Only in ip_fil3.2.7/FWTK: fwtk-2.1-transparency.txt diff -cr ip_fil3.2.6/HISTORY ip_fil3.2.7/HISTORY *** ip_fil3.2.6/HISTORY Mon May 18 22:29:43 1998 --- ip_fil3.2.7/HISTORY Sun May 24 12:06:45 1998 *************** *** 12,17 **** --- 12,31 ---- # and especially those who have found the time to port IP Filter to new # platforms. + 3.2.7 24/05/98 - Released + + u_long -> u_32_t conversions + + patches from Bernd Ernesti for NetBSD + + fixup ipmon to actually handle HUP's. + + Linux fixes from Michael H. Warfield (mhw@wittsend.com) + + update for keep state patch (not security related) - Guido + + dumphex() uses stdout rather than log + 3.2.6 18/05/98 - Released fix potential security loop hole in keep state code. diff -cr ip_fil3.2.6/INSTALL.Linux ip_fil3.2.7/INSTALL.Linux *** ip_fil3.2.6/INSTALL.Linux Wed Nov 12 22:42:19 1997 --- ip_fil3.2.7/INSTALL.Linux Sat May 23 15:01:24 1998 *************** *** 19,29 **** "make linux" from the ip_fil3.2.x directory. If this completes with no errors, install IP Filter with a "make install-linux". ! Now that the user part of it is complete, it is time to work on the ! kernel. To start this off, run "Linux/kinstall". This will patch your ! kernel source code and configuration files so you can enabled IP Filter. ! You must now go to /usr/src/linux and configure your kernel using one of ! the available interfaces to enable IP Filter. IP Filter will be presented as a three way choice "y/m/n" - select "m" to enable it. Save your kernel configuration file, rebuild, install and reboot with the new kernel. --- 19,30 ---- "make linux" from the ip_fil3.2.x directory. If this completes with no errors, install IP Filter with a "make install-linux". ! Now that the user part of it is complete, it is time to work on the kernel. ! To start this off, run "Linux/minstall". This will configure the devices ! you will need for the IP Filter. Then run "Linux/kinstall". This will ! 
patch your kernel source code and configuration files so you can enabled IP ! Filter. You must now go to /usr/src/linux and configure your kernel using one ! of the available interfaces to enable IP Filter. IP Filter will be presented as a three way choice "y/m/n" - select "m" to enable it. Save your kernel configuration file, rebuild, install and reboot with the new kernel. diff -cr ip_fil3.2.6/Linux/Config.in.diff ip_fil3.2.7/Linux/Config.in.diff *** ip_fil3.2.6/Linux/Config.in.diff Wed Nov 12 21:29:28 1997 --- ip_fil3.2.7/Linux/Config.in.diff Sat May 23 15:00:30 1998 *************** *** 1,5 **** ! *** Config.in.orig Sun Nov 9 11:51:58 1997 ! --- Config.in Sun Nov 9 11:53:34 1997 *************** *** 3,8 **** --- 3,9 ---- --- 1,5 ---- ! *** Config.in.dist Tue Aug 12 14:30:22 1997 ! --- Config.in Wed May 20 13:56:59 1998 *************** *** 3,8 **** --- 3,9 ---- diff -cr ip_fil3.2.6/Linux/ip_forward.c.diff ip_fil3.2.7/Linux/ip_forward.c.diff *** ip_fil3.2.6/Linux/ip_forward.c.diff Mon Nov 24 17:24:33 1997 --- ip_fil3.2.7/Linux/ip_forward.c.diff Sat May 23 15:00:31 1998 *************** *** 1,8 **** ! *** ip_forward.c.dist Wed Nov 12 18:52:55 1997 ! --- ip_forward.c Wed Nov 12 19:42:44 1997 *************** ! *** 46,51 **** ! --- 46,58 ---- int sysctl_ip_forward = 0; #endif --- 1,8 ---- ! *** ip_forward.c.dist Wed Dec 10 21:13:49 1997 ! --- ip_forward.c Wed May 20 13:58:58 1998 *************** ! *** 47,52 **** ! --- 47,59 ---- int sysctl_ip_forward = 0; #endif *************** *** 17,41 **** /* *************** ! *** 309,314 **** ! --- 316,325 ---- ! #endif ! } ! #endif ! + #ifdef CONFIG_FIREWALL_IPFILTER ! + if (fr_checkp && ((*fr_checkp)(iph, dev2, 1, &skb) || !skb)) ! + return -1; ! + #endif ! /* ! * We now may allocate a new buffer, and copy the datagram into it. *************** ! *** 445,450 **** ! --- 456,469 ---- ! } ! #endif ! } ! 
+ #ifdef CONFIG_FIREWALL_IPFILTER + if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb)) + { + if (skb != skb2) --- 17,41 ---- /* *************** ! *** 312,317 **** ! --- 319,328 ---- ! #endif ! } ! #endif ! + #ifdef CONFIG_FIREWALL_IPFILTER ! + if (fr_checkp && ((*fr_checkp)(iph, dev2, 1, &skb) || !skb)) ! + return -1; ! + #endif ! /* ! * We now may allocate a new buffer, and copy the datagram into it. *************** ! *** 481,486 **** ! --- 492,505 ---- ! } ! #endif ! } ! + #ifdef CONFIG_FIREWALL_IPFILTER + if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb)) + { + if (skb != skb2) *************** *** 43,48 **** + return -1; + } + #endif - #ifdef CONFIG_FIREWALL if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph, NULL)) < FW_ACCEPT) --- 43,48 ---- + return -1; + } + #endif #ifdef CONFIG_FIREWALL if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph, NULL)) < FW_ACCEPT) + { diff -cr ip_fil3.2.6/Linux/ip_input.c.diff ip_fil3.2.7/Linux/ip_input.c.diff *** ip_fil3.2.6/Linux/ip_input.c.diff Mon Nov 24 20:58:51 1997 --- ip_fil3.2.7/Linux/ip_input.c.diff Sat May 23 15:00:32 1998 *************** *** 1,5 **** ! *** /usr/src/linux/net/ipv4/ip_input.c.dist Wed Nov 12 18:53:12 1997 ! --- /usr/src/linux/net/ipv4/ip_input.c Mon Nov 24 20:39:50 1997 *************** *** 175,180 **** --- 175,187 ---- --- 1,5 ---- ! *** ip_input.c.dist Wed Sep 17 15:00:47 1997 ! --- ip_input.c Wed May 20 13:57:00 1998 *************** *** 175,180 **** --- 175,187 ---- *************** *** 17,33 **** * Handle the issuing of an ioctl() request * for the ip device. This is scheduled to *************** ! *** 381,386 **** ! --- 388,394 ---- ! /* ! * See if the firewall wants to dispose of the packet. ! */ ! + ! #ifdef CONFIG_FIREWALL ! ! if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport)) *************** ! *** 187,193 **** X(netlink_donothing), X(netlink_post), #endif /* CONFIG_NETLINK */ --- 17,23 ---- #include *************** ! 
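Review bot: In the second fr_checkp call site carried by this patch, `if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb))`, the buffer handed to the filter is `&skb2` but the null test that follows is on `skb`, so a filter that consumes or replaces skb2 and leaves it NULL is not caught before the following `if (skb != skb2)` and whatever later touches skb2. The first call site in the same patch tests the variable it passes (`&skb` paired with `!skb`), which suggests a copy-paste slip; the line should presumably read `if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb2))`. The enclosing kernel function is outside the hunk, so this is inferred from the visible lines only.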
*** 190,196 **** X(netlink_donothing), X(netlink_post), #endif /* CONFIG_NETLINK */ *************** *** 26,32 **** #include }; ! --- 195,204 ---- X(netlink_donothing), X(netlink_post), #endif /* CONFIG_NETLINK */ --- 25,31 ---- #include }; ! --- 198,207 ---- X(netlink_donothing), X(netlink_post), #endif /* CONFIG_NETLINK */ diff -cr ip_fil3.2.6/Linux/tcp_output.c.diff ip_fil3.2.7/Linux/tcp_output.c.diff *** ip_fil3.2.6/Linux/tcp_output.c.diff Mon Nov 24 17:24:35 1997 --- ip_fil3.2.7/Linux/tcp_output.c.diff Sat May 23 15:00:34 1998 *************** *** 1,13 **** ! *** tcp_output.c.dist Sat Nov 8 18:16:22 1997 ! --- tcp_output.c Sat Nov 22 23:39:56 1997 *************** *** 45,50 **** ! --- 45,58 ---- #include #endif ! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODUL ! + E) + # define CONFIG_FIREWALL_IPFILTER + #endif + #ifdef CONFIG_FIREWALL_IPFILTER --- 1,12 ---- ! *** tcp_output.c.dist Wed Oct 15 17:47:56 1997 ! --- tcp_output.c Wed May 20 13:57:00 1998 *************** *** 45,50 **** ! --- 45,57 ---- #include #endif ! + #if !defined(CONFIG_FIREWALL_IPFILTER) && defined(CONFIG_FIREWALL_IPFILTER_MODULE) + # define CONFIG_FIREWALL_IPFILTER + #endif + #ifdef CONFIG_FIREWALL_IPFILTER diff -cr ip_fil3.2.6/Makefile ip_fil3.2.7/Makefile *** ip_fil3.2.6/Makefile Mon May 18 21:14:08 1998 --- ip_fil3.2.7/Makefile Sat May 23 15:01:23 1998 *************** *** 5,11 **** # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.0.2.26.2.8 1998/05/18 11:14:08 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin --- 5,11 ---- # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin *************** *** 191,202 **** (cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..) sunos5 solaris2: ! 
(cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) ! (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) sunos5x86 solaris2x86: ! (cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) ! (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) install-bsd: (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) --- 191,206 ---- (cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..) sunos5 solaris2: ! (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) ! (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) sunos5x86 solaris2x86: ! (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) ! (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) ! ! install-linux: ! (cd Linux/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) ! (cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) install-bsd: (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) diff -cr ip_fil3.2.6/SunOS5/Makefile ip_fil3.2.7/SunOS5/Makefile *** ip_fil3.2.6/SunOS5/Makefile Fri May 15 00:01:03 1998 --- ip_fil3.2.7/SunOS5/Makefile Fri May 22 00:46:09 1998 *************** *** 19,30 **** # TOP=.. DCPU=`uname -m` CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf DEF=-D_KERNEL -DSUNDDI -D$(DCPU) -D__$(DCPU)__ $(CPU) ATON=-DNEED_INET_ATON ! ROOT=$(DCPU)/root ROOTINC=$(ROOT)/usr/include # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ --- 19,31 ---- # TOP=.. 
DCPU=`uname -m` + CPUDIR=$(DCPU)-`uname -r` CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf DEF=-D_KERNEL -DSUNDDI -D$(DCPU) -D__$(DCPU)__ $(CPU) ATON=-DNEED_INET_ATON ! ROOT=$(CPUDIR)/root ROOTINC=$(ROOT)/usr/include # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ *************** *** 194,209 **** mkdir -p $(PKGBIN) $(ROOT)/sbin $(ROOT)/usr/kernel/drv $(ROOT)/etc/init.d mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipftest $(PKGBIN)/ipftest ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipmon $(PKGBIN)/ipmon ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipsend $(PKGBIN)/ipsend ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipresend $(PKGBIN)/ipresend -$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters ! -$(INSTALL) -c -g root -m 755 -o root $(DCPU)/ipf $(ROOT)/usr/kernel/drv/ipf -$(INSTALL) -c -g root -m 644 -o root ipf.conf $(ROOT)/usr/kernel/drv ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipnat $(ROOT)/sbin/ipnat ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipf.exe $(ROOT)/sbin/ipf ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipfstat $(ROOT)/sbin/ipfstat -$(INSTALL) -c -g root -m 755 -o root ipfboot $(ROOT)/etc/init.d -cp $(TOP)/man/*.[0-9] . -$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8 --- 195,210 ---- mkdir -p $(PKGBIN) $(ROOT)/sbin $(ROOT)/usr/kernel/drv $(ROOT)/etc/init.d mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipftest $(PKGBIN)/ipftest ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipmon $(PKGBIN)/ipmon ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipsend $(PKGBIN)/ipsend ! 
-$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipresend $(PKGBIN)/ipresend -$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters ! -$(INSTALL) -c -g root -m 755 -o root $(CPUDIR)/ipf $(ROOT)/usr/kernel/drv/ipf -$(INSTALL) -c -g root -m 644 -o root ipf.conf $(ROOT)/usr/kernel/drv ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipnat $(ROOT)/sbin/ipnat ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipf.exe $(ROOT)/sbin/ipf ! -$(INSTALL) -c -s -g root -m 755 -o root $(CPUDIR)/ipfstat $(ROOT)/sbin/ipfstat -$(INSTALL) -c -g root -m 755 -o root ipfboot $(ROOT)/etc/init.d -cp $(TOP)/man/*.[0-9] . -$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8 *************** *** 229,235 **** -$(INSTALL) -g root -m 644 -o root ip_frag.h $(ROOTINC)/netinet -$(INSTALL) -g root -m 644 -o root ip_proxy.h $(ROOTINC)/netinet -$(INSTALL) -g root -m 644 -o root ip_auth.h $(ROOTINC)/netinet ! (cd $(DCPU) && rm -f prototype pkginfo copyright postinstall && ln -s ../prototype ../pkginfo ../copyright ../postinstall .) ! (cd $(DCPU); pkgmk -o) -pkgadd -d /var/spool/pkg --- 230,236 ---- -$(INSTALL) -g root -m 644 -o root ip_frag.h $(ROOTINC)/netinet -$(INSTALL) -g root -m 644 -o root ip_proxy.h $(ROOTINC)/netinet -$(INSTALL) -g root -m 644 -o root ip_auth.h $(ROOTINC)/netinet ! (cd $(CPUDIR) && rm -f prototype pkginfo copyright postinstall && ln -s ../prototype ../pkginfo ../copyright ../postinstall .) ! (cd $(CPUDIR); pkgmk -o) -pkgadd -d /var/spool/pkg diff -cr ip_fil3.2.6/SunOS5/Makefile.ipsend ip_fil3.2.7/SunOS5/Makefile.ipsend *** ip_fil3.2.6/SunOS5/Makefile.ipsend Wed Apr 8 23:50:25 1998 --- ip_fil3.2.7/SunOS5/Makefile.ipsend Fri May 22 00:46:10 1998 *************** *** 14,23 **** $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPU)/$@ 'DESTDIR=../SunOS5/$(CPU)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! 
(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPU)/$@ 'DESTDIR=../SunOS5/$(CPU)' ) ipsend: $(OBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll --- 14,23 ---- $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' ) ipsend: $(OBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll diff -cr ip_fil3.2.6/SunOS5/pkginfo ip_fil3.2.7/SunOS5/pkginfo *** ip_fil3.2.6/SunOS5/pkginfo Mon May 18 22:36:15 1998 --- ip_fil3.2.7/SunOS5/pkginfo Sun May 24 12:06:50 1998 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=6 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=7 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.2.6/buildsunos ip_fil3.2.7/buildsunos *** ip_fil3.2.6/buildsunos Sat May 24 17:32:46 1997 --- ip_fil3.2.7/buildsunos Fri May 22 00:46:04 1998 *************** *** 1,23 **** #! /bin/sh ! # $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` cpu=`uname -m` if [ $rev = 5 ] ; then solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'` ! mkdir -p SunOS5/${cpu} ! /bin/rm -f SunOS5/${cpu}/Makefile ! /bin/rm -f SunOS5/${cpu}/Makefile.ipsend ! ln -s ../Makefile SunOS5/${cpu}/Makefile ! ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend fi if [ $cpu = i86pc ] ; then ! make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} exit $? fi if [ x$solrev = x ] ; then make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi ! make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} exit $? --- 1,24 ---- #! /bin/sh ! 
# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` cpu=`uname -m` + cpudir=${cpu}-`uname -r` if [ $rev = 5 ] ; then solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'` ! mkdir -p SunOS5/${cpudir} ! /bin/rm -f SunOS5/${cpudir}/Makefile ! /bin/rm -f SunOS5/${cpudir}/Makefile.ipsend ! ln -s ../Makefile SunOS5/${cpudir}/Makefile ! ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend fi if [ $cpu = i86pc ] ; then ! make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} exit $? fi if [ x$solrev = x ] ; then make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi ! make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} exit $? diff -cr ip_fil3.2.6/fil.c ip_fil3.2.7/fil.c *** ip_fil3.2.6/fil.c Sun Apr 26 01:46:36 1998 --- ip_fil3.2.7/fil.c Sun May 24 05:20:30 1998 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.12 1998/04/25 15:46:36 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $"; #endif #include *************** *** 21,26 **** --- 21,27 ---- #else # include # include + # include #endif #include #if !defined(__SVR4) && !defined(__svr4__) *************** *** 579,584 **** --- 580,594 ---- # endif int up; + #ifdef M_CANFASTFWD + /* + * XXX For now, IP Filter and fast-forwarding of cached flows + * XXX are mutually exclusive. Eventually, IP Filter should + * XXX get a "can-fast-forward" filter rule. 
+ */ + m->m_flags &= ~M_CANFASTFWD; + #endif /* M_CANFASTFWD */ + if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_ICMP)) { int plen = 0; *************** *** 895,901 **** register u_short *addr; register int len; { ! register u_long sum = 0; for (sum = 0; len > 1; len -= 2) sum += *addr++; --- 905,911 ---- register u_short *addr; register int len; { ! register u_32_t sum = 0; for (sum = 0; len > 1; len -= 2) sum += *addr++; *************** *** 928,934 **** u_char c[2]; u_short s; } bytes; ! u_long sum; u_short *sp; # if SOLARIS || defined(__sgi) int add, hlen; --- 938,944 ---- u_char c[2]; u_short s; } bytes; ! u_32_t sum; u_short *sp; # if SOLARIS || defined(__sgi) int add, hlen; *************** *** 1027,1033 **** #endif /* SOLARIS */ if (len < 2) break; ! if((u_long)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; } else --- 1037,1043 ---- #endif /* SOLARIS */ if (len < 2) break; ! if((u_32_t)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; } else *************** *** 1081,1087 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.12 1998/04/25 15:46:36 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1091,1097 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.2.6/ip_compat.h ip_fil3.2.7/ip_compat.h *** ip_fil3.2.6/ip_compat.h Sat May 9 01:09:15 1998 --- ip_fil3.2.7/ip_compat.h Sun May 24 00:29:36 1998 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.0.2.31.2.10 1998/05/08 15:09:15 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! 
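Review bot: The alignment test `if((u_32_t)sp & 1)` now casts a pointer to a 32-bit integer; on any LP64 target (64-bit NetBSD ports, for example) that is a pointer-to-narrower-integer conversion that compilers diagnose, even though the low bit survives the truncation and the test itself still behaves. The u_long -> u_32_t sweep is right for the checksum accumulators (`register u_32_t sum`), but a pointer should only be converted to a pointer-sized integer: keep `if((u_long)sp & 1)` here, or add a pointer-sized typedef in ip_compat.h alongside u_32_t. The enclosing checksum routine starts outside the hunk.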
* $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 723,726 **** --- 723,727 ---- #ifndef ICMP_ROUTERSOLICIT # define ICMP_ROUTERSOLICIT 10 #endif + #endif /* __IP_COMPAT_H__ */ diff -cr ip_fil3.2.6/ip_fil.h ip_fil3.2.7/ip_fil.h *** ip_fil3.2.6/ip_fil.h Wed Dec 3 21:02:30 1997 --- ip_fil3.2.7/ip_fil.h Sun May 24 00:29:37 1998 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 518,521 **** --- 518,522 ---- extern struct frentry *ipfilter[2][2], *ipacct[2][2]; extern struct frgroup *ipfgroups[3][2]; extern struct filterstats frstats[]; + #endif /* __IP_FIL_H__ */ diff -cr ip_fil3.2.6/ip_frag.h ip_fil3.2.7/ip_frag.h *** ip_fil3.2.6/ip_frag.h Fri Oct 24 00:56:01 1997 --- ip_fil3.2.7/ip_frag.h Sun May 24 00:29:39 1998 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.0.2.12 1997/10/23 14:56:01 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 55,58 **** --- 55,59 ---- #else extern int ipfr_slowtimer __P((void)); #endif + #endif /* __IP_FIL_H__ */ diff -cr ip_fil3.2.6/ip_ftp_pxy.c ip_fil3.2.7/ip_ftp_pxy.c *** ip_fil3.2.6/ip_ftp_pxy.c Wed Nov 12 21:50:51 1997 --- ip_fil3.2.7/ip_ftp_pxy.c Sun May 24 05:20:31 1998 *************** *** 54,71 **** ap_session_t *aps; nat_t *nat; { ! u_long sum1, sum2; short sel; if (tcp->th_sport == aps->aps_dport) { ! 
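Review bot: The closing guard comment added to ip_frag.h names the wrong macro: the header opens with `#ifndef __IP_FRAG_H__` but its new last line is `#endif /* __IP_FIL_H__ */`, evidently copied from the ip_fil.h hunk. It should read `#endif /* __IP_FRAG_H__ */` so the comment matches the conditional it closes; the ip_compat.h and ip_fil.h hunks in this same change get it right.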
sum2 = (u_long)ntohl(tcp->th_ack); sel = aps->aps_sel; if ((aps->aps_after[!sel] > aps->aps_after[sel]) && (sum2 > aps->aps_after[!sel])) { sel = aps->aps_sel = !sel; /* switch to other set */ } if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) { ! sum1 = (u_long)aps->aps_seqoff[sel]; tcp->th_ack = htonl(sum2 - sum1); return 2; } --- 54,71 ---- ap_session_t *aps; nat_t *nat; { ! u_32_t sum1, sum2; short sel; if (tcp->th_sport == aps->aps_dport) { ! sum2 = (u_32_t)ntohl(tcp->th_ack); sel = aps->aps_sel; if ((aps->aps_after[!sel] > aps->aps_after[sel]) && (sum2 > aps->aps_after[!sel])) { sel = aps->aps_sel = !sel; /* switch to other set */ } if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) { ! sum1 = (u_32_t)aps->aps_seqoff[sel]; tcp->th_ack = htonl(sum2 - sum1); return 2; } *************** *** 110,116 **** ap_session_t *aps; nat_t *nat; { ! register u_long sum1, sum2; char newbuf[IPF_MAXPORTLEN+1]; char portbuf[IPF_MAXPORTLEN+1], *s; int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2); --- 110,116 ---- ap_session_t *aps; nat_t *nat; { ! register u_32_t sum1, sum2; char newbuf[IPF_MAXPORTLEN+1]; char portbuf[IPF_MAXPORTLEN+1], *s; int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2); *************** *** 243,259 **** adjust_seqack: if (tcp->th_dport == aps->aps_dport) { ! sum2 = (u_long)ntohl(tcp->th_seq); off = aps->aps_sel; if ((aps->aps_after[!off] > aps->aps_after[off]) && (sum2 > aps->aps_after[!off])) { off = aps->aps_sel = !off; /* switch to other set */ } if (aps->aps_seqoff[off]) { ! sum1 = (u_long)aps->aps_after[off] - aps->aps_seqoff[off]; if (sum2 > sum1) { ! sum1 = (u_long)aps->aps_seqoff[off]; sum2 += sum1; tcp->th_seq = htonl(sum2); ch = 1; --- 243,259 ---- adjust_seqack: if (tcp->th_dport == aps->aps_dport) { ! 
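Review bot: The seq/ack adjustment compares 32-bit sequence numbers with plain unsigned `>` (`sum2 > aps->aps_after[!sel]`, `sum2 > aps->aps_after[sel]`, and likewise `sum2 > sum1` in the 243,259 hunk below), which gives the wrong answer once the sequence space wraps; switching the temporaries to u_32_t makes the modular arithmetic explicit but does not fix the comparison. TCP sequence ordering is normally decided on the signed 32-bit difference, e.g. `if ((int)(sum2 - aps->aps_after[sel]) > 0)` where int is 32 bits, as it is on the targets this release builds for. The declared type of aps_after is not visible here, so confirm it is also a 32-bit unsigned field before relying on the subtraction wrapping. The enclosing function's header is outside the hunk.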
sum2 = (u_32_t)ntohl(tcp->th_seq); off = aps->aps_sel; if ((aps->aps_after[!off] > aps->aps_after[off]) && (sum2 > aps->aps_after[!off])) { off = aps->aps_sel = !off; /* switch to other set */ } if (aps->aps_seqoff[off]) { ! sum1 = (u_32_t)aps->aps_after[off] - aps->aps_seqoff[off]; if (sum2 > sum1) { ! sum1 = (u_32_t)aps->aps_seqoff[off]; sum2 += sum1; tcp->th_seq = htonl(sum2); ch = 1; diff -cr ip_fil3.2.6/ip_nat.c ip_fil3.2.7/ip_nat.c *** ip_fil3.2.6/ip_nat.c Sat May 9 01:10:17 1998 --- ip_fil3.2.7/ip_nat.c Sun May 24 05:05:29 1998 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.8 1998/05/08 15:10:17 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 130,139 **** void fix_outcksum(sp, n) u_short *sp; ! u_long n; { register u_short sumshort; ! register u_long sum1; if (!n) return; --- 130,139 ---- void fix_outcksum(sp, n) u_short *sp; ! u_32_t n; { register u_short sumshort; ! register u_32_t sum1; if (!n) return; *************** *** 149,158 **** void fix_incksum(sp, n) u_short *sp; ! u_long n; { register u_short sumshort; ! register u_long sum1; if (!n) return; --- 149,158 ---- void fix_incksum(sp, n) u_short *sp; ! u_32_t n; { register u_short sumshort; ! register u_32_t sum1; if (!n) return; *************** *** 521,527 **** u_short flags; int direction; { ! register u_long sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; struct in_addr in; tcphdr_t *tcp = NULL; --- 521,527 ---- u_short flags; int direction; { ! 
register u_32_t sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; struct in_addr in; tcphdr_t *tcp = NULL; *************** *** 779,785 **** */ if (flags & IPN_TCPUDP) { tcphdr_t *tcp = (tcphdr_t *)(oip + 1); ! u_long sum1, sum2, sumd; struct in_addr in; if (nat->nat_dir == NAT_OUTBOUND) { --- 779,785 ---- */ if (flags & IPN_TCPUDP) { tcphdr_t *tcp = (tcphdr_t *)(oip + 1); ! u_32_t sum1, sum2, sumd; struct in_addr in; if (nat->nat_dir == NAT_OUTBOUND) { *************** *** 964,970 **** fr_info_t *fin; { register ipnat_t *np; ! register u_long ipa; tcphdr_t *tcp = NULL; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; --- 964,970 ---- fr_info_t *fin; { register ipnat_t *np; ! register u_32_t ipa; tcphdr_t *tcp = NULL; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; *************** *** 1281,1287 **** #endif { register nat_t *nat; ! register u_long sum1, sum2, sumd; struct in_addr in; ipnat_t *np; #if defined(_KERNEL) && !SOLARIS --- 1281,1287 ---- #endif { register nat_t *nat; ! register u_32_t sum1, sum2, sumd; struct in_addr in; ipnat_t *np; #if defined(_KERNEL) && !SOLARIS diff -cr ip_fil3.2.6/ip_nat.h ip_fil3.2.7/ip_nat.h *** ip_fil3.2.6/ip_nat.h Wed Nov 5 22:08:18 1997 --- ip_fil3.2.7/ip_nat.h Sun May 24 04:52:44 1998 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.2.23.2.1 1997/11/05 11:08:18 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 44,51 **** typedef struct nat { u_long nat_age; int nat_flags; ! u_long nat_sumd; ! u_long nat_ipsumd; void *nat_data; struct in_addr nat_inip; struct in_addr nat_outip; --- 44,51 ---- typedef struct nat { u_long nat_age; int nat_flags; ! u_32_t nat_sumd; ! 
u_32_t nat_ipsumd; void *nat_data; struct in_addr nat_inip; struct in_addr nat_outip; *************** *** 175,180 **** extern int ip_natin __P((ip_t *, int, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_short)); ! extern void fix_incksum __P((u_short *, u_long)); ! extern void fix_outcksum __P((u_short *, u_long)); #endif /* __IP_NAT_H__ */ --- 175,181 ---- extern int ip_natin __P((ip_t *, int, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_short)); ! extern void fix_incksum __P((u_short *, u_32_t)); ! extern void fix_outcksum __P((u_short *, u_32_t)); ! #endif /* __IP_NAT_H__ */ diff -cr ip_fil3.2.6/ip_state.c ip_fil3.2.7/ip_state.c *** ip_fil3.2.6/ip_state.c Mon May 18 23:19:20 1998 --- ip_fil3.2.7/ip_state.c Sun May 24 13:53:04 1998 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.10 1998/05/18 13:16:57 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) *************** *** 85,90 **** --- 85,95 ---- extern kmutex_t ipf_state; #endif + static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr, + fr_info_t *, void *, u_short, u_short)); + static int fr_state_flush __P((int)); + static ips_stat_t *fr_statetstats __P((void)); + #define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */ *************** *** 97,103 **** fr_icmptimeout = 120; ! 
ips_stat_t *fr_statetstats() { ips_stats.iss_active = ips_num; ips_stats.iss_table = ips_table; --- 102,108 ---- fr_icmptimeout = 120; ! static ips_stat_t *fr_statetstats() { ips_stats.iss_active = ips_num; ips_stats.iss_table = ips_table; *************** *** 111,117 **** * which == 1 : flush TCP connections which have started to close but are * stuck for some reason. */ ! int fr_state_flush(which) int which; { register int i; --- 116,122 ---- * which == 1 : flush TCP connections which have started to close but are * stuck for some reason. */ ! static int fr_state_flush(which) int which; { register int i; *************** *** 301,313 **** bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); ! is->is_next = ips_table[hv]; ! ips_table[hv] = is; is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; ! is->is_ifp1 = fin->fin_ifp; ! is->is_ifp2 = NULL; if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; --- 306,338 ---- bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); ! is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; ! /* ! * Copy these from the rule itself. ! */ ! is->is_opt = fin->fin_fr->fr_ip.fi_optmsk; ! is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk; ! is->is_sec = fin->fin_fr->fr_ip.fi_secmsk; ! is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk; ! is->is_auth = fin->fin_fr->fr_ip.fi_auth; ! is->is_authmsk = fin->fin_fr->fr_mip.fi_auth; ! is->is_flags = fin->fin_fr->fr_ip.fi_fl; ! is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4; ! /* ! * add into table. ! */ ! is->is_next = ips_table[hv]; ! ips_table[hv] = is; ! if (fin->fin_out) { ! is->is_ifpin = NULL; ! is->is_ifpout = fin->fin_ifp; ! } else { ! is->is_ifpin = fin->fin_ifp; ! is->is_ifpout = NULL; ! 
} if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; *************** *** 326,337 **** * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ ! int fr_tcpstate(is, fin, ip, tcp, sport) register ipstate_t *is; fr_info_t *fin; ip_t *ip; tcphdr_t *tcp; - u_short sport; { register int seqskew, ackskew; register u_short swin, dwin; --- 351,361 ---- * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ ! int fr_tcpstate(is, fin, ip, tcp) register ipstate_t *is; fr_info_t *fin; ip_t *ip; tcphdr_t *tcp; { register int seqskew, ackskew; register u_short swin, dwin; *************** *** 343,349 **** */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); ! source = (sport == is->is_sport); if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ ack = source ? is->is_ack : is->is_seq; --- 367,373 ---- */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); ! source = (ip->ip_src.s_addr == is->is_src.s_addr); if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ ack = source ? is->is_ack : is->is_seq; *************** *** 403,445 **** /* * Nearing end of connection, start timeout. */ ! fr_tcp_age(&is->is_age, is->is_state, ip, fin, ! tcp->th_sport == is->is_sport); return 1; } return 0; } ! static int ! fr_matchsrcdst(is, src, dst, ifp, tcp, sp, dp) ipstate_t *is; struct in_addr src, dst; ! void *ifp, *tcp; u_short sp, dp; { ! int ret = 0, rev; rev = (is->is_dst.s_addr != dst.s_addr); if (!rev) { ! if ((is->is_ifp1 == ifp) && (is->is_dst.s_addr == dst.s_addr) && (is->is_src.s_addr == src.s_addr) && ! (!tcp || (sp == is->is_sport) && (dp == is->is_dport))) { ret = 1; } } else { ! 
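Review bot: The packing `is->is_flags = fin->fin_fr->fr_ip.fi_fl; is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;` stores the rule's flag value in the low nibble and its match mask in the high nibble, and nothing at this site says so; the consumer in fr_matchsrcdst relies on exactly that layout (`>> 4` and `& 0xf`), so the two fall out of step silently if fi_fl ever needs more than four bits. A comment here would pin the contract: `/* fi_fl value in the low nibble, its mask in the high nibble; fr_matchsrcdst unpacks with >> 4 and & 0xf */`. The same is worth one line for the is_opt/is_optmsk, is_sec/is_secmsk and is_auth/is_authmsk pairs, where the unsuffixed field is the value from fr_ip and the `_msk` field is the mask from fr_mip, since the name is_opt alone reads as a mask too. fr_addstate's header and the rest of its body are outside the hunk.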
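Review bot: `source = (ip->ip_src.s_addr == is->is_src.s_addr);` now decides packet direction from the source address alone, where the removed `sport == is->is_sport` used the port; for a state entry whose two endpoints share an address (a host connecting to itself, loopback included) both directions evaluate as source, and the seq/ack bookkeeping plus the fr_tcp_age call that receives `source` in the 403,445 hunk are applied to the wrong side. Combining the two tests, `source = (ip->ip_src.s_addr == is->is_src.s_addr) && (tcp->th_sport == is->is_sport);`, keeps direction unambiguous, since fr_matchsrcdst has already established that the addresses and ports match one of the two orientations before this runs. fr_tcpstate continues outside the hunk.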
if (((is->is_ifp2 == ifp) || !is->is_ifp2) && (is->is_dst.s_addr == src.s_addr) && (is->is_src.s_addr == dst.s_addr) && (!tcp || (sp == is->is_dport) && (dp == is->is_sport))) { - if (!is->is_ifp2) - is->is_ifp2 = ifp; ret = 1; } } return ret; } --- 427,503 ---- /* * Nearing end of connection, start timeout. */ ! fr_tcp_age(&is->is_age, is->is_state, ip, fin, source); return 1; } return 0; } ! static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp) ipstate_t *is; struct in_addr src, dst; ! fr_info_t *fin; ! void *tcp; u_short sp, dp; { ! int ret = 0, rev, out; ! void *ifp; rev = (is->is_dst.s_addr != dst.s_addr); + ifp = fin->fin_ifp; + out = fin->fin_out; if (!rev) { ! if (out) { ! if (!is->is_ifpout) ! is->is_ifpout = ifp; ! } else { ! if (!is->is_ifpin) ! is->is_ifpin = ifp; ! } ! } else { ! if (out) { ! if (!is->is_ifpin) ! is->is_ifpin = ifp; ! } else { ! if (!is->is_ifpout) ! is->is_ifpout = ifp; ! } ! } ! ! if (!rev) { ! if (((out && is->is_ifpout == ifp) || ! (!out && is->is_ifpin == ifp)) && (is->is_dst.s_addr == dst.s_addr) && (is->is_src.s_addr == src.s_addr) && ! (!tcp || (sp == is->is_sport) && ! (dp == is->is_dport))) { ret = 1; } } else { ! if (((out && is->is_ifpin == ifp) || ! (!out && is->is_ifpout == ifp)) && (is->is_dst.s_addr == src.s_addr) && (is->is_src.s_addr == dst.s_addr) && (!tcp || (sp == is->is_dport) && (dp == is->is_sport))) { ret = 1; } } + + /* + * Whether or not this should be here, is questionable, but the aim + * is to get this out of the main line. + */ + if (ret) { + if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) || + ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) || + ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) || + ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) != + (is->is_flags & 0xf))) + ret = 0; + } return ret; } *************** *** 482,489 **** if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && ! 
fr_matchsrcdst(is, src, dst, fin->fin_ifp, ! NULL, 0, 0)) { if (is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; --- 540,546 ---- if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && ! fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) { if (is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; *************** *** 506,514 **** MUTEX_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin->fin_ifp, ! tcp, sport, dport)) { ! if (fr_tcpstate(is, fin, ip, tcp, sport)) { pass = is->is_pass; #ifdef _KERNEL MUTEX_EXIT(&ipf_state); --- 563,571 ---- MUTEX_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin, tcp, ! sport, dport)) { ! if (fr_tcpstate(is, fin, ip, tcp)) { pass = is->is_pass; #ifdef _KERNEL MUTEX_EXIT(&ipf_state); *************** *** 539,545 **** MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin->fin_ifp, tcp, sport, dport)) { ips_stats.iss_hits++; is->is_pkts++; --- 596,602 ---- MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin, tcp, sport, dport)) { ips_stats.iss_hits++; is->is_pkts++; diff -cr ip_fil3.2.6/ip_state.h ip_fil3.2.7/ip_state.h *** ip_fil3.2.6/ip_state.h Mon May 18 21:15:24 1998 --- ip_fil3.2.7/ip_state.h Sun May 24 15:18:04 1998 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.0.2.14.2.2 1998/05/18 11:15:24 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! 
* $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 47,58 **** u_int is_pass; U_QUAD_T is_pkts; U_QUAD_T is_bytes; ! void *is_ifp1; ! void *is_ifp2; struct in_addr is_src; struct in_addr is_dst; u_char is_p; u_char is_flags; union { icmpstate_t is_ics; tcpstate_t is_ts; --- 47,64 ---- u_int is_pass; U_QUAD_T is_pkts; U_QUAD_T is_bytes; ! void *is_ifpin; ! void *is_ifpout; struct in_addr is_src; struct in_addr is_dst; u_char is_p; u_char is_flags; + u_32_t is_opt; + u_32_t is_optmsk; + u_short is_sec; + u_short is_secmsk; + u_short is_auth; + u_short is_authmsk; union { icmpstate_t is_ics; tcpstate_t is_ts; *************** *** 122,135 **** extern u_long fr_tcpclosed; extern u_long fr_udptimeout; extern u_long fr_icmptimeout; ! extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, ! tcphdr_t *, u_short)); ! extern ips_stat_t *fr_statetstats __P((void)); extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern int fr_checkstate __P((ip_t *, fr_info_t *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); - extern int fr_state_flush __P((int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_short)); #if defined(__NetBSD__) || defined(__OpenBSD__) --- 128,138 ---- extern u_long fr_tcpclosed; extern u_long fr_udptimeout; extern u_long fr_icmptimeout; ! 
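Review bot: The six new fields carry no comment, and nothing in the header says that `is_opt`/`is_optmsk`, `is_sec`/`is_secmsk` and `is_auth`/`is_authmsk` are snapshots of the matching rule's fr_ip/fr_mip values that every later packet is re-checked against in fr_matchsrcdst; read in isolation they look like per-packet state. Suggest a one-line comment above the group such as `/* IP option, security-class and auth bits (and masks) copied from the rule when the state was created; packets must keep matching them */`. The ip_state.c change also stores the rule's fi_fl mask in the high nibble of `is_flags`, which deserves a note on that `u_char` field.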
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern int fr_checkstate __P((ip_t *, fr_info_t *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_short)); #if defined(__NetBSD__) || defined(__OpenBSD__) *************** *** 137,140 **** --- 140,144 ---- #else extern int fr_state_ioctl __P((caddr_t, int, int)); #endif + #endif /* __IP_STATE_H__ */ diff -cr ip_fil3.2.6/ipf.c ip_fil3.2.7/ipf.c *** ip_fil3.2.6/ipf.c Wed Apr 8 23:44:53 1998 --- ip_fil3.2.7/ipf.c Sun May 24 00:29:44 1998 *************** *** 40,46 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.3 1998/04/08 13:44:53 darrenr Exp $"; #endif static void frsync __P((void)); --- 40,46 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $"; #endif static void frsync __P((void)); *************** *** 406,412 **** static void frsync() { ! if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1) perror("SIOCFRSYN"); else printf("filter sync'd\n"); --- 406,414 ---- static void frsync() { ! int frsyn = 0; ! ! if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1) perror("SIOCFRSYN"); else printf("filter sync'd\n"); diff -cr ip_fil3.2.6/ipft_tx.c ip_fil3.2.7/ipft_tx.c *** ip_fil3.2.6/ipft_tx.c Thu Apr 9 00:31:16 1998 --- ip_fil3.2.7/ipft_tx.c Sun May 24 05:20:32 1998 *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! 
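Review bot: The rewritten condition in frsync() still reports success when the device cannot be opened: when `opendevice(ipfname) != -2` is false the `&&` short-circuits, no ioctl is issued, and the `else` branch prints `filter sync'd`. The -2 return presumably marks an open failure, so the two calls should be tested separately, e.g. `if (opendevice(ipfname) == -2) return;` before the ioctl, leaving the perror/printf pair to report only the SIOCFRSYN result. `frsyn` is now passed by address but its value is never read back; a short comment stating whether the kernel fills it or merely expects a valid pointer would help the next reader.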
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.2 1998/04/08 14:31:16 darrenr Exp $"; #endif extern int opts; --- 43,49 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $"; #endif extern int opts; *************** *** 62,68 **** static FILE *tfp = NULL; static int tfd = -1; ! static u_long tx_hostnum __P((char *, int *)); static u_short tx_portnum __P((char *)); --- 62,68 ---- static FILE *tfp = NULL; static int tfd = -1; ! static u_32_t tx_hostnum __P((char *, int *)); static u_short tx_portnum __P((char *)); *************** *** 70,76 **** * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! static u_long tx_hostnum(host, resolved) char *host; int *resolved; { --- 70,76 ---- * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! static u_32_t tx_hostnum(host, resolved) char *host; int *resolved; { diff -cr ip_fil3.2.6/ipl.h ip_fil3.2.7/ipl.h *** ip_fil3.2.6/ipl.h Mon May 18 22:29:46 1998 --- ip_fil3.2.7/ipl.h Sun May 24 12:06:47 1998 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.6" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.7" #endif diff -cr ip_fil3.2.6/iplang/iplang_y.y ip_fil3.2.7/iplang/iplang_y.y *** ip_fil3.2.6/iplang/iplang_y.y Sun Dec 21 23:17:33 1997 --- ip_fil3.2.7/iplang/iplang_y.y Sun May 24 00:29:53 1998 *************** *** 6,12 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: iplang_y.y,v 2.0.2.18.2.6 1997/12/21 12:17:33 darrenr Exp $ */ #include --- 6,12 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! 
* $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $ */ #include *************** *** 48,54 **** --- 48,56 ---- #include "ipf.h" #include "iplang.h" + #ifndef __NetBSD__ extern struct ether_addr *ether_aton __P((char *)); + #endif extern int opts; extern struct ipopt_names ionames[]; diff -cr ip_fil3.2.6/ipmon.c ip_fil3.2.7/ipmon.c *** ip_fil3.2.6/ipmon.c Fri May 1 23:18:49 1998 --- ip_fil3.2.7/ipmon.c Sun May 24 00:29:45 1998 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.6 1998/05/01 13:18:49 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $"; #endif #include *************** *** 18,23 **** --- 18,24 ---- #include #if !defined(__SVR4) && !defined(__svr4__) #include + #include #include #else #include *************** *** 103,108 **** --- 104,111 ---- char *portname __P((int, char *, u_short)); int main __P((int, char *[])); + static void logopts __P((int, char *)); + #define OPT_SYSLOG 0x001 #define OPT_RESOLVE 0x002 *************** *** 125,133 **** { FILE *fp; ! donehup = 1; if (logfile && (fp = fopen(logfile, "a"))) newlog = fp; } --- 128,137 ---- { FILE *fp; ! signal(SIGHUP, handlehup); if (logfile && (fp = fopen(logfile, "a"))) newlog = fp; + donehup = 1; } *************** *** 195,201 **** *t++ = '\n'; *t = '\0'; if (!(opts & OPT_SYSLOG)) ! fputs(line, stdout); else syslog(LOG_INFO, "%s", line); t = (u_char *)line; --- 199,205 ---- *t++ = '\n'; *t = '\0'; if (!(opts & OPT_SYSLOG)) ! fputs(line, log); else syslog(LOG_INFO, "%s", line); t = (u_char *)line; *************** *** 231,238 **** *t = '\0'; } if (!(opts & OPT_SYSLOG)) { ! fputs(line, stdout); ! 
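Review bot: handlehup() now calls `signal(SIGHUP, handlehup)` and still calls `fopen(logfile, "a")` from signal context; fopen and the allocation it performs are not async-signal-safe, so a HUP delivered while the main loop is inside stdio can deadlock or corrupt FILE state. The safer shape is for the handler to do nothing but re-arm the signal and set `donehup = 1`, with the reopen moved to the point in the main loop that tests donehup (the 821,826 hunk that installs the handler in main is close to that spot). `donehup` should also be declared `volatile sig_atomic_t` so the loop is guaranteed to observe the store from the handler. The hunk deliberately moves `donehup = 1` after the fopen so that `newlog` is visible before the flag; a comment recording that ordering would keep a later cleanup from undoing it.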
fflush(stdout); } else syslog(LOG_INFO, "%s", line); } --- 235,242 ---- *t = '\0'; } if (!(opts & OPT_SYSLOG)) { ! fputs(line, log); ! fflush(log); } else syslog(LOG_INFO, "%s", line); } *************** *** 246,264 **** iplog_t *ipl = (iplog_t *)buf; char *t = line; struct tm *tm; ! int res; nl = (struct natlog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); if (!(opts & OPT_SYSLOG)) { ! (void) sprintf(t, "%2d/%02d/%4d ", ! tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); ! t += strlen(t); } ! (void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ", ! tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec, ! nl->nl_rule+1); t += strlen(t); if (nl->nl_type == NL_NEWMAP) --- 250,270 ---- iplog_t *ipl = (iplog_t *)buf; char *t = line; struct tm *tm; ! int res, i, len; nl = (struct natlog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { ! (void) strftime(t, len, "%d/%m/%Y ", tm); ! i = strlen(t); ! len -= i; ! t += i; } ! (void) strftime(t, len, "%T", tm); ! t += strlen(t); ! (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1); t += strlen(t); if (nl->nl_type == NL_NEWMAP) *************** *** 309,326 **** struct protoent *pr; char *t = line, *proto, pname[6]; struct tm *tm; ! int res; sl = (struct ipslog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); if (!(opts & OPT_SYSLOG)) { ! (void) sprintf(t, "%2d/%02d/%4d ", ! tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); ! t += strlen(t); } ! (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", ! tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec); t += strlen(t); if (sl->isl_type == ISL_NEW) --- 315,335 ---- struct protoent *pr; char *t = line, *proto, pname[6]; struct tm *tm; ! int res, i, len; sl = (struct ipslog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 
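Review bot: The new `len` bookkeeping bounds only the two strftime calls; the `sprintf(t, ".%-.6ld @%hd ", ...)` that follows and every later write into `line` stay unbounded, and `len` is not reduced after the second strftime (`t += strlen(t);`). If the intent of tracking the remaining length was to stop overrunning `line`, carry it through with `snprintf(t, len, ...)` and decrement it after each write; otherwise drop the variable so it does not suggest a bound that is not enforced. The strftime return value is also discarded, and strftime returns 0 with unspecified buffer contents when the output does not fit, so `strlen(t)` is then meaningless — test the return instead. The same pattern appears in the ipslog (309,326) and packet-log (452,464) hunks below. This assumes `line` is a char array in scope; if it were a pointer, `sizeof(line)` would be the pointer size.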
1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { ! (void) strftime(t, len, "%d/%m/%Y ", tm); ! i = strlen(t); ! len -= i; ! t += i; } ! (void) strftime(t, len, "%T", tm); ! t += strlen(t); ! (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); if (sl->isl_type == ISL_NEW) *************** *** 416,422 **** blen -= psize; buf += psize; } - finishbuf: if (bp) free(bp); return; --- 425,430 ---- *************** *** 452,464 **** ip->ip_len = ntohs(ip->ip_len); #endif if (!(opts & OPT_SYSLOG)) { ! (void) sprintf(t, "%2d/%02d/%4d ", ! tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); ! t += strlen(t); } ! (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min, ! tm->tm_sec, ipl->ipl_usec); t += strlen(t); if (ipl->ipl_count > 1) { (void) sprintf(t, "%dx ", ipl->ipl_count); --- 460,475 ---- ip->ip_len = ntohs(ip->ip_len); #endif + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { ! (void) strftime(t, len, "%d/%m/%Y ", tm); ! i = strlen(t); ! len -= i; ! t += i; } ! (void) strftime(t, len, "%T", tm); ! t += strlen(t); ! (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); if (ipl->ipl_count > 1) { (void) sprintf(t, "%dx ", ipl->ipl_count); *************** *** 821,826 **** --- 832,839 ---- close(2); setsid(); } + + signal(SIGHUP, handlehup); for (doread = 1; doread; ) { nr = 0; diff -cr ip_fil3.2.6/ipnat.c ip_fil3.2.7/ipnat.c *** ip_fil3.2.6/ipnat.c Tue May 5 23:35:31 1998 --- ip_fil3.2.7/ipnat.c Sun May 24 05:07:02 1998 *************** *** 62,68 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.5 1998/05/05 13:35:31 darrenr Exp $"; #endif --- 62,68 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $"; #endif *************** *** 73,86 **** extern char *optarg; ipnat_t *parse __P((char *)); ! u_long hostnum __P((char *, int *)); ! u_long hostmask __P((char *)); u_short portnum __P((char *, char *)); void dostats __P((int, int)), flushtable __P((int, int)); void printnat __P((ipnat_t *, int, void *)); void parsefile __P((int, char *, int)); void usage __P((char *)); ! int countbits __P((u_long)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); --- 73,86 ---- extern char *optarg; ipnat_t *parse __P((char *)); ! u_32_t hostnum __P((char *, int *)); ! u_32_t hostmask __P((char *)); u_short portnum __P((char *, char *)); void dostats __P((int, int)), flushtable __P((int, int)); void printnat __P((ipnat_t *, int, void *)); void parsefile __P((int, char *, int)); void usage __P((char *)); ! int countbits __P((u_32_t)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); *************** *** 162,170 **** * of bits. */ int countbits(ip) ! u_long ip; { ! u_long ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip); --- 162,170 ---- * of bits. */ int countbits(ip) ! u_32_t ip; { ! u_32_t ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip); *************** *** 417,434 **** } ! u_long hostmask(msk) char *msk; { int bits = -1; ! u_long mask; if (!isdigit(*msk)) ! return (u_long)-1; if (strchr(msk, '.')) return inet_addr(msk); if (strchr(msk, 'x')) ! return (u_long)strtol(msk, NULL, 0); /* * set x most significant bits */ --- 417,434 ---- } ! u_32_t hostmask(msk) char *msk; { int bits = -1; ! u_32_t mask; if (!isdigit(*msk)) ! return (u_32_t)-1; if (strchr(msk, '.')) return inet_addr(msk); if (strchr(msk, 'x')) ! return (u_32_t)strtol(msk, NULL, 0); /* * set x most significant bits */ *************** *** 445,451 **** * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! 
u_long hostnum(host, resolved) char *host; int *resolved; { --- 445,451 ---- * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! u_32_t hostnum(host, resolved) char *host; int *resolved; { diff -cr ip_fil3.2.6/ipsend/ipresend.1 ip_fil3.2.7/ipsend/ipresend.1 *** ip_fil3.2.6/ipsend/ipresend.1 Sat Apr 11 12:59:39 1998 --- ip_fil3.2.7/ipsend/ipresend.1 Sun May 24 00:30:24 1998 *************** *** 92,99 **** .B \-X The input file is composed of text descriptions of IP packets. .TP - .SH FILES - .DT .SH SEE ALSO snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS --- 92,97 ---- diff -cr ip_fil3.2.6/ipsend/ipsend.5 ip_fil3.2.7/ipsend/ipsend.5 *** ip_fil3.2.6/ipsend/ipsend.5 Tue Sep 16 00:56:21 1997 --- ip_fil3.2.7/ipsend/ipsend.5 Sun May 24 00:30:25 1998 *************** *** 392,398 **** .B maskrep Address mask reply. .SH FILES /etc/protocols /etc/services - /etc/hosts .SH SEE ALSO --- 392,401 ---- .B maskrep Address mask reply. .SH FILES + /etc/hosts + .br /etc/protocols + .br /etc/services .SH SEE ALSO + ipsend(1), iptest(1), hosts(5), protocols(5), services(5) diff -cr ip_fil3.2.6/ipsend/iptest.1 ip_fil3.2.7/ipsend/iptest.1 *** ip_fil3.2.6/ipsend/iptest.1 Sat Apr 11 12:59:41 1998 --- ip_fil3.2.7/ipsend/iptest.1 Sun May 24 00:30:26 1998 *************** *** 91,97 **** Run a... .DT .SH SEE ALSO ! ipsend(1), ipresend(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS Only one of the numeric test options may be given when \fIiptest\fP is run. .PP --- 91,97 ---- Run a... .DT .SH SEE ALSO ! ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p) .SH DIAGNOSTICS Only one of the numeric test options may be given when \fIiptest\fP is run. 
.PP diff -cr ip_fil3.2.6/man/ipf.4 ip_fil3.2.7/man/ipf.4 *** ip_fil3.2.6/man/ipf.4 Fri Nov 28 18:25:04 1997 --- ip_fil3.2.7/man/ipf.4 Sun May 24 00:30:28 1998 *************** *** 3,8 **** --- 3,9 ---- ipf \- packet filtering kernel interface .SH SYNOPSIS #include + .br #include .SH IOCTLS .PP *************** *** 200,204 **** #endif }; .fi .SH SEE ALSO ! ipfstat(8), ipf(8), ipf(5) --- 201,213 ---- #endif }; .fi + .SH FILES + /dev/ipauth + .br + /dev/ipl + .br + /dev/ipnat + .br + /dev/ipstate .SH SEE ALSO ! ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8) diff -cr ip_fil3.2.6/man/ipf.5 ip_fil3.2.7/man/ipf.5 *** ip_fil3.2.6/man/ipf.5 Fri Nov 28 18:26:00 1997 --- ip_fil3.2.7/man/ipf.5 Sun May 24 00:30:29 1998 *************** *** 1,6 **** .TH IPF 5 .SH NAME ! ipf \- IP packet filter rule syntax .SH DESCRIPTION .PP A rule file for \fBipf\fP may have any name or even be stdin. As --- 1,6 ---- .TH IPF 5 .SH NAME ! ipf, ipf.conf \- IP packet filter rule syntax .SH DESCRIPTION .PP A rule file for \fBipf\fP may have any name or even be stdin. As *************** *** 477,484 **** need to be specified as the parser interprets each rule on its own and qualifies all service/port names with the protocol specified. .SH FILES ! /etc/services .br /etc/hosts .SH SEE ALSO ! ipf(8), ipftest(1), mkfilters(1), ipmon(8) --- 477,490 ---- need to be specified as the parser interprets each rule on its own and qualifies all service/port names with the protocol specified. .SH FILES ! /dev/ipauth ! .br ! /dev/ipl ! .br ! /dev/ipstate .br /etc/hosts + .br + /etc/services .SH SEE ALSO ! ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8) diff -cr ip_fil3.2.6/man/ipf.8 ip_fil3.2.7/man/ipf.8 *** ip_fil3.2.6/man/ipf.8 Sat Apr 11 12:59:44 1998 --- ip_fil3.2.7/man/ipf.8 Sun May 24 00:30:30 1998 *************** *** 66,72 **** .B \-I Set the list to make changes to the inactive list. .TP ! .B \-l \0 Use of the \fB-l\fP flag toggles default logging of packets. 
Valid arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP. When an option is set, any packet which exits filtering and matches the --- 66,72 ---- .B \-I Set the list to make changes to the inactive list. .TP ! .B \-l \0 Use of the \fB-l\fP flag toggles default logging of packets. Valid arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP. When an option is set, any packet which exits filtering and matches the *************** *** 106,113 **** Zero global statistics held in the kernel for filtering only (this doesn't affect fragment or state statistics). .DT .SH SEE ALSO ! ipfstat(8), ipftest(1), ipf(5), mkfilters(1) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually --- 106,119 ---- Zero global statistics held in the kernel for filtering only (this doesn't affect fragment or state statistics). .DT + .SH FILES + /dev/ipauth + .br + /dev/ipl + .br + /dev/ipstate .SH SEE ALSO ! ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually diff -cr ip_fil3.2.6/man/ipfstat.8 ip_fil3.2.7/man/ipfstat.8 *** ip_fil3.2.6/man/ipfstat.8 Fri Nov 28 18:25:06 1997 --- ip_fil3.2.7/man/ipfstat.8 Sun May 24 00:30:31 1998 *************** *** 69,74 **** --- 69,78 ---- .SH FILES /dev/kmem .br + /dev/ipl + .br + /dev/ipstate + .br /vmunix .SH SEE ALSO ipf(8) diff -cr ip_fil3.2.6/man/ipftest.1 ip_fil3.2.7/man/ipftest.1 *** ip_fil3.2.6/man/ipftest.1 Fri Nov 28 18:25:07 1997 --- ip_fil3.2.7/man/ipftest.1 Sun May 24 00:30:32 1998 *************** *** 1,4 **** ! .TH ipftest 8 .SH NAME ipftest \- test packet filter rules with arbitary input. .SH SYNOPSIS --- 1,4 ---- ! .TH ipftest 1 .SH NAME ipftest \- test packet filter rules with arbitary input. .SH SYNOPSIS *************** *** 119,127 **** .TP .BR \-r \0 Specify the filename from which to read filter rules. - .SH FILES .SH SEE ALSO ! 
ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. --- 119,126 ---- .TP .BR \-r \0 Specify the filename from which to read filter rules. .SH SEE ALSO ! ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. diff -cr ip_fil3.2.6/man/ipmon.8 ip_fil3.2.7/man/ipmon.8 *** ip_fil3.2.6/man/ipmon.8 Fri Nov 28 18:25:07 1997 --- ip_fil3.2.7/man/ipmon.8 Sun May 24 00:30:33 1998 *************** *** 101,106 **** recorded data. .SH FILES /dev/ipl .SH SEE ALSO ! ipf(8), ipfstat(8) .SH BUGS --- 101,110 ---- recorded data. .SH FILES /dev/ipl + .br + /dev/ipnat + .br + /dev/ipstate .SH SEE ALSO ! ipl(4), ipf(8), ipfstat(8), ipnat(8) .SH BUGS diff -cr ip_fil3.2.6/man/ipnat.1 ip_fil3.2.7/man/ipnat.1 *** ip_fil3.2.6/man/ipnat.1 Fri Nov 28 18:25:08 1997 --- ip_fil3.2.7/man/ipnat.1 Sun May 24 00:30:33 1998 *************** *** 41,45 **** .B \-v Turn verbose mode on. Displays information relating to rule processing. .DT .SH SEE ALSO ! ipfstat(1), ipftest(8), ipf(8), ipnat(5) --- 41,47 ---- .B \-v Turn verbose mode on. Displays information relating to rule processing. .DT + .SH FILES + /dev/ipnat .SH SEE ALSO ! ipnat(5), ipf(8), ipfstat(8) diff -cr ip_fil3.2.6/man/ipnat.4 ip_fil3.2.7/man/ipnat.4 *** ip_fil3.2.6/man/ipnat.4 Fri Nov 28 18:25:08 1997 --- ip_fil3.2.7/man/ipnat.4 Sun May 24 00:30:34 1998 *************** *** 3,10 **** --- 3,13 ---- ipnat \- Network Address Translation kernel interface .SH SYNOPSIS #include + .br #include + .br #include + .br #include .SH IOCTLS .PP *************** *** 87,91 **** .SH BUGS It would be nice if there were more flexibility when adding and deleting filter rules. .SH SEE ALSO ! 
ipfstat(8), ipf(8), ipf(4), ipnat(5) --- 90,96 ---- .SH BUGS It would be nice if there were more flexibility when adding and deleting filter rules. + .SH FILES + /dev/ipnat .SH SEE ALSO ! ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8) diff -cr ip_fil3.2.6/man/ipnat.5 ip_fil3.2.7/man/ipnat.5 *** ip_fil3.2.6/man/ipnat.5 Sun Jan 12 19:48:13 1997 --- ip_fil3.2.7/man/ipnat.5 Sun May 24 00:30:35 1998 *************** *** 1,6 **** .TH IPNAT 5 .SH NAME ! ipnat \- IP NAT file format .SH DESCRIPTION The format for files accepted by ipnat is described by the following grammar: .LP --- 1,6 ---- .TH IPNAT 5 .SH NAME ! ipnat, ipnat.conf \- IP NAT file format .SH DESCRIPTION The format for files accepted by ipnat is described by the following grammar: .LP *************** *** 37,46 **** .SH Examples .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit ! subnet at 209.1.2.0, the following would be used: .LP .nf ! map 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP The obvious problem here is we're trying to squeeze over 16,000,000 IP --- 37,46 ---- .SH Examples .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit ! subnet at 209.1.2.0 through the ppp0 interface, the following would be used: .LP .nf ! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP The obvious problem here is we're trying to squeeze over 16,000,000 IP *************** *** 48,54 **** and/or UDP, port remapping can be used; .LP .nf ! map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 .fi .PP which falls only 527,566 `addresses' short of the space available in network --- 48,54 ---- and/or UDP, port remapping can be used; .LP .nf ! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 .fi .PP which falls only 527,566 `addresses' short of the space available in network *************** *** 56,70 **** follows: .LP .nf ! map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 ! 
map 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP so that all TCP/UDP packets were port mapped and only other protocols, such as ICMP, only have their IP# changed. .SH FILES /etc/services .br /etc/hosts .SH SEE ALSO ! ipnat(1), ipf(5), ipnat(4) --- 56,72 ---- follows: .LP .nf ! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 ! map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP so that all TCP/UDP packets were port mapped and only other protocols, such as ICMP, only have their IP# changed. .SH FILES + /dev/ipnat + .br /etc/services .br /etc/hosts .SH SEE ALSO ! ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8) diff -cr ip_fil3.2.6/mln_ipl.c ip_fil3.2.7/mln_ipl.c *** ip_fil3.2.6/mln_ipl.c Wed Oct 29 22:59:39 1997 --- ip_fil3.2.7/mln_ipl.c Sun May 24 00:29:47 1998 *************** *** 48,53 **** --- 48,56 ---- #include "ip_compat.h" #include "ip_fil.h" + #if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000 + #define vn_lock(v,f) VOP_LOCK(v) + #endif #if !defined(VOP_LEASE) && defined(LEASE_CHECK) #define VOP_LEASE LEASE_CHECK *************** *** 179,185 **** if ((error = namei(&nd))) return (error); VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); ! VOP_LOCK(nd.ni_vp); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); } --- 182,188 ---- if ((error = namei(&nd))) return (error); VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); ! vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); } diff -cr ip_fil3.2.6/parse.c ip_fil3.2.7/parse.c *** ip_fil3.2.6/parse.c Sat Feb 28 13:04:40 1998 --- ip_fil3.2.7/parse.c Sun May 24 05:20:33 1998 *************** *** 35,41 **** #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! 
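Review bot: The compatibility macro `#define vn_lock(v,f) VOP_LOCK(v)` silently discards its flags argument, so on the older NetBSD path the `LK_EXCLUSIVE | LK_RETRY` requested at the call site in the 179,185 hunk has no effect; a comment on the macro such as `/* older NetBSD: VOP_LOCK takes no flags, LK_* bits are ignored */` would stop a reader from assuming a retrying exclusive lock is taken there. The return value of vn_lock() is also discarded at the call site; if it can fail on the newer path, VOP_LEASE and VOP_REMOVE would then run on an unlocked vnode, so at minimum note why the result is safe to ignore.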
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.2 1998/02/28 02:04:40 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 35,41 ---- #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 57,63 **** int to_interface __P((frdest_t *, char *)); void print_toif __P((char *, frdest_t *)); void optprint __P((u_short, u_short, u_long, u_long)); ! int countbits __P((u_long)); char *portname __P((int, int)); --- 57,63 ---- int to_interface __P((frdest_t *, char *)); void print_toif __P((char *, frdest_t *)); void optprint __P((u_short, u_short, u_long, u_long)); ! int countbits __P((u_32_t)); char *portname __P((int, int)); *************** *** 475,486 **** /* * lazy users... */ ! if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) && ! (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { ! (void)fprintf(stderr, ! "no protocol given for TCP/UDP comparisons\n"); return NULL; } /* if ((fil.fr_flags & FR_KEEPFRAG) && (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) { --- 475,495 ---- /* * lazy users... */ ! if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) { ! 
(void)fprintf(stderr, "TCP protocol not specified\n"); return NULL; } + if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) && + (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) { + if (!fil.fr_proto) { + fil.fr_ip.fi_fl |= FI_TCPUDP; + fil.fr_mip.fi_fl |= FI_TCPUDP; + } else { + (void)fprintf(stderr, + "port comparisons for non-TCP/UDP\n"); + return NULL; + } + } /* if ((fil.fr_flags & FR_KEEPFRAG) && (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) { *************** *** 980,986 **** fp->fr_proto = IPPROTO_ICMP; if (isdigit(***cp)) { i = atoi(**cp); - (*cp)++; } else { for (t = icmptypes, i = 0; ; t++, i++) { if (!*t) --- 989,994 ---- *************** *** 1082,1090 **** * of bits. */ int countbits(ip) ! u_long ip; { ! u_long ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip); --- 1090,1098 ---- * of bits. */ int countbits(ip) ! u_32_t ip; { ! u_32_t ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip);
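Review bot: The second new block silently widens an under-specified rule: when port comparisons are given without a protocol, the parser now sets `FI_TCPUDP` on `fr_ip` and `fr_mip` and continues, whereas 3.2.6 rejected the rule with `no protocol given for TCP/UDP comparisons`. For a packet filter, having the parser broaden a rule the author did not fully specify is risky — a port-only rule with no proto now matches both TCP and UDP with no diagnostic — so at least print a warning saying the rule was taken as tcp/udp, or keep the rejection. The first block also changes meaning: TCP flags are now refused unless `fil.fr_proto == IPPROTO_TCP`, so a rule written with the tcp/udp protocol and flags, which the old FI_TCPUDP test accepted, now fails with `TCP protocol not specified` — confirm that is intended. The enclosing function starts before this hunk.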