From 635ff71d68c21b0cc5df26ad8a0eeb3a73f0f96b Mon Sep 17 00:00:00 2001 From: Darren Reed Date: Sat, 27 Apr 2002 16:52:49 +0000 Subject: [PATCH 1/3] Import version 3.4.27 --- sys/contrib/ipfilter/netinet/fil.c | 24 +++++++- sys/contrib/ipfilter/netinet/ip_compat.h | 7 ++- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 75 ++++++++++++++++------- sys/contrib/ipfilter/netinet/ip_log.c | 5 +- sys/contrib/ipfilter/netinet/ip_nat.c | 9 +-- sys/contrib/ipfilter/netinet/ip_proxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_state.c | 68 ++++++++++---------- sys/contrib/ipfilter/netinet/ipl.h | 4 +- 8 files changed, 123 insertions(+), 73 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 3ce8131413c..92d82f1a5d7 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1454,7 +1454,13 @@ nodata: # endif /* defined(BSD) || defined(sun) */ # endif /* SOLARIS */ #else /* KERNEL */ - sum2 = 0; + for (; slen > 1; slen -= 2) + sum += *sp++; + if (slen) + sum += ntohs(*(u_char *)sp << 8); + while (sum > 0xffff) + sum = (sum & 0xffff) + (sum >> 16); + sum2 = (u_short)(~sum & 0xffff); #endif /* KERNEL */ tcp->th_sum = ts; return sum2; @@ -1495,7 +1501,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $ + * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, 
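Review bot: The odd-trailing-byte line in the new `#else /* KERNEL */` branch, `sum += ntohs(*(u_char *)sp << 8);`, reads as a byte-order bug until one works out that ntohs() is what moves the byte into the half that matches how the preceding 16-bit words were summed on this host; a comment would spare the next reader that derivation, e.g. `/* odd trailing byte: ntohs() places it in the half matching the host's word order */`. The fold `while (sum > 0xffff)` only works if sum is wider than 16 bits, but sum, sp and slen are declared outside the hunk, as is the start of the enclosing function, so that cannot be confirmed here.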
@@ -2160,3 +2166,15 @@ int icmptoicmp6unreach[ICMP_MAX_UNREACH] = { ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */ }; #endif + + +#ifndef _KERNEL +int mbuflen(buf) +mb_t *buf; +{ + ip_t *ip; + + ip = (ip_t *)buf; + return ip->ip_len; +} +#endif diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index d0dc859aae4..3b1b9807b56 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.43 2002/04/23 16:08:50 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -252,7 +252,7 @@ typedef u_int32_t u_32_t; # define USE_INET6 # endif # endif -# if !defined(_KERNEL) && !defined(IPFILTER_LKM) +# if !defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(USE_INET6) # if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \ (defined(OpenBSD) && (OpenBSD >= 200111)) || \ (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)) @@ -572,7 +572,8 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); # endif # if (BSD >= 199306) || defined(__FreeBSD__) # if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \ - defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION) + defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \ + defined(_BSDI_VERSION) # include # endif # if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \ diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 0968b1055dc..2411bd998c6 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 
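Review bot: `mbuflen()` returns `ip->ip_len` from the start of the buffer as the packet length, but nothing in the hunk establishes that the field is already in host byte order when the userland caller runs; ippr_ftp_process (ip_ftp_pxy.c in this same commit) subtracts `off` from the result and then copies from `(char *)m + off`, so a network-order value would yield a nonsensical length. The function also has no way to check that ip_len does not exceed the buffer that was actually read, so the assumption should at least be stated next to the definition: `/* userland only: buf is the raw packet; ip_len must already be in host byte order */`.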
@@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.33 2002/02/15 14:48:38 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -184,7 +184,11 @@ int dlen; if ((inc + ip->ip_len) > 65535) return 0; -#if SOLARIS +#if !defined(_KERNEL) + m = *((mb_t **)fin->fin_mp); + bcopy(newbuf, (char *)m + off, nlen); +#else +# if SOLARIS m = fin->fin_qfm; for (m1 = m; m1->b_cont; m1 = m1->b_cont) ; @@ -210,19 +214,20 @@ int dlen; m1->b_wptr += inc; } copyin_mblk(m, off, nlen, newbuf); -#else +# else m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ m_copyback(m, off, nlen, newbuf); -# ifdef M_PKTHDR +# ifdef M_PKTHDR if (!(m->m_flags & M_PKTHDR)) m->m_pkthdr.len += inc; +# endif # endif #endif if (inc != 0) { -#if SOLARIS || defined(__sgi) +#if (SOLARIS || defined(__sgi)) && defined(_KERNEL) register u_32_t sum1, sum2; sum1 = ip->ip_len; @@ -269,6 +274,7 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = htons(sp); tcp2->th_off = 5; + tcp2->th_flags = TH_SYN; tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[1] = 0; fi.fin_dlen = sizeof(*tcp2); @@ -452,7 +458,11 @@ int dlen; if ((inc + ip->ip_len) > 65535) return 0; -#if SOLARIS +#if !defined(_KERNEL) + m = *((mb_t **)fin->fin_mp); + m_copyback(m, off, nlen, newbuf); +#else +# if SOLARIS m = fin->fin_qfm; for (m1 = m; m1->b_cont; m1 = m1->b_cont) ; 
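Review bot: The two new `#if !defined(_KERNEL)` branches disagree: the one in the hunk at 184 writes the rewritten command with `bcopy(newbuf, (char *)m + off, nlen)`, while the one in the hunk at 452 calls `m_copyback(m, off, nlen, newbuf)`, and the kernel non-SOLARIS branch of that second function (hunk at 475) has its m_copyback commented out, so the userland build rewrites a PASV reply where the kernel build does not. The bcopy form also writes `nlen` bytes into a flat buffer with no check that the buffer has room for the extra `inc` bytes when the new string is longer; the only guard visible is `if ((inc + ip->ip_len) > 65535) return 0;`, which bounds the IP length, not the allocation. Whether the userland packet buffer is always large enough is not visible here; if it is not, the userland branch needs a capacity check before the copy. Both enclosing functions start and end outside these hunks.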
@@ -475,15 +485,16 @@ int dlen; m1->b_wptr += inc; } /*copyin_mblk(m, off, nlen, newbuf);*/ -#else /* SOLARIS */ +# else /* SOLARIS */ m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ /*m_copyback(m, off, nlen, newbuf);*/ -#endif /* SOLARIS */ +# endif /* SOLARIS */ +#endif /* _KERNEL */ if (inc != 0) { -#if SOLARIS || defined(__sgi) +#if (SOLARIS || defined(__sgi)) && defined(_KERNEL) register u_32_t sum1, sum2; sum1 = ip->ip_len; @@ -520,6 +531,7 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; + tcp2->th_flags = TH_SYN; fi.fin_data[1] = a5 << 8 | a6; fi.fin_dlen = sizeof(*tcp2); tcp2->th_dport = htons(fi.fin_data[1]); @@ -721,17 +733,22 @@ int rv; tcp = (tcphdr_t *)fin->fin_dp; off = fin->fin_hlen + (tcp->th_off << 2); -#if SOLARIS +#if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else m = *((mb_t **)fin->fin_mp); #endif -#if SOLARIS - mlen = msgdsize(m) - off; +#ifndef _KERNEL + mlen = mbuflen(m); #else - mlen = mbufchainlen(m) - off; +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif #endif + mlen -= off; t = &ftp->ftp_side[1 - rv]; f = &ftp->ftp_side[rv]; @@ -743,15 +760,18 @@ int rv; return 0; } - inc = 0; rptr = f->ftps_rptr; wptr = f->ftps_wptr; + i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; - if (rv) - i = nat->nat_aps->aps_ackoff[sel]; - else - i = nat->nat_aps->aps_seqoff[sel]; + if (rv) { + if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + i = nat->nat_aps->aps_ackoff[sel]; + } else { + if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + i = nat->nat_aps->aps_seqoff[sel]; + } /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so 
@@ -759,18 +779,26 @@ int rv; */ if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) f->ftps_seq = ntohl(tcp->th_seq); - else if (ntohl(tcp->th_seq) + i != f->ftps_seq) { - return APR_ERR(1); + else { + inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc > i) { + return APR_ERR(1); + } } + inc = 0; f->ftps_len = mlen; while (mlen > 0) { len = MIN(mlen, FTP_BUFSZ / 2); -#if SOLARIS - copyout_mblk(m, off, len, wptr); +#if !defined(_KERNEL) + bcopy((char *)m + off, wptr, len); #else +# if SOLARIS + copyout_mblk(m, off, len, wptr); +# else m_copydata(m, off, len, wptr); +# endif #endif mlen -= len; off += len; @@ -800,8 +828,9 @@ int rv; * Off to a bad start so lets just forget about using the * ftp proxy for this connection. */ - if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) + if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { return APR_ERR(2); + } while ((f->ftps_junk == 1) && (rptr < wptr)) { while ((rptr < wptr) && (*rptr != '\r')) diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 45bc74c7114..6bf7a4d9b17 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -3,13 +3,14 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.5.2.18 2002/03/26 15:54:40 darrenr Exp $ + * $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif -#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) # include "opt_ipfilter_log.h" #endif #ifdef __FreeBSD__ diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index e0d59519346..bf346610bec 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c 
@@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.66 2002/04/23 14:58:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -1768,7 +1768,6 @@ int dir; sumd2 = sumd; } -#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we @@ -1788,7 +1787,6 @@ int dir; CALC_SUMD(sum1, sum2, sumd); sumd2 = sumd; } -#endif } else { /* @@ -1837,7 +1835,6 @@ int dir; sumd2 = sumd; } -#if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we @@ -1856,9 +1853,7 @@ int dir; */ CALC_SUMD(sum1, sum2, sumd); sumd2 = sumd; - }; -#endif - + } #endif } diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index a4ce80a5da9..2bc32d410f7 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.21 2002/03/06 09:44:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -91,8 +91,8 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); #define AP_SESS_SIZE 53 -#if defined(_KERNEL) #include "netinet/ip_ftp_pxy.c" +#if defined(_KERNEL) #include "netinet/ip_rcmd_pxy.c" #include "netinet/ip_raudio_pxy.c" #include "netinet/ip_netbios_pxy.c" diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 2e8b8f3f7e1..a6d1773b5ba 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c 
@@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.66 2002/04/15 12:14:03 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $"; #endif #ifndef MIN @@ -683,11 +683,18 @@ u_int flags; hv += is->is_sport; hv += is->is_dport; } - is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - - (off = (tcp->th_off << 2)) + - ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); - is->is_maxsend = is->is_send; + if ((flags & FI_IGNOREPKT) == 0) { + is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - + (off = (tcp->th_off << 2)) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); + is->is_maxsend = is->is_send; + + if ((tcp->th_flags & TH_SYN) && + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) + is->is_swscale = fr_tcpoptions(tcp); + } + is->is_maxdwin = 1; is->is_maxswin = ntohs(tcp->th_win); if (is->is_maxswin == 0) @@ -696,10 +703,6 @@ u_int flags; if ((tcp->th_flags & TH_OPENING) == TH_SYN) is->is_fsm = 1; - if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); - /* * If we're creating state for a starting connection, start the * timer on it as we'll never see an error if it fails to @@ -970,7 +973,7 @@ tcphdr_t *tcp; } } MUTEX_EXIT(&is->is_lock); - if ((ret == 0) && (tcp->th_flags != TH_SYN)) + if ((ret == 0) && ((tcp->th_flags & TH_OPENING) != TH_SYN)) fin->fin_misc |= FM_BADSTATE; return ret; } @@ -1224,6 +1227,10 @@ fr_info_t *fin; */ bzero((char *)&src, sizeof(src)); bzero((char *)&dst, sizeof(dst)); + bzero((char *)&ofin, sizeof(ofin)); + ofin.fin_ifp = fin->fin_ifp; + ofin.fin_out = !fin->fin_out; + ofin.fin_v = 4; fr = NULL; switch (oip->ip_p) 
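Review bot: Moving the `is->is_send` computation under `if ((flags & FI_IGNOREPKT) == 0)` also moves the embedded assignment `(off = (tcp->th_off << 2))`, so `off` is now left unset whenever FI_IGNOREPKT is set; if `off` is read further down the function (its declaration and any later use are outside the hunk), that read becomes an uninitialised-variable read. Hoisting the assignment out of the expression removes the hazard either way: `off = tcp->th_off << 2;` before the `if`, and `is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - off + ...` inside it. The enclosing function starts and ends outside the hunk.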
@@ -1258,12 +1265,8 @@ fr_info_t *fin; savelen = oip->ip_len; oip->ip_len = len; - ofin.fin_v = 4; fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) @@ -1312,12 +1315,8 @@ fr_info_t *fin; */ savelen = oip->ip_len; oip->ip_len = len; - ofin.fin_v = 4; fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) { /* @@ -1847,7 +1846,7 @@ int dir, fsm; break; case TCPS_SYN_SENT: /* 2 */ - if (flags == TH_SYN) { + if ((flags & ~(TH_ECN|TH_CWR)) == TH_SYN) { /* * A retransmitted SYN packet. We do not reset the * timeout here to fr_tcptimeout because a connection @@ -1893,6 +1892,12 @@ int dir, fsm; */ state[dir] = TCPS_ESTABLISHED; newage = fr_tcpidletimeout; + } else if ((flags & ~(TH_ECN|TH_CWR)) == TH_OPENING) { + /* + * We see an SA from 'dir' which is already in + * SYN_RECEIVED state. + */ + newage = fr_tcptimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_RECEIVED @@ -1987,6 +1992,8 @@ int dir, fsm; * timeout */ newage = fr_tcplastack; + else + newage = *age; } /* * We cannot detect when we go out of LAST_ACK state to CLOSED @@ -2094,6 +2101,15 @@ fr_info_t *fin; if (fin->fin_plen < sizeof(*oip)) return NULL; + if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP) && + (oip->ip6_nxt != IPPROTO_ICMPV6)) + return NULL; + + bzero((char *)&ofin, sizeof(ofin)); + ofin.fin_out = !fin->fin_out; + ofin.fin_ifp = fin->fin_ifp; + ofin.fin_v = 6; + if (oip->ip6_nxt == IPPROTO_ICMPV6) { oic = (struct icmp6_hdr *)(oip + 1); /* 
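Review bot: The new next-header check in the hunk at 2094 is preceded only by `if (fin->fin_plen < sizeof(*oip)) return NULL;`, which guarantees the embedded IPv6 header but not the transport header the code then reads through `oic = (struct icmp6_hdr *)(oip + 1)` here and `tcp->th_dport`/`tcp->th_sport` in the hunk at 2149. Unless a stricter length check sits in the lines between the hunks, an ICMPv6 error carrying a truncated inner packet is read past fin_plen; a check such as `if (fin->fin_plen < sizeof(*oip) + sizeof(*tcp)) return NULL;` (using the ICMPv6 header size on that branch) placed next to the protocol test would close it. The enclosing function starts and ends outside the hunk.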
@@ -2119,12 +2135,8 @@ fr_info_t *fin; hv %= fr_statesize; oip->ip6_plen = ntohs(oip->ip6_plen); - ofin.fin_v = 6; fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); oip->ip6_plen = htons(oip->ip6_plen); - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) @@ -2149,10 +2161,8 @@ fr_info_t *fin; RWLOCK_EXIT(&ipf_state); return NULL; - }; + } - if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP)) - return NULL; tcp = (tcphdr_t *)(oip + 1); dport = tcp->th_dport; sport = tcp->th_sport; @@ -2183,12 +2193,8 @@ fr_info_t *fin; */ savelen = oip->ip6_plen; oip->ip6_plen = ip->ip6_plen - sizeof(*ip) - ICMPERR_ICMPHLEN; - ofin.fin_v = 6; fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); oip->ip6_plen = savelen; - ofin.fin_ifp = fin->fin_ifp; - ofin.fin_out = !fin->fin_out; - ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) { /* diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 2e99b65c027..0fc3a8ddfed 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.32 2002/04/23 14:59:13 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.26" +#define IPL_VERSION "IP Filter: v3.4.27" #endif From aafab58b583f68ae844b063fd907388c1d61abf7 Mon Sep 17 00:00:00 2001 
From: Darren Reed Date: Fri, 7 Jun 2002 08:58:22 +0000 Subject: [PATCH 2/3] Import IPFilter 3.4.28 --- sys/contrib/ipfilter/netinet/fil.c | 5 ++- sys/contrib/ipfilter/netinet/ip_auth.c | 7 ++-- sys/contrib/ipfilter/netinet/ip_compat.h | 8 +++-- sys/contrib/ipfilter/netinet/ip_fil.c | 40 ++++++++++++++++------ sys/contrib/ipfilter/netinet/ip_fil.h | 3 +- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 10 ++++-- sys/contrib/ipfilter/netinet/ip_h323_pxy.c | 5 +-- sys/contrib/ipfilter/netinet/ip_nat.c | 8 +++-- sys/contrib/ipfilter/netinet/ip_proxy.c | 7 ++-- sys/contrib/ipfilter/netinet/ip_state.c | 19 ++++++---- sys/contrib/ipfilter/netinet/ipl.h | 4 +-- 11 files changed, 80 insertions(+), 36 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 92d82f1a5d7..ed319d4b52e 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; #endif #ifndef _KERNEL @@ -1501,7 +1501,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ + * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1616,7 +1616,6 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; - num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index 2a73079d2cb..efe2e99337d 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c 
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $"; #endif @@ -615,7 +615,10 @@ void fr_authexpire() } else faep = &fae->fae_next; } - ipauth = &fae_list->fae_fr; + if (fae_list != NULL) + ipauth = &fae_list->fae_fr; + else + ipauth = NULL; for (frp = &fr_authlist; (fr = *frp); ) { if (fr->fr_ref == 1) { diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 3b1b9807b56..81690a7f9a3 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -213,7 +213,11 @@ typedef int minor_t; #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # include # ifndef __FreeBSD_version -# include +# ifdef IPFILTER_LKM +# include +# else +# include +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 2aeeaf87811..52383564e79 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; #endif 
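Review bot: With `ipauth` now set to NULL when the expiry sweep empties `fae_list`, every reader of `ipauth` has to tolerate NULL; those readers are outside the hunk, so whether they already do cannot be checked here. A comment at the assignment would record the new contract: `/* ipauth is NULL while no auth rules are loaded; readers must check */`. The remaining loop over fr_authlist in the same function is unaffected by the change.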
@@ -643,6 +643,9 @@ int mode; unit = dev; #endif + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + SPL_NET(s); if (unit == IPL_LOGNAT) { @@ -887,7 +890,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if ((req != SIOCZRLST) && fp->fr_group && @@ -1221,13 +1225,18 @@ fr_info_t *fin; struct mbuf **mp; { struct mbuf *m = *mp; - char *dpsave; - int error; + int error, hlen; + fr_info_t frn; ip_t *ip; - dpsave = fin->fin_dp; + bzero((char *)&frn, sizeof(frn)); + frn.fin_ifp = fin->fin_ifp; + frn.fin_v = fin->fin_v; + frn.fin_out = fin->fin_out; + frn.fin_mp = fin->fin_mp; ip = mtod(m, ip_t *); + hlen = sizeof(*ip); ip->ip_v = fin->fin_v; if (ip->ip_v == 4) { @@ -1242,21 +1251,24 @@ struct mbuf **mp; ip->ip_ttl = ip_defttl; # endif ip->ip_sum = 0; - fin->fin_dp = (char *)(ip + 1); + frn.fin_dp = (char *)(ip + 1); } # ifdef USE_INET6 else if (ip->ip_v == 6) { ip6_t *ip6 = (ip6_t *)ip; + hlen = sizeof(*ip6); ip6->ip6_hlim = 127; - fin->fin_dp = (char *)(ip6 + 1); + frn.fin_dp = (char *)(ip6 + 1); } # endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif - error = ipfr_fastroute(m, mp, fin, NULL); - fin->fin_dp = dpsave; + + fr_makefrip(hlen, ip, &frn); + + error = ipfr_fastroute(m, mp, &frn, NULL); return error; } @@ -1563,6 +1575,9 @@ frdest_t *fdp; /* * Route packet. */ +#ifdef __sgi + ROUTE_RDLOCK(); +#endif bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; @@ -1599,6 +1614,11 @@ frdest_t *fdp; # else rtalloc(ro); # endif + +#ifdef __sgi + ROUTE_UNLOCK(); +#endif + if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; 
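Review bot: In the hunk at 1221 the fresh `frn` copies `fin->fin_mp` from the original packet, yet the mbuf being routed is the one behind the `mp` parameter (`struct mbuf *m = *mp;`), so the two no longer refer to the same buffer; if ipfr_fastroute or anything beneath it writes through fin_mp (after a pullup, or to clear it once the chain is consumed), it would update the original packet's pointer rather than the reply's. Unless that field is known to be read-only below this point, `frn.fin_mp = fin->fin_mp;` should become `frn.fin_mp = (void *)mp;` with a comment saying why the reply's own mbuf pointer is used; the cast assumes fin_mp is a void pointer, as the `(mb_t **)fin->fin_mp` casts elsewhere in this series suggest. The enclosing function starts and ends outside the hunk.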
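Review bot: The `ROUTE_RDLOCK()` taken in the hunk at 1563 is released only in the hunk at 1599, after the rtalloc call, and the code between the two hunks is not visible; any early return or goto on that stretch (an allocation or lookup failure, for instance) would leave the route lock held on __sgi. Worth confirming that every exit between the two points passes the unlock, or adding the `ROUTE_UNLOCK()` to the error path as well. The enclosing function starts and ends outside both hunks.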
@@ -2098,7 +2118,7 @@ int code; fr_info_t *fin; int dst; { - verbose("- ICMP UNREACHABLE RST sent\n"); + verbose("- ICMP UNREACHABLE sent\n"); return 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 82deef5f2cd..56175f28c98 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -508,6 +508,7 @@ extern int send_reset __P((ip_t *, fr_info_t *)); extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); extern int ipf_log __P((void)); extern struct ifnet *get_unit __P((char *, int)); +extern int mbuflen __P((mb_t *)); # if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 2411bd998c6..f2603e07d27 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -766,10 +766,10 @@ int rv; i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; if (rv) { - if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_ackoff[sel]; } else { - if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_seqoff[sel]; } /* 
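Review bot: The flipped comparisons `nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)` and `aps_seqmin[sel] < ntohl(tcp->th_seq)` compare 32-bit TCP sequence numbers with plain `<`, which gives the wrong answer once the sequence space wraps past 2^32; the same applies to `inc = ntohl(tcp->th_seq) - f->ftps_seq` in the hunk at 781, which then takes absolute values. The usual form is a signed modular difference, `(int)(ntohl(tcp->th_seq) - nat->nat_aps->aps_ackmin[sel]) > 0`, so that a window straddling the wrap still orders correctly. The types of `inc` and `i` are declared outside these hunks; if they are int, the absolute-value step `inc = -inc` is undefined for INT_MIN, though that needs a difference of exactly 2^31.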
@@ -781,6 +781,10 @@ int rv; f->ftps_seq = ntohl(tcp->th_seq); else { inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc < 0) + inc = -inc; + if (i < 0) + i = -i; if (inc > i) { return APR_ERR(1); } diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c index a61b0402e90..ec9b2fe2b8a 100644 --- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c @@ -52,7 +52,7 @@ unsigned char *data; int datlen, *off; unsigned short *port; { - u_32_t addr; + u_32_t addr, netaddr; u_char *dp; int offset; @@ -62,10 +62,11 @@ unsigned short *port; *port = 0; offset = *off; dp = (u_char *)data; + netaddr = ntohl(ipaddr); for (offset = 0; offset <= datlen - 6; offset++, dp++) { addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; - if (ipaddr == addr) + if (netaddr == addr) { *port = (*(dp + 4) << 8) | *(dp + 5); break; diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index bf346610bec..da5235a2ca2 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -469,8 +469,12 @@ int mode; } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + IPN_CMPSIZ)) { + if (n->in_redir == NAT_REDIRECT && + n->in_pnext != nat->in_pnext) + continue; break; + } } switch (cmd) diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 2bc32d410f7..2051f2a466e 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c 
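Review bot: `netaddr = ntohl(ipaddr);` stores the host-order form of the address, which is also what the loop's `addr` (assembled from `dp[0] << 24 | ...`) is, so the name says the opposite of what the variable holds; `hostaddr` would read correctly, or keep the name and add `/* ipaddr is in network order; addr below is built in host order */`. The pre-existing `offset = *off;` just above is overwritten by the `for` initialiser and appears dead, but it is not among the new lines. The enclosing function begins just before the hunk at 52 and ends outside both hunks.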
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -122,7 +122,7 @@ aproxy_t ap_proxies[] = { ippr_ipsec_match }, #endif #ifdef IPF_NETBIOS_PROXY - { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL, + { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, NULL, NULL, NULL, ippr_netbios_out, NULL }, #endif #ifdef IPF_H323_PROXY @@ -421,11 +421,14 @@ int inc; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; + short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; + inc = (int)inc2; if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index a6d1773b5ba..f4dac8a02c8 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; #endif #ifndef MIN @@ -575,9 +575,9 @@ u_int flags; register u_int hv; struct icmp *ic; ipstate_t ips; + int out, ws; u_int pass; void *ifp; - int out; if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || (fin->fin_misc & FM_BADSTATE)) 
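Review bot: The pair `inc2 = inc; inc = (int)inc2;` through a `short` reads as a no-op but is a deliberate truncate-and-sign-extend of a 16-bit delta that presumably arrives zero-extended from the caller; without a comment the next maintainer will remove it. Suggest `/* inc carries a 16-bit signed delta; round-trip through short to sign-extend it */`, or state the intent directly with `inc = (short)inc;` under the same comment. The caller's representation of inc is not visible here, so the zero-extension is inferred. The enclosing function starts and ends outside the hunk.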
@@ -691,8 +691,11 @@ u_int flags; is->is_maxsend = is->is_send; if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) { + ws = fr_tcpoptions(tcp); + if (ws >= 0) + is->is_swscale = ws; + } } is->is_maxdwin = 1; @@ -900,6 +903,7 @@ tcphdr_t *tcp; fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; + win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { @@ -908,7 +912,9 @@ tcphdr_t *tcp; */ fdata->td_end = end; fdata->td_maxwin = 1; - fdata->td_maxend = end + 1; + fdata->td_maxend = end + win; + if (win == 0) + fdata->td_maxend++; } if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ @@ -922,7 +928,6 @@ tcphdr_t *tcp; if (seq == end) seq = end = fdata->td_end; - win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; @@ -1457,7 +1462,7 @@ icmp6again: rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; - else if (fin->fin_rev) + else if (rev != 0) is->is_age = fr_icmpacktimeout; else is->is_age = fr_icmptimeout; diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 0fc3a8ddfed..6cd868d155e 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.27" +#define IPL_VERSION "IP Filter: v3.4.28" #endif From 39cf61414ceccbb5948110f94ed340ae89a86b41 Mon Sep 17 00:00:00 2001 
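Review bot: `win <<= fdata->td_wscale;` in the hunk at 900 now feeds `fdata->td_maxend = end + win;`, and the shift count ultimately comes from `td_wscale`, which the hunk at 691 sets from `fr_tcpoptions()` after only a `ws >= 0` check; if fr_tcpoptions does not itself clamp the peer-supplied window-scale option to 14 (the largest value the option permits), a malformed SYN can produce a shift by 32 or more, undefined in C, and an absurd `td_maxend`. Clamping at the point of use, `if (ws > 14) ws = 14;` before `is->is_swscale = ws;`, keeps the state entry sane whatever fr_tcpoptions returns. Both enclosing functions start and end outside these hunks.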
From: Darren Reed Date: Wed, 28 Aug 2002 13:26:01 +0000 Subject: [PATCH 3/3] Import IPfilter 3.4.29. Main purpose is to address ftp proxy problems. --- sys/contrib/ipfilter/netinet/ip_h323_pxy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c index ec9b2fe2b8a..8d8ef923f7a 100644 --- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c @@ -9,6 +9,7 @@ * authorized by a written license agreement from QSSL. For more information, * please email licensing@qnx.com. * + * For more details, see QNX_OCL.txt provided with this distribution. */ /*