diff -cNr ip_fil3.4.25/BSD/Makefile ip_fil3.4.26/BSD/Makefile *** ip_fil3.4.25/BSD/Makefile Thu Mar 7 01:05:09 2002 --- ip_fil3.4.26/BSD/Makefile Thu Apr 25 03:13:31 2002 *************** *** 7,12 **** --- 7,14 ---- # BINDEST=/usr/sbin SBINDEST=/sbin + SEARCHDIRS=$(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin \ + /usr/local/bin /usr/local/sbin MANDIR=/usr/share/man CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O CFLAGS=-g -I$(TOP) *************** *** 49,54 **** --- 51,64 ---- FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM) + /bin/rm -f $(TOP)/ipf + ln -s `pwd`/ipf $(TOP) + /bin/rm -f $(TOP)/ipftest + ln -s `pwd`/ipftest $(TOP) + /bin/rm -f $(TOP)/ipmon + ln -s `pwd`/ipmon $(TOP) + /bin/rm -f $(TOP)/ipnat + ln -s `pwd`/ipnat $(TOP) ipfstat: $(FILS) $(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ *************** *** 56,68 **** ipf: $(IPF) $(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm --- 66,74 ---- *************** *** 220,227 **** ipmon: $(TOP)/ipmon.c $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ --- 226,231 ---- *************** *** 250,257 **** ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \ def="`expr $$i : '[^:]*:\(.*\)'`"; \ p="`expr $$i : '\([^:]*\):.*'`"; \ ! for d in $(BINDEST) $(SBINDEST); do \ ! 
if [ -f $$d/$$i ] ; then \ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \ dd=$$d; \ --- 254,261 ---- ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \ def="`expr $$i : '[^:]*:\(.*\)'`"; \ p="`expr $$i : '\([^:]*\):.*'`"; \ ! for d in $(SEARCHDIRS); do \ ! if [ -f $$d/$$p ] ; then \ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \ dd=$$d; \ diff -cNr ip_fil3.4.25/BSD/kupgrade ip_fil3.4.26/BSD/kupgrade *** ip_fil3.4.25/BSD/kupgrade Sat Oct 20 18:35:16 2001 --- ip_fil3.4.26/BSD/kupgrade Mon Mar 25 22:16:53 2002 *************** *** 8,13 **** --- 8,22 ---- argv0=`basename $0` dir=`pwd` karch=`uname -m` + os=`uname -s` + if [ $os = FreeBSD ] ; then + rev=`uname -r` + rev=`expr $rev : '\([0-9]*\)\..*'` + if [ $rev = 2 ] ; then + echo "Copying /usr/include/osreldate.h to /sys/sys" + cp /usr/include/osreldate.h /sys/sys + fi + fi archdir="/sys/arch/$karch" ipfdir=/sys/netinet if [ -d /sys/contrib/ipfilter ] ; then diff -cNr ip_fil3.4.25/FreeBSD-4.0/kinstall ip_fil3.4.26/FreeBSD-4.0/kinstall *** ip_fil3.4.25/FreeBSD-4.0/kinstall Sat Feb 2 03:01:30 2002 --- ip_fil3.4.26/FreeBSD-4.0/kinstall Mon Mar 25 23:53:22 2002 *************** *** 28,38 **** echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" ln -s /usr/include/osreldate.h /sys/sys/osreldate.h ! patchfile=FreeBSd-4.0/ipv6-patch-$krev if ( -f $patchfile ) then echo "" echo "Patching ip6_input.c and ip6_output.c" cat $patchfile | (cd /sys/netinet6; patch) endif set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` --- 28,40 ---- echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" ln -s /usr/include/osreldate.h /sys/sys/osreldate.h ! 
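Review bot: The install loop now overwrites, as root and mode 755, any existing file named `$$p` in each `SEARCHDIRS` directory it visits, including `/usr/local/bin` and `/usr/local/sbin`, and nothing in the visible lines records that this is intended. A comment above the `SEARCHDIRS` assignment, for example `# directories checked for older copies, which "install" refreshes in place`, would state the intent. Quoting the test as `if [ -f "$$d/$$p" ] ; then \` keeps it well-formed if a destination path contains whitespace. With the defaults `BINDEST=/usr/sbin` and `SBINDEST=/sbin`, the list names `/sbin` and `/usr/sbin` twice, so those directories are processed twice unless the loop stops at the first match. The remainder of the loop is outside the hunk.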
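Review bot: `$os` and `$rev` are expanded unquoted in the two new `[ ... ]` tests, so when `uname -r` returns a string the `expr` pattern does not match, `rev` is empty and `[ $rev = 2 ]` fails with a syntax error instead of evaluating to false. Quoting both avoids that: `if [ "$os" = FreeBSD ] ; then` and `if [ "$rev" = 2 ] ; then`. The result of `cp /usr/include/osreldate.h /sys/sys` is not checked either, so a failed copy goes unreported and the upgrade continues against whatever header is already there. The rest of the script is outside the hunk.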
set patchfile=FreeBSd-4.0/ipv6-patch-$krev if ( -f $patchfile ) then echo "" echo "Patching ip6_input.c and ip6_output.c" cat $patchfile | (cd /sys/netinet6; patch) + else + echo "IPv6 patching not required for your OS version" endif set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` diff -cNr ip_fil3.4.25/HISTORY ip_fil3.4.26/HISTORY *** ip_fil3.4.25/HISTORY Wed Mar 13 15:03:54 2002 --- ip_fil3.4.26/HISTORY Thu Apr 25 11:57:56 2002 *************** *** 22,27 **** --- 22,80 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.26 25/04/2002 - Released + + fix parsing and printing of NAT rules with regression tests. + + add code to adjust TCP checksums inside ICMP errors where present and as + required for NAT. + + fix documentation problems in instal documents + + fix locking problem with auth code on Solaris + + fix use of version macros for FreeBSD and make the use of __FreeBSD_version + override previous hacks except when not present + + fix the macros defined for SIOCAUTHR and SIOCAUTHW + + fix the H.323 proxy so it no longer panics (multiple issues: re-entry into + nat_ioctl with lock held on Solaris, trying to copy data from kernel space + with copyin, unaligned access to get 32bit & 16bit numbers) + + use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets + generated by IPFilter + + fix comparing state information to delete state table entries + + flag packets as being "bad state" if they're outside the window and prevent + them from being able to cause new state to be created - except for SYN packets + + be stricter about what packets match a TCP state table entry if its creation + was triggered by a SYN packet. 
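Review bot: The corrected `set patchfile=FreeBSd-4.0/ipv6-patch-$krev` still spells the directory `FreeBSd-4.0`, while the diff header names it `FreeBSD-4.0`, so on a case-sensitive filesystem `-f $patchfile` is never true. With the new `else` branch the script then prints "IPv6 patching not required for your OS version" even when a patch file exists for that release, and the IPv6 kernel patch is skipped with a message that says all is well. The line should read `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. The path is relative, so it presumably also depends on the directory the script is started from, which the hunk does not show.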
+ + add patches to handle TCP window scaling + + don't update TCP state table entries if the packet is not considered to be + part of the connection + + ipfs wasn't allowing -i command line option in getopt + + IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2 + regardless of user compile, fix the getkflags script to prune down the + output more so it is acceptable + + change building in Makefiles to create links to the application in $(TOP) + at the end of "build" rather than when each is created. + + update BSD/kupgrade for FreeBSD + + l4check wasn't properly closing things when a connection fails + + man page updates for ipmon(8) and ipnat(5) + + more regression tests added. + 3.4.25 13/03/2002 - Released retain rule # in state information diff -cNr ip_fil3.4.25/INSTALL.IRIX ip_fil3.4.26/INSTALL.IRIX *** ip_fil3.4.25/INSTALL.IRIX Thu Oct 30 00:11:10 1997 --- ip_fil3.4.26/INSTALL.IRIX Wed Apr 10 15:06:28 2002 *************** *** 17,29 **** CC=gcc to CC=cc - b) enable full optimization - This means changing the lines reading: - DEBUG=-g - CFLAGS=-I$$(TOP) - to - DEBUG= - CFLAGS=-O2 -I$$(TOP) 1. do "make irix" (Warning: GNU make is not supported, so if it has been installed on your system, verify your path and/or do "which make" --- 17,22 ---- diff -cNr ip_fil3.4.25/INSTALL.SunOS ip_fil3.4.26/INSTALL.SunOS *** ip_fil3.4.25/INSTALL.SunOS Thu Aug 5 03:29:52 1999 --- ip_fil3.4.26/INSTALL.SunOS Wed Mar 27 22:09:04 2002 *************** *** 3,9 **** 1. do a "make solaris" in this directory ! 2. Run the script "SunOS4/minstall" as root. 3. change directory to SunOS4 and run "make install" --- 3,9 ---- 1. do a "make solaris" in this directory ! 2. do a "make install-sunos4" in this directory 3. change directory to SunOS4 and run "make install" *************** *** 24,40 **** 1. do a "make solaris" in this directory ! 2. Run the script "SunOS4/kinstall" as root. NOTE: This script sets up /dev/ipl as char. device 59,0 in /sys/sun/conf.c ! 3. 
Run the following commands as root: mknod /dev/ipl c 59 0 mknod /dev/ipnat c 59 1 mknod /dev/ipstate c 59 2 mknod /dev/ipauth c 59 3 ! 4. Reboot using the new kernel Darren Reed darrenr@pobox.com --- 24,42 ---- 1. do a "make solaris" in this directory ! 2. do a "make install-sunos4" in this directory ! ! 4. Run the script "SunOS4/kinstall" as root. NOTE: This script sets up /dev/ipl as char. device 59,0 in /sys/sun/conf.c ! 4. Run the following commands as root: mknod /dev/ipl c 59 0 mknod /dev/ipnat c 59 1 mknod /dev/ipstate c 59 2 mknod /dev/ipauth c 59 3 ! 5. Reboot using the new kernel Darren Reed darrenr@pobox.com diff -cNr ip_fil3.4.25/IRIX/Makefile ip_fil3.4.26/IRIX/Makefile *** ip_fil3.4.25/IRIX/Makefile Thu Mar 7 01:05:10 2002 --- ip_fil3.4.26/IRIX/Makefile Thu Apr 25 03:13:31 2002 *************** *** 48,54 **** "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" # ! CCARGS=$(SGIREV) -D_STANDALONE $(DEBUG) $(CFLAGS) $(IPFLOG) # ########## ########## ########## ########## ########## ########## ########## # --- 48,56 ---- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" # ! CKFLAGS=$(SGIREV) -O2 -I$(TOP) $(IPFLOG) -D_KMEMUSER ! CCARGS=$(SGIREV) -D_KMEMUSER $(DEBUG) $(CFLAGS) $(IPFLOG) ! #-D_STANDALONE # ########## ########## ########## ########## ########## ########## ########## # *************** *** 69,75 **** IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o printnat.o FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o printstate.o ! build all: ipf ipfstat ipftest ipmon ipnat $(LKM) ipfstat: $(FILS) $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ --- 71,85 ---- IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o printnat.o FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o printstate.o ! build all: ipf ipfstat ipftest ipmon ipnat ipfs $(LKM) ! ${RM} -f $(TOP)/ipftest ! ln -s `pwd`/ipftest $(TOP) ! ${RM} -f $(TOP)/ipf ! ln -s `pwd`/ipf $(TOP) ! ${RM} -f $(TOP)/ipmon ! 
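Review bot: `CKFLAGS` is introduced without a comment, and it stops honouring `$(DEBUG)` and `$(CFLAGS)` for every kernel object the later hunks switch over to it (`fil_k.o`, `ip_nat.o` through `ip_log.o`, `ml_ipl.o`). A line above it such as `# CKFLAGS: kernel objects only; always -O2, ignores DEBUG and CFLAGS` would tell a reader why a debug build still produces optimized kernel code. The `#-D_STANDALONE` line left under `CCARGS` needs either a stated reason or removal. Both points also apply to IRIX/Makefile.std, and the leftover comment to IRIX/Makefile.ipsend.std.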
ln -s `pwd`/ipmon $(TOP) ! ${RM} -f $(TOP)/ipnat ! ln -s `pwd`/ipnat $(TOP) ipfstat: $(FILS) $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ *************** *** 77,93 **** ipf: $(IPF) $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) - ${RM} -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) - ${RM} -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf tests: (cd test; make ) --- 87,105 ---- ipf: $(IPF) $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) ipftest: $(IPT) $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) ipnat: $(IPNAT) $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf + ipfs: ipfs.o + $(CC) $(CCARGS) ipfs.o -o $@ $(LIBS) + + ipfs.o: $(TOP)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \ + $(TOP)/ip_nat.h + $(CC) $(CCARGS) -c $(TOP)/ipfs.c -o $@ tests: (cd test; make ) *************** *** 100,106 **** $(CC) $(CCARGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(CCARGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(CCARGS) -c $(TOP)/ipf.c -o $@ --- 112,118 ---- $(CC) $(CCARGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(CKFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(CCARGS) -c $(TOP)/ipf.c -o $@ *************** *** 168,198 **** ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! 
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c $(CC) $(CCARGS) -c $(TOP)/kmem.c -o $@ --- 180,210 ---- ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. 
$(CKFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c $(CC) $(CCARGS) -c $(TOP)/kmem.c -o $@ *************** *** 208,215 **** ipmon: $(TOP)/ipmon.c $(CC) $(CCARGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - ${RM} -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) natparse.o: $(TOP)/natparse.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_proxy.h $(TOP)/ip_nat.h --- 220,225 ---- *************** *** 238,243 **** --- 248,254 ---- -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipf -O ipf -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipfstat -O ipfstat -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipnat -O ipnat + -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipfs -O ipfs -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipmon -O ipmon -$(INSTALL) -F $(BINDEST) -m 755 -src $(CPUDIR)/ipftest -O ipftest diff -cNr ip_fil3.4.25/IRIX/Makefile.ipsend.std ip_fil3.4.26/IRIX/Makefile.ipsend.std *** ip_fil3.4.25/IRIX/Makefile.ipsend.std Fri Oct 20 02:37:36 2000 --- ip_fil3.4.26/IRIX/Makefile.ipsend.std Thu Apr 4 00:35:18 2002 *************** *** 7,13 **** CC=cc CFLAGS=-g -I$(TOP) ! CCARGS=$(DEBUG) $(CFLAGS) -D_STANDALONE all build irix : ipsend ipresend iptest --- 7,14 ---- CC=cc CFLAGS=-g -I$(TOP) ! CCARGS=$(DEBUG) $(CFLAGS) -D_KMEMUSER ! #-D_STANDALONE all build irix : ipsend ipresend iptest diff -cNr ip_fil3.4.25/IRIX/Makefile.std ip_fil3.4.26/IRIX/Makefile.std *** ip_fil3.4.25/IRIX/Makefile.std Thu Mar 7 01:05:10 2002 --- ip_fil3.4.26/IRIX/Makefile.std Thu Apr 18 03:44:08 2002 *************** *** 13,20 **** # based on our current CPU: # SGIREV=-DIRIX=$(SGI) ! DCPU=`uname -m` ! KFLAGS=`$(TOP)/IRIX/getkflags` # BINDEST=/usr/sbin SBINDEST=/usr/etc --- 13,20 ---- # based on our current CPU: # SGIREV=-DIRIX=$(SGI) ! DCPU!=uname -m ! 
KFLAGS!=$(TOP)/IRIX/getkflags # BINDEST=/usr/sbin SBINDEST=/usr/etc *************** *** 33,39 **** MLFLAGS= -G 0 LKM=ipflkm.o #else - MLFLAGS= -G 8 LKM=ipfilter.o #endif MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ --- 33,38 ---- *************** *** 42,48 **** "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" # ! CCARGS=$(SGIREV) -D_STANDALONE $(DEBUG) $(CFLAGS) $(IPFLOG) # ########## ########## ########## ########## ########## ########## ########## # --- 41,49 ---- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" # ! CKFLAGS=$(SGIREV) -O2 -I$(TOP) $(IPFLOG) -D_KMEMUSER ! CCARGS=$(SGIREV) $(DEBUG) $(CFLAGS) $(IPFLOG) -D_KMEMUSER ! #-D_STANDALONE # ########## ########## ########## ########## ########## ########## ########## # *************** *** 63,69 **** IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o printnat.o FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o printstate.o ! build all: ipf ipfstat ipftest ipmon ipnat $(LKM) ipfstat: $(FILS) $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ --- 64,76 ---- IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o printnat.o FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o printstate.o ! build all: ipf ipfstat ipftest ipmon ipnat ipfs $(LKM) ! ${RM} -f $(TOP)/ipf ! ln -s `pwd`/ipf $(TOP) ! ${RM} -f $(TOP)/ipftest ! ln -s `pwd`/ipftest $(TOP) ! ${RM} -f $(TOP)/ipmon ! 
ln -s `pwd`/ipmon $(TOP) ipfstat: $(FILS) $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ *************** *** 71,87 **** ipf: $(IPF) $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) - ${RM} -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) - ${RM} -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf tests: (cd test; make ) --- 78,97 ---- ipf: $(IPF) $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) ipftest: $(IPT) $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) ipnat: $(IPNAT) $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf + ipfs: ipfs.o + $(CC) $(CCARGS) ipfs.o -o $@ $(LIBS) + + ipfs.o: $(TOP)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \ + $(TOP)/ip_nat.h + $(CC) $(CCARGS) -c $(TOP)/ipfs.c -o $@ + tests: (cd test; make ) *************** *** 94,100 **** $(CC) $(CCARGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(CCARGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(CCARGS) -c $(TOP)/ipf.c -o $@ --- 104,110 ---- $(CC) $(CCARGS) -c $(TOP)/fil.c -o $@ fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h ! $(CC) $(CKFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(CCARGS) -c $(TOP)/ipf.c -o $@ *************** *** 162,192 **** ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! 
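Review bot: This `build all` recipe recreates the `$(TOP)` links for `ipf`, `ipftest` and `ipmon` but not for `ipnat`, whereas the same recipe in BSD/Makefile and IRIX/Makefile in this patch also runs `${RM} -f $(TOP)/ipnat` followed by the matching `ln -s` line. If `ipnat` is expected in `$(TOP)`, presumably for the regression tests, those two lines are missing here. Since `build` and `all` do not name files, the recipe relinks on every run, which is harmless but worth a one-line comment above the rule.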
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c $(CC) $(CCARGS) -c $(TOP)/kmem.c -o $@ --- 172,202 ---- ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h ! $(CC) $(CKFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h ! $(CC) -I. 
$(CKFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ kmem.o: $(TOP)/kmem.c $(CC) $(CCARGS) -c $(TOP)/kmem.c -o $@ *************** *** 202,209 **** ipmon: $(TOP)/ipmon.c $(CC) $(CCARGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - ${RM} -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) natparse.o: $(TOP)/natparse.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_proxy.h $(TOP)/ip_nat.h --- 212,217 ---- *************** *** 232,237 **** --- 240,246 ---- -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipf -O ipf -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipfstat -O ipfstat -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipnat -O ipnat + -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipfs -O ipfs -$(INSTALL) -F $(SBINDEST) -m 755 -src $(CPUDIR)/ipmon -O ipmon -$(INSTALL) -F $(BINDEST) -m 755 -src $(CPUDIR)/ipftest -O ipftest diff -cNr ip_fil3.4.25/IRIX/getkflags ip_fil3.4.26/IRIX/getkflags *** ip_fil3.4.25/IRIX/getkflags Sat Feb 23 02:32:57 2002 --- ip_fil3.4.26/IRIX/getkflags Thu Apr 4 00:30:28 2002 *************** *** 8,12 **** -e 's/\$(CPUBOARD)/CPUBOARD/g' \ -e 's/^#$//' /var/sysgen/Makefile.kernio | \ /usr/lib/cpp -DCPUBOARD=${CPUNUM} | \ ! egrep -v '^$|^#.*|^$|^ROOT=|^include' exit 0 --- 8,13 ---- -e 's/\$(CPUBOARD)/CPUBOARD/g' \ -e 's/^#$//' /var/sysgen/Makefile.kernio | \ /usr/lib/cpp -DCPUBOARD=${CPUNUM} | \ ! egrep -v '^$|^#.*|^$|^ROOT=|^include' | \ ! 
sed -e 's/CFLAGS *[+]*[=]*//' -e 's/\\//' -e 's/-fullwarn//' exit 0 diff -cNr ip_fil3.4.25/QNX_OCL.txt ip_fil3.4.26/QNX_OCL.txt *** ip_fil3.4.25/QNX_OCL.txt Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/QNX_OCL.txt Wed Mar 27 21:07:28 2002 *************** *** 0 **** --- 1,275 ---- + End User License Certificate (EULA) End User License Certificate + (EULA) + Support Support + QNX Source Licenses QNX Source Licenses + License of the month + Confidential Source License + Version 1.0 + + QNX Open Community License Version 1.0 + + THIS QNX OPEN COMMUNITY LICENSE ( "THE OCL", OR "THIS AGREEMENT") + APPLIES TO PROGRAMS THAT QNX SOFTWARE SYSTEMS LTD. ("QSS") EXPRESSLY + ELECTS TO LICENSE UNDER THE OCL TERMS. IT ALSO APPLIES TO DERIVATIVE + WORKS CREATED UNDER THIS AGREEMENT THAT CREATORS ELECT TO LICENSE TO + OTHERS IN SOURCE CODE FORM. ANY USE, REPRODUCTION, MODIFICATION OR + DISTRIBUTION OF SUCH PROGRAMS CONSTITUTES RECIPIENT'S ACCEPTANCE OF + THE OCL. THE LICENSE RIGHTS GRANTED BELOW ARE CONDITIONAL UPON + RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT AND THE FORMATION OF A + BINDING CONTRACT. NOTHING ELSE GRANTS PERMISSION TO USE, REPRODUCE, + MODIFY OR DISTRIBUTE SUCH PROGRAMS OR THEIR DERIVATIVE WORKS. THESE + ACTIONS ARE OTHERWISE PROHIBITED. CONTACT QSS IF OTHER STEPS ARE + REQUIRED LOCALLY TO CREATE A BINDING CONTRACT. + + The OCL is intended to promote the development, use and distribution + of derivative works created from QSS source code. This includes + commercial distribution of object code versions under the terms of + Recipient's own license agreement and, at Recipient's option, sharing + of source code modifications within the QNX developer's community. The + license granted under the OCL is royalty free. Recipient is entitled + to charge royalties for object code versions of derivative works that + originate with Recipient. If Recipient elects to license source code + for its derivative works to others, then it must be licensed under the + OCL. 
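Review bot: The added expression `s/CFLAGS *[+]*[=]*//` is unanchored and everything after `CFLAGS` is optional, so it deletes the string `CFLAGS` wherever it first occurs on a line, including inside a longer variable name, and `s/\\//` removes only the first backslash on each line. If the aim is to strip the assignment prefix and the continuation backslash, `-e 's/^CFLAGS *+*= *//' -e 's/\\$//'` says so directly. Because the script ends in `exit 0`, a failure anywhere in the pipeline still looks like success to `KFLAGS!=$(TOP)/IRIX/getkflags` in IRIX/Makefile.std, which would then presumably build the kernel objects with empty flags and no warning. The format of /var/sysgen/Makefile.kernio is not visible here, so the anchored forms need checking against real input.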
The terms of the OCL are as follows:
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+
+ a. in the case of QSS: (i) the Original Program, where the Original
+ Program originates from QSS, (ii) changes and/or additions to
+ Unrestricted Open Source, where the Original Program originates
+ from Unrestricted Open Source and where such changes and/or
+ additions originate from QSS, and (iii) changes and/or additions
+ to the Program where such changes and/or additions originate from
+ QSS.
+ b. in the case of each Contributor, changes and/or additions to the
+ Program, where such changes and/or additions originate from and
+ are distributed by that particular Contributor.
+
+ A Contribution 'originates' from a Contributor if it was added to the
+ Program by such Contributor itself or anyone acting on such
+ Contributor's behalf. Contributions do not include additions to the
+ Program which: (i) are separate modules of software distributed in
+ conjunction with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means QSS and any other entity that distributes the
+ Program.
+
+ "Licensed Patents " mean patent claims licensable by Contributor to
+ others, which are necessarily infringed by the use or sale of its
+ Contribution alone or when combined with the Program.
+
+ "Unrestricted Open Source" means published source code that is
+ licensed for free use and distribution under an unrestricted licensing
+ and distribution model, such as the Berkley Software Design ("BSD")
+ and "BSD-like" licenses. It specifically excludes any source code
+ licensed under any version of the GNU General Public License (GPL) or
+ the GNU Lesser/Library GPL. All "Unrestricted Open Source" license
+ terms appear or are clearly identified in the header of any affected
+ source code for the Original Program.
+
+ "Original Program" means the original version of the software
+ accompanying this Agreement as released by QSS, including source code,
+ object code and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this
+ Agreement, including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a. Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free
+ copyright license to reproduce, prepare derivative works of,
+ publicly display, publicly perform, and directly and indirectly
+ sublicense and distribute the Contribution of such Contributor, if
+ any, and such derivative works, in source code and object code
+ form.
+ b. Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such
+ Contributor, if any, in source code and object code form. This
+ patent license shall apply to the combination of the Contribution
+ and the Program if, at the time the Contribution is added by the
+ Contributor, such addition of the Contribution causes such
+ combination to be covered by the Licensed Patents. The patent
+ license shall not apply to any other combinations which include
+ the Contribution.
+ c. Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise.
As a condition to exercising the
+ rights and licenses granted hereunder, each Recipient hereby
+ assumes sole responsibility to secure any other intellectual
+ property rights needed, if any. For example, if a third party
+ patent license is required to allow Recipient to distribute the
+ Program, it is Recipient's responsibility to acquire that license
+ before distributing the Program.
+ d. Each Contributor represents that to its knowledge it has
+ sufficient copyright rights in its Contribution, if any, to grant
+ the copyright license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+
+ a. it complies with the terms and conditions of this Agreement; and
+ b. its license agreement:
+ i. effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and
+ fitness for a particular purpose;
+ ii. effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ and
+ iii. states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party.
+
+ If the Program is made available in source code form:
+
+ a. it must be made available under this Agreement; and
+ b. a copy of this Agreement must be included with each copy of the
+ Program. Each Contributor must include the following in a
+ conspicuous location in the Program along with any other copyright
+ or attribution statements required by the terms of any applicable
+ Unrestricted Open Source license:
+ Copyright {date here}, QNX Software Systems Ltd. and others. All
+ Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator
+ of its Contribution, if any, in a manner that reasonably allows
+ subsequent Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain
+ responsibilities with respect to end users, business partners and the
+ like. While this license is intended to facilitate the commercial use
+ of the Program, the Contributor who includes the Program in a
+ commercial product offering should do so in a manner which does not
+ create potential liability for other Contributors. Therefore, if a
+ Contributor includes the Program in a commercial product offering,
+ such Contributor ("Commercial Contributor") hereby agrees to defend
+ and indemnify every other Contributor ("Indemnified Contributor")
+ against any losses, damages and costs (collectively "Losses") arising
+ from claims, lawsuits and other legal actions brought by a third party
+ against the Indemnified Contributor to the extent caused by the acts
+ or omissions of such Commercial Contributor in connection with its
+ distribution of the Program in a commercial product offering. The
+ obligations in this section do not apply to any claims or Losses
+ relating to any actual or alleged intellectual property infringement.
+ In order to qualify, an Indemnified Contributor must: a) promptly
+ notify the Commercial Contributor in writing of such claim, and b)
+ allow the Commercial Contributor to control, and cooperate with the
+ Commercial Contributor in, the defense and any related settlement
+ negotiations. The Indemnified Contributor may participate in any such
+ claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor.
If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those
+ performance claims and warranties, and if a court requires any other
+ Contributor to pay any damages as a result, the Commercial Contributor
+ must pay those damages.
+
+ 5. NO WARRANTY
+
+ Recipient acknowledges that there may be errors or bugs in the Program
+ and that it is imperative that Recipient conduct thorough testing to
+ identify and correct any problems prior to the productive use or
+ commercial release of any products that use the Program, and prior to
+ the release of any modifications, updates or enhancements thereto.
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS
+ PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY
+ WARRANTIES OR CONDITIONS OF TITLE, NON- INFRINGEMENT, MERCHANTABILITY
+ OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
+ responsible for determining the appropriateness of using and
+ distributing the Program and assumes all risks associated with its
+ exercise of rights under this Agreement, including but not limited to
+ the risks and costs of program errors, compliance with applicable
+ laws, damage to or loss of data, programs or equipment, and
+ unavailability or interruption of operations.
+
+ 6.
DISCLAIMER OF LIABILITY + + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR + ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING + WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR + DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED + HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + + 7. GENERAL + + If any provision of this Agreement is invalid or unenforceable under + applicable law, it shall not affect the validity or enforceability of + the remainder of the terms of this Agreement, and without further + action by the parties hereto, such provision shall be reformed to the + minimum extent necessary to make such provision valid and enforceable. + + If Recipient institutes patent litigation against a Contributor with + respect to a patent applicable to software (including a cross-claim or + counterclaim in a lawsuit), then any patent licenses granted by that + Contributor to such recipient under this Agreement shall terminate as + of the date such litigation is filed. In addition, If Recipient + institutes patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Program + itself (excluding combinations of the Program with other software or + hardware) infringes such Recipient's patent(s), then such Recipient's + rights granted under Section 2(b) shall terminate as of the date such + litigation is filed. + + All Recipient's rights under this Agreement shall terminate if it + fails to comply with any of the material terms or conditions of this + Agreement and does not cure such failure in a reasonable period of + time after becoming aware of such noncompliance. 
If all Recipient's + rights under this Agreement terminate, Recipient agrees to cease use + and distribution of the Program as soon as reasonably practicable. + However, Recipient's obligations under this Agreement and any licenses + granted by Recipient relating to the Program shall continue and + survive. + + QSS may publish new versions (including revisions) of this Agreement + from time to time. Each new version of the Agreement will be given a + distinguishing version number. The Program (including Contributions) + may always be distributed subject to the version of the Agreement + under which it was received. In addition, after a new version of the + Agreement is published, Contributor may elect to distribute the + Program (including its Contributions) under the new version. No one + other than QSS has the right to modify this Agreement. Except as + expressly stated in Sections 2(a) and 2(b) above, Recipient receives + no rights or licenses to the intellectual property of any Contributor + under this Agreement, whether expressly, by implication, estoppel or + otherwise. All rights in the Program not expressly granted under this + Agreement are reserved. + + This Agreement is governed by the laws in force in the Province of + Ontario, Canada without regard to the conflict of law provisions + therein. The parties expressly disclaim the provisions of the United + Nations Convention on Contracts for the International Sale of Goods. + No party to this Agreement will bring a legal action under this + Agreement more than one year after the cause of action arose. Each + party waives its rights to a jury trial in any resulting litigation. + + * QNX is a registered trademark of QNX Software Systems Ltd. 
+ + Document Version: ocl1_00 diff -cNr ip_fil3.4.25/SunOS4/Makefile ip_fil3.4.26/SunOS4/Makefile *** ip_fil3.4.25/SunOS4/Makefile Thu Mar 7 01:05:10 2002 --- ip_fil3.4.26/SunOS4/Makefile Thu Apr 25 03:13:31 2002 *************** *** 52,57 **** --- 52,65 ---- (cd $(TOP) $(MAKE) $(MFLAGS) sunos4; ) sunos4 solaris1 build: ipf ipfstat ipftest ipmon ipnat ipfs if_ipl.o + /bin/rm -f $(TOP)/ipf + ln -s `pwd`/ipf $(TOP) + /bin/rm -f $(TOP)/ipftest + ln -s `pwd`/ipftest $(TOP) + /bin/rm -f $(TOP)/ipmon + ln -s `pwd`/ipmon $(TOP) + /bin/rm -f $(TOP)/ipnat + ln -s `pwd`/ipnat $(TOP) ipfstat: $(FILS) $(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ *************** *** 59,74 **** ipf: $(IPF) $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipfs: ipfs.o $(CC) $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS) ipftest: $(IPT) $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm --- 67,78 ---- *************** *** 213,220 **** ipmon: $(TOP)/ipmon.c $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) clean: ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ --- 217,222 ---- diff -cNr ip_fil3.4.25/SunOS5/Makefile ip_fil3.4.26/SunOS5/Makefile *** ip_fil3.4.25/SunOS5/Makefile Wed Mar 13 13:30:41 2002 --- ip_fil3.4.26/SunOS5/Makefile Thu Apr 25 03:13:32 2002 *************** *** 74,79 **** --- 74,94 ---- sunos5 solaris2 build: $(OBJ) $(OBJ)/ipf.exe $(OBJ)/ipfstat $(OBJ)/ipftest \ $(OBJ)/ipmon $(OBJ)/ipnat $(OBJ)/ipf $(OBJ)/ipfs + /bin/rm -f $(TOP)/ipf $(TOP)/$(OBJ)/ipf + /bin/rm -f $(TOP)/ipftest $(TOP)/$(OBJ)/ipftest + /bin/rm -f $(TOP)/ipmon $(TOP)/$(OBJ)/ipmon + /bin/rm -f $(TOP)/ipnat $(TOP)/$(OBJ)/ipnat + if [ -f /usr/lib/isaexec -a "$(OBJ)" != . 
] ; then \ + mkdir -p $(TOP)/$(OBJ); \ + cp /usr/lib/isaexec $(TOP)/ipf; \ + ln $(TOP)/ipf $(TOP)/ipftest; \ + ln $(TOP)/ipf $(TOP)/ipmon; \ + ln $(TOP)/ipf $(TOP)/ipnat; \ + fi + ln -s `pwd`/$(OBJ)/ipf.exe $(TOP)/$(OBJ)/ipf + ln -s `pwd`/$(OBJ)/ipmon $(TOP)/$(OBJ)/ipmon + ln -s `pwd`/$(OBJ)/ipftest $(TOP)/$(OBJ)/ipftest + ln -s `pwd`/$(OBJ)/ipnat $(TOP)/$(OBJ)/ipnat pkg: if [ "$(CPUDIR)" = "" ] ; then \ *************** *** 88,108 **** $(OBJ)/ipf.exe: $(IPF) $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipf $(TOP)/$(OBJ)/ipf - if [ -f /usr/lib/isaexec -a "$(OBJ)" != . ] ; then \ - mkdir -p $(TOP)/$(OBJ); \ - cp /usr/lib/isaexec $(TOP)/ipf; \ - fi - ln -s `pwd`/$(OBJ)/ipf.exe $(TOP)/$(OBJ)/ipf # Magic dependency on ipf.exe creates the $(TOP)/sparcv{7,9} directories. ! $(OBJ)/ipftest: $(IPT) $(OBJ)/ipf.exe $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipftest $(TOP)/$(OBJ)/ipftest - if [ -f /usr/lib/isaexec -a "$(OBJ)" != . ] ; then \ - ln $(TOP)/ipf $(TOP)/ipftest; \ - fi - ln -s `pwd`/$(OBJ)/ipftest $(TOP)/$(OBJ)/ipftest $(OBJ)/ipnat: $(IPNAT) $(CC) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm --- 103,112 ---- $(OBJ)/ipf.exe: $(IPF) $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) # Magic dependency on ipf.exe creates the $(TOP)/sparcv{7,9} directories. ! $(OBJ)/ipftest: $(IPT) $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) $(OBJ)/ipnat: $(IPNAT) $(CC) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm *************** *** 242,252 **** $(OBJ)/ipmon: $(TOP)/ipmon.c $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipmon $(TOP)/$(OBJ)/ipmon - if [ -f /usr/lib/isaexec -a "$(OBJ)" != . 
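Review bot: The four `ln -s ... $(TOP)/$(OBJ)/...` lines at the end of the `build` recipe run unconditionally, but `mkdir -p $(TOP)/$(OBJ)` is only reached inside the `/usr/lib/isaexec` test. If `$(OBJ)` can ever be something other than `.` on a host without isaexec, the links fail because the directory was never made; the `$(OBJ)` prerequisite appears to cover only the build directory, not the one under `$(TOP)`. Moving `mkdir -p $(TOP)/$(OBJ)` ahead of the `if` keeps the recipe independent of that assumption.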
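Review bot: The comment `# Magic dependency on ipf.exe creates the $(TOP)/sparcv{7,9} directories.` is kept above `$(OBJ)/ipftest: $(IPT)`, but this hunk removes both the `$(OBJ)/ipf.exe` prerequisite and the `mkdir` it referred to. As it stands the comment describes a dependency that no longer exists. It should be deleted or replaced with something like `# $(TOP)/$(OBJ) and the links into it are made by the build target.`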
] ; then \ - ln $(TOP)/ipf $(TOP)/ipmon; \ - fi - ln -s `pwd`/$(OBJ)/ipmon $(TOP)/$(OBJ)/ipmon clean: if [ `basename \`pwd\`` != SunOS5 ] ; then \ --- 246,251 ---- diff -cNr ip_fil3.4.25/SunOS5/pkginfo ip_fil3.4.26/SunOS5/pkginfo *** ip_fil3.4.25/SunOS5/pkginfo Wed Mar 13 14:57:42 2002 --- ip_fil3.4.26/SunOS5/pkginfo Wed Apr 24 00:59:07 2002 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.25 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.26 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cNr ip_fil3.4.25/fil.c ip_fil3.4.26/fil.c *** ip_fil3.4.25/fil.c Wed Mar 13 13:23:13 2002 --- ip_fil3.4.26/fil.c Mon Mar 25 22:07:37 2002 *************** *** 97,103 **** #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $"; #endif #ifndef _KERNEL --- 97,103 ---- #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $"; #endif #ifndef _KERNEL *************** *** 211,219 **** fin->fin_data[1] = 0; fin->fin_rule = -1; fin->fin_group = -1; - #ifdef _KERNEL fin->fin_icode = ipl_unreach; - #endif v = fin->fin_v; fi->fi_v = v; fin->fin_hlen = hlen; --- 211,217 ---- *************** *** 263,268 **** --- 261,267 ---- fin->fin_off = off; fin->fin_plen = plen; fin->fin_dp = (char *)tcp; + fin->fin_misc = 0; off <<= 3; switch (p) *************** *** 295,301 **** } } ! if (!(plen >= hlen + minicmpsz)) fi->fi_fl |= FI_SHORT; break; --- 294,300 ---- } } ! if (!(plen >= minicmpsz)) fi->fi_fl |= FI_SHORT; break; *************** *** 1496,1502 **** * SUCH DAMAGE. 
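Review bot: The new test `if (!(plen >= minicmpsz))` is equivalent to the old `plen >= hlen + minicmpsz` only if `plen` no longer includes the IP header at this point, and nothing in the hunk shows that. This comparison decides whether `FI_SHORT` is set, so if `plen` is still the full datagram length the filter now accepts packets that are `hlen` bytes shorter than before without flagging them. A comment on the test stating what `plen` measures here, for example `/* plen: bytes after the IP header */`, would make the change checkable. The enclosing `switch (p)` case starts outside the hunk.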
* * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1495,1501 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cNr ip_fil3.4.25/fils.c ip_fil3.4.26/fils.c *** ip_fil3.4.25/fils.c Sat Feb 23 02:32:45 2002 --- ip_fil3.4.26/fils.c Thu Apr 4 00:18:36 2002 *************** *** 94,100 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $"; #endif extern char *optarg; --- 94,100 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; #endif extern char *optarg; *************** *** 1200,1214 **** if (c == ERR) continue; ! if (tolower(c) == 'l') { redraw = 1; ! } else if (tolower(c) == 'q') { ! nocbreak(); ! endwin(); ! exit(0); ! } else if (tolower(c) == 'r') { reverse = !reverse; ! } else if (tolower(c) == 's') { sorting++; if (sorting > STSORT_MAX) sorting = 0; --- 1200,1214 ---- if (c == ERR) continue; ! if (isalpha(c) && isupper(c)) ! c = tolower(c); ! if (c == 'l') { redraw = 1; ! } else if (c == 'q') { ! break; /* exits while() loop */ ! } else if (c == 'r') { reverse = !reverse; ! } else if (c == 's') { sorting++; if (sorting > STSORT_MAX) sorting = 0; diff -cNr ip_fil3.4.25/ip_auth.c ip_fil3.4.26/ip_auth.c *** ip_fil3.4.25/ip_auth.c Wed Mar 6 20:44:10 2002 --- ip_fil3.4.26/ip_auth.c Wed Apr 24 00:57:27 2002 *************** *** 104,110 **** #endif #if !defined(lint) ! 
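Review bot: `isalpha(c) && isupper(c)` is applied to the raw key value, and the only filter visible before it is `c == ERR`. If `c` can hold a curses function-key code or any other value outside the `unsigned char` range, the ctype calls have undefined behaviour. Bounding the value first avoids that and makes `isalpha` unnecessary: `if (c >= 0 && c <= 0xff && isupper(c)) c = tolower(c);`. The `q` branch now only breaks out of the loop, so the `nocbreak(); endwin();` cleanup the old branch performed has to happen after the loop, which is outside this hunk.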
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.17 2002/03/06 09:44:10 darrenr Exp $"; #endif --- 104,110 ---- #endif #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $"; #endif *************** *** 405,410 **** --- 405,411 ---- RWLOCK_EXIT(&ipf_auth); return 0; } + RWLOCK_EXIT(&ipf_auth); #ifdef _KERNEL # if SOLARIS mutex_enter(&ipf_authmx); *************** *** 417,423 **** error = SLEEP(&fr_authnext, "fr_authnext"); # endif #endif - RWLOCK_EXIT(&ipf_auth); if (!error) goto fr_authioctlloop; break; --- 418,423 ---- *************** *** 447,453 **** #ifdef _KERNEL if (m && au->fra_info.fin_out) { # if SOLARIS ! error = fr_qout(fra->fra_q, m); # else /* SOLARIS */ struct route ro; --- 447,453 ---- #ifdef _KERNEL if (m && au->fra_info.fin_out) { # if SOLARIS ! error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0; # else /* SOLARIS */ struct route ro; *************** *** 469,475 **** fr_authstats.fas_sendok++; } else if (m) { # if SOLARIS ! error = fr_qin(fra->fra_q, m); # else /* SOLARIS */ ifq = &ipintrq; if (IF_QFULL(ifq)) { --- 469,475 ---- fr_authstats.fas_sendok++; } else if (m) { # if SOLARIS ! error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0; # else /* SOLARIS */ ifq = &ipintrq; if (IF_QFULL(ifq)) { diff -cNr ip_fil3.4.25/ip_compat.h ip_fil3.4.26/ip_compat.h *** ip_fil3.4.25/ip_compat.h Wed Mar 13 14:54:34 2002 --- ip_fil3.4.26/ip_compat.h Wed Apr 24 02:08:50 2002 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.39 2002/03/13 03:54:34 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.43 2002/04/23 16:08:50 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 103,109 **** # include #endif - /* * This is a workaround for troubles on FreeBSD and OpenBSD. 
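Review bot: Releasing `ipf_auth` with `RWLOCK_EXIT` before the sleep leaves a window in which a packet can be queued and the wakeup issued before this thread is actually asleep. On the Solaris path the following `mutex_enter(&ipf_authmx)` may close it if the waker takes the same mutex. On the `SLEEP(&fr_authnext, "fr_authnext")` path nothing visible orders the two. The lines between this hunk and the one at 417 that removes the old `RWLOCK_EXIT` are not shown, so this may already be handled; a comment at the new `RWLOCK_EXIT` saying what serialises the wakeup against the sleep would settle it.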
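Review bot: `(fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0` treats a zero return as failure, the reverse of the usual errno convention, and the reason is not stated. If that is how `fr_qout` and `fr_qin` report results, a one-line comment such as `/* fr_qout() returns 0 when the packet was not queued */` would stop a later reader from "correcting" it; the same applies to the `fr_qin` line in the 469 hunk. It is also not visible here whether `m` is released on that failure path, which is worth confirming now that the caller reports an error for it.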
*/ --- 103,108 ---- *************** *** 197,206 **** #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) - #if defined(__FreeBSD__) && (__FreeBSD__ >= 5) && defined(_KERNEL) - # include - #endif - #ifndef IP_OFFMASK #define IP_OFFMASK 0x1fff #endif --- 196,201 ---- *************** *** 215,220 **** --- 210,239 ---- #endif /* BSD > 199306 */ + #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) + # include + # ifndef __FreeBSD_version + # include + # endif + # ifdef IPFILTER_LKM + # define ACTUALLY_LKM_NOT_KERNEL + # endif + # if defined(__FreeBSD_version) && (__FreeBSD_version < 300000) + # include + # else + # if (__FreeBSD_version >= 300000) && (__FreeBSD_version < 400000) + # if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) + # define ACTUALLY_LKM_NOT_KERNEL + # endif + # endif + # endif + #endif /* __FreeBSD__ && KERNEL */ + + #if defined(__FreeBSD_version) && (__FreeBSD_version >= 500000) && \ + defined(_KERNEL) + # include + #endif + /* * These operating systems already take care of the problem for us. */ *************** *** 230,235 **** --- 249,261 ---- # include "opt_inet6.h" # endif # ifdef INET6 + # define USE_INET6 + # endif + # endif + # if !defined(_KERNEL) && !defined(IPFILTER_LKM) + # if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \ + (defined(OpenBSD) && (OpenBSD >= 200111)) || \ + (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)) # define USE_INET6 # endif # endif *************** *** 341,380 **** #define IPOPT_EIP 145 /* EIP */ #define IPOPT_FINN 205 /* FINN */ ! ! #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) ! # ifdef IPFILTER_LKM ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # else ! # include ! # endif ! # endif ! # define ACTUALLY_LKM_NOT_KERNEL ! # else ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! 
# else ! # include ! # endif ! # endif ! # endif ! # if __FreeBSD__ < 3 ! # include ! # else ! # if __FreeBSD__ == 3 ! # if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) ! # define ACTUALLY_LKM_NOT_KERNEL ! # endif ! # endif ! # endif ! #endif /* __FreeBSD__ && KERNEL */ /* * Build some macros and #defines to enable the same code to compile anywhere --- 367,375 ---- #define IPOPT_EIP 145 /* EIP */ #define IPOPT_FINN 205 /* FINN */ ! #ifndef TCPOPT_WSCALE ! # define TCPOPT_WSCALE 3 ! #endif /* * Build some macros and #defines to enable the same code to compile anywhere *************** *** 580,586 **** defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION) # include # endif ! # if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3) # if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \ (defined(OpenBSD) && (OpenBSD >= 200111)) # include --- 575,582 ---- defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION) # include # endif ! # if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \ ! (__FreeBSD_version >= 300000)) # if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \ (defined(OpenBSD) && (OpenBSD >= 200111)) # include *************** *** 589,597 **** extern vm_map_t kmem_map; # endif # include ! # else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */ # include ! # endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */ # ifdef M_PFIL # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) --- 585,593 ---- extern vm_map_t kmem_map; # endif # include ! # else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */ # include ! 
# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */ # ifdef M_PFIL # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) diff -cNr ip_fil3.4.25/ip_fil.c ip_fil3.4.26/ip_fil.c *** ip_fil3.4.25/ip_fil.c Wed Mar 13 13:29:08 2002 --- ip_fil3.4.26/ip_fil.c Wed Mar 27 02:54:39 2002 *************** *** 25,30 **** --- 25,31 ---- # endif #endif #ifdef __sgi + # define _KMEMUSER # include #endif #ifndef _KERNEL *************** *** 119,125 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.53 2002/03/13 02:29:08 darrenr Exp $"; #endif --- 120,126 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $"; #endif *************** *** 359,365 **** } # ifdef NETBSD_PF ! # if __NetBSD_Version__ >= 104200000 # if __NetBSD_Version__ >= 105110000 if ( !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) --- 360,366 ---- } # ifdef NETBSD_PF ! # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) # if __NetBSD_Version__ >= 105110000 if ( !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) *************** *** 526,532 **** fr_running = 0; # ifdef NETBSD_PF ! # if __NetBSD_Version__ >= 104200000 # if __NetBSD_Version__ >= 105110000 if (ph_inet != NULL) error = pfil_remove_hook((void *)fr_check_wrapper, NULL, --- 527,533 ---- fr_running = 0; # ifdef NETBSD_PF ! # if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) # if __NetBSD_Version__ >= 105110000 if (ph_inet != NULL) error = pfil_remove_hook((void *)fr_check_wrapper, NULL, *************** *** 2136,2143 **** num = io->iov_len; if (num > left) num = left; ! start = io->iov_base + offset; ! 
if (start > io->iov_base + io->iov_len) { offset -= io->iov_len; ioc++; continue; --- 2137,2144 ---- num = io->iov_len; if (num > left) num = left; ! start = (char *)io->iov_base + offset; ! if (start > (char *)io->iov_base + io->iov_len) { offset -= io->iov_len; ioc++; continue; diff -cNr ip_fil3.4.25/ip_fil.h ip_fil3.4.26/ip_fil.h *** ip_fil3.4.25/ip_fil.h Wed Mar 13 14:56:46 2002 --- ip_fil3.4.26/ip_fil.h Wed Apr 10 14:57:14 2002 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.29 2002/03/13 03:56:46 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 55,62 **** # define SIOCFRSYN _IOW('r', 73, u_int) # define SIOCFRZST _IOWR('r', 74, struct friostat *) # define SIOCZRLST _IOWR('r', 75, struct frentry *) ! # define SIOCAUTHW _IOWR('r', 76, struct frauth_t *) ! # define SIOCAUTHR _IOWR('r', 77, struct frauth_t *) # define SIOCATHST _IOWR('r', 78, struct fr_authstat *) # define SIOCSTLCK _IOWR('r', 79, u_int) # define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) --- 55,62 ---- # define SIOCFRSYN _IOW('r', 73, u_int) # define SIOCFRZST _IOWR('r', 74, struct friostat *) # define SIOCZRLST _IOWR('r', 75, struct frentry *) ! # define SIOCAUTHW _IOWR('r', 76, struct frauth *) ! # define SIOCAUTHR _IOWR('r', 77, struct frauth *) # define SIOCATHST _IOWR('r', 78, struct fr_authstat *) # define SIOCSTLCK _IOWR('r', 79, u_int) # define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) *************** *** 80,87 **** # define SIOCFRSYN _IOW(r, 73, u_int) # define SIOCFRZST _IOWR(r, 74, struct friostat *) # define SIOCZRLST _IOWR(r, 75, struct frentry *) ! # define SIOCAUTHW _IOWR(r, 76, struct frauth_t *) ! 
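Review bot: The bounds test still uses `>`, so `offset == io->iov_len` leaves `start` one past the end of the segment and the segment is not skipped. `num` is clamped only to `left`, not to what remains after `offset`, so if the copy that follows (outside this hunk) moves `num` bytes from `start` it can read beyond the iovec. Testing the offset directly is simpler than comparing the cast pointers: `if (offset >= io->iov_len) {`. For the bytes actually copied, `num` should additionally be limited to `io->iov_len - offset`.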
# define SIOCAUTHR _IOWR(r, 77, struct frauth_t *) # define SIOCATHST _IOWR(r, 78, struct fr_authstat *) # define SIOCSTLCK _IOWR(r, 79, u_int) # define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) --- 80,87 ---- # define SIOCFRSYN _IOW(r, 73, u_int) # define SIOCFRZST _IOWR(r, 74, struct friostat *) # define SIOCZRLST _IOWR(r, 75, struct frentry *) ! # define SIOCAUTHW _IOWR(r, 76, struct frauth *) ! # define SIOCAUTHR _IOWR(r, 77, struct frauth *) # define SIOCATHST _IOWR(r, 78, struct fr_authstat *) # define SIOCSTLCK _IOWR(r, 79, u_int) # define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) *************** *** 135,146 **** void *fin_ifp; /* interface packet is `on' */ struct fr_ip fin_fi; /* IP Packet summary */ u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */ ! u_char fin_out; /* in or out ? 1 == out, 0 == in */ ! u_char fin_rev; /* state only: 1 = reverse */ u_short fin_hlen; /* length of IP header in bytes */ u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */ ! /* From here on is packet specific */ ! u_char fin_icode; /* ICMP error to return */ u_32_t fin_rule; /* rule # last matched */ u_32_t fin_group; /* group number, -1 for none */ struct frentry *fin_fr; /* last matching rule */ --- 135,145 ---- void *fin_ifp; /* interface packet is `on' */ struct fr_ip fin_fi; /* IP Packet summary */ u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */ ! u_int fin_out; /* in or out ? 1 == out, 0 == in */ u_short fin_hlen; /* length of IP header in bytes */ + u_char fin_rev; /* state only: 1 = reverse */ u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */ ! 
u_int fin_icode; /* ICMP error to return */ u_32_t fin_rule; /* rule # last matched */ u_32_t fin_group; /* group number, -1 for none */ struct frentry *fin_fr; /* last matching rule */ *************** *** 149,154 **** --- 148,154 ---- u_short fin_off; u_short fin_dlen; /* length of data portion of packet */ u_short fin_id; /* IP packet id field */ + u_int fin_misc; void *fin_mp; /* pointer to pointer to mbuf */ #if SOLARIS void *fin_qfm; /* pointer to mblk where pkt starts */ *************** *** 171,176 **** --- 171,181 ---- #define FI_LCSIZE offsetof(fr_info_t, fin_dp) /* + * For fin_misc + */ + #define FM_BADSTATE 0x00000001 + + /* * Size for copying cache fr_info structure */ #define FI_COPYSIZE offsetof(fr_info_t, fin_dp) *************** *** 421,430 **** typedef struct ipflog { #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) ! u_char fl_ifname[LIFNAMSIZ]; #else u_int fl_unit; ! u_char fl_ifname[LIFNAMSIZ]; #endif u_char fl_plen; /* extra data after hlen */ u_char fl_hlen; /* length of IP headers saved */ --- 426,435 ---- typedef struct ipflog { #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) ! char fl_ifname[LIFNAMSIZ]; #else u_int fl_unit; ! char fl_ifname[LIFNAMSIZ]; #endif u_char fl_plen; /* extra data after hlen */ u_char fl_hlen; /* length of IP headers saved */ diff -cNr ip_fil3.4.25/ip_frag.c ip_fil3.4.26/ip_frag.c *** ip_fil3.4.25/ip_frag.c Wed Mar 6 20:44:11 2002 --- ip_fil3.4.26/ip_frag.c Wed Apr 10 14:56:10 2002 *************** *** 90,96 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.20 2002/03/06 09:44:11 darrenr Exp $"; #endif --- 90,96 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! 
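Review bot: `u_int fin_misc;` is the only member added here without a comment, while its neighbours all have one. The flag it carries is defined in the next hunk under "For fin_misc", so a pointer on the field is enough: `u_int fin_misc; /* FM_* flags, see below */`. The previous hunk also drops the `/* From here on is packet specific */` marker; if that boundary still matters to `FI_LCSIZE`/`FI_COPYSIZE` it may be worth keeping in some form.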
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $"; #endif *************** *** 584,592 **** if (fr_running <= 0) return; #endif - READ_ENTER(&ipf_solaris); #if defined(__sgi) && defined(_KERNEL) ipfilter_sgi_intfsync(); #endif --- 584,592 ---- if (fr_running <= 0) return; + READ_ENTER(&ipf_solaris); #endif #if defined(__sgi) && defined(_KERNEL) ipfilter_sgi_intfsync(); #endif diff -cNr ip_fil3.4.25/ip_h323_pxy.c ip_fil3.4.26/ip_h323_pxy.c *** ip_fil3.4.25/ip_h323_pxy.c Sat Feb 23 02:32:48 2002 --- ip_fil3.4.26/ip_h323_pxy.c Sun Apr 21 02:41:48 2002 *************** *** 52,69 **** int datlen, *off; unsigned short *port; { if (datlen < 6) return -1; *port = 0; ! for (*off = 0; *off <= datlen - 6; *off = *off + 1) { ! if (ipaddr == *(int *)(data + *off)) { ! *port = (*(data + *off + 4) << 8) + *(data + *off +5); break; } } ! return (*off > datlen - 6) ? -1 : 0; } /* --- 52,78 ---- int datlen, *off; unsigned short *port; { + u_32_t addr; + u_char *dp; + int offset; + if (datlen < 6) return -1; *port = 0; ! offset = *off; ! dp = (u_char *)data; ! ! for (offset = 0; offset <= datlen - 6; offset++, dp++) { ! addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; ! if (ipaddr == addr) { ! *port = (*(dp + 4) << 8) | *(dp + 5); break; } } ! *off = offset; ! return (offset > datlen - 6) ? -1 : 0; } /* *************** *** 109,119 **** * We are lucky here because this function is not * called with ipf_nat locked. */ ! if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) { /* log the error */ } } KFREES(aps->aps_data, aps->aps_psiz); } return; } --- 118,132 ---- * We are lucky here because this function is not * called with ipf_nat locked. */ ! if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE| ! 
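Review bot: `READ_ENTER(&ipf_solaris)` now sits inside the preprocessor block that closes at `#endif`, so the lock is taken only when that condition holds. The matching `RWLOCK_EXIT(&ipf_solaris)` further down the function must be under the same condition, otherwise builds outside it release a lock they never acquired. Neither the opening `#if` nor the release is inside this hunk, so the pairing cannot be confirmed from here; a short comment on the moved line naming the build it applies to would help.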
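Review bot: `addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]` builds a host-order value, but the caller in the 144 hunk passes `ipaddr = ip->ip_src.s_addr`, which is in network byte order, so on a little-endian host `ipaddr == addr` will not match in general where the old `*(int *)` load did. Copying the bytes keeps the alignment fix without changing byte order: `bcopy((char *)dp, (char *)&addr, sizeof(addr));`. `dp[0] << 24` also shifts into the sign bit of an `int` when the first byte is 0x80 or above. The `offset = *off;` assignment is dead because the `for` immediately resets `offset` to 0. The function's parameter list begins above the hunk.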
NAT_LOCKHELD|FWRITE) == -1) { /* log the error */ } } KFREES(aps->aps_data, aps->aps_psiz); + /* avoid double free */ + aps->aps_data = NULL; + aps->aps_psiz = 0; } return; } *************** *** 144,150 **** ipaddr = ip->ip_src.s_addr; data = (unsigned char *)tcp + (tcp->th_off << 2); ! datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { ipnat_t *ipn; char *newarray; --- 157,163 ---- ipaddr = ip->ip_src.s_addr; data = (unsigned char *)tcp + (tcp->th_off << 2); ! datlen = fin->fin_dlen - (tcp->th_off << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { ipnat_t *ipn; char *newarray; *************** *** 177,189 **** * of calling nat_ioctl(), we add the nat rule ourself. */ RWLOCK_EXIT(&ipf_nat); ! if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) { READ_ENTER(&ipf_nat); return -1; } READ_ENTER(&ipf_nat); ! bcopy(aps->aps_data, newarray, aps->aps_psiz); ! KFREES(aps->aps_data, aps->aps_psiz); aps->aps_data = newarray; aps->aps_psiz += sizeof(*ipn); } --- 190,205 ---- * of calling nat_ioctl(), we add the nat rule ourself. */ RWLOCK_EXIT(&ipf_nat); ! if (nat_ioctl((caddr_t)ipn, SIOCADNAT, ! NAT_SYSSPACE|FWRITE) == -1) { READ_ENTER(&ipf_nat); return -1; } READ_ENTER(&ipf_nat); ! if (aps->aps_data != NULL && aps->aps_psiz > 0) { ! bcopy(aps->aps_data, newarray, aps->aps_psiz); ! KFREES(aps->aps_data, aps->aps_psiz); ! } aps->aps_data = newarray; aps->aps_psiz += sizeof(*ipn); } *************** *** 256,263 **** #ifdef IPFILTER_LOG nat_log(ipn, (u_int)(nat->nat_ptr->in_redir)); #endif ! *(int *)(data + off) = ip->ip_src.s_addr; ! *(short *)(data + off + 4) = ipn->nat_outport; } } } --- 272,281 ---- #ifdef IPFILTER_LOG nat_log(ipn, (u_int)(nat->nat_ptr->in_redir)); #endif ! bcopy((u_char*)&ip->ip_src.s_addr, ! data + off, 4); ! bcopy((u_char*)&ipn->nat_outport, ! 
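Review bot: The call now passes `NAT_LOCKHELD`, yet the comment directly above it still says this function is not called with `ipf_nat` locked. In the ip_nat.c part of this diff that flag makes `nat_ioctl()` skip `WRITE_ENTER(&ipf_nat)`, so if the comment is right the rule removal runs with no lock held, and if the flag is right the comment is stale. One of the two should change; if the lock really is held at this point the comment could read `/* ipf_nat is held by our caller, so nat_ioctl() must not take it */`.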
data + off + 4, 2); } } } diff -cNr ip_fil3.4.25/ip_log.c ip_fil3.4.26/ip_log.c *** ip_fil3.4.25/ip_log.c Wed Mar 13 14:57:05 2002 --- ip_fil3.4.26/ip_log.c Wed Mar 27 02:54:40 2002 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_log.c,v 2.5.2.17 2002/03/13 03:57:05 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_log.c,v 2.5.2.18 2002/03/26 15:54:40 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) *************** *** 84,89 **** --- 84,90 ---- # include # include # ifdef __sgi + # define _KMEMUSER # include # ifdef IFF_DRVRLOCK /* IRIX6 */ # include diff -cNr ip_fil3.4.25/ip_nat.c ip_fil3.4.26/ip_nat.c *** ip_fil3.4.25/ip_nat.c Wed Mar 6 20:44:11 2002 --- ip_fil3.4.26/ip_nat.c Wed Apr 24 00:58:27 2002 *************** *** 109,115 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.63 2002/03/06 09:44:11 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, --- 109,115 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.66 2002/04/23 14:58:27 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, *************** *** 425,431 **** int mode; { register ipnat_t *nat, *nt, *n = NULL, **np = NULL; ! int error = 0, ret, arg; ipnat_t natd; u_32_t i, j; --- 425,431 ---- int mode; { register ipnat_t *nat, *nt, *n = NULL, **np = NULL; ! int error = 0, ret, arg, getlock; ipnat_t natd; u_32_t i, j; *************** *** 436,444 **** nat = NULL; /* XXX gcc -Wuninitialized */ KMALLOC(nt, ipnat_t *); ! if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) ! error = IRCOPYPTR(data, (char *)&natd, sizeof(natd)); ! 
else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */ error = IRCOPY(data, (char *)&arg, sizeof(arg)); if (error) error = EFAULT; --- 436,450 ---- nat = NULL; /* XXX gcc -Wuninitialized */ KMALLOC(nt, ipnat_t *); ! getlock = (mode & NAT_LOCKHELD) ? 0 : 1; ! if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { ! if (mode & NAT_SYSSPACE) { ! bcopy(data, (char *)&natd, sizeof(natd)); ! error = 0; ! } else { ! error = IRCOPYPTR(data, (char *)&natd, sizeof(natd)); ! } ! } else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */ error = IRCOPY(data, (char *)&arg, sizeof(arg)); if (error) error = EFAULT; *************** *** 450,456 **** /* * For add/delete, look to see if the NAT entry is already present */ ! WRITE_ENTER(&ipf_nat); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { nat = &natd; nat->in_flags &= IPN_USERFLAGS; --- 456,463 ---- /* * For add/delete, look to see if the NAT entry is already present */ ! if (getlock == 1) ! WRITE_ENTER(&ipf_nat); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { nat = &natd; nat->in_flags &= IPN_USERFLAGS; *************** *** 715,721 **** error = EINVAL; break; } ! RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ done: if (nt) KFREE(nt); --- 722,729 ---- error = EINVAL; break; } ! if (getlock == 1) ! RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ done: if (nt) KFREE(nt); *************** *** 831,837 **** return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); ! bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps)); if (aps->aps_data) { bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps), aps->aps_psiz); --- 839,845 ---- return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); ! 
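Review bot: With `NAT_SYSSPACE` set, `data` is read by `bcopy` as a kernel address with no copyin, so this path is safe only if `mode` can never carry that bit for a request that originates from a user ioctl. The flag values and the ioctl entry point are not in this hunk; if `mode` there is the file-flag word supplied by the OS, the entry point should clear the internal bits before calling in, along the lines of `mode &= ~(NAT_SYSSPACE|NAT_LOCKHELD);`. The same applies to `getlock`, since a caller able to set `NAT_LOCKHELD` skips `WRITE_ENTER(&ipf_nat)` in the 450 hunk. A comment at the flag definitions saying they are for in-kernel callers only would record the intent. `nat_ioctl` starts and ends outside the hunk.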
bcopy((char *)aps, (char *)ipnn->ipn_data, sizeof(*aps)); if (aps->aps_data) { bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps), aps->aps_psiz); *************** *** 1650,1660 **** { u_32_t sum1, sum2, sumd, sumd2 = 0; struct in_addr in; icmphdr_t *icmp; udphdr_t *udp; nat_t *nat; ip_t *oip; - int flags; if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) return NULL; --- 1658,1669 ---- { u_32_t sum1, sum2, sumd, sumd2 = 0; struct in_addr in; + int flags, dlen; icmphdr_t *icmp; udphdr_t *udp; + tcphdr_t *tcp; nat_t *nat; ip_t *oip; if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) return NULL; *************** *** 1673,1678 **** --- 1682,1694 ---- else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); + dlen = ip->ip_len - ((char *)udp - (char *)ip); + /* + * XXX - what if this is bogus hl and we go off the end ? + * In this case, nat_icmplookup() will have returned NULL. + */ + tcp = (tcphdr_t *)udp; + /* * Need to adjust ICMP header to include the real IP#'s and * port #'s. Only apply a checksum change relative to the *************** *** 1695,1702 **** * change in the UDP and TCP checksums require yet another * adjustment of the ICMP checksum of the ICMP error message. * - * For the moment we forget about TCP, because that checksum is not - * in the first 8 bytes, so it will not be available in most cases. */ if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { --- 1711,1716 ---- *************** *** 1754,1768 **** sumd2 = sumd; } ! #if 0 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ ! if (oip->ip_p == IPPROTO_TCP) { } #endif } else { --- 1768,1792 ---- sumd2 = sumd; } ! #if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. 
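Review bot: `dlen` is derived from `ip->ip_len`, a length the packet itself claims, and the later hunks use `dlen >= 18` to decide whether `tcp->th_sum` may be read and rewritten. `udp` and `tcp` are located with `oip->ip_hl` from the embedded header, and the added XXX comment itself asks what happens when that value is bogus. Bounding `dlen` by the amount of data actually received would be safer than trusting the header; the h323 proxy change in this same diff moved from `ip->ip_len` to `fin->fin_dlen` for a similar calculation. A named constant for 18 (offset of `th_sum` plus its two bytes) would also document the check.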
Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ ! if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate the TCP + * checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 = sumd; } #endif } else { *************** *** 1813,1827 **** sumd2 = sumd; } ! #if 0 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ ! if (oip->ip_p == IPPROTO_TCP) { }; #endif --- 1837,1861 ---- sumd2 = sumd; } ! #if 1 /* * Fix TCP pseudo header checksum to compensate for the * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ ! if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate the TCP + * checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 = sumd; }; #endif *************** *** 1829,1842 **** } if ((flags & IPN_TCPUDP) != 0) { - tcphdr_t *tcp; - - /* - * XXX - what if this is bogus hl and we go off the end ? - * In this case, nat_icmpinlookup() will have returned NULL. - */ - tcp = (tcphdr_t *)udp; - /* * Step 2 : * For offending TCP/UDP IP packets, translate the ports as --- 1863,1868 ---- *************** *** 1852,1859 **** * * To further complicate: the TCP checksum is not in the first * 8 bytes of the offending ip packet, so it most likely is not ! * available (we might have to fix that if the encounter a ! 
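Review bot: The guard `dlen >= 18` in the `--- 1768,1792 ----` hunk uses a bare number to mean "the quoted TCP header is present up to and including th_sum", and the same literal recurs in the `--- 1837,1861 ----`, `--- 1918,1944 ----` and `--- 1974,1999 ----` hunks. A named constant beside the `tcp` assignment, for example `#define TCP_SUM_END 18 /* offset of th_sum (16) + its 2 bytes */` (name constructed for this note), would keep the four checks in step. The `#if 1` / `#endif` pair that used to disable this code can be removed now that the block is live.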
* device that returns more than 8 data bytes on icmp error) */ if (nat->nat_oport == tcp->th_dport) { --- 1878,1886 ---- * * To further complicate: the TCP checksum is not in the first * 8 bytes of the offending ip packet, so it most likely is not ! * available. Some OSses like Solaris return enough bytes to ! * include the TCP checksum. So we have to check if the ! * ip->ip_len actually holds the TCP checksum of the oip! */ if (nat->nat_oport == tcp->th_dport) { *************** *** 1891,1896 **** --- 1918,1944 ---- CALC_SUMD(sum1, sum2, sumd); sumd2 += sumd; } + + /* + * Fix tcp checksum (if present) to compensate + * port adjustment. NOTE : the offending IP + * packet flows the other direction compared to + * the ICMP message. + */ + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to + * compensate TCP checksum + * adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; + } } } else { if (tcp->th_dport != nat->nat_outport) { *************** *** 1926,1931 **** --- 1974,1999 ---- CALC_SUMD(sum1, sum2, sumd); sumd2 += sumd; } + + /* + * Fix tcp checksum (if present) to compensate + * port adjustment. NOTE : the offending IP + * packet flows the other direction compared to + * the ICMP message. + */ + if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { + + sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); + sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate + * UDP checksum adjustment. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; + } } } if (sumd2) { *************** *** 2435,2441 **** csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, ! nat->nat_tcpstate, fin, 1); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT --- 2503,2509 ---- csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, ! 
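Review bot: The inner comment in the `--- 1974,1999 ----` hunk reads `Fix ICMP checksum to compensate UDP checksum adjustment.` although the block runs only for `oip->ip_p == IPPROTO_TCP` and rewrites `tcp->th_sum`; the twin block in the `--- 1918,1944 ----` hunk names TCP correctly. It should read `* Fix ICMP checksum to compensate TCP checksum adjustment.`. The enclosing `if`/`else` arms start outside both hunks.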
nat->nat_tcpstate, fin, 1, 0); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT *************** *** 2643,2649 **** csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, ! nat->nat_tcpstate, fin, 0); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT --- 2711,2717 ---- csump = &tcp->th_sum; MUTEX_ENTER(&nat->nat_lock); fr_tcp_age(&nat->nat_age, ! nat->nat_tcpstate, fin, 0, 0); if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT diff -cNr ip_fil3.4.25/ip_nat.h ip_fil3.4.26/ip_nat.h *** ip_fil3.4.25/ip_nat.h Wed Jan 2 02:10:49 2002 --- ip_fil3.4.26/ip_nat.h Sun Apr 21 02:42:05 2002 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.25 2002/01/01 15:10:49 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 276,281 **** --- 276,283 ---- (sd) = (s2) - (s1); \ (sd) = ((sd) & 0xffff) + ((sd) >> 16); } + #define NAT_SYSSPACE 0x80000000 + #define NAT_LOCKHELD 0x40000000 extern u_int ipf_nattable_sz; extern u_int ipf_natrules_sz; diff -cNr ip_fil3.4.25/ip_sfil.c ip_fil3.4.26/ip_sfil.c *** ip_fil3.4.25/ip_sfil.c Thu Dec 27 09:28:51 2001 --- ip_fil3.4.26/ip_sfil.c Fri Apr 5 18:43:25 2002 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! 
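Review bot: The NAT call site in the `--- 2503,2509 ----` hunk, and the one in the `--- 2711,2717 ----` hunk, discard the result of fr_tcp_age(), which this patch changes from `void` to `int` and which now leaves `*age` untouched and returns -1 when the flags match no transition. Before the patch the age was reset to `fr_tcptimeout` by default ahead of the state switch, so `nat->nat_age` is refreshed in fewer cases than it used to be. If that is intended, make it explicit with `(void) fr_tcp_age(&nat->nat_age, nat->nat_tcpstate, fin, 1, 0);` and a short comment; otherwise handle the -1 result. The surrounding function bodies lie outside both hunks.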
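Review bot: `NAT_SYSSPACE` and `NAT_LOCKHELD` in the `--- 276,283 ----` hunk are added without a comment, yet in nat_ioctl() they change what is trusted: `mode & NAT_SYSSPACE` swaps the `IRCOPYPTR()` copy-in for a plain `bcopy()` from `data`, and `mode & NAT_LOCKHELD` skips `WRITE_ENTER(&ipf_nat)` and the matching `RWLOCK_EXIT`. Document them as kernel-internal, e.g. `/* internal nat_ioctl() mode bits: data is a kernel address / caller already holds ipf_nat as writer; must never be set from a user ioctl */`. Whether the ioctl entry points mask these bits out of a caller-supplied `mode` is not visible in this diff and is worth confirming.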
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $"; #endif #include *************** *** 61,66 **** --- 61,67 ---- int ipl_unreach = ICMP_UNREACH_HOST; u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); + static u_long *ip_ttl_ptr; static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); *************** *** 107,112 **** --- 108,115 ---- int iplattach __P((void)) { + int i; + #ifdef IPFDEBUG cmn_err(CE_CONT, "iplattach()\n"); #endif *************** *** 133,138 **** --- 136,154 ---- return -1; if (appr_init() == -1) return -1; + + ip_ttl_ptr = NULL; + /* + * XXX - There is no terminator for this array, so it is not possible + * to tell if what we are looking for is missing and go off the end + * of the array. + */ + for (i = 0; ; i++) { + if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { + ip_ttl_ptr = &ip_param_arr[i].ip_param_value; + break; + } + } return 0; } *************** *** 774,780 **** ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ! ip->ip_ttl = 60; ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); --- 790,796 ---- ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ! ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); *************** *** 894,900 **** ip->ip_p = IPPROTO_ICMP; ip->ip_id = oip->ip_id; ip->ip_sum = 0; ! ip->ip_ttl = 60; ip->ip_tos = oip->ip_tos; ip->ip_len = (u_short)htons(sz); if (dst == 0) { --- 910,916 ---- ip->ip_p = IPPROTO_ICMP; ip->ip_id = oip->ip_id; ip->ip_sum = 0; ! 
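Review bot: The scan for `ip_def_ttl` in the `--- 136,154 ----` hunk has no exit other than a match, as its own XXX comment admits, so a table without that entry makes iplattach() walk past the end of `ip_param_arr` and hand whatever follows to strcmp(). Bound the loop with the table's real entry count, `for (i = 0; i < IPF_PARAM_MAX; i++) {` (IPF_PARAM_MAX is a placeholder, not a name from the patch), and keep the old constant as a fallback at the two users in the `--- 790,796 ----` and `--- 910,916 ----` hunks: `ip->ip_ttl = ip_ttl_ptr ? (u_char)(*ip_ttl_ptr) : 60;`. As written those two lines dereference `ip_ttl_ptr` unconditionally. iplattach() begins outside the hunk.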
ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip->ip_tos = oip->ip_tos; ip->ip_len = (u_short)htons(sz); if (dst == 0) { diff -cNr ip_fil3.4.25/ip_state.c ip_fil3.4.26/ip_state.c *** ip_fil3.4.25/ip_state.c Thu Mar 7 01:07:36 2002 --- ip_fil3.4.26/ip_state.c Mon Apr 15 22:14:03 2002 *************** *** 93,99 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.61 2002/03/06 14:07:36 darrenr Exp $"; #endif #ifndef MIN --- 93,99 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.66 2002/04/15 12:14:03 darrenr Exp $"; #endif #ifndef MIN *************** *** 123,128 **** --- 123,129 ---- static void fr_delstate __P((ipstate_t *)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t **, ipstate_t *, u_int)); + static int fr_tcpoptions __P((tcphdr_t *)); int fr_stputent __P((caddr_t)); int fr_stgetent __P((caddr_t)); void fr_stinsert __P((ipstate_t *)); *************** *** 298,304 **** if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) && !bcmp((char *)&sp->is_src, (char *)&st.is_src, sizeof(st.is_src)) && ! !bcmp((char *)&sp->is_dst, (char *)&st.is_src, sizeof(st.is_dst)) && !bcmp((char *)&sp->is_ps, (char *)&st.is_ps, sizeof(st.is_ps))) { --- 299,305 ---- if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) && !bcmp((char *)&sp->is_src, (char *)&st.is_src, sizeof(st.is_src)) && ! !bcmp((char *)&sp->is_dst, (char *)&st.is_dst, sizeof(st.is_dst)) && !bcmp((char *)&sp->is_ps, (char *)&st.is_ps, sizeof(st.is_ps))) { *************** *** 578,584 **** void *ifp; int out; ! if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT)) return NULL; if (ips_num == fr_statemax) { ips_stats.iss_max++; --- 579,586 ---- void *ifp; int out; ! if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || ! 
(fin->fin_misc & FM_BADSTATE)) return NULL; if (ips_num == fr_statemax) { ips_stats.iss_max++; *************** *** 619,624 **** --- 621,628 ---- switch (is->is_p) { + int off; + #ifdef USE_INET6 case IPPROTO_ICMPV6 : ic = (struct icmp *)fin->fin_dp; *************** *** 680,694 **** hv += is->is_dport; } is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - ! (tcp->th_off << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + ((tcp->th_flags & TH_FIN) ? 1 : 0); is->is_maxsend = is->is_send; - is->is_dend = 0; is->is_maxdwin = 1; is->is_maxswin = ntohs(tcp->th_win); if (is->is_maxswin == 0) is->is_maxswin = 1; /* * If we're creating state for a starting connection, start the * timer on it as we'll never see an error if it fails to --- 684,705 ---- hv += is->is_dport; } is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - ! (off = (tcp->th_off << 2)) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + ((tcp->th_flags & TH_FIN) ? 1 : 0); is->is_maxsend = is->is_send; is->is_maxdwin = 1; is->is_maxswin = ntohs(tcp->th_win); if (is->is_maxswin == 0) is->is_maxswin = 1; + + if ((tcp->th_flags & TH_OPENING) == TH_SYN) + is->is_fsm = 1; + + if ((tcp->th_flags & TH_SYN) && + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) + is->is_swscale = fr_tcpoptions(tcp); + /* * If we're creating state for a starting connection, start the * timer on it as we'll never see an error if it fails to *************** *** 785,791 **** is->is_me = stsave; if (is->is_p == IPPROTO_TCP) { fr_tcp_age(&is->is_age, is->is_state, fin, ! 0); /* 0 = packet from the source */ } #ifdef IPFILTER_LOG ipstate_log(is, ISL_NEW); --- 796,802 ---- is->is_me = stsave; if (is->is_p == IPPROTO_TCP) { fr_tcp_age(&is->is_age, is->is_state, fin, ! 
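Review bot: `is->is_swscale = fr_tcpoptions(tcp);` in the `--- 684,705 ----` hunk stores an `int` that is -2 whenever the SYN carries options but no window-scale option into `td_wscale`, which this patch declares as `u_char`, so the field ends up holding 254. fr_tcpstate() later runs `win <<= fdata->td_wscale;` on a `u_32_t`, and a shift count of 254 is undefined behaviour. Clamp at the assignment, e.g. `wscale = fr_tcpoptions(tcp);` followed by `is->is_swscale = (wscale > 0) ? wscale : 0;`, with an `int wscale` declared beside `off`. Separately, `off` is assigned inside the `is_send` expression but not read again in this hunk, since the new test recomputes `tcp->th_off << 2`.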
0, is->is_fsm); /* 0 = packet from the source */ } #ifdef IPFILTER_LOG ipstate_log(is, ISL_NEW); *************** *** 798,803 **** --- 809,854 ---- } + static int fr_tcpoptions(tcp) + tcphdr_t *tcp; + { + u_char *opt, *last; + int wscale; + + opt = (u_char *) (tcp + 1); + last = ((u_char *)tcp) + (tcp->th_off << 2); + + /* If we don't find wscale here, we need to clear it */ + wscale = -2; + + /* Termination condition picked such that opt[0 .. 2] exist */ + while ((opt < last - 2) && (*opt != TCPOPT_EOL)) { + switch (*opt) { + case TCPOPT_NOP: + opt++; + continue; + case TCPOPT_WSCALE: + /* Proper length ? */ + if (opt[1] == 3) { + if (opt[2] > 14) + wscale = 14; + else + wscale = opt[2]; + } + break; + default: + /* Unknown options must be two bytes+ */ + if (opt[1] < 2) + break; + opt += opt[1]; + continue; + } + break; + } + return wscale; + } + + /* * check to see if a packet with TCP headers fits within the TCP window. *************** *** 813,821 **** register tcp_seq seq, ack, end; register int ackskew; tcpdata_t *fdata, *tdata; ! u_short win, maxwin; ! int ret = 0; int source; /* * Find difference between last checked packet and this packet. --- 864,873 ---- register tcp_seq seq, ack, end; register int ackskew; tcpdata_t *fdata, *tdata; ! u_32_t win, maxwin; ! int ret = 0, off; int source; + int wscale; /* * Find difference between last checked packet and this packet. *************** *** 825,839 **** source = 0; fdata = &is->is_tcp.ts_data[!source]; tdata = &is->is_tcp.ts_data[source]; seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); win = ntohs(tcp->th_win); ! end = seq + fin->fin_dlen - (tcp->th_off << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + ((tcp->th_flags & TH_FIN) ? 1 : 0); MUTEX_ENTER(&is->is_lock); ! if (fdata->td_end == 0) { /* * Must be a (outgoing) SYN-ACK in reply to a SYN. 
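Review bot: fr_tcpoptions() in the `--- 809,854 ----` hunk derives `last` from `tcp->th_off` alone, and neither caller compares that offset with the bytes actually present, so a segment claiming a longer header than it carries lets the option scan read beyond the packet unless a check outside this diff already rejects it. Adding `&& (off <= fin->fin_dlen)` to the test in fr_tcpstate(), and the equivalent condition in fr_addstate(), closes that gap. The function also needs a header comment for its return values: -2 means no window-scale option was found, 0..14 is the clamped shift, and fr_tcpstate() uses -1 locally for "options not parsed".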
*/ --- 877,905 ---- source = 0; fdata = &is->is_tcp.ts_data[!source]; tdata = &is->is_tcp.ts_data[source]; + off = tcp->th_off << 2; seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); win = ntohs(tcp->th_win); ! end = seq + fin->fin_dlen - off + ((tcp->th_flags & TH_SYN) ? 1 : 0) + ((tcp->th_flags & TH_FIN) ? 1 : 0); + + if ((tcp->th_flags & TH_SYN) && (off >= sizeof(*tcp) + 4)) + wscale = fr_tcpoptions(tcp); + else + wscale = -1; + MUTEX_ENTER(&is->is_lock); ! ! if (wscale >= 0) ! fdata->td_wscale = wscale; ! else if (wscale == -2) ! fdata->td_wscale = tdata->td_wscale = 0; ! ! if ((fdata->td_end == 0) && ! (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { /* * Must be a (outgoing) SYN-ACK in reply to a SYN. */ *************** *** 853,858 **** --- 919,925 ---- if (seq == end) seq = end = fdata->td_end; + win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; *************** *** 878,906 **** * Thus, when ackskew is negative but still seems to belong * to this session, we bump up the destinations end value. */ - if (ackskew < 0) - tdata->td_end = ack; - - /* update max window seen */ - if (fdata->td_maxwin < win) - fdata->td_maxwin = win; - if (SEQ_GT(end, fdata->td_end)) - fdata->td_end = end; - if (SEQ_GE(ack + win, tdata->td_maxend)) { - tdata->td_maxend = ack + win; - if (win == 0) - tdata->td_maxend++; - } - - ATOMIC_INCL(ips_stats.iss_hits); /* * Nearing end of connection, start timeout. */ /* source ? 0 : 1 -> !source */ ! fr_tcp_age(&is->is_age, is->is_state, fin, !source); ! ret = 1; } MUTEX_EXIT(&is->is_lock); return ret; } --- 945,977 ---- * Thus, when ackskew is negative but still seems to belong * to this session, we bump up the destinations end value. */ /* * Nearing end of connection, start timeout. */ /* source ? 0 : 1 -> !source */ ! if (fr_tcp_age(&is->is_age, is->is_state, fin, !source, ! (int)is->is_fsm) == 0) { ! if (ackskew < 0) ! tdata->td_end = ack; ! ! /* update max window seen */ ! 
if (fdata->td_maxwin < win) ! fdata->td_maxwin = win; ! if (SEQ_GT(end, fdata->td_end)) ! fdata->td_end = end; ! if (SEQ_GE(ack + win, tdata->td_maxend)) { ! tdata->td_maxend = ack + win; ! if (win == 0) ! tdata->td_maxend++; ! } ! ! ATOMIC_INCL(ips_stats.iss_hits); ! ret = 1; ! } } MUTEX_EXIT(&is->is_lock); + if ((ret == 0) && (tcp->th_flags != TH_SYN)) + fin->fin_misc |= FM_BADSTATE; return ret; } *************** *** 1079,1087 **** register ipstate_t *is, **isp; register u_short sport, dport; register u_char pr; union i6addr dst, src; struct icmp *ic; - u_short savelen; icmphdr_t *icmp; fr_info_t ofin; int type, len; --- 1150,1158 ---- register ipstate_t *is, **isp; register u_short sport, dport; register u_char pr; + u_short savelen, ohlen; union i6addr dst, src; struct icmp *ic; icmphdr_t *icmp; fr_info_t ofin; int type, len; *************** *** 1110,1123 **** return NULL; oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN); ! if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) return NULL; /* * Sanity checks. */ len = fin->fin_dlen - ICMPERR_ICMPHLEN; ! if ((len <= 0) || ((oip->ip_hl << 2) > len)) return NULL; /* --- 1181,1195 ---- return NULL; oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN); ! ohlen = oip->ip_hl << 2; ! if (fin->fin_plen < ICMPERR_MAXPKTLEN + ohlen - sizeof(*oip)) return NULL; /* * Sanity checks. */ len = fin->fin_dlen - ICMPERR_ICMPHLEN; ! if ((len <= 0) || (ohlen > len)) return NULL; /* *************** *** 1157,1163 **** switch (oip->ip_p) { case IPPROTO_ICMP : ! icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2)); /* * a ICMP error can only be generated as a result of an --- 1229,1235 ---- switch (oip->ip_p) { case IPPROTO_ICMP : ! icmp = (icmphdr_t *)((char *)oip + ohlen); /* * a ICMP error can only be generated as a result of an *************** *** 1187,1193 **** savelen = oip->ip_len; oip->ip_len = len; ofin.fin_v = 4; ! 
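Review bot: The sanity check `if ((len <= 0) || (ohlen > len))` in the `--- 1181,1195 ----` hunk rejects a quoted header that is too long but not one that is too short: `ohlen` comes from `oip->ip_hl << 2` and nothing in the hunk requires it to be at least `sizeof(*oip)`. With `ip_hl` below 5 the later `(char *)oip + ohlen` pointers used for `icmp` and `tcp` land inside the quoted IP header, and `ICMPERR_MAXPKTLEN + ohlen - sizeof(*oip)` is evaluated with a smaller-than-expected operand. Suggested: `if ((len <= 0) || (ohlen < sizeof(*oip)) || (ohlen > len))`. The function begins and ends outside the hunk, so an earlier check may exist that is not visible here.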
fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; --- 1259,1265 ---- savelen = oip->ip_len; oip->ip_len = len; ofin.fin_v = 4; ! fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; *************** *** 1209,1220 **** case IPPROTO_TCP : case IPPROTO_UDP : break; default : return NULL; } ! tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); dport = tcp->th_dport; sport = tcp->th_sport; --- 1281,1294 ---- case IPPROTO_TCP : case IPPROTO_UDP : + if (fin->fin_plen < ICMPERR_MAXPKTLEN) + return NULL; break; default : return NULL; } ! tcp = (tcphdr_t *)((char *)oip + ohlen); dport = tcp->th_dport; sport = tcp->th_sport; *************** *** 1239,1245 **** savelen = oip->ip_len; oip->ip_len = len; ofin.fin_v = 4; ! fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; --- 1313,1319 ---- savelen = oip->ip_len; oip->ip_len = len; ofin.fin_v = 4; ! fr_makefrip(ohlen, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; *************** *** 1481,1489 **** fr_matchsrcdst(is, src, dst, fin, tcp)) { rev = fin->fin_rev; if ((pr == IPPROTO_TCP)) { ! if (!fr_tcpstate(is, fin, ip, tcp)) { ! continue; ! } } else if ((pr == IPPROTO_UDP)) { if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; --- 1555,1562 ---- fr_matchsrcdst(is, src, dst, fin, tcp)) { rev = fin->fin_rev; if ((pr == IPPROTO_TCP)) { ! if (!fr_tcpstate(is, fin, ip, tcp)) ! is = NULL; } else if ((pr == IPPROTO_UDP)) { if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; *************** *** 1504,1509 **** --- 1577,1583 ---- } break; } + RWLOCK_EXIT(&ipf_state); if (!tryagain && ips_wild) { hv -= dport; *************** *** 1703,1717 **** * dir == 1 : a packet from dest to source * */ ! void fr_tcp_age(age, state, fin, dir) u_long *age; u_char *state; fr_info_t *fin; ! 
int dir; { tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; u_char flags = tcp->th_flags; int dlen, ostate; ostate = state[1 - dir]; --- 1777,1792 ---- * dir == 1 : a packet from dest to source * */ ! int fr_tcp_age(age, state, fin, dir, fsm) u_long *age; u_char *state; fr_info_t *fin; ! int dir, fsm; { tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; u_char flags = tcp->th_flags; int dlen, ostate; + u_long newage; ostate = state[1 - dir]; *************** *** 1725,1734 **** *age = fr_tcpclosewait; state[dir] = TCPS_CLOSE_WAIT; } ! return; } ! *age = fr_tcptimeout; /* default 4 mins */ switch(state[dir]) { --- 1800,1809 ---- *age = fr_tcpclosewait; state[dir] = TCPS_CLOSE_WAIT; } ! return 0; } ! newage = 0; switch(state[dir]) { *************** *** 1739,1749 **** * CLOSED -> SYN_RECEIVED */ state[dir] = TCPS_SYN_RECEIVED; ! *age = fr_tcptimeout; ! } else if ((flags & (TH_SYN|TH_ACK)) == TH_SYN) { /* 'dir' sent S, CLOSED -> SYN_SENT */ state[dir] = TCPS_SYN_SENT; ! *age = fr_tcptimeout; } /* * The next piece of code makes it possible to get --- 1814,1824 ---- * CLOSED -> SYN_RECEIVED */ state[dir] = TCPS_SYN_RECEIVED; ! newage = fr_tcptimeout; ! } else if ((flags & TH_OPENING) == TH_SYN) { /* 'dir' sent S, CLOSED -> SYN_SENT */ state[dir] = TCPS_SYN_SENT; ! newage = fr_tcptimeout; } /* * The next piece of code makes it possible to get *************** *** 1752,1763 **** * does not work when a strict 'flags S keep state' is * used for tcp connections of course */ ! if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) { /* we saw an A, guess 'dir' is in ESTABLISHED mode */ if (state[1 - dir] == TCPS_CLOSED || state[1 - dir] == TCPS_ESTABLISHED) { state[dir] = TCPS_ESTABLISHED; ! *age = fr_tcpidletimeout; } } /* --- 1827,1838 ---- * does not work when a strict 'flags S keep state' is * used for tcp connections of course */ ! 
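Review bot: The block comment above fr_tcp_age() in the `--- 1777,1792 ----` hunk still describes only `dir`, while the signature gains an `fsm` parameter and an `int` result. Extend it with lines such as `* fsm != 0 : only accept flag combinations that follow the TCP state machine` and `* returns 0 if the packet was accepted and *age updated, -1 otherwise`. The wording for `fsm` is inferred from the `!fsm &&` test in the `--- 1827,1838 ----` hunk and should be confirmed by the author.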
if (!fsm && (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) { /* we saw an A, guess 'dir' is in ESTABLISHED mode */ if (state[1 - dir] == TCPS_CLOSED || state[1 - dir] == TCPS_ESTABLISHED) { state[dir] = TCPS_ESTABLISHED; ! newage = fr_tcpidletimeout; } } /* *************** *** 1772,1785 **** break; case TCPS_SYN_SENT: /* 2 */ ! if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) { /* * We see an A from 'dir' which is in SYN_SENT * state: 'dir' sent an A in response to an SA * which it received, SYN_SENT -> ESTABLISHED */ state[dir] = TCPS_ESTABLISHED; ! *age = fr_tcpidletimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_SENT --- 1847,1870 ---- break; case TCPS_SYN_SENT: /* 2 */ ! if (flags == TH_SYN) { ! /* ! * A retransmitted SYN packet. We do not reset the ! * timeout here to fr_tcptimeout because a connection ! * connect timeout does not renew after every packet ! * that is sent. We need to set newage to something ! * to indicate the packet has passed the check for its ! * flags being valid in the TCP FSM. ! */ ! newage = *age; ! } else if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) { /* * We see an A from 'dir' which is in SYN_SENT * state: 'dir' sent an A in response to an SA * which it received, SYN_SENT -> ESTABLISHED */ state[dir] = TCPS_ESTABLISHED; ! newage = fr_tcpidletimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_SENT *************** *** 1787,1793 **** * connection; SYN_SENT -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcpidletimeout; /* or fr_tcptimeout? */ } else if ((flags & TH_OPENING) == TH_OPENING) { /* * We see an SA from 'dir' which is already in --- 1872,1878 ---- * connection; SYN_SENT -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! newage = fr_tcpidletimeout; /* or fr_tcptimeout? 
*/ } else if ((flags & TH_OPENING) == TH_OPENING) { /* * We see an SA from 'dir' which is already in *************** *** 1795,1801 **** * simultaneous open; SYN_SENT -> SYN_RECEIVED */ state[dir] = TCPS_SYN_RECEIVED; ! *age = fr_tcptimeout; } break; --- 1880,1886 ---- * simultaneous open; SYN_SENT -> SYN_RECEIVED */ state[dir] = TCPS_SYN_RECEIVED; ! newage = fr_tcptimeout; } break; *************** *** 1807,1813 **** * SYN_RECEIVED -> ESTABLISHED */ state[dir] = TCPS_ESTABLISHED; ! *age = fr_tcpidletimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_RECEIVED --- 1892,1898 ---- * SYN_RECEIVED -> ESTABLISHED */ state[dir] = TCPS_ESTABLISHED; ! newage = fr_tcpidletimeout; } else if (flags & TH_FIN) { /* * We see an F from 'dir' which is in SYN_RECEIVED *************** *** 1815,1821 **** * SYN_RECEIVED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcpidletimeout; } break; --- 1900,1906 ---- * SYN_RECEIVED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! newage = fr_tcpidletimeout; } break; *************** *** 1827,1833 **** * ESTABLISHED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! *age = fr_tcphalfclosed; } else if (flags & TH_ACK) { /* an ACK, should we exclude other flags here? */ if (ostate == TCPS_FIN_WAIT_1) { --- 1912,1918 ---- * ESTABLISHED -> FIN_WAIT_1 */ state[dir] = TCPS_FIN_WAIT_1; ! newage = fr_tcphalfclosed; } else if (flags & TH_ACK) { /* an ACK, should we exclude other flags here? */ if (ostate == TCPS_FIN_WAIT_1) { *************** *** 1839,1851 **** * a half-closed connection */ state[dir] = TCPS_CLOSE_WAIT; ! *age = fr_tcphalfclosed; } else if (ostate < TCPS_CLOSE_WAIT) /* * Still a fully established connection, * reset timeout */ ! *age = fr_tcpidletimeout; } break; --- 1924,1936 ---- * a half-closed connection */ state[dir] = TCPS_CLOSE_WAIT; ! newage = fr_tcphalfclosed; } else if (ostate < TCPS_CLOSE_WAIT) /* * Still a fully established connection, * reset timeout */ ! 
newage = fr_tcpidletimeout; } break; *************** *** 1855,1861 **** * Application closed and 'dir' sent a FIN, we're now * going into LAST_ACK state */ ! *age = fr_tcplastack; state[dir] = TCPS_LAST_ACK; } else { /* --- 1940,1946 ---- * Application closed and 'dir' sent a FIN, we're now * going into LAST_ACK state */ ! newage = fr_tcplastack; state[dir] = TCPS_LAST_ACK; } else { /* *************** *** 1863,1869 **** * closed already and we did not close our side yet; * reset timeout */ ! *age = fr_tcphalfclosed; } break; --- 1948,1954 ---- * closed already and we did not close our side yet; * reset timeout */ ! newage = fr_tcphalfclosed; } break; *************** *** 1880,1893 **** * packet here? does the window code guarantee that? */ state[dir] = TCPS_TIME_WAIT; ! *age = fr_tcptimeout; } else /* * We closed our side of the connection already but the * other side is still active (ESTABLISHED/CLOSE_WAIT); * continue with this half-closed connection */ ! *age = fr_tcphalfclosed; break; case TCPS_CLOSING: /* 7 */ --- 1965,1978 ---- * packet here? does the window code guarantee that? */ state[dir] = TCPS_TIME_WAIT; ! newage = fr_tcptimeout; } else /* * We closed our side of the connection already but the * other side is still active (ESTABLISHED/CLOSE_WAIT); * continue with this half-closed connection */ ! newage = fr_tcphalfclosed; break; case TCPS_CLOSING: /* 7 */ *************** *** 1901,1907 **** * There is still data to be delivered, reset * timeout */ ! *age = fr_tcplastack; } /* * We cannot detect when we go out of LAST_ACK state to CLOSED --- 1986,1992 ---- * There is still data to be delivered, reset * timeout */ ! 
newage = fr_tcplastack; } /* * We cannot detect when we go out of LAST_ACK state to CLOSED *************** *** 1916,1924 **** --- 2001,2016 ---- break; case TCPS_TIME_WAIT: /* 10 */ + newage = fr_tcptimeout; /* default 4 mins */ /* we're in 2MSL timeout now */ break; } + + if (newage != 0) { + *age = newage; + return 0; + } + return -1; } *************** *** 2068,2075 **** --- 2160,2173 ---- hv = (pr = oip->ip6_nxt); src.in6 = oip->ip6_src; hv += src.in4.s_addr; + hv += src.i6[1]; + hv += src.i6[2]; + hv += src.i6[3]; dst.in6 = oip->ip6_dst; hv += dst.in4.s_addr; + hv += dst.i6[1]; + hv += dst.i6[2]; + hv += dst.i6[3]; hv += dport; hv += sport; hv %= fr_statesize; diff -cNr ip_fil3.4.25/ip_state.h ip_fil3.4.26/ip_state.h *** ip_fil3.4.25/ip_state.h Thu Mar 7 01:07:38 2002 --- ip_fil3.4.26/ip_state.h Mon Mar 25 22:14:55 2002 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.10 2002/03/06 14:07:38 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 42,48 **** typedef struct tcpdata { u_32_t td_end; u_32_t td_maxend; ! u_short td_maxwin; } tcpdata_t; typedef struct tcpstate { --- 42,49 ---- typedef struct tcpdata { u_32_t td_end; u_32_t td_maxend; ! u_32_t td_maxwin; ! u_char td_wscale; } tcpdata_t; typedef struct tcpstate { *************** *** 58,77 **** struct ipstate *is_hnext; struct ipstate **is_phnext; struct ipstate **is_me; ! u_long is_age; ! u_int is_frage[2]; /* age from filter rule, forward & reverse */ ! u_int is_pass; U_QUAD_T is_pkts; U_QUAD_T is_bytes; - void *is_ifp[4]; - frentry_t *is_rule; union i6addr is_src; union i6addr is_dst; u_char is_p; /* Protocol */ ! 
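Review bot: Every case that leaves `newage` at 0 now ends in the `return -1;` added by the `--- 2001,2016 ----` hunk, and fr_tcpstate() turns that result into a failed match plus `FM_BADSTATE`. TIME_WAIT gets an explicit `newage = fr_tcptimeout;` here, but the LAST_ACK case in the `--- 1986,1992 ----` hunk assigns `newage` only inside its `if`, so packets that miss that condition are rejected where the old code accepted them with the default timeout. If rejection is intended, say so on the last line, `return -1; /* no valid transition for these flags in this state */`. Using 0 as the sentinel also means `newage = *age;` in the SYN_SENT case reports failure when `*age` is already 0.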
u_char is_v; ! u_int is_hv; u_32_t is_rulen; /* rule number */ ! u_32_t is_flags; u_32_t is_opt; /* packet options set */ u_32_t is_optmsk; /* " " mask */ u_short is_sec; /* security options set */ --- 59,80 ---- struct ipstate *is_hnext; struct ipstate **is_phnext; struct ipstate **is_me; ! frentry_t *is_rule; U_QUAD_T is_pkts; U_QUAD_T is_bytes; union i6addr is_src; union i6addr is_dst; + void *is_ifp[4]; + u_long is_age; + u_int is_frage[2]; /* age from filter rule, forward & reverse */ + u_int is_pass; u_char is_p; /* Protocol */ ! u_char is_v; /* IP version */ ! u_char is_fsm; /* 1 = following FSM, 0 = not */ ! u_char is_xxx; /* pad */ ! u_int is_hv; /* hash value for this in the table */ u_32_t is_rulen; /* rule number */ ! u_32_t is_flags; /* flags for this structure */ u_32_t is_opt; /* packet options set */ u_32_t is_optmsk; /* " " mask */ u_short is_sec; /* security options set */ *************** *** 100,105 **** --- 103,110 ---- #define is_dend is_tcp.ts_data[1].td_end #define is_maxswin is_tcp.ts_data[0].td_maxwin #define is_maxdwin is_tcp.ts_data[1].td_maxwin + #define is_swscale is_tcp.ts_data[0].td_wscale + #define is_dwscale is_tcp.ts_data[1].td_wscale #define is_maxsend is_tcp.ts_data[0].td_maxend #define is_maxdend is_tcp.ts_data[1].td_maxend #define is_sport is_tcp.ts_sport *************** *** 191,197 **** extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); extern void ip_statesync __P((void *)); extern void fr_timeoutstate __P((void)); ! extern void fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_int)); #if defined(__NetBSD__) || defined(__OpenBSD__) --- 196,202 ---- extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); extern void ip_statesync __P((void *)); extern void fr_timeoutstate __P((void)); ! 
extern int fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int, int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_int)); #if defined(__NetBSD__) || defined(__OpenBSD__) diff -cNr ip_fil3.4.25/ipf.c ip_fil3.4.26/ipf.c *** ip_fil3.4.25/ipf.c Sat Feb 23 02:32:53 2002 --- ip_fil3.4.26/ipf.c Wed Apr 10 14:56:36 2002 *************** *** 50,56 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $"; #endif #if SOLARIS --- 50,56 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $"; #endif #if SOLARIS *************** *** 225,231 **** if (ioctl(fd, SIOCFRENB, &enable) == -1) { if (errno == EBUSY) fprintf(stderr, ! "IP FIlter: already initialized\n"); else perror("SIOCFRENB"); } --- 225,231 ---- if (ioctl(fd, SIOCFRENB, &enable) == -1) { if (errno == EBUSY) fprintf(stderr, ! "IP Filter: already initialized\n"); else perror("SIOCFRENB"); } diff -cNr ip_fil3.4.25/ipfs.c ip_fil3.4.26/ipfs.c *** ip_fil3.4.25/ipfs.c Sat Sep 15 04:52:21 2001 --- ip_fil3.4.26/ipfs.c Thu Apr 18 03:42:59 2002 *************** *** 45,51 **** #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR --- 45,51 ---- #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR *************** *** 208,214 **** int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0; char *dirname = NULL, *filename = NULL, *ifs = NULL; ! 
while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1) switch (c) { case 'd' : --- 208,214 ---- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0; char *dirname = NULL, *filename = NULL, *ifs = NULL; ! while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1) switch (c) { case 'd' : diff -cNr ip_fil3.4.25/ipl.h ip_fil3.4.26/ipl.h *** ip_fil3.4.25/ipl.h Wed Mar 13 14:57:42 2002 --- ip_fil3.4.26/ipl.h Wed Apr 24 00:59:13 2002 *************** *** 4,15 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.31 2002/03/13 03:57:42 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.25" #endif --- 4,15 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.32 2002/04/23 14:59:13 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.26" #endif diff -cNr ip_fil3.4.25/ipmon.c ip_fil3.4.26/ipmon.c *** ip_fil3.4.25/ipmon.c Wed Mar 13 14:30:18 2002 --- ip_fil3.4.26/ipmon.c Fri Mar 22 21:27:16 2002 *************** *** 68,74 **** #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.32 2002/03/13 03:30:18 darrenr Exp $"; #endif --- 68,74 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $"; #endif diff -cNr ip_fil3.4.25/ipsend/ipsend.c ip_fil3.4.26/ipsend/ipsend.c *** ip_fil3.4.25/ipsend/ipsend.c Sat Feb 23 02:32:57 2002 --- ip_fil3.4.26/ipsend/ipsend.c Wed Apr 24 00:58:57 2002 *************** *** 31,41 **** #include #endif #include "ipsend.h" - #include "ipf.h" #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.4 2002/02/22 15:32:57 darrenr Exp $"; #endif --- 31,40 ---- #include #endif #include "ipsend.h" #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp $"; #endif diff -cNr ip_fil3.4.25/ipt.c ip_fil3.4.26/ipt.c *** ip_fil3.4.25/ipt.c Mon Mar 11 14:30:51 2002 --- ip_fil3.4.26/ipt.c Wed Mar 27 02:54:40 2002 *************** *** 13,18 **** --- 13,19 ---- # endif #endif #ifdef __sgi + # define _KMEMUSER # include #endif #include *************** *** 63,69 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $"; #endif extern char *optarg; --- 64,70 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $"; #endif extern char *optarg; *************** *** 113,122 **** while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1) switch (c) { - #ifdef USE_INET6 case '6' : use_inet6 = 1; break; #endif case 'b' : opts |= OPT_BRIEF; --- 114,126 ---- while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1) switch (c) { case '6' : + #ifdef USE_INET6 use_inet6 = 1; break; + #else + fprintf(stderr, "IPv6 not supported\n"); + exit(1); #endif case 'b' : opts |= OPT_BRIEF; diff -cNr ip_fil3.4.25/kmem.c ip_fil3.4.26/kmem.c *** ip_fil3.4.25/kmem.c Wed Mar 6 20:44:16 2002 --- ip_fil3.4.26/kmem.c Thu Apr 18 03:44:44 2002 *************** *** 46,63 **** #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $"; #endif ! #ifndef __sgi ! static kvm_t *kvm_f = NULL; ! ! #else ! ! 
typedef int kvm_t; ! ! static kvm_t kvm_f = -1; static char *kvm_errstr; kvm_t kvm_open(kernel, core, swap, mode, errstr) --- 46,58 ---- #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $"; #endif ! #ifdef __sgi ! typedef int kvm_t; ! static int kvm_fd = -1; static char *kvm_errstr; kvm_t kvm_open(kernel, core, swap, mode, errstr) *************** *** 65,76 **** int mode; char *errstr; { - kvm_t fd; - kvm_errstr = errstr; ! fd = open(core, mode); ! return fd; } int kvm_read(kvm, pos, buffer, size) --- 60,71 ---- int mode; char *errstr; { kvm_errstr = errstr; ! if (core == NULL) ! core = "/dev/kmem"; ! kvm_fd = open(core, mode); ! return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; } int kvm_read(kvm, pos, buffer, size) *************** *** 82,102 **** int r, left; char *bufp; ! if (lseek(kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); perror("lseek"); return -1; } for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) { ! r = read(kvm, bufp, 1); if (r <= 0) return -1; } ! return 0; } #endif int openkmem(kern, core) char *kern, *core; --- 77,98 ---- int r, left; char *bufp; ! if (lseek(*kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); perror("lseek"); return -1; } for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) { ! r = read(*kvm, bufp, 1); if (r <= 0) return -1; } ! return size; } #endif + static kvm_t *kvm_f = NULL; int openkmem(kern, core) char *kern, *core; diff -cNr ip_fil3.4.25/l4check/l4check.c ip_fil3.4.26/l4check/l4check.c *** ip_fil3.4.25/l4check/l4check.c Thu Mar 9 01:10:07 2000 --- ip_fil3.4.26/l4check/l4check.c Thu Apr 18 03:43:43 2002 *************** *** 141,147 **** l4cfg_t *l4; int dead; { ! close(l4->l4_fd); l4->l4_fd = -1; l4->l4_rw = -1; if (dead && l4->l4_alive) { --- 141,148 ---- l4cfg_t *l4; int dead; { ! if (l4->l4_fd != -1) ! 
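Review bot: In kvm_open the new return statement casts the address of `kvm_fd` to `kvm_t`, which the preceding hunk keeps as `typedef int kvm_t`, so on an ABI where a pointer is wider than an int the handle is truncated before kvm_read dereferences it with `*kvm`. The signature line sits outside this hunk and, as shown in the previous hunk's context, still reads `kvm_t kvm_open(...)`. Declaring it `kvm_t *kvm_open(...)` and returning `(kvm_fd >= 0) ? &kvm_fd : NULL` keeps the pointer intact and matches the `static kvm_t *kvm_f` that the next hunk moves outside the `#ifdef`.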
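Review bot: The loop in kvm_read still calls `read(*kvm, bufp, 1)`, one system call per byte, although it already advances by `r` and so tolerates short reads; `r = read(*kvm, bufp, left);` does the same work in far fewer calls. `*kvm` is also dereferenced without a check, so a caller that passes on the NULL which kvm_open now returns on failure would fault here; the callers are outside the hunk, so confirm they test the handle first. The success return changes from 0 to `size`, which any caller comparing the result with 0 would need to follow. The parameter declarations of kvm_read are outside the hunk.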
close(l4->l4_fd); l4->l4_fd = -1; l4->l4_rw = -1; if (dead && l4->l4_alive) { *************** *** 307,313 **** if (opts & OPT_VERBOSE) fprintf(stderr, "failed\n"); perror("connect"); ! close(fd); fd = -1; } else { if (opts & OPT_VERBOSE) --- 308,314 ---- if (opts & OPT_VERBOSE) fprintf(stderr, "failed\n"); perror("connect"); ! closel4(l4, 1); fd = -1; } else { if (opts & OPT_VERBOSE) diff -cNr ip_fil3.4.25/man/ipmon.8 ip_fil3.4.26/man/ipmon.8 *** ip_fil3.4.25/man/ipmon.8 Wed Mar 6 19:33:50 2002 --- ip_fil3.4.26/man/ipmon.8 Tue Mar 26 01:58:38 2002 *************** *** 46,52 **** 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be viewed with \fBipfstat -n\fP. .LP ! 5. The action: \fBp\fP for passed or \fBb\fP for blocked. .LP 6. The addresses. This is actually three fields: the source address and port --- 46,53 ---- 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be viewed with \fBipfstat -n\fP. .LP ! 5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short ! packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. .LP 6. The addresses. This is actually three fields: the source address and port diff -cNr ip_fil3.4.25/man/ipnat.5 ip_fil3.4.26/man/ipnat.5 *** ip_fil3.4.25/man/ipnat.5 Thu Jan 10 00:12:40 2002 --- ip_fil3.4.26/man/ipnat.5 Thu Apr 25 03:19:22 2002 *************** *** 7,14 **** .nf ipmap :: = mapblock | redir | map . ! map ::= mapit ifname ipmask "->" ipmask [ mapport ] . ! map ::= mapit ifname fromto "->" ipmask [ mapport ] . mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options . --- 7,14 ---- .nf ipmap :: = mapblock | redir | map . ! map ::= mapit ifname ipmask "->" dstipmask [ mapport ] . ! map ::= mapit ifname fromto "->" dstipmask [ mapport ] . mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options . 
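Review bot: On the connect() failure path `closel4(l4, 1)` closes `l4->l4_fd`, not the local `fd` that the removed `close(fd)` released, so if `l4->l4_fd` has not been set to `fd` before this point the new socket is leaked on every failed probe. The assignment is not visible in the hunk, and the enclosing function starts and ends outside it, so this needs checking against the full source. If the descriptor is stored in `l4` only after a successful connect, keep `close(fd);` ahead of `closel4(l4, 1);`.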
*************** *** 18,23 **** --- 18,24 ---- mapit ::= "map" | "bimap" . fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . + dstipmask ::= ipmask | "range" ip "-" ip . mapport ::= "portmap" tcpudp portnumber ":" portnumber . options ::= [ tcpudp ] [ rr ] . *************** *** 33,38 **** --- 34,43 ---- numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . .fi + .PP + In addition to this, # is used to mark the start of a comment and may + appear at the end of a line with a NAT rule (as described above) or on its + own lines. Blank lines are ignored. .PP For standard NAT functionality, a rule should start with \fBmap\fP and then proceeds to specify the interface for which outgoing packets will have their diff -cNr ip_fil3.4.25/mlf_ipl.c ip_fil3.4.26/mlf_ipl.c *** ip_fil3.4.25/mlf_ipl.c Tue Aug 28 07:14:03 2001 --- ip_fil3.4.26/mlf_ipl.c Thu Apr 4 00:31:57 2002 *************** *** 12,34 **** #include #if defined(__FreeBSD__) # ifdef IPFILTER_LKM - # ifndef __FreeBSD_cc_version - # include - # else - # if __FreeBSD_cc_version < 430000 - # include - # endif - # endif # define ACTUALLY_LKM_NOT_KERNEL - # else - # ifndef __FreeBSD_cc_version - # include - # else - # if __FreeBSD_cc_version < 430000 - # include - # endif - # endif # endif #endif #include --- 12,22 ---- #include #if defined(__FreeBSD__) + # ifndef __FreeBSD_version + # include + # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL # endif #endif #include diff -cNr ip_fil3.4.25/mls_ipl.c ip_fil3.4.26/mls_ipl.c *** ip_fil3.4.25/mls_ipl.c Tue Jun 26 20:43:20 2001 --- ip_fil3.4.26/mls_ipl.c Wed Apr 10 15:05:54 2002 *************** *** 40,46 **** #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $"; #endif extern int ipldetach __P((void)); --- 40,46 ---- #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $"; #endif extern int ipldetach __P((void)); *************** *** 49,54 **** --- 49,55 ---- #endif extern int nulldev __P((void)); extern int errno; + extern int iplidentify __P((char *)); extern int nodev __P((void)); diff -cNr ip_fil3.4.25/natparse.c ip_fil3.4.26/natparse.c *** ip_fil3.4.25/natparse.c Sat Feb 23 02:32:55 2002 --- ip_fil3.4.26/natparse.c Thu Apr 25 03:30:51 2002 *************** *** 56,62 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $"; #endif --- 56,62 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $"; #endif *************** *** 394,408 **** cpp++; if (ipn.in_redir & NAT_MAPBLK) { - if (*cpp && strcasecmp(*cpp, "ports")) { - fprintf(stderr, - "%d: expected \"ports\" - got \"%s\"\n", - linenum, *cpp); - return NULL; - } - cpp++; if (*cpp) { ! ipn.in_pmin = atoi(*cpp); cpp++; } else ipn.in_pmin = 0; --- 394,417 ---- cpp++; if (ipn.in_redir & NAT_MAPBLK) { if (*cpp) { ! if (strcasecmp(*cpp, "ports")) { ! fprintf(stderr, ! "%d: expected \"ports\" - got \"%s\"\n", ! linenum, *cpp); ! return NULL; ! } ! cpp++; ! if (*cpp == NULL) { ! fprintf(stderr, ! "%d: missing argument to \"ports\"\n", ! linenum); ! return NULL; ! } ! if (!strcasecmp(*cpp, "auto")) ! ipn.in_flags |= IPN_AUTOPORTMAP; ! else ! 
ipn.in_pmin = atoi(*cpp); cpp++; } else ipn.in_pmin = 0; *************** *** 483,488 **** --- 492,501 ---- ipn.in_p = atoi(proto); } } + if ((ipn.in_flags & IPN_TCPUDP) == 0) { + port1a = "0"; + port2a = "0"; + } if (*cpp && !strcasecmp(*cpp, "round-robin")) { cpp++; *************** *** 548,554 **** if ((ipn.in_redir & NAT_MAPBLK) != 0) nat_setgroupmap(&ipn); ! if (*cpp && !strcasecmp(*cpp, "frag")) { cpp++; ipn.in_flags |= IPN_FRAG; } --- 561,567 ---- if ((ipn.in_redir & NAT_MAPBLK) != 0) nat_setgroupmap(&ipn); ! if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) { cpp++; ipn.in_flags |= IPN_FRAG; } *************** *** 618,629 **** (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); cpp++; - if (*cpp) { - fprintf(stderr, - "%d: too many parameters for \"proxy\"\n", - linenum); - return NULL; - } } else if (!strcasecmp(*cpp, "portmap")) { if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use portmap with bimap\n", --- 631,636 ---- *************** *** 683,688 **** --- 690,700 ---- } } + if (*cpp && !strcasecmp(*cpp, "frag")) { + cpp++; + ipn.in_flags |= IPN_FRAG; + } + if (*cpp && !strcasecmp(*cpp, "age")) { cpp++; if (!*cpp) { *************** *** 690,695 **** --- 702,708 ---- linenum); return NULL; } + ipn.in_age[0] = atoi(*cpp); s = index(*cpp, '/'); if (s != NULL) ipn.in_age[1] = atoi(s + 1); diff -cNr ip_fil3.4.25/printnat.c ip_fil3.4.26/printnat.c *** ip_fil3.4.25/printnat.c Sat Feb 23 02:32:56 2002 --- ip_fil3.4.26/printnat.c Thu Apr 25 03:35:37 2002 *************** *** 58,64 **** #endif #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $"; #endif --- 58,64 ---- #endif #if !defined(lint) ! 
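Review bot: The `ports` argument is converted with `ipn.in_pmin = atoi(*cpp);`, which turns any non-numeric word other than `auto` into 0 and accepts negative or overflowing input without a diagnostic, so a mistyped rule is loaded as `ports 0` instead of being rejected with its line number like the other errors in this block. The same applies to `ipn.in_age[0] = atoi(*cpp);` added in the later `age` hunk of this file. Parsing with `strtol(*cpp, &end, 10)` and returning NULL with a `linenum` message when no digits were consumed (`end == *cpp`) or the value is negative would make both reject bad input. The enclosing function starts and ends outside the hunk.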
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.7 2002/04/24 17:35:37 darrenr Exp $"; #endif *************** *** 298,303 **** --- 298,306 ---- struct servent *sv; int bits; + if (np->in_p != 0) + pr = getprotobynumber(np->in_p); + switch (np->in_redir) { case NAT_REDIRECT : *************** *** 372,383 **** printf(" udp"); else if (np->in_p == 0) printf(" ip"); ! else if (np->in_p != 0) ! printf(" %d", np->in_p); if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) printf(" frag"); printf("\n"); if (opts & OPT_DEBUG) printf("\tspc %lu flg %#x max %u use %d\n", --- 375,392 ---- printf(" udp"); else if (np->in_p == 0) printf(" ip"); ! else if (np->in_p != 0) { ! if (pr != NULL) ! printf(" %s", pr->p_name); ! else ! printf(" %d", np->in_p); ! } if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) printf(" frag"); + if (np->in_age[0]) + printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) printf("\tspc %lu flg %#x max %u use %d\n", *************** *** 389,395 **** printf("%s/", inet_ntoa(np->in_in[0])); bits = countbits(np->in_in[1].s_addr); if (bits != -1) ! printf("%d ", bits); else printf("%s", inet_ntoa(np->in_in[1])); } --- 398,404 ---- printf("%s/", inet_ntoa(np->in_in[0])); bits = countbits(np->in_in[1].s_addr); if (bits != -1) ! printf("%d", bits); else printf("%s", inet_ntoa(np->in_in[1])); } *************** *** 401,412 **** printf("%s/", inet_ntoa(np->in_out[0])); bits = countbits(np->in_out[1].s_addr); if (bits != -1) ! printf("%d ", bits); else printf("%s", inet_ntoa(np->in_out[1])); } if (*np->in_plabel) { - pr = getprotobynumber(np->in_p); printf(" proxy port"); if (np->in_dport != 0) { if (pr != NULL) --- 410,420 ---- printf("%s/", inet_ntoa(np->in_out[0])); bits = countbits(np->in_out[1].s_addr); if (bits != -1) ! 
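Review bot: `pr` is now assigned only when `np->in_p != 0`, while a later hunk of this file removes the unconditional `pr = getprotobynumber(np->in_p);` from the `in_plabel` branch that goes on to test `pr != NULL`. Unless the declaration, which is outside this hunk, initialises it, a rule with protocol 0 reads an indeterminate pointer there. Assigning on both paths avoids that: `pr = (np->in_p != 0) ? getprotobynumber(np->in_p) : NULL;`.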
printf("%d", bits); else printf("%s", inet_ntoa(np->in_out[1])); } if (*np->in_plabel) { printf(" proxy port"); if (np->in_dport != 0) { if (pr != NULL) *************** *** 426,433 **** else printf("%d", np->in_p); } else if (np->in_redir == NAT_MAPBLK) { ! printf(" ports %d", np->in_pmin); ! if (opts & OPT_VERBOSE) printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); --- 434,445 ---- else printf("%d", np->in_p); } else if (np->in_redir == NAT_MAPBLK) { ! if ((np->in_pmin == 0) && ! (np->in_flags & IPN_AUTOPORTMAP)) ! printf(" ports auto"); ! else ! printf(" ports %d", np->in_pmin); ! if (opts & OPT_DEBUG) printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); *************** *** 451,456 **** --- 463,470 ---- } if (np->in_flags & IPN_FRAG) printf(" frag"); + if (np->in_age[0]) + printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) { printf("\tspace %lu nextip %s pnext %d", np->in_space, diff -cNr ip_fil3.4.25/printstate.c ip_fil3.4.26/printstate.c *** ip_fil3.4.25/printstate.c Sat Feb 23 02:32:56 2002 --- ip_fil3.4.26/printstate.c Sun Apr 21 02:42:37 2002 *************** *** 15,20 **** --- 15,23 ---- #include #include #include + #if __FreeBSD_version >= 300000 + # include + #endif #include "kmem.h" #include "netinet/ip_compat.h" #include "ipf.h" *************** *** 47,61 **** if (ips.is_p == IPPROTO_TCP) #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) ! PRINTF("\t%hu -> %hu %x:%x %hu:%hu", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ! ips.is_maxswin, ips.is_maxdwin); #else ! PRINTF("\t%hu -> %hu %x:%x %hu:%hu", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ! 
ips.is_maxswin, ips.is_maxdwin); #endif else if (ips.is_p == IPPROTO_UDP) PRINTF(" %hu -> %hu", ntohs(ips.is_sport), --- 50,66 ---- if (ips.is_p == IPPROTO_TCP) #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) ! PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ! ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ! ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #else ! PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ! ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ! ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #endif else if (ips.is_p == IPPROTO_UDP) PRINTF(" %hu -> %hu", ntohs(ips.is_sport), diff -cNr ip_fil3.4.25/solaris.c ip_fil3.4.26/solaris.c *** ip_fil3.4.25/solaris.c Wed Jan 16 01:36:54 2002 --- ip_fil3.4.26/solaris.c Wed Apr 24 00:57:51 2002 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $" #include #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $" #include #include *************** *** 1112,1118 **** freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); ! return 0; } --- 1112,1118 ---- freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); ! return 1; } *************** *** 1263,1269 **** freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); ! return 0; } --- 1263,1269 ---- freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); ! 
return 1; } diff -cNr ip_fil3.4.25/test/Makefile ip_fil3.4.26/test/Makefile *** ip_fil3.4.25/test/Makefile Mon Mar 11 16:27:19 2002 --- ip_fil3.4.26/test/Makefile Thu Apr 25 02:47:47 2002 *************** *** 9,31 **** SBINDEST=/sbin MANDIR=/usr/share/man ! tests: first 0 ftests ptests ntests nitests logtests first: -mkdir -p results # Filtering tests ! ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 ntests: n1 n2 n3 n4 n5 n6 n7 ! nitests: ni1 ni2 logtests: l1 0: @(cd ..; make ipftest; ) --- 9,35 ---- SBINDEST=/sbin MANDIR=/usr/share/man ! tests: first 0 ftests ptests ntests nitests logtests ipv6 intests first: -mkdir -p results # Filtering tests ! ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 ntests: n1 n2 n3 n4 n5 n6 n7 ! nitests: ni1 ni2 ni3 ni4 ! ! intests: in1 in2 in3 in4 logtests: l1 + ipv6: ipv6.1 ipv6.2 + 0: @(cd ..; make ipftest; ) *************** *** 38,59 **** f15 f16: @/bin/sh ./mtest $@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: @/bin/sh ./itest $@ n1 n2 n3 n4 n5 n6 n7: @/bin/sh ./nattest $@ ! ni1 ni2: @/bin/sh ./natipftest $@ l1: @/bin/sh ./logtest $@ clean: ! /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 ! /bin/rm -f ni1 ni2 /bin/rm -f l1 /bin/rm -f results/* --- 42,74 ---- f15 f16: @/bin/sh ./mtest $@ + f17: + @/bin/sh ./mhtest $@ + i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: @/bin/sh ./itest $@ n1 n2 n3 n4 n5 n6 n7: @/bin/sh ./nattest $@ ! ni1 ni2 ni3 ni4: @/bin/sh ./natipftest $@ + in1 in2 in3 in4: + @/bin/sh ./intest $@ + l1: @/bin/sh ./logtest $@ + ipv6.1 ipv6.2: + @/bin/sh ./dotest6 $@ + clean: ! /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 ! /bin/rm -f ni1 ni2 ni3 ni4 ! 
/bin/rm -f in1 in2 in3 in4 /bin/rm -f l1 + /bin/rm -f ipv6.1 ipv6.2 /bin/rm -f results/* diff -cNr ip_fil3.4.25/test/expected/f11 ip_fil3.4.26/test/expected/f11 *** ip_fil3.4.25/test/expected/f11 Thu Aug 5 03:31:28 1999 --- ip_fil3.4.26/test/expected/f11 Fri Mar 22 21:23:23 2002 *************** *** 1,6 **** --- 1,11 ---- pass + nomatch + nomatch + pass pass + nomatch pass + nomatch pass nomatch nomatch *************** *** 11,18 **** --- 16,28 ---- nomatch -------- block + nomatch + nomatch + block block + nomatch block + nomatch block nomatch nomatch *************** *** 28,33 **** --- 38,48 ---- nomatch nomatch nomatch + nomatch + nomatch + nomatch + nomatch + nomatch pass pass nomatch *************** *** 40,45 **** --- 55,65 ---- nomatch nomatch nomatch + nomatch + nomatch + nomatch + nomatch + nomatch block block nomatch *************** *** 52,57 **** --- 72,82 ---- nomatch nomatch nomatch + nomatch + nomatch + nomatch + nomatch + nomatch pass pass pass *************** *** 64,72 **** --- 89,119 ---- nomatch nomatch nomatch + nomatch + nomatch + nomatch + nomatch + nomatch block block block + nomatch + nomatch + -------- + nomatch + nomatch + nomatch + nomatch + nomatch + pass + nomatch + pass + nomatch + nomatch + nomatch + nomatch + nomatch + nomatch nomatch nomatch -------- diff -cNr ip_fil3.4.25/test/expected/f17 ip_fil3.4.26/test/expected/f17 *** ip_fil3.4.25/test/expected/f17 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/f17 Wed Apr 10 15:05:31 2002 *************** *** 0 **** --- 1,10 ---- + pass + block return-rst + pass + pass + pass + pass + pass + pass + pass + -------- diff -cNr ip_fil3.4.25/test/expected/in1 ip_fil3.4.26/test/expected/in1 *** ip_fil3.4.25/test/expected/in1 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/in1 Thu Apr 25 02:43:48 2002 *************** *** 0 **** --- 1,24 ---- + map le0 0.0.0.0/0 -> 0.0.0.0/32 + map le0 0.0.0.1/32 -> 0.0.0.1/32 + map le0 128.0.0.0/1 -> 0.0.0.0/0 + map le0 10.0.0.0/8 -> 1.2.3.0/24 + map le0 
10.0.0.0/8 -> 1.2.3.0/24 + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp + map le0 0.0.0.0/0 -> 0.0.0.0/32 frag + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp frag + map le0 0.0.0.0/0 -> 0.0.0.0/32 age 10/10 + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 age 10/20 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 age 30/30 + map le0 0.0.0.0/0 -> 0.0.0.0/32 frag age 10/10 + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20 + map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag age 30/30 diff -cNr ip_fil3.4.25/test/expected/in2 ip_fil3.4.26/test/expected/in2 *** ip_fil3.4.25/test/expected/in2 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/in2 Thu Apr 25 02:43:48 2002 *************** *** 0 **** --- 1,22 ---- + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 tcp + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 ip + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 ip + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 udp + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp/udp + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 icmp + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp 
round-robin + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 ip frag + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 icmp frag + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin frag + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 ip frag age 10/10 + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 + rdr le0 0.0.0.0/0 port 0 -> 1.1.1.1 port 0 icmp frag age 10/10 + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 + rdr le0 0.0.0.0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 diff -cNr ip_fil3.4.25/test/expected/in3 ip_fil3.4.26/test/expected/in3 *** ip_fil3.4.25/test/expected/in3 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/in3 Thu Apr 25 02:43:48 2002 *************** *** 0 **** --- 1,5 ---- + bimap le0 0.0.0.0/0 -> 0.0.0.0/32 + bimap le0 0.0.0.1/32 -> 0.0.0.1/32 + bimap le0 128.0.0.0/1 -> 0.0.0.0/0 + bimap le0 10.0.0.0/8 -> 1.2.3.0/24 + bimap le0 10.0.5.0/24 -> 1.2.3.0/24 diff -cNr ip_fil3.4.25/test/expected/in4 ip_fil3.4.26/test/expected/in4 *** ip_fil3.4.25/test/expected/in4 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/in4 Thu Apr 25 02:43:48 2002 *************** *** 0 **** --- 1,5 ---- + map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0 + map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0 + map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 256 + map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports auto + map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto diff -cNr ip_fil3.4.25/test/expected/ipv6.1 ip_fil3.4.26/test/expected/ipv6.1 *** ip_fil3.4.25/test/expected/ipv6.1 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/ipv6.1 Tue Mar 26 01:26:47 2002 *************** *** 0 **** --- 1,3 ---- + pass + pass + -------- diff -cNr ip_fil3.4.25/test/expected/ipv6.2 
ip_fil3.4.26/test/expected/ipv6.2 *** ip_fil3.4.25/test/expected/ipv6.2 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/ipv6.2 Tue Mar 26 01:30:25 2002 *************** *** 0 **** --- 1,15 ---- + nomatch + block + nomatch + block + -------- + block + nomatch + block + nomatch + -------- + pass + pass + pass + pass + -------- diff -cNr ip_fil3.4.25/test/expected/l1 ip_fil3.4.26/test/expected/l1 *** ip_fil3.4.25/test/expected/l1 Wed Mar 13 13:31:20 2002 --- ip_fil3.4.26/test/expected/l1 Thu Mar 14 02:22:05 2002 *************** *** 1,49 **** log in all ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- pass in on anon0 all head 100 -------- pass in log quick from 3.3.3.3 to any group 100 -------- pass in log body quick from 2.2.2.2 to any ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- pass in log quick proto tcp from 1.1.1.1 to any flags S keep state ! 
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -------- pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -------- ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- --- 1,49 ---- log in all ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- pass in on anon0 all head 100 -------- pass in log quick from 3.3.3.3 to any group 100 -------- pass in log body quick from 2.2.2.2 to any ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- pass in log quick proto tcp from 1.1.1.1 to any flags S keep state ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -------- pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -------- ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- diff -cNr ip_fil3.4.25/test/expected/l1.b ip_fil3.4.26/test/expected/l1.b *** ip_fil3.4.25/test/expected/l1.b Wed Mar 13 13:31:20 2002 --- ip_fil3.4.26/test/expected/l1.b Thu Mar 14 02:22:05 2002 *************** *** 1,47 **** ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- -------- -------- ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! -------- ! 01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! -------- ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! 01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a 42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- --- 1,47 ---- ! 
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- -------- -------- ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN ! 01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! -------- ! 01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! -------- ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN ! 
01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN ! 01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT ! 01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN ! 01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a 42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN ! 01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN ! 
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- diff -cNr ip_fil3.4.25/test/expected/ni4 ip_fil3.4.26/test/expected/ni4 *** ip_fil3.4.25/test/expected/ni4 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/expected/ni4 Mon Apr 22 01:53:12 2002 *************** *** 0 **** --- 1,4 ---- + 4500 003c 4706 4000 ff06 28aa 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 3323 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 + 4500 0058 809a 0000 ff01 3303 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + ------------------------------- diff -cNr ip_fil3.4.25/test/input/f11 ip_fil3.4.26/test/input/f11 *** ip_fil3.4.25/test/input/f11 Thu Aug 5 03:31:32 1999 --- ip_fil3.4.26/test/input/f11 Fri Mar 22 21:23:24 2002 *************** *** 1,6 **** --- 1,11 ---- in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S + in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA + in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA + in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A + in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A + in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A diff -cNr ip_fil3.4.25/test/input/f17 ip_fil3.4.26/test/input/f17 *** ip_fil3.4.25/test/input/f17 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/input/f17 Wed Apr 10 15:05:32 2002 *************** *** 0 **** --- 1,61 ---- + # (1.1.1.1,54076,seq=0xbfd08989) -> (2.2.2.2,25,seq=0) SYN + [out,ppp0] + 4500 003c 8262 0000 4006 8417 0101 0101 + 0202 0202 d33c 0019 bfd0 8989 0000 0000 + a002 4000 6190 0000 0204 05b4 0103 0300 + 0101 080a 008e 17f7 0000 0000 + + # (2.2.2.2,25,seq=0x40203436) 
-> (1.1.1.1,54076,seq=0xbfdfcbc9) ACK + [in,ppp0] + 4500 003c 8262 0000 1106 b317 0202 0202 + 0101 0101 0019 d33c 4020 3436 bfdf cbc9 + 5010 4000 fb0c 0000 0204 0584 0103 0300 + 0101 080a 008e 17f7 0000 0000 + + # (1.1.1.1,54076,seq=0xbfd08989) -> (2.2.2.2,25,seq=0x0) SYN + [out,ppp0] + 4500 003c 8265 0000 4006 8414 0101 0101 + 0202 0202 d33c 0019 bfd0 8989 0000 0000 + a002 4000 6185 0000 0204 05b4 0103 0300 + 0101 080a 008e 1802 0000 0000 + + # (2.2.2.2,25,seq=0xed674d4e) -> (1.1.1.1,54076,seq=0xbfd0898a) SYN-ACK + [in,ppp0] + 4500 002c 7442 4000 2906 6947 0202 0202 + 0101 0101 0019 d33c ed67 4d4e bfd0 898a + 6012 2118 ab84 0000 0204 0584 + + # + # (2.2.2.2,25,seq=0xbfd0898a) -> (1.1.1.1,54076,seq=0xed674d4e) ACK + [out,ppp0] + 4500 002c 8262 0000 4006 8417 0101 0101 + 0202 0202 d33c 0019 bfd0 898a ed67 4d4e + 5010 4000 6190 0000 0000 + + # (1.1.1.1,54076,seq=0xcfd08989) -> (2.2.2.2,25,seq=0x0) SYN + [out,ppp0] + 4500 003c 8265 0000 4006 8414 0101 0101 + 0202 0202 d33c 0019 cfd0 8989 0000 0000 + a002 4000 6185 0000 0204 05b4 0103 0300 + 0101 080a 008e 1802 0000 0000 + + # (1.1.1.1,54076,seq=0xcfd08989) -> (2.2.2.2,25,seq=0x0) SYN + [out,ppp0] + 4500 003c 8266 0000 4006 8413 0101 0101 + 0202 0202 d33c 0019 cfd0 8989 0000 0000 + a002 4000 6185 0000 0204 05b4 0103 0300 + 0101 080a 008e 1802 0000 0000 + + # (2.2.2.2,25,seq=0xed674d4e) -> (1.1.1.1,54076,seq=0xcfd0898a) SYN-ACK + [in,ppp0] + 4500 002c 7442 4000 2906 6947 0202 0202 + 0101 0101 0019 d33c ed67 4d4e cfd0 898a + 6012 2118 ab84 0000 0204 0584 + + # + # (2.2.2.2,25,seq=0xcfd0898a) -> (1.1.1.1,54076,seq=0xed674d4e) ACK + [out,ppp0] + 4500 002c 8262 0000 4006 8417 0101 0101 + 0202 0202 d33c 0019 cfd0 898a ed67 4d4e + 5010 4000 6190 0000 0000 + diff -cNr ip_fil3.4.25/test/input/ipf6-1 ip_fil3.4.26/test/input/ipf6-1 *** ip_fil3.4.25/test/input/ipf6-1 Sat Jan 12 01:23:20 2002 --- ip_fil3.4.26/test/input/ipf6-1 Thu Jan 1 10:00:00 1970 *************** *** 1,26 **** - [out,de0] - 6000 0000 0020 3aff ef00 0000 0000 
0000 - 0000 0000 0001 0013 ff02 0000 0000 0000 - 0000 0001 ff01 000b 8700 ea32 0000 0000 - ef00 0000 0000 0000 0000 0000 0001 000b - 0101 0048 5487 5c6f - - [in,de0] - 6000 0000 0020 3aff ef00 0000 0000 0000 - 0000 0000 0001 000b ef00 0000 0000 0000 - 0000 0000 0001 0013 8800 5322 6000 0000 - ef00 0000 0000 0000 0000 0000 0001 000b - 0201 0800 2071 cce1 - - [out,de0] - 6000 0000 0010 3a40 ef00 0000 0000 0000 - 0000 0000 0001 0013 ef00 0000 0000 0000 - 0000 0000 0001 000b 8000 3210 06ff 0002 - 9ec3 3c3c 8a82 0300 - - [in,de0] - 6000 0000 0010 3aff ef00 0000 0000 0000 - 0000 0000 0001 000b ef00 0000 0000 0000 - 0000 0000 0001 0013 8100 3110 06ff 0002 - 9ec3 3c3c 8a82 0300 - --- 0 ---- diff -cNr ip_fil3.4.25/test/input/ipv6.2 ip_fil3.4.26/test/input/ipv6.2 *** ip_fil3.4.25/test/input/ipv6.2 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/input/ipv6.2 Tue Mar 26 01:30:04 2002 *************** *** 0 **** --- 1,26 ---- + [out,de0] + 6000 0000 0020 3aff ef00 0000 0000 0000 + 0000 0000 0001 0013 ff02 0000 0000 0000 + 0000 0001 ff01 000b 8700 ea32 0000 0000 + ef00 0000 0000 0000 0000 0000 0001 000b + 0101 0048 5487 5c6f + + [in,de0] + 6000 0000 0020 3aff ef00 0000 0000 0000 + 0000 0000 0001 000b ef00 0000 0000 0000 + 0000 0000 0001 0013 8800 5322 6000 0000 + ef00 0000 0000 0000 0000 0000 0001 000b + 0201 0800 2071 cce1 + + [out,de0] + 6000 0000 0010 3a40 ef00 0000 0000 0000 + 0000 0000 0001 0013 ef00 0000 0000 0000 + 0000 0000 0001 000b 8000 3210 06ff 0002 + 9ec3 3c3c 8a82 0300 + + [in,de0] + 6000 0000 0010 3aff ef00 0000 0000 0000 + 0000 0000 0001 000b ef00 0000 0000 0000 + 0000 0000 0001 0013 8100 3110 06ff 0002 + 9ec3 3c3c 8a82 0300 + diff -cNr ip_fil3.4.25/test/input/ni4 ip_fil3.4.26/test/input/ni4 *** ip_fil3.4.25/test/input/ni4 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/input/ni4 Mon Apr 22 01:53:12 2002 *************** *** 0 **** --- 1,10 ---- + #v tos len id off ttl p sum src dst + # ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet + # going 
out) + [out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 + + [in,df0] 45 00 00 38 80 9a 00 00 ff 01 33 23 03 03 03 03 01 01 01 01 03 03 60 6b 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 + + # ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits) + [in,df0] 45 00 00 58 80 9a 00 00 ff 01 33 03 03 03 03 03 01 01 01 01 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 84 9a 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 + diff -cNr ip_fil3.4.25/test/intest ip_fil3.4.26/test/intest *** ip_fil3.4.25/test/intest Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/intest Thu Apr 25 02:43:56 2002 *************** *** 0 **** --- 1,21 ---- + #!/bin/sh + if [ -f /usr/ucb/touch ] ; then + TOUCH=/usr/ucb/touch + else + if [ -f /usr/bin/touch ] ; then + TOUCH=/usr/bin/touch + else + if [ -f /bin/touch ] ; then + TOUCH=/bin/touch + fi + fi + fi + echo "$1..."; + /bin/cp /dev/null results/$1 + ../ipnat -nvf regress/$1 2>/dev/null > results/$1 + cmp expected/$1 results/$1 + status=$? + if [ $status = 0 ] ; then + $TOUCH $1 + fi + exit $status diff -cNr ip_fil3.4.25/test/logtest ip_fil3.4.26/test/logtest *** ip_fil3.4.25/test/logtest Wed Mar 13 13:31:04 2002 --- ip_fil3.4.26/test/logtest Mon Mar 25 22:16:02 2002 *************** *** 22,36 **** /bin/rm -f logout exit 1 fi ! ../ipmon -P /dev/null -f logout >> results/$1 echo "--------" >> results/$1 ! ../ipmon -P /dev/null -bf logout >> results/$1.b echo "--------" >> results/$1.b done ) < regress/$1 ../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null ! ../ipmon -P /dev/null -f logout >> results/$1 echo "--------" >> results/$1 ! 
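Review bot: In test/intest, `TOUCH` stays unset when none of /usr/ucb/touch, /usr/bin/touch or /bin/touch exists, and the unquoted `$TOUCH $1` at the end then expands to the test name alone and runs it as a command. Seeding a default before the probe, `TOUCH=touch`, and quoting the argument, `$TOUCH "$1"`, keeps the stamp step from turning into a command lookup on the test name; the same probe and `$TOUCH $1` line appear in test/mhtest. Separately, `../ipnat -nvf regress/$1 2>/dev/null > results/$1` discards ipnat's diagnostics and never checks its exit status, so a parse failure only shows up as a cmp mismatch with nothing to explain it; checking `$?` right after the call, as mhtest does for ipftest, would make such failures readable.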
../ipmon -P /dev/null -bf logout >> results/$1.b echo "--------" >> results/$1.b cmp expected/$1 results/$1 --- 22,36 ---- /bin/rm -f logout exit 1 fi ! TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1 echo "--------" >> results/$1 ! TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b echo "--------" >> results/$1.b done ) < regress/$1 ../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null ! TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1 echo "--------" >> results/$1 ! TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b echo "--------" >> results/$1.b cmp expected/$1 results/$1 diff -cNr ip_fil3.4.25/test/mhtest ip_fil3.4.26/test/mhtest *** ip_fil3.4.25/test/mhtest Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/mhtest Thu Apr 4 20:44:31 2002 *************** *** 0 **** --- 1,36 ---- + #!/bin/sh + # multiple rules at the same time + + if [ -f /usr/ucb/touch ] ; then + TOUCH=/usr/ucb/touch + else + if [ -f /usr/bin/touch ] ; then + TOUCH=/usr/bin/touch + else + if [ -f /bin/touch ] ; then + TOUCH=/bin/touch + fi + fi + fi + echo "$1..."; + + /bin/cp /dev/null results/$1 + + ../ipftest -br regress/$1 -Hi input/$1 > results/$1 + if [ $? -ne 0 ] ; then + exit 1 + fi + echo "--------" >> results/$1 + + cmp expected/$1 results/$1 + status=$? + if [ $status -ne 0 ] ; then + exit $status + fi + cmp expected/$1 results/$1 + status=$? 
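Review bot: `TZ=GMT` is repeated as a prefix on each of the four ipmon calls in test/logtest, so an ipmon call added later without it would print local-time stamps and fail against expected/l1 and expected/l1.b, which this patch rewrites to 00:00:00. Setting it once near the top of the script, `TZ=GMT; export TZ`, covers every call and documents that the expected files are timezone-pinned. The enclosing loop and the head of the script lie outside the hunk, so whether other time-printing commands run there cannot be checked from here.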
+ if [ $status -ne 0 ] ; then + exit $status + fi + $TOUCH $1 + exit 0 diff -cNr ip_fil3.4.25/test/regress/f11 ip_fil3.4.26/test/regress/f11 *** ip_fil3.4.25/test/regress/f11 Fri Jan 10 02:14:56 1997 --- ip_fil3.4.26/test/regress/f11 Fri Mar 22 21:23:27 2002 *************** *** 4,6 **** --- 4,7 ---- block in proto udp from any to any port = 53 keep frags pass in proto udp from any to any port = 53 keep state block in proto udp from any to any port = 53 keep state + pass in on e0 proto tcp from any to any port = 25 keep state diff -cNr ip_fil3.4.25/test/regress/f17 ip_fil3.4.26/test/regress/f17 *** ip_fil3.4.25/test/regress/f17 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/regress/f17 Thu Apr 4 20:40:58 2002 *************** *** 0 **** --- 1,4 ---- + block in all + block out all + pass out quick on ppp0 proto tcp all flags S keep state + block return-rst in quick proto tcp all diff -cNr ip_fil3.4.25/test/regress/in1 ip_fil3.4.26/test/regress/in1 *** ip_fil3.4.25/test/regress/in1 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.26/test/regress/in1 Thu Apr 25 02:43:48 2002 *************** *** 0 **** --- 1,24 ---- + map le0 0/0 -> 0/32 + map le0 1/32 -> 1/32 + map le0 128.0.0.0/1 -> 0/0 + map le0 10.0.0.0/8 -> 1.2.3.0/24 + map le0 10.0.0.5/8 -> 1.2.3.4/24 + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 + map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 + map ppp0 192.168.0.0/16 -> 0/32 portmap udp 20000:29999 + map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp 30000:39999 + map ppp0 192.168.0.0/16 -> 0/32 portmap tcp auto + map ppp0 192.168.0.0/16 -> 0/32 portmap udp auto + map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto + map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp + map ppp0 192.168.0.0/16 -> 0/32 proxy port 1010 ftp/tcp + map le0 0/0 -> 0/32 frag + map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag + map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag + map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp frag + map le0 0/0 -> 
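Review bot: The second `cmp expected/$1 results/$1` block in test/mhtest repeats the first one verbatim, so it cannot fail once the first has passed and adds no coverage. If it was carried over from a script that compares a second output file (logtest also writes `results/$1.b`), the intended comparison is missing here; otherwise the five duplicated lines can go. A one-line comment such as `# single output file: one cmp is enough` would record which of the two was meant.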
0/32 age 10
+ map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 age 10/20
+ map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 age 30
+ map le0 0/0 -> 0/32 frag age 10
+ map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
+ map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag age 30
diff -cNr ip_fil3.4.25/test/regress/in2 ip_fil3.4.26/test/regress/in2
*** ip_fil3.4.25/test/regress/in2 Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/in2 Thu Apr 25 02:43:48 2002
***************
*** 0 ****
--- 1,22 ----
+ rdr le0 0/0 port 0 -> 1.1.1.1 port 0
+ rdr le0 0/0 port 0 -> 1.1.1.1 port 0 ip
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 ip
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 tcp
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 udp
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 tcp/udp
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 icmp
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin
+ rdr le0 0/0 port 0 -> 1.1.1.1 port 0 ip frag
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 icmp frag
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
+ rdr le0 0/0 port 0 -> 1.1.1.1 port 0 ip frag age 10
+ rdr le0 0/0 port 0 -> 1.1.1.1 port 0 ip frag age 10/20
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 icmp frag age 10
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20
+ rdr le0 0/0 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30
+ rdr le0 0/0 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40
diff -cNr ip_fil3.4.25/test/regress/in3 ip_fil3.4.26/test/regress/in3
*** ip_fil3.4.25/test/regress/in3 Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/in3 Thu Apr 25 02:43:48 2002
***************
*** 0 ****
--- 1,5 ----
+ bimap le0 0/0 -> 0/32
+ bimap
le0 1/32 -> 1/32
+ bimap le0 128.0.0.0/1 -> 0/0
+ bimap le0 10.0.0.0/8 -> 1.2.3.0/24
+ bimap le0 10.0.5.6/24 -> 1.2.3.4/24
diff -cNr ip_fil3.4.25/test/regress/in4 ip_fil3.4.26/test/regress/in4
*** ip_fil3.4.25/test/regress/in4 Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/in4 Thu Apr 25 02:43:48 2002
***************
*** 0 ****
--- 1,5 ----
+ map-block le0 10.0.0.0/24 -> 203.1.1.0/24
+ map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0
+ map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 256
+ map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports auto
+ map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
diff -cNr ip_fil3.4.25/test/regress/ipf6-1 ip_fil3.4.26/test/regress/ipf6-1
*** ip_fil3.4.25/test/regress/ipf6-1 Sat Jan 12 01:23:21 2002
--- ip_fil3.4.26/test/regress/ipf6-1 Thu Jan 1 10:00:00 1970
***************
*** 1,3 ****
- block in all
- block out all
- pass out proto 58 all keep state
--- 0 ----
diff -cNr ip_fil3.4.25/test/regress/ipv6.2 ip_fil3.4.26/test/regress/ipv6.2
*** ip_fil3.4.25/test/regress/ipv6.2 Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/ipv6.2 Tue Mar 26 01:25:43 2002
***************
*** 0 ****
--- 1,3 ----
+ block in all
+ block out all
+ pass out proto 58 all keep state
diff -cNr ip_fil3.4.25/test/regress/ni4.ipf ip_fil3.4.26/test/regress/ni4.ipf
*** ip_fil3.4.25/test/regress/ni4.ipf Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/ni4.ipf Mon Apr 22 01:53:12 2002
***************
*** 0 ****
--- 1,4 ----
+ block in all
+ block out all
+ pass out proto udp from any to any keep state
+ pass out proto tcp from any to any flags S keep state
diff -cNr ip_fil3.4.25/test/regress/ni4.nat ip_fil3.4.26/test/regress/ni4.nat
*** ip_fil3.4.25/test/regress/ni4.nat Thu Jan 1 10:00:00 1970
--- ip_fil3.4.26/test/regress/ni4.nat Mon Apr 22 01:53:12 2002
***************
*** 0 ****
--- 1 ----
+ map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000