diff -cr ip_fil3.3.10/HISTORY ip_fil3.3.11/HISTORY *** ip_fil3.3.10/HISTORY Thu Feb 24 02:23:47 2000 --- ip_fil3.3.11/HISTORY Sat Mar 4 12:16:04 2000 *************** *** 20,25 **** --- 20,33 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.11 04/03/2000 - Released + + make "or-block" work with lines that start with "log" + + fix up parsing and printing of rules with syslog levels in them + + fix from Cy Schubert for calling of apr_fini only if non-null + 3.3.10 24/02/2000 - Released * fix back from guido for state tracking interfaces *************** *** 28,34 **** * if attaching fails and we can abort, then cleanup when doing so. ! julian@computer.org: * solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. * ipf.c (packetlogon): use flag to store the return value from get_flags. * ipmon.c (init_tabs): Generate cleanup so we do not have to cast --- 36,42 ---- * if attaching fails and we can abort, then cleanup when doing so. ! Julian Yip (julian@computer.org): * solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. * ipf.c (packetlogon): use flag to store the return value from get_flags. * ipmon.c (init_tabs): Generate cleanup so we do not have to cast diff -cr ip_fil3.3.10/SunOS5/pkginfo ip_fil3.3.11/SunOS5/pkginfo *** ip_fil3.3.10/SunOS5/pkginfo Tue Feb 22 21:14:17 2000 --- ip_fil3.3.11/SunOS5/pkginfo Sat Mar 4 12:16:05 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.10 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! 
VERSION=3.3.11 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.10/fil.c ip_fil3.3.11/fil.c *** ip_fil3.3.10/fil.c Thu Jan 27 19:49:37 2000 --- ip_fil3.3.11/fil.c Sat Mar 4 01:51:16 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.17 2000/03/03 14:51:16 darrenr Exp $"; #endif #include *************** *** 540,545 **** --- 540,547 ---- #ifdef IPFILTER_LOG if ((passt & FR_LOGMASK) == FR_LOG) { if (!IPLLOG(passt, ip, fin, m)) { + if (passt & FR_LOGORBLOCK) + passt |= FR_BLOCK|FR_QUICK; ATOMIC_INC(frstats[fin->fin_out].fr_skip); } ATOMIC_INC(frstats[fin->fin_out].fr_pkl); *************** *** 1187,1193 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1189,1195 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.17 2000/03/03 14:51:16 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.3.10/ip_proxy.c ip_fil3.3.11/ip_proxy.c *** ip_fil3.3.10/ip_proxy.c Tue Feb 22 22:41:14 2000 --- ip_fil3.3.11/ip_proxy.c Wed Mar 1 09:47:17 2000 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.2 2000/02/22 11:41:14 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! 
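Review bot: The new `FR_LOGORBLOCK` branch in fil.c (hunk at 540) silently turns the packet's fate from "log" into "block quick" and is the fail-closed path for a logging failure, so it needs a comment saying so; I would put `/* log or-block: IPLLOG failed, so fail closed and turn this bare log rule into block quick */` above the added `if`. Because the check sits inside `(passt & FR_LOGMASK) == FR_LOG`, it only covers bare `log` rules; pass/block rules that also log are presumably handled on another path not in this hunk, and that path needs the same `FR_LOGORBLOCK` treatment if it does not already have it. The only counter bumped here is `fr_skip`, so a packet dropped by or-block is indistinguishable in the statistics from one whose log entry was merely dropped. The enclosing function starts and ends outside the hunk.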
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.3 2000/02/29 22:47:17 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 392,396 **** aproxy_t *ap; for (ap = ap_proxies; ap->apr_p; ap++) ! (*ap->apr_fini)(); } --- 392,397 ---- aproxy_t *ap; for (ap = ap_proxies; ap->apr_p; ap++) ! if (ap->apr_fini) ! (*ap->apr_fini)(); } diff -cr ip_fil3.3.10/ipl.h ip_fil3.3.11/ipl.h *** ip_fil3.3.10/ipl.h Tue Feb 22 21:14:17 2000 --- ip_fil3.3.11/ipl.h Sat Mar 4 12:16:04 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.10" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.11" #endif diff -cr ip_fil3.3.10/parse.c ip_fil3.3.11/parse.c *** ip_fil3.3.10/parse.c Thu Jan 27 19:49:42 2000 --- ip_fil3.3.11/parse.c Sat Mar 4 16:21:18 2000 *************** *** 41,47 **** #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.8 2000/01/27 08:49:42 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 41,47 ---- #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.11 2000/03/04 05:19:25 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 66,71 **** --- 66,73 ---- int countbits __P((u_32_t)); char *portname __P((int, int)); int ratoi __P((char *, int *, int, int)); + int loglevel __P((char **, u_short *, int)); + void printlog __P((frentry_t *)); char *proto = NULL; *************** *** 185,226 **** } if (!strcasecmp(*(cpp+1), "first")) { fil.fr_flags |= FR_LOGFIRST; } if (!strcasecmp(*(cpp+1), "level")) { ! int fac, pri; ! char *s; ! ! fac = 0; ! pri = 0; ! if (!*++cpp) { ! fprintf(stderr, "%d: %s\n", linenum, ! 
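Review bot: The guard added in the ip_proxy.c loop at 392 leaves a brace-less `for` wrapping a brace-less `if`, the shape that later edits most easily get wrong; I would brace the loop body, `for (ap = ap_proxies; ap->apr_p; ap++) {` with the `if (ap->apr_fini != NULL)` test and the call inside and a closing `}` after. If `apr_fini` is now optional for a proxy, the matching `apr_init` call (not in this hunk) presumably needs the same NULL test and is worth checking. The enclosing function begins outside the hunk.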
"missing identifier after level"); return NULL; - } - s = index(*cpp, '.'); - if (s) { - *s++ = '\0'; - fac = fac_findname(*cpp); - if (fac == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown facility", *cpp); - return NULL; - } - pri = pri_findname(s); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", s); - return NULL; - } - } else { - pri = pri_findname(*cpp); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", *cpp); - return NULL; - } - } - fil.fr_loglevel = fac|pri; cpp++; } } else { --- 187,202 ---- } if (!strcasecmp(*(cpp+1), "first")) { fil.fr_flags |= FR_LOGFIRST; + cpp++; + } + if (*cpp && !strcasecmp(*(cpp+1), "or-block")) { + fil.fr_flags |= FR_LOGORBLOCK; + cpp++; } if (!strcasecmp(*(cpp+1), "level")) { ! cpp++; ! if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) return NULL; cpp++; } } else { *************** *** 321,326 **** --- 297,308 ---- fil.fr_loglevel = fac|pri; cpp++; } + if (*cpp && !strcasecmp(*cpp, "level")) { + if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) + return NULL; + cpp++; + cpp++; + } } if (*cpp && !strcasecmp("quick", *cpp)) { *************** *** 642,647 **** --- 624,673 ---- } + int loglevel(cpp, facpri, linenum) + char **cpp; + u_short *facpri; + int linenum; + { + int fac, pri; + char *s; + + fac = 0; + pri = 0; + if (!*++cpp) { + fprintf(stderr, "%d: %s\n", linenum, + "missing identifier after level"); + return -1; + } + + s = index(*cpp, '.'); + if (s) { + *s++ = '\0'; + fac = fac_findname(*cpp); + if (fac == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown facility", *cpp); + return -1; + } + pri = pri_findname(s); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", s); + return -1; + } + } else { + pri = pri_findname(*cpp); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", *cpp); + return -1; + } + } + *facpri = fac|pri; + return 0; + } + + int to_interface(fdp, to, 
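Review bot: In the rewritten `log` option parsing (parse.c hunk at 185), the `or-block` and `level` tests read `*(cpp+1)` after the preceding branch has already advanced `cpp`, yet the only NULL test is `*cpp &&` on the or-block line, which checks the token just consumed rather than the one about to be handed to strcasecmp(); a rule that ends right after `first` or `or-block` would pass NULL to strcasecmp(). Assuming the token array is NULL-terminated, as the `*cpp` tests elsewhere suggest, the guards should be `if (*(cpp+1) && !strcasecmp(*(cpp+1), "or-block")) {` and `if (*(cpp+1) && !strcasecmp(*(cpp+1), "level")) {`. The `first` test just above has the same exposure but is pre-existing. The enclosing function starts and ends outside the hunk.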
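Review bot: The second `level` handler added in parse.c (hunk at 321) sits directly after the old inline facility/priority parser, whose tail `fil.fr_loglevel = fac|pri;` is still visible as context, so this block now parses the same keyword in two different ways; if the start of that inline code (outside the hunk) is the earlier `level` case, it should call `loglevel()` as well so that accepted syntax and error messages cannot drift apart. The double advance reads better as one statement, `cpp += 2; /* skip "level" and its argument */`. The enclosing function starts and ends outside the hunk.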
linenum) frdest_t *fdp; char *to; *************** *** 1290,1295 **** --- 1316,1327 ---- } (*cp)++; + if (!**cp) { + fprintf(stderr, "%d: Missing state/frag after keep\n", + linenum); + return -1; + } + if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) { fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n", linenum, **cp); *************** *** 1374,1380 **** "<>", "><"}; struct protoent *p; int ones = 0, pr; ! char *s, *u; u_char *t; u_short sec[2]; --- 1406,1412 ---- "<>", "><"}; struct protoent *p; int ones = 0, pr; ! char *s; u_char *t; u_short sec[2]; *************** *** 1397,1407 **** } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) printf(" return-rst"); } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { ! printf("log"); ! if (fp->fr_flags & FR_LOGBODY) ! printf(" body"); ! if (fp->fr_flags & FR_LOGFIRST) ! printf(" first"); } else if (fp->fr_flags & FR_ACCOUNT) printf("count"); else if (fp->fr_flags & FR_AUTH) --- 1429,1435 ---- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) printf(" return-rst"); } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { ! printlog(fp); } else if (fp->fr_flags & FR_ACCOUNT) printf("count"); else if (fp->fr_flags & FR_AUTH) *************** *** 1418,1446 **** if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { ! printf("log "); ! if (fp->fr_flags & FR_LOGBODY) ! printf("body "); ! if (fp->fr_flags & FR_LOGFIRST) ! printf("first "); ! if (fp->fr_flags & FR_LOGORBLOCK) ! printf("or-block "); ! if (fp->fr_loglevel != 0xffff) { ! if (fp->fr_loglevel & LOG_FACMASK) { ! s = fac_toname(fp->fr_loglevel); ! if (s == NULL) ! s = "!!!"; ! } else ! s = ""; ! u = pri_toname(fp->fr_loglevel); ! if (u == NULL) ! u = "!!!"; ! if (*s) ! printf("level %s.%s ", s, u); ! else ! printf("level %s ", u); ! } ! } if (fp->fr_flags & FR_QUICK) printf("quick "); --- 1446,1453 ---- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { ! printlog(fp); ! 
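Review bot: `loglevel()` (parse.c hunk at 642) has no header comment, and its contract is not obvious from the code: it expects `cpp` to point at the `level` keyword, consumes the following token by advancing only a local copy so every caller must step past the consumed tokens itself (the two call sites do so differently), and it splits a `facility.priority` token in place with `*s++ = '\0'`, so the caller's string is modified. I would document exactly that above the definition, together with the return value (0 on success, -1 after printing a diagnostic prefixed with `linenum`) and that `*facpri` is written only on success. The non-static name `loglevel` is also generic enough to collide with other objects the tools link against; `static int loglevel(...)` would do if nothing outside parse.c needs it, which the prototype hunk at 66 does not settle either way.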
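Review bot: With the new `if (!**cp)` check in the keep-state parsing (parse.c hunk at 1290), the `**cp &&` at the head of the following condition is now dead and should be dropped so the two tests read as one sequence: `if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {`. The message text `Missing state/frag after keep` names the keyword as `frag` while the code accepts `frags`; using the accepted spelling lets an operator copy it straight back into the rule. The enclosing function starts and ends outside the hunk.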
putchar(' '); } if (fp->fr_flags & FR_QUICK) printf("quick "); *************** *** 1588,1593 **** --- 1595,1631 ---- } putchar('\n'); (void)fflush(stdout); + } + + + void printlog(fp) + frentry_t *fp; + { + char *s, *u; + + printf("log"); + if (fp->fr_flags & FR_LOGBODY) + printf(" body"); + if (fp->fr_flags & FR_LOGFIRST) + printf(" first"); + if (fp->fr_flags & FR_LOGORBLOCK) + printf(" or-block"); + if (fp->fr_loglevel != 0xffff) { + printf(" level "); + if (fp->fr_loglevel & LOG_FACMASK) { + s = fac_toname(fp->fr_loglevel); + if (s == NULL) + s = "!!!"; + } else + s = ""; + u = pri_toname(fp->fr_loglevel); + if (u == NULL) + u = "!!!"; + if (*s) + printf("%s.%s", s, u); + else + printf("%s", u); + } } diff -cr ip_fil3.3.10/test/expected/i3 ip_fil3.3.11/test/expected/i3 *** ip_fil3.3.10/test/expected/i3 Fri Jan 10 02:14:55 1997 --- ip_fil3.3.11/test/expected/i3 Wed Mar 1 09:44:54 2000 *************** *** 6,8 **** --- 6,10 ---- pass in from 128.0.0.0/24 to 128.0.0.0/16 pass in from 127.0.0.1/32 to 127.0.0.1/32 block in log from any to any + block in log level auth.info on hme0(!) from any to any + log level local5.warn out from any to any diff -cr ip_fil3.3.10/test/regress/i3 ip_fil3.3.11/test/regress/i3 *** ip_fil3.3.10/test/regress/i3 Fri Jan 10 02:14:57 1997 --- ip_fil3.3.11/test/regress/i3 Wed Mar 1 09:44:54 2000 *************** *** 6,8 **** --- 6,10 ---- pass in from 128.0.0.1 mask 255.255.255.0 to 128.0.0.1 mask 255.255.0.0 pass in from localhost to localhost block in log from 0/0 to 0/0 + block in log level auth.info on hme0 all + log level local5.warn out all
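Review bot: `printlog()` (parse.c hunk at 1588) should carry a header comment stating that it prints the `log` keyword and its options with no leading or trailing whitespace, since the call site at 1418 supplies the separator with `putchar(' ')` and the one at 1397 relies on the text printed before it; that convention is what keeps the regression output aligned and is easy to break silently. The `0xffff` test is a sentinel for "no level given", presumably set elsewhere, and the `"!!!"` placeholders yield a rule that will not re-parse; both deserve a line in the comment. I would add above the definition: `/* Print "log" plus its body/first/or-block/level options, no surrounding whitespace; fr_loglevel == 0xffff means no level was given. */`.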