diff -cr ip_fil3.4.15/HISTORY ip_fil3.4.16/HISTORY *** ip_fil3.4.15/HISTORY Sun Dec 17 23:43:44 2000 --- ip_fil3.4.16/HISTORY Mon Jan 15 02:00:38 2001 *************** *** 22,27 **** --- 22,35 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.16 15/01/2001 - Released + + fix race condition in flushing of state entries that are timing out + + Add TCP ECN patches + + log all NAT entries created, not just those via rules + 3.4.15 17/12/2000 - Released add minimum ttl filtering (to be replaced later by return-icmp-as-dest diff -cr ip_fil3.4.15/SunOS5/Makefile ip_fil3.4.16/SunOS5/Makefile *** ip_fil3.4.15/SunOS5/Makefile Wed Oct 18 22:28:02 2000 --- ip_fil3.4.16/SunOS5/Makefile Mon Nov 27 04:14:02 2000 *************** *** 21,27 **** #CPU:sh=uname -p #REV:sh=uname -r CPUDIR=`uname -p`-`uname -r` ! BITS:sh=if optisa sparcv9 >/dev/null 2>&1; then echo "64"; else echo "32"; fi CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf --- 21,28 ---- #CPU:sh=uname -p #REV:sh=uname -r CPUDIR=`uname -p`-`uname -r` ! #BITS:sh=optisa sparcv9 >/dev/null 2>&1; if [ $$? -eq 0 ] ; then echo "64"; else echo "32"; fi ! BITS=32 CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf diff -cr ip_fil3.4.15/SunOS5/pkginfo ip_fil3.4.16/SunOS5/pkginfo *** ip_fil3.4.15/SunOS5/pkginfo Sun Dec 17 23:28:52 2000 --- ip_fil3.4.16/SunOS5/pkginfo Mon Jan 15 00:47:15 2001 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.15 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.16 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.4.15/common.c ip_fil3.4.16/common.c *** ip_fil3.4.15/common.c Sun Sep 3 11:22:40 2000 --- ip_fil3.4.16/common.c Wed Jan 10 17:18:09 2001 *************** *** 52,59 **** char *proto = NULL; ! 
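Review bot: In SunOS5/Makefile the new `BITS=32` hard-codes a 32-bit build and leaves the `optisa sparcv9` probe only as a comment, without saying why detection was switched off or how to select 64. On a host running a 64-bit kernel this presumably produces a module that does not match the kernel, and nothing in the visible lines warns the builder. I would add a comment above the assignment, for example `# isa probe disabled; set BITS=64 by hand when building for a 64-bit kernel`.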
char flagset[] = "FSRPAU"; ! u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; #ifdef USE_INET6 void fill6bits __P((int, u_32_t *)); --- 52,60 ---- char *proto = NULL; ! char flagset[] = "FSRPAUEC"; ! u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, ! TH_ECN, TH_CWR }; #ifdef USE_INET6 void fill6bits __P((int, u_32_t *)); *************** *** 409,416 **** if (s && *s == '0') tcpfm = strtol(s, NULL, 0); ! if (!tcpfm) ! tcpfm = 0xff; *mask = tcpfm; return tcpf; } --- 410,421 ---- if (s && *s == '0') tcpfm = strtol(s, NULL, 0); ! if (!tcpfm) { ! if (tcpf == TH_SYN) ! tcpfm = 0xff & ~(TH_ECN|TH_CWR); ! else ! tcpfm = 0xff & ~(TH_ECN); ! } *mask = tcpfm; return tcpf; } diff -cr ip_fil3.4.15/ip_auth.c ip_fil3.4.16/ip_auth.c *** ip_fil3.4.15/ip_auth.c Sun Aug 6 00:48:50 2000 --- ip_fil3.4.16/ip_auth.c Wed Jan 10 17:18:35 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.4 2000/08/05 14:48:50 darrenr Exp $"; #endif #include --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $"; #endif #include *************** *** 352,358 **** READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, ! sizeof(fr_info_t)); RWLOCK_EXIT(&ipf_auth); if (error) break; --- 352,358 ---- READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, ! sizeof(frauth_t)); RWLOCK_EXIT(&ipf_auth); if (error) break; diff -cr ip_fil3.4.15/ip_compat.h ip_fil3.4.16/ip_compat.h *** ip_fil3.4.15/ip_compat.h Sun Nov 12 22:53:45 2000 --- ip_fil3.4.16/ip_compat.h Mon Jan 15 01:58:21 2001 *************** *** 6,12 **** * to the original author and the contributors. 
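Review bot: The new default mask in common.c depends on the flag value, `0xff & ~(TH_ECN|TH_CWR)` when `tcpf == TH_SYN` and `0xff & ~(TH_ECN)` otherwise, and nothing in the hunk explains why CWR is ignored only for a bare SYN. This default decides which packets a rule written without an explicit mask matches, so the rationale belongs next to the code (presumably it is there so that connections negotiating ECN still match older rules). I would add a comment to that effect and write the first case as `tcpfm = 0xff & ~TH_ECNALL;`, using the macro ip_compat.h gains in this same patch. The test is an exact `tcpf == TH_SYN`, so a rule for SYN+ACK takes the second branch; confirm that is intended. The enclosing function starts outside the hunk.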
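Review bot: The length given to `IWCOPYPTR` in ip_auth.c is still a type name written independently of the object being copied, which is how the old `sizeof(fr_info_t)` could disagree with the `fr_auth[]` element in the first place. Writing it as `sizeof(fr_auth[fr_authnext])` ties the size to the source object if the element type changes again. The call appears to hand a whole kernel structure to the caller's buffer, so confirm that `frauth_t` carries no kernel pointers or uninitialised padding that a reader of the auth device should not see. Its definition is not part of this diff.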
* * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.7 2000/11/12 11:53:45 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 974,981 **** #define A_A & #endif - #define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) - #ifndef ICMP_ROUTERADVERT # define ICMP_ROUTERADVERT 9 #endif --- 974,979 ---- *************** *** 997,1001 **** --- 995,1012 ---- #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) #define ICMP6ERR_MINPKTLEN (40 + 8) #define ICMP6ERR_IPICMPHLEN (40 + 8 + 40) + + /* + * ECN is a new addition to TCP - RFC 2481 + */ + #ifndef TH_ECN + # define TH_ECN 0x40 + #endif + #ifndef TH_CWR + # define TH_CWR 0x80 + #endif + #define TH_ECNALL (TH_ECN|TH_CWR) + + #define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR) #endif /* __IP_COMPAT_H__ */ diff -cr ip_fil3.4.15/ip_nat.c ip_fil3.4.16/ip_nat.c *** ip_fil3.4.15/ip_nat.c Sun Dec 17 08:06:40 2000 --- ip_fil3.4.16/ip_nat.c Wed Jan 10 17:19:11 2001 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.31 2000/12/16 21:06:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 2049,2055 **** if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == srcip && nat->nat_oip.s_addr == dst.s_addr && ! 
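Review bot: With `TH_ECN` and `TH_CWR` added, `TCPF_ALL` in ip_compat.h covers every bit of an 8-bit flags field, so a test of the form `flags & ~TCPF_ALL` can no longer be true. The users of `TCPF_ALL` are outside this diff; if any relied on it to notice the two formerly reserved bits, that check is silently gone and should be reviewed. The `#ifndef` guards also accept whatever value a system header gives these names, so the comment could state the expected values, e.g. `/* ECN (RFC 2481): TH_ECN is ECN-Echo, 0x40; TH_CWR is 0x80 */`.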
(((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP))) || (p == nat->nat_p)) && (!flags || ((nat->nat_inport == sport || nflags & FI_W_SPORT) && (nat->nat_oport == dport || nflags & FI_W_DPORT)))) --- 2049,2055 ---- if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == srcip && nat->nat_oip.s_addr == dst.s_addr && ! (((p == 0) && (flags == (nflags & IPN_TCPUDP))) || (p == nat->nat_p)) && (!flags || ((nat->nat_inport == sport || nflags & FI_W_SPORT) && (nat->nat_oport == dport || nflags & FI_W_DPORT)))) diff -cr ip_fil3.4.15/ip_state.c ip_fil3.4.16/ip_state.c *** ip_fil3.4.15/ip_state.c Sat Dec 2 11:15:25 2000 --- ip_fil3.4.16/ip_state.c Tue Jan 9 01:04:46 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.27 2000/12/02 00:15:25 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $"; #endif #include *************** *** 1373,1378 **** --- 1373,1381 ---- } + /* + * Must always be called with fr_ipfstate held as a write lock. + */ static void fr_delstate(is) ipstate_t *is; { *************** *** 1391,1397 **** fr = is->is_rule; if (fr != NULL) { ! ATOMIC_DEC32(fr->fr_ref); if (fr->fr_ref == 0) { KFREE(fr); } --- 1394,1400 ---- fr = is->is_rule; if (fr != NULL) { ! 
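Review bot: The comment added above `fr_delstate()` in ip_state.c names the lock `fr_ipfstate`, but the lock released around the caller in this file's later hunk is `ipf_state` (`RWLOCK_EXIT(&ipf_state)`). A locking contract that names a lock nobody can search for is easy to violate. I would write `Must always be called with ipf_state held as a write lock.`, assuming `ipf_state` is indeed the lock meant.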
fr->fr_ref--; if (fr->fr_ref == 0) { KFREE(fr); } *************** *** 1447,1458 **** fr_delstate(is); } else isp = &is->is_next; - RWLOCK_EXIT(&ipf_state); - SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } } --- 1450,1461 ---- fr_delstate(is); } else isp = &is->is_next; if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } + RWLOCK_EXIT(&ipf_state); + SPL_X(s); } diff -cr ip_fil3.4.15/ipfs.c ip_fil3.4.16/ipfs.c *** ip_fil3.4.15/ipfs.c Mon Nov 27 21:29:32 2000 --- ip_fil3.4.16/ipfs.c Wed Jan 10 17:20:12 2001 *************** *** 41,47 **** #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.2 2000/11/27 10:29:32 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR --- 41,47 ---- #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR *************** *** 451,456 **** --- 451,461 ---- return 1; } is = (ipstate_save_t *)malloc(sizeof(*is)); + if(!is) { + fprintf(stderr, "malloc failed\n"); + return 1; + } + bcopy((char *)&ips, (char *)is, sizeof(ips)); /* diff -cr ip_fil3.4.15/ipft_tx.c ip_fil3.4.16/ipft_tx.c *** ip_fil3.4.15/ipft_tx.c Tue Mar 14 09:10:24 2000 --- ip_fil3.4.16/ipft_tx.c Wed Jan 10 17:19:53 2001 *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3 2000/03/13 22:10:24 darrenr Exp $"; #endif extern int opts; --- 43,49 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $"; #endif extern int opts; *************** *** 54,62 **** static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); ! 
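Review bot: Replacing `ATOMIC_DEC32(fr->fr_ref)` with a plain `fr->fr_ref--` in ip_state.c is safe only if every other writer of a rule's `fr_ref` also holds the state write lock. The rule comes from `is->is_rule` and is presumably referenced from the filter list as well. If its count is adjusted elsewhere under a different lock (not visible here), the decrement and the `fr_ref == 0` test can race, and `KFREE(fr)` may free a rule that is still in use or free it twice. I would either keep the atomic decrement or add a comment naming the lock that protects the count, e.g. `/* fr_ref is only modified with ipf_state write-held */`, once that has been verified. The enclosing function starts and ends outside the hunk.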
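Review bot: `fr_state_flush(1)` now runs before `RWLOCK_EXIT(&ipf_state)`, that is, with the state write lock still held and before `SPL_X(s)`. If `fr_state_flush()` or anything it calls acquires `ipf_state` itself, this path self-deadlocks; its body is not in the diff, so it and its other callers need checking. A comment on `fr_state_flush()` such as `/* caller must hold ipf_state as a write lock */` would document the new contract. `fr_state_doflush` is tested and cleared here as well, so confirm that whoever sets it does so under the same lock.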
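Review bot: The new failure path in ipfs.c prints `malloc failed` with `fprintf` and so drops `errno`, while the equivalent checks added to ipsend/ip.c and ipsend/resend.c use `perror`. ipsend/ipsend.c repeats the `fprintf` form. One style across the four would be `perror("malloc");`. The `bcopy` that follows copies `sizeof(ips)` bytes into a block allocated as `sizeof(*is)`; the declaration of `ips` is outside the hunk, so confirm the two are the same type, or note it in a comment. The enclosing function starts and ends outside the hunk.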
static char _tcp_flagset[] = "FSRPAU"; static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, ! TH_ACK, TH_URG }; struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; --- 54,62 ---- static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); ! static char _tcp_flagset[] = "FSRPAUEC"; static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, ! TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; diff -cr ip_fil3.4.15/ipl.h ip_fil3.4.16/ipl.h *** ip_fil3.4.15/ipl.h Sun Dec 17 23:28:50 2000 --- ip_fil3.4.16/ipl.h Mon Jan 15 00:47:15 2001 *************** *** 6,17 **** * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.16 2000/12/17 12:28:50 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.15" #endif --- 6,17 ---- * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.16" #endif diff -cr ip_fil3.4.15/ipmon.c ip_fil3.4.16/ipmon.c *** ip_fil3.4.15/ipmon.c Wed Nov 1 09:17:41 2000 --- ip_fil3.4.16/ipmon.c Wed Jan 10 17:18:08 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.6 2000/10/31 22:17:41 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 91,96 **** --- 91,98 ---- { TH_FIN, 'F' }, { TH_URG, 'U' }, { TH_PUSH,'P' }, + { TH_ECN, 'E' }, + { TH_CWR, 'C' }, { 0, '\0' } }; *************** *** 144,149 **** --- 146,152 ---- #define OPT_FILTER 0x200 #define OPT_PORTNUM 0x400 #define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) + #define OPT_LOGBODY 0x800 #define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b)) *************** *** 836,841 **** --- 839,846 ---- dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf)); if (opts & OPT_HEXBODY) dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen); + else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY)) + dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen); } *************** *** 947,953 **** iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; ! while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : --- 952,958 ---- iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; ! while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : *************** *** 955,960 **** --- 960,968 ---- fdt[0] = IPL_LOGIPF; fdt[1] = IPL_LOGNAT; fdt[2] = IPL_LOGSTATE; + break; + case 'b' : + opts |= OPT_LOGBODY; break; case 'D' : make_daemon = 1; diff -cr ip_fil3.4.15/ipsend/ip.c ip_fil3.4.16/ipsend/ip.c *** ip_fil3.4.15/ipsend/ip.c Thu Aug 5 03:31:04 1999 --- ip_fil3.4.16/ipsend/ip.c Wed Jan 10 17:21:19 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $"; #endif #include #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! 
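Review bot: The added `dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen)` in ipmon.c trusts `fl_hlen` and `fl_plen` from the log record without comparing them to the number of bytes actually read into the buffer. The `OPT_HEXBODY` line above it has the same shape, so the pattern is inherited, but a short or corrupt record would make either call read past the record. I would bound the length before both calls, e.g. `if ((size_t)ipf->fl_hlen + ipf->fl_plen > avail) return;`, where `avail` is a placeholder for the bytes remaining after the `iplog_t` and `*ipf` headers (the length parameter is outside the hunk). Because this option writes packet payload to the log, the log destination's permissions matter more once it is enabled.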
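Review bot: The new `b` option in ipmon.c is added to the `getopt` string and sets `OPT_LOGBODY`, but no usage text or ipmon manual page change appears in the part of the patch visible here. The flag only takes effect for records with `FR_LOGBODY` set and is skipped when `OPT_HEXBODY` is set (the `else if` in the earlier hunk), which is not obvious from the option name. I would add a comment at the case, e.g. `/* -b: dump packet body for records flagged FR_LOGBODY; no effect with OPT_HEXBODY */`, and document the option alongside the others.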
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $"; #endif #include #include *************** *** 99,105 **** --- 99,113 ---- int err, iplen; if (!ipbuf) + { ipbuf = (char *)malloc(65536); + if(!ipbuf) + { + perror("malloc failed"); + return -2; + } + } + eh = (ether_header_t *)ipbuf; bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); diff -cr ip_fil3.4.15/ipsend/ipsend.c ip_fil3.4.16/ipsend/ipsend.c *** ip_fil3.4.15/ipsend/ipsend.c Sat Dec 4 14:37:05 1999 --- ip_fil3.4.16/ipsend/ipsend.c Wed Jan 10 17:21:19 2001 *************** *** 12,18 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $"; #endif #include #include --- 12,18 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 darrenr Exp $"; #endif #include #include *************** *** 347,352 **** --- 347,358 ---- printf("Options: %d\n", olen); ti = (struct tcpiphdr *)malloc(olen + ip->ip_len); + if(!ti) + { + fprintf(stderr,"malloc failed\n"); + exit(2); + } + bcopy((char *)ip, (char *)ti, sizeof(*ip)); ip = (ip_t *)ti; ip->ip_hl = (olen >> 2); diff -cr ip_fil3.4.15/ipsend/resend.c ip_fil3.4.16/ipsend/resend.c *** ip_fil3.4.15/ipsend/resend.c Thu Aug 5 03:31:12 1999 --- ip_fil3.4.16/ipsend/resend.c Wed Jan 10 17:21:20 2001 *************** *** 12,18 **** */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $"; #endif #include #include --- 12,18 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; ! 
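Review bot: The new allocation-failure path in ipsend/ip.c returns `-2`, a value not otherwise visible in this hunk, and ipsend/resend.c adds the same `return -2`. Callers are outside the diff, so confirm they test for `< 0` rather than `== -1`; otherwise the failure is treated as success. The literal `65536` would also read better as a named constant shared with any later bounds checks on `ipbuf`. The function body starts and ends outside the hunk.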
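Review bot: The added NULL check in ipsend/ipsend.c covers allocation failure but not an undersized allocation: the block is `olen + ip->ip_len` bytes and the next line copies `sizeof(*ip)` bytes into it. If `ip->ip_len` can be smaller than the IP header at this point (it is presumably derived from user-supplied options; the assignment is outside the hunk), the `bcopy` writes past the heap block. A guard before the `malloc`, e.g. `if (ip->ip_len < sizeof(*ip)) { fprintf(stderr, "bad ip length\n"); exit(2); }`, would close that.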
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $"; #endif #include #include *************** *** 97,102 **** --- 97,107 ---- ip = (struct ip *)pbuf; eh = (ether_header_t *)malloc(sizeof(*eh)); + if(!eh) + { + perror("malloc failed"); + return -2; + } bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1)) diff -cr ip_fil3.4.15/man/ipfstat.8 ip_fil3.4.16/man/ipfstat.8 *** ip_fil3.4.15/man/ipfstat.8 Sat Jun 3 14:56:52 2000 --- ip_fil3.4.16/man/ipfstat.8 Mon Nov 27 04:14:30 2000 *************** *** 139,152 **** .SH STATE TOP Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In this mode the state table is displayed similar to the way \fBtop\fP displays ! the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and\fB\-T\fP commandline options can be used to restrict the state entries that will be shown and to specify the frequency of display updates. .PP In state top mode, the following keys can be used to influence the displayed ! information. \fBl\fP can be used to redraw the screen. \fBq\fP is used to ! quit the program. \fBs\fP can be used to change the sorting criterion and ! \fBr\fP can be used to reverse the sorting criterion. .PP States can be sorted by protocol number, by number of IP packets, by number of bytes and by time-to-live of the state entry. The default is to sort by --- 139,160 ---- .SH STATE TOP Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In this mode the state table is displayed similar to the way \fBtop\fP displays ! the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP commandline options can be used to restrict the state entries that will be shown and to specify the frequency of display updates. .PP In state top mode, the following keys can be used to influence the displayed ! information: ! .TP ! \fBd\fP select information to display. ! .TP ! 
\fBl\fP redraw the screen. ! .TP ! \fBq\fP quit the program. ! .TP ! \fBs\fP switch between different sorting criterion. ! .TP ! \fBr\fP reverse the sorting criterion. .PP States can be sorted by protocol number, by number of IP packets, by number of bytes and by time-to-live of the state entry. The default is to sort by diff -cr ip_fil3.4.15/samples/userauth.c ip_fil3.4.16/samples/userauth.c *** ip_fil3.4.15/samples/userauth.c Thu Dec 9 01:36:11 1999 --- ip_fil3.4.16/samples/userauth.c Wed Jan 10 17:20:54 2001 *************** *** 21,27 **** char yn[16]; int fd; ! fd = open(IPL_NAME, O_RDWR); while (ioctl(fd, SIOCAUTHW, &frap) == 0) { if (fra.fra_info.fin_out) fra.fra_pass = FR_OUTQUE; --- 21,27 ---- char yn[16]; int fd; ! fd = open(IPL_AUTH, O_RDWR); while (ioctl(fd, SIOCAUTHW, &frap) == 0) { if (fra.fra_info.fin_out) fra.fra_pass = FR_OUTQUE; diff -cr ip_fil3.4.15/test/expected/i7 ip_fil3.4.16/test/expected/i7 *** ip_fil3.4.15/test/expected/i7 Wed Mar 8 23:04:56 2000 --- ip_fil3.4.16/test/expected/i7 Fri Jan 12 01:06:50 2001 *************** *** 1,4 **** pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/0xff pass in on lo0(!) proto tcp from any to any flags /SPA block in on lo0(!) proto tcp from any to any flags 0x80/A --- 1,4 ---- pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/0xbf pass in on lo0(!) proto tcp from any to any flags /SPA block in on lo0(!) proto tcp from any to any flags 0x80/A
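Review bot: In samples/userauth.c the result of `open(IPL_AUTH, O_RDWR)` is passed straight to `ioctl()` without a check. If the device is missing or the caller lacks permission, `fd` is -1, the first `ioctl` fails, the loop body never runs, and nothing in the visible lines reports why. I would add `if (fd == -1) { perror(IPL_AUTH); exit(1); }` after the `open`, since sample code tends to be copied as is. The enclosing function starts and ends outside the hunk.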