With a bit of luck, this will be a first-time-right import of ipfilter 3.4.29 onto the vendor branch.
Darren Reed 2002-08-28 13:42:48 +00:00
parent a8e3e73627
commit f7a96e18f1
31 changed files with 435 additions and 138 deletions


@ -231,7 +231,7 @@ clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \ vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
y.tab.? lex.yy.c ipfs y.tab.? lex.yy.c ipfs
${RM} -f ../opt_inet6.h ${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat
${MAKE} -f Makefile.ipsend ${MFLAGS} clean ${MAKE} -f Makefile.ipsend ${MFLAGS} clean
-(for i in *; do \ -(for i in *; do \
@ -243,8 +243,11 @@ clean:
done) done)
install: install:
-$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
-$(CHMOD) 444 /usr/include/netinet/ip_fil.h ip_frag.h ip_auth.h; do \
/bin/cp $(TOP)/$$i /usr/include/netinet/; \
-$(CHMOD) 444 /usr/include/netinet/$$i; \
done
-if [ -d /lkm -a -f if_ipl.o ] ; then \ -if [ -d /lkm -a -f if_ipl.o ] ; then \
cp if_ipl.o /lkm; \ cp if_ipl.o /lkm; \
fi fi
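Review bot: The new header-install loop copies with a hard-coded `/bin/cp` while the lines it replaces, and the rest of the Makefile, go through the `$(CP)` macro, so an overridden CP no longer applies to header installation; `/bin/cp $(TOP)/$$i /usr/include/netinet/; \` should read `$(CP) $(TOP)/$$i /usr/include/netinet/; \`. The leading `-` on the `$(CHMOD)` line makes a failed chmod non-fatal inside the loop while the copy on the line above is fatal; if that is intended, a short comment such as `# chmod may fail on read-only or foreign /usr/include; not fatal` would record it. The install target may continue past this hunk.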


@ -22,6 +22,29 @@
# and especially those who have found the time to port IP Filter to new # and especially those who have found the time to port IP Filter to new
# platforms. # platforms.
# #
3.4.29 28/8/2002 - Released
Make substantial changes to the FTP proxy to improve reliability, security
and functionality.
don't send ICMP errors/TCP RST's in response to blocked proxy packets
fix potential memory leaks when unloading ipfilter from kernel
fix bug in SIOCGNATL handler that did not preserve the expected
byte order from earlier versions in the port number
set do not fragment flag in generated packets according to system flags,
where available.
preserve filter rule number and group number in state structure
fix bug in ipmon printing of p/P/b/B
make some changes to the kmem.c code for IRIX compatibility
add code to specifically handle ip.tun* interfaces on Solaris
3.4.28 6/6/2002 - Released 3.4.28 6/6/2002 - Released
Fix for H.323 proxy to work on little endian boxes Fix for H.323 proxy to work on little endian boxes


@ -97,7 +97,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $";
#endif #endif
#ifndef _KERNEL #ifndef _KERNEL
@ -1076,7 +1076,7 @@ int out;
fin->fin_fr = fr; fin->fin_fr = fr;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_fl & FI_FRAG) { if (fin->fin_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1) { if (ipfr_newfrag(ip, fin) == -1) {
ATOMIC_INCL(frstats[out].fr_bnfr); ATOMIC_INCL(frstats[out].fr_bnfr);
} else { } else {
ATOMIC_INCL(frstats[out].fr_nfr); ATOMIC_INCL(frstats[out].fr_nfr);
@ -1191,7 +1191,16 @@ logit:
* some operating systems. * some operating systems.
*/ */
if (!out) { if (!out) {
if (pass & FR_RETICMP) { if (changed == -1)
/*
* If a packet results in a NAT error, do not
* send a reset or ICMP error as it may disrupt
* an existing flow. This is the proxy saying
* the content is bad so just drop the packet
* silently.
*/
;
else if (pass & FR_RETICMP) {
int dst; int dst;
if ((pass & FR_RETMASK) == FR_FAKEICMP) if ((pass & FR_RETMASK) == FR_FAKEICMP)
@ -1501,7 +1510,7 @@ nodata:
* SUCH DAMAGE. * SUCH DAMAGE.
* *
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
*/ */
/* /*
* Copy data from an mbuf chain starting "off" bytes from the beginning, * Copy data from an mbuf chain starting "off" bytes from the beginning,
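Review bot: In the `logit:` hunk the new `if (changed == -1)` branch has a bare `;` as its body, placed after a seven-line comment, so a reader can easily take the comment as belonging to the following `else if (pass & FR_RETICMP)` and miss that the first branch deliberately does nothing. A braced empty block makes the intent visible: `if (changed == -1) { /* NAT/proxy rejected the packet; drop silently (see above) */ } else if (pass & FR_RETICMP) {`. Where `changed` is assigned is outside this hunk, so whether -1 is the only "proxy rejected" value cannot be confirmed from here. The enclosing function starts and ends outside the hunk.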


@ -94,7 +94,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $";
#endif #endif
extern char *optarg; extern char *optarg;
@ -197,7 +197,7 @@ char *argv[];
ipfrstat_t *ifrstp = &ifrst; ipfrstat_t *ifrstp = &ifrst;
char *device = IPL_NAME, *memf = NULL; char *device = IPL_NAME, *memf = NULL;
char *kern = NULL; char *kern = NULL;
int c, fd, myoptind; int c, myoptind;
struct protoent *proto; struct protoent *proto;
int protocol = -1; /* -1 = wild card for any protocol */ int protocol = -1; /* -1 = wild card for any protocol */
@ -354,8 +354,8 @@ char *argv[];
bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ipsst, sizeof(ipsst));
bzero((char *)&ifrst, sizeof(ifrst)); bzero((char *)&ifrst, sizeof(ifrst));
fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp, ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf); &frauthstp, &frf);
} else } else
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
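Review bot: Dropping `fd` turns `ipfstate_live(device, ...)` into a call whose result is silently discarded; if that return value can signal an open or ioctl failure, the program continues into the dead/live reporting path as if it had succeeded. If the result is genuinely not needed, the file's own idiom (`(void) frflush(...)` in ip_sfil.c) documents that: `(void) ipfstate_live(device, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);`. Otherwise a check and exit on failure would be the more useful fix. The enclosing `main` body starts and ends outside this hunk.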


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_compat.h 1.8 1/14/96 * @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $
*/ */
#ifndef __IP_COMPAT_H__ #ifndef __IP_COMPAT_H__
@ -186,6 +186,9 @@ typedef struct qif {
*/ */
size_t qf_hl; /* header length */ size_t qf_hl; /* header length */
int qf_sap; int qf_sap;
# if SOLARIS2 >= 8
int qf_tunoff; /* tunnel offset */
#endif
size_t qf_incnt; size_t qf_incnt;
size_t qf_outcnt; size_t qf_outcnt;
} qif_t; } qif_t;
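Review bot: The closing `#endif` for the new `qf_tunoff` field sits at column 0, while the matching `# if SOLARIS2 >= 8` follows the header's nested-directive indentation; writing it as `# endif /* SOLARIS2 >= 8 */` keeps the nesting readable and names what it closes. Note also that the field makes the `qif_t` layout depend on `SOLARIS2`, so anything outside the kernel that reads a `qif_t` (e.g. via kmem) must be built with the same definition; that dependency is not visible in the hunk and deserves a one-line comment next to the field. The struct definition starts outside the hunk.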


@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *));
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $";
#endif #endif
@ -157,6 +157,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
fr_info_t *, frdest_t *)); fr_info_t *, frdest_t *));
# endif # endif
# ifdef __sgi # ifdef __sgi
extern int tcp_mtudisc;
extern kmutex_t ipf_rw; extern kmutex_t ipf_rw;
extern KRWLOCK_T ipf_mutex; extern KRWLOCK_T ipf_mutex;
# endif # endif
@ -482,7 +483,7 @@ int ipl_disable()
int ipldetach() int ipldetach()
# endif # endif
{ {
int s, i = FR_INQUE|FR_OUTQUE; int s, i;
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
int error = 0; int error = 0;
# if __NetBSD_Version__ >= 105150000 # if __NetBSD_Version__ >= 105150000
@ -523,7 +524,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version); printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep; fr_checkp = fr_savep;
i = frflush(IPL_LOGIPF, i); i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
fr_running = 0; fr_running = 0;
# ifdef NETBSD_PF # ifdef NETBSD_PF
@ -1244,7 +1246,17 @@ struct mbuf **mp;
ip->ip_v = IPVERSION; ip->ip_v = IPVERSION;
ip->ip_tos = oip->ip_tos; ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id; ip->ip_id = oip->ip_id;
ip->ip_off = 0;
# if defined(__NetBSD__) || defined(__OpenBSD__)
if (ip_mtudisc != 0)
ip->ip_off = IP_DF;
# else
# if defined(__sgi)
if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
ip->ip_off = IP_DF;
# endif
# endif
# if (BSD < 199306) || defined(__sgi) # if (BSD < 199306) || defined(__sgi)
ip->ip_ttl = tcp_ttl; ip->ip_ttl = tcp_ttl;
# else # else
@ -1671,7 +1683,8 @@ frdest_t *fdp;
*/ */
if (ip->ip_len <= ifp->if_mtu) { if (ip->ip_len <= ifp->if_mtu) {
# ifndef sparc # ifndef sparc
# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) # if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
!(__NetBSD_Version__ >= 105110000)
ip->ip_id = htons(ip->ip_id); ip->ip_id = htons(ip->ip_id);
# endif # endif
ip->ip_len = htons(ip->ip_len); ip->ip_len = htons(ip->ip_len);
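Review bot: In the hunk that builds the generated packet (`ip->ip_off = 0;` through the `# endif` pair), `ip->ip_off = IP_DF` is stored in host byte order, whereas the equivalent new Solaris code in ip_sfil.c writes `htons(*ip_mtudisc ? IP_DF : 0)`; on BSD the output path presumably expects host order, so this is likely correct, but the two paths now disagree and a comment stating which order the following output call wants would prevent a later "fix" in the wrong direction. `ip_mtudisc` is used under the NetBSD/OpenBSD branch without a declaration visible in this section (only `tcp_mtudisc` is declared for `__sgi`), so it presumably comes from a system header; naming it in a comment would help. The enclosing function starts and ends outside the hunk.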


@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $";
#endif #endif
@ -120,7 +120,7 @@ extern kmutex_t ipf_rw;
#endif #endif
static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **)); static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **));
static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
static void ipfr_delete __P((ipfr_t *)); static void ipfr_delete __P((ipfr_t *));
@ -138,10 +138,9 @@ ipfrstat_t *ipfr_fragstats()
* add a new entry to the fragment cache, registering it as having come * add a new entry to the fragment cache, registering it as having come
* through this box, with the result of the filter operation. * through this box, with the result of the filter operation.
*/ */
static ipfr_t *ipfr_new(ip, fin, pass, table) static ipfr_t *ipfr_new(ip, fin, table)
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
u_int pass;
ipfr_t *table[]; ipfr_t *table[];
{ {
ipfr_t **fp, *fra, frag; ipfr_t **fp, *fra, frag;
@ -198,7 +197,7 @@ ipfr_t *table[];
/* /*
* Instert the fragment into the fragment table, copy the struct used * Instert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field. * in the search using bcopy rather than reassign each field.
* Set the ttl to the default and mask out logging from "pass" * Set the ttl to the default.
*/ */
if ((fra->ipfr_next = table[idx])) if ((fra->ipfr_next = table[idx]))
table[idx]->ipfr_prev = fra; table[idx]->ipfr_prev = fra;
@ -220,17 +219,16 @@ ipfr_t *table[];
} }
int ipfr_newfrag(ip, fin, pass) int ipfr_newfrag(ip, fin)
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
u_int pass;
{ {
ipfr_t *ipf; ipfr_t *ipf;
if ((ip->ip_v != 4) || (fr_frag_lock)) if ((ip->ip_v != 4) || (fr_frag_lock))
return -1; return -1;
WRITE_ENTER(&ipf_frag); WRITE_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads); ipf = ipfr_new(ip, fin, ipfr_heads);
RWLOCK_EXIT(&ipf_frag); RWLOCK_EXIT(&ipf_frag);
if (ipf == NULL) { if (ipf == NULL) {
ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr); ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
@ -241,10 +239,9 @@ u_int pass;
} }
int ipfr_nat_newfrag(ip, fin, pass, nat) int ipfr_nat_newfrag(ip, fin, nat)
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
u_int pass;
nat_t *nat; nat_t *nat;
{ {
ipfr_t *ipf; ipfr_t *ipf;
@ -256,10 +253,10 @@ nat_t *nat;
off = fin->fin_off; off = fin->fin_off;
off <<= 3; off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)) if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL; return -1;
WRITE_ENTER(&ipf_natfrag); WRITE_ENTER(&ipf_natfrag);
ipf = ipfr_new(ip, fin, pass, ipfr_nattab); ipf = ipfr_new(ip, fin, ipfr_nattab);
if (ipf != NULL) { if (ipf != NULL) {
ipf->ipfr_data = nat; ipf->ipfr_data = nat;
nat->nat_data = ipf; nat->nat_data = ipf;
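Review bot: The block comment above `ipfr_new` still says the entry is registered "with the result of the filter operation", but the commit removes the `pass` argument that carried that result, so the comment now describes a parameter that no longer exists; the in-body comment a few lines further down was updated, the header was not. Suggest `* add a new entry to the fragment cache, registering it as having come through this box.` and, while there, fixing "Instert" in the context line. The change of `return NULL` to `return -1` in `ipfr_nat_newfrag` is the right fix for an `int` function; the corresponding caller checks are outside this section.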


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_frag.h 1.5 3/24/96 * @(#)ip_frag.h 1.5 3/24/96
* $Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp $ * $Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp $
*/ */
#ifndef __IP_FRAG_H__ #ifndef __IP_FRAG_H__
@ -48,8 +48,8 @@ typedef struct ipfrstat {
extern int fr_ipfrttl; extern int fr_ipfrttl;
extern int fr_frag_lock; extern int fr_frag_lock;
extern ipfrstat_t *ipfr_fragstats __P((void)); extern ipfrstat_t *ipfr_fragstats __P((void));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int)); extern int ipfr_newfrag __P((ip_t *, fr_info_t *));
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *)); extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_forget __P((void *)); extern void ipfr_forget __P((void *));


@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT * Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code. * code.
* *
* $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $
*/ */
#if SOLARIS && defined(_KERNEL) #if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw; extern kmutex_t ipf_rw;
@ -294,7 +294,7 @@ int dlen;
ip->ip_len = slen; ip->ip_len = slen;
ip->ip_src = swip; ip->ip_src = swip;
} }
return APR_INC(inc); return inc;
} }
@ -577,7 +577,7 @@ int dlen;
wptr = f->ftps_wptr; wptr = f->ftps_wptr;
if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
return inc; return 0;
if (ftp->ftp_passok == FTPXY_GO) { if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4)) if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
@ -717,6 +717,10 @@ size_t len;
} }
/*
* rv == 0 for outbound processing,
* rv == 1 for inbound processing.
*/
int ippr_ftp_process(fin, ip, nat, ftp, rv) int ippr_ftp_process(fin, ip, nat, ftp, rv)
fr_info_t *fin; fr_info_t *fin;
ip_t *ip; ip_t *ip;
@ -724,15 +728,16 @@ nat_t *nat;
ftpinfo_t *ftp; ftpinfo_t *ftp;
int rv; int rv;
{ {
int mlen, len, off, inc, i, sel; int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
u_32_t thseq, thack;
char *rptr, *wptr; char *rptr, *wptr;
ap_session_t *aps;
ftpside_t *f, *t; ftpside_t *f, *t;
tcphdr_t *tcp; tcphdr_t *tcp;
mb_t *m; mb_t *m;
tcp = (tcphdr_t *)fin->fin_dp; tcp = (tcphdr_t *)fin->fin_dp;
off = fin->fin_hlen + (tcp->th_off << 2); off = fin->fin_hlen + (tcp->th_off << 2);
#if SOLARIS && defined(_KERNEL) #if SOLARIS && defined(_KERNEL)
m = fin->fin_qfm; m = fin->fin_qfm;
#else #else
@ -750,46 +755,149 @@ int rv;
#endif #endif
mlen -= off; mlen -= off;
aps = nat->nat_aps;
t = &ftp->ftp_side[1 - rv]; t = &ftp->ftp_side[1 - rv];
f = &ftp->ftp_side[rv]; f = &ftp->ftp_side[rv];
if (!mlen) { thseq = ntohl(tcp->th_seq);
if (!t->ftps_seq || thack = ntohl(tcp->th_ack);
(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0)
t->ftps_seq = ntohl(tcp->th_ack);
f->ftps_len = 0;
return 0;
}
rptr = f->ftps_rptr; sel = aps->aps_sel[1 - rv];
wptr = f->ftps_wptr; sel2 = aps->aps_sel[rv];
if (rv == 0) {
i = 0; seqoff = aps->aps_seqoff[sel];
sel = nat->nat_aps->aps_sel[1 - rv]; if (aps->aps_seqmin[sel] > seqoff + thseq)
if (rv) { seqoff = aps->aps_seqoff[!sel];
if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) ackoff = aps->aps_ackoff[sel2];
i = nat->nat_aps->aps_ackoff[sel]; if (aps->aps_ackmin[sel2] > ackoff + thack)
ackoff = aps->aps_ackoff[!sel2];
} else { } else {
if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) #if PROXY_DEBUG
i = nat->nat_aps->aps_seqoff[sel]; printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
aps->aps_ackmin[sel]);
#endif
seqoff = aps->aps_ackoff[sel];
if (aps->aps_ackmin[sel] > seqoff + thseq)
seqoff = aps->aps_ackoff[!sel];
#if PROXY_DEBUG
printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
aps->aps_seqmin[sel2]);
#endif
ackoff = aps->aps_seqoff[sel2];
if (ackoff > 0) {
if (aps->aps_seqmin[sel2] > ackoff + thack)
ackoff = aps->aps_seqoff[!sel2];
} else {
if (aps->aps_seqmin[sel2] > thack)
ackoff = aps->aps_seqoff[!sel2];
}
} }
#if PROXY_DEBUG
printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? "IN" : "OUT",
tcp->th_flags, thseq, seqoff, thack, ackoff, mlen);
printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
#endif
/* /*
* XXX - Ideally, this packet should get dropped because we now know * XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so * that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered). * apart from causing packets to go through here ordered).
*/ */
if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) #if PROXY_DEBUG
f->ftps_seq = ntohl(tcp->th_seq); printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
#endif
ok = 0;
if (t->ftps_seq[0] == 0)
t->ftps_seq[0] = thack, ok = 1;
else { else {
inc = ntohl(tcp->th_seq) - f->ftps_seq; if (ackoff == 0) {
if (inc < 0) if (t->ftps_seq[0] == thack)
inc = -inc; ok = 1;
if (i < 0) else if (t->ftps_seq[1] == thack) {
i = -i; t->ftps_seq[0] = thack;
if (inc > i) { ok = 1;
return APR_ERR(1); }
} else {
if (t->ftps_seq[0] + ackoff == thack)
ok = 1;
else if (t->ftps_seq[0] == thack + ackoff)
ok = 1;
else if (t->ftps_seq[1] + ackoff == thack) {
t->ftps_seq[0] = thack - ackoff;
ok = 1;
} else if (t->ftps_seq[1] == thack + ackoff) {
t->ftps_seq[0] = thack - ackoff;
ok = 1;
}
} }
} }
#if PROXY_DEBUG
if (!ok)
printf("not ok\n");
#endif
if (!mlen) {
if (t->ftps_seq[0] + ackoff != thack)
return APR_ERR(1);
#if PROXY_DEBUG
printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
#endif
if (tcp->th_flags & TH_FIN) {
if (thseq + seqoff == f->ftps_seq[0] + 1 ||
f->ftps_seq[0] + seqoff + 1 == thseq ||
thseq + seqoff == f->ftps_seq[0] ||
thseq == f->ftps_seq[0] + seqoff)
;
else {
#if PROXY_DEBUG
printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
thseq, seqoff, f->ftps_seq[0]);
#endif
return APR_ERR(1);
}
}
f->ftps_len = 0;
return 0;
}
ok = 0;
if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1])
ok = 1;
/*
* Retransmitted data packet.
*/
else if (thseq + mlen == f->ftps_seq[0] ||
thseq + mlen == f->ftps_seq[1])
ok = 1;
if (ok == 0) {
inc = thseq - f->ftps_seq[0];
#if PROXY_DEBUG
printf("inc %d sel %d rv %d\n", inc, sel, rv);
printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
f->ftps_seq[1]);
printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
aps->aps_ackoff[sel]);
printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
aps->aps_seqoff[sel]);
#endif
return APR_ERR(1);
}
inc = 0; inc = 0;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
f->ftps_seq[0] = thseq;
f->ftps_seq[1] = f->ftps_seq[0] + mlen;
f->ftps_len = mlen; f->ftps_len = mlen;
while (mlen > 0) { while (mlen > 0) {
@ -833,6 +941,7 @@ int rv;
* ftp proxy for this connection. * ftp proxy for this connection.
*/ */
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
/* f->ftps_seq[1] += inc; */
return APR_ERR(2); return APR_ERR(2);
} }
@ -873,7 +982,24 @@ int rv;
} }
} }
t->ftps_seq = ntohl(tcp->th_ack); /* f->ftps_seq[1] += inc; */
if (tcp->th_flags & TH_FIN)
f->ftps_seq[1]++;
#ifndef _KERNEL
mlen = mbuflen(m);
#else
# if SOLARIS
mlen = msgdsize(m);
# else
mlen = mbufchainlen(m);
# endif
#endif
off = fin->fin_hlen + (tcp->th_off << 2);
mlen -= off;
#if PROXY_DEBUG
printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
#endif
f->ftps_rptr = rptr; f->ftps_rptr = rptr;
f->ftps_wptr = wptr; f->ftps_wptr = wptr;
return APR_INC(inc); return APR_INC(inc);
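Review bot: In `ippr_ftp_process` the `ok` flag computed over the `t->ftps_seq[0]` / `ackoff` comparisons is consumed only by the `#if PROXY_DEBUG` `printf("not ok\n")`, so an acknowledgement that matches none of the expected values never changes how the segment is processed; either that validation should gate processing (for example `if (!ok) return APR_ERR(1);` after the debug print) or it should be documented as diagnostic-only, since a reader will otherwise assume it is enforced. The comma expression `t->ftps_seq[0] = thack, ok = 1;` is better written as two statements or a braced block for consistency with the surrounding `else` branches. All the `#if PROXY_DEBUG` blocks in this file rely on the macro being defined by the including file (ip_proxy.c); a `#ifndef PROXY_DEBUG` fallback at the top of this file would make it compile standalone. The function body continues outside the final hunk.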


@ -9,6 +9,7 @@
* authorized by a written license agreement from QSSL. For more information, * authorized by a written license agreement from QSSL. For more information,
* please email licensing@qnx.com. * please email licensing@qnx.com.
* *
* For more details, see QNX_OCL.txt provided with this distribution.
*/ */
/* /*


@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $";
#endif #endif
nat_t **nat_table[2] = { NULL, NULL }, nat_t **nat_table[2] = { NULL, NULL },
@ -2265,8 +2265,8 @@ register natlookup_t *np;
fr_info_t fi; fr_info_t fi;
bzero((char *)&fi, sizeof(fi)); bzero((char *)&fi, sizeof(fi));
fi.fin_data[0] = np->nl_inport; fi.fin_data[0] = ntohs(np->nl_inport);
fi.fin_data[1] = np->nl_outport; fi.fin_data[1] = ntohs(np->nl_outport);
/* /*
* If nl_inip is non null, this is a lookup based on the real * If nl_inip is non null, this is a lookup based on the real
@ -2448,7 +2448,7 @@ maskloop:
if (nat) { if (nat) {
np = nat->nat_ptr; np = nat->nat_ptr;
if (natadd && (fin->fin_fl & FI_FRAG) && np) if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat); ipfr_nat_newfrag(ip, fin, nat);
MUTEX_ENTER(&nat->nat_lock); MUTEX_ENTER(&nat->nat_lock);
if (fin->fin_p != IPPROTO_TCP) { if (fin->fin_p != IPPROTO_TCP) {
if (np && np->in_age[1]) if (np && np->in_age[1])
@ -2540,6 +2540,8 @@ maskloop:
i = appr_check(ip, fin, nat); i = appr_check(ip, fin, nat);
if (i == 0) if (i == 0)
i = 1; i = 1;
else if (i == -1)
nat->nat_drop[1]++;
} else } else
i = 1; i = 1;
ATOMIC_INCL(nat_stats.ns_mapped[1]); ATOMIC_INCL(nat_stats.ns_mapped[1]);
@ -2664,11 +2666,12 @@ maskloop:
np = nat->nat_ptr; np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr; fin->fin_fr = nat->nat_fr;
if (natadd && (fin->fin_fl & FI_FRAG) && np) if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat); ipfr_nat_newfrag(ip, fin, nat);
if (np && (np->in_apr != NULL) && (np->in_dport == 0 || if (np && (np->in_apr != NULL) && (np->in_dport == 0 ||
(tcp != NULL && sport == np->in_dport))) { (tcp != NULL && sport == np->in_dport))) {
i = appr_check(ip, fin, nat); i = appr_check(ip, fin, nat);
if (i == -1) { if (i == -1) {
nat->nat_drop[0]++;
RWLOCK_EXIT(&ipf_nat); RWLOCK_EXIT(&ipf_nat);
return i; return i;
} }
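Review bot: The new `nat->nat_drop[1]++` and `nat->nat_drop[0]++` counters are plain increments, while the neighbouring statistic on the same path uses `ATOMIC_INCL(nat_stats.ns_mapped[1])`; unless both increments sit under `nat->nat_lock` (not visible in these hunks), concurrent updates on an MP kernel can be lost. The file already has an atomic for `u_int` fields (`ATOMIC_INC32` is used on `fr_ref`), so `ATOMIC_INC32(nat->nat_drop[1]);` would match. The byte-order fix in the `natlookup` hunk (`ntohs(np->nl_inport)`) matches the HISTORY entry and needs no change. Both enclosing functions start and end outside the hunks.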


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_nat.h 1.5 2/4/96 * @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $ * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
*/ */
#ifndef __IP_NAT_H__ #ifndef __IP_NAT_H__
@ -77,6 +77,7 @@ typedef struct nat {
struct in_addr nat_oip; /* other ip */ struct in_addr nat_oip; /* other ip */
U_QUAD_T nat_pkts; U_QUAD_T nat_pkts;
U_QUAD_T nat_bytes; U_QUAD_T nat_bytes;
u_int nat_drop[2];
u_short nat_oport; /* other port */ u_short nat_oport; /* other port */
u_short nat_inport; u_short nat_inport;
u_short nat_outport; u_short nat_outport;
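Review bot: The new `u_int nat_drop[2];` field has no trailing comment, unlike its neighbours (`/* other ip */`, `/* other port */`), and the index meaning is only discoverable from ip_nat.c, where `nat_drop[1]` is bumped beside `ns_mapped[1]` and `nat_drop[0]` on the other path. Suggest `u_int nat_drop[2]; /* packets rejected by the proxy: [0] in, [1] out (presumed) */`, confirming the direction mapping against the callers. Adding the field also changes the `struct nat` layout that userland tools read, which is expected for a release import but worth noting in the header comment.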


@ -75,7 +75,7 @@
#endif #endif
#if !defined(lint) #if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $";
#endif #endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi)) #if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@ -89,6 +89,8 @@ extern KRWLOCK_T ipf_nat, ipf_state;
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define PROXY_DEBUG 0
#define AP_SESS_SIZE 53 #define AP_SESS_SIZE 53
#include "netinet/ip_ftp_pxy.c" #include "netinet/ip_ftp_pxy.c"
@ -313,9 +315,19 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif #endif
if (sum != tcp->th_sum) { if (sum != tcp->th_sum) {
#if PROXY_DEBUG
printf("proxy tcp checksum failure\n");
#endif
frstats[fin->fin_out].fr_tcpbad++; frstats[fin->fin_out].fr_tcpbad++;
return -1; return -1;
} }
/*
* Don't both the proxy with these...or in fact, should
* we free up proxy stuff when seen?
*/
if ((tcp->th_flags & TH_RST) != 0)
return 0;
} }
apr = aps->aps_apr; apr = aps->aps_apr;
@ -329,9 +341,16 @@ nat_t *nat;
} }
rv = APR_EXIT(err); rv = APR_EXIT(err);
if (rv == 1) if (rv == 1) {
#if PROXY_DEBUG
printf("proxy says bad packet received\n");
#endif
return -1; return -1;
}
if (rv == 2) { if (rv == 2) {
#if PROXY_DEBUG
printf("proxy says free app proxy data\n");
#endif
appr_free(apr); appr_free(apr);
nat->nat_aps = NULL; nat->nat_aps = NULL;
return -1; return -1;
@ -412,6 +431,9 @@ ap_session_t *aps;
} }
/*
* returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
*/
static int appr_fixseqack(fin, ip, aps, inc) static int appr_fixseqack(fin, ip, aps, inc)
fr_info_t *fin; fr_info_t *fin;
ip_t *ip; ip_t *ip;
@ -425,8 +447,12 @@ int inc;
tcp = (tcphdr_t *)fin->fin_dp; tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out; out = fin->fin_out;
/*
* ip_len has already been adjusted by 'inc'.
*/
nlen = ip->ip_len; nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
inc2 = inc; inc2 = inc;
inc = (int)inc2; inc = (int)inc2;
@ -436,8 +462,13 @@ int inc;
/* switch to other set ? */ /* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel])) (seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel; sel = aps->aps_sel[out] = !sel;
}
if (aps->aps_seqoff[sel]) { if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
@ -450,8 +481,13 @@ int inc;
} }
if (inc && (seq1 > aps->aps_seqmin[!sel])) { if (inc && (seq1 > aps->aps_seqmin[!sel])) {
aps->aps_seqmin[!sel] = seq1 + nlen - 1; aps->aps_seqmin[sel] = seq1 + nlen - 1;
aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc; aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy seq set %d at %x to %d + %d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqoff[sel],
inc);
#endif
} }
/***/ /***/
@ -461,8 +497,13 @@ int inc;
/* switch to other set ? */ /* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel])) (seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel; sel = aps->aps_sel[1 - out] = !sel;
}
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel]; seq2 = aps->aps_ackoff[sel];
@ -475,12 +516,16 @@ int inc;
/* switch to other set ? */ /* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel])) (seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel; sel = aps->aps_sel[out] = !sel;
}
if (aps->aps_ackoff[sel]) { if (aps->aps_ackoff[sel]) {
seq2 = aps->aps_ackmin[sel] - seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
aps->aps_ackoff[sel];
if (seq1 > seq2) { if (seq1 > seq2) {
seq2 = aps->aps_ackoff[sel]; seq2 = aps->aps_ackoff[sel];
seq1 += seq2; seq1 += seq2;
@ -492,6 +537,11 @@ int inc;
if (inc && (seq1 > aps->aps_ackmin[!sel])) { if (inc && (seq1 > aps->aps_ackmin[!sel])) {
aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackmin[!sel] = seq1 + nlen - 1;
aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy ack set %d at %x to %d + %d\n", !sel,
aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
inc);
#endif
} }
/***/ /***/
@ -501,15 +551,31 @@ int inc;
/* switch to other set ? */ /* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel])) (seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel; sel = aps->aps_sel[1 - out] = !sel;
}
if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) { if (aps->aps_seqoff[sel] != 0) {
seq2 = aps->aps_seqoff[sel]; #if PROXY_DEBUG
tcp->th_ack = htonl(seq1 - seq2); printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
ch = 1; aps->aps_seqoff[sel], seq1,
aps->aps_seqmin[sel]);
#endif
if (seq1 > aps->aps_seqmin[sel]) {
seq2 = aps->aps_seqoff[sel];
tcp->th_ack = htonl(seq1 - seq2);
ch = 1;
}
} }
} }
#if PROXY_DEBUG
printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
ntohl(tcp->th_ack));
#endif
return ch ? 2 : 0; return ch ? 2 : 0;
} }
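Review bot: In `appr_fixseqack`, the new debug message inside the ack-adjustment block (`printf("proxy ack set %d at %x to %d + %d\n", ...)`) prints `aps->aps_seqmin[!sel]` and `aps->aps_seqoff[sel]`, although the two lines just above update `aps_ackmin[!sel]` and `aps_ackoff[!sel]`; the arguments should be `aps->aps_ackmin[!sel], aps->aps_ackoff[!sel]` so the trace reflects what was written. Separately, the seq block now writes `aps_seqmin[sel]`/`aps_seqoff[sel]` while the ack block still writes `aps_ackmin[!sel]`/`aps_ackoff[!sel]`; if the asymmetry is intentional a one-line comment explaining it would stop the next reader "fixing" one to match the other. `#define PROXY_DEBUG 0` would be more convenient as `#ifndef PROXY_DEBUG` / `#define PROXY_DEBUG 0` / `#endif` so the build can enable it. Also "Don't both the proxy" in the new RST comment reads as "bother". The function ends in the last hunk but starts outside it.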


@ -3,7 +3,7 @@
* *
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* $Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp $ * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $
*/ */
#ifndef __IP_PROXY_H__ #ifndef __IP_PROXY_H__
@ -95,7 +95,7 @@ typedef struct aproxy {
typedef struct ftpside { typedef struct ftpside {
char *ftps_rptr; char *ftps_rptr;
char *ftps_wptr; char *ftps_wptr;
u_32_t ftps_seq; u_32_t ftps_seq[2];
u_32_t ftps_len; u_32_t ftps_len;
int ftps_junk; int ftps_junk;
int ftps_cmds; int ftps_cmds;
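Review bot: `ftps_seq` becoming a two-element array is the key interface change for the reworked FTP proxy, yet the field carries no comment saying what each index holds; from ip_ftp_pxy.c, `ftps_seq[0]` is assigned the segment's sequence number and `ftps_seq[1]` that value plus the data length. Suggest `u_32_t ftps_seq[2]; /* [0] seq of last data seen, [1] = [0] + its length (next expected) */`, confirming the wording against the proxy code. The struct definition starts outside the hunk.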


@ -7,7 +7,7 @@
*/ */
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $";
#endif #endif
#include <sys/types.h> #include <sys/types.h>
@ -63,8 +63,10 @@ u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t)); static int frzerostats __P((caddr_t));
#if SOLARIS2 >= 7 #if SOLARIS2 >= 7
static u_int *ip_ttl_ptr; static u_int *ip_ttl_ptr;
static u_int *ip_mtudisc;
#else #else
static u_long *ip_ttl_ptr; static u_long *ip_ttl_ptr;
static u_long *ip_mtudisc;
#endif #endif
static int frrequest __P((minor_t, int, caddr_t, int)); static int frrequest __P((minor_t, int, caddr_t, int));
@ -86,8 +88,8 @@ int ipldetach()
for (i = IPL_LOGMAX; i >= 0; i--) for (i = IPL_LOGMAX; i >= 0; i--)
ipflog_clear(i); ipflog_clear(i);
#endif #endif
i = FR_INQUE|FR_OUTQUE; i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
(void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
ipfr_unload(); ipfr_unload();
fr_stateunload(); fr_stateunload();
ip_natunload(); ip_natunload();
@ -142,16 +144,22 @@ int iplattach __P((void))
return -1; return -1;
ip_ttl_ptr = NULL; ip_ttl_ptr = NULL;
ip_mtudisc = NULL;
/* /*
* XXX - There is no terminator for this array, so it is not possible * XXX - There is no terminator for this array, so it is not possible
* to tell if what we are looking for is missing and go off the end * to tell if what we are looking for is missing and go off the end
* of the array. * of the array.
*/ */
for (i = 0; ; i++) { for (i = 0; ; i++) {
if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
ip_ttl_ptr = &ip_param_arr[i].ip_param_value; ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
break; } else if (strcmp(ip_param_arr[i].ip_param_name,
"ip_path_mtu_discovery") == 0) {
ip_mtudisc = &ip_param_arr[i].ip_param_value;
} }
if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
break;
} }
return 0; return 0;
} }
@ -799,6 +807,7 @@ mblk_t *m;
ip = (ip_t *)m->b_rptr; ip = (ip_t *)m->b_rptr;
ip->ip_v = IPVERSION; ip->ip_v = IPVERSION;
ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip->ip_ttl = (u_char)(*ip_ttl_ptr);
ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
} }
READ_ENTER(&ipf_solaris); READ_ENTER(&ipf_solaris);
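Review bot: The `ip_param_arr` walk now breaks only once both `ip_def_ttl` and `ip_path_mtu_discovery` have been found, and the comment directly above it says the array has no terminator; on a kernel whose parameter table lacks `ip_path_mtu_discovery` the loop walks off the end (previously it stopped at `ip_def_ttl`), and `ip_mtudisc` stays NULL only if the loop somehow exits. The send path then dereferences `*ip_mtudisc` unconditionally even though `iplattach` initialises it to NULL. I would bound the search on the name pointer, `if (ip_param_arr[i].ip_param_name == NULL) break;` (assuming the table is NULL-terminated or padded — confirm against the Solaris headers), and make the DF decision tolerate a missing parameter: `ip->ip_off = htons((ip_mtudisc != NULL && *ip_mtudisc) ? IP_DF : 0);`. The enclosing functions (`iplattach` and the send routine) start outside these hunks.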


@ -93,7 +93,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $";
#endif #endif
#ifndef MIN #ifndef MIN
@ -741,6 +741,7 @@ u_int flags;
is->is_hv = hv; is->is_hv = hv;
is->is_rule = fin->fin_fr; is->is_rule = fin->fin_fr;
if (is->is_rule != NULL) { if (is->is_rule != NULL) {
is->is_group = is->is_rule->fr_group;
ATOMIC_INC32(is->is_rule->fr_ref); ATOMIC_INC32(is->is_rule->fr_ref);
pass = is->is_rule->fr_flags; pass = is->is_rule->fr_flags;
is->is_frage[0] = is->is_rule->fr_age[0]; is->is_frage[0] = is->is_rule->fr_age[0];
@ -810,7 +811,7 @@ u_int flags;
RWLOCK_EXIT(&ipf_state); RWLOCK_EXIT(&ipf_state);
fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); ipfr_newfrag(ip, fin);
return is; return is;
} }
@ -1066,7 +1067,7 @@ tcphdr_t *tcp;
} else { } else {
is->is_src = fin->fin_fi.fi_dst; is->is_src = fin->fin_fi.fi_dst;
} }
} else if ((flags & FI_W_DPORT) != 0) { } else if ((flags & FI_W_DADDR) != 0) {
if (rev == 0) { if (rev == 0) {
is->is_dst = fin->fin_fi.fi_dst; is->is_dst = fin->fin_fi.fi_dst;
} else { } else {
@ -1402,7 +1403,8 @@ fr_info_t *fin;
tcphdr_t *tcp; tcphdr_t *tcp;
int rev; int rev;
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT)) if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock ||
(fin->fin_fl & FI_SHORT))
return NULL; return NULL;
is = NULL; is = NULL;
@ -1633,7 +1635,7 @@ retry_tcpudp:
pass = is->is_pass; pass = is->is_pass;
RWLOCK_EXIT(&ipf_state); RWLOCK_EXIT(&ipf_state);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); ipfr_newfrag(ip, fin);
#ifndef _KERNEL #ifndef _KERNEL
if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE)) if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE))
fr_delstate(is); fr_delstate(is);
@ -2044,6 +2046,8 @@ u_int type;
ipsl.isl_p = is->is_p; ipsl.isl_p = is->is_p;
ipsl.isl_v = is->is_v; ipsl.isl_v = is->is_v;
ipsl.isl_flags = is->is_flags; ipsl.isl_flags = is->is_flags;
ipsl.isl_rulen = is->is_rulen;
ipsl.isl_group = is->is_group;
if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
ipsl.isl_sport = is->is_sport; ipsl.isl_sport = is->is_sport;
ipsl.isl_dport = is->is_dport; ipsl.isl_dport = is->is_dport;
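Review bot: `is->is_group` is assigned only inside the `if (is->is_rule != NULL)` branch in `fr_addstate`, yet the logging hunk copies it into `ipsl.isl_group` for every state entry; unless the entry is zero-filled on allocation (not visible in these hunks) a state created without a rule logs an uninitialised group. Setting it explicitly before the branch, `is->is_group = 0;`, removes the dependency on the allocator. The `ips_list == NULL` early return in the lookup path is an unlocked read of the list head (no lock is taken before it in the hunk); that is fine as a fast-path but deserves a one-line comment saying it is intentionally done without `ipf_state` held. Both enclosing functions start outside the hunks shown.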


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $ * $Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp $
*/ */
#ifndef __IP_STATE_H__ #ifndef __IP_STATE_H__
#define __IP_STATE_H__ #define __IP_STATE_H__
@ -86,6 +86,7 @@ typedef struct ipstate {
tcpstate_t is_ts; tcpstate_t is_ts;
udpstate_t is_us; udpstate_t is_us;
} is_ps; } is_ps;
u_32_t is_group;
char is_ifname[4][IFNAMSIZ]; char is_ifname[4][IFNAMSIZ];
#if SOLARIS || defined(__sgi) #if SOLARIS || defined(__sgi)
kmutex_t is_lock; kmutex_t is_lock;
@ -147,6 +148,8 @@ typedef struct ipslog {
u_char isl_p; u_char isl_p;
u_char isl_flags; u_char isl_flags;
u_char isl_state[2]; u_char isl_state[2];
u_32_t isl_rulen;
u_32_t isl_group;
} ipslog_t; } ipslog_t;
#define isl_sport isl_ps.isl_ports[0] #define isl_sport isl_ps.isl_ports[0]
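Review bot: `ipslog_t` grows by two `u_32_t` fields and `ipstate_t` gains `is_group` ahead of `is_ifname`, and neither struct carries a version or size marker; `ipslog_t` is the record handed to log readers and `ipstate_t` is copied out of kernel memory by the user-level tools, so an `ipmon` or `ipfstat` built against the old header will misparse records or field offsets against this kernel module. Nothing in the diff bumps a version to catch that. I would at least add a comment above `typedef struct ipslog`: `/* Written verbatim to the state log; any change to this layout requires rebuilding ipmon and is not backward compatible. */` and a similar one on `ipstate` noting that ipfstat reads it via kmem.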

View File

@ -50,7 +50,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $";
#endif #endif
#if SOLARIS #if SOLARIS
@ -389,7 +389,7 @@ int *linenum;
static void packetlogon(opt) static void packetlogon(opt)
char *opt; char *opt;
{ {
int flag, err; int flag;
flag = get_flags(); flag = get_flags();
if (flag != 0) { if (flag != 0) {
@ -415,7 +415,7 @@ char *opt;
printf("set log flag: block\n"); printf("set log flag: block\n");
} }
if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag))) if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0))
perror("ioctl(SIOCSETFF)"); perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {


@ -52,7 +52,7 @@ etherfind -n -t
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
#endif #endif
static int etherf_open __P((char *)); static int etherf_open __P((char *));
@ -97,7 +97,7 @@ int cnt, *dir;
struct protoent *p = NULL; struct protoent *p = NULL;
char src[16], dst[16], sprt[16], dprt[16]; char src[16], dst[16], sprt[16], dprt[16];
char lbuf[128], len[8], prot[8], time[8], *s; char lbuf[128], len[8], prot[8], time[8], *s;
int slen, extra = 0, i, n; int slen, extra = 0, i;
if (!fgets(lbuf, sizeof(lbuf) - 1, efp)) if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
return 0; return 0;
@ -108,10 +108,10 @@ int cnt, *dir;
bzero(&pkt, sizeof(pkt)); bzero(&pkt, sizeof(pkt));
if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
sprt, dprt)) != 6) sprt, dprt) != 6)
if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time, if (sscanf(lbuf, "%s %s %s %s %s %s %s", time,
len, prot, src, dst, sprt, dprt)) != 7) len, prot, src, dst, sprt, dprt) != 7)
return -1; return -1;
ip->ip_p = atoi(prot); ip->ip_p = atoi(prot);
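Review bot: Both `sscanf` calls use unbounded `%s` conversions into `len[8]`, `prot[8]`, `time[8]` and the 16-byte `src`/`dst`/`sprt`/`dprt` buffers while `lbuf` holds up to 127 characters, so a single long token in the trace file overflows the stack; the commit only drops the unused `n`. Use width limits one less than each buffer: `"%7s %7s %15s %15s %15s %15s"` and `"%7s %7s %7s %15s %15s %15s %15s"`. The input is a locally supplied etherfind trace, so this is a robustness rather than remote issue, but ipftest is run on untrusted captures often enough to warrant it. The enclosing read function starts outside the hunk.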


@ -61,7 +61,7 @@ tcpdump -nqte
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
#endif #endif
static int tcpd_open __P((char *)); static int tcpd_open __P((char *));
@ -120,7 +120,7 @@ int cnt, *dir;
struct protoent *p; struct protoent *p;
char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
char lbuf[160], *s; char lbuf[160], *s;
int n, dots, slen, extra = 0; int n, slen, extra = 0;
if (!fgets(lbuf, sizeof(lbuf) - 1, tfp)) if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
return 0; return 0;
@ -142,7 +142,7 @@ int cnt, *dir;
return -1; return -1;
} }
if ((dots = count_dots(dst)) == 4) { if (count_dots(dst) == 4) {
s = strrchr(src, '.'); s = strrchr(src, '.');
*s++ = '\0'; *s++ = '\0';
(void) inet_aton(src, &ip->ip_src); (void) inet_aton(src, &ip->ip_src);
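Review bot: `strrchr(src, '.')` is dereferenced without a NULL check; the `count_dots(dst) == 4` guard validates only `dst`, so a `src` token with no dot (a bare hostname from a trace taken without `-n`, for example) makes `*s++ = '\0'` write through NULL. Add `if (s == NULL) return -1;` between the `strrchr` and the assignment, mirroring the `return -1` used for the other parse failures in this function. The enclosing read function starts outside the hunk.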


@ -44,7 +44,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $";
#endif #endif
extern int opts; extern int opts;
@ -177,10 +177,8 @@ char *buf, **ifn;
int cnt, *dir; int cnt, *dir;
{ {
register char *s; register char *s;
ip_t *ip;
char line[513]; char line[513];
ip = (ip_t *)buf;
*ifn = NULL; *ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) { while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n'))) if ((s = index(line, '\n')))
@ -197,7 +195,7 @@ int cnt, *dir;
*dir = 0; *dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir)) if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0 #if 0
return sizeof(*ip) + sizeof(tcphdr_t); return sizeof(ip_t) + sizeof(tcphdr_t);
#else #else
return sizeof(ip_t); return sizeof(ip_t);
#endif #endif


@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ipl.h 1.21 6/5/96 * @(#)ipl.h 1.21 6/5/96
* $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $ * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $
*/ */
#ifndef __IPL_H__ #ifndef __IPL_H__
#define __IPL_H__ #define __IPL_H__
#define IPL_VERSION "IP Filter: v3.4.28" #define IPL_VERSION "IP Filter: v3.4.29"
#endif #endif


@ -68,7 +68,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp $";
#endif #endif
@ -959,13 +959,13 @@ int blen;
*t++ = 'S'; *t++ = 'S';
lvl = LOG_ERR; lvl = LOG_ERR;
} else if (ipf->fl_flags & FR_PASS) { } else if (ipf->fl_flags & FR_PASS) {
if (ipf->fl_flags & FR_LOGP) if (ipf->fl_flags & FR_LOG)
*t++ = 'p'; *t++ = 'p';
else else
*t++ = 'P'; *t++ = 'P';
lvl = LOG_NOTICE; lvl = LOG_NOTICE;
} else if (ipf->fl_flags & FR_BLOCK) { } else if (ipf->fl_flags & FR_BLOCK) {
if (ipf->fl_flags & FR_LOGB) if (ipf->fl_flags & FR_LOG)
*t++ = 'b'; *t++ = 'b';
else else
*t++ = 'B'; *t++ = 'B';


@ -46,7 +46,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $";
#endif #endif
#ifdef __sgi #ifdef __sgi
@ -55,7 +55,7 @@ typedef int kvm_t;
static int kvm_fd = -1; static int kvm_fd = -1;
static char *kvm_errstr; static char *kvm_errstr;
kvm_t kvm_open(kernel, core, swap, mode, errstr) kvm_t *kvm_open(kernel, core, swap, mode, errstr)
char *kernel, *core, *swap; char *kernel, *core, *swap;
int mode; int mode;
char *errstr; char *errstr;
@ -65,17 +65,18 @@ char *errstr;
if (core == NULL) if (core == NULL)
core = "/dev/kmem"; core = "/dev/kmem";
kvm_fd = open(core, mode); kvm_fd = open(core, mode);
return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
} }
int kvm_read(kvm, pos, buffer, size) int kvm_read(kvm, pos, buffer, size)
kvm_t kvm; kvm_t *kvm;
u_long pos; u_long pos;
char *buffer; char *buffer;
size_t size; size_t size;
{ {
int r, left; size_t left;
char *bufp; char *bufp;
int r;
if (lseek(*kvm, pos, 0) == -1) { if (lseek(*kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr); fprintf(stderr, "%s", kvm_errstr);
@ -97,13 +98,19 @@ static kvm_t *kvm_f = NULL;
int openkmem(kern, core) int openkmem(kern, core)
char *kern, *core; char *kern, *core;
{ {
union {
int ui;
kvm_t *uk;
} k;
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, ""); kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
if (kvm_f == NULL) if (kvm_f == NULL)
{ {
perror("openkmem:open"); perror("openkmem:open");
return -1; return -1;
} }
return (int)kvm_f; k.uk = kvm_f;
return k.ui;
} }
int kmemcpy(buf, pos, n) int kmemcpy(buf, pos, n)
@ -120,7 +127,7 @@ register int n;
if (openkmem(NULL, NULL) == -1) if (openkmem(NULL, NULL) == -1)
return -1; return -1;
while ((r = kvm_read(kvm_f, pos, buf, n)) < n) while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
if (r <= 0) if (r <= 0)
{ {
fprintf(stderr, "pos=0x%x ", (u_int)pos); fprintf(stderr, "pos=0x%x ", (u_int)pos);
@ -152,7 +159,7 @@ register int n;
while (n > 0) while (n > 0)
{ {
r = kvm_read(kvm_f, pos, buf, 1); r = kvm_read(kvm_f, pos, buf, (size_t)1);
if (r <= 0) if (r <= 0)
{ {
fprintf(stderr, "pos=0x%x ", (u_int)pos); fprintf(stderr, "pos=0x%x ", (u_int)pos);
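Review bot: `openkmem` now returns the `kvm_t *` punned through an `int`/pointer union; on an LP64 build that yields a truncated (or, on a big-endian layout, the high half of the) pointer, so the value is meaningless and could in principle collide with the `-1` failure sentinel the caller tests in `kmemcpy`. Since every visible caller only checks for `-1` and then uses the global `kvm_f`, the union is unnecessary: replace `k.uk = kvm_f; return k.ui;` with `return 0;` and drop the union. I would also add a one-line comment on `openkmem` stating that it returns 0 on success and -1 on failure and that the handle lives in `kvm_f`.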


@ -46,8 +46,11 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP. viewed with \fBipfstat -n\fP.
.LP .LP
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short 5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order
of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or
\fBB\fP means that the packet has been logged due to a global logging
setting, not a particular rule.
.LP .LP
6. The addresses. 6. The addresses.
This is actually three fields: the source address and port This is actually three fields: the source address and port


@ -96,6 +96,15 @@ or as
map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
.fi .fi
.LP .LP
For even greater control, one may negate either of the "from" or "to" clauses
with a preceding exclamation mark ("!"). Please note that one may not use a
negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
rule. Such a rule might look like the following:
.LP
.nf
+map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
.fi
.PP
Only IP address and port numbers can be compared against. This is available Only IP address and port numbers can be compared against. This is available
with all NAT rules. with all NAT rules.
.SH TRANSLATION .SH TRANSLATION


@ -935,7 +935,6 @@ u_long optmsk, optbits;
u_short secmsk = sec[0], secbits = sec[1]; u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so; struct ipopt_names *io, *so;
char *s; char *s;
int secflag = 0;
s = " opt "; s = " opt ";
for (io = ionames; io->on_name; io++) for (io = ionames; io->on_name; io++)
@ -947,8 +946,7 @@ u_long optmsk, optbits;
if (io->on_value == IPOPT_SECURITY) if (io->on_value == IPOPT_SECURITY)
io++; io++;
s = ","; s = ",";
} else }
secflag = 1;
} }


@ -58,7 +58,7 @@ extern char *sys_errlist[];
#endif #endif
#if !defined(lint) #if !defined(lint)
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $"; static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $";
#endif #endif
@ -242,9 +242,10 @@ int opts;
0xffffffff), 0xffffffff),
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport, hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
NAT_TABLE_SZ), NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x\n", printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
getsumd(nat->nat_sumd[1]), nat->nat_p, getsumd(nat->nat_sumd[1]), nat->nat_p,
hv1, hv2, nat->nat_flags); hv1, hv2, nat->nat_flags,
nat->nat_drop[0], nat->nat_drop[1]);
printf("\tifp %s ", getifname(nat->nat_ifp)); printf("\tifp %s ", getifname(nat->nat_ifp));
#ifdef USE_QUAD_T #ifdef USE_QUAD_T
printf("bytes %qu pkts %qu", printf("bytes %qu pkts %qu",
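Review bot: The new `drop %d/%d` prints `nat->nat_drop[0]` and `nat->nat_drop[1]` with `%d`, but the field's declaration is not in this diff; if it is an unsigned or long counter like the adjacent `bytes`/`pkts` fields printed with `%qu`, the mismatch is undefined under the C standard and will be flagged by `-Wformat`. Confirm the type in ip_nat.h and use the matching specifier (`%u` or `%lu`), or cast explicitly. The enclosing print function starts outside the hunk.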


@ -4,7 +4,7 @@
block in all block in all
pass in all with opt sec pass in all with opt sec
# #
# only allow packets in and out on le0 which are top secret # only allow packets in and out on le1 which are top secret
# #
block out on le1 all block out on le1 all
pass out on le1 all with opt sec-class topsecret pass out on le1 all with opt sec-class topsecret


@ -9,6 +9,8 @@ nomatch
nomatch nomatch
nomatch nomatch
nomatch nomatch
nomatch
nomatch
-------- --------
block block
nomatch nomatch
@ -21,6 +23,8 @@ nomatch
nomatch nomatch
nomatch nomatch
nomatch nomatch
nomatch
nomatch
-------- --------
nomatch nomatch
nomatch nomatch
@ -32,6 +36,8 @@ nomatch
pass pass
pass pass
nomatch nomatch
nomatch
nomatch
pass pass
-------- --------
nomatch nomatch
@ -44,6 +50,8 @@ nomatch
block block
block block
nomatch nomatch
nomatch
nomatch
block block
-------- --------
pass pass
@ -57,6 +65,8 @@ nomatch
nomatch nomatch
nomatch nomatch
nomatch nomatch
nomatch
nomatch
-------- --------
block block
nomatch nomatch
@ -69,4 +79,6 @@ nomatch
nomatch nomatch
nomatch nomatch
nomatch nomatch
nomatch
nomatch
-------- --------


@ -29,15 +29,23 @@
45 00 0018 0007 2000 3f 11 0000 01010101 02010101 45 00 0018 0007 2000 3f 11 0000 01010101 02010101
0035 0035 0035 0035
# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 # 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
45 00 001c 0008 2000 3f 11 0000 01010101 02010101 45 00 001c 0008 2000 3f 11 0000 01010101 02010101
0035003500040000 0035003500040000
# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short) # 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short)
45 00 0018 0008 2000 3f 11 0000 01010101 02010101 45 00 0018 0008 2000 3f 11 0000 01010101 02010101
00350036 00350036
# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1 # 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0
45 00 001c 0008 2000 3f 11 0000 01010101 02010101
0015003600040000
# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0
45 00 001c 0008 2000 3f 06 0000 01010101 02010101
0015 0036 00000000 00000000 50 02 2000 0000 0000
# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1
45 00 001c 0008 0001 3f 11 0000 01010101 02010101 45 00 001c 0008 0001 3f 11 0000 01010101 02010101
0000000000000000 0000000000000000