diff -cr ip_fil3.3.18/HISTORY ip_fil3.3.19/HISTORY *** ip_fil3.3.18/HISTORY Tue Aug 8 01:10:26 2000 --- ip_fil3.3.19/HISTORY Tue Oct 24 23:21:52 2000 *************** *** 20,25 **** --- 20,33 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.19 24/10/2000 - Released + + don't access ICMP data fields that aren't there + + fill in icmp_nextmtu field where/when possible + + don't junk good ICMP packets when doing NAT processing + 3.3.18 08/08/2000 - Released fix up command checking in the ftp proxy diff -cr ip_fil3.3.18/SunOS5/ipfboot ip_fil3.3.19/SunOS5/ipfboot *** ip_fil3.3.18/SunOS5/ipfboot Mon Oct 11 23:29:26 1999 --- ip_fil3.3.19/SunOS5/ipfboot Wed Aug 23 20:56:25 2000 *************** *** 1,13 **** #!/bin/sh ! id=`/usr/sbin/modinfo | grep ipf | awk ' { print $1 } ' -` ! pid=`ps -e | grep ipmon | awk ' { print $1 } ' -` PATH=${PATH}:/sbin:/opt/ipf/bin IPFILCONF=/etc/opt/ipf/ipf.conf IPNATCONF=/etc/opt/ipf/ipnat.conf case "$1" in start) ! if [ x$pid != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then --- 1,13 ---- #!/bin/sh ! id=`/usr/sbin/modinfo | awk '/ipf/ { print $1 } ' -` ! pid=`ps -e | awk '/ipmon/ { print $1 } ' -` PATH=${PATH}:/sbin:/opt/ipf/bin IPFILCONF=/etc/opt/ipf/ipf.conf IPNATCONF=/etc/opt/ipf/ipnat.conf case "$1" in start) ! if [ x"$pid" != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then *************** *** 32,38 **** ;; stop) ! if [ x$pid != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then --- 32,38 ---- ;; stop) ! if [ x"$pid" != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then diff -cr ip_fil3.3.18/SunOS5/pkginfo ip_fil3.3.19/SunOS5/pkginfo *** ip_fil3.3.18/SunOS5/pkginfo Tue Aug 8 01:10:27 2000 --- ip_fil3.3.19/SunOS5/pkginfo Tue Oct 24 23:07:46 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.18 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! 
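Review bot: In SunOS5/ipfboot the quoting fix covers only `$pid`; the `$id` guard on the next line of both the `start)` and `stop)` hunks is still `[ x$id != x ]`, and `awk '/ipf/ { print $1 }'` can return more than one module id, in which case the unquoted test typically errors out in `[` and the branch is skipped. Quote it the same way, `if [ x"$id" != x ] ; then`. The patterns `/ipf/` and `/ipmon/` also match anywhere on the line, so `kill -TERM $pid` can reach an unrelated process whose name merely contains `ipmon`; comparing the command field exactly, e.g. `awk '$NF == "ipmon" { print $1 }'`, would narrow it. The case branches continue outside both hunks.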
VERSION=3.3.19 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.18/fil.c ip_fil3.3.19/fil.c *** ip_fil3.3.18/fil.c Sat Jul 8 12:13:28 2000 --- ip_fil3.3.19/fil.c Tue Oct 24 22:57:39 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.23 2000/10/24 11:57:39 darrenr Exp $"; #endif #include *************** *** 224,229 **** --- 224,239 ---- int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; + if (fin->fin_dlen > 1) + fin->fin_data[0] = *(u_short *)tcp; + + if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || + (off && off < sizeof(struct icmp))) { + fi->fi_fl |= FI_SHORT; + if (fin->fin_dlen < 2) + break; + } + icmp = (icmphdr_t *)tcp; if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || *************** *** 240,250 **** minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ - if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || - (off && off < sizeof(struct icmp))) - fi->fi_fl |= FI_SHORT; - if (fin->fin_dlen > 1) - fin->fin_data[0] = *(u_short *)tcp; break; } case IPPROTO_TCP : --- 250,255 ---- *************** *** 1188,1194 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1193,1199 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
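Review bot: The short-packet test in the IPPROTO_ICMP case of fil.c now runs while `minicmpsz` still holds its initial `sizeof(struct icmp)`, because it was moved above the per-type adjustments (`minicmpsz = 12` in the following hunk, and presumably further branches outside the hunk), so those assignments no longer influence `FI_SHORT`. Valid echo or mask messages shorter than `sizeof(struct icmp)` would then be flagged short and could be dropped by rules that block short packets. Consider keeping only the guard that protects the type read ahead of `icmp = (icmphdr_t *)tcp;`, i.e. `if (fin->fin_dlen < 2) { fi->fi_fl |= FI_SHORT; break; }`, and leaving the `ip->ip_len >= hlen + minicmpsz` comparison after the type branches, where the next hunk removed it. The case body starts and ends outside this hunk.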
* $Id: fil.c,v 2.3.2.23 2000/10/24 11:57:39 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.3.18/ip_fil.c ip_fil3.3.19/ip_fil.c *** ip_fil3.3.18/ip_fil.c Sat Jul 8 12:43:47 2000 --- ip_fil3.3.19/ip_fil.c Fri Aug 25 23:10:53 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.22 2000/07/08 02:43:47 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.23 2000/08/25 13:10:53 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 1007,1012 **** --- 1007,1018 ---- icmp->icmp_type = type; icmp->icmp_code = code; icmp->icmp_cksum = 0; + # ifdef icmp_nextmtu + if (type == ICMP_UNREACH && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) + icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu); + # endif + bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); bcopy((char *)oip + (oip->ip_hl << 2), (char *)&icmp->icmp_ip + sizeof(*oip), 8); /* 64 bits */ diff -cr ip_fil3.3.18/ip_nat.c ip_fil3.3.19/ip_nat.c *** ip_fil3.3.18/ip_nat.c Wed Aug 9 02:11:05 2000 --- ip_fil3.3.19/ip_nat.c Sat Aug 12 17:32:46 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.21 2000/08/08 16:00:33 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
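Review bot: The new `icmp_nextmtu` branch in ip_fil.c tests `fin->fin_icode` although the header a few lines above is filled from `code`; if the two can differ (the assignment of `code` is outside the hunk), the MTU field and the code sent on the wire disagree, so the condition would be safer as `type == ICMP_UNREACH && code == ICMP_UNREACH_NEEDFRAG && ifp`. `htons()` also truncates `if_mtu` to 16 bits, so an interface MTU above 65535 would be advertised as a small or zero next-hop MTU; clamping the value before the conversion avoids that. A short comment stating which interface `ifp` is expected to be would help, since the next-hop MTU should describe the link the packet could not be forwarded over. The function continues outside the hunk.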
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.22 2000/08/12 07:32:46 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 1035,1041 **** oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = (oip->ip_hl << 2); ! if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP --- 1035,1043 ---- oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = (oip->ip_hl << 2); ! if (minlen < sizeof(ip_t)) ! return NULL; ! if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen) return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP *************** *** 1069,1075 **** flags = IPN_UDP; if (flags & IPN_TCPUDP) { minlen += 8; /* + 64bits of data to get ports */ ! if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, --- 1071,1077 ---- flags = IPN_UDP; if (flags & IPN_TCPUDP) { minlen += 8; /* + 64bits of data to get ports */ ! if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen) return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, diff -cr ip_fil3.3.18/ipl.h ip_fil3.3.19/ipl.h *** ip_fil3.3.18/ipl.h Tue Aug 8 01:10:26 2000 --- ip_fil3.3.19/ipl.h Tue Oct 24 23:07:47 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.18" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.19" #endif diff -cr ip_fil3.3.18/ipsend/44arp.c ip_fil3.3.19/ipsend/44arp.c *** ip_fil3.3.18/ipsend/44arp.c Thu Aug 5 03:31:01 1999 --- ip_fil3.3.19/ipsend/44arp.c Fri Aug 25 23:05:48 2000 *************** *** 67,73 **** struct sockaddr_dl *sdl; #ifdef IPSEND ! if (arp_getipv4(ip, ether) == 0) return 0; #endif --- 67,73 ---- struct sockaddr_dl *sdl; #ifdef IPSEND ! 
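Review bot: In ip_nat.c, `oip->ip_hl` is still read from `fin->fin_dp + 8` before any length test in this hunk, so the added `minlen < sizeof(ip_t)` check runs on a field that may lie beyond the received data unless a caller has already rejected short ICMP errors (not visible here). A guard ahead of the dereference, such as `if (ip->ip_len < ICMPERR_IPICMPHLEN + sizeof(ip_t)) return NULL;`, would make the function safe on its own. The same concern applies to the later hunk at new line 1071, where `minlen += 8` is compared only with `ip->ip_len` before `tcp` is derived from `oip`; whether the buffer-size test mentioned in the context comment is repeated for those 8 bytes is outside the hunk. This assumes `ICMPERR_IPICMPHLEN` is the outer IP plus ICMP header length, which should be confirmed against its definition.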
if (arp_getipv4(addr, ether) == 0) return 0; #endif