diff -cr ip_fil3.3.9/HISTORY ip_fil3.3.10/HISTORY *** ip_fil3.3.9/HISTORY Tue Feb 15 19:35:07 2000 --- ip_fil3.3.10/HISTORY Thu Feb 24 02:23:47 2000 *************** *** 20,25 **** --- 20,40 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.10 24/02/2000 - Released + + * fix back from guido for state tracking interfaces + + * update for NetBSD pfil interface changes + + * if attaching fails and we can abort, then cleanup when doing so. + + julian@computer.org: + * solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. + * ipf.c (packetlogon): use flag to store the return value from get_flags. + * ipmon.c (init_tabs): Generate cleanup so we do not have to cast + an int s->s_port to u_int port and try to check if the u_int port + is less than zero. + 3.3.9 15/02/2000 - Released fix scheduling of bad locking in fr_addstate() used when we attach onto diff -cr ip_fil3.3.9/SunOS5/pkginfo ip_fil3.3.10/SunOS5/pkginfo *** ip_fil3.3.9/SunOS5/pkginfo Tue Feb 15 19:32:12 2000 --- ip_fil3.3.10/SunOS5/pkginfo Tue Feb 22 21:14:17 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.10 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.9/fils.c ip_fil3.3.10/fils.c *** ip_fil3.3.9/fils.c Thu Jan 27 19:49:40 2000 --- ip_fil3.3.10/fils.c Wed Feb 23 22:16:35 2000 *************** *** 51,57 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.5 2000/01/27 08:49:40 darrenr Exp $"; #endif extern char *optarg; --- 51,57 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.6 2000/02/23 11:16:35 darrenr Exp $"; #endif extern char *optarg; *************** *** 234,239 **** --- 234,241 ---- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); PRINTF(" bad packets:\t\tin %lu\tout %lu\n", fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); + PRINTF("copied messages:\tin %lu\tout %lu\n", + fp->f_st[0].fr_copy, fp->f_st[1].fr_copy); #endif PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[0].fr_block, fp->f_st[0].fr_pass, diff -cr ip_fil3.3.9/ip_fil.c ip_fil3.3.10/ip_fil.c *** ip_fil3.3.9/ip_fil.c Thu Feb 10 12:47:28 2000 --- ip_fil3.3.10/ip_fil.c Tue Feb 22 22:40:06 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.17 2000/02/10 01:47:28 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.18 2000/02/22 11:40:06 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 220,227 **** { char *defpass; int s; ! # ifdef __sgi ! int error; # endif SPL_NET(s); --- 220,227 ---- { char *defpass; int s; ! # if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)) ! 
int error = 0; # endif SPL_NET(s); *************** *** 242,254 **** --- 242,268 ---- return -1; # ifdef NETBSD_PF + # if __NetBSD_Version__ >= 104200000 + error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); + if (error) { + appr_unload(); + ip_natunload(); + fr_stateunload(); + return error; + } + # else pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); + # endif # endif # ifdef __sgi error = ipfilter_sgi_attach(); if (error) { SPL_X(s); + appr_unload(); + ip_natunload(); + fr_stateunload(); return error; } # endif *************** *** 292,297 **** --- 306,314 ---- int ipldetach() { int s, i = FR_INQUE|FR_OUTQUE; + #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) + int error = 0; + #endif #ifdef _KERNEL # if (__FreeBSD_version >= 300000) *************** *** 317,329 **** --- 334,354 ---- fr_running = 0; # ifdef NETBSD_PF + # if __NetBSD_Version__ >= 104200000 + error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); + if (error) + return error; + # else pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); + # endif # endif # ifdef __sgi ipfilter_sgi_detach(); # endif + appr_unload(); ipfr_unload(); ip_natunload(); fr_stateunload(); diff -cr ip_fil3.3.9/ip_fil.h ip_fil3.3.10/ip_fil.h *** ip_fil3.3.9/ip_fil.h Thu Jan 27 19:49:41 2000 --- ip_fil3.3.10/ip_fil.h Wed Feb 23 22:16:36 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.8 2000/02/23 11:16:36 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 293,298 **** --- 293,299 ---- u_long fr_bad; /* bad IP packets to the filter */ u_long fr_notip; /* packets passed through no on ip queue */ u_long fr_drop; /* packets dropped - no info for them! 
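Review bot: The new NetBSD failure path (`__NetBSD_Version__ >= 104200000` branch of the hunk at 242) returns `error` without the `SPL_X(s)` that the `__sgi` failure path just below it performs. After the `SPL_NET(s)` shown in the previous hunk, the function therefore appears to return with the priority level still raised; add `SPL_X(s);` before `appr_unload();` in that branch. Both failure paths also leave out `ipfr_unload()`, which ipldetach calls alongside the other three unload routines; whether anything needs releasing there at this point is not visible here. The function body starts and ends outside the hunk.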
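Review bot: In ipldetach (hunk at 317), the early `return error` after a failed `pfil_remove_hook()` comes after `fr_running = 0;`, so a failed detach leaves the filter marked as not running while `fr_check` is still hooked and none of the unload routines have run. What `fr_check` does with packets in that state is not visible here, but a firewall that reports itself stopped while still in the packet path is worth avoiding. Either move `fr_running = 0;` below the hook removal or restore it before returning. If a priority level was raised earlier in the function (outside this hunk), the same return also skips the matching `SPL_X(s)`.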
*/ + u_long fr_copy; /* messages copied due to db_ref > 1 */ #endif } filterstats_t; diff -cr ip_fil3.3.9/ip_proxy.c ip_fil3.3.10/ip_proxy.c *** ip_fil3.3.9/ip_proxy.c Sun Sep 19 22:18:19 1999 --- ip_fil3.3.10/ip_proxy.c Tue Feb 22 22:41:14 2000 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.2 2000/02/22 11:41:14 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 100,114 **** ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY ! { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, ippr_ftp_in, ippr_ftp_out }, #endif #ifdef IPF_RCMD_PROXY ! { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new, ! NULL, ippr_rcmd_out }, #endif #ifdef IPF_RAUDIO_PROXY ! { "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_new, ippr_raudio_in, ippr_raudio_out }, #endif { "", '\0', 0, 0, NULL, NULL } --- 100,114 ---- ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY ! { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, NULL, ippr_ftp_in, ippr_ftp_out }, #endif #ifdef IPF_RCMD_PROXY ! { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL, ! ippr_rcmd_new, NULL, ippr_rcmd_out }, #endif #ifdef IPF_RAUDIO_PROXY ! 
{ "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL, ippr_raudio_new, ippr_raudio_in, ippr_raudio_out }, #endif { "", '\0', 0, 0, NULL, NULL } *************** *** 384,387 **** --- 384,396 ---- break; } return err; + } + + + void appr_unload() + { + aproxy_t *ap; + + for (ap = ap_proxies; ap->apr_p; ap++) + (*ap->apr_fini)(); } diff -cr ip_fil3.3.9/ip_proxy.h ip_fil3.3.10/ip_proxy.h *** ip_fil3.3.9/ip_proxy.h Sun Sep 19 22:18:20 1999 --- ip_fil3.3.10/ip_proxy.h Tue Feb 22 22:41:15 2000 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ */ #ifndef __IP_PROXY_H__ --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.1.2.2 2000/02/22 11:41:15 darrenr Exp $ */ #ifndef __IP_PROXY_H__ *************** *** 72,77 **** --- 72,78 ---- int apr_ref; /* +1 per rule referencing it */ int apr_flags; int (* apr_init) __P((void)); + void (* apr_fini) __P((void)); int (* apr_new) __P((fr_info_t *, ip_t *, ap_session_t *, struct nat *)); int (* apr_inpkt) __P((fr_info_t *, ip_t *, *************** *** 120,125 **** --- 121,127 ---- extern aproxy_t ap_proxies[]; extern int appr_init __P((void)); + extern void appr_unload __P((void)); extern int appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *)); extern void appr_free __P((aproxy_t *)); extern void aps_free __P((ap_session_t *)); diff -cr ip_fil3.3.9/ip_state.c ip_fil3.3.10/ip_state.c *** ip_fil3.3.9/ip_state.c Tue Feb 15 19:04:01 2000 --- ip_fil3.3.10/ip_state.c Thu Feb 24 02:23:24 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! 
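Review bot: `appr_unload()` (hunk at 384) calls `(*ap->apr_fini)()` unconditionally, but every entry this patch touches in `ap_proxies[]` (ftp, rcmd, raudio, hunk at 100) initialises the new `apr_fini` slot to NULL. With any of those proxies compiled in, the loop calls through a null function pointer. Because ipldetach and the iplattach failure paths now call `appr_unload()`, that would be a null call in kernel context on unload or on a failed attach. Guard the call: `if (ap->apr_fini != NULL) (*ap->apr_fini)();`. The terminator entry `{ "", '\0', 0, 0, NULL, NULL }` still ends the loop, presumably through its zero `apr_p`.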
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.21 2000/02/15 08:04:01 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.22 2000/02/23 15:23:24 darrenr Exp $"; #endif #include *************** *** 378,384 **** pass = fr_flags; WRITE_ENTER(&ipf_state); - is->is_rout = pass & FR_OUTQUE ? 1 : 0; is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; --- 378,383 ---- *************** *** 563,569 **** if (rev == 0) { if (!out) { ! if (is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) --- 562,568 ---- if (rev == 0) { if (!out) { ! if (is->is_ifpin == NULL || is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) *************** *** 571,577 **** } } else { if (out) { ! if (is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) --- 570,576 ---- } } else { if (out) { ! if (is->is_ifpin == NULL || is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) *************** *** 637,643 **** } if (!rev) { ! if (out && (out == is->is_rout)) { if (!is->is_ifpout) is->is_ifpout = ifp; } else { --- 636,642 ---- } if (!rev) { ! if (out) { if (!is->is_ifpout) is->is_ifpout = ifp; } else { *************** *** 645,651 **** is->is_ifpin = ifp; } } else { ! if (!out && (out != is->is_rout)) { if (!is->is_ifpin) is->is_ifpin = ifp; } else { --- 644,650 ---- is->is_ifpin = ifp; } } else { ! if (out) { if (!is->is_ifpin) is->is_ifpin = ifp; } else { diff -cr ip_fil3.3.9/ip_state.h ip_fil3.3.10/ip_state.h *** ip_fil3.3.9/ip_state.h Tue Feb 15 19:04:03 2000 --- ip_fil3.3.10/ip_state.h Thu Feb 24 02:23:27 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! 
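Review bot: Missing documentation on the two `is->is_ifpin == NULL || is->is_ifpin == ifp` tests (hunks at 563 and 571): a state entry with no recorded input interface now matches a packet arriving on any interface, which widens what the entry accepts until the hunks at 637 and 645 bind `is_ifpin`. A comment at the first test would make that explicit, e.g. `/* NULL: interface not yet bound, entry matches on any interface until a packet sets it */`. It would also help to note that `is_ifpin`/`is_ifpout` are named for the forward direction, which is why the reverse branch tests and sets `is_ifpin` for outbound packets. How long an entry can stay unbound is decided outside these hunks.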
* $Id: ip_state.h,v 2.1.2.3 2000/02/15 08:04:03 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.1.2.4 2000/02/23 15:23:27 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 56,62 **** struct in_addr is_src; struct in_addr is_dst; u_char is_p; /* Protocol */ - u_char is_rout; /* Is rule in/out ? */ u_32_t is_flags; u_32_t is_opt; /* packet options set */ u_32_t is_optmsk; /* " " mask */ --- 56,61 ---- diff -cr ip_fil3.3.9/ipf.c ip_fil3.3.10/ipf.c *** ip_fil3.3.9/ipf.c Sat Aug 7 01:26:08 1999 --- ip_fil3.3.10/ipf.c Thu Feb 17 01:40:39 2000 *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $"; #endif #if SOLARIS --- 43,49 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.2.2.1 2000/02/16 14:40:39 darrenr Exp $"; #endif #if SOLARIS *************** *** 348,355 **** { int flag, err; ! err = get_flags(); ! if (err != 0) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); } --- 348,355 ---- { int flag, err; ! flag = get_flags(); ! if (flag != 0) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); } diff -cr ip_fil3.3.9/ipl.h ip_fil3.3.10/ipl.h *** ip_fil3.3.9/ipl.h Tue Feb 15 19:32:12 2000 --- ip_fil3.3.10/ipl.h Tue Feb 22 21:14:17 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.9" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! 
#define IPL_VERSION "IP Filter: v3.3.10" #endif diff -cr ip_fil3.3.9/ipmon.c ip_fil3.3.10/ipmon.c *** ip_fil3.3.9/ipmon.c Mon Jan 24 23:45:25 2000 --- ip_fil3.3.10/ipmon.c Thu Feb 17 01:40:39 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.5 2000/02/16 14:40:39 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 168,174 **** struct protoent *p; struct servent *s; char *name, **tab; ! u_int port; if (protocols != NULL) { free(protocols); --- 168,174 ---- struct protoent *p; struct servent *s; char *name, **tab; ! int port; if (protocols != NULL) { free(protocols); *************** *** 207,217 **** if (s->s_proto == NULL) continue; else if (!strcmp(s->s_proto, "tcp")) { ! port = (u_int)s->s_port; name = s->s_name; tab = tcp_ports; } else if (!strcmp(s->s_proto, "udp")) { ! port = (u_int)s->s_port; name = s->s_name; tab = udp_ports; } else --- 207,217 ---- if (s->s_proto == NULL) continue; else if (!strcmp(s->s_proto, "tcp")) { ! port = s->s_port; name = s->s_name; tab = tcp_ports; } else if (!strcmp(s->s_proto, "udp")) { ! port = s->s_port; name = s->s_name; tab = udp_ports; } else diff -cr ip_fil3.3.9/solaris.c ip_fil3.3.10/solaris.c *** ip_fil3.3.9/solaris.c Tue Feb 15 19:04:34 2000 --- ip_fil3.3.10/solaris.c Wed Feb 23 22:16:37 2000 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.17 2000/02/15 08:04:34 darrenr Exp $" #include #include --- 6,12 ---- * to the original author and the contributors. 
*/ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.19 2000/02/23 11:16:37 darrenr Exp $" #include #include *************** *** 637,642 **** --- 637,643 ---- *mp = m2; MTYPE(m2) = M_DATA; freemsg(mt); + mt = m2; frstats[out].fr_pull[0]++; synced = 1; *************** *** 772,777 **** --- 773,779 ---- m1 = copymsg(mb); freemsg(mb); mb = m1; + frstats[0].fr_copy++; } READ_ENTER(&ipf_solaris); *************** *** 872,877 **** --- 874,880 ---- m1 = copymsg(mb); freemsg(mb); mb = m1; + frstats[1].fr_copy++; } READ_ENTER(&ipf_solaris);
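Review bot: `frstats[0].fr_copy++` (hunk at 772) and `frstats[1].fr_copy++` (hunk at 872) count a copy whether or not `copymsg(mb)` succeeded; the visible lines free the original with `freemsg(mb)` and assign `mb = m1` without testing `m1`. If a NULL check follows outside the hunk, the increment belongs after it; otherwise write `if (m1 != NULL) frstats[0].fr_copy++;` so the statistic reflects real copies. The increment also sits before `READ_ENTER(&ipf_solaris)`, so it is not covered by that lock. The enclosing functions start and end outside these hunks.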