diff -cr ip_fil3.4.12/HISTORY ip_fil3.4.13/HISTORY *** ip_fil3.4.12/HISTORY Thu Oct 26 21:42:51 2000 --- ip_fil3.4.13/HISTORY Sat Oct 28 09:54:28 2000 *************** *** 22,27 **** --- 22,34 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.13 28/10/2000 - Released + + fix introduced bug with ICMP packets being rejected when valid + + fix bug with proxy's that don't set fin_dlen correctly when calling + fr_addstate() + 3.4.12 26/10/2000 - Released fix installing into FreeBSD-4.1 diff -cr ip_fil3.4.12/SunOS5/pkginfo ip_fil3.4.13/SunOS5/pkginfo *** ip_fil3.4.12/SunOS5/pkginfo Wed Oct 25 22:08:40 2000 --- ip_fil3.4.13/SunOS5/pkginfo Sat Oct 28 09:54:42 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.12 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.13 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.4.12/ip_ftp_pxy.c ip_fil3.4.13/ip_ftp_pxy.c *** ip_fil3.4.12/ip_ftp_pxy.c Fri Oct 20 02:40:40 2000 --- ip_fil3.4.13/ip_ftp_pxy.c Sat Oct 28 01:02:10 2000 *************** *** 2,8 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.17 2000/10/19 15:40:40 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 2,8 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
* $Id: ip_ftp_pxy.c,v 2.7.2.18 2000/10/27 14:02:10 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 252,257 **** --- 252,258 ---- tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; + fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; swip = ip->ip_src; ip->ip_src = nat->nat_inip; *************** *** 467,472 **** --- 468,474 ---- tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; fi.fin_data[0] = a5 << 8 | a6; + fi.fin_dlen = sizeof(*tcp2); tcp2->th_dport = htons(fi.fin_data[0]); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; diff -cr ip_fil3.4.12/ip_nat.c ip_fil3.4.13/ip_nat.c *** ip_fil3.4.12/ip_nat.c Wed Oct 25 21:38:47 2000 --- ip_fil3.4.13/ip_nat.c Sat Oct 28 01:06:48 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.25 2000/10/25 10:38:47 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.26 2000/10/27 14:06:48 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 118,124 **** u_int ipf_natrules_sz = NAT_SIZE; u_int ipf_rdrrules_sz = RDR_SIZE; u_int ipf_hostmap_sz = HOSTMAP_SIZE; - int nat_wilds = 0; u_32_t nat_masks = 0; u_32_t rdr_masks = 0; ipnat_t **nat_rules = NULL; --- 118,123 ---- *************** *** 144,150 **** static int fr_natgetent __P((caddr_t)); static int fr_natgetsz __P((caddr_t)); static int fr_natputent __P((caddr_t)); ! 
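Review bot: The new `fi.fin_dlen = sizeof(*tcp2);` in ip_ftp_pxy.c (hunks at 252 and 467) has no comment saying why a hand-built `fi` needs it, and the same line is repeated in ip_raudio_pxy.c (265) and ip_rcmd_pxy.c (146). HISTORY ties the bug to fr_addstate() being called with a wrong fin_dlen, so every proxy that synthesises a TCP header has to remember this by hand. I would add above each assignment `/* fin_dlen must cover the synthesised TCP header; fr_addstate() relies on it */`. In the 467 hunk the assignment also lands between `fi.fin_data[0] = a5 << 8 | a6;` and the `tcp2->th_dport = htons(fi.fin_data[0]);` that consumes it; placing it next to `fi.fin_dp = (char *)tcp2;`, as in the other hunks, keeps the port lines together. The enclosing functions start and end outside these hunks.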
static void nat_tabmove __P((nat_t *, u_int)); static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); --- 143,149 ---- static int fr_natgetent __P((caddr_t)); static int fr_natgetsz __P((caddr_t)); static int fr_natputent __P((caddr_t)); ! static void nat_tabmove __P((nat_t *)); static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); *************** *** 1004,1010 **** struct ipnat *ipn; if (natd->nat_flags & FI_WILDP) ! nat_wilds--; if (natd->nat_hnext[0]) natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0]; *natd->nat_phnext[0] = natd->nat_hnext[0]; --- 1003,1009 ---- struct ipnat *ipn; if (natd->nat_flags & FI_WILDP) ! nat_stats.ns_wilds--; if (natd->nat_hnext[0]) natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0]; *natd->nat_phnext[0] = natd->nat_hnext[0]; *************** *** 1148,1154 **** bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; if (flags & FI_WILDP) ! nat_wilds++; /* * Search the current table for a match. */ --- 1147,1153 ---- bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; if (flags & FI_WILDP) ! nat_stats.ns_wilds++; /* * Search the current table for a match. */ *************** *** 1916,1922 **** ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))))) return nat; } ! if (!nat_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz); --- 1915,1921 ---- ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))))) return nat; } ! if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz); *************** *** 1935,1942 **** continue; if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) { ! hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz); ! 
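Review bot: `nat_stats.ns_wilds` is declared `u_int` in the ip_nat.h hunk, whereas the `nat_wilds` it replaces was `int`, so an unmatched `nat_stats.ns_wilds--` at 1004 (or at 2179 and 2392) now wraps to a very large value. That value is printed by ipnat as a statistic, and it also keeps the `!nat_stats.ns_wilds` gate at 1916 and 2018 open, so every TCP/UDP miss would release `ipf_nat` and take the wildcard rescan. A guard such as `if ((natd->nat_flags & FI_WILDP) && nat_stats.ns_wilds > 0)` would contain it. The increment at 1148 happens before the table search; any failure exit further down that function is outside the hunk and would need to undo the increment if it frees the entry directly.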
nat_tabmove(nat, hv); break; } } --- 1934,1940 ---- continue; if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) { ! nat_tabmove(nat); break; } } *************** *** 1945,1955 **** } ! static void nat_tabmove(nat, hv) nat_t *nat; - u_int hv; { nat_t **natp; /* * Remove the NAT entry from the old location --- 1943,1953 ---- } ! static void nat_tabmove(nat) nat_t *nat; { nat_t **natp; + u_int hv; /* * Remove the NAT entry from the old location *************** *** 1959,1967 **** *nat->nat_phnext[0] = nat->nat_hnext[0]; if (nat->nat_hnext[1]) ! nat->nat_hnext[0]->nat_phnext[1] = nat->nat_phnext[1]; *nat->nat_phnext[1] = nat->nat_hnext[1]; natp = &nat_table[0][hv]; if (*natp) (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; --- 1957,1970 ---- *nat->nat_phnext[0] = nat->nat_hnext[0]; if (nat->nat_hnext[1]) ! nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1]; *nat->nat_phnext[1] = nat->nat_hnext[1]; + /* + * Add into the NAT table in the new position + */ + hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, + ipf_nattable_sz); natp = &nat_table[0][hv]; if (*natp) (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; *************** *** 1969,1977 **** nat->nat_hnext[0] = *natp; *natp = nat; ! /* ! * Add into the NAT table in the new position ! */ natp = &nat_table[1][hv]; if (*natp) (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; --- 1972,1979 ---- nat->nat_hnext[0] = *natp; *natp = nat; ! hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, ! ipf_nattable_sz); natp = &nat_table[1][hv]; if (*natp) (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; *************** *** 2018,2024 **** (nat->nat_oport == dport || nflags & FI_W_DPORT)))) return nat; } ! if (!nat_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz); --- 2020,2026 ---- (nat->nat_oport == dport || nflags & FI_W_DPORT)))) return nat; } ! 
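Review bot: nat_tabmove() now derives both bucket indexes from the entry's own `nat_inip`/`nat_inport` and `nat_outip`/`nat_outport` (hunks 1959 and 1969), but the callers at 1935 and 2037 reach it for entries that matched through `FI_W_SPORT`/`FI_W_DPORT`. The only writes of the real ports visible in this diff (`nat->nat_outport = sport;` at 2179, `= dport;` at 2392) sit in other hunks. If those writes run after the lookup returns, the entry is rehashed with its wildcard port and may land in a bucket the exact-match lookup does not probe, whereas the old code hashed on the packet's ports. Either way the precondition deserves a header comment, e.g. `/* nat's ports must already hold the packet's values; caller holds ipf_nat for writing (confirm) */`. The function body is split across three hunks and the lines between them are not shown.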
if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; RWLOCK_EXIT(&ipf_nat); hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz); *************** *** 2037,2044 **** continue; if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) { ! hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz); ! nat_tabmove(nat, hv); break; } } --- 2039,2045 ---- continue; if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) { ! nat_tabmove(nat); break; } } *************** *** 2179,2185 **** nat->nat_outport = sport; nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT); nflags = nat->nat_flags; ! nat_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); --- 2180,2186 ---- nat->nat_outport = sport; nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT); nflags = nat->nat_flags; ! nat_stats.ns_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); *************** *** 2392,2398 **** nat->nat_outport = dport; nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT); nflags = nat->nat_flags; ! nat_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); --- 2393,2399 ---- nat->nat_outport = dport; nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT); nflags = nat->nat_flags; ! nat_stats.ns_wilds--; } } else { RWLOCK_EXIT(&ipf_nat); diff -cr ip_fil3.4.12/ip_nat.h ip_fil3.4.13/ip_nat.h *** ip_fil3.4.12/ip_nat.h Fri Oct 20 02:44:04 2000 --- ip_fil3.4.13/ip_nat.h Sat Oct 28 01:06:51 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.9 2000/10/19 15:44:04 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! 
* $Id: ip_nat.h,v 2.17.2.10 2000/10/27 14:06:51 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 207,212 **** --- 207,213 ---- u_int ns_rultab_sz; u_int ns_rdrtab_sz; nat_t *ns_instances; + u_int ns_wilds; } natstat_t; #define IPN_ANY 0x000 diff -cr ip_fil3.4.12/ip_raudio_pxy.c ip_fil3.4.13/ip_raudio_pxy.c *** ip_fil3.4.12/ip_raudio_pxy.c Sun Sep 3 11:23:12 2000 --- ip_fil3.4.13/ip_raudio_pxy.c Sat Oct 28 09:54:04 2000 *************** *** 1,5 **** /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.2 2000/09/03 00:23:12 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 1,5 ---- /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.3 2000/10/27 22:54:04 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 265,270 **** --- 265,271 ---- tcp2->th_off = 5; fi.fin_dp = (char *)tcp2; fi.fin_fr = &raudiofr; + fi.fin_dlen = sizeof(*tcp2); tcp2->th_win = htons(8192); slen = ip->ip_len; ip->ip_len = fin->fin_hlen + sizeof(*tcp); diff -cr ip_fil3.4.12/ip_rcmd_pxy.c ip_fil3.4.13/ip_rcmd_pxy.c *** ip_fil3.4.12/ip_rcmd_pxy.c Sat Jul 15 22:38:30 2000 --- ip_fil3.4.13/ip_rcmd_pxy.c Sat Oct 28 09:54:04 2000 *************** *** 1,5 **** /* ! * $Id: ip_rcmd_pxy.c,v 1.4.2.2 2000/07/15 12:38:30 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT --- 1,5 ---- /* ! * $Id: ip_rcmd_pxy.c,v 1.4.2.3 2000/10/27 22:54:04 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. 
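Review bot: Appending `u_int ns_wilds;` changes `sizeof(natstat_t)`, and the ipnat.c hunk in this diff prints `ns.ns_wilds`, so the structure is presumably filled by the kernel and read in userland. An ipnat binary built against 3.4.12 headers and run on a 3.4.13 kernel, or the reverse, would disagree on the size. How the copy is sized is not visible here, so confirm that a mismatched pair fails cleanly and does not copy past the smaller buffer. A comment on the struct such as `/* exported to ipnat; changing the layout requires rebuilding the userland tools */` would record that.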
For use with the NAT *************** *** 146,151 **** --- 146,152 ---- fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_dlen = sizeof(*tcp2); swip = ip->ip_src; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, diff -cr ip_fil3.4.12/ip_state.c ip_fil3.4.13/ip_state.c *** ip_fil3.4.12/ip_state.c Thu Oct 26 21:41:29 2000 --- ip_fil3.4.13/ip_state.c Sat Oct 28 01:06:08 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.22 2000/10/26 10:41:29 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.23 2000/10/27 14:06:08 darrenr Exp $"; #endif #include *************** *** 1188,1193 **** --- 1188,1194 ---- * ...and put the hash in the new one. */ hvm = hv % fr_statesize; + is->is_hv = hvm; isp = &ips_table[hvm]; if (*isp) (*isp)->is_phnext = &is->is_hnext; diff -cr ip_fil3.4.12/ipl.h ip_fil3.4.13/ipl.h *** ip_fil3.4.12/ipl.h Wed Oct 25 22:08:41 2000 --- ip_fil3.4.13/ipl.h Sat Oct 28 09:54:41 2000 *************** *** 6,17 **** * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.13 2000/10/25 11:08:41 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.12" #endif --- 6,17 ---- * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.14 2000/10/27 22:54:41 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! 
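Review bot: The added `is->is_hv = hvm;` in ip_state.c stores the already reduced index (`hv % fr_statesize`), and nothing in the hunk says which form `is_hv` is meant to hold. If the insert path in fr_addstate() (not shown) stores the unreduced hash, entries would carry different kinds of value depending on whether they had been moved. A short comment, `/* is_hv always holds the bucket index the entry is linked under */`, would pin the invariant. The enclosing function starts and ends outside the hunk.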
#define IPL_VERSION "IP Filter: v3.4.13" #endif diff -cr ip_fil3.4.12/iplang/Makefile ip_fil3.4.13/iplang/Makefile *** ip_fil3.4.12/iplang/Makefile Tue Mar 14 12:05:02 2000 --- ip_fil3.4.13/iplang/Makefile Sat Oct 28 01:05:47 2000 *************** *** 11,16 **** --- 11,19 ---- $(DESTDIR)/y.tab.o: $(DESTDIR)/y.tab.c $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@ + $(DESTDIR)/$(OBJ)/y.tab.o: $(DESTDIR)/y.tab.c + $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@ + $(DESTDIR)/lex.yy.o: $(DESTDIR)/lex.yy.c $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/lex.yy.c -o $@ diff -cr ip_fil3.4.12/ipnat.c ip_fil3.4.13/ipnat.c *** ip_fil3.4.12/ipnat.c Thu Jul 27 23:07:13 2000 --- ip_fil3.4.13/ipnat.c Sat Oct 28 01:06:47 2000 *************** *** 57,63 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.3 2000/07/27 13:07:13 darrenr Exp $"; #endif --- 57,63 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.4 2000/10/27 14:06:47 darrenr Exp $"; #endif *************** *** 309,314 **** --- 309,315 ---- printf("no memory\t%lu\tbad nat\t%lu\n", ns.ns_memfail, ns.ns_badnat); printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules); + printf("wilds\t%u\n", ns.ns_wilds); if (opts & OPT_VERBOSE) printf("table %p list %p\n", ns.ns_table, ns.ns_list); }
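Review bot: The new `$(DESTDIR)/$(OBJ)/y.tab.o` rule in iplang/Makefile repeats the `$(DESTDIR)/y.tab.o` recipe verbatim, and the hunk adds no matching `$(DESTDIR)/$(OBJ)/lex.yy.o` rule. A build that places objects under `$(OBJ)` would then get only half of the parser pair from explicit rules. Listing both targets on one rule line, `$(DESTDIR)/y.tab.o $(DESTDIR)/$(OBJ)/y.tab.o: $(DESTDIR)/y.tab.c`, keeps the two recipes from drifting apart. Whether a lex.yy.o counterpart exists elsewhere in the Makefile is not visible from this hunk.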