Only in ip_fil3.2.7/FWTK: fwtk-2.1-transparency.txt
diff -cr ip_fil3.2.6/HISTORY ip_fil3.2.7/HISTORY
*** ip_fil3.2.6/HISTORY	Mon May 18 22:29:43 1998
--- ip_fil3.2.7/HISTORY	Sun May 24 12:06:45 1998
***************
*** 12,17 ****
--- 12,31 ----
  # and especially those who have found the time to port IP Filter to new
  # platforms.
  
+ 3.2.7	24/05/98 - Released
+ 
+ u_long -> u_32_t conversions
+ 
+ patches from Bernd Ernesti for NetBSD
+ 
+ fixup ipmon to actually handle HUP's.
+ 
+ Linux fixes from Michael H. Warfield (mhw@wittsend.com)
+ 
+ update for keep state patch (not security related) - Guido
+ 
+ dumphex() uses stdout rather than log
+ 
  3.2.6	18/05/98 - Released
  
  fix potential security loop hole in keep state code.
diff -cr ip_fil3.2.6/INSTALL.Linux ip_fil3.2.7/INSTALL.Linux
*** ip_fil3.2.6/INSTALL.Linux	Wed Nov 12 22:42:19 1997
--- ip_fil3.2.7/INSTALL.Linux	Sat May 23 15:01:24 1998
***************
*** 19,29 ****
  "make linux" from the ip_fil3.2.x directory.  If this completes with
  no errors, install IP Filter with a "make install-linux".
  
! Now that the user part of it is complete, it is time to work on the
! kernel.  To start this off, run "Linux/kinstall".  This will patch your
! kernel source code and configuration files so you can enabled IP Filter.
! You must now go to /usr/src/linux and configure your kernel using one of
! the available interfaces to enable IP Filter.  IP Filter will be presented
  as a three way choice "y/m/n" - select "m" to enable it.  Save your kernel
  configuration file, rebuild, install and reboot with the new kernel.
  
--- 19,30 ----
  "make linux" from the ip_fil3.2.x directory.  If this completes with
  no errors, install IP Filter with a "make install-linux".
  
! Now that the user part of it is complete, it is time to work on the kernel.
! To start this off, run "Linux/minstall".  This will configure the devices
! you will need for the IP Filter.  Then run "Linux/kinstall".  This will
! patch your kernel source code and configuration files so you can enabled IP
! Filter.  You must now go to /usr/src/linux and configure your kernel using one
! of the available interfaces to enable IP Filter.  IP Filter will be presented
  as a three way choice "y/m/n" - select "m" to enable it.  Save your kernel
  configuration file, rebuild, install and reboot with the new kernel.
  
diff -cr ip_fil3.2.6/Linux/Config.in.diff ip_fil3.2.7/Linux/Config.in.diff
*** ip_fil3.2.6/Linux/Config.in.diff	Wed Nov 12 21:29:28 1997
--- ip_fil3.2.7/Linux/Config.in.diff	Sat May 23 15:00:30 1998
***************
*** 1,5 ****
! *** Config.in.orig	Sun Nov  9 11:51:58 1997
! --- Config.in	Sun Nov  9 11:53:34 1997
  ***************
  *** 3,8 ****
  --- 3,9 ----
--- 1,5 ----
! *** Config.in.dist	Tue Aug 12 14:30:22 1997
! --- Config.in	Wed May 20 13:56:59 1998
  ***************
  *** 3,8 ****
  --- 3,9 ----
diff -cr ip_fil3.2.6/Linux/ip_forward.c.diff ip_fil3.2.7/Linux/ip_forward.c.diff
*** ip_fil3.2.6/Linux/ip_forward.c.diff	Mon Nov 24 17:24:33 1997
--- ip_fil3.2.7/Linux/ip_forward.c.diff	Sat May 23 15:00:31 1998
***************
*** 1,8 ****
! *** ip_forward.c.dist	Wed Nov 12 18:52:55 1997
! --- ip_forward.c	Wed Nov 12 19:42:44 1997
  ***************
! *** 46,51 ****
! --- 46,58 ----
    int sysctl_ip_forward = 0; 
    #endif
    
--- 1,8 ----
! *** ip_forward.c.dist	Wed Dec 10 21:13:49 1997
! --- ip_forward.c	Wed May 20 13:58:58 1998
  ***************
! *** 47,52 ****
! --- 47,59 ----
    int sysctl_ip_forward = 0; 
    #endif
    
***************
*** 17,41 ****
    
    /*
  ***************
! *** 309,314 ****
! --- 316,325 ----
!   	#endif		
!   		}
!   	#endif
! + 	#ifdef CONFIG_FIREWALL_IPFILTER
! + 		if (fr_checkp && ((*fr_checkp)(iph, dev2, 1, &skb) || !skb))
! + 			return -1;
! + 	#endif
    
!   		/*
!   		 * We now may allocate a new buffer, and copy the datagram into it.
  ***************
! *** 445,450 ****
! --- 456,469 ----
!   				}				
!   	#endif			
!   			}
! + 	#ifdef CONFIG_FIREWALL_IPFILTER
  + 		if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb))
  + 		{
  + 			if (skb != skb2)
--- 17,41 ----
    
    /*
  ***************
! *** 312,317 ****
! --- 319,328 ----
!   #endif		
!   	}
!   #endif
! + #ifdef CONFIG_FIREWALL_IPFILTER
! + 	if (fr_checkp && ((*fr_checkp)(iph, dev2, 1, &skb) || !skb))
! + 		return -1;
! + #endif
    
!   	/*
!   	 * We now may allocate a new buffer, and copy the datagram into it.
  ***************
! *** 481,486 ****
! --- 492,505 ----
!   			}				
!   #endif			
!   		}
! + #ifdef CONFIG_FIREWALL_IPFILTER
  + 		if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb))
  + 		{
  + 			if (skb != skb2)
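Review bot: The second IP Filter hook call in the embedded ip_forward.c patch passes `&skb2` to `(*fr_checkp)` but then tests `!skb`, so the null check looks at a different buffer from the one the hook was given. The first call pairs `&skb` with `!skb`, which suggests the hook may clear the pointer it receives; if so, a cleared `skb2` would pass this test and be used further down the forwarding path. The line is carried over unchanged from 3.2.6 and probably should read `if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb2))`. The body of this `if` continues in the next hunk.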
***************
*** 43,48 ****
  + 			return -1;
  + 		}
  + #endif
-   
    #ifdef CONFIG_FIREWALL
    		if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph, NULL)) < FW_ACCEPT)
--- 43,48 ----
  + 			return -1;
  + 		}
  + #endif
    #ifdef CONFIG_FIREWALL
    		if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph, NULL)) < FW_ACCEPT)
+   		{
diff -cr ip_fil3.2.6/Linux/ip_input.c.diff ip_fil3.2.7/Linux/ip_input.c.diff
*** ip_fil3.2.6/Linux/ip_input.c.diff	Mon Nov 24 20:58:51 1997
--- ip_fil3.2.7/Linux/ip_input.c.diff	Sat May 23 15:00:32 1998
***************
*** 1,5 ****
! *** /usr/src/linux/net/ipv4/ip_input.c.dist	Wed Nov 12 18:53:12 1997
! --- /usr/src/linux/net/ipv4/ip_input.c	Mon Nov 24 20:39:50 1997
  ***************
  *** 175,180 ****
  --- 175,187 ----
--- 1,5 ----
! *** ip_input.c.dist	Wed Sep 17 15:00:47 1997
! --- ip_input.c	Wed May 20 13:57:00 1998
  ***************
  *** 175,180 ****
  --- 175,187 ----
***************
*** 17,33 ****
     *	Handle the issuing of an ioctl() request
     *	for the ip device. This is scheduled to
  ***************
! *** 381,386 ****
! --- 388,394 ----
!   	/*
!   	 *	See if the firewall wants to dispose of the packet. 
!   	 */
! + 
!   #ifdef	CONFIG_FIREWALL
!   
!   	if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport))<FW_ACCEPT)
! ***************
! *** 416,421 ****
  --- 424,437 ----
    			is_frag|=IPFWD_LASTFRAG;
    	}
--- 17,23 ----
     *	Handle the issuing of an ioctl() request
     *	for the ip device. This is scheduled to
  ***************
! *** 417,422 ****
  --- 424,437 ----
    			is_frag|=IPFWD_LASTFRAG;
    	}
diff -cr ip_fil3.2.6/Linux/ip_output.c.diff ip_fil3.2.7/Linux/ip_output.c.diff
*** ip_fil3.2.6/Linux/ip_output.c.diff	Mon Nov 24 20:58:52 1997
--- ip_fil3.2.7/Linux/ip_output.c.diff	Sat May 23 15:00:32 1998
***************
*** 1,5 ****
! *** /usr/src/linux/net/ipv4/ip_output.c.dist	Wed Nov 12 18:53:27 1997
! --- /usr/src/linux/net/ipv4/ip_output.c	Mon Nov 24 20:40:11 1997
  ***************
  *** 76,81 ****
  --- 76,88 ----
--- 1,5 ----
! *** ip_output.c.dist	Mon Sep 15 12:53:36 1997
! --- ip_output.c	Wed May 20 13:57:00 1998
  ***************
  *** 76,81 ****
  --- 76,88 ----
Only in ip_fil3.2.7/Linux: kernel.patch
Only in ip_fil3.2.7/Linux: kinstall
diff -cr ip_fil3.2.6/Linux/minstall ip_fil3.2.7/Linux/minstall
*** ip_fil3.2.6/Linux/minstall	Sat Nov 22 23:50:20 1997
--- ip_fil3.2.7/Linux/minstall	Sat May 23 14:41:53 1998
***************
*** 14,20 ****
  	mknod /dev/$i c $major $minor
  	minor=`expr $minor + 1`
  done
! exit 0
  echo "Patching netsyms.c, Config.in"
  cat Linux/netsyms.c.diff Linux/Config.in.diff | (cd /usr/src/linux/net; patch)
  
--- 14,20 ----
  	mknod /dev/$i c $major $minor
  	minor=`expr $minor + 1`
  done
! 
  echo "Patching netsyms.c, Config.in"
  cat Linux/netsyms.c.diff Linux/Config.in.diff | (cd /usr/src/linux/net; patch)
  
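Review bot: With `exit 0` removed, the `(cd /usr/src/linux/net; patch)` line after the device loop now actually runs, and because it joins the commands with `;` a failed `cd` still lets `patch` apply the kernel diffs relative to whatever directory the script was started from. Use `cat Linux/netsyms.c.diff Linux/Config.in.diff | (cd /usr/src/linux/net && patch)` so nothing is patched unless the kernel tree is present. The same `cd dir; command` form appears in the new `install-linux` recipe in Makefile and in `(cd $(CPUDIR); pkgmk -o)` in SunOS5/Makefile. The `mknod` loop begins above this hunk and the script continues below it.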
diff -cr ip_fil3.2.6/Linux/netsyms.c.diff ip_fil3.2.7/Linux/netsyms.c.diff
*** ip_fil3.2.6/Linux/netsyms.c.diff	Wed Nov 12 21:29:28 1997
--- ip_fil3.2.7/Linux/netsyms.c.diff	Sat May 23 15:00:33 1998
***************
*** 1,13 ****
! *** netsyms.c.dist	Wed Nov 12 18:49:38 1997
! --- netsyms.c	Wed Nov 12 18:51:53 1997
  ***************
  *** 60,65 ****
! --- 60,73 ----
    extern int (*dlci_ioctl_hook)(unsigned int, void *);
    #endif
    
! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODUL
! + E)
  + # define CONFIG_FIREWALL_IPFILTER
  + #endif 
  + #ifdef CONFIG_FIREWALL_IPFILTER
--- 1,12 ----
! *** netsyms.c.dist	Wed Dec 10 21:14:27 1997
! --- netsyms.c	Wed May 20 13:56:59 1998
  ***************
  *** 60,65 ****
! --- 60,72 ----
    extern int (*dlci_ioctl_hook)(unsigned int, void *);
    #endif
    
! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODULE)
  + # define CONFIG_FIREWALL_IPFILTER
  + #endif 
  + #ifdef CONFIG_FIREWALL_IPFILTER
***************
*** 18,24 ****
    #include <linux/symtab_begin.h>
    
  ***************
! *** 187,193 ****
    	X(netlink_donothing),
    	X(netlink_post),
    #endif /* CONFIG_NETLINK */
--- 17,23 ----
    #include <linux/symtab_begin.h>
    
  ***************
! *** 190,196 ****
    	X(netlink_donothing),
    	X(netlink_post),
    #endif /* CONFIG_NETLINK */
***************
*** 26,32 ****
    #include <linux/symtab_end.h>
    };
    
! --- 195,204 ----
    	X(netlink_donothing),
    	X(netlink_post),
    #endif /* CONFIG_NETLINK */
--- 25,31 ----
    #include <linux/symtab_end.h>
    };
    
! --- 198,207 ----
    	X(netlink_donothing),
    	X(netlink_post),
    #endif /* CONFIG_NETLINK */
diff -cr ip_fil3.2.6/Linux/tcp_output.c.diff ip_fil3.2.7/Linux/tcp_output.c.diff
*** ip_fil3.2.6/Linux/tcp_output.c.diff	Mon Nov 24 17:24:35 1997
--- ip_fil3.2.7/Linux/tcp_output.c.diff	Sat May 23 15:00:34 1998
***************
*** 1,13 ****
! *** tcp_output.c.dist	Sat Nov  8 18:16:22 1997
! --- tcp_output.c	Sat Nov 22 23:39:56 1997
  ***************
  *** 45,50 ****
! --- 45,58 ----
    #include <linux/random.h>
    #endif
    
! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODUL
! + E)
  + # define CONFIG_FIREWALL_IPFILTER
  + #endif
  + #ifdef CONFIG_FIREWALL_IPFILTER
--- 1,12 ----
! *** tcp_output.c.dist	Wed Oct 15 17:47:56 1997
! --- tcp_output.c	Wed May 20 13:57:00 1998
  ***************
  *** 45,50 ****
! --- 45,57 ----
    #include <linux/random.h>
    #endif
    
! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODULE)
  + # define CONFIG_FIREWALL_IPFILTER
  + #endif
  + #ifdef CONFIG_FIREWALL_IPFILTER
diff -cr ip_fil3.2.6/Makefile ip_fil3.2.7/Makefile
*** ip_fil3.2.6/Makefile	Mon May 18 21:14:08 1998
--- ip_fil3.2.7/Makefile	Sat May 23 15:01:23 1998
***************
*** 5,11 ****
  # provided that this notice is preserved and due credit is given
  # to the original author and the contributors.
  #
! # $Id: Makefile,v 2.0.2.26.2.8 1998/05/18 11:14:08 darrenr Exp $
  #
  BINDEST=/usr/local/bin
  SBINDEST=/sbin
--- 5,11 ----
  # provided that this notice is preserved and due credit is given
  # to the original author and the contributors.
  #
! # $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $
  #
  BINDEST=/usr/local/bin
  SBINDEST=/sbin
***************
*** 191,202 ****
  	(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..)
  
  sunos5 solaris2:
! 	(cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
! 	(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
  
  sunos5x86 solaris2x86:
! 	(cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
! 	(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
  
  install-bsd:
  	(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
--- 191,206 ----
  	(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..)
  
  sunos5 solaris2:
! 	(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
! 	(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
  
  sunos5x86 solaris2x86:
! 	(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
! 	(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
! 
! install-linux:
! 	(cd Linux/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
! 	(cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
  
  install-bsd:
  	(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
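Review bot: The two recipe lines of the new `install-linux` target are inconsistent: only the second passes `INSTALL=$(INSTALL)`, so unless `$(MFLAGS)` already carries it (not visible here) the first sub-make uses whatever default the Linux Makefile has. Both lines also invoke a literal `make` rather than `$(MAKE)`, which loses the flags and the make binary selected by the caller, and the trailing `cd ..` inside the subshell has no effect. A consistent form would be `(cd Linux/$(CPUDIR) && $(MAKE) install INSTALL=$(INSTALL) "TOP=../.." $(MFLAGS))`.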
diff -cr ip_fil3.2.6/SunOS5/Makefile ip_fil3.2.7/SunOS5/Makefile
*** ip_fil3.2.6/SunOS5/Makefile	Fri May 15 00:01:03 1998
--- ip_fil3.2.7/SunOS5/Makefile	Fri May 22 00:46:09 1998
***************
*** 19,30 ****
  #
  TOP=..
  DCPU=`uname -m`
  CC=gcc -Wall
  DEBUG=-g
  LIBS=-lsocket -lnsl -lelf
  DEF=-D_KERNEL -DSUNDDI -D$(DCPU) -D__$(DCPU)__ $(CPU)
  ATON=-DNEED_INET_ATON
! ROOT=$(DCPU)/root
  ROOTINC=$(ROOT)/usr/include
  #
  MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
--- 19,31 ----
  #
  TOP=..
  DCPU=`uname -m`
+ CPUDIR=$(DCPU)-`uname -r`
  CC=gcc -Wall
  DEBUG=-g
  LIBS=-lsocket -lnsl -lelf
  DEF=-D_KERNEL -DSUNDDI -D$(DCPU) -D__$(DCPU)__ $(CPU)
  ATON=-DNEED_INET_ATON
! ROOT=$(CPUDIR)/root
  ROOTINC=$(ROOT)/usr/include
  #
  MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
***************
*** 194,209 ****
  	mkdir -p $(PKGBIN) $(ROOT)/sbin $(ROOT)/usr/kernel/drv $(ROOT)/etc/init.d
  	mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples
  	mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipftest $(PKGBIN)/ipftest
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipmon $(PKGBIN)/ipmon
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipsend $(PKGBIN)/ipsend
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipresend $(PKGBIN)/ipresend
  	-$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters
! 	-$(INSTALL) -c -g root -m 755 -o root $(DCPU)/ipf $(ROOT)/usr/kernel/drv/ipf
  	-$(INSTALL) -c -g root -m 644 -o root ipf.conf $(ROOT)/usr/kernel/drv
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipnat $(ROOT)/sbin/ipnat
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipf.exe $(ROOT)/sbin/ipf
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipfstat $(ROOT)/sbin/ipfstat
  	-$(INSTALL) -c -g root -m 755 -o root ipfboot $(ROOT)/etc/init.d
  	-cp $(TOP)/man/*.[0-9] .
  	-$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8
--- 195,210 ----
  	mkdir -p $(PKGBIN) $(ROOT)/sbin $(ROOT)/usr/kernel/drv $(ROOT)/etc/init.d
  	mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples
  	mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipftest $(PKGBIN)/ipftest
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipmon $(PKGBIN)/ipmon
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipsend $(PKGBIN)/ipsend
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipresend $(PKGBIN)/ipresend
  	-$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters
! 	-$(INSTALL) -c -g root -m 755 -o root $(CPUDIR)/ipf $(ROOT)/usr/kernel/drv/ipf
  	-$(INSTALL) -c -g root -m 644 -o root ipf.conf $(ROOT)/usr/kernel/drv
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipnat $(ROOT)/sbin/ipnat
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipf.exe $(ROOT)/sbin/ipf
! 	-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipfstat $(ROOT)/sbin/ipfstat
  	-$(INSTALL) -c -g root -m 755 -o root ipfboot $(ROOT)/etc/init.d
  	-cp $(TOP)/man/*.[0-9] .
  	-$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8
***************
*** 229,235 ****
  	-$(INSTALL) -g root -m 644 -o root ip_frag.h $(ROOTINC)/netinet
  	-$(INSTALL) -g root -m 644 -o root ip_proxy.h $(ROOTINC)/netinet
  	-$(INSTALL) -g root -m 644 -o root ip_auth.h $(ROOTINC)/netinet
! 	(cd $(DCPU) && rm -f prototype pkginfo copyright postinstall && ln -s ../prototype ../pkginfo ../copyright ../postinstall .)
! 	(cd $(DCPU); pkgmk -o)
  	-pkgadd -d /var/spool/pkg
  
--- 230,236 ----
  	-$(INSTALL) -g root -m 644 -o root ip_frag.h $(ROOTINC)/netinet
  	-$(INSTALL) -g root -m 644 -o root ip_proxy.h $(ROOTINC)/netinet
  	-$(INSTALL) -g root -m 644 -o root ip_auth.h $(ROOTINC)/netinet
! 	(cd $(CPUDIR) && rm -f prototype pkginfo copyright postinstall && ln -s ../prototype ../pkginfo ../copyright ../postinstall .)
! 	(cd $(CPUDIR); pkgmk -o)
  	-pkgadd -d /var/spool/pkg
  
diff -cr ip_fil3.2.6/SunOS5/Makefile.ipsend ip_fil3.2.7/SunOS5/Makefile.ipsend
*** ip_fil3.2.6/SunOS5/Makefile.ipsend	Wed Apr  8 23:50:25 1998
--- ip_fil3.2.7/SunOS5/Makefile.ipsend	Fri May 22 00:46:10 1998
***************
*** 14,23 ****
  	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
  
  y.tab.o: $(TOP)/iplang/iplang_y.y
! 	(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPU)/$@ 'DESTDIR=../SunOS5/$(CPU)' )
  
  lex.yy.o: $(TOP)/iplang/iplang_l.l
! 	(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPU)/$@ 'DESTDIR=../SunOS5/$(CPU)' )
  
  ipsend: $(OBJS) $(UNIXOBJS)
  	$(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll
--- 14,23 ----
  	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
  
  y.tab.o: $(TOP)/iplang/iplang_y.y
! 	(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' )
  
  lex.yy.o: $(TOP)/iplang/iplang_l.l
! 	(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' )
  
  ipsend: $(OBJS) $(UNIXOBJS)
  	$(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll
diff -cr ip_fil3.2.6/SunOS5/pkginfo ip_fil3.2.7/SunOS5/pkginfo
*** ip_fil3.2.6/SunOS5/pkginfo	Mon May 18 22:36:15 1998
--- ip_fil3.2.7/SunOS5/pkginfo	Sun May 24 12:06:50 1998
***************
*** 5,11 ****
  PKG=ipf
  NAME=IP Filter
  ARCH=sparc,i386
! VERSION=3.2,REV=6
  CATEGORY=system
  DESC=This package contains tools for building a firewall
  VENDOR=Darren Reed
--- 5,11 ----
  PKG=ipf
  NAME=IP Filter
  ARCH=sparc,i386
! VERSION=3.2,REV=7
  CATEGORY=system
  DESC=This package contains tools for building a firewall
  VENDOR=Darren Reed
diff -cr ip_fil3.2.6/buildsunos ip_fil3.2.7/buildsunos
*** ip_fil3.2.6/buildsunos	Sat May 24 17:32:46 1997
--- ip_fil3.2.7/buildsunos	Fri May 22 00:46:04 1998
***************
*** 1,23 ****
  #! /bin/sh
! # $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
  :
  rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
  cpu=`uname -m`
  if [ $rev = 5 ] ; then
  	solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
! 	mkdir -p SunOS5/${cpu}
! 	/bin/rm -f SunOS5/${cpu}/Makefile
! 	/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
! 	ln -s ../Makefile SunOS5/${cpu}/Makefile
! 	ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend
  fi
  if [ $cpu = i86pc ] ; then
! 	make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
  	exit $?
  fi
  if [ x$solrev = x ] ; then
  	make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
  	exit $?
  fi
! make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
  exit $?
--- 1,24 ----
  #! /bin/sh
! # $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $
  :
  rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
  cpu=`uname -m`
+ cpudir=${cpu}-`uname -r`
  if [ $rev = 5 ] ; then
  	solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
! 	mkdir -p SunOS5/${cpudir}
! 	/bin/rm -f SunOS5/${cpudir}/Makefile
! 	/bin/rm -f SunOS5/${cpudir}/Makefile.ipsend
! 	ln -s ../Makefile SunOS5/${cpudir}/Makefile
! 	ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
  fi
  if [ $cpu = i86pc ] ; then
! 	make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
  	exit $?
  fi
  if [ x$solrev = x ] ; then
  	make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
  	exit $?
  fi
! make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
  exit $?
diff -cr ip_fil3.2.6/fil.c ip_fil3.2.7/fil.c
*** ip_fil3.2.6/fil.c	Sun Apr 26 01:46:36 1998
--- ip_fil3.2.7/fil.c	Sun May 24 05:20:30 1998
***************
*** 7,13 ****
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.12 1998/04/25 15:46:36 darrenr Exp $";
  #endif
  
  #include <sys/errno.h>
--- 7,13 ----
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $";
  #endif
  
  #include <sys/errno.h>
***************
*** 21,26 ****
--- 21,27 ----
  #else
  # include <stdio.h>
  # include <string.h>
+ # include <stdlib.h>
  #endif
  #include <sys/uio.h>
  #if !defined(__SVR4) && !defined(__svr4__)
***************
*** 579,584 ****
--- 580,594 ----
  #  endif
  	int up;
  
+ #ifdef M_CANFASTFWD
+ 	/*
+ 	 * XXX For now, IP Filter and fast-forwarding of cached flows
+ 	 * XXX are mutually exclusive.  Eventually, IP Filter should
+ 	 * XXX get a "can-fast-forward" filter rule.
+ 	 */
+ 	m->m_flags &= ~M_CANFASTFWD;
+ #endif /* M_CANFASTFWD */
+ 
  	if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
  	     ip->ip_p == IPPROTO_ICMP)) {
  		int plen = 0;
***************
*** 895,901 ****
  register u_short *addr;
  register int len;
  {
! 	register u_long sum = 0;
  
  	for (sum = 0; len > 1; len -= 2)
  		sum += *addr++;
--- 905,911 ----
  register u_short *addr;
  register int len;
  {
! 	register u_32_t sum = 0;
  
  	for (sum = 0; len > 1; len -= 2)
  		sum += *addr++;
***************
*** 928,934 ****
  		u_char	c[2];
  		u_short	s;
  	} bytes;
! 	u_long sum;
  	u_short	*sp;
  # if SOLARIS || defined(__sgi)
  	int add, hlen;
--- 938,944 ----
  		u_char	c[2];
  		u_short	s;
  	} bytes;
! 	u_32_t sum;
  	u_short	*sp;
  # if SOLARIS || defined(__sgi)
  	int add, hlen;
***************
*** 1027,1033 ****
  #endif /* SOLARIS */
  		if (len < 2)
  			break;
! 		if((u_long)sp & 1) {
  			bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
  			sum += bytes.s;
  		} else
--- 1037,1043 ----
  #endif /* SOLARIS */
  		if (len < 2)
  			break;
! 		if((u_32_t)sp & 1) {
  			bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
  			sum += bytes.s;
  		} else
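Review bot: `(u_32_t)sp & 1` casts a pointer to a 32-bit integer, which truncates the address on platforms with 64-bit pointers, the same platforms where `u_long` and `u_32_t` differ. The odd-address test still gives the right answer because only bit 0 is examined, but compilers will warn about the size mismatch and the cast reads like a mistake from the mechanical u_long -> u_32_t conversion. This one should stay as it was, `if ((u_long)sp & 1) {`, with a short comment that the cast is for an alignment test and not a checksum value. The enclosing function starts and ends outside the hunk.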
***************
*** 1081,1087 ****
   * SUCH DAMAGE.
   *
   *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
!  * $Id: fil.c,v 2.0.2.41.2.12 1998/04/25 15:46:36 darrenr Exp $
   */
  /*
   * Copy data from an mbuf chain starting "off" bytes from the beginning,
--- 1091,1097 ----
   * SUCH DAMAGE.
   *
   *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
!  * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $
   */
  /*
   * Copy data from an mbuf chain starting "off" bytes from the beginning,
diff -cr ip_fil3.2.6/ip_compat.h ip_fil3.2.7/ip_compat.h
*** ip_fil3.2.6/ip_compat.h	Sat May  9 01:09:15 1998
--- ip_fil3.2.7/ip_compat.h	Sun May 24 00:29:36 1998
***************
*** 6,12 ****
   * to the original author and the contributors.
   *
   * @(#)ip_compat.h	1.8 1/14/96
!  * $Id: ip_compat.h,v 2.0.2.31.2.10 1998/05/08 15:09:15 darrenr Exp $
   */
  
  #ifndef	__IP_COMPAT_H__
--- 6,12 ----
   * to the original author and the contributors.
   *
   * @(#)ip_compat.h	1.8 1/14/96
!  * $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $
   */
  
  #ifndef	__IP_COMPAT_H__
***************
*** 723,726 ****
--- 723,727 ----
  #ifndef	ICMP_ROUTERSOLICIT
  # define	ICMP_ROUTERSOLICIT	10
  #endif
+ 
  #endif	/* __IP_COMPAT_H__ */
diff -cr ip_fil3.2.6/ip_fil.h ip_fil3.2.7/ip_fil.h
*** ip_fil3.2.6/ip_fil.h	Wed Dec  3 21:02:30 1997
--- ip_fil3.2.7/ip_fil.h	Sun May 24 00:29:37 1998
***************
*** 6,12 ****
   * to the original author and the contributors.
   *
   * @(#)ip_fil.h	1.35 6/5/96
!  * $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $
   */
  
  #ifndef	__IP_FIL_H__
--- 6,12 ----
   * to the original author and the contributors.
   *
   * @(#)ip_fil.h	1.35 6/5/96
!  * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $
   */
  
  #ifndef	__IP_FIL_H__
***************
*** 518,521 ****
--- 518,522 ----
  extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
  extern	struct frgroup *ipfgroups[3][2];
  extern	struct filterstats frstats[];
+ 
  #endif	/* __IP_FIL_H__ */
diff -cr ip_fil3.2.6/ip_frag.h ip_fil3.2.7/ip_frag.h
*** ip_fil3.2.6/ip_frag.h	Fri Oct 24 00:56:01 1997
--- ip_fil3.2.7/ip_frag.h	Sun May 24 00:29:39 1998
***************
*** 6,12 ****
   * to the original author and the contributors.
   *
   * @(#)ip_frag.h	1.5 3/24/96
!  * $Id: ip_frag.h,v 2.0.2.12 1997/10/23 14:56:01 darrenr Exp $
   */
  
  #ifndef	__IP_FRAG_H__
--- 6,12 ----
   * to the original author and the contributors.
   *
   * @(#)ip_frag.h	1.5 3/24/96
!  * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $
   */
  
  #ifndef	__IP_FRAG_H__
***************
*** 55,58 ****
--- 55,59 ----
  #else
  extern	int	ipfr_slowtimer __P((void));
  #endif
+ 
  #endif	/* __IP_FIL_H__ */
diff -cr ip_fil3.2.6/ip_ftp_pxy.c ip_fil3.2.7/ip_ftp_pxy.c
*** ip_fil3.2.6/ip_ftp_pxy.c	Wed Nov 12 21:50:51 1997
--- ip_fil3.2.7/ip_ftp_pxy.c	Sun May 24 05:20:31 1998
***************
*** 54,71 ****
  ap_session_t *aps;
  nat_t *nat;
  {
! 	u_long	sum1, sum2;
  	short sel;
  
  	if (tcp->th_sport == aps->aps_dport) {
! 		sum2 = (u_long)ntohl(tcp->th_ack);
  		sel = aps->aps_sel;
  		if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
  			(sum2 > aps->aps_after[!sel])) {
  			sel = aps->aps_sel = !sel; /* switch to other set */
  		}
  		if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
! 			sum1 = (u_long)aps->aps_seqoff[sel];
  			tcp->th_ack = htonl(sum2 - sum1);
  			return 2;
  		}
--- 54,71 ----
  ap_session_t *aps;
  nat_t *nat;
  {
! 	u_32_t	sum1, sum2;
  	short sel;
  
  	if (tcp->th_sport == aps->aps_dport) {
! 		sum2 = (u_32_t)ntohl(tcp->th_ack);
  		sel = aps->aps_sel;
  		if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
  			(sum2 > aps->aps_after[!sel])) {
  			sel = aps->aps_sel = !sel; /* switch to other set */
  		}
  		if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
! 			sum1 = (u_32_t)aps->aps_seqoff[sel];
  			tcp->th_ack = htonl(sum2 - sum1);
  			return 2;
  		}
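Review bot: The `sum2 > aps->aps_after[...]` tests compare TCP acknowledgement numbers by plain magnitude, which gives the wrong answer once the connection's sequence space wraps past zero, and the proxied session would then stop having its offsets applied. The declaration of `aps_after` is not in this diff, so this is hedged, but if it is also a 32-bit quantity the usual form is a signed difference, e.g. `(int)(sum2 - aps->aps_after[sel]) > 0`. The same comparisons on `th_seq` appear under `adjust_seqack:` in the later hunk of this file. The function begins above the hunk and continues below it.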
***************
*** 110,116 ****
  ap_session_t *aps;
  nat_t *nat;
  {
! 	register u_long	sum1, sum2;
  	char	newbuf[IPF_MAXPORTLEN+1];
  	char	portbuf[IPF_MAXPORTLEN+1], *s;
  	int	ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2);
--- 110,116 ----
  ap_session_t *aps;
  nat_t *nat;
  {
! 	register u_32_t	sum1, sum2;
  	char	newbuf[IPF_MAXPORTLEN+1];
  	char	portbuf[IPF_MAXPORTLEN+1], *s;
  	int	ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2);
***************
*** 243,259 ****
  
  adjust_seqack:
  	if (tcp->th_dport == aps->aps_dport) {
! 		sum2 = (u_long)ntohl(tcp->th_seq);
  		off = aps->aps_sel;
  		if ((aps->aps_after[!off] > aps->aps_after[off]) &&
  			(sum2 > aps->aps_after[!off])) {
  			off = aps->aps_sel = !off; /* switch to other set */
  		}
  		if (aps->aps_seqoff[off]) {
! 			sum1 = (u_long)aps->aps_after[off] -
  			       aps->aps_seqoff[off];
  			if (sum2 > sum1) {
! 				sum1 = (u_long)aps->aps_seqoff[off];
  				sum2 += sum1;
  				tcp->th_seq = htonl(sum2);
  				ch = 1;
--- 243,259 ----
  
  adjust_seqack:
  	if (tcp->th_dport == aps->aps_dport) {
! 		sum2 = (u_32_t)ntohl(tcp->th_seq);
  		off = aps->aps_sel;
  		if ((aps->aps_after[!off] > aps->aps_after[off]) &&
  			(sum2 > aps->aps_after[!off])) {
  			off = aps->aps_sel = !off; /* switch to other set */
  		}
  		if (aps->aps_seqoff[off]) {
! 			sum1 = (u_32_t)aps->aps_after[off] -
  			       aps->aps_seqoff[off];
  			if (sum2 > sum1) {
! 				sum1 = (u_32_t)aps->aps_seqoff[off];
  				sum2 += sum1;
  				tcp->th_seq = htonl(sum2);
  				ch = 1;
diff -cr ip_fil3.2.6/ip_nat.c ip_fil3.2.7/ip_nat.c
*** ip_fil3.2.6/ip_nat.c	Sat May  9 01:10:17 1998
--- ip_fil3.2.7/ip_nat.c	Sun May 24 05:05:29 1998
***************
*** 9,15 ****
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.8 1998/05/08 15:10:17 darrenr Exp $";
  #endif
  
  #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
--- 9,15 ----
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $";
  #endif
  
  #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
***************
*** 130,139 ****
  
  void fix_outcksum(sp, n)
  u_short *sp;
! u_long n;
  {
  	register u_short sumshort;
! 	register u_long sum1;
  
  	if (!n)
  		return;
--- 130,139 ----
  
  void fix_outcksum(sp, n)
  u_short *sp;
! u_32_t n;
  {
  	register u_short sumshort;
! 	register u_32_t sum1;
  
  	if (!n)
  		return;
***************
*** 149,158 ****
  
  void fix_incksum(sp, n)
  u_short *sp;
! u_long n;
  {
  	register u_short sumshort;
! 	register u_long sum1;
  
  	if (!n)
  		return;
--- 149,158 ----
  
  void fix_incksum(sp, n)
  u_short *sp;
! u_32_t n;
  {
  	register u_short sumshort;
! 	register u_32_t sum1;
  
  	if (!n)
  		return;
***************
*** 521,527 ****
  u_short flags;
  int direction;
  {
! 	register u_long sum1, sum2, sumd, l;
  	u_short port = 0, sport = 0, dport = 0, nport = 0;
  	struct in_addr in;
  	tcphdr_t *tcp = NULL;
--- 521,527 ----
  u_short flags;
  int direction;
  {
! 	register u_32_t sum1, sum2, sumd, l;
  	u_short port = 0, sport = 0, dport = 0, nport = 0;
  	struct in_addr in;
  	tcphdr_t *tcp = NULL;
***************
*** 779,785 ****
  	 */
  	if (flags & IPN_TCPUDP) {
  		tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
! 		u_long	sum1, sum2, sumd;
  		struct in_addr in;
  
  		if (nat->nat_dir == NAT_OUTBOUND) {
--- 779,785 ----
  	 */
  	if (flags & IPN_TCPUDP) {
  		tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
! 		u_32_t	sum1, sum2, sumd;
  		struct in_addr in;
  
  		if (nat->nat_dir == NAT_OUTBOUND) {
***************
*** 964,970 ****
  fr_info_t *fin;
  {
  	register ipnat_t *np;
! 	register u_long ipa;
  	tcphdr_t *tcp = NULL;
  	u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
  	struct ifnet *ifp;
--- 964,970 ----
  fr_info_t *fin;
  {
  	register ipnat_t *np;
! 	register u_32_t ipa;
  	tcphdr_t *tcp = NULL;
  	u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
  	struct ifnet *ifp;
***************
*** 1281,1287 ****
  #endif
  {
  	register nat_t *nat;
! 	register u_long sum1, sum2, sumd;
  	struct in_addr in;
  	ipnat_t *np;
  #if defined(_KERNEL) && !SOLARIS
--- 1281,1287 ----
  #endif
  {
  	register nat_t *nat;
! 	register u_32_t sum1, sum2, sumd;
  	struct in_addr in;
  	ipnat_t *np;
  #if defined(_KERNEL) && !SOLARIS
diff -cr ip_fil3.2.6/ip_nat.h ip_fil3.2.7/ip_nat.h
*** ip_fil3.2.6/ip_nat.h	Wed Nov  5 22:08:18 1997
--- ip_fil3.2.7/ip_nat.h	Sun May 24 04:52:44 1998
***************
*** 6,12 ****
   * to the original author and the contributors.
   *
   * @(#)ip_nat.h	1.5 2/4/96
!  * $Id: ip_nat.h,v 2.0.2.23.2.1 1997/11/05 11:08:18 darrenr Exp $
   */
  
  #ifndef	__IP_NAT_H__
--- 6,12 ----
   * to the original author and the contributors.
   *
   * @(#)ip_nat.h	1.5 2/4/96
!  * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $
   */
  
  #ifndef	__IP_NAT_H__
***************
*** 44,51 ****
  typedef	struct	nat	{
  	u_long	nat_age;
  	int	nat_flags;
! 	u_long	nat_sumd;
! 	u_long	nat_ipsumd;
  	void	*nat_data;
  	struct	in_addr	nat_inip;
  	struct	in_addr	nat_outip;
--- 44,51 ----
  typedef	struct	nat	{
  	u_long	nat_age;
  	int	nat_flags;
! 	u_32_t	nat_sumd;
! 	u_32_t	nat_ipsumd;
  	void	*nat_data;
  	struct	in_addr	nat_inip;
  	struct	in_addr	nat_outip;
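Review bot: Narrowing `nat_sumd` and `nat_ipsumd` to `u_32_t` changes the size and field offsets of `struct nat` on platforms where `u_long` is 64 bits, while `nat_age` just above them stays `u_long`. If userland tools such as ipnat read this structure from the kernel (not visible in this diff), a module and tools built from different releases would disagree on the layout. A comment on the struct such as `/* layout is shared with userland; rebuild the tools together with the kernel code */` and a line in HISTORY would make that explicit. The struct definition continues below the hunk.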
***************
*** 175,180 ****
  extern	int	ip_natin __P((ip_t *, int, fr_info_t *));
  extern	void	ip_natunload __P((void)), ip_natexpire __P((void));
  extern	void	nat_log __P((struct nat *, u_short));
! extern	void	fix_incksum __P((u_short *, u_long));
! extern	void	fix_outcksum __P((u_short *, u_long));
  #endif /* __IP_NAT_H__ */
--- 175,181 ----
  extern	int	ip_natin __P((ip_t *, int, fr_info_t *));
  extern	void	ip_natunload __P((void)), ip_natexpire __P((void));
  extern	void	nat_log __P((struct nat *, u_short));
! extern	void	fix_incksum __P((u_short *, u_32_t));
! extern	void	fix_outcksum __P((u_short *, u_32_t));
! 
  #endif /* __IP_NAT_H__ */
diff -cr ip_fil3.2.6/ip_state.c ip_fil3.2.7/ip_state.c
*** ip_fil3.2.6/ip_state.c	Mon May 18 23:19:20 1998
--- ip_fil3.2.7/ip_state.c	Sun May 24 13:53:04 1998
***************
*** 7,13 ****
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.10 1998/05/18 13:16:57 darrenr Exp $";
  #endif
  
  #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
--- 7,13 ----
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $";
  #endif
  
  #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
***************
*** 85,90 ****
--- 85,95 ----
  extern	kmutex_t	ipf_state;
  #endif
  
+ static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
+ 			       fr_info_t *, void *, u_short, u_short));
+ static int fr_state_flush __P((int));
+ static ips_stat_t *fr_statetstats __P((void));
+ 
  
  #define	FIVE_DAYS	(2 * 5 * 86400)	/* 5 days: half closed session */
  
***************
*** 97,103 ****
  	fr_icmptimeout = 120;
  
  
! ips_stat_t *fr_statetstats()
  {
  	ips_stats.iss_active = ips_num;
  	ips_stats.iss_table = ips_table;
--- 102,108 ----
  	fr_icmptimeout = 120;
  
  
! static ips_stat_t *fr_statetstats()
  {
  	ips_stats.iss_active = ips_num;
  	ips_stats.iss_table = ips_table;
***************
*** 111,117 ****
   * which == 1 : flush TCP connections which have started to close but are
   *              stuck for some reason.
   */
! int fr_state_flush(which)
  int which;
  {
  	register int i;
--- 116,122 ----
   * which == 1 : flush TCP connections which have started to close but are
   *              stuck for some reason.
   */
! static int fr_state_flush(which)
  int which;
  {
  	register int i;
***************
*** 301,313 ****
  	bcopy((char *)&ips, (char *)is, sizeof(*is));
  	hv %= IPSTATE_SIZE;
  	MUTEX_ENTER(&ipf_state);
! 	is->is_next = ips_table[hv];
! 	ips_table[hv] = is;
  	is->is_pass = pass;
  	is->is_pkts = 1;
  	is->is_bytes = ip->ip_len;
! 	is->is_ifp1 = fin->fin_ifp;
! 	is->is_ifp2 = NULL;
  	if (pass & FR_LOGFIRST)
  		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
  	ips_num++;
--- 306,338 ----
  	bcopy((char *)&ips, (char *)is, sizeof(*is));
  	hv %= IPSTATE_SIZE;
  	MUTEX_ENTER(&ipf_state);
! 
  	is->is_pass = pass;
  	is->is_pkts = 1;
  	is->is_bytes = ip->ip_len;
! 	/*
! 	 * Copy these from the rule itself.
! 	 */
! 	is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
! 	is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
! 	is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
! 	is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
! 	is->is_auth = fin->fin_fr->fr_ip.fi_auth;
! 	is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
! 	is->is_flags = fin->fin_fr->fr_ip.fi_fl;
! 	is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;
! 	/*
! 	 * add into table.
! 	 */
! 	is->is_next = ips_table[hv];
! 	ips_table[hv] = is;
! 	if (fin->fin_out) {
! 		is->is_ifpin = NULL;
! 		is->is_ifpout = fin->fin_ifp;
! 	} else {
! 		is->is_ifpin = fin->fin_ifp;
! 		is->is_ifpout = NULL;
! 	}
  	if (pass & FR_LOGFIRST)
  		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
  	ips_num++;
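Review bot: The two `is_flags` assignments pack a flag value and its mask into a single `u_char` (value in the low nibble, mask shifted into the high nibble), but `fr_ip.fi_fl` is stored unmasked. If `fi_fl` ever carries a bit above 0x08, it would land in the mask nibble and change what later packets are compared against in fr_matchsrcdst(). I would store `is->is_flags = fin->fin_fr->fr_ip.fi_fl & 0xf;` and `is->is_flags |= (fin->fin_fr->fr_mip.fi_fl & 0xf) << 4;`, with a comment such as `/* is_flags: low nibble = rule flags, high nibble = rule flag mask */`. The block also dereferences `fin->fin_fr` unchecked; whether it can be NULL here depends on callers outside this hunk, as fr_addstate() starts and ends outside it.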
***************
*** 326,337 ****
   * change timeout depending on whether new packet is a SYN-ACK returning for a
   * SYN or a RST or FIN which indicate time to close up shop.
   */
! int fr_tcpstate(is, fin, ip, tcp, sport)
  register ipstate_t *is;
  fr_info_t *fin;
  ip_t *ip;
  tcphdr_t *tcp;
- u_short sport;
  {
  	register int seqskew, ackskew;
  	register u_short swin, dwin;
--- 351,361 ----
   * change timeout depending on whether new packet is a SYN-ACK returning for a
   * SYN or a RST or FIN which indicate time to close up shop.
   */
! int fr_tcpstate(is, fin, ip, tcp)
  register ipstate_t *is;
  fr_info_t *fin;
  ip_t *ip;
  tcphdr_t *tcp;
  {
  	register int seqskew, ackskew;
  	register u_short swin, dwin;
***************
*** 343,349 ****
  	 */
  	seq = ntohl(tcp->th_seq);
  	ack = ntohl(tcp->th_ack);
! 	source = (sport == is->is_sport);
  
  	if (!(tcp->th_flags & TH_ACK))  /* Pretend an ack was sent */
  		ack = source ? is->is_ack : is->is_seq;
--- 367,373 ----
  	 */
  	seq = ntohl(tcp->th_seq);
  	ack = ntohl(tcp->th_ack);
! 	source = (ip->ip_src.s_addr == is->is_src.s_addr);
  
  	if (!(tcp->th_flags & TH_ACK))  /* Pretend an ack was sent */
  		ack = source ? is->is_ack : is->is_seq;
***************
*** 403,445 ****
  		/*
  		 * Nearing end of connection, start timeout.
  		 */
! 		fr_tcp_age(&is->is_age, is->is_state, ip, fin,
! 			   tcp->th_sport == is->is_sport);
  		return 1;
  	}
  	return 0;
  }
  
  
! static int
! fr_matchsrcdst(is, src, dst, ifp, tcp, sp, dp)
  ipstate_t *is;
  struct in_addr src, dst;
! void *ifp, *tcp;
  u_short sp, dp;
  {
! 	int ret = 0, rev;
  
  	rev = (is->is_dst.s_addr != dst.s_addr);
  
  	if (!rev) {
! 		if ((is->is_ifp1 == ifp) &&
  		    (is->is_dst.s_addr == dst.s_addr) &&
  		    (is->is_src.s_addr == src.s_addr) &&
! 		    (!tcp || (sp == is->is_sport) && (dp == is->is_dport))) {
  			ret = 1;
  		}
  	} else {
! 		if (((is->is_ifp2 == ifp) || !is->is_ifp2) &&
  		    (is->is_dst.s_addr == src.s_addr) &&
  		    (is->is_src.s_addr == dst.s_addr) &&
  		    (!tcp || (sp == is->is_dport) &&
  		     (dp == is->is_sport))) {
- 			if (!is->is_ifp2)
- 				is->is_ifp2 = ifp;
  			ret = 1;
  		}
  	}
  	return ret;
  }
  
--- 427,503 ----
  		/*
  		 * Nearing end of connection, start timeout.
  		 */
! 		fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
  		return 1;
  	}
  	return 0;
  }
  
  
! static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
  ipstate_t *is;
  struct in_addr src, dst;
! fr_info_t *fin;
! void *tcp;
  u_short sp, dp;
  {
! 	int ret = 0, rev, out;
! 	void *ifp;
  
  	rev = (is->is_dst.s_addr != dst.s_addr);
+ 	ifp = fin->fin_ifp;
+ 	out = fin->fin_out;
  
  	if (!rev) {
! 		if (out) {
! 			if (!is->is_ifpout)
! 				is->is_ifpout = ifp;
! 		} else {
! 			if (!is->is_ifpin)
! 				is->is_ifpin = ifp;
! 		}
! 	} else {
! 		if (out) {
! 			if (!is->is_ifpin)
! 				is->is_ifpin = ifp;
! 		} else {
! 			if (!is->is_ifpout)
! 				is->is_ifpout = ifp;
! 		}
! 	}
! 
! 	if (!rev) {
! 		if (((out && is->is_ifpout == ifp) ||
! 		     (!out && is->is_ifpin == ifp)) &&
  		    (is->is_dst.s_addr == dst.s_addr) &&
  		    (is->is_src.s_addr == src.s_addr) &&
! 		    (!tcp || (sp == is->is_sport) &&
! 		     (dp == is->is_dport))) {
  			ret = 1;
  		}
  	} else {
! 		if (((out && is->is_ifpin == ifp) ||
! 		     (!out && is->is_ifpout == ifp)) &&
  		    (is->is_dst.s_addr == src.s_addr) &&
  		    (is->is_src.s_addr == dst.s_addr) &&
  		    (!tcp || (sp == is->is_dport) &&
  		     (dp == is->is_sport))) {
  			ret = 1;
  		}
  	}
+ 
+ 	/*
+ 	 * Whether or not this should be here, is questionable, but the aim
+ 	 * is to get this out of the main line.
+ 	 */
+ 	if (ret) {
+ 		if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
+ 		    ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
+ 		    ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) ||
+ 		    ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
+ 		     (is->is_flags & 0xf)))
+ 			ret = 0;
+ 	}
  	return ret;
  }
  
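Review bot: The new block at the top of fr_matchsrcdst() fills in `is_ifpin`/`is_ifpout` before any address, port or option test has run, so a packet that is only walked past this entry (same hash bucket, same protocol) can fix the interface of a state it does not belong to. `rev` is derived from the destination address alone, so the write happens for every entry the callers hand in whose slot is still unset. A later legitimate packet on the real interface would then fail the `is_ifpin == ifp` / `is_ifpout == ifp` comparison. The 3.2.6 code only recorded `is_ifp2` inside the successful match branch; I would keep that ordering by accepting an unset slot in the comparison and storing `ifp` only when `ret` is still 1 after the option/security/auth checks.

```c
	int ret = 0, rev, out, ifok;
	void *ifp, **ifpp;

	rev = (is->is_dst.s_addr != dst.s_addr);
	ifp = fin->fin_ifp;
	out = fin->fin_out;

	/*
	 * Slot this packet's interface is checked against; in/out swap
	 * for the reverse direction.
	 */
	if (!rev)
		ifpp = out ? &is->is_ifpout : &is->is_ifpin;
	else
		ifpp = out ? &is->is_ifpin : &is->is_ifpout;
	ifok = (!*ifpp || (*ifpp == ifp));

	/* ... unchanged: forward/reverse address and port tests, interface sub-expression replaced by ifok ... */

	/* ... unchanged: option/security/auth/flag checks that may clear ret ... */

	/*
	 * Learn the interface only from a packet accepted for this state.
	 */
	if (ret && !*ifpp)
		*ifpp = ifp;
	return ret;
```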
***************
*** 482,489 ****
  			if ((is->is_p == pr) &&
  			    (ic->icmp_id == is->is_icmp.ics_id) &&
  			    (ic->icmp_seq == is->is_icmp.ics_seq) &&
! 			    fr_matchsrcdst(is, src, dst, fin->fin_ifp,
! 					   NULL, 0, 0)) {
  				if (is->is_icmp.ics_type != ic->icmp_type)
  					continue;
  				is->is_age = fr_icmptimeout;
--- 540,546 ----
  			if ((is->is_p == pr) &&
  			    (ic->icmp_id == is->is_icmp.ics_id) &&
  			    (ic->icmp_seq == is->is_icmp.ics_seq) &&
! 			    fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
  				if (is->is_icmp.ics_type != ic->icmp_type)
  					continue;
  				is->is_age = fr_icmptimeout;
***************
*** 506,514 ****
  		MUTEX_ENTER(&ipf_state);
  		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
  			if ((is->is_p == pr) &&
! 			    fr_matchsrcdst(is, src, dst, fin->fin_ifp,
! 					   tcp, sport, dport)) {
! 				if (fr_tcpstate(is, fin, ip, tcp, sport)) {
  					pass = is->is_pass;
  #ifdef	_KERNEL
  					MUTEX_EXIT(&ipf_state);
--- 563,571 ----
  		MUTEX_ENTER(&ipf_state);
  		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
  			if ((is->is_p == pr) &&
! 			    fr_matchsrcdst(is, src, dst, fin, tcp,
! 					   sport, dport)) {
! 				if (fr_tcpstate(is, fin, ip, tcp)) {
  					pass = is->is_pass;
  #ifdef	_KERNEL
  					MUTEX_EXIT(&ipf_state);
***************
*** 539,545 ****
  		MUTEX_ENTER(&ipf_state);
  		for (is = ips_table[hv]; is; is = is->is_next)
  			if ((is->is_p == pr) &&
! 			    fr_matchsrcdst(is, src, dst, fin->fin_ifp,
  					   tcp, sport, dport)) {
  				ips_stats.iss_hits++;
  				is->is_pkts++;
--- 596,602 ----
  		MUTEX_ENTER(&ipf_state);
  		for (is = ips_table[hv]; is; is = is->is_next)
  			if ((is->is_p == pr) &&
! 			    fr_matchsrcdst(is, src, dst, fin,
  					   tcp, sport, dport)) {
  				ips_stats.iss_hits++;
  				is->is_pkts++;
diff -cr ip_fil3.2.6/ip_state.h ip_fil3.2.7/ip_state.h
*** ip_fil3.2.6/ip_state.h	Mon May 18 21:15:24 1998
--- ip_fil3.2.7/ip_state.h	Sun May 24 15:18:04 1998
***************
*** 6,12 ****
   * to the original author and the contributors.
   *
   * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
!  * $Id: ip_state.h,v 2.0.2.14.2.2 1998/05/18 11:15:24 darrenr Exp $
   */
  #ifndef	__IP_STATE_H__
  #define	__IP_STATE_H__
--- 6,12 ----
   * to the original author and the contributors.
   *
   * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
!  * $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $
   */
  #ifndef	__IP_STATE_H__
  #define	__IP_STATE_H__
***************
*** 47,58 ****
  	u_int	is_pass;
  	U_QUAD_T	is_pkts;
  	U_QUAD_T	is_bytes;
! 	void	*is_ifp1;
! 	void	*is_ifp2;
  	struct	in_addr	is_src;
  	struct	in_addr	is_dst;
  	u_char	is_p;
  	u_char	is_flags;
  	union {
  		icmpstate_t	is_ics;
  		tcpstate_t	is_ts;
--- 47,64 ----
  	u_int	is_pass;
  	U_QUAD_T	is_pkts;
  	U_QUAD_T	is_bytes;
! 	void	*is_ifpin;
! 	void	*is_ifpout;
  	struct	in_addr	is_src;
  	struct	in_addr	is_dst;
  	u_char	is_p;
  	u_char	is_flags;
+ 	u_32_t	is_opt;
+ 	u_32_t	is_optmsk;
+ 	u_short	is_sec;
+ 	u_short	is_secmsk;
+ 	u_short	is_auth;
+ 	u_short	is_authmsk;
  	union {
  		icmpstate_t	is_ics;
  		tcpstate_t	is_ts;
***************
*** 122,135 ****
  extern	u_long	fr_tcpclosed;
  extern	u_long	fr_udptimeout;
  extern	u_long	fr_icmptimeout;
! extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
! 			    tcphdr_t *, u_short));
! extern	ips_stat_t	*fr_statetstats __P((void));
  extern	int	fr_addstate __P((ip_t *, fr_info_t *, u_int));
  extern	int	fr_checkstate __P((ip_t *, fr_info_t *));
  extern	void	fr_timeoutstate __P((void));
  extern	void	fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
- extern	int	fr_state_flush __P((int));
  extern	void	fr_stateunload __P((void));
  extern	void	ipstate_log __P((struct ipstate *, u_short));
  #if defined(__NetBSD__) || defined(__OpenBSD__)
--- 128,138 ----
  extern	u_long	fr_tcpclosed;
  extern	u_long	fr_udptimeout;
  extern	u_long	fr_icmptimeout;
! extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
  extern	int	fr_addstate __P((ip_t *, fr_info_t *, u_int));
  extern	int	fr_checkstate __P((ip_t *, fr_info_t *));
  extern	void	fr_timeoutstate __P((void));
  extern	void	fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
  extern	void	fr_stateunload __P((void));
  extern	void	ipstate_log __P((struct ipstate *, u_short));
  #if defined(__NetBSD__) || defined(__OpenBSD__)
***************
*** 137,140 ****
--- 140,144 ----
  #else
  extern	int	fr_state_ioctl __P((caddr_t, int, int));
  #endif
+ 
  #endif /* __IP_STATE_H__ */
diff -cr ip_fil3.2.6/ipf.c ip_fil3.2.7/ipf.c
*** ip_fil3.2.6/ipf.c	Wed Apr  8 23:44:53 1998
--- ip_fil3.2.7/ipf.c	Sun May 24 00:29:44 1998
***************
*** 40,46 ****
  
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.3 1998/04/08 13:44:53 darrenr Exp $";
  #endif
  
  static	void	frsync __P((void));
--- 40,46 ----
  
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-1995 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $";
  #endif
  
  static	void	frsync __P((void));
***************
*** 406,412 ****
  
  static void frsync()
  {
! 	if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
  		perror("SIOCFRSYN");
  	else
  		printf("filter sync'd\n");
--- 406,414 ----
  
  static void frsync()
  {
! 	int frsyn = 0;
! 
! 	if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
  		perror("SIOCFRSYN");
  	else
  		printf("filter sync'd\n");
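Review bot: The `else` branch in frsync() also runs when `opendevice(ipfname)` returns -2, so "filter sync'd" is printed even though the SIOCFRSYN ioctl was never issued. An operator relying on that message would assume the rules were resynchronised when nothing happened. Assuming -2 is opendevice()'s failure value (its definition is not in this hunk), I would separate the two tests: `if (opendevice(ipfname) == -2) return;` followed by `if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) perror("SIOCFRSYN"); else printf("filter sync'd\n");`. The closing brace of frsync() is outside the hunk.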
diff -cr ip_fil3.2.6/ipft_tx.c ip_fil3.2.7/ipft_tx.c
*** ip_fil3.2.6/ipft_tx.c	Thu Apr  9 00:31:16 1998
--- ip_fil3.2.7/ipft_tx.c	Sun May 24 05:20:32 1998
***************
*** 43,49 ****
  
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.2 1998/04/08 14:31:16 darrenr Exp $";
  #endif
  
  extern	int	opts;
--- 43,49 ----
  
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $";
  #endif
  
  extern	int	opts;
***************
*** 62,68 ****
  static	FILE	*tfp = NULL;
  static	int	tfd = -1;
  
! static	u_long	tx_hostnum __P((char *, int *));
  static	u_short	tx_portnum __P((char *));
  
  
--- 62,68 ----
  static	FILE	*tfp = NULL;
  static	int	tfd = -1;
  
! static	u_32_t	tx_hostnum __P((char *, int *));
  static	u_short	tx_portnum __P((char *));
  
  
***************
*** 70,76 ****
   * returns an ip address as a long var as a result of either a DNS lookup or
   * straight inet_addr() call
   */
! static	u_long	tx_hostnum(host, resolved)
  char	*host;
  int	*resolved;
  {
--- 70,76 ----
   * returns an ip address as a long var as a result of either a DNS lookup or
   * straight inet_addr() call
   */
! static	u_32_t	tx_hostnum(host, resolved)
  char	*host;
  int	*resolved;
  {
diff -cr ip_fil3.2.6/ipl.h ip_fil3.2.7/ipl.h
*** ip_fil3.2.6/ipl.h	Mon May 18 22:29:46 1998
--- ip_fil3.2.7/ipl.h	Sun May 24 12:06:47 1998
***************
*** 11,16 ****
  #ifndef	__IPL_H__
  #define	__IPL_H__
  
! #define	IPL_VERSION	"IP Filter v3.2.6"
  
  #endif
--- 11,16 ----
  #ifndef	__IPL_H__
  #define	__IPL_H__
  
! #define	IPL_VERSION	"IP Filter v3.2.7"
  
  #endif
diff -cr ip_fil3.2.6/iplang/iplang_y.y ip_fil3.2.7/iplang/iplang_y.y
*** ip_fil3.2.6/iplang/iplang_y.y	Sun Dec 21 23:17:33 1997
--- ip_fil3.2.7/iplang/iplang_y.y	Sun May 24 00:29:53 1998
***************
*** 6,12 ****
   * provided that this notice is preserved and due credit is given
   * to the original author and the contributors.
   *
!  * $Id: iplang_y.y,v 2.0.2.18.2.6 1997/12/21 12:17:33 darrenr Exp $
   */
   
  #include <stdio.h>
--- 6,12 ----
   * provided that this notice is preserved and due credit is given
   * to the original author and the contributors.
   *
!  * $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $
   */
   
  #include <stdio.h>
***************
*** 48,54 ****
--- 48,56 ----
  #include "ipf.h"
  #include "iplang.h"
  
+ #ifndef __NetBSD__
  extern	struct ether_addr *ether_aton __P((char *));
+ #endif
  
  extern	int	opts;
  extern	struct ipopt_names ionames[];
diff -cr ip_fil3.2.6/ipmon.c ip_fil3.2.7/ipmon.c
*** ip_fil3.2.6/ipmon.c	Fri May  1 23:18:49 1998
--- ip_fil3.2.7/ipmon.c	Sun May 24 00:29:45 1998
***************
*** 7,13 ****
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-1997 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.6 1998/05/01 13:18:49 darrenr Exp $";
  #endif
  
  #include <stdio.h>
--- 7,13 ----
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-1997 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $";
  #endif
  
  #include <stdio.h>
***************
*** 18,23 ****
--- 18,24 ----
  #include <sys/types.h>
  #if !defined(__SVR4) && !defined(__svr4__)
  #include <strings.h>
+ #include <signal.h>
  #include <sys/dir.h>
  #else
  #include <sys/filio.h>
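Review bot: The added `#include <signal.h>` sits inside the `#if !defined(__SVR4) && !defined(__svr4__)` branch, while later hunks in this file call `signal(SIGHUP, handlehup)` unconditionally. Unless another include outside this hunk pulls it in, SVR4 builds get no declaration for `signal()` or `SIGHUP`. I would move the line above the `#if`, next to `#include <sys/types.h>`.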
***************
*** 103,108 ****
--- 104,111 ----
  char	*portname __P((int, char *, u_short));
  int	main __P((int, char *[]));
  
+ static	void	logopts __P((int, char *));
+ 
  
  #define	OPT_SYSLOG	0x001
  #define	OPT_RESOLVE	0x002
***************
*** 125,133 ****
  {
  	FILE	*fp;
  
! 	donehup = 1;
  	if (logfile && (fp = fopen(logfile, "a")))
  		newlog = fp;
  }
  
  
--- 128,137 ----
  {
  	FILE	*fp;
  
! 	signal(SIGHUP, handlehup);
  	if (logfile && (fp = fopen(logfile, "a")))
  		newlog = fp;
+ 	donehup = 1;
  }
  
  
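Review bot: handlehup() calls `fopen()` from signal context, and `fopen()` is not async-signal-safe; if the HUP arrives while the main loop is inside stdio or malloc, the process can deadlock or corrupt its heap, and logging stops. I would reduce the handler to `donehup = 1;`, with `donehup` declared `volatile sig_atomic_t` (its declaration is outside this hunk), and do the `fopen(logfile, "a")` in the read loop when the flag is seen. Re-arming with `signal()` inside the handler also leaves a window on System V semantics where a second HUP takes the default action and ends the process; installing the handler once with `sigaction()` avoids that. The handler's signature is outside the hunk.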
***************
*** 195,201 ****
  			*t++ = '\n';
  			*t = '\0';
  			if (!(opts & OPT_SYSLOG))
! 				fputs(line, stdout);
  			else
  				syslog(LOG_INFO, "%s", line);
  			t = (u_char *)line;
--- 199,205 ----
  			*t++ = '\n';
  			*t = '\0';
  			if (!(opts & OPT_SYSLOG))
! 				fputs(line, log);
  			else
  				syslog(LOG_INFO, "%s", line);
  			t = (u_char *)line;
***************
*** 231,238 ****
  		*t = '\0';
  	}
  	if (!(opts & OPT_SYSLOG)) {
! 		fputs(line, stdout);
! 		fflush(stdout);
  	} else
  		syslog(LOG_INFO, "%s", line);
  }
--- 235,242 ----
  		*t = '\0';
  	}
  	if (!(opts & OPT_SYSLOG)) {
! 		fputs(line, log);
! 		fflush(log);
  	} else
  		syslog(LOG_INFO, "%s", line);
  }
***************
*** 246,264 ****
  	iplog_t	*ipl = (iplog_t *)buf;
  	char	*t = line;
  	struct	tm	*tm;
! 	int	res;
  
  	nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
  	res = (opts & OPT_RESOLVE) ? 1 : 0;
  	tm = localtime((time_t *)&ipl->ipl_sec);
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) sprintf(t, "%2d/%02d/%4d ",
! 			tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
! 		t += strlen(t);
  	}
! 	(void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ",
! 		tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec,
! 		nl->nl_rule+1);
  	t += strlen(t);
  
  	if (nl->nl_type == NL_NEWMAP)
--- 250,270 ----
  	iplog_t	*ipl = (iplog_t *)buf;
  	char	*t = line;
  	struct	tm	*tm;
! 	int	res, i, len;
  
  	nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
  	res = (opts & OPT_RESOLVE) ? 1 : 0;
  	tm = localtime((time_t *)&ipl->ipl_sec);
+ 	len = sizeof(line);
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) strftime(t, len, "%d/%m/%Y ", tm);
! 		i = strlen(t);
! 		len -= i;
! 		t += i;
  	}
! 	(void) strftime(t, len, "%T", tm);
! 	t += strlen(t);
! 	(void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
  	t += strlen(t);
  
  	if (nl->nl_type == NL_NEWMAP)
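Review bot: The return value of `strftime()` is discarded and `strlen(t)` is used to advance instead. When the output does not fit, `strftime()` returns 0 and leaves the buffer contents unspecified, so the following `strlen(t)` is not reliable. Using the return value directly is simpler and safe: `i = strftime(t, len, "%d/%m/%Y ", tm); len -= i; t += i;`, and likewise for the `"%T"` call, which currently does not reduce `len` at all. The `tm` pointer from `localtime()` is passed on unchecked, and the `sprintf()` that follows is still unbounded, so `len` protects only the date part. The same pattern is repeated in the next two ipmon.c hunks (new lines 315-335 and 460-475); the enclosing function starts outside this hunk.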
***************
*** 309,326 ****
  	struct	protoent *pr;
  	char	*t = line, *proto, pname[6];
  	struct	tm	*tm;
! 	int	res;
  
  	sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
  	res = (opts & OPT_RESOLVE) ? 1 : 0;
  	tm = localtime((time_t *)&ipl->ipl_sec);
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) sprintf(t, "%2d/%02d/%4d ",
! 			tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
! 		t += strlen(t);
  	}
! 	(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ",
! 		tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec);
  	t += strlen(t);
  
  	if (sl->isl_type == ISL_NEW)
--- 315,335 ----
  	struct	protoent *pr;
  	char	*t = line, *proto, pname[6];
  	struct	tm	*tm;
! 	int	res, i, len;
  
  	sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
  	res = (opts & OPT_RESOLVE) ? 1 : 0;
  	tm = localtime((time_t *)&ipl->ipl_sec);
+ 	len = sizeof(line);
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) strftime(t, len, "%d/%m/%Y ", tm);
! 		i = strlen(t);
! 		len -= i;
! 		t += i;
  	}
! 	(void) strftime(t, len, "%T", tm);
! 	t += strlen(t);
! 	(void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
  	t += strlen(t);
  
  	if (sl->isl_type == ISL_NEW)
***************
*** 416,422 ****
  		blen -= psize;
  		buf += psize;
  	}
- finishbuf:
  	if (bp)
  		free(bp);
  	return;
--- 425,430 ----
***************
*** 452,464 ****
  	ip->ip_len = ntohs(ip->ip_len);
  #endif
  
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) sprintf(t, "%2d/%02d/%4d ",
! 			tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
! 		t += strlen(t);
  	}
! 	(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min,
! 		tm->tm_sec, ipl->ipl_usec);
  	t += strlen(t);
  	if (ipl->ipl_count > 1) {
  		(void) sprintf(t, "%dx ", ipl->ipl_count);
--- 460,475 ----
  	ip->ip_len = ntohs(ip->ip_len);
  #endif
  
+ 	len = sizeof(line);
  	if (!(opts & OPT_SYSLOG)) {
! 		(void) strftime(t, len, "%d/%m/%Y ", tm);
! 		i = strlen(t);
! 		len -= i;
! 		t += i;
  	}
! 	(void) strftime(t, len, "%T", tm);
! 	t += strlen(t);
! 	(void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
  	t += strlen(t);
  	if (ipl->ipl_count > 1) {
  		(void) sprintf(t, "%dx ", ipl->ipl_count);
***************
*** 821,826 ****
--- 832,839 ----
  		close(2);
  		setsid();
  	}
+ 
+ 	signal(SIGHUP, handlehup);
  
  	for (doread = 1; doread; ) {
  		nr = 0;
diff -cr ip_fil3.2.6/ipnat.c ip_fil3.2.7/ipnat.c
*** ip_fil3.2.6/ipnat.c	Tue May  5 23:35:31 1998
--- ip_fil3.2.7/ipnat.c	Sun May 24 05:07:02 1998
***************
*** 62,68 ****
  
  #if !defined(lint)
  static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.5 1998/05/05 13:35:31 darrenr Exp $";
  #endif
  
  
--- 62,68 ----
  
  #if !defined(lint)
  static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $";
  #endif
  
  
***************
*** 73,86 ****
  extern	char	*optarg;
  
  ipnat_t	*parse __P((char *));
! u_long	hostnum __P((char *, int *));
! u_long	hostmask __P((char *));
  u_short	portnum __P((char *, char *));
  void	dostats __P((int, int)), flushtable __P((int, int));
  void	printnat __P((ipnat_t *, int, void *));
  void	parsefile __P((int, char *, int));
  void	usage __P((char *));
! int	countbits __P((u_long));
  char	*getnattype __P((ipnat_t *));
  int	main __P((int, char*[]));
  
--- 73,86 ----
  extern	char	*optarg;
  
  ipnat_t	*parse __P((char *));
! u_32_t	hostnum __P((char *, int *));
! u_32_t	hostmask __P((char *));
  u_short	portnum __P((char *, char *));
  void	dostats __P((int, int)), flushtable __P((int, int));
  void	printnat __P((ipnat_t *, int, void *));
  void	parsefile __P((int, char *, int));
  void	usage __P((char *));
! int	countbits __P((u_32_t));
  char	*getnattype __P((ipnat_t *));
  int	main __P((int, char*[]));
  
***************
*** 162,170 ****
   * of bits.
   */
  int	countbits(ip)
! u_long	ip;
  {
! 	u_long	ipn;
  	int	cnt = 0, i, j;
  
  	ip = ipn = ntohl(ip);
--- 162,170 ----
   * of bits.
   */
  int	countbits(ip)
! u_32_t	ip;
  {
! 	u_32_t	ipn;
  	int	cnt = 0, i, j;
  
  	ip = ipn = ntohl(ip);
***************
*** 417,434 ****
  }
  
  
! u_long	hostmask(msk)
  char	*msk;
  {
  	int	bits = -1;
! 	u_long	mask;
  
  	if (!isdigit(*msk))
! 		return (u_long)-1;
  	if (strchr(msk, '.'))
  		return inet_addr(msk);
  	if (strchr(msk, 'x'))
! 		return (u_long)strtol(msk, NULL, 0);
  	/*
  	 * set x most significant bits
  	 */
--- 417,434 ----
  }
  
  
! u_32_t	hostmask(msk)
  char	*msk;
  {
  	int	bits = -1;
! 	u_32_t	mask;
  
  	if (!isdigit(*msk))
! 		return (u_32_t)-1;
  	if (strchr(msk, '.'))
  		return inet_addr(msk);
  	if (strchr(msk, 'x'))
! 		return (u_32_t)strtol(msk, NULL, 0);
  	/*
  	 * set x most significant bits
  	 */
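Review bot: `(u_32_t)strtol(msk, NULL, 0)` in hostmask() parses a mask through a signed `long`, so on a platform with a 32-bit `long` any hex mask with the top bit set is out of range, and netmasks normally have it set. `strtol()` then returns `LONG_MAX` rather than the mask, and the translation rule ends up with a different netmask than the one written in the configuration. I would change the line to `return (u_32_t)strtoul(msk, NULL, 0);` and ideally reject input where the end pointer does not reach the terminating NUL. `isdigit(*msk)` should also receive `(unsigned char)*msk`. hostmask() continues outside the hunk.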
***************
*** 445,451 ****
   * returns an ip address as a long var as a result of either a DNS lookup or
   * straight inet_addr() call
   */
! u_long	hostnum(host, resolved)
  char	*host;
  int	*resolved;
  {
--- 445,451 ----
   * returns an ip address as a long var as a result of either a DNS lookup or
   * straight inet_addr() call
   */
! u_32_t	hostnum(host, resolved)
  char	*host;
  int	*resolved;
  {
diff -cr ip_fil3.2.6/ipsend/ipresend.1 ip_fil3.2.7/ipsend/ipresend.1
*** ip_fil3.2.6/ipsend/ipresend.1	Sat Apr 11 12:59:39 1998
--- ip_fil3.2.7/ipsend/ipresend.1	Sun May 24 00:30:24 1998
***************
*** 92,99 ****
  .B \-X
  The input file is composed of text descriptions of IP packets.
  .TP
- .SH FILES
- .DT
  .SH SEE ALSO
  snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
  .SH DIAGNOSTICS
--- 92,97 ----
diff -cr ip_fil3.2.6/ipsend/ipsend.5 ip_fil3.2.7/ipsend/ipsend.5
*** ip_fil3.2.6/ipsend/ipsend.5	Tue Sep 16 00:56:21 1997
--- ip_fil3.2.7/ipsend/ipsend.5	Sun May 24 00:30:25 1998
***************
*** 392,398 ****
  .B maskrep
  Address mask reply.
  .SH FILES
  /etc/protocols
  /etc/services
- /etc/hosts
  .SH SEE ALSO
--- 392,401 ----
  .B maskrep
  Address mask reply.
  .SH FILES
+ /etc/hosts
+ .br
  /etc/protocols
+ .br
  /etc/services
  .SH SEE ALSO
+ ipsend(1), iptest(1), hosts(5), protocols(5), services(5)
diff -cr ip_fil3.2.6/ipsend/iptest.1 ip_fil3.2.7/ipsend/iptest.1
*** ip_fil3.2.6/ipsend/iptest.1	Sat Apr 11 12:59:41 1998
--- ip_fil3.2.7/ipsend/iptest.1	Sun May 24 00:30:26 1998
***************
*** 91,97 ****
  Run a...
  .DT
  .SH SEE ALSO
! ipsend(1), ipresend(1), bpf(4), dlpi(7p)
  .SH DIAGNOSTICS
  Only one of the numeric test options may be given when \fIiptest\fP is run.
  .PP
--- 91,97 ----
  Run a...
  .DT
  .SH SEE ALSO
! ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p)
  .SH DIAGNOSTICS
  Only one of the numeric test options may be given when \fIiptest\fP is run.
  .PP
diff -cr ip_fil3.2.6/man/ipf.4 ip_fil3.2.7/man/ipf.4
*** ip_fil3.2.6/man/ipf.4	Fri Nov 28 18:25:04 1997
--- ip_fil3.2.7/man/ipf.4	Sun May 24 00:30:28 1998
***************
*** 3,8 ****
--- 3,9 ----
  ipf \- packet filtering kernel interface
  .SH SYNOPSIS
  #include <netinet/ip_compat.h>
+ .br
  #include <netinet/ip_fil.h>
  .SH IOCTLS
  .PP
***************
*** 200,204 ****
  #endif
  };
  .fi
  .SH SEE ALSO
! ipfstat(8), ipf(8), ipf(5)
--- 201,213 ----
  #endif
  };
  .fi
+ .SH FILES
+ /dev/ipauth
+ .br
+ /dev/ipl
+ .br
+ /dev/ipnat
+ .br
+ /dev/ipstate
  .SH SEE ALSO
! ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff -cr ip_fil3.2.6/man/ipf.5 ip_fil3.2.7/man/ipf.5
*** ip_fil3.2.6/man/ipf.5	Fri Nov 28 18:26:00 1997
--- ip_fil3.2.7/man/ipf.5	Sun May 24 00:30:29 1998
***************
*** 1,6 ****
  .TH IPF 5
  .SH NAME
! ipf \- IP packet filter rule syntax
  .SH DESCRIPTION
  .PP
  A rule file for \fBipf\fP may have any name or even be stdin.  As
--- 1,6 ----
  .TH IPF 5
  .SH NAME
! ipf, ipf.conf \- IP packet filter rule syntax
  .SH DESCRIPTION
  .PP
  A rule file for \fBipf\fP may have any name or even be stdin.  As
***************
*** 477,484 ****
  need to be specified as the parser interprets each rule on its own and
  qualifies all service/port names with the protocol specified.
  .SH FILES
! /etc/services
  .br
  /etc/hosts
  .SH SEE ALSO
! ipf(8), ipftest(1), mkfilters(1), ipmon(8)
--- 477,490 ----
  need to be specified as the parser interprets each rule on its own and
  qualifies all service/port names with the protocol specified.
  .SH FILES
! /dev/ipauth
! .br
! /dev/ipl
! .br
! /dev/ipstate
  .br
  /etc/hosts
+ .br
+ /etc/services
  .SH SEE ALSO
! ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff -cr ip_fil3.2.6/man/ipf.8 ip_fil3.2.7/man/ipf.8
*** ip_fil3.2.6/man/ipf.8	Sat Apr 11 12:59:44 1998
--- ip_fil3.2.7/man/ipf.8	Sun May 24 00:30:30 1998
***************
*** 66,72 ****
  .B \-I
  Set the list to make changes to the inactive list.
  .TP
! .B \-l \0<param>
  Use of the \fB-l\fP flag toggles default logging of packets.  Valid
  arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
  When an option is set, any packet which exits filtering and matches the
--- 66,72 ----
  .B \-I
  Set the list to make changes to the inactive list.
  .TP
! .B \-l \0<pass|block|nomatch>
  Use of the \fB-l\fP flag toggles default logging of packets.  Valid
  arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
  When an option is set, any packet which exits filtering and matches the
***************
*** 106,113 ****
  Zero global statistics held in the kernel for filtering only (this doesn't
  affect fragment or state statistics).
  .DT
  .SH SEE ALSO
! ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
  .SH DIAGNOSTICS
  .PP
  Needs to be run as root for the packet filtering lists to actually
--- 106,119 ----
  Zero global statistics held in the kernel for filtering only (this doesn't
  affect fragment or state statistics).
  .DT
+ .SH FILES
+ /dev/ipauth
+ .br
+ /dev/ipl
+ .br
+ /dev/ipstate
  .SH SEE ALSO
! ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
  .SH DIAGNOSTICS
  .PP
  Needs to be run as root for the packet filtering lists to actually
diff -cr ip_fil3.2.6/man/ipfstat.8 ip_fil3.2.7/man/ipfstat.8
*** ip_fil3.2.6/man/ipfstat.8	Fri Nov 28 18:25:06 1997
--- ip_fil3.2.7/man/ipfstat.8	Sun May 24 00:30:31 1998
***************
*** 69,74 ****
--- 69,78 ----
  .SH FILES
  /dev/kmem
  .br
+ /dev/ipl
+ .br
+ /dev/ipstate
+ .br
  /vmunix
  .SH SEE ALSO
  ipf(8)
diff -cr ip_fil3.2.6/man/ipftest.1 ip_fil3.2.7/man/ipftest.1
*** ip_fil3.2.6/man/ipftest.1	Fri Nov 28 18:25:07 1997
--- ip_fil3.2.7/man/ipftest.1	Sun May 24 00:30:32 1998
***************
*** 1,4 ****
! .TH ipftest 8
  .SH NAME
  ipftest \- test packet filter rules with arbitary input.
  .SH SYNOPSIS
--- 1,4 ----
! .TH ipftest 1
  .SH NAME
  ipftest \- test packet filter rules with arbitary input.
  .SH SYNOPSIS
***************
*** 119,127 ****
  .TP
  .BR \-r \0<filename>
  Specify the filename from which to read filter rules.
- .SH FILES
  .SH SEE ALSO
! ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
  .SH BUGS
  Not all of the input formats are sufficiently capable of introducing a
  wide enough variety of packets for them to be all useful in testing.
--- 119,126 ----
  .TP
  .BR \-r \0<filename>
  Specify the filename from which to read filter rules.
  .SH SEE ALSO
! ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
  .SH BUGS
  Not all of the input formats are sufficiently capable of introducing a
  wide enough variety of packets for them to be all useful in testing.
diff -cr ip_fil3.2.6/man/ipmon.8 ip_fil3.2.7/man/ipmon.8
*** ip_fil3.2.6/man/ipmon.8	Fri Nov 28 18:25:07 1997
--- ip_fil3.2.7/man/ipmon.8	Sun May 24 00:30:33 1998
***************
*** 101,106 ****
  recorded data.
  .SH FILES
  /dev/ipl
  .SH SEE ALSO
! ipf(8), ipfstat(8)
  .SH BUGS
--- 101,110 ----
  recorded data.
  .SH FILES
  /dev/ipl
+ .br
+ /dev/ipnat
+ .br
+ /dev/ipstate
  .SH SEE ALSO
! ipl(4), ipf(8), ipfstat(8), ipnat(8)
  .SH BUGS
diff -cr ip_fil3.2.6/man/ipnat.1 ip_fil3.2.7/man/ipnat.1
*** ip_fil3.2.6/man/ipnat.1	Fri Nov 28 18:25:08 1997
--- ip_fil3.2.7/man/ipnat.1	Sun May 24 00:30:33 1998
***************
*** 41,45 ****
  .B \-v
  Turn verbose mode on.  Displays information relating to rule processing.
  .DT
  .SH SEE ALSO
! ipfstat(1), ipftest(8), ipf(8), ipnat(5)
--- 41,47 ----
  .B \-v
  Turn verbose mode on.  Displays information relating to rule processing.
  .DT
+ .SH FILES
+ /dev/ipnat
  .SH SEE ALSO
! ipnat(5), ipf(8), ipfstat(8)
diff -cr ip_fil3.2.6/man/ipnat.4 ip_fil3.2.7/man/ipnat.4
*** ip_fil3.2.6/man/ipnat.4	Fri Nov 28 18:25:08 1997
--- ip_fil3.2.7/man/ipnat.4	Sun May 24 00:30:34 1998
***************
*** 3,10 ****
--- 3,13 ----
  ipnat \- Network Address Translation kernel interface
  .SH SYNOPSIS
  #include <netinet/ip_compat.h>
+ .br
  #include <netinet/ip_fil.h>
+ .br
  #include <netinet/ip_proxy.h>
+ .br
  #include <netinet/ip_nat.h>
  .SH IOCTLS
  .PP
***************
*** 87,91 ****
  .SH BUGS
  It would be nice if there were more flexibility when adding and deleting
  filter rules.
  .SH SEE ALSO
! ipfstat(8), ipf(8), ipf(4), ipnat(5)
--- 90,96 ----
  .SH BUGS
  It would be nice if there were more flexibility when adding and deleting
  filter rules.
+ .SH FILES
+ /dev/ipnat
  .SH SEE ALSO
! ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff -cr ip_fil3.2.6/man/ipnat.5 ip_fil3.2.7/man/ipnat.5
*** ip_fil3.2.6/man/ipnat.5	Sun Jan 12 19:48:13 1997
--- ip_fil3.2.7/man/ipnat.5	Sun May 24 00:30:35 1998
***************
*** 1,6 ****
  .TH IPNAT 5
  .SH NAME
! ipnat \- IP NAT file format
  .SH DESCRIPTION
  The format for files accepted by ipnat is described by the following grammar:
  .LP
--- 1,6 ----
  .TH IPNAT 5
  .SH NAME
! ipnat, ipnat.conf \- IP NAT file format
  .SH DESCRIPTION
  The format for files accepted by ipnat is described by the following grammar:
  .LP
***************
*** 37,46 ****
  .SH Examples
  .PP
  To change IP#'s used internally from network 10 into an ISP provided 8 bit
! subnet at 209.1.2.0, the following would be used:
  .LP
  .nf
! map 10.0.0.0/8 -> 209.1.2.0/24
  .fi
  .PP
  The obvious problem here is we're trying to squeeze over 16,000,000 IP
--- 37,46 ----
  .SH Examples
  .PP
  To change IP#'s used internally from network 10 into an ISP provided 8 bit
! subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
  .LP
  .nf
! map ppp0 10.0.0.0/8 -> 209.1.2.0/24
  .fi
  .PP
  The obvious problem here is we're trying to squeeze over 16,000,000 IP
***************
*** 48,54 ****
  and/or UDP, port remapping can be used;
  .LP
  .nf
! map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
  .fi
  .PP
  which falls only 527,566 `addresses' short of the space available in network
--- 48,54 ----
  and/or UDP, port remapping can be used;
  .LP
  .nf
! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
  .fi
  .PP
  which falls only 527,566 `addresses' short of the space available in network
***************
*** 56,70 ****
  follows:
  .LP
  .nf
! map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
! map 10.0.0.0/8 -> 209.1.2.0/24
  .fi
  .PP
  so that all TCP/UDP packets were port mapped and only other protocols, such as
  ICMP, only have their IP# changed.
  .SH FILES
  /etc/services
  .br
  /etc/hosts
  .SH SEE ALSO
! ipnat(1), ipf(5), ipnat(4)
--- 56,72 ----
  follows:
  .LP
  .nf
! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
! map ppp0 10.0.0.0/8 -> 209.1.2.0/24
  .fi
  .PP
  so that all TCP/UDP packets were port mapped and only other protocols, such as
  ICMP, only have their IP# changed.
  .SH FILES
+ /dev/ipnat
+ .br
  /etc/services
  .br
  /etc/hosts
  .SH SEE ALSO
! ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
diff -cr ip_fil3.2.6/mln_ipl.c ip_fil3.2.7/mln_ipl.c
*** ip_fil3.2.6/mln_ipl.c	Wed Oct 29 22:59:39 1997
--- ip_fil3.2.7/mln_ipl.c	Sun May 24 00:29:47 1998
***************
*** 48,53 ****
--- 48,56 ----
  #include "ip_compat.h"
  #include "ip_fil.h"
  
+ #if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
+ #define vn_lock(v,f) VOP_LOCK(v)
+ #endif
  
  #if !defined(VOP_LEASE) && defined(LEASE_CHECK)
  #define	VOP_LEASE	LEASE_CHECK
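Review bot: The new compat macro `vn_lock(v,f)` has no comment, and its guard also defines it whenever `__NetBSD_Version__` is absent, so a reader cannot tell from this hunk why that is safe. The macro discards `f` before compilation, which is what lets the call in the later hunk pass `LK_EXCLUSIVE | LK_RETRY` on kernels that presumably do not define those flags. I would add a comment above the `#define`, for example `/* older NetBSD has no vn_lock(): drop the lock flags and fall back to VOP_LOCK(vp) */`. If this file is ever built where a real `vn_lock()` exists but `__NetBSD_Version__` is not defined, the macro would replace it with a plain `VOP_LOCK`, so the guard is worth confirming against the supported targets.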
***************
*** 179,185 ****
  		if ((error = namei(&nd)))
  			return (error);
  		VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
! 		VOP_LOCK(nd.ni_vp);
  		VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
  		(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
  	}
--- 182,188 ----
  		if ((error = namei(&nd)))
  			return (error);
  		VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
! 		vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
  		VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
  		(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
  	}
diff -cr ip_fil3.2.6/parse.c ip_fil3.2.7/parse.c
*** ip_fil3.2.6/parse.c	Sat Feb 28 13:04:40 1998
--- ip_fil3.2.7/parse.c	Sun May 24 05:20:33 1998
***************
*** 35,41 ****
  
  #if !defined(lint)
  static const char sccsid[] ="@(#)parse.c	1.44 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.2 1998/02/28 02:04:40 darrenr Exp $";
  #endif
  
  extern	struct	ipopt_names	ionames[], secclass[];
--- 35,41 ----
  
  #if !defined(lint)
  static const char sccsid[] ="@(#)parse.c	1.44 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $";
  #endif
  
  extern	struct	ipopt_names	ionames[], secclass[];
***************
*** 57,63 ****
  int	to_interface __P((frdest_t *, char *));
  void	print_toif __P((char *, frdest_t *));
  void	optprint __P((u_short, u_short, u_long, u_long));
! int	countbits __P((u_long));
  char	*portname __P((int, int));
  
  
--- 57,63 ----
  int	to_interface __P((frdest_t *, char *));
  void	print_toif __P((char *, frdest_t *));
  void	optprint __P((u_short, u_short, u_long, u_long));
! int	countbits __P((u_32_t));
  char	*portname __P((int, int));
  
  
***************
*** 475,486 ****
  	/*
  	 * lazy users...
  	 */
! 	if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
! 	    (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
! 		(void)fprintf(stderr,
! 			"no protocol given for TCP/UDP comparisons\n");
  		return NULL;
  	}
  /*
  	if ((fil.fr_flags & FR_KEEPFRAG) &&
  	    (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
--- 475,495 ----
  	/*
  	 * lazy users...
  	 */
! 	if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
! 		(void)fprintf(stderr, "TCP protocol not specified\n");
  		return NULL;
  	}
+ 	if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
+ 	    (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
+ 		if (!fil.fr_proto) {
+ 			fil.fr_ip.fi_fl |= FI_TCPUDP;
+ 			fil.fr_mip.fi_fl |= FI_TCPUDP;
+ 		} else {
+ 			(void)fprintf(stderr,
+ 				     "port comparisons for non-TCP/UDP\n");
+ 			return NULL;
+ 		}
+ 	}
  /*
  	if ((fil.fr_flags & FR_KEEPFRAG) &&
  	    (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
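Review bot: The `!fil.fr_proto` branch silently turns a rule that has port comparisons but no `proto` into a tcp/udp rule by setting `FI_TCPUDP` in `fr_ip` and `fr_mip`, where the old code rejected such a rule. In a packet filter the rule author should be told that the rule now matches both protocols. I would print a notice before setting the flags, e.g. `(void)fprintf(stderr, "no protocol given, assuming tcp/udp\n");`, and replace the `lazy users...` comment with one that states what the two checks enforce. The first check also prints `TCP protocol not specified` when some other protocol was named, since its condition is `fil.fr_proto != IPPROTO_TCP`, so a wording such as `"TCP flags given for non-TCP rule\n"` would cover both cases. The enclosing function starts and ends outside this hunk.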
***************
*** 980,986 ****
  		fp->fr_proto = IPPROTO_ICMP;
  	if (isdigit(***cp)) {
  		i = atoi(**cp);
- 		(*cp)++;
  	} else {
  		for (t = icmptypes, i = 0; ; t++, i++) {
  			if (!*t)
--- 989,994 ----
***************
*** 1082,1090 ****
   * of bits.
   */
  int	countbits(ip)
! u_long	ip;
  {
! 	u_long	ipn;
  	int	cnt = 0, i, j;
  
  	ip = ipn = ntohl(ip);
--- 1090,1098 ----
   * of bits.
   */
  int	countbits(ip)
! u_32_t	ip;
  {
! 	u_32_t	ipn;
  	int	cnt = 0, i, j;
  
  	ip = ipn = ntohl(ip);