From 18c772ae03d7e1f977314e90bd189cc5bd011d58 Mon Sep 17 00:00:00 2001 From: darrenr Date: Fri, 7 Jun 2002 08:58:22 +0000 Subject: [PATCH] Import IPFilter 3.4.28 --- contrib/ipfilter/BSD/Makefile | 1 + contrib/ipfilter/FreeBSD-4.0/kinstall | 2 +- contrib/ipfilter/HISTORY | 39 ++++++++++++++++++++ contrib/ipfilter/fil.c | 5 ++- contrib/ipfilter/ip_auth.c | 7 ++-- contrib/ipfilter/ip_compat.h | 8 +++-- contrib/ipfilter/ip_fil.c | 40 +++++++++++++++------ contrib/ipfilter/ip_fil.h | 3 +- contrib/ipfilter/ip_ftp_pxy.c | 10 ++++-- contrib/ipfilter/ip_h323_pxy.c | 5 +-- contrib/ipfilter/ip_nat.c | 8 +++-- contrib/ipfilter/ip_proxy.c | 7 ++-- contrib/ipfilter/ip_sfil.c | 12 +++++-- contrib/ipfilter/ip_state.c | 19 ++++++---- contrib/ipfilter/ipf.c | 7 ++-- contrib/ipfilter/ipfs.c | 15 +++++--- contrib/ipfilter/ipl.h | 4 +-- contrib/ipfilter/ipmon.c | 13 +++---- contrib/ipfilter/ipnat.c | 4 ++- contrib/ipfilter/ipsend/ip_var.h | 2 +- contrib/ipfilter/ipt.c | 52 ++++++++++++++++++++------- contrib/ipfilter/man/ipftest.1 | 13 +++++-- contrib/ipfilter/man/ipnat.4 | 2 +- contrib/ipfilter/man/ipnat.5 | 14 ++++---- contrib/ipfilter/mlf_ipl.c | 6 +++- contrib/ipfilter/parse.c | 2 +- contrib/ipfilter/printnat.c | 14 ++++---- contrib/ipfilter/test/Makefile | 6 ++-- contrib/ipfilter/test/expected/in1 | 6 ++-- 29 files changed, 236 insertions(+), 90 deletions(-) diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index afa9e52447a2..835d2336953c 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -231,6 +231,7 @@ clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \ y.tab.? lex.yy.c ipfs + ${RM} -f ../opt_inet6.h ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall index 2598c6c88da4..99ec6790bb00 100755 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall 
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall @@ -28,7 +28,7 @@ echo "" echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" ln -s /usr/include/osreldate.h /sys/sys/osreldate.h -set patchfile=FreeBSd-4.0/ipv6-patch-$krev +set patchfile=FreeBSD-4.0/ipv6-patch-$krev if ( -f $patchfile ) then echo "" echo "Patching ip6_input.c and ip6_output.c" diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index ec317dc2ae05..0369d3f0ae8d 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -22,6 +22,45 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.28 6/6/2002 - Released + +Fix for H.323 proxy to work on little endian boxes + +IRIX: Update installation documentation + add route lock patch + +allow use of groups > 65535 + +create a new packet info summary for packets going through ipfr_fastroute() +so that where details are different (RST/ICMP errors), the packet now gets +correctly NAT'd, etc. + +fix the FTP proxy so that checks for TCP sequence numbers outside the +normal offset due to data changes use absolute numbers + +make it possible to remove rules in ipftest + +Update installing onto OpenBSD and split into two directories: +OpenBSD-2 and OpenBSD-3 + +fix error in printout out the protocol in NAT rules + +always unlock ipfilter if locking fails half way through in ipfs + +fix problems with TCP window scaling + +update of man pages for ipnat(4) and ipftest(1) + +3.4.27 28/04/2002 - Released + +fix calculation of 2's complmenent 16 bit checksum for user space + +add mbuflen() to usespace compiles. + +add more #ifdef complexity for platform portability + +add OpenBSD 3.1 diffs + 3.4.26 25/04/2002 - Released fix parsing and printing of NAT rules with regression tests. diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 92d82f1a5d78..ed319d4b52e9 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c 
@@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1501,7 +1501,7 @@ tcphdr_t *tcp; * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ + * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1616,7 +1616,6 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; - num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index 2a73079d2cb0..efe2e99337d5 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $"; #endif @@ -615,7 +615,10 @@ void fr_authexpire() } else faep = &fae->fae_next; } - ipauth = &fae_list->fae_fr; + if (fae_list != NULL) + ipauth = &fae_list->fae_fr; + else + ipauth = NULL; for (frp = &fr_authlist; (fr = *frp); ) { if (fr->fr_ref == 1) { diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 3b1b9807b561..81690a7f9a32 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ 
@@ -213,7 +213,11 @@ typedef int minor_t; #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # include # ifndef __FreeBSD_version -# include +# ifdef IPFILTER_LKM +# include +# else +# include +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 2aeeaf878115..52383564e79c 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; #endif @@ -643,6 +643,9 @@ int mode; unit = dev; #endif + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + SPL_NET(s); if (unit == IPL_LOGNAT) { @@ -887,7 +890,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if ((req != SIOCZRLST) && fp->fr_group && @@ -1221,13 +1225,18 @@ fr_info_t *fin; struct mbuf **mp; { struct mbuf *m = *mp; - char *dpsave; - int error; + int error, hlen; + fr_info_t frn; ip_t *ip; - dpsave = fin->fin_dp; + bzero((char *)&frn, sizeof(frn)); + frn.fin_ifp = fin->fin_ifp; + frn.fin_v = fin->fin_v; + frn.fin_out = fin->fin_out; + frn.fin_mp = fin->fin_mp; ip = mtod(m, ip_t *); + hlen = sizeof(*ip); ip->ip_v = fin->fin_v; if (ip->ip_v == 4) { 
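Review bot: The leading `(req != SIOCZRLST) &&` in the rewritten head-group condition (hunk -887) is now redundant, because the added clause restricts the test to SIOCINAFR/SIOCINIFR/SIOCADAFR/SIOCADIFR, none of which is SIOCZRLST. Dropping it leaves `if (((req == SIOCINAFR) || (req == SIOCINIFR) || (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup(...))`, which reads as the rule actually being enforced: only a rule addition may not name an already existing head group. The parallel hunk in ip_sfil.c at -422,7 carries the same leftover. The following `(req != SIOCZRLST) && fp->fr_group` check is still needed and is untouched.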
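Review bot: The fresh `frn` built at the top of hunk -1221 replaces reusing the caller's `fin`, but nothing in the code says why, and the HISTORY entry in this same patch is the only record of the reason. A comment above the `bzero` along the lines of `/* Summarise the generated packet (RST / ICMP error) in its own fr_info: its details differ from the packet that triggered it, so NAT and fastroute must work from the new header, not from the caller's fin. */` keeps that next to the code. Only fin_ifp, fin_v, fin_out and fin_mp are copied from `fin`; whether fr_makefrip() fills every field ipfr_fastroute() reads from `frn` cannot be told from the hunk and is worth confirming. The enclosing function's signature lies outside the hunk and its body continues in the next hunk at -1242.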
@@ -1242,21 +1251,24 @@ struct mbuf **mp; ip->ip_ttl = ip_defttl; # endif ip->ip_sum = 0; - fin->fin_dp = (char *)(ip + 1); + frn.fin_dp = (char *)(ip + 1); } # ifdef USE_INET6 else if (ip->ip_v == 6) { ip6_t *ip6 = (ip6_t *)ip; + hlen = sizeof(*ip6); ip6->ip6_hlim = 127; - fin->fin_dp = (char *)(ip6 + 1); + frn.fin_dp = (char *)(ip6 + 1); } # endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif - error = ipfr_fastroute(m, mp, fin, NULL); - fin->fin_dp = dpsave; + + fr_makefrip(hlen, ip, &frn); + + error = ipfr_fastroute(m, mp, &frn, NULL); return error; } @@ -1563,6 +1575,9 @@ frdest_t *fdp; /* * Route packet. */ +#ifdef __sgi + ROUTE_RDLOCK(); +#endif bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; @@ -1599,6 +1614,11 @@ frdest_t *fdp; # else rtalloc(ro); # endif + +#ifdef __sgi + ROUTE_UNLOCK(); +#endif + if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; @@ -2098,7 +2118,7 @@ int code; fr_info_t *fin; int dst; { - verbose("- ICMP UNREACHABLE RST sent\n"); + verbose("- ICMP UNREACHABLE sent\n"); return 0; } diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 82deef5f2cd7..56175f28c986 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -508,6 +508,7 @@ extern int send_reset __P((ip_t *, fr_info_t *)); extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); extern int ipf_log __P((void)); extern struct ifnet *get_unit __P((char *, int)); +extern int mbuflen __P((mb_t *)); # if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); 
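Review bot: ROUTE_RDLOCK() at the start of the routing section (hunk -1563) and ROUTE_UNLOCK() after rtalloc() (hunk -1599) are about 35 lines apart and the lines between them are not shown; if any path in that stretch returns or jumps to the error exit early, the `__sgi` read lock is never released. Every exit between the two `#ifdef __sgi` blocks needs the unlock, or the unlock belongs in the function's common error path rather than inline after rtalloc(). ipfr_fastroute's body starts and ends outside these hunks, so this is inferred from the hunk boundaries rather than seen.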
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 2411bd998c61..f2603e07d279 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -766,10 +766,10 @@ int rv; i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; if (rv) { - if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_ackoff[sel]; } else { - if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_seqoff[sel]; } /* @@ -781,6 +781,10 @@ int rv; f->ftps_seq = ntohl(tcp->th_seq); else { inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc < 0) + inc = -inc; + if (i < 0) + i = -i; if (inc > i) { return APR_ERR(1); } diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c index a61b0402e907..ec9b2fe2b8a6 100644 --- a/contrib/ipfilter/ip_h323_pxy.c +++ b/contrib/ipfilter/ip_h323_pxy.c @@ -52,7 +52,7 @@ unsigned char *data; int datlen, *off; unsigned short *port; { - u_32_t addr; + u_32_t addr, netaddr; u_char *dp; int offset; @@ -62,10 +62,11 @@ unsigned short *port; *port = 0; offset = *off; dp = (u_char *)data; + netaddr = ntohl(ipaddr); for (offset = 0; offset <= datlen - 6; offset++, dp++) { addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; - if (ipaddr == addr) + if (netaddr == addr) { *port = (*(dp + 4) << 8) | *(dp + 5); break; diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index bf346610beca..da5235a2ca28 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c 
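Review bot: In hunk -781, `inc = ntohl(tcp->th_seq) - f->ftps_seq;` followed by `if (inc < 0) inc = -inc;` relies on the unsigned 32-bit difference being converted to a signed `inc` (its declaration is outside the hunk; assuming `int`), which is implementation-defined for results above 0x7fffffff, and `-inc` on the most negative value is signed overflow. Since sequence numbers wrap, the intent reads as "distance between the two sequence numbers"; computing it unsigned, `u_32_t d = ntohl(tcp->th_seq) - f->ftps_seq; if (d > 0x7fffffff) d = -d;`, and comparing `d` with the absolute offset avoids both, because negating an unsigned value is well defined. The `>` to `<` flips in hunk -766 look intentional and are not affected. The enclosing function starts and ends outside the hunk.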
@@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -469,8 +469,12 @@ int mode; } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + IPN_CMPSIZ)) { + if (n->in_redir == NAT_REDIRECT && + n->in_pnext != nat->in_pnext) + continue; break; + } } switch (cmd) diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index 2bc32d410f74..2051f2a466e3 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -122,7 +122,7 @@ aproxy_t ap_proxies[] = { ippr_ipsec_match }, #endif #ifdef IPF_NETBIOS_PROXY - { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL, + { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, NULL, NULL, NULL, ippr_netbios_out, NULL }, #endif #ifdef IPF_H323_PROXY @@ -421,11 +421,14 @@ int inc; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; + short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; + inc = (int)inc2; if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index a00d8fda93df..5a76f4b12576 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c 
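Review bot: In the ip_proxy.c hunk at -421, `inc2 = inc; inc = (int)inc2;` deliberately pushes `inc` through a `short` and nothing says why, so a reader will take it for a leftover. If the purpose is to sign-extend a 16-bit offset that arrived zero-extended in an `int` (the caller is outside the hunk, so this is a guess), a one-line comment such as `/* inc is a 16-bit signed offset; restore its sign before use */` should sit next to it; note also that any value outside the short range wraps silently in that conversion, which is implementation-defined. Declaring the parameter with the 16-bit type would make the narrowing explicit at the interface instead of inside the body.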
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $"; #endif #include @@ -61,7 +61,11 @@ int fr_running = 0; int ipl_unreach = ICMP_UNREACH_HOST; u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); +#if SOLARIS2 >= 7 +static u_int *ip_ttl_ptr; +#else static u_long *ip_ttl_ptr; +#endif static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); @@ -196,6 +200,9 @@ int *rp; if (IPL_LOGMAX < unit) return ENXIO; + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + if (fr_running <= 0) return 0; @@ -422,7 +429,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) { error = EEXIST; goto out; diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index a6d1773b5ba9..f4dac8a02c81 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; #endif #ifndef MIN 
@@ -575,9 +575,9 @@ u_int flags; register u_int hv; struct icmp *ic; ipstate_t ips; + int out, ws; u_int pass; void *ifp; - int out; if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || (fin->fin_misc & FM_BADSTATE)) @@ -691,8 +691,11 @@ u_int flags; is->is_maxsend = is->is_send; if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) { + ws = fr_tcpoptions(tcp); + if (ws >= 0) + is->is_swscale = ws; + } } is->is_maxdwin = 1; @@ -900,6 +903,7 @@ tcphdr_t *tcp; fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; + win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { @@ -908,7 +912,9 @@ tcphdr_t *tcp; */ fdata->td_end = end; fdata->td_maxwin = 1; - fdata->td_maxend = end + 1; + fdata->td_maxend = end + win; + if (win == 0) + fdata->td_maxend++; } if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ @@ -922,7 +928,6 @@ tcphdr_t *tcp; if (seq == end) seq = end = fdata->td_end; - win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; @@ -1457,7 +1462,7 @@ fr_info_t *fin; rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; - else if (fin->fin_rev) + else if (rev != 0) is->is_age = fr_icmpacktimeout; else is->is_age = fr_icmptimeout; diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index fc35b31b585b..f9b85aff8f03 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -50,7 +50,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $"; #endif #if SOLARIS 
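Review bot: `win <<= fdata->td_wscale;` now runs before the `td_end == 0` initialisation (hunk -900) so the first `td_maxend` is the scaled window, but the shift's safety depends on what fr_tcpoptions() returns: hunk -691 stores any non-negative value into is_swscale, and a scale above 14 (the RFC 1323 maximum) with a 16-bit window overflows a 32-bit `win`, while 32 or more makes the shift undefined. If fr_tcpoptions() already clamps to 14, a comment at the `ws >= 0` test, e.g. `/* fr_tcpoptions() returns a negative value for no/invalid option, else a scale <= 14 */`, records that; otherwise clamp inside the `ws >= 0` branch. The declarations of `win` and `td_wscale` are outside the hunks, so their widths are inferred.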
@@ -193,8 +193,11 @@ char *ipfdev;
 if (!(opts & OPT_DONOTHING) && fd == -1)
 if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
+ if ((fd = open(ipfdev, O_RDONLY)) == -1) {
 perror("open device");
+ if (errno == ENODEV)
+ fprintf(stderr, "IPFilter enabled?\n");
+ }
 return fd;
 }
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index a2ccf8923156..0e864f7c2361 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -45,7 +45,7 @@
 #include "ipf.h"
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp $";
 #endif
 #ifndef IPF_SAVEDIR
@@ -733,16 +733,16 @@ char *dirname;
 devfd = opendevice(IPL_STATE);
 if (devfd == -1)
- return 1;
+ goto bad;
 if (writestate(devfd, NULL))
- return 1;
+ goto bad;
 close(devfd);
 devfd = opendevice(IPL_NAT);
 if (devfd == -1)
- return 1;
+ goto bad;
 if (writenat(devfd, NULL))
- return 1;
+ goto bad;
 close(devfd);
 if (setlock(fd, 0)) {
@@ -751,6 +751,11 @@ char *dirname;
 }
 return 0;
+
+bad:
+ setlock(fd, 0);
+ close(fd);
+ return 1;
 }
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 0fc3a8ddfeda..6cd868d155e6 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -4,12 +4,12 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $
 */
 #ifndef __IPL_H__
 #define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.27"
+#define IPL_VERSION "IP Filter: v3.4.28"
 #endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 3e8707b06ea4..6bf90b91e4be 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
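Review bot: `errno` is examined after `perror()` has run, and the C standard allows any library call, a successful perror() or fprintf() included, to change errno, so the ENODEV hint can be skipped or misfire depending on the libc. Save it first: `int err = errno; perror("open device"); if (err == ENODEV) fprintf(stderr, "IPFilter enabled?\n");`. The ipnat.c hunk at -175 has the same ordering, reading errno only after the fprintf() that formats STRERROR(errno).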
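Review bot: The new `bad:` exit in ipfs.c releases the lock and closes `fd` but not `devfd`: on the `goto bad` taken when writestate() or writenat() fails, the device opened a few lines above is still open and is leaked, which makes the cleanup path look complete when it is not. Initialising `devfd` to -1 at its declaration (outside the hunk, if it is not already) and adding `if (devfd != -1) close(devfd);` under `bad:` closes the gap. setlock()'s return value is ignored there, unlike on the success path just above; that is acceptable for a best-effort unlock but a `(void)` cast would say so.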
@@ -68,7 +68,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $"; #endif @@ -1252,14 +1252,15 @@ int main(argc, argv) int argc; char *argv[]; { - struct stat sb; - FILE *log = stdout; - int fd[3], doread, n, i; - int tr, nr, regular[3], c; int fdt[3], devices = 0, make_daemon = 0; char buf[IPLLOGSIZE], *iplfile[3], *s; - extern int optind; + int fd[3], doread, n, i; extern char *optarg; + extern int optind; + int regular[3], c; + FILE *log = stdout; + struct stat sb; + size_t nr, tr; fd[0] = fd[1] = fd[2] = -1; fdt[0] = fdt[1] = fdt[2] = -1; diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index e19edb86a75e..5df3f20e41f9 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -60,7 +60,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp $"; #endif @@ -175,6 +175,8 @@ char *argv[]; ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, STRERROR(errno)); + if (errno == ENODEV) + fprintf(stderr, "IPFilter enabled?\n"); exit(1); } if (ioctl(fd, SIOCGNATS, &nsp) == -1) { diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h index 92eb38a0befc..ace980079313 100644 --- a/contrib/ipfilter/ipsend/ip_var.h +++ b/contrib/ipfilter/ipsend/ip_var.h @@ -44,7 +44,7 @@ struct ipq { * Note: ipf_next must be at same offset as ipq_next above */ struct ipasfrag { -#if defined(vax) || defined(i386) +#if defined(vax) || defined(i386) || defined(__i386__) u_char ip_hl:4, ip_v:4; #endif 
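Review bot: `nr` and `tr` change from `int` to `size_t` in the main() hunk at -1252, and the rest of main(), outside the hunk, is where it matters: if either receives the return of read(2) or another call that reports failure as -1, the value becomes a huge unsigned number and any `< 0` test on it is dead, while comparisons against an `int` now promote to unsigned. If they only ever hold non-negative byte counts, `size_t` is the right type and a short comment at the declaration, e.g. `/* byte counts only; never assigned a read() result */`, would stop the next reader from re-checking this. main()'s body runs well past the hunk.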
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 0c3b50ce153e..83650859f4ab 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -64,7 +64,7 @@
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp $";
 #endif
 extern char *optarg;
@@ -76,6 +76,7 @@ extern ipnat_t *natparse __P((char *, int));
 extern int fr_running;
 int opts = 0;
+int rremove = 0;
 int use_inet6 = 0;
 int main __P((int, char *[]));
 int loadrules __P((char *));
@@ -111,7 +112,7 @@ char *argv[];
 ipflog_init();
 fr_running = 1;
- while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
+ while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
 switch (c)
 {
 case '6' :
@@ -163,6 +164,9 @@ char *argv[];
 case 'P' :
 r = &pcap;
 break;
+ case 'R' :
+ rremove = 1;
+ break;
 case 'S' :
 r = &snoop;
 break;
@@ -330,20 +334,44 @@ char *file; if (!(fr = natparse(line, linenum))) continue; - i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, - (caddr_t)&fr, FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n", - fr, i); + if (rremove == 0) { + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADNAT,%p,1) = %d\n", + fr, i); + } else { + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(RMNAT,%p,1) = %d\n", + fr, i); + } } else { if (!(fr = parse(line, linenum))) continue; - i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n", - fr, i); + if (rremove == 0) { + i = IPL_EXTERN(ioctl)(0, SIOCADAFR, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADAFR,%p,1) = %d\n", + fr, i); + } else { + i = IPL_EXTERN(ioctl)(0, SIOCRMAFR, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(RMAFR,%p,1) = %d\n", + fr, i); + } } } (void)fclose(fp); diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index aba216a87fdb..9f7f2e3f2982 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -4,7 +4,7 @@ ipftest \- test packet filter rules with arbitary input. .SH SYNOPSIS .B ipftest [ -.B \-vbdPSTEHX +.B \-vbdPRSTEHX ] [ .B \-I interface 
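Review bot: Both arms of each new `if (rremove == 0) ... else ...` differ only in the ioctl request and the name printed in the debug message, so the hunk now carries four copies of the same call and fprintf. Choosing the request up front, `int req = rremove ? SIOCRMNAT : SIOCADNAT; const char *nm = rremove ? "RMNAT" : "ADNAT";`, and then issuing one `IPL_EXTERN(ioctl)(IPL_LOGNAT, req, (caddr_t)&fr, FWRITE|FREAD)` per arm of the outer NAT/filter if-else (the filter arm likewise with SIOCRMAFR/SIOCADAFR) halves the code and keeps each pair of debug strings in one place. loadrules() starts and ends outside the hunk.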
@@ -76,6 +76,10 @@ The input file specified by \fB\-i\fP is a binary file produced using libpcap (i.e., tcpdump version 3). Packets are read from this file as being input (for rule purposes). An interface maybe specified using \fB\-I\fP. .TP +.B \-R +Remove rules rather than load them. This is not a toggle option, so once +set, it cannot be reset by further use of -R. +.TP .B \-S The input file is to be in "snoop" format (see RFC 1761). Packets are read from this file and used as input from any interface. This is perhaps the @@ -98,7 +102,12 @@ option combinations: .B \-H The input file is to be hex digits, representing the binary makeup of the packet. No length correction is made, if an incorrect length is put in -the IP header. +the IP header. A packet may be broken up over several lines of hex digits, +a blank line indicating the end of the packet. It is possible to specify +both the interface name and direction of the packet (for filtering purposes) +at the start of the line using this format: [direction,interface] To define +a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required +and part of the input syntax. .TP .B \-X The input file is composed of text descriptions of IP packets. diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4 index 6cba7b64ede2..54f55d3de810 100644 --- a/contrib/ipfilter/man/ipnat.4 +++ b/contrib/ipfilter/man/ipnat.4 @@ -31,7 +31,7 @@ being that the fd must be that of the device associated with the module (i.e., /dev/ipl). .LP .PP -The strcture used with the NAT interface is described below: +The structure used with the NAT interface is described below: .LP .nf typedef struct ipnat { diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index 16c1752b4f54..a8beb6fc3d39 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 
@@ -19,17 +19,19 @@ mapit ::= "map" | "bimap" . fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . dstipmask ::= ipmask | "range" ip "-" ip . -mapport ::= "portmap" tcpudp portnumber ":" portnumber . +mapport ::= "portmap" tcpudp portspec . options ::= [ tcpudp ] [ rr ] . -object = addr [ port-comp | port-range ] . -addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . -port-comp = "port" compare port-num . -port-range = "port" port-num range port-num . +object :: = addr [ port-comp | port-range ] . +addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . +port-comp :: = "port" compare port-num . +port-range :: = "port" port-num range port-num . rr ::= "round-robin" . +nummask = host-name [ "/" decnumber ] . tcpudp ::= "tcp" | "udp" | "tcp/udp" . -portnumber ::= number { numbers } | "auto" . +portspec ::= "auto" | portnumber ":" portnumber . +portnumber ::= number { numbers } . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index 84d2a955a4de..a165c792cde4 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -13,7 +13,11 @@ #if defined(__FreeBSD__) # ifndef __FreeBSD_version -# include +# ifdef IPFILTER_LKM +# include +# else +# include +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 6a2a04ed5327..02590dfbe7b8 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -147,7 +147,7 @@ int linenum; } fil.fr_icode = j; } - } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) { + } else if (!strcasecmp(*(cpp+1), "return-rst")) { fil.fr_flags |= FR_RETRST; cpp++; } diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c index fe8388d70e4a..ba5524b83434 100644 --- a/contrib/ipfilter/printnat.c 
+++ b/contrib/ipfilter/printnat.c @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.8 2002/04/25 16:44:13 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $"; #endif @@ -442,6 +442,12 @@ int opts; printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); + if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) + printf(" tcp/udp"); + else if (np->in_flags & IPN_TCP) + printf(" tcp"); + else if (np->in_flags & IPN_UDP) + printf(" udp"); if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); if (opts & OPT_DEBUG) @@ -450,12 +456,6 @@ int opts; ntohs(np->in_pmax), np->in_ippip, np->in_ppip); } else { - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if (np->in_flags & IPN_TCP) - printf(" tcp"); - else if (np->in_flags & IPN_UDP) - printf(" udp"); printf(" %d:%d", ntohs(np->in_pmin), ntohs(np->in_pmax)); } diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index 2c4acd817cf5..812841348a7a 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -18,7 +18,7 @@ first: ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests -ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 +ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 ntests: n1 n2 n3 n4 n5 n6 n7 @@ -45,7 +45,7 @@ f15 f16: f17: @/bin/sh ./mhtest $@ -i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: +i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12: @/bin/sh ./itest $@ n1 n2 n3 n4 n5 n6 n7: @@ -65,7 +65,7 @@ ipv6.1 ipv6.2: clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17 - /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 + /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 /bin/rm -f ni1 ni2 ni3 ni4 ni5 /bin/rm -f in1 in2 in3 in4 
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1
index f3d0777943c0..73e39f92f0de 100644
--- a/contrib/ipfilter/test/expected/in1
+++ b/contrib/ipfilter/test/expected/in1
@@ -7,9 +7,9 @@ map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp
 map le0 0.0.0.0/0 -> 0.0.0.0/32 frag