diff -cr ip_fil3.3.5/HISTORY ip_fil3.3.6/HISTORY *** ip_fil3.3.5/HISTORY Sat Dec 11 16:31:38 1999 --- ip_fil3.3.6/HISTORY Tue Dec 28 16:35:38 1999 *************** *** 20,25 **** --- 20,36 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.6 28/12/1999 - Released + + add in missing rwlock release in fr_checkicmpmatchingstate() and fix check + for ICMP_ECHO to only be for packet, not state entry which we don't have yet. + + handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() + + fix size of friostat for SunOS4 + + fix bug in running off the end of a buffer in real audio proxy + 3.3.5 11/12/1999 - Released fix parsing of "log level" and printing it back out too diff -cr ip_fil3.3.5/SunOS5/pkginfo ip_fil3.3.6/SunOS5/pkginfo *** ip_fil3.3.5/SunOS5/pkginfo Thu Dec 9 22:11:34 1999 --- ip_fil3.3.6/SunOS5/pkginfo Tue Dec 28 16:35:16 1999 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.5 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.6 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.5/SunOS5/postinstall ip_fil3.3.6/SunOS5/postinstall *** ip_fil3.3.5/SunOS5/postinstall Fri Dec 10 02:36:28 1999 --- ip_fil3.3.6/SunOS5/postinstall Tue Dec 28 16:34:33 1999 *************** *** 16,22 **** if [ x"`grep minor=ipauth ${DEVLINK}`" = x ] ; then echo "type=ddi_pseudo;name=ipf;minor=ipauth \M0" >> ${DEVLINK} fi ! if [ x${BASEDIR} = x ] ; then add_drv -m '* 0600 root root' ipf else add_drv -m '* 0600 root root' -b ${BASEDIR:-/} ipf --- 16,22 ---- if [ x"`grep minor=ipauth ${DEVLINK}`" = x ] ; then echo "type=ddi_pseudo;name=ipf;minor=ipauth \M0" >> ${DEVLINK} fi ! 
if [ x${BASEDIR} = x -o x${BASEDIR} = x/ ] ; then add_drv -m '* 0600 root root' ipf else add_drv -m '* 0600 root root' -b ${BASEDIR:-/} ipf diff -cr ip_fil3.3.5/buildsunos ip_fil3.3.6/buildsunos *** ip_fil3.3.5/buildsunos Sun Aug 8 23:55:20 1999 --- ip_fil3.3.6/buildsunos Tue Dec 28 16:08:14 1999 *************** *** 3,9 **** echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.1.2.1 1999/08/08 13:55:20 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 3,9 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.1.2.2 1999/12/28 05:08:14 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 22,27 **** --- 22,34 ---- ln -s `pwd`/SunOS5/Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend ARCHINC= XARCH= + /bin/optisa sparcv9 >/dev/null 2>&1 + if [ $? -eq 0 ] ; then + if [ ! -d /opt/SUNWspro/bin ] ; then + echo "You must have SUNWspro to build a 64bit ipf" + exit 1 + fi + fi if [ -d /opt/SUNWspro/bin ] ; then CC="/opt/SUNWspro/bin/cc ${CFL}" export CC diff -cr ip_fil3.3.5/ip_fil.h ip_fil3.3.6/ip_fil.h *** ip_fil3.3.5/ip_fil.h Sat Dec 4 13:07:00 1999 --- ip_fil3.3.6/ip_fil.h Fri Dec 17 23:58:16 1999 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.5 1999/12/04 02:07:00 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.6 1999/12/17 12:58:16 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 307,317 **** struct frentry *f_auth; struct frgroup *f_groups[3][2]; u_long f_froute[2]; - int f_active; /* 1 or 0 - active rule set */ int f_defpass; /* default pass - from fr_pass */ ! int f_running; /* 1 if running, else 0 */ ! 
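Review bot: The new test on this line leaves `${BASEDIR}` unquoted, so a BASEDIR containing whitespace expands to several words and `[` fails with a syntax error instead of taking either branch; quoting keeps each side a single operand: `if [ "x${BASEDIR}" = x -o "x${BASEDIR}" = x/ ] ; then`. The `-o` operator is marked obsolescent by POSIX; two tests joined with `||` are the portable form if the script is ever run under a stricter `sh`. The `else` branch with `-b ${BASEDIR:-/}` is unchanged by this hunk and has the same quoting issue.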
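Review bot: In the second buildsunos hunk the added `/bin/optisa sparcv9 >/dev/null 2>&1` line is followed by `if [ $? -eq 0 ]`, which tests the exit status indirectly and silently breaks if any command is later inserted between the two; `if /bin/optisa sparcv9 >/dev/null 2>&1 ; then` makes the same check in one line. A one-line comment would also help readers who do not know the tool, e.g. `# on a sparcv9 kernel a 64bit ipf is built, which needs the SUNWspro compiler`. When `/bin/optisa` is absent the non-zero status just skips the check, which is presumably the intent on hosts that cannot be sparcv9.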
int f_logging; /* 1 if enabled, else 0 */ char f_version[32]; /* version string */ } friostat_t; typedef struct optlist { --- 307,321 ---- struct frentry *f_auth; struct frgroup *f_groups[3][2]; u_long f_froute[2]; int f_defpass; /* default pass - from fr_pass */ ! char f_active; /* 1 or 0 - active rule set */ ! char f_running; /* 1 if running, else 0 */ ! char f_logging; /* 1 if enabled, else 0 */ ! #if !SOLARIS && defined(sun) ! char f_version[25]; /* version string */ ! #else char f_version[32]; /* version string */ + #endif } friostat_t; typedef struct optlist { diff -cr ip_fil3.3.5/ip_nat.c ip_fil3.3.6/ip_nat.c *** ip_fil3.3.5/ip_nat.c Tue Dec 7 23:53:42 1999 --- ip_fil3.3.6/ip_nat.c Sat Dec 18 00:05:40 1999 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.10 1999/12/07 12:53:42 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 326,331 **** --- 326,339 ---- switch (cmd) { + #ifdef IPFILTER_LOG + case SIOCIPFFB : + if (!(mode & FWRITE)) + error = EPERM; + else + *(int *)data = ipflog_clear(IPL_LOGNAT); + break; + #endif case SIOCADNAT : if (!(mode & FWRITE)) { error = EPERM; diff -cr ip_fil3.3.5/ip_raudio_pxy.c ip_fil3.3.6/ip_raudio_pxy.c *** ip_fil3.3.5/ip_raudio_pxy.c Sun Dec 5 22:13:17 1999 --- ip_fil3.3.6/ip_raudio_pxy.c Tue Dec 28 16:08:44 1999 *************** *** 233,239 **** } else return 0; ! for (a3 = a1, a4 = a2; a4 > 0; a4--, a3++) { rap->rap_sbf |= (1 << a3); rap->rap_svr[a3] = *s++; } --- 233,239 ---- } else return 0; ! 
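Review bot: The friostat hunk changes the layout of `friostat_t` in two ways at once (three `int` fields narrowed to `char` and moved after `f_defpass`, and `f_version` shrunk to 25 bytes under `#if !SOLARIS && defined(sun)`), and neither the struct nor HISTORY says why; a reader hitting the conditional later cannot tell whether 25 is a hard limit or a typo. Since the struct is shared between kernel and userland tools (presumably via an ioctl), a comment on the `#if` such as `/* SunOS4: keep sizeof(friostat_t) small enough for the ioctl payload limit -- TODO confirm exact limit */` and a note that every consumer must be rebuilt after this layout change would document the contract. The `char` fields are still documented as `1 or 0`, which is consistent with the narrowing.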
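Review bot: The new `SIOCIPFFB` case stores the result with `*(int *)data = ipflog_clear(IPL_LOGNAT);`, writing directly through the ioctl data pointer, whereas the read-out case in the same function of ip_state.c (`SIOCGIPST`) goes through `IWCOPY`; if `data` is a user-space address on some of the supported platforms, as that macro's existence suggests, the direct store bypasses the copy-out. The safer form is `int n = ipflog_clear(IPL_LOGNAT); IWCOPY((caddr_t)&n, data, sizeof(n));`, keeping the case consistent with the file's convention. The identical pattern is added in the ip_state.c `SIOCIPFFB` hunk with `IPL_LOGSTATE`. nat_ioctl's `switch` begins and ends outside this hunk.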
for (a3 = a1, a4 = a2; (a4 > 0) && (a3 < 19) && (a3 >= 0); a4--,a3++) { rap->rap_sbf |= (1 << a3); rap->rap_svr[a3] = *s++; } diff -cr ip_fil3.3.5/ip_state.c ip_fil3.3.6/ip_state.c *** ip_fil3.3.5/ip_state.c Wed Dec 1 00:46:05 1999 --- ip_fil3.3.6/ip_state.c Tue Dec 28 16:24:58 1999 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.14 1999/11/30 13:46:05 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $"; #endif #include *************** *** 227,232 **** --- 227,240 ---- } else error = EINVAL; break; + #ifdef IPFILTER_LOG + case SIOCIPFFB : + if (!(mode & FWRITE)) + error = EPERM; + else + *(int *)data = ipflog_clear(IPL_LOGSTATE); + break; + #endif case SIOCGIPST : IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t)); break; *************** *** 656,667 **** struct icmp *ic; u_short savelen; fr_info_t ofin; - u_int hv, dest; tcphdr_t *tcp; icmphdr_t *icmp; frentry_t *fr; ip_t *oip; int type; /* * Does it at least have the return (basic) IP header ? --- 664,675 ---- struct icmp *ic; u_short savelen; fr_info_t ofin; tcphdr_t *tcp; icmphdr_t *icmp; frentry_t *fr; ip_t *oip; int type; + u_int hv; /* * Does it at least have the return (basic) IP header ? *************** *** 695,702 **** * XXX theoretically ICMP_ECHOREP and the other reply's are * ICMP query's as well, but adding them here seems strange XXX */ ! if ((icmp->icmp_type != ICMP_ECHO) && (icmp->icmp_type != ICMP_TSTAMP) && ! (icmp->icmp_type != ICMP_IREQ) && (icmp->icmp_type != ICMP_MASKREQ)) return NULL; /* --- 703,712 ---- * XXX theoretically ICMP_ECHOREP and the other reply's are * ICMP query's as well, but adding them here seems strange XXX */ ! 
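Review bot: The new loop bound `(a3 < 19)` is a bare magic number that has to stay in step with the declaration of `rap_svr` and the width of `rap_sbf` (the `1 << a3` on the next line); if the array is ever resized the overrun this hunk fixes comes back silently. Tying the bound to the array, `(a3 < (int)(sizeof(rap->rap_svr) / sizeof(rap->rap_svr[0])))`, or a named constant shared with the struct definition, keeps the check self-maintaining. Note the loop now truncates rather than rejects an out-of-range `a1 + a2`; if callers rely on all `a2` bytes being copied that case should be handled explicitly. The source pointer `s` is advanced `a2` times without a visible bound in this hunk; whether the input length was validated earlier cannot be told from here.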
if ((icmp->icmp_type != ICMP_ECHO) && ! (icmp->icmp_type != ICMP_TSTAMP) && ! (icmp->icmp_type != ICMP_IREQ) && ! (icmp->icmp_type != ICMP_MASKREQ)) return NULL; /* *************** *** 706,713 **** hv = (pr = oip->ip_p); hv += (src.s_addr = oip->ip_src.s_addr); hv += (dst.s_addr = oip->ip_dst.s_addr); ! hv += icmp->icmp_id; ! hv += icmp->icmp_seq; hv %= fr_statesize; oip->ip_len = ntohs(oip->ip_len); --- 716,725 ---- hv = (pr = oip->ip_p); hv += (src.s_addr = oip->ip_src.s_addr); hv += (dst.s_addr = oip->ip_dst.s_addr); ! if (icmp->icmp_type == ICMP_ECHO) { ! hv += icmp->icmp_id; ! hv += icmp->icmp_seq; ! } hv %= fr_statesize; oip->ip_len = ntohs(oip->ip_len); *************** *** 716,745 **** ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ ! READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && - (icmp->icmp_id == is->is_icmp.ics_id) && - (icmp->icmp_seq == is->is_icmp.ics_seq) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { - /* * in the state table ICMP query's are stored * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && (icmp->icmp_type == ICMP_ECHO)) || ! (is->is_type - 1 == ic->icmp_type )) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; ! return is->is_rule; } } RWLOCK_EXIT(&ipf_state); - return NULL; }; --- 728,757 ---- ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ ! READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { /* * in the state table ICMP query's are stored * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && + (icmp->icmp_id == is->is_icmp.ics_id) && + (icmp->icmp_seq == is->is_icmp.ics_seq) && (icmp->icmp_type == ICMP_ECHO)) || ! 
(is->is_type - 1 == ic->icmp_type)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; ! fr = is->is_rule; ! RWLOCK_EXIT(&ipf_state); ! return fr; } } RWLOCK_EXIT(&ipf_state); return NULL; }; *************** *** 790,796 **** * we must swap src and dst here because the icmp * comes the other way around */ - dest = (is->is_dst.s_addr != src.s_addr); is->is_pkts++; is->is_bytes += ip->ip_len; /* --- 802,807 ---- *************** *** 838,854 **** switch (ip->ip_p) { case IPPROTO_ICMP : ! hv += ic->icmp_id; ! hv += ic->icmp_seq; hv %= fr_statesize; READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && - (ic->icmp_id == is->is_icmp.ics_id) && - (ic->icmp_seq == is->is_icmp.ics_seq) && fr_matchsrcdst(is, src, dst, fin, NULL)) { if ((is->is_type == ICMP_ECHOREPLY) && ! (ic->icmp_type == ICMP_ECHO)) ; else if (is->is_type != ic->icmp_type) continue; --- 849,868 ---- switch (ip->ip_p) { case IPPROTO_ICMP : ! if ((ic->icmp_type == ICMP_ECHO) || ! (ic->icmp_type == ICMP_ECHOREPLY)) { ! hv += ic->icmp_id; ! hv += ic->icmp_seq; ! } hv %= fr_statesize; READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && fr_matchsrcdst(is, src, dst, fin, NULL)) { if ((is->is_type == ICMP_ECHOREPLY) && ! (ic->icmp_type == ICMP_ECHO) && ! (ic->icmp_id == is->is_icmp.ics_id) && ! (ic->icmp_seq == is->is_icmp.ics_seq)) ; else if (is->is_type != ic->icmp_type) continue; diff -cr ip_fil3.3.5/ipl.h ip_fil3.3.6/ipl.h *** ip_fil3.3.5/ipl.h Thu Dec 9 22:11:33 1999 --- ip_fil3.3.6/ipl.h Tue Dec 28 16:35:15 1999 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.5" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! 
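Review bot: In the match condition at the end of this hunk, `(is->is_type - 1 == ic->icmp_type)` reads the type through `ic`, while every other check in the function — the query-type filter above and the id/seq comparisons this commit adds — reads the embedded header through `icmp`; if `ic` is the outer ICMP error header and `icmp` the embedded query, as that split suggests, this branch compares a stored reply type against an error type and can never match a TSTAMP, IREQ or MASKREQ state. The line would then read `(is->is_type - 1 == icmp->icmp_type)) {`. Taking `fr` before `RWLOCK_EXIT(&ipf_state)` is correct as written; fr_checkicmpmatchingstate begins before this hunk.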
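Review bot: In the fr_checkstate hunk (`*** 838,854 ****`) the id/seq comparison that used to apply to every ICMP match is now only made for an `ICMP_ECHO` packet against an `ICMP_ECHOREPLY` state, so an incoming `ICMP_ECHOREPLY` falls through to the `else if (is->is_type != ic->icmp_type)` test and matches any echo state for the same address pair regardless of id/seq — a reply that was never solicited is accepted as long as it lands in the same hash bucket. If `ics_id`/`ics_seq` are filled in when the entry is created (the comment in fr_checkicmpmatchingstate says queries are stored with their reply type), the reply direction should keep the check, e.g. `else if ((is->is_type != ic->icmp_type) || ((ic->icmp_type == ICMP_ECHOREPLY) && ((ic->icmp_id != is->is_icmp.ics_id) || (ic->icmp_seq != is->is_icmp.ics_seq)))) continue;`. The hash is changed consistently for both types here, but the insertion side in fr_addstate is not in this diff and must compute `hv` the same way. fr_checkstate continues outside the hunk.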
#define IPL_VERSION "IP Filter: v3.3.6" #endif diff -cr ip_fil3.3.5/man/ipmon.8 ip_fil3.3.6/man/ipmon.8 *** ip_fil3.3.5/man/ipmon.8 Sun Nov 21 22:04:18 1999 --- ip_fil3.3.6/man/ipmon.8 Tue Dec 28 16:45:54 1999 *************** *** 134,140 **** .B \-X show the log header record data in hex. .SH DIAGNOSTICS ! \fBipmon\fP expects data that it reads to be consistant with how it should be saved and will abort if it fails an assertion which detects an anomoly in the recorded data. .SH FILES --- 134,140 ---- .B \-X show the log header record data in hex. .SH DIAGNOSTICS ! \fBipmon\fP expects data that it reads to be consistent with how it should be saved and will abort if it fails an assertion which detects an anomoly in the recorded data. .SH FILES diff -cr ip_fil3.3.5/parse.c ip_fil3.3.6/parse.c *** ip_fil3.3.5/parse.c Sat Dec 11 16:30:26 1999 --- ip_fil3.3.6/parse.c Tue Dec 28 17:06:58 1999 *************** *** 41,47 **** #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.4 1999/12/11 05:30:26 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 41,47 ---- #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.5 1999/12/28 06:06:58 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 243,249 **** return NULL; if (!strcasecmp("log", *cpp)) { ! cpp++; if (fil.fr_flags & FR_PASS) fil.fr_flags |= FR_LOGP; else if (fil.fr_flags & FR_BLOCK) --- 243,253 ---- return NULL; if (!strcasecmp("log", *cpp)) { ! if (!*++cpp) { ! fprintf(stderr, "%d: missing source specification\n", ! linenum); ! return NULL; ! } if (fil.fr_flags & FR_PASS) fil.fr_flags |= FR_LOGP; else if (fil.fr_flags & FR_BLOCK)