diff -cr ip_fil3.3.20/HISTORY ip_fil3.3.21/HISTORY *** ip_fil3.3.20/HISTORY Sat Oct 28 09:59:22 2000 --- ip_fil3.3.21/HISTORY Mon Jan 15 01:33:15 2001 *************** *** 20,25 **** --- 20,33 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.21 15/01/2001 - Released + + log all NAT sessions that get created, not just those that match rules + + fix bug in matching fragmented packets on the wrong interface + + Add TCP ECN patches + 3.3.20 28/10/2000 - Released fix introduced bug with ICMP packets being rejected when valid diff -cr ip_fil3.3.20/IRIX/Makefile ip_fil3.3.21/IRIX/Makefile *** ip_fil3.3.20/IRIX/Makefile Sat Aug 14 14:50:39 1999 --- ip_fil3.3.21/IRIX/Makefile Mon Jan 15 00:57:08 2001 *************** *** 34,39 **** --- 34,40 ---- TOP=.. #CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O CFLAGS=-g -I$(TOP) + CCARGS=-D_STANDALONE $(CFLAGS) # ML=mli_ipl.c MLD=$(ML) *************** *** 70,207 **** build all: ipf ipfstat ipftest ipmon ipnat $(LKM) ipfstat: $(FILS) ! $(CC) $(DEBUG) $(CFLAGS) $(FILS) -o $@ $(LIBS) ipf: $(IPF) ! $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) ${RM} -f $(TOP)/ipf ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) ! $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) ${RM} -f $(TOP)/ipftest ln -s `pwd`/ipftest $(TOP) ipnat: ipnat.o kmem.o natparse.o ! $(CC) $(DEBUG) $(CFLAGS) ipnat.o kmem.o natparse.o -o $@ $(LIBS) tests: (cd test; make ) fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \ $(TOP)/ip_compat.h $(TOP)/ip_state.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fils.c -o $@ fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h ! 
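Review bot: `CCARGS=-D_STANDALONE $(CFLAGS)` replaces `$(CFLAGS)` in every rule of the following hunk, including the rules that also take `$(DFLAGS)` (fil_k.o, ip_nat.o, ip_frag.o, ip_state.o, ip_proxy.o, ip_auth.o, ip_fil.o, ip_log.o, ml_ipl.o), which look like the objects linked into `$(LKM)`. Nothing on the page says what `_STANDALONE` selects, so it is unclear whether the kernel-module objects are meant to be built with it. If it is only for the user-space tools, those rules should keep `$(CFLAGS)`. Either way, a comment above the assignment would record the intent, e.g. `# _STANDALONE: <reason it is needed on IRIX>; applies to user and kernel objects`.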
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipf.c -o $@ ipt.o: $(TOP)/ipt.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipt.c -o $@ misc.o: $(TOP)/misc.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/misc.c -o $@ inet_addr.o: $(TOP)/inet_addr.c ! $(CC) $(ATON) $(DEBUG) $(CFLAGS) -c $(TOP)/inet_addr.c -o $@ opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ $(TOP)/snoop.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_ef.c -o $@ ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_td.c -o $@ ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@ ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_tx.c -o $@ ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_hx.c -o $@ ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_state.c -o $@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! 
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@ $(LKM): $(MODOBJS) ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/kmem.c -o $@ parse.o: $(TOP)/parse.c $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/parse.c -o $@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/facpri.c -o $@ ipmon: $(TOP)/ipmon.c ! $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) natparse.o: $(TOP)/natparse.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_proxy.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@ clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon ipnat $(LKM) --- 71,208 ---- build all: ipf ipfstat ipftest ipmon ipnat $(LKM) ipfstat: $(FILS) ! 
$(CC) $(DEBUG) $(CCARGS) $(FILS) -o $@ $(LIBS) ipf: $(IPF) ! $(CC) $(DEBUG) $(CCARGS) $(IPF) -o $@ $(LIBS) ${RM} -f $(TOP)/ipf ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) ! $(CC) $(DEBUG) $(CCARGS) $(IPT) -o $@ $(LIBS) ${RM} -f $(TOP)/ipftest ln -s `pwd`/ipftest $(TOP) ipnat: ipnat.o kmem.o natparse.o ! $(CC) $(DEBUG) $(CCARGS) ipnat.o kmem.o natparse.o -o $@ $(LIBS) tests: (cd test; make ) fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \ $(TOP)/ip_compat.h $(TOP)/ip_state.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/fils.c -o $@ fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CCARGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipf.c -o $@ ipt.o: $(TOP)/ipt.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipt.c -o $@ misc.o: $(TOP)/misc.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/misc.c -o $@ inet_addr.o: $(TOP)/inet_addr.c ! $(CC) $(ATON) $(DEBUG) $(CCARGS) -c $(TOP)/inet_addr.c -o $@ opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/opt.c -o $@ ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ $(TOP)/snoop.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_sn.c -o $@ ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_ef.c -o $@ ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_td.c -o $@ ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! 
$(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_pc.c -o $@ ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_tx.c -o $@ ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_hx.c -o $@ ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ip_nat.c -o $@ ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ip_proxy.c -o $@ ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ip_frag.c -o $@ ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ip_state.c -o $@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ip_auth.c -o $@ ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/$(IPFILC) -o $@ $(LKM): $(MODOBJS) ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! 
$(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. $(CCARGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/kmem.c -o $@ parse.o: $(TOP)/parse.c $(TOP)/ip_fil.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/parse.c -o $@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/facpri.c -o $@ ipmon: $(TOP)/ipmon.c ! $(CC) $(DEBUG) $(CCARGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) natparse.o: $(TOP)/natparse.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_proxy.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/natparse.c -o $@ clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon ipnat $(LKM) diff -cr ip_fil3.3.20/IRIX/Makefile.ipsend ip_fil3.3.21/IRIX/Makefile.ipsend *** ip_fil3.3.20/IRIX/Makefile.ipsend Sun Aug 1 20:57:02 1999 --- ip_fil3.3.21/IRIX/Makefile.ipsend Mon Jan 15 00:57:16 2001 *************** *** 7,20 **** CC=cc CFLAGS=-g -I$(TOP) all build irix : ipsend ipresend iptest .c.o: ! $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)' ) --- 7,21 ---- CC=cc CFLAGS=-g -I$(TOP) + CCARGS=-D_STANDALONE $(CFLAGS) all build irix : ipsend ipresend iptest .c.o: ! $(CC) $(DEBUG) $(CCARGS) -c $< -o $@ y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)' 'CC=$(CC) -D_STANDALONE') lex.yy.o: $(TOP)/iplang/iplang_l.l (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)' ) *************** *** 32,81 **** rm -rf *.o core a.out ipsend ipresend iptest ipsend.o: $(TOP)/ipsend/ipsend.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@ ipsopt.o: $(TOP)/ipsend/ipsopt.c ! 
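Review bot: Only the `y.tab.o` rule passes `'CC=$(CC) -D_STANDALONE'` to the sub-make in `$(TOP)/iplang`; the `lex.yy.o` rule directly below still runs `$(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)'` without it. Both recipes invoke the same sub-make, so the flags the iplang objects are built with depend on which target is made first. The second recipe should pass the same override: `(cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../IRIX/$(CPUDIR)' 'CC=$(CC) -D_STANDALONE')`. Joining the `cd` with `&&` instead of `;` would also stop the sub-make from running in the wrong directory when the `cd` fails.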
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@ ipresend.o: $(TOP)/ipsend/ipresend.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@ ip.o: $(TOP)/ipsend/ip.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@ resend.o: $(TOP)/ipsend/resend.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ $(TOP)/snoop.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_ef.c -o $@ ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_td.c -o $@ ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@ ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_tx.c -o $@ ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_hx.c -o $@ iptest.o: $(TOP)/ipsend/iptest.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@ iptests.o: $(TOP)/ipsend/iptests.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@ sock.o: $(TOP)/ipsend/sock.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@ arp.o: $(TOP)/ipsend/arp.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@ sirix.o: $(TOP)/ipsend/sirix.c ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sirix.c -o $@ --- 33,82 ---- rm -rf *.o core a.out ipsend ipresend iptest ipsend.o: $(TOP)/ipsend/ipsend.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/ipsend.c -o $@ ipsopt.o: $(TOP)/ipsend/ipsopt.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/ipsopt.c -o $@ ipresend.o: $(TOP)/ipsend/ipresend.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/ipresend.c -o $@ ip.o: $(TOP)/ipsend/ip.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/ip.c -o $@ resend.o: $(TOP)/ipsend/resend.c ! 
$(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/resend.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ $(TOP)/snoop.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_sn.c -o $@ ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_ef.c -o $@ ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_td.c -o $@ ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_pc.c -o $@ ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_tx.c -o $@ ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipft_hx.c -o $@ iptest.o: $(TOP)/ipsend/iptest.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/iptest.c -o $@ iptests.o: $(TOP)/ipsend/iptests.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/iptests.c -o $@ sock.o: $(TOP)/ipsend/sock.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/sock.c -o $@ arp.o: $(TOP)/ipsend/arp.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/arp.c -o $@ sirix.o: $(TOP)/ipsend/sirix.c ! $(CC) $(DEBUG) $(CCARGS) -c $(TOP)/ipsend/sirix.c -o $@ diff -cr ip_fil3.3.20/SunOS5/ipfboot ip_fil3.3.21/SunOS5/ipfboot *** ip_fil3.3.20/SunOS5/ipfboot Wed Aug 23 20:56:25 2000 --- ip_fil3.3.21/SunOS5/ipfboot Mon Jan 15 00:57:31 2001 *************** *** 28,34 **** echo "$0: load of ${IPNATCONF} failed" fi fi ! # ipmon -sn & ;; stop) --- 28,34 ---- echo "$0: load of ${IPNATCONF} failed" fi fi ! # ipmon -s & ;; stop) diff -cr ip_fil3.3.20/SunOS5/pkginfo ip_fil3.3.21/SunOS5/pkginfo *** ip_fil3.3.20/SunOS5/pkginfo Sat Oct 28 09:59:25 2000 --- ip_fil3.3.21/SunOS5/pkginfo Mon Jan 15 01:33:17 2001 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! 
VERSION=3.3.20 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.21 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.20/fil.c ip_fil3.3.21/fil.c *** ip_fil3.3.20/fil.c Sat Oct 28 10:04:32 2000 --- ip_fil3.3.21/fil.c Mon Jan 15 00:55:06 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.25 2000/10/27 23:04:32 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.26 2001/01/14 13:55:06 darrenr Exp $"; #endif #include *************** *** 230,245 **** icmp = (icmphdr_t *)tcp; if (icmp->icmp_type == ICMP_ECHOREPLY || ! icmp->icmp_type == ICMP_ECHO) minicmpsz = ICMP_MINLEN; if (icmp->icmp_type == ICMP_TSTAMP || ! icmp->icmp_type == ICMP_TSTAMPREPLY) minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ if (icmp->icmp_type == ICMP_MASKREQ || ! icmp->icmp_type == ICMP_MASKREPLY) minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ } --- 230,245 ---- icmp = (icmphdr_t *)tcp; if (icmp->icmp_type == ICMP_ECHOREPLY || ! icmp->icmp_type == ICMP_ECHO) minicmpsz = ICMP_MINLEN; if (icmp->icmp_type == ICMP_TSTAMP || ! icmp->icmp_type == ICMP_TSTAMPREPLY) minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ if (icmp->icmp_type == ICMP_MASKREQ || ! icmp->icmp_type == ICMP_MASKREPLY) minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ } *************** *** 1191,1197 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
* $Id: fil.c,v 2.3.2.25 2000/10/27 23:04:32 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1191,1197 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.26 2001/01/14 13:55:06 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.3.20/ip_compat.h ip_fil3.3.21/ip_compat.h *** ip_fil3.3.20/ip_compat.h Wed Apr 26 02:21:11 2000 --- ip_fil3.3.21/ip_compat.h Mon Jan 15 01:33:04 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.1.2.6 2000/04/25 16:21:11 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.1.2.8 2001/01/14 14:33:04 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 846,850 **** --- 846,860 ---- #define ICMPERR_IPICMPHLEN (20 + 8) #define ICMPERR_MINPKTLEN (20 + 8 + 20) #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) + + /* + * ECN is a new addition to TCP - RFC 2481 + */ + #ifndef TH_ECN + # define TH_ECN 0x40 + #endif + #ifndef TH_CWR + # define TH_CWR 0x80 + #endif #endif /* __IP_COMPAT_H__ */ diff -cr ip_fil3.3.20/ip_frag.c ip_fil3.3.21/ip_frag.c *** ip_fil3.3.20/ip_frag.c Wed Jun 7 01:50:48 2000 --- ip_fil3.3.21/ip_frag.c Mon Jan 15 00:56:08 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.5 2000/06/06 15:50:48 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! 
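Review bot: The new defines in ip_compat.h have no per-bit comment, and `TH_ECN` is the bit that system headers usually call `TH_ECE` (ECN-Echo), so the name alone does not say which of the two ECN flags 0x40 is. A short comment on each line would settle it, e.g. `# define TH_ECN 0x40 /* ECN-Echo (ECE) */` and `# define TH_CWR 0x80 /* Congestion Window Reduced */`. Because the `#ifndef` guard tests only `TH_ECN`, a platform that already defines `TH_ECE` still gets this definition, which is fine as long as the values agree.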
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.7 2001/01/14 13:56:08 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 149,154 **** --- 149,155 ---- idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; *************** *** 259,264 **** --- 260,266 ---- idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; *************** *** 315,327 **** ipf = ipfr_lookup(ip, fin, ipfr_nattab); if (ipf != NULL) { nat = ipf->ipfr_data; ! /* ! * This is the last fragment for this packet. ! */ ! if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { ! nat->nat_data = NULL; ! ipf->ipfr_data = NULL; ! } } else nat = NULL; RWLOCK_EXIT(&ipf_natfrag); --- 317,332 ---- ipf = ipfr_lookup(ip, fin, ipfr_nattab); if (ipf != NULL) { nat = ipf->ipfr_data; ! if (nat && (nat->nat_ifp == fin->fin_ifp)) { ! /* ! * This is the last fragment for this packet. ! */ ! if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { ! nat->nat_data = NULL; ! ipf->ipfr_data = NULL; ! } ! } else ! nat = NULL; } else nat = NULL; RWLOCK_EXIT(&ipf_natfrag); diff -cr ip_fil3.3.20/ip_frag.h ip_fil3.3.21/ip_frag.h *** ip_fil3.3.20/ip_frag.h Fri Aug 6 16:26:38 1999 --- ip_fil3.3.21/ip_frag.h Sat Nov 11 00:11:45 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! 
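Review bot: `frag.ipfr_ifp = fin->fin_ifp;` only fills in the search key; whether the interface takes part in the match is decided by the comparison further down in the function, which is outside this hunk. The same line is added in the hunk at 259, and ip_frag.h places the new `ipfr_ifp` member between `ipfr_dst` and `ipfr_id`. If the lookup compares a fixed number of bytes starting at `ipfr_src`, that length has to grow by `sizeof(void *)`; otherwise the pointer displaces `ipfr_id`, `ipfr_p` and `ipfr_tos` from the compared range and unrelated fragments could match. Deriving the length from the struct layout with `offsetof` would keep the two in step.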
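Review bot: In the hunk at 315 the inner test still checks `(nat != NULL)` although the new outer `if (nat && (nat->nat_ifp == fin->fin_ifp))` already guarantees it, and the two unbraced `} else nat = NULL;` arms are easy to misread. The inner condition can be reduced to `if (ipf->ipfr_ttl == 1) {`, and bracing both else arms would make clear which `if` each belongs to. A comment on the outer test would also help, e.g. `/* only hand the NAT entry back to fragments arriving on its own interface */`.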
* $Id: ip_frag.h,v 2.2.2.1 2000/11/10 13:11:45 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 19,24 **** --- 19,25 ---- void *ipfr_data; struct in_addr ipfr_src; struct in_addr ipfr_dst; + void *ipfr_ifp; u_short ipfr_id; u_char ipfr_p; u_char ipfr_tos; diff -cr ip_fil3.3.20/ip_nat.c ip_fil3.3.21/ip_nat.c *** ip_fil3.3.20/ip_nat.c Sat Aug 12 17:32:46 2000 --- ip_fil3.3.21/ip_nat.c Mon Jan 15 00:56:35 2001 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.22 2000/08/12 07:32:46 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.23 2001/01/14 13:56:35 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 542,550 **** break; case FIONREAD : #ifdef IPFILTER_LOG MUTEX_DOWNGRADE(&ipf_nat); ! IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, ! sizeof(iplused[IPL_LOGNAT])); #endif break; default : --- 542,550 ---- break; case FIONREAD : #ifdef IPFILTER_LOG + k = (int)iplused[IPL_LOGNAT]; MUTEX_DOWNGRADE(&ipf_nat); ! IWCOPY((caddr_t)&k, (caddr_t)data, sizeof(k)); #endif break; default : *************** *** 998,1003 **** --- 998,1006 ---- if (flags & IPN_TCPUDP) tcp->th_dport = nport; } + #ifdef IPFILTER_LOG + nat_log(nat, (u_int)np->in_redir); + #endif nat_stats.ns_added++; nat_stats.ns_inuse++; np->in_use++; *************** *** 1117,1123 **** * to only modify the checksum once for the port # and twice * for the IP#. */ ! if (nat->nat_dir == NAT_OUTBOUND) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; oip->ip_src = in; --- 1120,1126 ---- * to only modify the checksum once for the port # and twice * for the IP#. */ ! 
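Review bot: In the FIONREAD case the result of `IWCOPY((caddr_t)&k, (caddr_t)data, sizeof(k));` is dropped. If the macro reports a failed copy to the caller's buffer (its definition is not on this page), the ioctl would return success without having written anything. The result should feed the handler's error return, which is set outside this hunk. Taking the snapshot `k = (int)iplused[IPL_LOGNAT];` before `MUTEX_DOWNGRADE` deserves a comment such as `/* read under the write lock, copy out from the local */`, and the `(int)` cast narrows the counter if its type is wider than int.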
if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; oip->ip_src = in; *************** *** 1409,1417 **** if ((nat = nat_new(np, ip, fin, (u_int)nflags, NAT_OUTBOUND))) { np->in_hits++; - #ifdef IPFILTER_LOG - nat_log(nat, (u_int)np->in_redir); - #endif break; } } --- 1412,1417 ---- diff -cr ip_fil3.3.20/ipl.h ip_fil3.3.21/ipl.h *** ip_fil3.3.20/ipl.h Sat Oct 28 09:59:24 2000 --- ip_fil3.3.21/ipl.h Mon Jan 15 01:33:16 2001 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.20" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.21" #endif diff -cr ip_fil3.3.20/parse.c ip_fil3.3.21/parse.c *** ip_fil3.3.20/parse.c Thu Jun 22 00:50:52 2000 --- ip_fil3.3.21/parse.c Mon Jan 15 00:59:54 2001 *************** *** 41,47 **** #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.14 2000/06/21 14:50:52 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 41,47 ---- #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.16 2001/01/14 13:59:54 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 71,78 **** char *proto = NULL; ! char flagset[] = "FSRPAU"; ! u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; static char thishost[MAXHOSTNAMELEN]; --- 71,79 ---- char *proto = NULL; ! char flagset[] = "FSRPAUEC"; ! u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, ! TH_ECN, TH_CWR }; static char thishost[MAXHOSTNAMELEN]; *************** *** 959,966 **** } *fp |= flags[t - flagset]; } ! if (!tcpfm) ! tcpfm = 0xff; *mask = tcpfm; return tcpf; } --- 960,971 ---- } *fp |= flags[t - flagset]; } ! if (!tcpfm) { ! 
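Review bot: The rewrite direction in the hunk at 1117 is now chosen from packet contents, `oip->ip_dst.s_addr == nat->nat_oip.s_addr`, instead of the session's `nat_dir`, yet the comment above the test still talks only about checksums. If `oip` is the header quoted inside an ICMP error (it is declared outside the hunk), its addresses are sender-controlled, so the comment should state why this comparison is correct for both inbound and outbound sessions. Something like `/* oip is the quoted header: select the rewrite by which side it names, not by nat_dir */` would do. The else arm is outside the hunk and should be checked against the same reasoning.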
if (tcpf == TH_SYN) ! tcpfm = 0xff & ~(TH_ECN|TH_CWR); ! else ! tcpfm = 0xff & ~(TH_ECN); ! } *mask = tcpfm; return tcpf; } *************** *** 987,994 **** return -1; while (**cp && (!strncasecmp(**cp, "ipopt", 5) || ! !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) || ! !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) { if (***cp == 'n' || ***cp == 'N') { notopt = 1; --- 992,999 ---- return -1; while (**cp && (!strncasecmp(**cp, "ipopt", 5) || ! !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) || ! !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) { if (***cp == 'n' || ***cp == 'N') { notopt = 1; diff -cr ip_fil3.3.20/test/expected/i7 ip_fil3.3.21/test/expected/i7 *** ip_fil3.3.20/test/expected/i7 Fri Jan 10 02:14:55 1997 --- ip_fil3.3.21/test/expected/i7 Mon Jan 15 01:09:26 2001 *************** *** 1,3 **** pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/FSRPAU pass in on lo0(!) proto tcp from any to any flags /SPA --- 1,3 ---- pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/FSRPAUC pass in on lo0(!) proto tcp from any to any flags /SPA
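Review bot: When a rule gives no mask, any flags value other than exactly `TH_SYN` gets `0xff & ~(TH_ECN)`, which leaves `TH_CWR` in the mask; the updated expected output `flags A/FSRPAUC` confirms it. A rule written as `flags A` therefore stops matching a segment that has CWR set, while `flags S` ignores both ECN bits. If the asymmetry is intended it needs a comment, e.g. `/* CWR is only ignored on a bare SYN; elsewhere it must be clear unless the rule names it */`; if not, both arms should use `0xff & ~(TH_ECN|TH_CWR)`. The rule documentation should also say that the default mask no longer covers all eight flag bits, since rule sets that relied on the old default to reject segments with the upper two bits set will now accept them.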
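Review bot: With the lengths corrected in the hunk at 987, every keyword test in this `while` condition is a prefix match, so `!strncasecmp(**cp, "not", 3)` is already covered by `!strncasecmp(**cp, "no", 2)`. Any token beginning with `opt` or `frag` now enters the loop as well. If abbreviations are not meant to be accepted in filter rules, whole-word comparisons such as `!strcasecmp(**cp, "opt")` would be stricter; the loop body that interprets the token is outside this hunk. Otherwise the redundant `not` test can be dropped.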