diff -cr ip_fil3.4.9/HISTORY ip_fil3.4.10/HISTORY *** ip_fil3.4.9/HISTORY Tue Aug 8 01:10:10 2000 --- ip_fil3.4.10/HISTORY Sun Sep 3 11:23:41 2000 *************** *** 20,25 **** --- 20,47 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.10 03/09/2000 - Released + + merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors' + + getline() adjusts linenum now + + add tcphalfclosed timeout + + fill in icmp_nextmtu field if it is defined on the platform + + RST generation fix from guido + + force 32bit compile for gcc on solaris if it can't generate 64bit code + + encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG + + fix up line wrap problems in plog script + + fix ICMP packet handling to not drop valid ICMP errors + + freebsd 5.0 compat changes + 3.4.9 08/08/2000 - Released implement new aging mechanism in fr_tcp_age() diff -cr ip_fil3.4.9/SunOS5/ipfboot ip_fil3.4.10/SunOS5/ipfboot *** ip_fil3.4.9/SunOS5/ipfboot Sat Jun 10 02:01:58 2000 --- ip_fil3.4.10/SunOS5/ipfboot Wed Aug 23 20:56:29 2000 *************** *** 1,6 **** #!/bin/sh ! id=`/usr/sbin/modinfo | grep ipf | awk ' { print $1 } ' -` ! pid=`ps -e | grep ipmon | awk ' { print $1 } ' -` PATH=${PATH}:/sbin:/opt/ipf/bin IPFILCONF=/etc/opt/ipf/ipf.conf IPNATCONF=/etc/opt/ipf/ipnat.conf --- 1,6 ---- #!/bin/sh ! id=`/usr/sbin/modinfo | awk '/ipf/ { print $1 } ' -` ! pid=`ps -e | awk '/ipmon/ { print $1 } ' -` PATH=${PATH}:/sbin:/opt/ipf/bin IPFILCONF=/etc/opt/ipf/ipf.conf IPNATCONF=/etc/opt/ipf/ipnat.conf *************** *** 21,27 **** case "$1" in start) ! if [ x$pid != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then --- 21,27 ---- case "$1" in start) ! if [ x"$pid" != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then *************** *** 50,56 **** ;; stop) ! if [ x$pid != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then --- 50,56 ---- ;; stop) ! 
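Review bot: `pid=\`ps -e | awk '/ipmon/ { print $1 } ' -\`` in the first ipfboot hunk selects every process whose ps line merely contains the substring "ipmon", so the root-run `kill -TERM $pid` further down also terminates unrelated processes that happen to carry that substring in their name, and with several matches `$pid` expands to a word list that kill then treats as multiple targets. Anchoring the match to the command field (on Solaris `ps -e` the command is typically the last field), e.g. `awk '$NF == "ipmon" { print $1 }'`, or better, having ipmon record its pid in a pidfile when started, removes the name collision; the same substring issue applies to the modinfo pattern `/ipf/`.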
if [ x"$pid" != x ] ; then kill -TERM $pid fi if [ x$id != x ] ; then diff -cr ip_fil3.4.9/SunOS5/pkginfo ip_fil3.4.10/SunOS5/pkginfo *** ip_fil3.4.9/SunOS5/pkginfo Tue Aug 8 01:10:11 2000 --- ip_fil3.4.10/SunOS5/pkginfo Sun Sep 3 17:01:25 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.10 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.4.9/buildsunos ip_fil3.4.10/buildsunos *** ip_fil3.4.9/buildsunos Tue Aug 8 23:15:34 2000 --- ip_fil3.4.10/buildsunos Wed Aug 23 20:58:29 2000 *************** *** 3,9 **** echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.4 2000/08/08 11:40:22 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 3,9 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.5 2000/08/23 10:58:29 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 40,46 **** case "$CC" in *gcc*) # gcc ! XARCH32="" XARCH64="-m64 -mcmodel=medlow" ;; *) # Sun C --- 40,46 ---- case "$CC" in *gcc*) # gcc ! XARCH32="-m32" XARCH64="-m64 -mcmodel=medlow" ;; *) # Sun C *************** *** 125,131 **** exit $? fi if [ x$solrev = x ] ; then ! make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi for b in $ISABITS --- 125,131 ---- exit $? fi if [ x$solrev = x ] ; then ! make ${1+"$@"} sunos$rev "TOP=.." "ARCH=`uname -m`" exit $? 
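Review bot: `if [ x$id != x ] ; then` in this stop hunk's context still expands `$id` unquoted while `$pid` now gets `x"$pid"`; if modinfo lists more than one module matching `/ipf/`, `$id` becomes several words, `test` aborts with "too many arguments", and the module unload is skipped. Quote it the same way: `if [ x"$id" != x ] ; then`, and likewise in the start branch above where the identical unquoted test appears.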
fi for b in $ISABITS diff -cr ip_fil3.4.9/common.c ip_fil3.4.10/common.c *** ip_fil3.4.9/common.c Sat May 6 21:20:10 2000 --- ip_fil3.4.10/common.c Sun Sep 3 11:22:40 2000 *************** *** 274,280 **** return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (isdigit(***seg) && *(*seg + 2)) { if (portnum(**seg, pp, linenum) == 0) return -1; (*seg)++; --- 274,280 ---- return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (isalnum(***seg) && *(*seg + 2)) { if (portnum(**seg, pp, linenum) == 0) return -1; (*seg)++; diff -cr ip_fil3.4.9/fil.c ip_fil3.4.10/fil.c *** ip_fil3.4.9/fil.c Thu Jul 27 23:08:18 2000 --- ip_fil3.4.10/fil.c Sun Aug 13 14:15:43 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.19 2000/07/27 13:08:18 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.20 2000/08/13 04:15:43 darrenr Exp $"; #endif #include *************** *** 844,854 **** --- 844,856 ---- # endif if (!out && fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) { ATOMIC_INCL(frstats[0].fr_badsrc); + # ifdef IPFILTER_LOG if (fr_chksrc == 2) { fin->fin_group = -2; pass = FR_INQUE|FR_NOMATCH|FR_LOGB; (void) IPLLOG(pass, ip, fin, m); } + # endif # if !SOLARIS m_freem(m); # endif *************** *** 1374,1380 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.19 2000/07/27 13:08:18 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1376,1382 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
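Review bot: `isalnum(***seg)` passes a plain `char` to a <ctype.h> classifier; where `char` is signed, a byte >= 0x80 in the rule file becomes a negative argument, which is undefined for isalnum (only EOF and `unsigned char` values are permitted). Cast it: `if (isalnum((unsigned char)***seg) && *(*seg + 2)) {`. The enclosing function starts and ends outside this hunk, so the path taken for a non-alphanumeric first character is not visible here.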
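Review bot: With the new `# ifdef IPFILTER_LOG` the whole `fr_chksrc == 2` branch disappears when logging is compiled out, not just the IPLLOG call, so a kernel built without IPFILTER_LOG silently treats fr_chksrc=2 exactly like fr_chksrc=1 and drops bad-source packets with no record at all. That is a reasonable choice but it deserves a comment on the `#ifdef`, e.g. `/* fr_chksrc == 2 differs from 1 only by logging; without IPFILTER_LOG it is a plain drop */`, so an administrator enabling 2 knows what they get. The enclosing function continues outside the hunk.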
* $Id: fil.c,v 2.35.2.20 2000/08/13 04:15:43 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.4.9/ip_compat.h ip_fil3.4.10/ip_compat.h *** ip_fil3.4.9/ip_compat.h Sat Apr 29 00:56:49 2000 --- ip_fil3.4.10/ip_compat.h Sun Aug 13 13:51:03 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.3 2000/04/28 14:56:49 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.4 2000/08/13 03:51:03 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 125,130 **** --- 125,134 ---- #endif #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) + + #if defined(__FreeBSD__) && (__FreeBSD__ >= 5) && defined(_KERNEL) + # include + #endif #ifndef IP_OFFMASK #define IP_OFFMASK 0x1fff diff -cr ip_fil3.4.9/ip_fil.c ip_fil3.4.10/ip_fil.c *** ip_fil3.4.9/ip_fil.c Sun Aug 6 00:49:08 2000 --- ip_fil3.4.10/ip_fil.c Wed Aug 23 21:00:08 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.15 2000/08/05 14:49:08 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.16 2000/08/23 11:00:08 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 975,982 **** if (m == NULL) return -1; ! if (tcp->th_flags & TH_SYN) ! tlen = 1; #ifdef USE_INET6 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t); #else --- 975,984 ---- if (m == NULL) return -1; ! tlen = oip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + ! ((tcp->th_flags & TH_SYN) ? 1 : 0) + ! ((tcp->th_flags & TH_FIN) ? 1 : 0); ! 
#ifdef USE_INET6 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t); #else *************** *** 997,1007 **** tcp2->th_sport = tcp->th_dport; tcp2->th_dport = tcp->th_sport; ! tcp2->th_ack = ntohl(tcp->th_seq); ! tcp2->th_ack += tlen; ! tcp2->th_ack = htonl(tcp2->th_ack); tcp2->th_off = sizeof(*tcp2) >> 2; - tcp2->th_flags = TH_RST|TH_ACK; # ifdef USE_INET6 if (fin->fin_v == 6) { ip6->ip6_plen = htons(sizeof(struct tcphdr)); --- 999,1014 ---- tcp2->th_sport = tcp->th_dport; tcp2->th_dport = tcp->th_sport; ! if (tcp->th_flags & TH_ACK) { ! tcp2->th_seq = tcp->th_ack; ! tcp2->th_flags = TH_RST|TH_ACK; ! } else { ! tcp2->th_ack = ntohl(tcp->th_seq); ! tcp2->th_ack += tlen; ! tcp2->th_ack = htonl(tcp2->th_ack); ! tcp2->th_flags = TH_RST; ! } tcp2->th_off = sizeof(*tcp2) >> 2; # ifdef USE_INET6 if (fin->fin_v == 6) { ip6->ip6_plen = htons(sizeof(struct tcphdr)); *************** *** 1143,1149 **** --- 1150,1161 ---- m_freem(m); return ENOBUFS; } + # ifdef M_TRAILINGSPACE + m->m_len = 0; + avail = M_TRAILINGSPACE(m); + # else avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN; + # endif xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t), avail - hlen - sizeof(*icmp) - max_linkhdr); if (dst == 0) { *************** *** 1177,1182 **** --- 1189,1200 ---- icmp->icmp_type = type; icmp->icmp_code = fin->fin_icode; icmp->icmp_cksum = 0; + #ifdef icmp_nextmtu + if (type == ICMP_UNREACH && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) + icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu); + #endif + if (avail) { bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail)); avail -= MIN(ohlen, avail); diff -cr ip_fil3.4.9/ip_ftp_pxy.c ip_fil3.4.10/ip_ftp_pxy.c *** ip_fil3.4.9/ip_ftp_pxy.c Mon Aug 7 22:35:27 2000 --- ip_fil3.4.10/ip_ftp_pxy.c Sun Sep 3 11:22:10 2000 *************** *** 2,8 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
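Review bot: `tlen = oip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + ...` trusts `th_off` from the packet; a segment whose data offset is below 5 or larger than what remains after the IP header yields a negative or oversized tlen (assuming tlen is an `int` as in the ip_sfil.c version), and the RST sent back then carries an ack number unrelated to the segment. Nothing in the hunk rejects such a header, so either bail early, `if ((tcp->th_off << 2) < sizeof(*tcp) || tlen < 0) return -1;`, or add a comment naming the upstream check that guarantees it. Whether `oip->ip_len` is already in host order at this point is not visible either; the enclosing function starts before the hunk.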
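Review bot: In the new if/else only one of the two sequence fields is written per branch: the `TH_ACK` branch sets `tcp2->th_seq` but never `tcp2->th_ack` while still raising TH_ACK, and the else branch sets `th_ack` but never `th_seq`. Unless the buffer obtained above is zero-filled (not visible in the hunk), the RST goes out with whatever the buffer held, and the peer's reset acceptability check then depends on garbage; set the other field explicitly, `tcp2->th_ack = 0;` in the first branch and `tcp2->th_seq = 0;` in the second. RFC 793 answers a non-ACK segment with SEQ=0 and an ACK segment with SEQ=SEG.ACK, which matches the intent of the split.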
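Review bot: `avail = M_TRAILINGSPACE(m)` is measured from the mbuf's current `m_data`, and the following `avail - hlen - sizeof(*icmp) - max_linkhdr` is evaluated in `size_t` because of the `sizeof`; if the trailing space is smaller than that sum the subtraction wraps and `MIN(...)` picks the packet-derived length, so `xtra` can exceed what the buffer actually holds. Whether that can occur depends on how m was allocated (outside the hunk); a guard, `if (avail < hlen + sizeof(*icmp) + max_linkhdr) { m_freem(m); return ENOBUFS; }`, makes the computation safe regardless.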
* $Id: ip_ftp_pxy.c,v 2.7.2.13 2000/08/07 12:35:27 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 2,8 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.14 2000/09/03 00:22:10 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 214,220 **** sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2, 0); #endif ip->ip_len += inc; } --- 214,220 ---- sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2); #endif ip->ip_len += inc; } *************** *** 441,447 **** sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2, 0); #endif /* SOLARIS || defined(__sgi) */ ip->ip_len += inc; } --- 441,447 ---- sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2); #endif /* SOLARIS || defined(__sgi) */ ip->ip_len += inc; } diff -cr ip_fil3.4.9/ip_log.c ip_fil3.4.10/ip_log.c *** ip_fil3.4.9/ip_log.c Wed Jul 19 23:11:47 2000 --- ip_fil3.4.10/ip_log.c Sun Aug 13 13:50:41 2000 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.5.2.1 2000/07/19 13:11:47 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! 
* $Id: ip_log.c,v 2.5.2.2 2000/08/13 03:50:41 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) *************** *** 21,28 **** # endif # else # ifdef KLD_MODULE - # include - # else # include # endif # endif --- 21,26 ---- diff -cr ip_fil3.4.9/ip_nat.c ip_fil3.4.10/ip_nat.c *** ip_fil3.4.9/ip_nat.c Wed Aug 9 02:11:12 2000 --- ip_fil3.4.10/ip_nat.c Tue Aug 29 21:55:31 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.20 2000/08/08 16:01:01 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.22 2000/08/29 10:55:31 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 300,309 **** } ! void fix_outcksum(sp, n , len) u_short *sp; u_32_t n; - int len; { register u_short sumshort; register u_32_t sum1; --- 300,308 ---- } ! void fix_outcksum(sp, n) u_short *sp; u_32_t n; { register u_short sumshort; register u_32_t sum1; *************** *** 326,335 **** } ! void fix_incksum(sp, n , len) u_short *sp; u_32_t n; - int len; { register u_short sumshort; register u_32_t sum1; --- 325,333 ---- } ! void fix_incksum(sp, n ) u_short *sp; u_32_t n; { register u_short sumshort; register u_32_t sum1; *************** *** 1029,1035 **** { register nat_t *nat, **natp; register int j = 0; ! /* * ALL NAT mappings deleted, so lets just make the deletions * quicker. --- 1027,1033 ---- { register nat_t *nat, **natp; register int j = 0; ! /* * ALL NAT mappings deleted, so lets just make the deletions * quicker. *************** *** 1490,1496 **** oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = (oip->ip_hl << 2); ! 
if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP --- 1488,1496 ---- oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = (oip->ip_hl << 2); ! if (minlen < sizeof(ip_t)) ! return NULL; ! if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen) return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP *************** *** 1524,1530 **** flags = IPN_UDP; if (flags & IPN_TCPUDP) { minlen += 8; /* + 64bits of data to get ports */ ! if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); if (dir == NAT_INBOUND) --- 1524,1530 ---- flags = IPN_UDP; if (flags & IPN_TCPUDP) { minlen += 8; /* + 64bits of data to get ports */ ! if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen) return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); if (dir == NAT_INBOUND) *************** *** 1564,1569 **** --- 1564,1572 ---- if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) return NULL; + /* + * nat_icmplookup() will return NULL for `defective' packets. + */ if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir))) return NULL; *nflags = IPN_ICMPERR; *************** *** 1576,1588 **** /* * Need to adjust ICMP header to include the real IP#'s and * port #'s. Only apply a checksum change relative to the ! * IP address change is it will be modified again in ip_natout * for both address and port. Two checksum changes are * necessary for the two header address changes. Be careful * to only modify the checksum once for the port # and twice * for the IP#. */ if (nat->nat_dir == NAT_OUTBOUND) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; --- 1579,1607 ---- /* * Need to adjust ICMP header to include the real IP#'s and * port #'s. Only apply a checksum change relative to the ! * IP address change as it will be modified again in ip_natout * for both address and port. 
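Review bot: The new `if (minlen < sizeof(ip_t)) return NULL;` correctly rejects a short inner header, but `minlen = (oip->ip_hl << 2)` on the line above already dereferences the embedded IP header before `ip->ip_len` is compared against `ICMPERR_IPICMPHLEN + minlen`. That is sound only if the caller's FI_SHORT test guarantees the 8 bytes past the ICMP header are present; if it does, say so, e.g. `/* FI_SHORT in the caller guarantees the inner IP header's first 8 bytes are readable */`, otherwise move the read after a fixed-size length check. Nothing here checks `oip->ip_v == 4` before trusting `ip_hl` either. The enclosing function (presumably nat_icmplookup, given the caller hunk below) continues outside the hunk.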
Two checksum changes are * necessary for the two header address changes. Be careful * to only modify the checksum once for the port # and twice * for the IP#. */ + /* + * Step 1 + * Fix the ip addresses in the offending IP packet. You also need + * to adjust the IP header checksum of that offending IP packet + * and the ICMP checksum of the ICMP error message itself. + * + * Unfortunately, for UDP and TCP, the IP addresses are also contained + * in the pseudo header that is used to compute the UDP resp. TCP + * checksum. So, we must compensate that as well. Even worse, the + * change in the UDP and TCP checksums require yet another + * adjustment of the ICMP checksum of the ICMP error message. + * + * For the moment we forget about TCP, because that checksum is not + * in the first 8 bytes, so it will not be available in most cases. + */ + if (nat->nat_dir == NAT_OUTBOUND) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; *************** *** 1598,1616 **** CALC_SUMD(sum1, sum2, sumd); if (nat->nat_dir == NAT_OUTBOUND) { ! fix_incksum(&oip->ip_sum, sumd, 0); sumd += (sumd & 0xffff); while (sumd > 0xffff) sumd = (sumd & 0xffff) + (sumd >> 16); ! fix_outcksum(&icmp->icmp_cksum, sumd, 0); } else { ! fix_outcksum(&oip->ip_sum, sumd, 0); #if !SOLARIS && !defined(__sgi) sumd += (sumd & 0xffff); while (sumd > 0xffff) sumd = (sumd & 0xffff) + (sumd >> 16); ! fix_incksum(&icmp->icmp_cksum, sumd, 0); #endif } --- 1617,1691 ---- CALC_SUMD(sum1, sum2, sumd); if (nat->nat_dir == NAT_OUTBOUND) { ! /* ! * Fix IP checksum of the offending IP packet to adjust for ! * the change in IP address ! */ ! fix_incksum(&oip->ip_sum, sumd); + /* + * Fix ICMP checksum of the ICMP error message to adjust for + * the change in the IP address + */ sumd += (sumd & 0xffff); while (sumd > 0xffff) sumd = (sumd & 0xffff) + (sumd >> 16); ! fix_outcksum(&icmp->icmp_cksum, sumd); ! ! /* ! * Fix UDP pseudo header checksum to compensate for the ! * IP address change ! */ ! 
if (oip->ip_p == IPPROTO_UDP) { ! udphdr_t *udp = (udphdr_t *)((((char *)oip) + ! (oip->ip_hl << 2))); ! ! sum1 = ntohs(udp->uh_sum); ! fix_incksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); ! ! /* fix ICMP checksum to compensate the UDP checksum ! * adjustment ! */ ! CALC_SUMD(sum1, sum2, sumd); ! fix_outcksum(&icmp->icmp_cksum, sumd); ! }; } else { ! ! /* ! * Fix IP checksum of the offending IP packet to adjust for ! * the change in IP address ! */ ! fix_outcksum(&oip->ip_sum, sumd); ! #if !SOLARIS && !defined(__sgi) + /* + * Fix ICMP checksum of the ICMP error message to adjust for + * the change in the IP address + */ sumd += (sumd & 0xffff); while (sumd > 0xffff) sumd = (sumd & 0xffff) + (sumd >> 16); ! fix_incksum(&icmp->icmp_cksum, sumd); ! ! /* ! * Fix UDP pseudo header checksum to compensate for the ! * IP address change ! */ ! if (oip->ip_p == IPPROTO_UDP) { ! udphdr_t *udp = (udphdr_t *)((((char *)oip) + ! (oip->ip_hl << 2))); ! ! sum1 = ntohs(udp->uh_sum); ! fix_outcksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); ! ! /* fix ICMP checksum to compensate the UDP checksum ! * adjustment ! */ ! CALC_SUMD(sum1, sum2, sumd); ! fix_incksum(&icmp->icmp_cksum, sumd); ! }; #endif } *************** *** 1623,1643 **** */ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); if (nat->nat_dir == NAT_OUTBOUND) { if (tcp->th_sport != nat->nat_inport) { sum1 = ntohs(tcp->th_sport); sum2 = ntohs(nat->nat_inport); CALC_SUMD(sum1, sum2, sumd); tcp->th_sport = nat->nat_inport; ! fix_outcksum(&icmp->icmp_cksum, sumd, 0); } } else { if (tcp->th_dport != nat->nat_outport) { sum1 = ntohs(tcp->th_dport); sum2 = ntohs(nat->nat_outport); CALC_SUMD(sum1, sum2, sumd); tcp->th_dport = nat->nat_outport; ! fix_incksum(&icmp->icmp_cksum, sumd, 0); } } } --- 1698,1790 ---- */ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); + /* + * Step 2 : + * For offending TCP/UDP IP packets, translate the ports as + * well, based on the NAT specification. 
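Review bot: Both new `if (oip->ip_p == IPPROTO_UDP)` blocks adjust `udp->uh_sum` unconditionally, but a UDP checksum of zero means "no checksum was computed" and must be left as is; applying the delta turns an unchecksummed datagram into one carrying a wrong checksum, and the compensating ICMP adjustment then bakes that error into the error message. Wrap the adjustment in each block with `if (udp->uh_sum != 0) { ... }` so a zero checksum passes through untouched. The `};` closing each block is a stray empty statement, and on the inbound side the whole correction sits under `#if !SOLARIS && !defined(__sgi)`, so those platforms presumably get no inner UDP fix at all — worth a comment if that is intended.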
Of course such + * a change must be reflected in the ICMP checksum as well. + * + * Advance notice : Now it becomes complicated :-) + * + * Since the port fields are part of the TCP/UDP checksum + * of the offending IP packet, you need to adjust that checksum + * as well... but, if you change, you must change the icmp + * checksum *again*, to reflect that change. + * + * To further complicate: the TCP checksum is not in the first + * 8 bytes of the offending ip packet, so it most likely is not + * available (we might have to fix that if the encounter a + * device that returns more than 8 data bytes on icmp error) + */ + if (nat->nat_dir == NAT_OUTBOUND) { if (tcp->th_sport != nat->nat_inport) { + + /* + * Fix icmp checksum to compensate port + * adjustment + */ sum1 = ntohs(tcp->th_sport); sum2 = ntohs(nat->nat_inport); CALC_SUMD(sum1, sum2, sumd); tcp->th_sport = nat->nat_inport; ! fix_outcksum(&icmp->icmp_cksum, sumd); ! ! /* ! * Fix udp checksum to compensate port ! * adjustment. NOTE : the offending IP packet ! * flows the other direction compared to the ! * ICMP message. ! */ ! if (oip->ip_p == IPPROTO_UDP) { ! udphdr_t *udp = (udphdr_t *)tcp; ! ! sum1 = ntohs(udp->uh_sum); ! fix_incksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); ! ! /* ! * Fix icmp checksum to compensate udp ! * checksum adjustment ! */ ! CALC_SUMD(sum1, sum2, sumd); ! fix_outcksum(&icmp->icmp_cksum, sumd); ! } } } else { + if (tcp->th_dport != nat->nat_outport) { + + /* + * Fix icmp checksum to compensate port + * adjustment + */ sum1 = ntohs(tcp->th_dport); sum2 = ntohs(nat->nat_outport); CALC_SUMD(sum1, sum2, sumd); tcp->th_dport = nat->nat_outport; ! fix_incksum(&icmp->icmp_cksum, sumd); ! ! /* ! * Fix udp checksum to compensate port ! * adjustment. NOTE : the offending IP ! * packet flows the other direction compared ! * to the ICMP message. ! */ ! if (oip->ip_p == IPPROTO_UDP) { ! udphdr_t *udp = (udphdr_t *)tcp; ! ! sum1 = ntohs(udp->uh_sum); ! 
fix_outcksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); ! ! /* ! * Fix icmp checksum to compensate udp ! * checksum adjustment ! */ ! CALC_SUMD(sum1, sum2, sumd); ! fix_incksum(&icmp->icmp_cksum, sumd); ! } } } } *************** *** 1940,1955 **** CALC_SUMD(s1, s2, sumd); if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, sumd, 0); else ! fix_outcksum(&ip->ip_sum, sumd, 0); } #if SOLARIS || defined(__sgi) else { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0); else ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0); } #endif ip->ip_src = nat->nat_outip; --- 2087,2102 ---- CALC_SUMD(s1, s2, sumd); if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, sumd); else ! fix_outcksum(&ip->ip_sum, sumd); } #if SOLARIS || defined(__sgi) else { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); else ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); } #endif ip->ip_src = nat->nat_outip; *************** *** 1993,2003 **** if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(csump, nat->nat_sumd[1], ! ip->ip_len); else ! fix_incksum(csump, nat->nat_sumd[1], ! ip->ip_len); } } --- 2140,2148 ---- if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(csump, nat->nat_sumd[1]); else ! fix_incksum(csump, nat->nat_sumd[1]); } } *************** *** 2151,2159 **** */ #if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0); else ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0); #endif if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 2296,2304 ---- */ #if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); else ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); #endif if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 2194,2204 **** if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(csump, nat->nat_sumd[0], ! 0); else ! 
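Review bot: The port-adjustment blocks `if (oip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; ... }` have the same gap as step 1: a zero `uh_sum` means the sender computed no checksum, and patching it yields a non-zero, wrong value. Skip the adjustment when `udp->uh_sum == 0`. Note also that for TCP the ports are rewritten here while the inner TCP checksum is not (it lies beyond the quoted 8 bytes, as the comment says), which presumably relies on hosts not verifying the checksum of the quoted header; stating that assumption in the comment would be more useful than "we might have to fix that".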
fix_outcksum(csump, nat->nat_sumd[0], ! 0); } } ATOMIC_INCL(nat_stats.ns_mapped[0]); --- 2339,2347 ---- if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(csump, nat->nat_sumd[0]); else ! fix_outcksum(csump, nat->nat_sumd[0]); } } ATOMIC_INCL(nat_stats.ns_mapped[0]); diff -cr ip_fil3.4.9/ip_nat.h ip_fil3.4.10/ip_nat.h *** ip_fil3.4.9/ip_nat.h Sun Jul 16 00:50:06 2000 --- ip_fil3.4.10/ip_nat.h Sun Sep 3 11:21:58 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.6 2000/07/15 14:50:06 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.7 2000/09/03 00:21:58 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 293,299 **** extern int ip_natin __P((ip_t *, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_int)); ! extern void fix_incksum __P((u_short *, u_32_t, int)); ! extern void fix_outcksum __P((u_short *, u_32_t, int)); #endif /* __IP_NAT_H__ */ --- 293,299 ---- extern int ip_natin __P((ip_t *, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_int)); ! extern void fix_incksum __P((u_short *, u_32_t)); ! extern void fix_outcksum __P((u_short *, u_32_t)); #endif /* __IP_NAT_H__ */ diff -cr ip_fil3.4.9/ip_raudio_pxy.c ip_fil3.4.10/ip_raudio_pxy.c *** ip_fil3.4.9/ip_raudio_pxy.c Sat May 6 21:19:33 2000 --- ip_fil3.4.10/ip_raudio_pxy.c Sun Sep 3 11:23:12 2000 *************** *** 1,5 **** /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.1 2000/05/06 11:19:33 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 1,5 ---- /* ! 
* $Id: ip_raudio_pxy.c,v 1.7.2.2 2000/09/03 00:23:12 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 171,178 **** tcphdr_t *tcp, tcph, *tcp2 = &tcph; raudio_t *rap = aps->aps_data; struct in_addr swa, swb; - u_int a1, a2, a3, a4; int off, dlen, slen; u_short sp, dp; fr_info_t fi; tcp_seq seq; --- 171,178 ---- tcphdr_t *tcp, tcph, *tcp2 = &tcph; raudio_t *rap = aps->aps_data; struct in_addr swa, swb; int off, dlen, slen; + int a1, a2, a3, a4; u_short sp, dp; fr_info_t fi; tcp_seq seq; diff -cr ip_fil3.4.9/ip_sfil.c ip_fil3.4.10/ip_sfil.c *** ip_fil3.4.9/ip_sfil.c Mon Aug 7 22:36:19 2000 --- ip_fil3.4.10/ip_sfil.c Wed Aug 23 21:00:28 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.6 2000/08/07 12:36:19 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.7 2000/08/23 11:00:28 darrenr Exp $"; #endif #include *************** *** 688,694 **** fr_info_t *fin; { tcphdr_t *tcp, *tcp2; ! int tlen = 0, hlen; mblk_t *m; #ifdef USE_INET6 ip6_t *ip6, *oip6 = (ip6_t *)oip; --- 688,694 ---- fr_info_t *fin; { tcphdr_t *tcp, *tcp2; ! int tlen, hlen; mblk_t *m; #ifdef USE_INET6 ip6_t *ip6, *oip6 = (ip6_t *)oip; *************** *** 698,705 **** tcp = (struct tcphdr *)fin->fin_dp; if (tcp->th_flags & TH_RST) return -1; ! if (tcp->th_flags & TH_SYN) ! tlen = 1; #ifdef USE_INET6 if (fin->fin_v == 6) hlen = sizeof(ip6_t); --- 698,704 ---- tcp = (struct tcphdr *)fin->fin_dp; if (tcp->th_flags & TH_RST) return -1; ! tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 
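Review bot: `int a1, a2, a3, a4;` replaces the unsigned declarations; if these receive values parsed from the client stream (the parsing is outside the hunk), the signed type now admits negative numbers, so any later range check of the form `a1 > 255` no longer rejects everything out of range and needs `a1 < 0 ||` as well. If the switch was made to match a `%d` conversion, a one-line comment saying so would save the next reader the question. The enclosing function starts before and continues after this hunk.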
1 : 0; #ifdef USE_INET6 if (fin->fin_v == 6) hlen = sizeof(ip6_t); *************** *** 717,724 **** tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; tcp2->th_sport = tcp->th_dport; ! tcp2->th_ack = htonl(ntohl(tcp->th_seq) + tlen); ! tcp2->th_seq = tcp->th_ack; tcp2->th_off = sizeof(struct tcphdr) >> 2; tcp2->th_flags = TH_RST|TH_ACK; --- 716,730 ---- tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; tcp2->th_sport = tcp->th_dport; ! if (tcp->th_flags & TH_ACK) { ! tcp2->th_seq = tcp->th_ack; ! tcp2->th_flags = TH_RST|TH_ACK; ! } else { ! tcp2->th_ack = ntohl(tcp->th_seq); ! tcp2->th_ack += tlen; ! tcp2->th_ack = htonl(tcp2->th_ack); ! tcp2->th_flags = TH_RST; ! } tcp2->th_off = sizeof(struct tcphdr) >> 2; tcp2->th_flags = TH_RST|TH_ACK; *************** *** 791,798 **** struct icmp *icmp; mblk_t *m, *mb; int hlen, code; ! qif_t *qif; u_short sz; #ifdef USE_INET6 ip6_t *ip6, *oip6; #endif --- 797,805 ---- struct icmp *icmp; mblk_t *m, *mb; int hlen, code; ! qif_t *qif; u_short sz; + ill_t *il; #ifdef USE_INET6 ip6_t *ip6, *oip6; #endif *************** *** 851,856 **** --- 858,868 ---- icmp->icmp_type = type; icmp->icmp_code = code; icmp->icmp_cksum = 0; + #ifdef icmp_nextmtu + if (type == ICMP_UNREACH && (il = qif->qf_ill) && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG) + icmp->icmp_nextmtu = htons(il->ill_max_frag); + #endif #ifdef USE_INET6 if (oip->ip_v == 6) { diff -cr ip_fil3.4.9/ip_state.c ip_fil3.4.10/ip_state.c *** ip_fil3.4.9/ip_state.c Wed Aug 9 02:11:12 2000 --- ip_fil3.4.10/ip_state.c Wed Aug 23 21:01:28 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! 
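Review bot: `tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 1 : 0;` counts at most one for SYN and FIN together and ignores the segment's payload, whereas the ip_fil.c hunk in this same patch uses `ip_len - hlen - (th_off << 2)` plus one per flag; on Solaris the RST's ack number therefore stops matching SEG.SEQ+SEG.LEN for any data-bearing segment, and a peer applying the RFC 793 reset acceptability test may ignore it. Mirror the ip_fil.c computation here (tlen is already an `int` per the hunk above). The enclosing function starts before this hunk.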
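Review bot: The unchanged line `tcp2->th_flags = TH_RST|TH_ACK;` immediately after the new if/else overwrites the flags the branches just chose, so the `TH_RST`-only case for non-ACK segments is dead and every reset leaves with TH_ACK set while, in the ACK branch, `tcp2->th_ack` was never written. Delete that trailing assignment (the ip_fil.c version of this change does not carry it) and set the unused field explicitly in each branch, `tcp2->th_ack = 0;` / `tcp2->th_seq = 0;`, unless the allocated mblk is known to be zeroed — that allocation is outside the hunk.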
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.17 2000/08/08 16:01:03 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.18 2000/08/23 11:01:28 darrenr Exp $"; #endif #include *************** *** 135,141 **** fr_tcpclosewait = 2 * TCP_MSL, fr_tcplastack = 2 * TCP_MSL, fr_tcptimeout = 2 * TCP_MSL, ! fr_tcpclosed = 1, fr_udptimeout = 240, fr_icmptimeout = 120; int fr_statemax = IPSTATE_MAX, --- 135,142 ---- fr_tcpclosewait = 2 * TCP_MSL, fr_tcplastack = 2 * TCP_MSL, fr_tcptimeout = 2 * TCP_MSL, ! fr_tcpclosed = 120, ! fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */ fr_udptimeout = 240, fr_icmptimeout = 120; int fr_statemax = IPSTATE_MAX, *************** *** 1566,1572 **** * SYN_RECEIVED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcpidletimeout; /* or fr_tcptimeout? */ } break; --- 1567,1573 ---- * SYN_RECEIVED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcpidletimeout; } break; *************** *** 1578,1584 **** * ESTABLISHED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcpidletimeout; } else if (flags & TH_ACK) { /* an ACK, should we exclude other flags here? */ if (ostate == TCPS_FIN_WAIT_1) { --- 1579,1585 ---- * ESTABLISHED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcphalfclosed; } else if (flags & TH_ACK) { /* an ACK, should we exclude other flags here? */ if (ostate == TCPS_FIN_WAIT_1) { *************** *** 1590,1596 **** * a half-closed connection */ state[dir] = TCPS_CLOSE_WAIT; ! *age = fr_tcpidletimeout; } else if (ostate < TCPS_CLOSE_WAIT) /* * Still a fully established connection, --- 1591,1597 ---- * a half-closed connection */ state[dir] = TCPS_CLOSE_WAIT; ! 
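Review bot: `fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */` together with `fr_tcpclosed` going from 1 to 120 lengthens how long a remote peer can pin a state-table slot: a peer that sends a FIN and never completes the close now holds its entry for the whole half-closed period, which against a fixed `fr_statemax` is a cheap table-exhaustion vector. The comment also hides the unit; `2 * 2 * 3600` equals two hours only if the counters tick in half-seconds, which the neighbouring `fr_udptimeout = 240` presumably implies but the hunk does not show. Spell it out, e.g. `/* 2 hours, in half-second ticks */`, and note that the value is meant to be tuned down through the new sysctl where exposure matters.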
*age = fr_tcphalfclosed; } else if (ostate < TCPS_CLOSE_WAIT) /* * Still a fully established connection, *************** *** 1614,1620 **** * closed already and we did not close our side yet; * reset timeout */ ! *age = fr_tcpidletimeout; } break; --- 1615,1621 ---- * closed already and we did not close our side yet; * reset timeout */ ! *age = fr_tcphalfclosed; } break; *************** *** 1638,1644 **** * other side is still active (ESTABLISHED/CLOSE_WAIT); * continue with this half-closed connection */ ! *age = fr_tcpidletimeout; break; case TCPS_CLOSING: /* 7 */ --- 1639,1645 ---- * other side is still active (ESTABLISHED/CLOSE_WAIT); * continue with this half-closed connection */ ! *age = fr_tcphalfclosed; break; case TCPS_CLOSING: /* 7 */ diff -cr ip_fil3.4.9/ip_state.h ip_fil3.4.10/ip_state.h *** ip_fil3.4.9/ip_state.h Sat Jul 8 12:15:35 2000 --- ip_fil3.4.10/ip_state.h Wed Aug 23 21:01:31 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.2 2000/08/23 11:01:31 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 173,178 **** --- 173,179 ---- extern u_long fr_tcplastack; extern u_long fr_tcptimeout; extern u_long fr_tcpclosed; + extern u_long fr_tcphalfclosed; extern u_long fr_udptimeout; extern u_long fr_icmptimeout; extern int fr_state_lock; diff -cr ip_fil3.4.9/ipf.c ip_fil3.4.10/ipf.c *** ip_fil3.4.9/ipf.c Tue Aug 8 00:54:05 2000 --- ip_fil3.4.10/ipf.c Wed Aug 23 21:02:13 2000 *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.3 2000/08/07 14:54:05 darrenr Exp $"; #endif #if SOLARIS --- 43,49 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.4 2000/08/23 11:02:13 darrenr Exp $"; #endif #if SOLARIS *************** *** 71,77 **** static void packetlogon __P((char *)), swapactive __P((void)); static int opendevice __P((char *)); static void closedevice __P((void)); ! static char *getline __P((char *, size_t, FILE *)); static char *ipfname = IPL_NAME; static void usage __P((void)); static void showversion __P((void)); --- 71,77 ---- static void packetlogon __P((char *)), swapactive __P((void)); static int opendevice __P((char *)); static void closedevice __P((void)); ! static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; static void usage __P((void)); static void showversion __P((void)); *************** *** 252,259 **** exit(1); } ! while (getline(line, sizeof(line), fp)) { ! linenum++; /* * treat CR as EOL. LF is converted to NUL by getline(). */ --- 252,258 ---- exit(1); } ! while (getline(line, sizeof(line), fp, &linenum)) { /* * treat CR as EOL. LF is converted to NUL by getline(). */ *************** *** 335,344 **** * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. * Returns NULL if error occured, EOF encounterd or input line is too long. */ ! static char *getline(str, size, file) register char *str; size_t size; FILE *file; { char *p; int s, len; --- 334,344 ---- * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. * Returns NULL if error occured, EOF encounterd or input line is too long. */ ! 
static char *getline(str, size, file, linenum) register char *str; size_t size; FILE *file; + int *linenum; { char *p; int s, len; *************** *** 356,361 **** --- 356,362 ---- p[len] = '\0'; break; } + (*linenum)++; p[len - 1] = '\0'; if (len < 2 || p[len - 2] != '\\') break; diff -cr ip_fil3.4.9/ipl.h ip_fil3.4.10/ipl.h *** ip_fil3.4.9/ipl.h Tue Aug 8 01:10:09 2000 --- ip_fil3.4.10/ipl.h Sun Sep 3 17:01:26 2000 *************** *** 6,17 **** * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.10 2000/08/07 15:10:09 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.9" #endif --- 6,17 ---- * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.11 2000/09/03 06:01:16 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.10" #endif diff -cr ip_fil3.4.9/ipsend/44arp.c ip_fil3.4.10/ipsend/44arp.c *** ip_fil3.4.9/ipsend/44arp.c Thu Aug 5 03:31:01 1999 --- ip_fil3.4.10/ipsend/44arp.c Fri Aug 25 23:05:44 2000 *************** *** 67,73 **** struct sockaddr_dl *sdl; #ifdef IPSEND ! if (arp_getipv4(ip, ether) == 0) return 0; #endif --- 67,73 ---- struct sockaddr_dl *sdl; #ifdef IPSEND ! 
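Review bot: The new `(*linenum)++;` sits after the `p[len] = '\0'; break;` branch, which appears to be the path taken when fgets() returned a line with no trailing newline, so the last line of a file that lacks one is returned but never counted; the old caller-side `linenum++` counted every returned line, so an error reported on such a final line will now carry the previous line's number. Moving `(*linenum)++;` to immediately after the successful fgets() call, before the newline test, counts every physical line including that one. The rest of getline()'s body, including the fgets() call and the loop it sits in, is outside the hunk, so the meaning of that branch is inferred from the two lines above the insertion.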
if (arp_getipv4(addr, ether) == 0) return 0; #endif diff -cr ip_fil3.4.9/mlf_ipl.c ip_fil3.4.10/mlf_ipl.c *** ip_fil3.4.9/mlf_ipl.c Fri Apr 7 22:31:02 2000 --- ip_fil3.4.10/mlf_ipl.c Wed Aug 23 21:02:33 2000 *************** *** 95,100 **** --- 95,102 ---- SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RW, &fr_tcpidletimeout, 0, ""); + SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW, + &fr_tcphalfclosed, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RW, &fr_tcpclosewait, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RW, diff -cr ip_fil3.4.9/mlfk_ipl.c ip_fil3.4.10/mlfk_ipl.c *** ip_fil3.4.9/mlfk_ipl.c Sun Aug 6 00:46:36 2000 --- ip_fil3.4.10/mlfk_ipl.c Wed Aug 23 21:02:33 2000 *************** *** 23,29 **** * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ! * $Id: mlfk_ipl.c,v 2.1.2.2 2000/08/05 14:46:36 darrenr Exp $ */ --- 23,29 ---- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ! * $Id: mlfk_ipl.c,v 2.1.2.4 2000/08/23 11:02:33 darrenr Exp $ */ *************** *** 37,42 **** --- 37,43 ---- #include #include #include + #include #include *************** *** 64,69 **** --- 65,72 ---- &fr_tcptimeout, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RW, &fr_tcpclosed, 0, ""); + SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW, + &fr_tcphalfclosed, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RW, &fr_udptimeout, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RW, diff -cr ip_fil3.4.9/perl/plog ip_fil3.4.10/perl/plog *** ip_fil3.4.9/perl/plog Wed Apr 26 02:17:23 2000 --- ip_fil3.4.10/perl/plog Sat Aug 12 14:10:22 2000 *************** *** 320,327 **** defined ($arg) || &usage (1, qq{-$flag requires an argument}); if ($flag eq 's') { ! 
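Review bot: `SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW, &fr_tcphalfclosed, 0, "");` registers an int handler for an object that ip_state.h declares as `extern u_long fr_tcphalfclosed;`; the same line is added in the mlfk_ipl.c hunk at 64. This follows the existing fr_tcpidletimeout and fr_tcpclosed entries, but on an LP64 kernel the int handler copies only sizeof(int) bytes of the u_long, so the value read or written through sysctl and the value fr_tcp_age() ages with can differ. Either declare the timeouts as int consistently or register the u_long ones with SYSCTL_ULONG; the new line is the natural place to start since it has not shipped yet.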
defined ($services) && &usage (1, qq{too many service maps} ! ); $services = $arg; } elsif ($flag eq 'A') --- 320,326 ---- defined ($arg) || &usage (1, qq{-$flag requires an argument}); if ($flag eq 's') { ! defined ($services) && &usage (1, qq{too many service maps}); $services = $arg; } elsif ($flag eq 'A') *************** *** 433,440 **** # dd/mm/yyyy (no y2k problem here!). Both formats then have a packet # timestamp and the log info. my ($log); ! if (s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+( ! ?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//) { $log = $_; } --- 432,438 ---- # dd/mm/yyyy (no y2k problem here!). Both formats then have a packet # timestamp and the log info. my ($log); ! if (s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+(?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//) { $log = $_; } *************** *** 457,471 **** # number, "PR", a protocol name or number, "len", a header length, a # packet length (which will be in parentheses for protocols other than # TCP, UDP, or ICMP), and maybe some additional info. ! my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\ ! ..,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/ox); unless (scalar (@fields)) { print STDERR "$me:$.: cannot parse: $_\n"; next; } ! my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $mo ! re) = @fields; # Skip actions we're not interested in. next unless (exists ($selectActs{$act})); --- 455,467 ---- # number, "PR", a protocol name or number, "len", a header length, a # packet length (which will be in parentheses for protocols other than # TCP, UDP, or ICMP), and maybe some additional info. ! my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\..,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/ox); unless (scalar (@fields)) { print STDERR "$me:$.: cannot parse: $_\n"; next; } ! 
my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) = @fields; # Skip actions we're not interested in. next unless (exists ($selectActs{$act})); *************** *** 530,537 **** $dest = $x; # Skip hosts we're not interested in. ! next if ($selectHosts && !(exists ($selectHosts{$src}) || exists ($selectHo ! sts{$dest}))); # Convert proto to proto number. $proto = &protoNumber ($proto); --- 526,532 ---- $dest = $x; # Skip hosts we're not interested in. ! next if ($selectHosts && !(exists ($selectHosts{$src}) || exists ($selectHosts{$dest}))); # Convert proto to proto number. $proto = &protoNumber ($proto); *************** *** 566,577 **** } # Count the packet as outgoing traffic from the source address. ! &countPacket ($src, 's', $dest, $proto, $count, "$sport:$dport:$if:$act") i ! f ($sTable); # Count the packet as incoming traffic to the destination address. ! &countPacket ($dest, 'd', $src, $proto, $count, "$dport:$sport:$if:$act") i ! f ($dTable); } my $dir; --- 561,570 ---- } # Count the packet as outgoing traffic from the source address. ! &countPacket ($src, 's', $dest, $proto, $count, "$sport:$dport:$if:$act") if ($sTable); # Count the packet as incoming traffic to the destination address. ! &countPacket ($dest, 'd', $src, $proto, $count, "$dport:$sport:$if:$act") if ($dTable); } my $dir; *************** *** 588,603 **** { my @a = split (/\./, $a); my @b = split (/\./, $b); ! $a[0] <=> $b[0] || $a[1] <=> $b[1] || $a[2] <=> $b[2] || $a[3] <=> $b[3 ! ]; } sub packetSort { my ($asport, $adport, $aif, $aact) = split (/:/, $a); my ($bsport, $bdport, $bif, $bact) = split (/:/, $b); ! $bact cmp $aact || $aif cmp $bif || $asport <=> $bsport || $adport <=> ! $bdport; } my $host; --- 581,594 ---- { my @a = split (/\./, $a); my @b = split (/\./, $b); ! 
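Review bot: The rejoined regex in `my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\..,]+)\s+->.../ox);` still contains the class `[\w\-\..,]`, where `\.` is followed by a bare `.`; inside a character class both denote a literal dot, so the second looks like a leftover of the earlier wrap rather than intent. The destination class on the same line is `[\w\-\.,]`, so writing the source class the same way, `([\w\-\.,]+)`, removes the asymmetry without changing what matches. The hunk at 433 rejoins a similar wrapped regex and reads correctly as rejoined.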
$a[0] <=> $b[0] || $a[1] <=> $b[1] || $a[2] <=> $b[2] || $a[3] <=> $b[3]; } sub packetSort { my ($asport, $adport, $aif, $aact) = split (/:/, $a); my ($bsport, $bdport, $bif, $bact) = split (/:/, $b); ! $bact cmp $aact || $aif cmp $bif || $asport <=> $bsport || $adport <=> $bdport; } my $host; *************** *** 636,654 **** $act = '?' unless (defined ($act = $acts{$act})); if (($protoName eq 'tcp') || ($protoName eq 'udp')) { ! printf (" %-6s %7s %4d %4s %16s %2s %s.%s\n", $if, $ ! act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &po ! rtName ($dport, $protoName)); } elsif ($protoName eq 'icmp') { ! printf (" %-6s %7s %4d %4s %16s %2s %s\n", $if, $act ! , $count, $protoName, &icmpType ($sport), $arrow, $peerName); } else { ! printf (" %-6s %7s %4d %4s %16s %2s %s\n", $if, $act ! , $count, $protoName, '', $arrow, $peerName); } } } --- 627,641 ---- $act = '?' unless (defined ($act = $acts{$act})); if (($protoName eq 'tcp') || ($protoName eq 'udp')) { ! printf (" %-6s %7s %4d %4s %16s %2s %s.%s\n", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName)); } elsif ($protoName eq 'icmp') { ! printf (" %-6s %7s %4d %4s %16s %2s %s\n", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName); } else { ! printf (" %-6s %7s %4d %4s %16s %2s %s\n", $if, $act, $count, $protoName, '', $arrow, $peerName); } } } *************** *** 672,679 **** unless (exists ($pn{$pname})) { my $name = getservbyport ($port, $proto); ! $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '')); } return $pn{$pname}; } --- 659,665 ---- unless (exists ($pn{$pname})) { my $name = getservbyport ($port, $proto); ! $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? 
$port : '')); } return $pn{$pname}; } diff -cr ip_fil3.4.9/rules/BASIC.NAT ip_fil3.4.10/rules/BASIC.NAT *** ip_fil3.4.9/rules/BASIC.NAT Sat Aug 7 01:25:50 1999 --- ip_fil3.4.10/rules/BASIC.NAT Wed Aug 23 21:02:51 2000 *************** *** 8,13 **** --- 8,19 ---- # # If we have only 1 valid IP address from our ISP, then we do this: # + # To make ftp work, using the internal ftp proxy, use: + # + map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp + # + # For normal TCP/UDP and other IP protocols + # map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000 map ppp0 w.x.y.z/24 -> a.b.c.d/32 # *************** *** 38,45 **** #map ppp0 w.x.y.q/32 -> a.b.c.J/32 #map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000 #map ppp0 w.x.y.p/32 -> a.b.c.K/32 - # - # To make ftp work, using the internal ftp proxy, use: - # - map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp - # --- 44,46 ----
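Review bot: The relocated rule `map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp` now precedes the generic `portmap` and plain `map` rules, but the comment above it only says "To make ftp work" and does not record that its position matters. Since ipnat uses the first map rule that matches (unlike ipf's last-match filter rules), leaving the proxy rule after the generic ones, as this file previously did, lets the portmap rule claim ftp traffic first, which is presumably why it was moved. A line such as `# This rule must come before the general map rules below: the first matching map rule wins.` would keep the next editor from moving it back.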