diff -cr ip_fil3.4.16/BNF ip_fil3.4.17/BNF *** ip_fil3.4.16/BNF Sun Sep 17 19:36:08 2000 --- ip_fil3.4.17/BNF Wed Mar 21 00:18:43 2001 *************** *** 17,23 **** call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . ! froute = "fastroute" | "to" interface-name . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" object "to" object . --- 17,23 ---- call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . ! froute = "fastroute" | "to" interface-name [ ":" ipaddr ] . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" object "to" object . diff -cr ip_fil3.4.16/HISTORY ip_fil3.4.17/HISTORY *** ip_fil3.4.16/HISTORY Mon Jan 15 02:00:38 2001 --- ip_fil3.4.17/HISTORY Fri Apr 6 21:20:18 2001 *************** *** 22,27 **** --- 22,47 ---- # and especially those who have found the time to port IP Filter to new # platforms. 
# + 3.4.17 06/04/2001 - Released + + fix fragment#0 handling bug where they could get in via cache information + created by state table entries + + use ire_walk to look for ire cache entries with link layer headers cached + + deal with bad SPL assumptions for log reading on BSD + + fix ftp proxy to allow logins with passwords + + some auth rule patches, fixing byte endian problems and returning as an error + + support LOG_SECURITY, where available, in ipmon + + don't return an error for packets which match auth rules + + introduce fr_icmpacktimeout to timeout entries once an ICMP reply has + been seen separately to when created + 3.4.16 15/01/2001 - Released fix race condition in flushing of state entries that are timing out diff -cr ip_fil3.4.16/IMPORTANT ip_fil3.4.17/IMPORTANT *** ip_fil3.4.16/IMPORTANT Thu Aug 5 03:29:51 1999 --- ip_fil3.4.17/IMPORTANT Tue Apr 3 23:06:56 2001 *************** *** 3,43 **** **************************************** 1) - If you're using this software and have a rule which ends like this: - - flags S - - (for TCP), then to make it totally effective, you need to change it to appear - as follows: - - flags S/SA - - The problem is that the old code would compare all the TCP flags against the - rule (which just has "S") to see if that matched exactly. It is very possible - for this to not be the case and in these cases, the rule would fail to match - a 'valid' TCP SYN packet. - - Why does it need to be "S/SA" and not "S/S" ? - - "S/S" will match the SYN-ACK as well the SYN. - - By defalt, "flags S" will now be converted to "flags S/AUPRFS". - - If you have any queries regarding this, see the examples and ipf(4). - If you still have a query or suggestion, please email me. 
- - - 2) - - If a filter rule used, in combination port comparisons and the flags - keywords, a "short" TCP packet, if not explicitly blocked high up in - the list of packets, would actually get matched even though it would - otherwise not have been (due to the ports not). This behaviour has - subsequently been fixed. - - - 3) - If you have BOTH GNU make and the normal make shipped with your system, DO NOT use the GNU make to build this package. --- 3,8 ---- diff -cr ip_fil3.4.16/SunOS5/copyright ip_fil3.4.17/SunOS5/copyright *** ip_fil3.4.16/SunOS5/copyright Thu Aug 5 03:30:47 1999 --- ip_fil3.4.17/SunOS5/copyright Wed Mar 21 00:20:17 2001 *************** *** 1,5 **** ! Copyright (C) 1993-1998 by Darren Reed. The author accepts no responsibility for the use of this software and provides it on an ``as is'' basis without express or implied warranty. --- 1,5 ---- ! Copyright (C) 1993-2001 by Darren Reed. The author accepts no responsibility for the use of this software and provides it on an ``as is'' basis without express or implied warranty. diff -cr ip_fil3.4.16/SunOS5/pkginfo ip_fil3.4.17/SunOS5/pkginfo *** ip_fil3.4.16/SunOS5/pkginfo Mon Jan 15 00:47:15 2001 --- ip_fil3.4.17/SunOS5/pkginfo Fri Apr 6 22:21:46 2001 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.16 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.17 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.4.16/SunOS5/system ip_fil3.4.17/SunOS5/system *** ip_fil3.4.16/SunOS5/system Sun Aug 1 23:18:16 1999 --- ip_fil3.4.17/SunOS5/system Wed Jan 17 23:28:59 2001 *************** *** 18,25 **** set ipf:fr_icmptimeout = 120 * NAT timeouts ! set ipf:fr_defnaticmpage = 600 ! 
set ipf:fr_defnatage = 6 * Fragment timeouts set ipf:fr_ipfrttl = 1200 --- 18,25 ---- set ipf:fr_icmptimeout = 120 * NAT timeouts ! set ipf:fr_defnaticmpage = 6 ! set ipf:fr_defnatage = 600 * Fragment timeouts set ipf:fr_ipfrttl = 1200 diff -cr ip_fil3.4.16/buildsunos ip_fil3.4.17/buildsunos *** ip_fil3.4.16/buildsunos Sun Dec 17 23:43:14 2000 --- ip_fil3.4.17/buildsunos Wed Apr 4 01:47:06 2001 *************** *** 3,9 **** echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.8 2000/12/17 12:43:14 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 3,9 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.9 2001/04/03 15:47:06 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 36,41 **** --- 36,43 ---- v=`echo '__GNUC__' | 2>&1 ${CC} -E - | 2>&1 sed -ne '/^[0-9]* *$/p'` if [ x$v != x ] ; then CC=gcc + else + CC=cc fi if [ $solrev -ge 7 ] && /bin/optisa sparcv8plus > /dev/null diff -cr ip_fil3.4.16/common.c ip_fil3.4.17/common.c *** ip_fil3.4.16/common.c Wed Jan 10 17:18:09 2001 --- ip_fil3.4.17/common.c Wed Apr 4 00:13:34 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff -cr ip_fil3.4.16/facpri.c ip_fil3.4.17/facpri.c *** ip_fil3.4.16/facpri.c Tue Mar 14 09:10:18 2000 --- ip_fil3.4.17/facpri.c Wed Apr 4 00:13:35 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. 
* * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 19,25 **** #include "facpri.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3 2000/03/13 22:10:18 darrenr Exp $"; #endif typedef struct table { --- 19,25 ---- #include "facpri.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.2 2001/04/03 14:13:35 darrenr Exp $"; #endif typedef struct table { *************** *** 54,59 **** --- 54,62 ---- { "cron", LOG_CRON2 }, #else { "cron2", LOG_CRON2 }, + #endif + #ifdef LOG_SECURITY + { "security", LOG_SECURITY }, #endif { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 }, { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 }, diff -cr ip_fil3.4.16/fil.c ip_fil3.4.17/fil.c *** ip_fil3.4.16/fil.c Sun Dec 17 16:49:22 2000 --- ip_fil3.4.17/fil.c Wed Apr 4 01:46:41 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.31 2001/04/03 15:46:41 darrenr Exp $"; #endif #include *************** *** 258,264 **** fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); fi->fi_tos = 0; fi->fi_fl = 0; ! plen = ntohs(ip6->ip6_plen); fin->fin_dlen = plen; } #endif --- 258,264 ---- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); fi->fi_tos = 0; fi->fi_fl = 0; ! 
plen = ntohs(ip6->ip6_plen) + sizeof(*ip6); fin->fin_dlen = plen; } #endif *************** *** 787,793 **** mb_t *mc = NULL; # if !defined(__SVR4) && !defined(__svr4__) # ifdef __sgi ! char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8]; # endif int up; --- 787,793 ---- mb_t *mc = NULL; # if !defined(__SVR4) && !defined(__svr4__) # ifdef __sgi ! char hbuf[128]; # endif int up; *************** *** 812,817 **** --- 812,820 ---- # ifdef USE_INET6 if (v == 6) { len = ntohs(((ip6_t*)ip)->ip6_plen); + if (!len) + return -1; /* potential jumbo gram */ + len += sizeof(ip6_t); p = ((ip6_t *)ip)->ip6_nxt; } else # endif *************** *** 820,826 **** len = ip->ip_len; } ! if ((p == IPPROTO_TCP || p == IPPROTO_UDP || p == IPPROTO_ICMP # ifdef USE_INET6 || (v == 6 && p == IPPROTO_ICMPV6) # endif --- 823,830 ---- len = ip->ip_len; } ! if ((p == IPPROTO_TCP || p == IPPROTO_UDP || ! (v == 4 && p == IPPROTO_ICMP) # ifdef USE_INET6 || (v == 6 && p == IPPROTO_ICMPV6) # endif *************** *** 1229,1235 **** ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif); } # endif /* !SOLARIS */ ! return (pass & FR_PASS) ? 0 : error; #else /* _KERNEL */ if (pass & FR_NOMATCH) return 1; --- 1233,1239 ---- ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif); } # endif /* !SOLARIS */ ! return (pass & (FR_PASS|FR_AUTH)) ? 0 : error; #else /* _KERNEL */ if (pass & FR_NOMATCH) return 1; *************** *** 1458,1464 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1462,1468 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
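Review bot: `plen = ntohs(ip6->ip6_plen) + sizeof(*ip6);` can exceed 65535 when the payload length is near the 16-bit maximum, and the result is stored straight into `fin->fin_dlen`. The declarations of `plen` and `fin_dlen` are outside the hunk, so if either is 16 bits wide the length wraps silently and later bounds checks work from a value that is too small. The same addition appears in the hunk at line 812 (`len += sizeof(ip6_t);`), which rejects a zero payload length as a possible jumbogram but does not bound the sum either. I would confirm both variables are at least `int` wide and add a comment such as `/* ip6_plen excludes the fixed header; the total may exceed 0xffff */`, or reject the packet when the sum does not fit.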
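Review bot: In the `__sgi` branch of the hunk at line 787, `char hbuf[128];` replaces a size derived from the headers the buffer has to hold (`(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8`) with a bare constant, so nothing ties the buffer to the largest length copied into it. The code that fills `hbuf` is outside this hunk, so whether 128 is enough on every build cannot be confirmed from here. I would keep the constant but document it, e.g. `/* must hold max IP header + ICMP header + quoted IP header + 8 bytes */` above the declaration, and bound the copy length with `sizeof(hbuf)` at the point of use.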
* $Id: fil.c,v 2.35.2.31 2001/04/03 15:46:41 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.4.16/ip_auth.c ip_fil3.4.17/ip_auth.c *** ip_fil3.4.16/ip_auth.c Wed Jan 10 17:18:35 2001 --- ip_fil3.4.17/ip_auth.c Wed Apr 4 01:48:12 2001 *************** *** 1,12 **** /* ! * Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $"; #endif #include --- 1,12 ---- /* ! * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.8 2001/04/03 15:48:12 darrenr Exp $"; #endif #include *************** *** 236,275 **** fr_auth[i].fra_pass = 0; fr_auth[i].fra_age = fr_defaultauthage; bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin)); ! #if !defined(sparc) && !defined(m68k) /* * No need to copyback here as we want to undo the changes, not keep * them. */ - # if SOLARIS && defined(_KERNEL) if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4)) - # endif { register u_short bo; bo = ip->ip_len; ip->ip_len = htons(bo); - # if !SOLARIS && !defined(__NetBSD__) - /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */ - bo = ip->ip_id; - ip->ip_id = htons(bo); - # endif bo = ip->ip_off; ip->ip_off = htons(bo); } ! #endif ! 
#if SOLARIS && defined(_KERNEL) m->b_rptr -= qif->qf_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; fr_auth[i].fra_q = qif->qf_q; cv_signal(&ipfauthwait); #else fr_authpkts[i] = m; - # if defined(linux) && defined(_KERNEL) - wake_up_interruptible(&ipfauthwait); - # else WAKEUP(&fr_authnext); - # endif #endif return 1; } --- 236,264 ---- fr_auth[i].fra_pass = 0; fr_auth[i].fra_age = fr_defaultauthage; bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin)); ! #if SOLARIS && defined(_KERNEL) ! # if !defined(sparc) /* * No need to copyback here as we want to undo the changes, not keep * them. */ if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4)) { register u_short bo; bo = ip->ip_len; ip->ip_len = htons(bo); bo = ip->ip_off; ip->ip_off = htons(bo); } ! # endif m->b_rptr -= qif->qf_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; fr_auth[i].fra_q = qif->qf_q; cv_signal(&ipfauthwait); #else fr_authpkts[i] = m; WAKEUP(&fr_authnext); #endif return 1; } *************** *** 313,319 **** else faep = &fae->fae_next; if (cmd == SIOCRMAFR) { ! if (!fae) error = ESRCH; else { WRITE_ENTER(&ipf_auth); --- 302,310 ---- else faep = &fae->fae_next; if (cmd == SIOCRMAFR) { ! if (!fr || !frptr) ! error = EINVAL; ! else if (!fae) error = ESRCH; else { WRITE_ENTER(&ipf_auth); *************** *** 322,328 **** RWLOCK_EXIT(&ipf_auth); KFREE(fae); } ! } else { KMALLOC(fae, frauthent_t *); if (fae != NULL) { bcopy((char *)fr, (char *)&fae->fae_fr, --- 313,319 ---- RWLOCK_EXIT(&ipf_auth); KFREE(fae); } ! } else if (fr && frptr) { KMALLOC(fae, frauthent_t *); if (fae != NULL) { bcopy((char *)fr, (char *)&fae->fae_fr, *************** *** 338,344 **** RWLOCK_EXIT(&ipf_auth); } else error = ENOMEM; ! } break; case SIOCATHST: READ_ENTER(&ipf_auth); --- 329,336 ---- RWLOCK_EXIT(&ipf_auth); } else error = ENOMEM; ! } else ! error = EINVAL; break; case SIOCATHST: READ_ENTER(&ipf_auth); *************** *** 407,418 **** # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ ! 
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) ! error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else ! error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL); # endif # endif /* SOLARIS */ if (error) fr_authstats.fas_sendfail++; --- 399,416 ---- # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ ! struct route ro; ! ! bzero((char *)&ro, sizeof(ro)); ! # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \ ! defined(__OpenBSD__) ! error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); # else ! error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL); # endif + if (ro.ro_rt) + RTFREE(ro.ro_rt); # endif /* SOLARIS */ if (error) fr_authstats.fas_sendfail++; diff -cr ip_fil3.4.16/ip_compat.h ip_fil3.4.17/ip_compat.h *** ip_fil3.4.16/ip_compat.h Mon Jan 15 01:58:21 2001 --- ip_fil3.4.17/ip_compat.h Wed Apr 4 00:13:35 2001 *************** *** 1,12 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 1,12 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.11 2001/04/03 14:13:35 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 508,514 **** # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) # define WAKEUP(id) wakeup(id) # endif /* BSD */ ! 
# if defined(NetBSD) && NetBSD <= 1991011 && NetBSD >= 199407 # define SPL_NET(x) x = splsoftnet() # define SPL_X(x) (void) splx(x) # else --- 508,515 ---- # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) # define WAKEUP(id) wakeup(id) # endif /* BSD */ ! # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \ ! (defined(OpenBSD) && (OpenBSD >= 200006)) # define SPL_NET(x) x = splsoftnet() # define SPL_X(x) (void) splx(x) # else *************** *** 517,523 **** # define SPL_NET(x) x = splnet() # define SPL_X(x) (void) splx(x) # endif ! # endif /* NetBSD && NetBSD <= 1991011 && NetBSD >= 199407 */ # define PANIC(x,y) if (x) panic y #else /* KERNEL */ # define SLEEP(x,y) ; --- 518,524 ---- # define SPL_NET(x) x = splnet() # define SPL_X(x) (void) splx(x) # endif ! # endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */ # define PANIC(x,y) if (x) panic y #else /* KERNEL */ # define SLEEP(x,y) ; diff -cr ip_fil3.4.16/ip_fil.c ip_fil3.4.17/ip_fil.c *** ip_fil3.4.16/ip_fil.c Fri Oct 20 02:39:42 2000 --- ip_fil3.4.17/ip_fil.c Wed Apr 4 00:13:37 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.19 2001/04/03 14:13:37 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 246,257 **** # ifdef IPFILTER_LOG ipflog_init(); # endif ! if (nat_init() == -1) ! return -1; ! if (fr_stateinit() == -1) ! return -1; ! if (appr_init() == -1) ! return -1; # ifdef NETBSD_PF # if __NetBSD_Version__ >= 104200000 --- 246,263 ---- # ifdef IPFILTER_LOG ipflog_init(); # endif ! if (nat_init() == -1) { ! SPL_X(s); ! return EIO; ! } ! if (fr_stateinit() == -1) { ! SPL_X(s); ! return EIO; ! } ! if (appr_init() == -1) { ! SPL_X(s); ! return EIO; ! } # ifdef NETBSD_PF # if __NetBSD_Version__ >= 104200000 *************** *** 261,266 **** --- 267,273 ---- # ifdef USE_INET6 goto pfil_error; # else + SPL_X(s); appr_unload(); ip_natunload(); fr_stateunload(); *************** *** 277,282 **** --- 284,290 ---- pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); pfil_error: + SPL_X(s); appr_unload(); ip_natunload(); fr_stateunload(); diff -cr ip_fil3.4.16/ip_fil.h ip_fil3.4.17/ip_fil.h *** ip_fil3.4.16/ip_fil.h Sun Nov 12 22:54:53 2000 --- ip_fil3.4.17/ip_fil.h Wed Mar 21 00:18:05 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.5 2001/03/20 13:18:05 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 59,65 **** # define SIOCSTLCK _IOWR('r', 79, u_int) # define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) # define SIOCSTGET _IOWR('r', 81, struct ipstate_save *) ! 
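Review bot: The new early returns after `fr_stateinit()` and `appr_init()` in the hunk at line 246 restore the interrupt level with `SPL_X(s)` but do not undo the initialisation steps that already succeeded. The later error paths in the same function (hunks at lines 261 and 277) do call `appr_unload(); ip_natunload(); fr_stateunload();` before returning. Unless each init routine cleans up after itself on failure, which is not visible here, a failed attach leaves the NAT or state tables allocated. Sending these failures through one cleanup label, or calling `ip_natunload();` (plus `fr_stateunload();` for the third check) before `return EIO;`, would keep the paths consistent. The return value also changes from -1 to `EIO`, so any caller that compares against -1 needs checking; the function's start and end are outside the hunk.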
# define SIOCSTGSZ _IOWR('r', 82, struct natget *) # define SIOCGFRST _IOWR('r', 83, struct ipfrstat *) #else # define SIOCADAFR _IOW(r, 60, struct frentry *) --- 59,65 ---- # define SIOCSTLCK _IOWR('r', 79, u_int) # define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) # define SIOCSTGET _IOWR('r', 81, struct ipstate_save *) ! # define SIOCSTGSZ _IOWR('r', 82, struct natget) # define SIOCGFRST _IOWR('r', 83, struct ipfrstat *) #else # define SIOCADAFR _IOW(r, 60, struct frentry *) *************** *** 84,90 **** # define SIOCSTLCK _IOWR(r, 79, u_int) # define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) # define SIOCSTGET _IOWR(r, 81, struct ipstate_save *) ! # define SIOCSTGSZ _IOWR(r, 82, struct natget *) # define SIOCGFRST _IOWR(r, 83, struct ipfrstat *) #endif #define SIOCADDFR SIOCADAFR --- 84,90 ---- # define SIOCSTLCK _IOWR(r, 79, u_int) # define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) # define SIOCSTGET _IOWR(r, 81, struct ipstate_save *) ! # define SIOCSTGSZ _IOWR(r, 82, struct natget) # define SIOCGFRST _IOWR(r, 83, struct ipfrstat *) #endif #define SIOCADDFR SIOCADAFR diff -cr ip_fil3.4.16/ip_frag.c ip_fil3.4.17/ip_frag.c *** ip_fil3.4.16/ip_frag.c Mon Nov 27 21:26:56 2000 --- ip_fil3.4.17/ip_frag.c Fri Apr 6 22:31:20 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.8 2001/04/06 12:31:20 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 141,152 **** u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! 
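Review bot: Changing the third argument of `SIOCSTGSZ` from `struct natget *` to `struct natget` changes the size encoded by `_IOWR`, so the command number itself changes and userland tools built against the 3.4.16 header will no longer match the kernel's `SIOCSTGSZ` case. This one definition now passes the structure by value while its neighbours (`SIOCSTPUT`, `SIOCSTGET`, `SIOCGFRST`) still declare pointer arguments, so the handler has to treat the argument differently for this command; that handler is not part of this diff. The same edit is repeated in the `_IOWR(r, 82, ...)` block in the hunk at line 84. A comment beside the define, e.g. `/* passed by value: the ioctl layer copies struct natget in and out */`, and a HISTORY entry about rebuilding userland would make the break explicit.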
u_int idx; if (ipfr_inuse >= IPFT_SIZE) return NULL; frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; --- 141,155 ---- u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! u_int idx, off; if (ipfr_inuse >= IPFT_SIZE) return NULL; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; *************** *** 200,206 **** /* * Compute the offset of the expected start of the next packet. */ ! fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3); ATOMIC_INCL(ipfr_stats.ifs_new); ATOMIC_INC32(ipfr_inuse); return fra; --- 203,212 ---- /* * Compute the offset of the expected start of the next packet. */ ! off = ip->ip_off & IP_OFFMASK; ! if (!off) ! fra->ipfr_seen0 = 1; ! fra->ipfr_off = off + (fin->fin_dlen >> 3); ATOMIC_INCL(ipfr_stats.ifs_new); ATOMIC_INC32(ipfr_inuse); return fra; *************** *** 256,261 **** --- 262,270 ---- ipfr_t *f, frag; u_int idx; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + /* * For fragments, we record protocol, packet id, TOS and both IP#'s * (these should all be the same for all fragments of a packet). *************** *** 283,288 **** --- 292,310 ---- IPFR_CMPSZ)) { u_short atoff, off; + /* + * XXX - We really need to be guarding against the + * retransmission of (src,dst,id,offset-range) here + * because a fragmented packet is never resent with + * the same IP ID#. + */ + off = ip->ip_off & IP_OFFMASK; + if (f->ipfr_seen0) { + if (!off || (fin->fin_fi.fi_fl & FI_SHORT)) + continue; + } else if (!off) + f->ipfr_seen0 = 1; + if (f != table[idx]) { /* * move fragment info. 
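Review bot: In the hunk at line 200, `fra->ipfr_seen0` is assigned only when `off` is zero, so an entry created from a non-first fragment keeps whatever the allocation left in that byte. The allocation and initialisation of `fra` are above the hunk; if the structure is not zeroed there, the lookup path added later in this file (`if (f->ipfr_seen0)`) reads an indeterminate value and may wrongly drop or admit a later fragment #0. Assigning the flag unconditionally removes the dependency: `fra->ipfr_seen0 = (off == 0);`.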
to the top of the list *************** *** 295,301 **** f->ipfr_prev = NULL; table[idx] = f; } - off = ip->ip_off & IP_OFFMASK; atoff = off + (fin->fin_dlen >> 3); /* * If we've follwed the fragments, and this is the --- 317,322 ---- diff -cr ip_fil3.4.16/ip_frag.h ip_fil3.4.17/ip_frag.h *** ip_fil3.4.16/ip_frag.h Sat Nov 11 00:10:54 2000 --- ip_fil3.4.17/ip_frag.h Fri Apr 6 22:31:20 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.3 2001/04/06 12:31:20 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 24,30 **** u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_short ipfr_ttl; frentry_t *ipfr_rule; } ipfr_t; --- 24,31 ---- u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_char ipfr_ttl; ! u_char ipfr_seen0; frentry_t *ipfr_rule; } ipfr_t; *************** *** 40,46 **** struct ipfr **ifs_nattab; } ipfrstat_t; ! #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) extern int fr_ipfrttl; extern int fr_frag_lock; --- 41,48 ---- struct ipfr **ifs_nattab; } ipfrstat_t; ! #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \ ! offsetof(ipfr_t, ipfr_src)) extern int fr_ipfrttl; extern int fr_frag_lock; diff -cr ip_fil3.4.16/ip_ftp_pxy.c ip_fil3.4.17/ip_ftp_pxy.c *** ip_fil3.4.16/ip_ftp_pxy.c Sat Dec 2 11:15:06 2000 --- ip_fil3.4.17/ip_ftp_pxy.c Thu Jan 18 00:30:52 2001 *************** *** 2,8 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 2,8 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
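Review bot: Narrowing `ipfr_ttl` from `u_short` to `u_char` in ip_frag.h caps the stored fragment lifetime at 255, while `fr_ipfrttl` is declared `extern int` a few lines below and SunOS5/system in this same release sets `ipf:fr_ipfrttl = 1200`. The assignment is not in this diff, but if it is a plain `fra->ipfr_ttl = fr_ipfrttl;`, that configuration truncates to 176 and fragment cache entries expire far sooner than configured. Either keep the field 16 bits wide and place `ipfr_seen0` after it, or clamp the tunable where it is copied and document the limit.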
* $Id: ip_ftp_pxy.c,v 2.7.2.21 2001/01/17 13:30:52 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 513,522 **** if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3)) ftp->ftp_passok = 2; ! else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "230", 3)) ! ftp->ftp_passok = 4; ! else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3)) ! ftp->ftp_passok = 0; else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) { inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { --- 513,523 ---- if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3)) ftp->ftp_passok = 2; ! else if (((ftp->ftp_passok == 3) || (ftp->ftp_passok == 1)) && ! !strncmp(rptr, "230", 3)) { ! ftp->ftp_passok = 4; ! } else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3)) ! ftp->ftp_passok = 0; else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) { inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { diff -cr ip_fil3.4.16/ip_log.c ip_fil3.4.17/ip_log.c *** ip_fil3.4.16/ip_log.c Sun Aug 13 13:50:41 2000 --- ip_fil3.4.17/ip_log.c Wed Apr 4 01:45:49 2001 *************** *** 1,11 **** /* ! * Copyright (C) 1997-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.5.2.2 2000/08/13 03:50:41 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) --- 1,11 ---- /* ! * Copyright (C) 1997-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.5.2.3 2001/04/03 15:45:49 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) *************** *** 45,51 **** # include # endif # include ! 
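Review bot: The `ftp_passok` state machine uses bare integers 0 through 4, which makes the new branch that lets a `230` reply move state 1 straight to 4 hard to audit, and state 4 is what enables the `ippr_ftp_pasv()` call in the following branch. A comment or named constants would help, for example `/* 1 = USER sent, 2 = 331 seen, 3 = PASS sent, 4 = logged in */`. Those meanings are inferred from the reply codes and should be confirmed against the client-side code, which is outside the hunk. Note also that `"230"` and `"530"` are matched on three characters while `"227 "` is matched on four, so a multi-line `230-` banner takes the same transition as the final `230 ` line.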
# if defined(_KERNEL) && !defined(linux) # include # endif # include --- 45,51 ---- # include # endif # include ! # if defined(_KERNEL) # include # endif # include *************** *** 55,63 **** # else # include # endif ! # ifndef linux ! # include ! # endif # else # include # include --- 55,61 ---- # else # include # endif ! # include # else # include # include *************** *** 69,77 **** # include # include # endif ! # ifndef linux ! # include ! # endif # include # include --- 67,73 ---- # include # include # endif ! # include # include # include *************** *** 89,95 **** # include # endif # endif ! # if !defined(linux) && !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/ # include # endif # include --- 85,91 ---- # include # endif # endif ! # if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/ # include # endif # include *************** *** 97,105 **** # include # include # include ! # ifndef linux ! # include ! # endif # ifndef _KERNEL # include # endif --- 93,99 ---- # include # include # include ! # include # ifndef _KERNEL # include # endif *************** *** 130,138 **** iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1]; size_t iplused[IPL_LOGMAX+1]; static fr_info_t iplcrc[IPL_LOGMAX+1]; - # ifdef linux - static struct wait_queue *iplwait[IPL_LOGMAX+1]; - # endif /* --- 124,129 ---- *************** *** 229,237 **** (defined(OpenBSD) && (OpenBSD >= 199603)) strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ); # else - # ifndef linux ipfl.fl_unit = (u_char)ifp->if_unit; - # endif if ((ipfl.fl_ifname[0] = ifp->if_name[0])) if ((ipfl.fl_ifname[1] = ifp->if_name[1])) if ((ipfl.fl_ifname[2] = ifp->if_name[2])) --- 220,226 ---- *************** *** 337,343 **** ipl->ipl_count = 1; ipl->ipl_next = NULL; ipl->ipl_dsize = len; ! 
# if SOLARIS || defined(sun) || defined(linux) uniqtime((struct timeval *)&ipl->ipl_sec); # else # if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) --- 326,332 ---- ipl->ipl_count = 1; ipl->ipl_next = NULL; ipl->ipl_dsize = len; ! # if SOLARIS || defined(sun) uniqtime((struct timeval *)&ipl->ipl_sec); # else # if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) *************** *** 370,380 **** mutex_exit(&ipl_mutex); # else MUTEX_EXIT(&ipl_mutex); - # ifdef linux - wake_up_interruptible(&iplwait[dev]); - # else wakeup(&iplh[dev]); - # endif # endif return 1; } --- 359,365 ---- *************** *** 399,406 **** return ENXIO; if (!uio->uio_resid) return 0; ! if ((uio->uio_resid < sizeof(iplog_t)) || ! (uio->uio_resid > IPLLOGSIZE)) return EINVAL; /* --- 384,390 ---- return ENXIO; if (!uio->uio_resid) return 0; ! if (uio->uio_resid < sizeof(iplog_t)) return EINVAL; /* *************** *** 417,435 **** return EINTR; } # else - # ifdef linux - interruptible_sleep_on(&iplwait[unit]); - if (current->signal & ~current->blocked) - return -EINTR; - # else MUTEX_EXIT(&ipl_mutex); - SPL_X(s); error = SLEEP(&iplh[unit], "ipl sleep"); ! if (error) return error; ! SPL_NET(s); MUTEX_ENTER(&ipl_mutex); - # endif /* linux */ # endif /* SOLARIS */ } --- 401,413 ---- return EINTR; } # else MUTEX_EXIT(&ipl_mutex); error = SLEEP(&iplh[unit], "ipl sleep"); ! if (error) { ! SPL_X(s); return error; ! 
} MUTEX_ENTER(&ipl_mutex); # endif /* SOLARIS */ } *************** *** 447,456 **** iplt[unit] = ipl->ipl_next; iplused[unit] -= dlen; MUTEX_EXIT(&ipl_mutex); - SPL_X(s); error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio); if (error) { - SPL_NET(s); MUTEX_ENTER(&ipl_mutex); ipl->ipl_next = iplt[unit]; iplt[unit] = ipl; --- 425,432 ---- *************** *** 458,464 **** break; } KFREES((caddr_t)ipl, dlen); - SPL_NET(s); MUTEX_ENTER(&ipl_mutex); } if (!iplt[unit]) { --- 434,439 ---- *************** *** 469,481 **** MUTEX_EXIT(&ipl_mutex); SPL_X(s); - # ifdef linux - if (!error) - return (int)copied; - return -error; - # else return error; - # endif } --- 444,450 ---- diff -cr ip_fil3.4.16/ip_nat.c ip_fil3.4.17/ip_nat.c *** ip_fil3.4.16/ip_nat.c Wed Jan 10 17:19:11 2001 --- ip_fil3.4.17/ip_nat.c Sat Apr 7 00:09:05 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1995-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1995-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.35 2001/04/06 14:07:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 2283,2289 **** */ if (nat) { np = nat->nat_ptr; ! 
if (natadd && fin->fin_fi.fi_fl & FI_FRAG) ipfr_nat_newfrag(ip, fin, 0, nat); MUTEX_ENTER(&nat->nat_lock); nat->nat_age = fr_defnatage; --- 2283,2290 ---- */ if (nat) { np = nat->nat_ptr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && ! np && (np->in_flags & IPN_FRAG)) ipfr_nat_newfrag(ip, fin, 0, nat); MUTEX_ENTER(&nat->nat_lock); nat->nat_age = fr_defnatage; *************** *** 2488,2494 **** if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; ! if (natadd && fin->fin_fi.fi_fl & FI_FRAG) ipfr_nat_newfrag(ip, fin, 0, nat); if ((np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { --- 2489,2496 ---- if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && ! np && (np->in_flags & IPN_FRAG)) ipfr_nat_newfrag(ip, fin, 0, nat); if ((np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { diff -cr ip_fil3.4.16/ip_nat.h ip_fil3.4.17/ip_nat.h *** ip_fil3.4.16/ip_nat.h Sat Nov 18 14:58:04 2000 --- ip_fil3.4.17/ip_nat.h Fri Apr 6 23:48:45 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.15 2001/04/06 13:47:35 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 226,231 **** --- 226,232 ---- #define IPN_ROUNDR 0x100 #define IPN_NOTSRC 0x080000 #define IPN_NOTDST 0x100000 + #define IPN_FRAG 0x200000 typedef struct natlog { diff -cr ip_fil3.4.16/ip_raudio_pxy.c ip_fil3.4.17/ip_raudio_pxy.c *** ip_fil3.4.16/ip_raudio_pxy.c Sat Oct 28 09:54:04 2000 --- ip_fil3.4.17/ip_raudio_pxy.c Wed Apr 4 01:45:15 2001 *************** *** 1,5 **** /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.3 2000/10/27 22:54:04 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 1,5 ---- /* ! 
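Review bot: The added `np &&` test in the hunk at line 2488 implies `nat->nat_ptr` can be NULL, yet the next statement, `if ((np->in_apr != NULL) && ...`, still dereferences `np` unconditionally. If a NAT entry can outlive its rule, that is a NULL dereference in the packet path. If it cannot, the new check is unnecessary here and in the matching hunk at line 2283. Guarding the proxy test the same way, `if ((np != NULL) && (np->in_apr != NULL) && ...`, would make the two uses agree.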
* $Id: ip_raudio_pxy.c,v 1.7.2.4 2001/04/03 15:45:15 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 62,69 **** raudio_t *rap = aps->aps_data; unsigned char membuf[512 + 1], *s; u_short id = 0; - tcphdr_t *tcp; int off, dlen; int len = 0; mb_t *m; #if SOLARIS --- 62,69 ---- raudio_t *rap = aps->aps_data; unsigned char membuf[512 + 1], *s; u_short id = 0; int off, dlen; + tcphdr_t *tcp; int len = 0; mb_t *m; #if SOLARIS *************** *** 86,99 **** dlen = msgdsize(m) - off; if (dlen <= 0) return 0; ! copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf); #else m = *(mb_t **)fin->fin_mp; dlen = mbufchainlen(m) - off; if (dlen <= 0) return 0; ! m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf); #endif /* * In all the startup parsing, ensure that we don't go outside --- 86,101 ---- dlen = msgdsize(m) - off; if (dlen <= 0) return 0; ! dlen = MIN(sizeof(membuf), dlen); ! copyout_mblk(m, off, dlen, (char *)membuf); #else m = *(mb_t **)fin->fin_mp; dlen = mbufchainlen(m) - off; if (dlen <= 0) return 0; ! dlen = MIN(sizeof(membuf), dlen); ! m_copydata(m, off, dlen, (char *)membuf); #endif /* * In all the startup parsing, ensure that we don't go outside diff -cr ip_fil3.4.16/ip_state.c ip_fil3.4.17/ip_state.c *** ip_fil3.4.16/ip_state.c Tue Jan 9 01:04:46 2001 --- ip_fil3.4.17/ip_state.c Fri Apr 6 22:31:21 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1995-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1995-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! 
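Review bot: Clamping with `dlen = MIN(sizeof(membuf), dlen);` lets the packet fill all 513 bytes of `membuf` (declared `unsigned char membuf[512 + 1]`), leaving no room for a terminator even though the `+ 1` suggests one was intended. The parsing that follows is outside the hunk; if it uses string routines or touches `membuf[dlen]`, it goes one byte past the buffer. Clamping to `sizeof(membuf) - 1` and setting `membuf[dlen] = '\0';` after the copy would make the bound explicit, in both the `copyout_mblk` and `m_copydata` branches. `MIN` also compares a `size_t` with an `int` here, which is safe only because `dlen <= 0` is rejected just above.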
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.30 2001/04/06 12:31:21 darrenr Exp $"; #endif #include *************** *** 140,146 **** fr_tcpclosed = 120, fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */ fr_udptimeout = 240, ! fr_icmptimeout = 120; int fr_statemax = IPSTATE_MAX, fr_statesize = IPSTATE_SIZE; int fr_state_doflush = 0, --- 140,148 ---- fr_tcpclosed = 120, fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */ fr_udptimeout = 240, ! fr_udpacktimeout = 24, ! fr_icmptimeout = 120, ! fr_icmpacktimeout = 12; int fr_statemax = IPSTATE_MAX, fr_statesize = IPSTATE_SIZE; int fr_state_doflush = 0, *************** *** 688,694 **** #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); ! if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } --- 690,696 ---- #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); ! if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } *************** *** 1254,1260 **** if ((is->is_p == pr) && (is->is_v == v) && fr_matchsrcdst(is, src, dst, fin, NULL) && fr_matchicmpqueryreply(v, is, ic)) { ! is->is_age = fr_icmptimeout; break; } } --- 1256,1265 ---- if ((is->is_p == pr) && (is->is_v == v) && fr_matchsrcdst(is, src, dst, fin, NULL) && fr_matchicmpqueryreply(v, is, ic)) { ! if (fin->fin_rev) ! is->is_age = fr_icmpacktimeout; ! else ! 
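Review bot: The new tunables `fr_udpacktimeout = 24` and `fr_icmpacktimeout = 12` in the `--- 140,148` hunk carry no unit, unlike `fr_tcphalfclosed` beside them. Going by `2 * 2 * 3600, /* 2 hours */` the values appear to be half-second ticks, so comments such as `/* 12 seconds */` and `/* 6 seconds */` would save the next reader the arithmetic. Confirm the unit before adding them.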
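Review bot: In the `--- 690,696` hunk the fragment cache entry is still created with `pass ^ FR_KEEPSTATE`, which toggles the bit rather than clearing it. That is correct only while `pass` is guaranteed to have `FR_KEEPSTATE` set at this point; `ipfr_newfrag(ip, fin, pass & ~FR_KEEPSTATE);` states the intent and cannot set the flag by accident. The same call appears in the `--- 1355,1361` hunk. A one-line comment such as `/* only cache fragments when the rule also asked to keep frags */` above the new `FR_KEEPFRAG` test would record why the gate exists.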
is->is_age = fr_icmptimeout; break; } } *************** *** 1302,1307 **** --- 1307,1317 ---- if (!fr_tcpstate(is, fin, ip, tcp)) { continue; } + } if ((pr == IPPROTO_UDP)) { + if (fin->fin_rev) + is->is_age = fr_udpacktimeout; + else + is->is_age = fr_udptimeout; } break; } *************** *** 1345,1351 **** fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } --- 1355,1361 ---- fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } diff -cr ip_fil3.4.16/ipfs.c ip_fil3.4.17/ipfs.c *** ip_fil3.4.16/ipfs.c Wed Jan 10 17:20:12 2001 --- ip_fil3.4.17/ipfs.c Wed Apr 4 00:14:09 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1999 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1999-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 41,47 **** #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR --- 41,47 ---- #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.5 2001/04/03 14:14:09 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR *************** *** 532,537 **** --- 532,538 ---- } bzero((char *)&ipn, sizeof(ipn)); + ipnp = &ipn; /* * 1. Read all state information in. *************** *** 573,579 **** } } else in = (nat_save_t *)malloc(sizeof(*in)); ! bcopy((char *)&ipnp, (char *)in, sizeof(ipn)); /* * Check to see if this is the first state entry that will --- 574,580 ---- } } else in = (nat_save_t *)malloc(sizeof(*in)); ! 
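Review bot: The added line `} if ((pr == IPPROTO_UDP)) {` in the `--- 1307,1317` hunk closes the preceding block and opens a new `if` on the same line, which reads like a dropped `else`. The doubled parentheses also draw warnings on some compilers. If the preceding block is the TCP case (its opening is outside the hunk), `} else if (pr == IPPROTO_UDP) {` is equivalent and clearer; otherwise put the `if` on its own line.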
bcopy((char *)ipnp, (char *)in, sizeof(ipn)); /* * Check to see if this is the first state entry that will diff -cr ip_fil3.4.16/ipft_tx.c ip_fil3.4.17/ipft_tx.c *** ip_fil3.4.16/ipft_tx.c Wed Jan 10 17:19:53 2001 --- ip_fil3.4.17/ipft_tx.c Wed Apr 4 00:14:09 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1995-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1995-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $"; #endif extern int opts; --- 43,49 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.3 2001/04/03 14:14:09 darrenr Exp $"; #endif extern int opts; *************** *** 223,234 **** bzero(ipopts, sizeof(ipopts)); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_v = IPVERSION; ! for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; ) cps[++i] = strtok(NULL, " \b\t\r\n"); - if (i < 2) - return 1; cpp = cps; c = **cpp; if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) { --- 223,234 ---- bzero(ipopts, sizeof(ipopts)); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_v = IPVERSION; ! for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); ) cps[++i] = strtok(NULL, " \b\t\r\n"); cpp = cps; + if (!*cpp) + return 1; c = **cpp; if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) { *************** *** 237,248 **** --- 237,252 ---- } *out = (tolower(c) == 'o') ? 
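Review bot: In the `--- 574,580` hunk the result of `malloc(sizeof(*in))` is written to by `bcopy((char *)ipnp, (char *)in, sizeof(ipn));` without a NULL check. A failed allocation would make the copy write through a null pointer; a guard such as `if (in == NULL) { perror("malloc"); return 1; }` before the `bcopy` avoids that, adjusted to the error convention of the surrounding function, which is not visible here. The copy length is `sizeof(ipn)` while the allocation is `sizeof(*in)`; using `sizeof(*in)` for both keeps the two sizes tied together.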
1 : 0; cpp++; + if (!*cpp) + return 1; if (!strcasecmp(*cpp, "on")) { cpp++; if (!*cpp) return 1; *ifn = strdup(*cpp++); + if (!*cpp) + return 1; } c = **cpp; diff -cr ip_fil3.4.16/ipl.h ip_fil3.4.17/ipl.h *** ip_fil3.4.16/ipl.h Mon Jan 15 00:47:15 2001 --- ip_fil3.4.17/ipl.h Fri Apr 6 22:21:28 2001 *************** *** 1,17 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.16" #endif --- 1,17 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.19 2001/04/06 12:21:28 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.17" #endif diff -cr ip_fil3.4.16/ipmon.c ip_fil3.4.17/ipmon.c *** ip_fil3.4.16/ipmon.c Wed Jan 10 17:18:08 2001 --- ip_fil3.4.17/ipmon.c Wed Apr 4 00:14:10 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.9 2001/04/03 14:14:10 darrenr Exp $"; #endif #ifndef SOLARIS diff -cr ip_fil3.4.16/ipsend/ipresend.1 ip_fil3.4.17/ipsend/ipresend.1 *** ip_fil3.4.16/ipsend/ipresend.1 Sun Aug 1 20:57:24 1999 --- ip_fil3.4.17/ipsend/ipresend.1 Wed Mar 21 00:20:08 2001 *************** *** 2,8 **** .SH NAME ipresend \- resend IP packets out to network .SH SYNOPSIS ! .B ipsend [ .B \-EHPRSTX ] [ --- 2,8 ---- .SH NAME ipresend \- resend IP packets out to network .SH SYNOPSIS ! .B ipresend [ .B \-EHPRSTX ] [ diff -cr ip_fil3.4.16/ipsend/sdlpi.c ip_fil3.4.17/ipsend/sdlpi.c *** ip_fil3.4.16/ipsend/sdlpi.c Thu Aug 5 03:31:13 1999 --- ip_fil3.4.17/ipsend/sdlpi.c Wed Feb 28 21:51:11 2001 *************** *** 40,46 **** #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $"; #endif #define CHUNKSIZE 8192 --- 40,46 ---- #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1.4.1 2001/02/28 10:51:11 darrenr Exp $"; #endif #define CHUNKSIZE 8192 *************** *** 58,64 **** char devname[16], *s, buf[256]; int i, fd; ! (void) sprintf(devname, "/dev/%s", device); s = devname + 5; while (*s && !isdigit(*s)) --- 58,65 ---- char devname[16], *s, buf[256]; int i, fd; ! (void) strcpy(devname, "/dev/"); ! 
(void) strncat(devname, device, sizeof(devname) - strlen(devname)); s = devname + 5; while (*s && !isdigit(*s)) diff -cr ip_fil3.4.16/man/ipf.5 ip_fil3.4.17/man/ipf.5 *** ip_fil3.4.16/man/ipf.5 Sun Sep 17 19:35:47 2000 --- ip_fil3.4.17/man/ipf.5 Wed Apr 4 01:44:04 2001 *************** *** 374,380 **** # packets with ONLY the SYN flag set. ... flags SA ! # becomes "flags SA/AUPRFS" and will match any # packet with only the SYN and ACK flags set. ... flags S/SA --- 374,380 ---- # packets with ONLY the SYN flag set. ... flags SA ! # becomes "flags SA/AUPRFSC" and will match any # packet with only the SYN and ACK flags set. ... flags S/SA diff -cr ip_fil3.4.16/natparse.c ip_fil3.4.17/natparse.c *** ip_fil3.4.16/natparse.c Sat Jul 8 12:14:40 2000 --- ip_fil3.4.17/natparse.c Fri Apr 6 23:48:45 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 54,60 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $"; #endif --- 54,60 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! 
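Review bot: The bound passed to `strncat` in the `--- 58,65` hunk is one too large. `strncat` appends up to n characters and then a terminating NUL, so `sizeof(devname) - strlen(devname)` lets a long `device` write one byte past `devname[16]`. Use `sizeof(devname) - strlen(devname) - 1`, or build the name in one step with `snprintf(devname, sizeof(devname), "/dev/%s", device);` and check the result for truncation. The `isdigit(*s)` call on the context line below should also take `(unsigned char)*s`.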
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.9 2001/04/06 13:47:35 darrenr Exp $"; #endif *************** *** 160,165 **** --- 160,167 ---- printf(" udp"); if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); + if (np->in_flags & IPN_FRAG) + printf(" frag"); printf("\n"); if (opts & OPT_DEBUG) printf("\t%p %lu %#x %u %p %d\n", np->in_ifp, *************** *** 231,236 **** --- 233,240 ---- ntohs(np->in_pmax)); } } + if (np->in_flags & IPN_FRAG) + printf(" frag"); printf("\n"); if (opts & OPT_DEBUG) { printf("\tifp %p space %lu nextip %s pnext %d", *************** *** 277,282 **** --- 281,287 ---- char *s, *t, *cps[31], **cpp; int i, cnt; + proto = NULL; if ((s = strchr(line, '\n'))) *s = '\0'; *************** *** 623,628 **** --- 628,638 ---- ipn.in_flags |= IPN_ROUNDR; } + if (*cpp && !strcasecmp(*cpp, "frag")) { + cpp++; + ipn.in_flags |= IPN_FRAG; + } + if (*cpp) { fprintf(stderr, "%d: extra junk at the end of rdr: %s\n", *************** *** 640,645 **** --- 650,660 ---- if ((ipn.in_redir & NAT_MAPBLK) != 0) nat_setgroupmap(&ipn); + + if (*cpp && !strcasecmp(*cpp, "frag")) { + cpp++; + ipn.in_flags |= IPN_FRAG; + } if (!*cpp) return &ipn; diff -cr ip_fil3.4.16/relay.c ip_fil3.4.17/relay.c *** ip_fil3.4.16/relay.c Thu Dec 9 01:35:58 1999 --- ip_fil3.4.17/relay.c Wed Feb 28 20:22:57 2001 *************** *** 107,113 **** int fd, sl = sizeof(sl), se; openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON); ! if ((fd = open("/dev/ipl", O_RDONLY)) == -1) { se = errno; perror("open"); errno = se; --- 107,113 ---- int fd, sl = sizeof(sl), se; openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON); ! if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) { se = errno; perror("open"); errno = se; *************** *** 115,120 **** --- 115,123 ---- exit(-1); } + bzero(&nl, sizeof(nl)); + nl.nl_flags = IPN_TCP; + bzero(&sin, sizeof(sin)); sin.sin_family = AF_INET; sl = sizeof(sin); *************** *** 151,158 **** exit(-1); } ! sin.sin_port = nl.nl_inport; ! 
sin.sin_addr = nl.nl_inip; sl = sizeof(sin); fd = socket(AF_INET, SOCK_STREAM, 0); --- 154,161 ---- exit(-1); } ! sin.sin_port = nl.nl_realport; ! sin.sin_addr = nl.nl_realip; sl = sizeof(sin); fd = socket(AF_INET, SOCK_STREAM, 0); diff -cr ip_fil3.4.16/solaris.c ip_fil3.4.17/solaris.c *** ip_fil3.4.16/solaris.c Mon Nov 27 21:28:41 2000 --- ip_fil3.4.17/solaris.c Fri Apr 6 21:19:36 2001 *************** *** 1,12 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $" #include #include --- 1,12 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! 
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.13 2001/04/06 11:19:36 darrenr Exp $" #include #include *************** *** 210,217 **** { int ipfinst; - if (fr_running < 0) - return -1; ipfinst = mod_install(&modlink1); #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst); --- 210,215 ---- *************** *** 224,231 **** { int ipfinst; - if (fr_running < 0) - return -1; ipfinst = mod_remove(&modlink1); #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst); --- 222,227 ---- *************** *** 239,246 **** { int ipfinst; - if (fr_running < 0) - return -1; ipfinst = mod_info(&modlink1, modinfop); #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst); --- 235,240 ---- *************** *** 275,280 **** --- 269,293 ---- } + static void ipf_ire_walk(ire, arg) + ire_t *ire; + void *arg; + { + qif_t *qif = arg; + + if ((ire->ire_type == IRE_CACHE) && (ire->ire_ipif != NULL) && + (ire->ire_ipif->ipif_ill == qif->qf_ill)) { + #if SOLARIS2 >= 8 + mblk_t *m = ire->ire_fp_mp; + #else + mblk_t *m = ire->ire_ll_hdr_mp; + #endif + if (m != NULL) + qif->qf_hl = m->b_wptr - m->b_rptr; + } + } + + static int ipf_attach(dip, cmd) dev_info_t *dip; ddi_attach_cmd_t cmd; *************** *** 529,536 **** { register mblk_t *m, *mt = *mp; register ip_t *ip; ! size_t hlen, len, off, mlen, iphlen, plen; ! int err, synced = 0, sap, p; u_char *bp; #if SOLARIS2 >= 8 ip6_t *ip6; --- 542,549 ---- { register mblk_t *m, *mt = *mp; register ip_t *ip; ! size_t hlen, len, off, off2, mlen, iphlen, plen, woff; ! 
int err, synced = 0, sap, p, realigned = 0; u_char *bp; #if SOLARIS2 >= 8 ip6_t *ip6; *************** *** 648,653 **** --- 661,669 ---- ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0]; ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1]; plen = ntohs(tlen); + if (!plen) + return -1; /* Jumbo gram */ + plen += sizeof(*ip6); sap = IP6_DL_SAP; } #endif *************** *** 659,692 **** /* * Ok, the IP header isn't on a 32bit aligned address so junk it. */ ! if (((u_int)ip & 0x3) || (len < hlen) || (sap == -1)) { ! mblk_t *m2; ! u_char *s; /* * Junk using pullupmsg - it's next to useless. */ fixalign: len = msgdsize(m); ! m2 = allocb(len, BPRI_HI); if (m2 == NULL) { frstats[out].fr_pull[1]++; return -1; } m2->b_wptr = m2->b_rptr + len; ! s = (u_char *)ip; ! for (bp = m2->b_rptr; m; bp += len) { ! len = m->b_wptr - s; ! bcopy(m->b_rptr, bp, len); ! m = m->b_cont; ! if (m) ! s = m->b_rptr; } - *mp = m2; - MTYPE(m2) = M_DATA; - freemsg(mt); - mt = m2; frstats[out].fr_pull[0]++; synced = 1; --- 675,753 ---- /* * Ok, the IP header isn't on a 32bit aligned address so junk it. */ ! if (((u_long)ip & 0x3) || (plen > mlen) || (len < hlen) || ! (sap == -1)) { ! mblk_t *m1, *m2; ! u_char *s, c; ! int v; /* * Junk using pullupmsg - it's next to useless. */ fixalign: + if (off) + m->b_rptr -= off; + #ifdef sparc + c = (*(u_char *)ip & 0xf0) >> 4; + #else + c = (*(u_char *)ip & 0xf); + #endif + if (c != 4 + #if SOLARIS2 >= 8 + && c != 6 + #endif + ) { + frstats[out].fr_notip++; + return (fr_flags & FF_BLOCKNONIP) ? -1 : 0; + } + + if (realigned) + return -1; + realigned = 1; + off2 = (size_t)((u_long)ip & 0x3); + if (off2) + off2 = 4 - off2; len = msgdsize(m); ! m2 = allocb(len + off2, BPRI_HI); if (m2 == NULL) { frstats[out].fr_pull[1]++; return -1; } + MTYPE(m2) = M_DATA; + m2->b_rptr += off2; m2->b_wptr = m2->b_rptr + len; ! m1 = m; ! s = (u_char *)m->b_rptr; ! for (bp = m2->b_rptr; m1 && (bp < m2->b_wptr); bp += len) { ! len = MIN(m1->b_wptr - s, m2->b_wptr - bp); ! 
bcopy(s, bp, len); ! m1 = m1->b_cont; ! if (m1) ! s = m1->b_rptr; ! } ! ! if (mt != m && mt->b_cont == m && !off) { ! /* ! * check if the buffer we're changing is chained in- ! * between other buffers and unlink/relink as required. ! */ ! (void) unlinkb(mt); /* should return 'm' */ ! m1 = unlinkb(m); ! if (m1) ! linkb(m2, m1); ! freemsg(m); ! linkb(mt, m2); ! } else { ! if (m == mt) { ! m1 = unlinkb(mt); ! if (m1) ! linkb(m2, m1); ! } ! freemsg(mt); ! *mp = m2; ! mt = m2; } frstats[out].fr_pull[0]++; synced = 1; *************** *** 790,804 **** break; } if (hlen > mlen) { hlen = mlen; ! #if SOLARIS2 >= 8 ! } else if (sap == IP6_DL_SAP) { ! if (m->b_wptr - m->b_rptr > plen + hlen) ! m->b_wptr = m->b_rptr + plen + hlen; ! #endif ! } else if (m->b_wptr - m->b_rptr > plen) ! m->b_wptr = m->b_rptr + plen; /* * If we don't have enough data in the mblk or we haven't yet copied --- 851,863 ---- break; } + woff = 0; if (hlen > mlen) { hlen = mlen; ! } else if (m->b_wptr - m->b_rptr > plen) { ! woff = m->b_wptr - m->b_rptr - plen; ! m->b_wptr -= woff; ! } /* * If we don't have enough data in the mblk or we haven't yet copied *************** *** 818,825 **** qif->qf_off = off; qif->qf_len = len; err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp); ! if (err == 2) goto fixalign; /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. --- 877,885 ---- qif->qf_off = off; qif->qf_len = len; err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp); ! if (err == 2) { goto fixalign; + } /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. 
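Review bot: The version test added after `fixalign:` in the `--- 675,753` hunk reads the low nibble on non-sparc builds, `c = (*(u_char *)ip & 0xf);`. The first byte of an IP header is read here as a single byte, so host byte order does not change which half holds the version. The low nibble is the header length, so an ordinary IPv4 header would fail the `c != 4` test and be counted in `fr_notip`. Unless something outside the hunk rewrites that byte, `c = (*(u_char *)ip >> 4);` should be used on every platform and the `#ifdef sparc` dropped.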
*************** *** 828,833 **** --- 888,894 ---- */ if (*mp != NULL) { if (*mp == mt) { + m->b_wptr += woff; m->b_rptr -= off; #ifndef sparc # if SOLARIS2 >= 8 *************** *** 854,859 **** --- 915,944 ---- } + /* + * Only called for M_IOCACK messages + */ + void fr_qif_update(qif, mp) + qif_t *qif; + mblk_t *mp; + { + struct iocblk *iocp; + + if (!qif || !mp) + return; + iocp = (struct iocblk *)mp->b_rptr; + if (mp->b_cont && (iocp->ioc_cmd == DL_IOC_HDR_INFO)) { + mp = mp->b_cont; + if (MTYPE(mp) == M_PROTO && mp->b_cont) { + mp = mp->b_cont; + if (MTYPE(mp) == M_DATA) { + qif->qf_hl = mp->b_wptr - mp->b_rptr; + } + } + } + } + + int fr_qin(q, mb) queue_t *q; mblk_t *mb; *************** *** 871,878 **** --- 956,968 ---- mblk_t *m1; m1 = copymsg(mb); + mb->b_prev = NULL; freemsg(mb); mb = m1; + if (!m1) { + frstats[1].fr_drop++; + return 0; + } frstats[0].fr_copy++; } *************** *** 929,941 **** return 0; } - bcopy((char *)qif, (char *)&qf, sizeof(qf)); - qif = &qf; - type = MTYPE(mb); pnext = qif->qf_rqinfo->qi_putp; ! if (datamsg(type) || (type == M_BREAK)) ! err = fr_precheck(&mb, q, qif, 0); RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); --- 1019,1034 ---- return 0; } pnext = qif->qf_rqinfo->qi_putp; + type = MTYPE(mb); + if (type == M_IOCACK) + fr_qif_update(qif, mb); + else { + bcopy((char *)qif, (char *)&qf, sizeof(qf)); ! if (datamsg(type) || (type == M_BREAK)) ! err = fr_precheck(&mb, q, &qf, 0); ! } RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); *************** *** 944,951 **** if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, "!IP Filter: inp NULL: qif %x q %x info %x", ! qif, q, q->q_qinfo); } if (mb) { mb->b_prev = NULL; --- 1037,1045 ---- if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, ! "!IP Filter: inp NULL: qif %x %s q %x info %x", ! 
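Review bot: The header comment `Only called for M_IOCACK messages` on `fr_qif_update()` in the `--- 915,944` hunk does not match the later `ipf_ip_qin()` hunk, which calls it from the `DL_IOC_HDR_INFO` case of what its debug message labels an M_IOCTL. The function also casts `mp->b_rptr` to `struct iocblk *` without checking that the block holds that many bytes. A guard like `if ((size_t)(mp->b_wptr - mp->b_rptr) < sizeof(*iocp)) return;` before reading `ioc_cmd` would make it safe for either caller. The comment should name both message types.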
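Review bot: The failure path added to `fr_qin()` in the `--- 956,968` hunk counts the drop in `frstats[1]`, while the success path two lines later uses `frstats[0].fr_copy++` and this function passes `0` as the direction to `fr_precheck()`. It looks copied from the matching `fr_qout()` hunk; `frstats[0].fr_drop++;` would keep inbound drops in the inbound counters.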
&qf, qf.qf_name, q, q->q_qinfo); } if (mb) { mb->b_prev = NULL; *************** *** 972,979 **** --- 1066,1078 ---- mblk_t *m1; m1 = copymsg(mb); + mb->b_prev = NULL; freemsg(mb); mb = m1; + if (!m1) { + frstats[1].fr_drop++; + return 0; + } frstats[1].fr_copy++; } *************** *** 1040,1052 **** return 0; } - bcopy((char *)qif, (char *)&qf, sizeof(qf)); - qif = &qf; - type = MTYPE(mb); pnext = qif->qf_wqinfo->qi_putp; ! if (datamsg(type) || (type == M_BREAK)) ! err = fr_precheck(&mb, q, qif, 1); RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); --- 1139,1154 ---- return 0; } pnext = qif->qf_wqinfo->qi_putp; + type = MTYPE(mb); + if (type == M_IOCACK) + fr_qif_update(qif, mb); + else { + bcopy((char *)qif, (char *)&qf, sizeof(qf)); ! if (datamsg(type) || (type == M_BREAK)) ! err = fr_precheck(&mb, q, &qf, 1); ! } RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); *************** *** 1057,1063 **** cmn_err(CE_WARN, "!IP Filter: outp NULL: qif %x %s q %x info %x", ! qif, qif->qf_name, q, q->q_qinfo); } if (mb) { mb->b_prev = NULL; --- 1159,1165 ---- cmn_err(CE_WARN, "!IP Filter: outp NULL: qif %x %s q %x info %x", ! &qf, qf.qf_name, q, q->q_qinfo); } if (mb) { mb->b_prev = NULL; *************** *** 1105,1117 **** } ioc = (struct iocblk *)mb->b_rptr; ! switch (ioc->ioc_cmd) { case I_LINK: case I_UNLINK: case SIOCSIFADDR: case SIOCSIFFLAGS: #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ioc->ioc_cmd); #endif WRITE_ENTER(&ipfs_mutex); if (synctimeoutid == 0) { --- 1207,1224 ---- } ioc = (struct iocblk *)mb->b_rptr; ! switch (ioc->ioc_cmd) ! { ! case DL_IOC_HDR_INFO: ! fr_qif_update(qif_from_queue(q), mb); ! break; case I_LINK: case I_UNLINK: case SIOCSIFADDR: case SIOCSIFFLAGS: #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ! 
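Review bot: The warning in the `--- 1037,1045` hunk now prints `&qf` and `qf.qf_name`, but the preceding `--- 1019,1034` hunk fills `qf` with `bcopy()` only in the `else` branch. For an `M_IOCACK` message it is therefore read without having been copied, unless it is initialised outside these hunks. Moving `bcopy((char *)qif, (char *)&qf, sizeof(qf));` above the `if (type == M_IOCACK)` test fixes this; the `fr_qout()` hunks at `--- 1139,1154` and `--- 1159,1165` have the same pattern. The `%x` conversions are also given pointer arguments, which is a mismatch where pointers are wider than `int`.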
ioc->ioc_cmd); #endif WRITE_ENTER(&ipfs_mutex); if (synctimeoutid == 0) { *************** *** 1293,1298 **** --- 1400,1411 ---- "Unknown layer 2 header size for %s type %d\n", qif->qf_name, il->ill_type); } + + /* + * XXX Awful hack for PPP; fix when PPP/snoop fixed. + */ + if (il->ill_type == IFT_ETHER && !il->ill_bcast_addr_length) + qif->qf_hl = 0; #endif strncpy(qif->qf_name, il->ill_name, sizeof(qif->qf_name)); qif->qf_name[sizeof(qif->qf_name) - 1] = '\0'; *************** *** 1377,1382 **** --- 1490,1496 ---- #endif out->q_qinfo = &qif->qf_wqinit; + ire_walk(ipf_ire_walk, (char *)qif); RWLOCK_EXIT(&ipfs_mutex); cmn_err(CE_CONT, "IP Filter: attach to [%s,%d] - %s\n", qif->qf_name, il->ill_ppa,