ipfilter/ipsend/sock.c

@@ -7,12 +7,20 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)sock.c	1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $";
 #endif
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/stat.h>
+#if defined(__NetBSD__) && defined(__vax__)
+/*
+ * XXX need to declare boolean_t for _KERNEL <sys/files.h>
+ * which ends up including <sys/device.h> for vax.  See PR#32907
+ * for further details.
+ */
+typedef int     boolean_t;
+#endif
 #ifndef	ultrix
 #include <fcntl.h>
 #endif
@@ -302,28 +310,33 @@ struct	tcpiphdr *ti;
 	    }
 #endif
 
+	o = NULL;
+	f = NULL;
+	s = NULL;
+	i = NULL;
+	t = NULL;
+
 	o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
 	if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
 	    {
 		fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n",
 			(u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o));
-		return NULL;
+		goto finderror;
 	    }
 	f = (struct file *)calloc(1, sizeof(*f));
 	if (KMCPY(f, o[tfd], sizeof(*f)) == -1)
 	    {
 		fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n",
 			(u_long)o[tfd], (u_long)f, (u_long)sizeof(*f));
-		return NULL;
+		goto finderror;
 	    }
 
 	s = (struct socket *)calloc(1, sizeof(*s));
 	if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
 	    {
 		fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n",
-			(u_long)f->f_data, (u_long)s,
+			(u_long)f->f_data, (u_long)s, (u_long)sizeof(*s));
-			(u_long)sizeof(*s));
+		goto finderror;
-		return NULL;
 	    }
 
 	i = (struct inpcb *)calloc(1, sizeof(*i));
@@ -331,7 +344,7 @@ struct	tcpiphdr *ti;
 	    {
 		fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n",
 			(u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i));
-		return NULL;
+		goto finderror;
 	    }
 
 	t = (struct tcpcb *)calloc(1, sizeof(*t));
@@ -339,9 +352,22 @@ struct	tcpiphdr *ti;
 	    {
 		fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n",
 			(u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t));
-		return NULL;
+		goto finderror;
 	    }
 	return (struct tcpcb *)i->inp_ppcb;
+
+finderror:
+	if (o != NULL)
+		free(o);
+	if (f != NULL)
+		free(f);
+	if (s != NULL)
+		free(s);
+	if (i != NULL)
+		free(i);
+	if (t != NULL)
+		free(t);
+	return NULL;
 }
 #endif /* BSD < 199301 */
 
@@ -383,7 +409,10 @@ struct	in_addr	gwip;
 	(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
 	ti->ti_sport = lsin.sin_port;
 	printf("sport %d\n", ntohs(lsin.sin_port));
+
 	nfd = initdevice(dev, 1);
+	if (nfd == -1)
+		return -1;
 
 	if (!(t = find_tcp(fd, ti)))
 		return -1;

contrib/ipfilter/ipt.h

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp $
+ * $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $
  */
 
 #ifndef	__IPT_H__

contrib/ipfilter/lib/addicmp.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $
+ * $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $
  */
 
 #include <ctype.h>
@@ -19,76 +19,3 @@ char	*icmptypes[MAX_ICMPTYPE + 1] = {
 	"routersol", "timex", "paramprob", "timest", "timestrep",
 	"inforeq", "inforep", "maskreq", "maskrep", "END"
 };
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int	addicmp(cp, fp, linenum)
-char	***cp;
-struct	frentry	*fp;
-int     linenum;
-{
-	char	**t;
-	int	i;
-
-	(*cp)++;
-	if (!**cp)
-		return -1;
-	if (!fp->fr_proto)	/* to catch lusers */
-		fp->fr_proto = IPPROTO_ICMP;
-	if (ISDIGIT(***cp)) {
-		if (!ratoi(**cp, &i, 0, 255)) {
-			fprintf(stderr,
-				"%d: Invalid icmp-type (%s) specified\n",
-				linenum, **cp);
-			return -1;
-		}
-	} else {
-		for (t = icmptypes, i = 0; ; t++, i++) {
-			if (!*t)
-				continue;
-			if (!strcasecmp("END", *t)) {
-				i = -1;
-				break;
-			}
-			if (!strcasecmp(*t, **cp))
-				break;
-		}
-		if (i == -1) {
-			fprintf(stderr,
-				"%d: Unknown icmp-type (%s) specified\n",
-				linenum, **cp);
-			return -1;
-		}
-	}
-	fp->fr_icmp = (u_short)(i << 8);
-	fp->fr_icmpm = (u_short)0xff00;
-	(*cp)++;
-	if (!**cp)
-		return 0;
-
-	if (**cp && strcasecmp("code", **cp))
-		return 0;
-	(*cp)++;
-	if (ISDIGIT(***cp)) {
-		if (!ratoi(**cp, &i, 0, 255)) {
-			fprintf(stderr,
-				"%d: Invalid icmp code (%s) specified\n",
-				linenum, **cp);
-			return -1;
-		}
-	} else {
-		i = icmpcode(**cp);
-		if (i == -1) {
-			fprintf(stderr,
-				"%d: Unknown icmp code (%s) specified\n",
-				linenum, **cp);
-			return -1;
-		}
-	}
-	i &= 0xff;
-	fp->fr_icmp |= (u_short)i;
-	fp->fr_icmpm = (u_short)0xffff;
-	(*cp)++;
-	return 0;
-}

contrib/ipfilter/lib/addkeep.c

@@ -1,86 +0,0 @@
-/*	$FreeBSD$	*/
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: addkeep.c,v 1.12 2003/12/01 01:59:42 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * Parses "keep state" and "keep frags" stuff on the end of a line.
- */
-int	addkeep(cp, fp, linenum)
-char	***cp;
-struct	frentry	*fp;
-int     linenum;
-{
-	char *s;
-
-	(*cp)++;
-	if (!**cp) {
-		fprintf(stderr, "%d: Missing state/frag after keep\n",
-			linenum);
-		return -1;
-	}
-
-	if (!strcasecmp(**cp, "state")) {
-		fp->fr_flags |= FR_KEEPSTATE;
-		(*cp)++;
-		if (**cp && !strcasecmp(**cp, "limit")) {
-			(*cp)++;
-			fp->fr_statemax = atoi(**cp);
-			(*cp)++;
-		}
-		if (**cp && !strcasecmp(**cp, "scan")) {
-			(*cp)++;
-			if (!strcmp(**cp, "*")) {
-				fp->fr_isc = NULL;
-				fp->fr_isctag[0] = '\0';
-			} else {
-				strncpy(fp->fr_isctag, **cp,
-					sizeof(fp->fr_isctag));
-				fp->fr_isctag[sizeof(fp->fr_isctag)-1] = '\0';
-				fp->fr_isc = NULL;
-			}
-			(*cp)++;
-		} else
-			fp->fr_isc = (struct ipscan *)-1;
-	} else if (!strncasecmp(**cp, "frag", 4)) {
-		fp->fr_flags |= FR_KEEPFRAG;
-		(*cp)++;
-	} else if (!strcasecmp(**cp, "state-age")) {
-		if (fp->fr_ip.fi_p == IPPROTO_TCP) {
-			fprintf(stderr, "%d: cannot use state-age with tcp\n",
-				linenum);
-			return -1;
-		}
-		if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
-			fprintf(stderr, "%d: state-age with no 'keep state'\n",
-				linenum);
-			return -1;
-		}
-		(*cp)++;
-		if (!**cp) {
-			fprintf(stderr, "%d: state-age with no arg\n",
-				linenum);
-			return -1;
-		}
-		fp->fr_age[0] = atoi(**cp);
-		s = strchr(**cp, '/');
-		if (s != NULL) {
-			s++;
-			fp->fr_age[1] = atoi(s);
-		} else
-			fp->fr_age[1] = fp->fr_age[0];
-	} else {
-		fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
-			linenum, **cp);
-		return -1;
-	}
-	return 0;
-}

contrib/ipfilter/lib/facpri.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $
+ * $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $
  */
 
 #include <stdio.h>
@@ -22,7 +22,7 @@
 #include "facpri.h"
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $";
 #endif
 
 
@@ -81,13 +81,13 @@ fac_toname(facpri)
 
 	fac = facpri & LOG_FACMASK;
 	j = fac >> 3;
-	if (j < 24) {
+	if (j < (sizeof(facs)/sizeof(facs[0]))) {
 		if (facs[j].value == fac)
 			return facs[j].name;
-		for (i = 0; facs[i].name; i++)
-			if (fac == facs[i].value)
-				return facs[i].name;
 	}
+	for (i = 0; facs[i].name; i++)
+		if (fac == facs[i].value)
+			return facs[i].name;
 
 	return NULL;
 }
@@ -96,11 +96,11 @@ fac_toname(facpri)
 /*
  * map a facility name to its number
  */
-int
+int     
 fac_findname(name)
 	char *name;
 {
-	int	i;
+	int     i;
 
 	for (i = 0; facs[i].name; i++)
 		if (!strcmp(facs[i].name, name))
@@ -118,22 +118,6 @@ table_t	pris[] = {
 };
 
 
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
-	char *name;
-{
-	int	i;
-
-	for (i = 0; pris[i].name; i++)
-		if (!strcmp(pris[i].name, name))
-			return pris[i].value;
-	return -1;
-}
-
-
 /*
  * map a priority number to its name
  */

contrib/ipfilter/lib/getport.c

@@ -20,6 +20,33 @@ u_short *port;
 		return -1;
 	}
 
+	/*
+	 * Some people will use port names in rules without specifying
+	 * either TCP or UDP because it is implied by the group head.
+	 * If we don't know the protocol, then the best we can do here is
+	 * to take either only the TCP or UDP mapping (if one or the other
+	 * is missing) or make sure both of them agree.
+	 */
+	if (fr->fr_proto == 0) {
+		s = getservbyname(name, "tcp");
+		if (s != NULL)
+			p1 = s->s_port;
+		else
+			p1 = 0;
+		s = getservbyname(name, "udp");
+		if (s != NULL) {
+			if (p1 != s->s_port)
+				return -1;
+		}
+		if ((p1 == 0) && (s == NULL))
+			return -1;
+		if (p1)
+			*port = p1;
+		else
+			*port = s->s_port;
+		return 0;
+	}
+
 	if ((fr->fr_flx & FI_TCPUDP) != 0) {
 		/*
 		 * If a rule is "tcp/udp" then check that both TCP and UDP

contrib/ipfilter/lib/icmpcode.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $
+ * $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $
  */
 
 #include <ctype.h>
@@ -22,28 +22,3 @@ char	*icmpcodes[MAX_ICMPCODE + 1] = {
 	"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
 	"net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
 	NULL };
-
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
-	char	*s;
-	int	i, len;
-
-	if ((s = strrchr(str, ')')))
-		*s = '\0';
-	if (ISDIGIT(*str)) {
-		if (!ratoi(str, &i, 0, 255))
-			return -1;
-		else
-			return i;
-	}
-	len = strlen(str);
-	for (i = 0; icmpcodes[i]; i++)
-		if (!strncasecmp(str, icmpcodes[i], MIN(len,
-				 strlen(icmpcodes[i])) ))
-			return i;
-	return -1;
-}

contrib/ipfilter/lib/ipft_tx.c

@@ -5,11 +5,11 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $
+ * $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $";
 #endif
 
 #include <ctype.h>
@@ -75,36 +75,15 @@ int	*resolved;
 static	u_short	tx_portnum(name)
 char	*name;
 {
-	struct	servent	*sp, *sp2;
+	struct	servent	*sp;
-	u_short	p1 = 0;
 
 	if (ISDIGIT(*name))
 		return (u_short)atoi(name);
-	if (!tx_proto)
+	sp = getservbyname(name, tx_proto);
-		tx_proto = "tcp/udp";
-	if (strcasecmp(tx_proto, "tcp/udp")) {
-		sp = getservbyname(name, tx_proto);
-		if (sp)
-			return ntohs(sp->s_port);
-		(void) fprintf(stderr, "unknown service \"%s\".\n", name);
-		return 0;
-	}
-	sp = getservbyname(name, "tcp");
 	if (sp)
-		p1 = sp->s_port;
+		return ntohs(sp->s_port);
-	sp2 = getservbyname(name, "udp");
+	(void) fprintf(stderr, "unknown service \"%s\".\n", name);
-	if (!sp || !sp2) {
+	return 0;
-		(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
-			name);
-		return 0;
-	}
-	if (p1 != sp2->s_port) {
-		(void) fprintf(stderr, "%s %d/tcp is a different port to ",
-			name, p1);
-		(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
-		return 0;
-	}
-	return ntohs(p1);
 }
 
 

contrib/ipfilter/lib/make_range.c

@@ -1,26 +0,0 @@
-/*	$FreeBSD$	*/
-
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: make_range.c,v 1.2 2002/05/18 07:27:52 darrenr Exp $
- */
-#include "ipf.h"
-
-
-alist_t	*make_range(not, a1, a2)
-int not;
-struct in_addr a1, a2;
-{
-	alist_t *a;
-
-	a = (alist_t *)calloc(1, sizeof(*a));
-	if (a != NULL) {
-		a->al_1 = a1.s_addr;
-		a->al_2 = a2.s_addr;
-		a->al_not = not;
-	}
-	return a;
-}

contrib/ipfilter/lib/optprint.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: optprint.c,v 1.6 2002/07/13 15:59:49 darrenr Exp $
+ * $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $
  */
 #include "ipf.h"
 
@@ -25,6 +25,10 @@ u_long optmsk, optbits;
 			if ((io->on_value != IPOPT_SECURITY) ||
 			    (!secmsk && !secbits)) {
 				printf("%s%s", s, io->on_name);
+				/*
+				 * Because the ionames table has this entry
+				 * twice.
+				 */
 				if (io->on_value == IPOPT_SECURITY)
 					io++;
 				s = ",";

contrib/ipfilter/lib/printfr.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: printfr.c,v 1.43.2.15 2005/11/14 17:45:06 darrenr Exp $
+ * $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $
  */
 
 #include "ipf.h"
@@ -122,20 +122,6 @@ ioctlfunc_t	iocfunc;
 		printf("pass");
 	else if (FR_ISBLOCK(fp->fr_flags)) {
 		printf("block");
-		if (fp->fr_flags & FR_RETICMP) {
-			if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
-				printf(" return-icmp-as-dest");
-			else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
-				printf(" return-icmp");
-			if (fp->fr_icode) {
-				if (fp->fr_icode <= MAX_ICMPCODE)
-					printf("(%s)",
-						icmpcodes[(int)fp->fr_icode]);
-				else
-					printf("(%d)", fp->fr_icode);
-			}
-		} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
-			printf(" return-rst");
 	} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
 		printlog(fp);
 	} else if (FR_ISACCOUNT(fp->fr_flags))
@@ -151,6 +137,20 @@ ioctlfunc_t	iocfunc;
 	else {
 		printf("%x", fp->fr_flags);
 	}
+	if (fp->fr_flags & FR_RETICMP) {
+		if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
+			printf(" return-icmp-as-dest");
+		else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
+			printf(" return-icmp");
+		if (fp->fr_icode) {
+			if (fp->fr_icode <= MAX_ICMPCODE)
+				printf("(%s)",
+					icmpcodes[(int)fp->fr_icode]);
+			else
+				printf("(%d)", fp->fr_icode);
+		}
+	} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
+		printf(" return-rst");
 
 	if (fp->fr_flags & FR_OUTQUE)
 		printf(" out ");

contrib/ipfilter/lib/printlog.c

@@ -5,7 +5,7 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * $Id: printlog.c,v 1.6.4.1 2005/11/14 17:45:06 darrenr Exp $
+ * $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $
  */
 
 #include "ipf.h"
@@ -28,14 +28,11 @@ frentry_t *fp;
 	if (fp->fr_loglevel != 0xffff) {
 		printf(" level ");
 		s = fac_toname(fp->fr_loglevel);
-		if (s == NULL)
+		if (s == NULL || *s == '\0')
 			s = "!!!";
 		u = pri_toname(fp->fr_loglevel);
-		if (u == NULL)
+		if (u == NULL || *u == '\0')
 			u = "!!!";
-		if (*s)
+		printf("%s.%s", s, u);
-			printf("%s.%s", s, u);
-		else
-			printf("%s", u);
 	}
 }

contrib/ipfilter/man/ipmon.8

@@ -9,6 +9,8 @@ ipmon \- monitors /dev/ipl for logged packets
 ] [
 .B "\-N <device>"
 ] [
+.B "\-L <facility>"
+] [
 .B "\-o [NSI]"
 ] [
 .B "\-O [NSI]"
@@ -73,7 +75,7 @@ In order for \fBipmon\fP to properly work, the kernel option
 \fBIPFILTER_LOG\fP must be turned on in your kernel.  Please see
 \fBoptions(4)\fP for more details.
 .LP
-\fBipmon\fP reopns its log file(s) and rereads its configuration file
+\fBipmon\fP reopens its log file(s) and rereads its configuration file
 when it receives a SIGHUP signal.
 .SH OPTIONS
 .TP
@@ -102,6 +104,9 @@ for normal IP Filter log records.
 Flush the current packet log buffer.  The number of bytes flushed is displayed,
 even should the result be zero.
 .TP
+.B \-L <facility>
+Using this option allows you to change the default syslog facility that
+ipmon uses for syslog messages.  The default is local0.
 .B \-n
 IP addresses and port numbers will be mapped, where possible, back into
 hostnames and service names.

contrib/ipfilter/radix.c

@@ -139,7 +139,7 @@ struct radix_node *rn_addmask __P((int, int, void *));
  * node as high in the tree as we can go.
  *
  * The present version of the code makes use of normal routes in short-
- * circuiting an explict mask and compare operation when testing whether
+ * circuiting an explicit mask and compare operation when testing whether
  * a key satisfies a normal route, and also in remembering the unique leaf
  * that governs a subtree.
  */

contrib/ipfilter/samples/proxy.c

@@ -57,7 +57,6 @@ char *argv[];
 	struct	sockaddr_in	sin, sloc, sout;
 	ipfobj_t	obj;
 	natlookup_t	natlook;
-	natlookup_t	*natlookp = &natlook;
 	char	buffer[512];
 	int	namelen, fd, n;
 

contrib/ipfilter/tools/ipf.c

@@ -21,7 +21,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $";
 #endif
 
 #if !defined(__SVR4) && defined(__GNUC__)
@@ -198,7 +198,7 @@ static void closedevice()
 
 static	int	get_flags()
 {
-	int i;
+	int i = 0;
 
 	if ((opendevice(ipfname, 1) != -2) &&
 	    (ioctl(fd, SIOCGETFF, &i) == -1)) {

contrib/ipfilter/tools/ipf_y.y

@@ -81,6 +81,10 @@ static	struct	wordtab logwords[33];
 		union	i6addr	m;
 	} ipp;
 	union	i6addr	ip6;
+	struct	{
+		char	*if1;
+		char	*if2;
+	} ifs;
 };
 
 %type	<port>	portnum
@@ -93,6 +97,7 @@ static	struct	wordtab logwords[33];
 %type	<str>	servicename name interfacename
 %type	<pc>	portrange portcomp
 %type	<alist>	addrlist poollist
+%type	<ifs>	onname
 
 %token	<num>	YY_NUMBER YY_HEX
 %token	<str>	YY_STR
@@ -101,7 +106,7 @@ static	struct	wordtab logwords[33];
 %token		YY_RANGE_OUT YY_RANGE_IN
 %token	<ip6>	YY_IPV6
 
-%token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
+%token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
 %token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
 %token	IPFY_IN IPFY_OUT
 %token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
@@ -178,7 +183,7 @@ line:	xx rule		{ while ((fr = frtop) != NULL) {
 	| YY_COMMENT
 	;
 
-xx:	{ newrule(); }
+xx:					{ newrule(); }
 	;
 
 assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
@@ -257,6 +262,7 @@ collection:
 
 action:	block
 	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
+	| IPFY_NOMATCH			{ fr->fr_flags |= FR_NOMATCH; }
 	| log
 	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
 	| auth
@@ -286,7 +292,7 @@ log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
 	;
 
 auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
-	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
+	| IPFY_AUTH blockreturn		{ fr->fr_flags |= FR_AUTH;}
 	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
 	;
 
@@ -467,18 +473,41 @@ quick:
 	;
 
 on:	IPFY_ON onname
+	| IPFY_ON lstart onlist lend
 	| IPFY_ON onname IPFY_INVIA vianame
 	| IPFY_ON onname IPFY_OUTVIA vianame
 	;
 
+onlist:	onname			{ DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
+					sizeof(fr->fr_ifnames[0])); 	   \
+					if ($1.if2 != NULL) {		   \
+						strncpy(fr->fr_ifnames[1], \
+							$1.if2,		   \
+						sizeof(fr->fr_ifnames[1]));\
+					}				   \
+					) }
+	| onlist lmore onname	{ DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
+					sizeof(fr->fr_ifnames[0])); 	   \
+					if ($3.if2 != NULL) {		   \
+						strncpy(fr->fr_ifnames[1], \
+							$3.if2,		   \
+						sizeof(fr->fr_ifnames[1]));\
+					}				   \
+					) }
+	;
+
 onname:	interfacename
 		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
+		  $$.if1 = fr->fr_ifnames[0];
+		  $$.if2 = NULL;
 		  free($1);
 		}
 	| interfacename ',' interfacename
 		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
+		  $$.if1 = fr->fr_ifnames[0];
 		  free($1);
 		  strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
+		  $$.if1 = fr->fr_ifnames[1];
 		  free($3);
 		}
 	;
@@ -1027,7 +1056,8 @@ codelist:
 	icmpcode
 	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
 	| codelist lmore icmpcode
-	{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
+	{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
+		fr->fr_icmpm |= htons(0xff);) }
 	;
 
 age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
@@ -1087,7 +1117,11 @@ stateopt:
 	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }
 
 	| IPFY_SYNC		{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
-	age;
+	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
+						fr->fr_age[1] = $2;) }
+	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
+					{ DOALL(fr->fr_age[0] = $2; \
+						fr->fr_age[1] = $4;) }
 	;
 
 portnum:
@@ -1445,6 +1479,7 @@ static	struct	wordtab ipfwords[95] = {
 	{ "newisn",			IPFY_NEWISN },
 	{ "no",				IPFY_NO },
 	{ "no-icmp-err",		IPFY_NOICMPERR },
+	{ "nomatch",			IPFY_NOMATCH },
 	{ "now",			IPFY_NOW },
 	{ "not",			IPFY_NOT },
 	{ "oow",			IPFY_OOW },
@@ -1753,18 +1788,6 @@ static frentry_t *addrule()
 		;
 
 	count = nrules;
-	if (count == 0) {
-		f = (frentry_t *)calloc(sizeof(*f), 1);
-		added++;
-		f2->fr_next = f;
-		bcopy(f2, f, sizeof(*f));
-		if (f2->fr_caddr != NULL) {
-			f->fr_caddr = malloc(f->fr_dsize);
-			bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
-		}
-		f->fr_next = NULL;
-		return f;
-	}
 	f = f2;
 	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
 		f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
@@ -2035,7 +2058,7 @@ void *ptr;
 		del = SIOCRMAFR;
 	}
 
-	if (fr && (opts & OPT_OUTQUE))
+	if ((opts & OPT_OUTQUE) != 0)
 		fr->fr_flags |= FR_OUTQUE;
 	if (fr->fr_hits)
 		fr->fr_hits--;

contrib/ipfilter/tools/ipfcomp.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $";
 #endif
 
 #include "ipf.h"
@@ -1224,7 +1224,7 @@ frgroup_t *grp;
 	char *instr;
 
 	group = grp->fg_name;
-	dogrp = 0;
+	dogrp = *group ? 1 : 0;
 
 	if (in && out) {
 		fprintf(stderr,

contrib/ipfilter/tools/ipfs.c

@@ -460,21 +460,19 @@ char *file;
 		i = read(sfd, &ips, sizeof(ips));
 		if (i == -1) {
 			perror("read");
-			close(sfd);
+			goto freeipshead;
-			return 1;
 		}
 		if (i == 0)
 			break;
 		if (i != sizeof(ips)) {
 			fprintf(stderr, "state:incomplete read: %d != %d\n",
 				i, (int)sizeof(ips));
-			close(sfd);
+			goto freeipshead;
-			return 1;
 		}
 		is = (ipstate_save_t *)malloc(sizeof(*is));
-		if(!is) {
+		if (is == NULL) {
 			fprintf(stderr, "malloc failed\n");
-			return 1;
+			goto freeipshead;
 		}
 
 		bcopy((char *)&ips, (char *)is, sizeof(ips));
@@ -512,7 +510,7 @@ char *file;
 	obj.ipfo_size = sizeof(*is);
 	obj.ipfo_type = IPFOBJ_STATESAVE;
 
-	for (is = ipshead; is; is = is->ips_next) {
+	while ((is = ipshead) != NULL) {
 		if (opts & OPT_VERBOSE)
 			printf("Loading new state table entry\n");
 		if (is->ips_is.is_flags & SI_NEWFR) {
@@ -524,7 +522,7 @@ char *file;
 		if (!(opts & OPT_DONOTHING))
 			if (ioctl(fd, SIOCSTPUT, &obj)) {
 				perror("SIOCSTPUT");
-				return 1;
+				goto freeipshead;
 			}
 
 		if (is->ips_is.is_flags & SI_NEWFR) {
@@ -534,9 +532,21 @@ char *file;
 				if (is1->ips_rule == (frentry_t *)&is->ips_rule)
 					is1->ips_rule = is->ips_rule;
 		}
+
+		ipshead = is->ips_next;
+		free(is);
 	}
 
 	return 0;
+
+freeipshead:
+	while ((is = ipshead) != NULL) {
+		ipshead = is->ips_next;
+		free(is);
+	}
+	if (sfd != -1)
+		close(sfd);
+	return 1;
 }
 
 
@@ -575,21 +585,21 @@ char *file;
 		i = read(nfd, &ipn, sizeof(ipn));
 		if (i == -1) {
 			perror("read");
-			close(nfd);
+			goto freenathead;
-			return 1;
 		}
 		if (i == 0)
 			break;
 		if (i != sizeof(ipn)) {
 			fprintf(stderr, "nat:incomplete read: %d != %d\n",
 				i, (int)sizeof(ipn));
-			close(nfd);
+			goto freenathead;
-			return 1;
 		}
 
 		in = (nat_save_t *)malloc(ipn.ipn_dsize);
-		if (!in)
+		if (in == NULL) {
-			break;
+			fprintf(stderr, "nat:cannot malloc nat save atruct\n");
+			goto freenathead;
+		}
 
 		if (ipn.ipn_dsize > sizeof(ipn)) {
 			n = ipn.ipn_dsize - sizeof(ipn);
@@ -602,8 +612,7 @@ char *file;
 					fprintf(stderr,
 					    "nat:incomplete read: %d != %d\n",
 					    i, n);
-					close(nfd);
+					goto freenathead;
-					return 1;
 				}
 			}
 		}
@@ -645,7 +654,7 @@ char *file;
 	obj.ipfo_rev = IPFILTER_VERSION;
 	obj.ipfo_type = IPFOBJ_NATSAVE;
 
-	for (in = ipnhead; in; in = in->ipn_next) {
+	while ((in = ipnhead) != NULL) {
 		if (opts & OPT_VERBOSE)
 			printf("Loading new NAT table entry\n");
 		nat = &in->ipn_nat;
@@ -670,9 +679,21 @@ char *file;
 				if (in1->ipn_rule == &in->ipn_fr)
 					in1->ipn_rule = nat->nat_fr;
 		}
+
+		ipnhead = in->ipn_next;
+		free(in);
 	}
 
 	return 0;
+
+freenathead:
+	while ((in = ipnhead) != NULL) {
+		ipnhead = in->ipn_next;
+		free(in);
+	}
+	if (nfd != -1)
+		close(nfd);
+	return 1;
 }
 
 

contrib/ipfilter/tools/ipfstat.c

@@ -70,7 +70,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fils.c	1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.13 2005/10/17 17:26:32 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $";
 #endif
 
 #ifdef __hpux
@@ -925,8 +925,6 @@ ips_stat_t *ipsp;
 			ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
 		PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
 			ipsp->iss_miss);
-		PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n",
-			ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull);
 		PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
 			ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
 		PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",

contrib/ipfilter/tools/ipftest.c

@@ -12,7 +12,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c	1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.7 2005/12/07 08:29:19 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $";
 #endif
 
 extern	char	*optarg;
@@ -212,7 +212,7 @@ char *argv[];
 	ip = MTOD(m, ip_t *);
 	while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
 				    &iface, &dir)) > 0) {
-		if (iface == NULL || *iface == '\0')
+		if ((iface == NULL) || (*iface == '\0'))
 			iface = ifname;
 		ifp = get_unit(iface, IP_V(ip));
 		if (!use_inet6) {
@@ -799,6 +799,6 @@ ip_t *ip;
 	}
 	if (hdr != NULL) {
 		*csump = 0;
-		*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr);
+		*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
 	}
 }

contrib/ipfilter/tools/ipmon.c

@@ -78,7 +78,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $";
 #endif
 
 
@@ -191,6 +191,7 @@ static	char	*conf_file = NULL;
 #ifndef	LOGFAC
 #define	LOGFAC	LOG_LOCAL0
 #endif
+int	logfac = LOGFAC;
 
 
 static icmp_subtype_t icmpunreachnames[] = {
@@ -650,10 +651,10 @@ int	len;
 		if (j && !(j & 0xf)) {
 			*t++ = '\n';
 			*t = '\0';
-			if (!(dopts & OPT_SYSLOG))
+			if ((dopts & OPT_SYSLOG))
-				fputs(hline, log);
-			else
 				syslog(LOG_INFO, "%s", hline);
+			else if (log != NULL)
+				fputs(hline, log);
 			t = (u_char *)hline;
 			*t = '\0';
 		}
@@ -686,11 +687,12 @@ int	len;
 		*t++ = '\n';
 		*t = '\0';
 	}
-	if (!(dopts & OPT_SYSLOG)) {
+	if ((dopts & OPT_SYSLOG) != 0)
+		syslog(LOG_INFO, "%s", hline);
+	else if (log != NULL) {
 		fputs(hline, log);
 		fflush(log);
-	} else
+	}
-		syslog(LOG_INFO, "%s", hline);
 }
 
 
@@ -784,7 +786,7 @@ int	blen;
 	*t++ = '\0';
 	if (opts & OPT_SYSLOG)
 		syslog(LOG_INFO, "%s", line);
-	else
+	else if (log != NULL)
 		(void) fprintf(log, "%s", line);
 }
 
@@ -901,7 +903,7 @@ int	blen;
 	*t++ = '\0';
 	if (opts & OPT_SYSLOG)
 		syslog(LOG_INFO, "%s", line);
-	else
+	else if (log != NULL)
 		(void) fprintf(log, "%s", line);
 }
 
@@ -1032,12 +1034,7 @@ int	blen;
 	(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
 	t += strlen(t);
 #endif
-#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \
+	if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
-    defined(__arm__)
-	if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0'))
-#else
-	if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0'))
-#endif
 		strcat(t, " @-1:");
 	else if (ipf->fl_group[0] == '\0')
 		(void) strcpy(t, " @0:");
@@ -1307,8 +1304,9 @@ printipflog:
 	if (defaction == 0) {
 		if (opts & OPT_SYSLOG)
 			syslog(lvl, "%s", line);
-		else
+		else if (log != NULL)
 			(void) fprintf(log, "%s", line);
+
 		if (opts & OPT_HEXHDR)
 			dumphex(log, opts, buf,
 				sizeof(iplog_t) + sizeof(*ipf));
@@ -1371,11 +1369,12 @@ FILE *log;
 	(void) close(fd);
 
 	if (flushed) {
-		if (opts & OPT_SYSLOG)
+		if (opts & OPT_SYSLOG) {
 			syslog(LOG_INFO, "%d bytes flushed from log\n",
 				flushed);
-		else if (log != stdout)
+		} else if ((log != stdout) && (log != NULL)) {
 			fprintf(log, "%d bytes flushed from log\n", flushed);
+		}
 	}
 }
 
@@ -1433,7 +1432,8 @@ char *argv[];
 	iplfile[1] = IPNAT_NAME;
 	iplfile[2] = IPSTATE_NAME;
 
-	while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1)
+	while ((c = getopt(argc, argv,
+			   "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
 		switch (c)
 		{
 		case 'a' :
@@ -1465,6 +1465,15 @@ char *argv[];
 			flushlogs(iplfile[1], log);
 			flushlogs(iplfile[2], log);
 			break;
+		case 'L' :
+			logfac = fac_findname(optarg);
+			if (logfac == -1) {
+				fprintf(stderr,
+					"Unknown syslog facility '%s'\n",
+					 optarg);
+				exit(1);
+			}
+			break;
 		case 'n' :
 			opts |= OPT_RESOLVE;
 			break;
@@ -1495,7 +1504,7 @@ char *argv[];
 				s = argv[0];
 			else
 				s++;
-			openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
+			openlog(s, LOG_NDELAY|LOG_PID, logfac);
 			s = NULL;
 			opts |= OPT_SYSLOG;
 			log = NULL;
@@ -1590,8 +1599,8 @@ char *argv[];
 #endif /* !BSD */
 		close(0);
 		close(1);
+		write_pid(pidfile);
 	}
-	write_pid(pidfile);
 
 	signal(SIGHUP, handlehup);
 
@@ -1627,7 +1636,8 @@ char *argv[];
 					fclose(log);
 					log = fp;
 				}
-				if (binarylogfile && (fp = fopen(binarylogfile, "a"))) {
+				if (binarylogfile &&
+				    (fp = fopen(binarylogfile, "a"))) {
 					fclose(binarylog);
 					binarylog = fp;
 				}
@@ -1649,7 +1659,7 @@ char *argv[];
 			case 1 :
 				if (opts & OPT_SYSLOG)
 					syslog(LOG_CRIT, "aborting logging\n");
-				else
+				else if (log != NULL)
 					fprintf(log, "aborting logging\n");
 				doread = 0;
 				break;

contrib/ipfilter/tools/ipnat_y.y

@@ -54,6 +54,7 @@ static	ipnat_t		*nat = NULL;
 static	int		natfd = -1;
 static	ioctlfunc_t	natioctlfunc = NULL;
 static	addfunc_t	nataddfunc = NULL;
+static	int		suggest_port = 0;
 
 static	void	newnatrule __P((void));
 static	void	setnatproto __P((int));
@@ -172,6 +173,9 @@ map:	mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
 					strncpy(nat->in_ifnames[1],
 						nat->in_ifnames[0],
 						sizeof(nat->in_ifnames[0]));
+				  if ((suggest_port == 1) &&
+				      (nat->in_flags & IPN_TCPUDP) == 0)
+					nat->in_flags |= IPN_TCPUDP;
 				  if ((nat->in_flags & IPN_TCPUDP) == 0)
 					setnatproto(nat->in_p);
 				  if (((nat->in_redir & NAT_MAPBLK) != 0) ||
@@ -186,6 +190,9 @@ map:	mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
 					strncpy(nat->in_ifnames[1],
 						nat->in_ifnames[0],
 						sizeof(nat->in_ifnames[0]));
+				  if ((suggest_port == 1) &&
+				      (nat->in_flags & IPN_TCPUDP) == 0)
+					nat->in_flags |= IPN_TCPUDP;
 				  if (((nat->in_redir & NAT_MAPBLK) != 0) ||
 				      ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
 					nat_setgroupmap(nat);
@@ -224,7 +231,7 @@ redir:	rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
 				      (nat->in_pmin != 0 ||
 				       nat->in_pmax != 0 ||
 				       nat->in_pnext != 0))
-						setnatproto(IPPROTO_TCP);
+					setnatproto(IPPROTO_TCP);
 				}
 	| rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
 				{ nat->in_v = 4;
@@ -234,6 +241,9 @@ redir:	rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
 				       nat->in_pmax != 0 ||
 				       nat->in_pnext != 0))
 					setnatproto(IPPROTO_TCP);
+				  if ((suggest_port == 1) &&
+				      (nat->in_flags & IPN_TCPUDP) == 0)
+					nat->in_flags |= IPN_TCPUDP;
 				  if (nat->in_ifnames[1][0] == '\0')
 					strncpy(nat->in_ifnames[1],
 						nat->in_ifnames[0],
@@ -248,9 +258,19 @@ redir:	rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
 						nat->in_ifnames[0],
 						sizeof(nat->in_ifnames[0]));
 				}
+	| rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
+				{ nat->in_v = 4;
+				  if ((suggest_port == 1) &&
+				      (nat->in_flags & IPN_TCPUDP) == 0)
+					nat->in_flags |= IPN_TCPUDP;
+				  if (nat->in_ifnames[1][0] == '\0')
+					strncpy(nat->in_ifnames[1],
+						nat->in_ifnames[0],
+						sizeof(nat->in_ifnames[0]));
+				}
 	;
 
-proxy:	| IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
+proxy:	| IPNY_PROXY port portspec YY_STR '/' proto
 			{ strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
 			  if (nat->in_dcmp == 0) {
 				nat->in_dport = htons($3);
@@ -260,7 +280,7 @@ proxy:	| IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
 			  setnatproto($6);
 			  free($4);
 			}
-	| IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto
+	| IPNY_PROXY port YY_STR YY_STR '/' proto
 			{ int pnum;
 			  strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
 			  pnum = getportproto($3, $6);
@@ -312,6 +332,9 @@ dip:
 					  nat->in_inmsk = $3.s_addr; }
 	;
 
+port:	IPNY_PORT			{ suggest_port = 1; }
+	;
+
 portspec:
 	YY_NUMBER			{ if ($1 > 65535)	/* Unsigned */
 						yyerror("invalid port number");
@@ -324,16 +347,16 @@ portspec:
 					}
 	;
 
-dport:	| IPNY_PORT portspec			{ nat->in_pmin = htons($2);
+dport:	| port portspec			{ nat->in_pmin = htons($2);
 						  nat->in_pmax = htons($2); }
-	| IPNY_PORT portspec '-' portspec	{ nat->in_pmin = htons($2);
+	| port portspec '-' portspec	{ nat->in_pmin = htons($2);
 						  nat->in_pmax = htons($4); }
-	| IPNY_PORT portspec ':' portspec	{ nat->in_pmin = htons($2);
+	| port portspec ':' portspec	{ nat->in_pmin = htons($2);
 						  nat->in_pmax = htons($4); }
 	;
 
-nport:	IPNY_PORT portspec		{ nat->in_pnext = htons($2); }
+nport:	port portspec			{ nat->in_pnext = htons($2); }
-	| IPNY_PORT '=' portspec	{ nat->in_pnext = htons($3);
+	| port '=' portspec		{ nat->in_pnext = htons($3);
 					  nat->in_flags |= IPN_FIXEDDPORT;
 					}
 	;
@@ -357,12 +380,16 @@ mapfrom:
 	from sobject IPNY_TO dobject
 	| from sobject '!' IPNY_TO dobject
 					{ nat->in_flags |= IPN_NOTDST; }
+	| from sobject IPNY_TO '!' dobject
+					{ nat->in_flags |= IPN_NOTDST; }
 	;
 
 rdrfrom:
 	from sobject IPNY_TO dobject
 	| '!' from sobject IPNY_TO dobject
 					{ nat->in_flags |= IPN_NOTSRC; }
+	| from '!' sobject IPNY_TO dobject
+					{ nat->in_flags |= IPN_NOTSRC; }
 	;
 
 from:	IPNY_FROM			{ nat->in_flags |= IPN_FILTER; }
@@ -415,7 +442,7 @@ mapport:
 
 sobject:
 	saddr
-	| saddr IPNY_PORT portstuff	{ nat->in_sport = $3.p1;
+	| saddr port portstuff	{ nat->in_sport = $3.p1;
 					  nat->in_stop = $3.p2;
 					  nat->in_scmp = $3.pc; }
 	;
@@ -432,7 +459,7 @@ saddr:	addr				{ if (nat->in_redir == NAT_REDIRECT) {
 
 dobject:
 	daddr
-	| daddr IPNY_PORT portstuff	{ nat->in_dport = $3.p1;
+	| daddr port portstuff	{ nat->in_dport = $3.p1;
 					  nat->in_dtop = $3.p2;
 					  nat->in_dcmp = $3.pc;
 					  if (nat->in_redir == NAT_REDIRECT)
@@ -537,10 +564,18 @@ rdrproxy:
 					}
 	;
 
-proto:	YY_NUMBER			{ $$ = $1; }
+proto:	YY_NUMBER			{ $$ = $1;
+					  if ($$ != IPPROTO_TCP &&
+					      $$ != IPPROTO_UDP)
+						suggest_port = 0;
+					}
 	| IPNY_TCP			{ $$ = IPPROTO_TCP; }
 	| IPNY_UDP			{ $$ = IPPROTO_UDP; }
-	| YY_STR			{ $$ = getproto($1); free($1); }
+	| YY_STR			{ $$ = getproto($1); free($1);
+					  if ($$ != IPPROTO_TCP &&
+					      $$ != IPPROTO_UDP)
+						suggest_port = 0;
+					}
 	;
 
 hexnumber:
@@ -708,6 +743,8 @@ static void newnatrule()
 		nat->in_next = n;
 		nat = n;
 	}
+
+	suggest_port = 0;
 }
 
 
@@ -784,7 +821,7 @@ void *ptr;
 		del = SIOCRMNAT;
 	}
 
-	if (ipn && (opts & OPT_VERBOSE))
+	if ((opts & OPT_VERBOSE) != 0)
 		printnat(ipn, opts);
 
 	if (opts & OPT_DEBUG)

contrib/ipfilter/tools/ipsyncm.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $";
 #endif
 #include <sys/types.h>
 #include <sys/time.h>
@@ -22,7 +22,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
 #include <stdlib.h>
 #include <fcntl.h>
 #include <unistd.h>
-#include <strings.h>
+#include <string.h>
 #include <syslog.h>
 #include <signal.h>
 
@@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
 
 
 int	main __P((int, char *[]));
+void	usage __P((const char *));
 
 int	terminate = 0;
 
@@ -41,10 +42,12 @@ void usage(const char *progname) {
 	fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
 }
 
+#if 0
 static void handleterm(int sig)
 {
 	terminate = sig;
 }
+#endif
 
  
 /* should be large enough to hold header + any datatype */
@@ -117,7 +120,7 @@ char *argv[];
 			goto tryagain;
 		}
 
-		syslog(LOG_INFO, "Established connection to %s",
+		syslog(LOG_INFO, "Sending data to %s",
 		       inet_ntoa(sin.sin_addr));
 	
 		inbuf = 0;	

contrib/ipfilter/tools/ipsyncs.c

@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $";
 #endif
 #include <sys/types.h>
 #include <sys/time.h>
@@ -21,7 +21,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
 #include <stdio.h>
 #include <stdlib.h>
 #include <fcntl.h>
-#include <strings.h>
+#include <string.h>
 #include <unistd.h>
 #include <syslog.h>
 #include <errno.h>
@@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
 #include "netinet/ip_sync.h"
 
 int	main __P((int, char *[]));
+void	usage __P((const char *progname));
 
 int	terminate = 0;
 
@@ -43,11 +44,12 @@ void usage(const char *progname) {
 		progname);
 }
 
+#if 0
 static void handleterm(int sig)
 {
 	terminate = sig;
-
 }
+#endif
 
 #define BUFFERLEN 1400
 
@@ -132,8 +134,7 @@ char *argv[];
 			goto tryagain;
 		}
 
-		syslog(LOG_INFO, "Established connection to %s",
+		syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-		       inet_ntoa(sin.sin_addr));
 	
 		inbuf = 0;	
 		while (1) {
@@ -225,14 +226,15 @@ moreinbuf:
 			n2 = sizeof(*sh) + len;
 			n3 = write(lfd, buff, n2);
 			if (n3 <= 0) {
-				syslog(LOG_ERR, "Write error: %m");
+				syslog(LOG_ERR, "%s: Write error: %m",
+				       IPSYNC_NAME);
 				goto tryagain;
 			}
 
 			
 			if (n3 != n2) {
-				syslog(LOG_ERR, "Incomplete write (%d/%d)",
+				syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
-				       n3, n2);
+				       IPSYNC_NAME, n3, n2);
 				goto tryagain;
 			}
 

contrib/ipfilter/tools/lexer.c

@@ -172,6 +172,8 @@ nextchar:
 	switch (c)
 	{
 	case '\n' :
+		lnext = 0;
+		nokey = 0;
 	case '\t' :
 	case '\r' :
 	case ' ' :