diff -crN ip_fil4.1.8/AIX/Makefile ip_fil4.1.9/AIX/Makefile *** ip_fil4.1.8/AIX/Makefile Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/AIX/Makefile Sun Jun 12 17:18:33 2005 *************** *** 0 **** --- 1,405 ---- + # + # Copyright (C) 2000 by Darren Reed. + # + # See the IPFILTER.LICENCE file for details on licencing. + # + BINDEST=/usr/sbin + SBINDEST=/sbin + MANDIR=/usr/share/man + CC=cc + CFLAGS=-g -I$(TOP) + DEBUG=-O3 + # + # For AIX 5.3 + # + CPU=`uname -p` + INC=-I/usr/include + DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) + LKM=ipf + DLKM= + OBJ=. + TOP=.. + HERE=AIX/$(OSREV) + AIX=`uname -v` + DEST=. + MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ + 'CFLAGS=$(CFLAGS)' "IPFLKM=$(IPFLKM)" \ + "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ + "DEBUG=$(DEBUG)" "DCPU=$(CPU)" "CPUDIR=$(CPUDIR)" \ + "LOOKUP=$(LOOKUP)" "SCAN=$(SCAN)" "ALLOPTS=$(ALLOPTS)" + LIBS=-q$(BITS) -L. -lipf + CCARGS=$(DEBUG) $(CFLAGS) -I. -DAIX=$(AIX) -q$(BITS) + EXTRA=$(ALLOPTS) + FIXRADIX=-Dradix_node=ipf_radix_node -Dradix_node_head=ipf_radix_node_head \ + -Drn_inithead=ipf_rn_inithead -Drn_walktree=ipf_rn_walktree + MILLI=`../bootbits.sh` + FIXMILLI=-D_H_STRING=1 -Dbzero=bzero$(MILLI) \ + -Dmemcmp=memcmp$(MILLI) \ + -Dmemcpy=memcpy$(MILLI) \ + -Dmemccpy=memccpy$(MILLI) \ + -Dmemset=memset$(MILLI) \ + -Dmemmove=memmove$(MILLI) \ + -Dfill=fill$(MILLI) \ + -Dstrstr=strstr$(MILLI) + # + ########## ########## ########## ########## ########## ########## ########## + # + CP=/bin/cp + RM=/bin/rm + CHMOD=/bin/chmod + INSTALL=$(TOP)/bsdinstall + # + MODOBJS=ip_fil.o fil.o md5.o ip_nat.o ip_frag.o ip_state.o \ + ip_proxy.o ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o \ + ip_sync.o ip_scan.o ip_rules.o + #radix.o + DFLAGS=$(DEBUG) -DAIX=$(AIX) $(IPFLKM) $(IPFLOG) $(DEF) $(CFLAGS) $(DLKM) \ + $(FIXMILLI) $(IPFBPF) $(LOOKUP) -I. 
+ IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o + IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \ + ip_proxy_u.o ip_auth_u.o ip_fil_u.o ip_sync_u.o ip_scan_u.o \ + ip_log_u.o ip_pool_u.o ip_htable_u.o ip_lookup_u.o ip_rules_u.o \ + ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o ippool_y.o ippool_l.o \ + bpf_filter_u.o md5_u.o radix_u.o + IPNAT=ipnat.o ipnat_y.o ipnat_l.o + IPMON=ipmon.o ipmon_y.o ipmon_l.o + IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o + FILS=ipfstat.o + LIBSRC=$(TOP)/lib + RANLIB=ranlib + AROPTS=-X $(BITS) crs + TOOL=$(TOP)/tools + + include $(TOP)/lib/Makefile + + build all: radix_ipf_local.h ./libipf.a ipf.exe ipfs ipfstat ipftest ipmon \ + ipnat ippool ipscan ipsyncm ipsyncs cfg_ipf $(LKM) + -sh -c 'for i in ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done' + -ln -s `pwd`/ipf.exe $(TOP)/ipf + + ipfstat: $(FILS) ./libipf.a + $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ + -o $@ $(LIBS) $(STATETOP_LIB) + + ipf.exe: $(IPF) ./libipf.a + $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) $(LIBBPF) + + ipftest: $(IPT) ./libipf.a + $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) $(LIBBPF) + + ipnat: $(IPNAT) ./libipf.a + $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) + + ipfs: ipfs.o ./libipf.a + $(CC) $(CCARGS) ipfs.o -o $@ $(LIBS) + + ipsyncm: ipsyncm.o ./libipf.a + $(CC) $(CCARGS) ipsyncm.o -o $@ $(LIBS) + + ipsyncs: ipsyncs.o ./libipf.a + $(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS) + + ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h + $(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@ + + ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h + $(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@ + + tests: + (cd test; make ) + + ipfstat.o: $(TOOL)/ipfstat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \ + $(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h + $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ + -c $(TOOL)/ipfstat.c -o $@ + + ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \ + $(TOP)/ip_nat.h + $(CC) 
$(CCARGS) -c $(TOOL)/ipfs.c -o $@ + + fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h + $(CC) $(CCARGS) $(EXTRA) $(FIXRADIX) $(IPFBPF) -c $(TOP)/fil.c -o $@ + + ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h + $(CC) $(CCARGS) -c $(TOOL)/ipf.c -o $@ + + ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h + $(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@ + + ipf_l.o: ipf_l.c ipf_y.h $(TOP)/ipf.h ipf_l.h + $(CC) $(CCARGS) -I. -c ipf_l.c -o $@ + + ipf_y.h ipf_y.c: $(TOOL)/ipf_y.y $(TOP)/ip_pool.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipf_l.c ipf_l.h: $(TOOL)/lexer.c $(TOP)/ipf.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipfcomp.o: $(TOOL)/ipfcomp.c $(TOP)/ip_fil.h $(TOP)/ipf.h + $(CC) $(CCARGS) -c $(TOOL)/ipfcomp.c -o $@ + + ipftest.o: $(TOOL)/ipftest.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h + $(CC) $(CCARGS) -c $(TOOL)/ipftest.c -o $@ + + ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h + $(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@ + + ipnat_y.o: ipnat_y.c ipnat_y.h $(TOP)/ip_fil.h $(TOP)/ip_compat.h \ + $(TOP)/ipf.h $(TOP)/ip_nat.h ipnat_l.h + $(CC) $(CCARGS) -c ipnat_y.c -o $@ + + ipnat_l.o: ipnat_l.c ipnat_y.h $(TOP)/ip_fil.h $(TOP)/ip_compat.h \ + $(TOP)/ipf.h $(TOP)/ip_nat.h ipnat_l.h + $(CC) $(CCARGS) -I. -c ipnat_l.c -o $@ + + ipnat_y.h ipnat_y.c: $(TOOL)/ipnat_y.y $(TOP)/ip_nat.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipnat_l.c ipnat_l.h: $(TOOL)/lexer.c $(TOP)/ip_nat.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.c ipf.exe + ./ipf.exe -cc -nf $(TOP)/rules/ip_rules + + $(TOP)/ip_rules.h: ip_rules.c + if [ ! 
-f $(TOP)/ip_rules.h ] ; then \ + /bin/mv -f ip_rules.h $(TOP); \ + else \ + touch $(TOP)/ip_rules.h; \ + fi + + ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@ + + ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ + $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c $(TOP)/ip_raudio_pxy.c \ + $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h \ + $(TOP)/ip_fil.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@ + + ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_frag.c -o $@ + + ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h $(TOP)/ip_nat.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_state.c -o $@ + + ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_auth.c -o $@ + + ip_fil_u.o: $(TOP)/ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h + $(CC) $(CCARGS) $(EXTRA) $(FIXRADIX) -c $(TOP)/ip_fil.c -o $@ + + ip_scan_u.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_scan.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_scan.c -o $@ + + ip_sync_u.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_sync.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_sync.c -o $@ + + ip_rules_u.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_rules.h + $(CC) $(CCARGS) $(EXTRA) -c ip_rules.c -o $@ + + ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_log.c -o $@ + + ip_pool_u.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_pool.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_pool.c -o $@ + + ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_htable.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@ + + ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h 
$(TOP)/ip_fil.h \ + $(TOP)/ip_lookup.h + $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@ + + bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h $(TOP)/bpf-ipf.h + $(CC) $(CCARGS) -c $(TOP)/bpf_filter.c -o $@ + + md5_u.o: $(TOP)/md5.c $(TOP)/md5.h + $(CC) $(CCARGS) -c $(TOP)/md5.c -o $@ + + radix_u.o: $(TOP)/radix.c $(TOP)/radix_ipf.h + $(CC) $(CCARGS) -c $(TOP)/radix.c -o $@ + + cfg_ipf: cfg_ipf.o + # ld -o cfg_ipf cfg_ipf.o -L/usr/lib/ia64l32 -L/usr/ccs/lib/ia64l32 \ + # -lodm -lrts -lcfg + $(CC) $(CCARGS) -o cfg_ipf cfg_ipf.o -lodm -lrts -lcfg + + cfg_ipf.o: ../aix_cfg_ipf.c + $(CC) -D_ALL_SOURCE -D_KERNEL $(CCARGS) -c ../aix_cfg_ipf.c -o $@ + + $(LKM): $(MODOBJS) ../ipfkext.exp /lib/kernex.exp /lib/syscalls.exp + ld -G -eipfconfig -bimport:/lib/syscalls.exp -bimport:/lib/kernex.exp \ + -bimport:/lib/kernex.exp -bimport:/lib/netinet.exp \ + -bimport:/lib/statcmd.exp \ + -lcsys -lsys -bexport:../ipfkext.exp -bmap:ipfkext.map \ + $(MODOBJS) -o $(LKM)32 + /bin/rm -f $(LKM) + ar -X $(BITS) cq $(LKM) $(LKM)32 + + fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h $(TOP)/ipl.h + $(CC) $(POLICY) $(DFLAGS) $(IPFBPF) -c $(TOP)/fil.c -o $@ + + ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ + + ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ + + ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h $(TOP)/ip_nat.h + $(CC) $(DFLAGS) -DIPSTATE_SIZE=127 -c $(TOP)/ip_state.c -o $@ + + ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ + $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c $(TOP)/ip_raudio_pxy.c \ + $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h \ + $(TOP)/ip_nat.h $(TOP)/ip_fil.h + $(CC) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ + + ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DFLAGS) -c 
$(TOP)/ip_auth.c -o $@ + + ip_fil.o: $(TOP)/ip_fil_aix.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h + $(CC) $(DFLAGS) $(COMPIPF) -c $(TOP)/ip_fil_aix.c -o $@ + + ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ + + ip_scan.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_scan.h + $(CC) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@ + + ip_sync.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_sync.h + $(CC) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@ + + radix.o: $(TOP)/radix.c radix_ipf_local.h + $(CC) $(DFLAGS) -c $(TOP)/radix.c -o $@ + + ip_pool.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_pool.h radix_ipf_local.h + $(CC) $(DFLAGS) $(FIXRADIX) -c $(TOP)/ip_pool.c -o $@ + + ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_htable.h + $(CC) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@ + + ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_lookup.h + $(CC) $(DFLAGS) $(FIXRADIX) -c $(TOP)/ip_lookup.c -o $@ + + ip_rules.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_rules.h + $(CC) -I. $(DFLAGS) -c ip_rules.c -o $@ + + ip_rulesx.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_rules.h + $(CC) -I. -DIPFILTER_COMPILED $(DFLAGS) -c ip_rules.c -o $@ + + #aix.o: $(TOP)/aix.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h + # $(CC) $(DFLAGS) -c $(TOP)/aix.c -o $@ + + md5.o: $(TOP)/md5.c $(TOP)/md5.h + $(CC) $(DFLAGS) -c $(TOP)/md5.c -o $@ + + ipmon: $(IPMON) ./libipf.a + $(CC) $(CCARGS) $(LOGFAC) $(IPMON) -o $@ $(LIBS) -ll + + ipmon.o: $(TOOL)/ipmon.c $(TOP)/ipmon.h + $(CC) $(CCARGS) $(LOGFAC) -c $(TOOL)/ipmon.c -o $@ + + ipmon_y.o: ipmon_y.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h + $(CC) $(CCARGS) -c ipmon_y.c -o $@ + + ipmon_l.o: ipmon_l.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h + $(CC) $(CCARGS) -I. 
-c ipmon_l.c -o $@ + + ipmon_y.h ipmon_y.c: $(TOOL)/ipmon_y.y $(TOP)/ipmon.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipmon_l.c ipmon_l.h: $(TOOL)/lexer.c $(TOP)/ipmon.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipscan: ipscan_y.o ipscan_l.o + $(CC) $(DEBUG) ipscan_y.o ipscan_l.o -o $@ -ll $(LIBS) + + ipscan_y.o: ipscan_y.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h + $(CC) $(CCARGS) -c ipscan_y.c -o $@ + + ipscan_l.o: ipscan_l.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h + $(CC) $(CCARGS) -I. -c ipscan_l.c -o $@ + + ipscan_y.h ipscan_y.c: $(TOOL)/ipscan_y.y $(TOP)/ip_scan.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ipscan_l.c ipscan_l.h: $(TOOL)/lexer.c $(TOP)/ip_scan.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ippool: $(IPPOOL) + $(CC) $(DEBUG) -I. $(CFLAGS) $(IPPOOL) -o $@ $(LIBS) -ll + + ippool.o: $(TOOL)/ippool.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_pool.h + $(CC) $(CCARGS) -c $(TOOL)/ippool.c -o $@ + + ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h + $(CC) $(CCARGS) -c ippool_y.c -o $@ + + ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h + $(CC) $(CCARGS) -I. 
-c ippool_l.c -o $@ + + ippool_y.h ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + ippool_l.c ippool_l.h: $(TOOL)/lexer.c $(TOP)/ip_pool.h + (cd $(TOOL); make "DEST=../$(HERE)" ../$(HERE)/$@) + + radix_ipf_local.h: $(TOP)/radix_ipf.h Makefile + # sed -e 's/radix_node/ipf_radix_node/g' \ + # -e 's/radix_mask/ipf_radix_mask/g' \ + # $(TOP)/radix_ipf.h > $@ + cp /usr/include/net/radix.h $@ + chmod u+w $@ + + .y.c: + + .l.c: + + clean: + ${RM} -f ../ipf.exe ../ipnat ../ipmon ../ippool ../ipftest + ${RM} -f ../ipscan ../ipsyncm ../ipsyncs cfg_ipf + ${RM} -f *.core *.o *.a *.o.d radix_ipf_local.h + ${RM} -f fils ipf.exe ipfstat ipftest ipmon if_ipl ipnat + ${RM} -f $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h + ${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h + ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h + ${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h + ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h + ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h + ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c y.tab.? lex.yy.c ipfs + ${RM} -f ipsyncm ipsyncs ip_rules.c ip_rules.h + + ${MAKE} -f Makefile.ipsend ${MFLAGS} clean + -(for i in *; do \ + if [ -d $${i} -a -f $${i}/Makefile ] ; then \ + cd $${i}; (make TOP=../.. 
clean); cd ..; \ + rm $${i}/Makefile $${i}/Makefile.ipsend; \ + rmdir $${i}; \ + fi \ + done) + + install: + cp cfg_ipf /usr/lib/methods + cp $(LKM) /usr/lib/drivers/ipf + -for i in ipfs ipnat ipscan ipfstat; do \ + $(INSTALL) -s -c -g system -m 755 -o root $$i $(SBINDEST); \ + done + $(INSTALL) -s -c -g system -m 755 -o root ipf.exe $(SBINDEST)/ipf + -for i in ipmon ipftest ipsyncs ipsyncm; do \ + $(INSTALL) -s -c -g system -m 755 -o root $$i $(BINDEST); \ + done + (cd $(TOP)/man; make INSTALL=../bsdinstall MANDIR=$(MANDIR) install; cd $(TOP)) + sync diff -crN ip_fil4.1.8/AIX/Makefile.ipsend ip_fil4.1.9/AIX/Makefile.ipsend *** ip_fil4.1.8/AIX/Makefile.ipsend Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/AIX/Makefile.ipsend Sun Jun 12 17:18:34 2005 *************** *** 0 **** --- 1,78 ---- + MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ + "CC=$(CC)" "CFLAGS=$(CFLAGS)" "DEBUG=$(DEBUG)" \ + "IPFLKM=$(IPFLKM)" "IPFLOG=$(IPFLOG)" \ + "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" "LOOKUP=$(LOOKUP)" + FIXRADIX=-Dradix_node=ipf_radix_node -Dradix_node_head=ipf_radix_node_head + OBJS=ipsend.o ip.o ipsopt.o iplang_y.o iplang_l.o + IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o + ROBJS=ipresend.o ip.o resend.o + TOBJS=iptest.o iptests.o ip.o + UNIXOBJS=dlcommon.o sbpf.o arp.o sock.o + OBJ=. + LIBS=-L$(OBJ) -lipf + + CC=cc + CFLAGS=-g -I$(TOP) + CCARGS=$(DEBUG) $(CFLAGS) -I. 
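Review bot: The `install` target copies the kernel extension and the ODM configure method with a bare `cp` (`cp cfg_ipf /usr/lib/methods` and `cp $(LKM) /usr/lib/drivers/ipf`), so their owner and mode come from the builder's umask or from whatever file already sits there, while every user-space binary in the same target goes through `$(INSTALL) -s -c -g system -m 755 -o root`. Both files run or are loaded with root privilege (`aix_cfg_ipf.c` in this same patch hands `/usr/lib/drivers/ipf` to `loadext()`), so a group- or world-writable copy is a local privilege-escalation path; I'd install them the same way, `$(INSTALL) -c -g system -m 755 -o root cfg_ipf /usr/lib/methods/cfg_ipf` and `$(INSTALL) -c -g system -m 644 -o root $(LKM) /usr/lib/drivers/ipf`, without `-s` on the kernel extension. Related: the `MILLI=` line runs `../bootbits.sh` without its `milli` argument, so on a 32-bit kernel it expands to `32` and `FIXMILLI` rewrites `bzero` to `bzero32` and so on, which looks unintended given the script only emits `64`-or-nothing in `milli` mode; `../bootbits.sh milli` is probably what was meant, unless `bzero32` symbols really exist. The `-for` prefixes on the other install loops also mean a failed install of, say, `ipnat` or `ipmon` does not fail `make install`.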
+ + all nit sunos4 sunos4-nit build : ipsend ipresend iptest + + iplang_y.o: $(TOP)/iplang/iplang_y.y + (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../AIX/$(OSREV)' ) + + iplang_l.o: $(TOP)/iplang/iplang_l.l + (cd $(TOP)/iplang; $(MAKE) 'DESTDIR=../AIX/$(OSREV)' ) + + .c.o: + $(CC) $(CCARGS) -c $(TOP)/ipsend/$< -o $@ + + ipsend: $(OBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll + + ipresend: $(ROBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS) + + iptest: $(TOBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS) + + clean: + rm -rf *.o core a.out ipsend ipresend iptest iplang_y.* iplang_l.* + + ipsend.o: $(TOP)/ipsend/ipsend.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/ipsend.c -o $@ + ipsopt.o: $(TOP)/ipsend/ipsopt.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/ipsopt.c -o $@ + ipresend.o: $(TOP)/ipsend/ipresend.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/ipresend.c -o $@ + ip.o: $(TOP)/ipsend/ip.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/ip.c -o $@ + resend.o: $(TOP)/ipsend/resend.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/resend.c -o $@ + ipft_sn.o: $(TOP)/ipft_sn.c + $(CC) $(CCARGS) -c $(TOP)/ipft_sn.c -o $@ + ipft_pc.o: $(TOP)/ipft_pc.c + $(CC) $(CCARGS) -c $(TOP)/ipft_pc.c -o $@ + iptest.o: $(TOP)/ipsend/iptest.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/iptest.c -o $@ + iptests.o: $(TOP)/ipsend/iptests.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/iptests.c -o $@ + sbpf.o: $(TOP)/ipsend/sbpf.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/sbpf.c -o $@ + snit.o: $(TOP)/ipsend/snit.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/snit.c -o $@ + sock.o: $(TOP)/ipsend/sock.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/sock.c -o $@ + arp.o: $(TOP)/ipsend/arp.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/arp.c -o $@ + 44arp.o: $(TOP)/ipsend/44arp.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/44arp.c -o $@ + lsock.o: $(TOP)/ipsend/lsock.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/lsock.c -o $@ + slinux.o: $(TOP)/ipsend/slinux.c + $(CC) $(CCARGS) -c $(TOP)/ipsend/slinux.c -o $@ + larp.o: $(TOP)/ipsend/larp.c + $(CC) 
$(CCARGS) -c $(TOP)/ipsend/larp.c -o $@
+ dlcommon.o: $(TOP)/ipsend/dlcommon.c
+ $(CC) $(CCARGS) -c $(TOP)/ipsend/dlcommon.c -o $@
+ sdlpi.o: $(TOP)/ipsend/sdlpi.c
+ $(CC) $(CCARGS) -c $(TOP)/ipsend/sdlpi.c -o $@
diff -crN ip_fil4.1.8/AIX/aix_cfg_ipf.c ip_fil4.1.9/AIX/aix_cfg_ipf.c
*** ip_fil4.1.8/AIX/aix_cfg_ipf.c Thu Jan 1 10:00:00 1970
--- ip_fil4.1.9/AIX/aix_cfg_ipf.c Sun Jun 12 17:18:34 2005
***************
*** 0 ****
--- 1,257 ----
+ /*
+ * Copyright (C) 2005 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: aix_cfg_ipf.c,v 1.1.2.1 2005/06/12 07:18:34 darrenr Exp $
+ */
+ #include
+ #include
+ #include
+ #include
+ /*
+ * This is a workaround for troubles on FreeBSD, HPUX, OpenBSD.
+ * Needed here because on some systems gets included by things
+ * like
+ */
+ #include
+ #include
+ #include
+ #include
+ #define _TCP_DEBUG_H_
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ 
+ #include
+ 
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ 
+ #include "netinet/ip_compat.h"
+ #include "netinet/ip_fil.h"
+ 
+ #ifndef __P
+ # ifdef __STDC__
+ # define __P(x) x
+ # else
+ # define __P(x) ()
+ # endif
+ #endif
+ #ifndef __STDC__
+ # undef const
+ # define const
+ #endif
+ 
+ /*
+ * AIX requires a specific configure/unconfigure program
+ */
+ #undef ASSERT
+ #include
+ #include
+ 
+ void loadipf __P((int major, int minor, dev_t devno, char *));
+ void unloadipf __P((int major, int minor, dev_t devno));
+ void queryipf __P((int major, int minor, dev_t devno));
+ int checkarg __P((int, char *arg));
+ void usage __P((char *));
+ 
+ static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
+ IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
+ IPLOOKUP_NAME, NULL };
+ 
+ int
+ main(int argc, char *argv[])
+ {
+ int major, minor, action;
+ dev_t devno;
+ 
+ action = checkarg(argc, argv[1]);
+ if (action == -1)
+ usage(argv[0]);
+ 
+ if (odm_initialize() == -1) {
+ fprintf(stderr, 
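Review bot: The `iplang_y.o` and `iplang_l.o` recipes run the sub-make with `'DESTDIR=../AIX/$(OSREV)'`, but nothing in this file sets or checks `OSREV`, and the only caller that would pass it, the `make -f Makefile.ipsend` line in the top-level `aix:` target, is commented out, so a stand-alone invocation expands to `DESTDIR=../AIX/` and the generated objects presumably land in the `AIX` source directory instead of the per-revision build directory. I'd fail early with a first recipe line such as `@[ -n "$(OSREV)" ] || { echo "OSREV is not set; run from the top-level Makefile" >&2; exit 1; }`, or default it from `../cpurev` the way the parent does. Separately, the `.c.o:` suffix rule hard-wires `$(TOP)/ipsend/$<`, which cannot locate the `ipft_*.c` sources that live in `$(TOP)` (the explicit `ipft_sn.o`/`ipft_pc.o` rules show where they are), so any `IPFTO` object left to the suffix rule would fail to build; since no target in this hunk links `IPFTO`, that is latent rather than live.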
"odm_initialize() failed\n"); + exit(1); + } + + major = genmajor("ipf"); + if (major == -1) { + fprintf(stderr, "genmajor(ipf) failed\n"); + exit(1); + } + minor = 0; + + devno = makedev(major, minor); + if (devno == -1) { + fprintf(stderr, "makedev(%d,%d) failed\n", major, minor); + exit(1); + } + printf("Major %d\ndevno %x\n", major, devno); + + switch (action) + { + case 1 : + loadipf(major, minor, devno, argv[2]); + break; + case 2 : + unloadipf(major, minor, devno); + break; + case 3 : + queryipf(major, minor, devno); + break; + } + + odm_terminate(); + + return 0; + } + + + void usage(char *prog) + { + fprintf(stderr, "Usage:\t%s -l\n\t%s -u\n\t%s -q\n", + prog, prog, prog); + exit(1); + } + + + int checkarg(int argc, char *arg) + { + if (argc < 2) + return -1; + + if (!strcmp(arg, "-l") && (argc <= 3)) + return 1; + + if (!strcmp(arg, "-u") && (argc == 2)) + return 2; + + if (!strcmp(arg, "-q") && (argc == 2)) + return 3; + + return -1; + } + + + void + loadipf(int major, int minor, dev_t devno, char *path) + { + struct cfg_dd ipfcfg; + struct cfg_load cfg; + char *buffer[1024]; + char *ipfpath; + int i; + + bzero(buffer, sizeof(buffer)); + if (path != NULL) + ipfpath = path; + else + ipfpath = "/usr/lib/drivers/ipf"; + + #if 0 + bzero((char *)&cfg, sizeof(cfg)); + cfg.path = ipfpath; + cfg.libpath = "/usr/lib/drivers/"; + sysconfig(SYS_SINGLELOAD, &cfg, sizeof(cfg)); + ipfcfg.kmid = cfg.kmid; + #else + ipfcfg.kmid = (mid_t)loadext(ipfpath, TRUE, TRUE); + #endif + if (ipfcfg.kmid == (mid_t)NULL) + { + perror("loadext"); + buffer[0] = "execerror"; + buffer[1] = "ipf"; + loadquery(1, &buffer[2], sizeof(buffer) - sizeof(*buffer)*2); + execvp("/usr/sbin/execerror", buffer); + exit(errno); + } + + ipfcfg.devno = devno; + ipfcfg.cmd = CFG_INIT; + ipfcfg.ddsptr = (caddr_t)NULL; + ipfcfg.ddslen = 0; + + if (sysconfig(SYS_CFGDD, &ipfcfg, sizeof(ipfcfg)) == -1) { + perror("sysconifg(SYS_CFGDD)"); + exit(errno); + } + + for (i = 0; ipf_devfiles[i] != NULL; i++) { + 
unlink(ipf_devfiles[i]);
+ if (mknod(ipf_devfiles[i], 0600 | _S_IFCHR, devno) == -1) {
+ perror("mknod(devfile)");
+ exit(errno);
+ }
+ }
+ }
+ 
+ 
+ void
+ unloadipf(int major, int minor, dev_t devno)
+ {
+ struct cfg_dd ipfcfg;
+ struct cfg_load cfg;
+ int i;
+ 
+ cfg.path = "/usr/lib/drivers/ipf";
+ cfg.kmid = 0;
+ if (sysconfig(SYS_QUERYLOAD, &cfg, sizeof(cfg)) == -1) {
+ perror("sysconfig(SYS_QUERYLOAD)");
+ exit(errno);
+ }
+ 
+ ipfcfg.kmid = cfg.kmid;
+ ipfcfg.devno = devno;
+ ipfcfg.cmd = CFG_TERM;
+ if (sysconfig(SYS_CFGDD, &ipfcfg, sizeof(ipfcfg)) == -1) {
+ perror("sysconfig(SYS_CFGDD)");
+ exit(errno);
+ }
+ 
+ for (i = 0; ipf_devfiles[i] != NULL; i++) {
+ unlink(ipf_devfiles[i]);
+ }
+ 
+ if (loadext("ipf", FALSE, FALSE) == NULL) {
+ perror("loadext");
+ exit(errno);
+ }
+ }
+ 
+ 
+ void
+ queryipf(int major, int minor, dev_t devno)
+ {
+ struct cfg_dd ipfcfg;
+ struct cfg_load cfg;
+ int i;
+ 
+ cfg.path = "/usr/lib/drivers/ipf";
+ cfg.kmid = 0;
+ if (sysconfig(SYS_QUERYLOAD, &cfg, sizeof(cfg)) == -1) {
+ perror("sysconfig(SYS_QUERYLOAD)");
+ exit(errno);
+ }
+ 
+ printf("Kernel module ID: %d\n", cfg.kmid);
+ 
+ ipfcfg.kmid = cfg.kmid;
+ ipfcfg.devno = devno;
+ ipfcfg.cmd = CFG_QVPD;
+ if (sysconfig(SYS_CFGDD, &ipfcfg, sizeof(ipfcfg)) == -1) {
+ perror("sysconfig(SYS_CFGDD)");
+ exit(errno);
+ }
+ }
+ 
diff -crN ip_fil4.1.8/AIX/bootbits.sh ip_fil4.1.9/AIX/bootbits.sh
*** ip_fil4.1.8/AIX/bootbits.sh Thu Jan 1 10:00:00 1970
--- ip_fil4.1.9/AIX/bootbits.sh Sun Jun 12 17:18:35 2005
***************
*** 0 ****
--- 1,21 ----
+ #!/bin/sh
+ case `file /unix 2>/dev/null` in
+ *64*)
+ bits=64
+ ;;
+ *)
+ bits=32
+ ;;
+ esac
+ 
+ case $1 in
+ milli)
+ if [ $bits = 64 ] ; then
+ echo 64
+ fi
+ ;;
+ *)
+ echo $bits
+ ;;
+ esac
+ exit 0
diff -crN ip_fil4.1.8/AIX/cpurev ip_fil4.1.9/AIX/cpurev
*** ip_fil4.1.8/AIX/cpurev Thu Jan 1 10:00:00 1970
--- ip_fil4.1.9/AIX/cpurev Sun Jun 12 17:18:35 2005
***************
*** 0 ****
--- 1,6 ----
+ #!/bin/sh
+ rev=`uname -r`
+ build=`uname -v`
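Review bot: In `unloadipf()` and `queryipf()` the stack `struct cfg_load cfg` has only `path` and `kmid` assigned before it is handed to `sysconfig(SYS_QUERYLOAD, &cfg, sizeof(cfg))`, so every other member (the disabled `#if 0` block in `loadipf()` shows the structure also carries `libpath`) reaches the kernel uninitialized; add `bzero((char *)&cfg, sizeof(cfg));` before the assignments, as that block does, and zero `ipfcfg` the same way, since these two paths never set `ddsptr`/`ddslen` the way `loadipf()` does. Separately, `loadipf()` hands `argv[2]` unchecked to `loadext()`, so whoever is allowed to run `cfg_ipf -l` can load any file as a kernel extension; if that is only meant for development, reject paths outside `/usr/lib/drivers/` or at least document that the option must stay root-only. Two smaller things: `perror("sysconifg(SYS_CFGDD)")` is misspelled, and the unload path calls `loadext("ipf", FALSE, FALSE)` by bare name while the load path used the full `/usr/lib/drivers/ipf`, which looks inconsistent (I cannot tell from here whether loadext resolves the short name).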
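Review bot: The 32/64-bit decision rests on `file /unix` printing something containing `64`; any other output (a `file` without that wording, a missing `/unix`, an error hidden by `2>/dev/null`) silently yields `bits=32` with exit status 0, and that value then feeds `-q$(BITS)`, `ar -X $(BITS)` and the `MILLI` suffixes in the AIX Makefile. As far as I recall AIX 5.x exposes the kernel mode directly as `getconf KERNEL_BITMODE` (the top-level Makefile already uses the HP-UX counterpart `getconf KERNEL_BITS`), so I'd query that first with `bits=\`getconf KERNEL_BITMODE 2>/dev/null\``, keep the `file` parse as the fallback, and write a warning to stderr when neither source recognises the kernel instead of defaulting quietly.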
+ model=`uname -M`
+ echo $rev.$build.$model
+ exit 0
diff -crN ip_fil4.1.8/AIX/ipfkext.exp ip_fil4.1.9/AIX/ipfkext.exp
*** ip_fil4.1.8/AIX/ipfkext.exp Thu Jan 1 10:00:00 1970
--- ip_fil4.1.9/AIX/ipfkext.exp Sun Jun 12 17:18:35 2005
***************
*** 0 ****
--- 1,2 ----
+ #!/unix
+ * export values from ipfkext
diff -crN ip_fil4.1.8/BSD/Makefile ip_fil4.1.9/BSD/Makefile
*** ip_fil4.1.8/BSD/Makefile Fri Feb 4 20:40:05 2005
--- ip_fil4.1.9/BSD/Makefile Sun Jun 12 17:18:37 2005
***************
*** 45,51 ****
  ip_scan.o ip_sync.o
  # ip_trafcon.o
  DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
! IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o
  IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \
  ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
  ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
--- 45,51 ----
  ip_scan.o ip_sync.o
  # ip_trafcon.o
  DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
! IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o bpf_filter_u.o
  IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \
  ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
  ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
diff -crN ip_fil4.1.8/BSD/kupgrade ip_fil4.1.9/BSD/kupgrade
*** ip_fil4.1.8/BSD/kupgrade Mon Mar 28 19:33:57 2005
--- ip_fil4.1.9/BSD/kupgrade Wed Jul 20 04:37:15 2005
***************
*** 31,36 ****
--- 31,44 ----
  major=x
  fi
+ if [ ! -f ip_rules.c -o ! 
-f ip_rules.h ] ; then
+ echo "Please do a build of ipfilter and then run the following"
+ echo "command to build extra files:"
+ echo
+ echo "make ip_rules.c"
+ exit 1
+ fi
+ 
  echo -n "Installing "
  for j in auth frag nat proxy scan state sync pool htable lookup rules; do
  for i in ip_$j.[ch]; do
diff -crN ip_fil4.1.8/HISTORY ip_fil4.1.9/HISTORY
*** ip_fil4.1.8/HISTORY Thu Mar 31 00:14:05 2005
--- ip_fil4.1.9/HISTORY Sat Aug 13 15:42:49 2005
***************
*** 10,15 ****
--- 10,58 ----
  # and especially those who have found the time to port IP Filter to new
  # platforms.
  #
+ 4.1.9 - Released 13 August 2005
+ 
+ make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
+ is defined when compiled.
+ 
+ move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
+ 
+ make the BSD/upgrade script more instructive about the requiements for
+ ip_rules.[ch] when it is run
+ 
+ register for interface events on FreeBSD (>5.2.1) and NetBSD so that
+ "ipf -y" is not not requried to tell ipfilter about interface changes.
+ 
+ for "quick" rules that do "keep state", move the state adding into the rule
+ evaluation so that we can detect it failing as rules are evaluated and
+ continue on to the next rather than wait until we're done and it's too late
+ to recover for more rule processing.
+ 
+ mark ICMP packets advertising an MTU that's too small as being bad
+ 
+ rework ipv6 header parsing to get better code reuse and fix logic errors
+ in dealing with ipv6 packets containing fragment headers. Also, where a
+ protocol handler was doing both v4 & v6, make a seperate function for each.
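Review bot: `[ ! -f ip_rules.c -o ! -f ip_rules.h ]` relies on the `-o` operator of `test`, which POSIX marks obsolescent and which some `test` implementations parse ambiguously once `!` is involved; `if [ ! -f ip_rules.c ] || [ ! -f ip_rules.h ] ; then` says the same thing unambiguously. The message then tells the user to run `make ip_rules.c` although the check also demands `ip_rules.h`; from the AIX Makefile in this patch it looks like `ipf -cc` emits both files and a separate rule moves `ip_rules.h` to the top directory, so the hint is probably right, but worth confirming against the BSD rule, which I cannot see from here. The surrounding script starts and ends outside the hunk.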
+ 
+ build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
+ 
+ include start of work to get IPFilter working on AIX 5.3
+ 
+ Use FI_ICMPERR flag rather than try to compute its equivalent all the time
+ 
+ Rewrork IPv6 extension header parsing to get better code reuse
+ 
+ Add missing timeout on Linux
+ 
+ Fix for locking when reading from ipsync (Frank Volf)
+ 
+ Fix insertion/appending of rules that use a collection number
+ 
+ Somehow turning up the spl knob to splnet disappeared on platforms that still
+ use the spl interface.
+ 
+ fix problems with "ipf -T" not listing multiple variables properly
+ 
  4.1.8 - Released 29 March 2005
  include path from Phil Dibowitz for sorting ipfstat -t output by source or
diff -crN ip_fil4.1.8/HPUX/ipf.psf.dist ip_fil4.1.9/HPUX/ipf.psf.dist
*** ip_fil4.1.8/HPUX/ipf.psf.dist Thu Mar 31 00:14:06 2005
--- ip_fil4.1.9/HPUX/ipf.psf.dist Sat Aug 13 15:42:50 2005
***************
*** 4,12 ****
  #
  # Copyright: Copyright (c) 2000 Darren Reed
  #
! # Description: PSF for IP FIlter 4.1.8
  #
! # $Id: ipf.psf.dist,v 1.1.2.9 2005/03/30 14:14:06 darrenr Exp $
  # The vendor definition here applies to all subsequently defined products.
--- 4,12 ----
  #
  # Copyright: Copyright (c) 2000 Darren Reed
  #
! # Description: PSF for IP FIlter 4.1.9
  #
! # $Id: ipf.psf.dist,v 1.1.2.10 2005/08/13 05:42:50 darrenr Exp $
  # The vendor definition here applies to all subsequently defined products.
***************
*** 24,32 ****
  # Bundle definition(s):
  bundle
  tag IPF
! title IP Filter 4.1.8
  description Firewall/NAT
! revision A.04.01.08
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
--- 24,32 ----
  # Bundle definition(s):
  bundle
  tag IPF
! title IP Filter 4.1.9
  description Firewall/NAT
! revision A.04.01.09
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
***************
*** 37,52 ****
  is_reference false
  vendor_tag IPFilter
  hp_srdo swtype=O;user=B;bundle_type=O
! 
contents IPF-RUN,r=A.04.01.08,a=HP-UX_HPREV_32/64,v=IPFilter
  end # bundle IPF
  # Product definition(s):
  product
  tag IPF-RUN
! title IP Filter 4.1.8
  description Firewall/NAT
  copyright < ../../SunOS5/copyright
! revision A.04.01.08
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
--- 37,52 ----
  is_reference false
  vendor_tag IPFilter
  hp_srdo swtype=O;user=B;bundle_type=O
! contents IPF-RUN,r=A.04.01.09,a=HP-UX_HPREV_32/64,v=IPFilter
  end # bundle IPF
  # Product definition(s):
  product
  tag IPF-RUN
! title IP Filter 4.1.9
  description Firewall/NAT
  copyright < ../../SunOS5/copyright
! revision A.04.01.09
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
***************
*** 68,76 ****
  # InternetSrvcs.IPF-ALL
  fileset
  tag IPF-ALL
! title IP Filter 4.1.8 : IPF-ALL
  description < ../IPF-ALL/description
! revision A.04.01.08
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
--- 68,76 ----
  # InternetSrvcs.IPF-ALL
  fileset
  tag IPF-ALL
! title IP Filter 4.1.9 : IPF-ALL
  description < ../IPF-ALL/description
! revision A.04.01.09
  architecture HP-UX_HPREV_32/64
  machine_type 9000/[678]??:*
  os_name HP-UX
diff -crN ip_fil4.1.8/Linux/Makefile ip_fil4.1.9/Linux/Makefile
*** ip_fil4.1.8/Linux/Makefile Mon Feb 14 04:12:50 2005
--- ip_fil4.1.9/Linux/Makefile Thu Jan 12 06:11:37 2006
***************
*** 479,485 ****
  done
  $(CP) $(TOP)/ipl.h $(ROOTDIR)/usr/include/netinet/ipl.h
  -if [ -d $(IPV4DIR) ] ; then \
! -if [ -f $(CPUDIR)/ipfilter.$(MODEXT) ] ; then \
  cp $(CPUDIR)/ipfilter.$(MODEXT) $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \
  else \
  cp $(CPUDIR)/ipfilter.o $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \
--- 479,485 ----
  done
  $(CP) $(TOP)/ipl.h $(ROOTDIR)/usr/include/netinet/ipl.h
  -if [ -d $(IPV4DIR) ] ; then \
! 
if [ -f $(CPUDIR)/ipfilter.$(MODEXT) ] ; then \
  cp $(CPUDIR)/ipfilter.$(MODEXT) $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \
  else \
  cp $(CPUDIR)/ipfilter.o $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \
diff -crN ip_fil4.1.8/Linux/ipfilter.spec.dist ip_fil4.1.9/Linux/ipfilter.spec.dist
*** ip_fil4.1.8/Linux/ipfilter.spec.dist Thu Mar 31 00:14:06 2005
--- ip_fil4.1.9/Linux/ipfilter.spec.dist Sat Aug 13 15:42:50 2005
***************
*** 1,8 ****
  Summary: IP Filter Software
  Name: ipfilter
! Version: 4.1.8
  Release: 1
! Copyright: Copyright 2004 Darren Reed
  Group: System Environment/Base
  BuildRoot: /usr/src/redhat/BUILD/ipfilter
--- 1,8 ----
  Summary: IP Filter Software
  Name: ipfilter
! Version: 4.1.9
  Release: 1
! Copyright: Copyright 2005 Darren Reed
  Group: System Environment/Base
  BuildRoot: /usr/src/redhat/BUILD/ipfilter
diff -crN ip_fil4.1.8/Makefile ip_fil4.1.9/Makefile
*** ip_fil4.1.8/Makefile Tue Nov 9 05:42:40 2004
--- ip_fil4.1.9/Makefile Sun Jun 12 17:18:08 2005
***************
*** 5,11 ****
  # provided that this notice is preserved and due credit is given
  # to the original author and the contributors.
  #
! # $Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp $
  #
  SHELL=/bin/sh
  BINDEST=/usr/local/bin
--- 5,11 ----
  # provided that this notice is preserved and due credit is given
  # to the original author and the contributors.
  #
! # $Id: Makefile,v 2.76.2.15 2005/06/12 07:18:08 darrenr Exp $
  #
  SHELL=/bin/sh
  BINDEST=/usr/local/bin
***************
*** 237,242 ****
--- 237,247 ----
  (cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..)
  (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..)
+ aix: null include
+ make setup "TARGOS=AIX" "CPUDIR=`AIX/cpurev`"
+ (cd AIX/`AIX/cpurev`; make build AIX=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "OSREV=`../cpurev`" BITS=`../bootbits.sh`; cd ..)
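Review bot: The corrected inner `if` still sits under an outer test of `-d $(IPV4DIR)` on the build host, while both `cp` lines write to `$(ROOTDIR)$(IPV4DIR)/...`, so with a non-empty `ROOTDIR` (staged or packaged install) the module is copied only when the host happens to have that directory and is skipped otherwise, and with an empty `ROOTDIR` the two agree by accident; the condition should be `-if [ -d $(ROOTDIR)$(IPV4DIR) ] ; then \`. The leading `-` on that line also discards any failure of the `cp`, so a missing module does not fail `make install`. The recipe this belongs to starts and ends outside the hunk, so I cannot see whether `$(ROOTDIR)$(IPV4DIR)` is created earlier.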
+ # (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend build AIX=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..) + bsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..) *************** *** 277,282 **** --- 282,288 ---- (cd HPUX; $(MAKE) BITS=32 TOP=.. clean) (cd Linux; $(MAKE) TOP=.. clean) (cd OSF; $(MAKE) TOP=.. clean) + (cd AIX; $(MAKE) TOP=.. clean) if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi [ -d test ] && (cd test; $(MAKE) clean) (cd ipsend; $(MAKE) clean) *************** *** 295,300 **** --- 301,309 ---- clean-osf: clean-include (cd OSF; make clean) + clean-aix: clean-include + (cd AIX; make clean) + clean-linux: clean-include (cd Linux; make clean) *************** *** 347,352 **** --- 356,365 ---- install-sunos5: solaris null (cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install) + install-aix: + (cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) + # (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) + install-hpux: hpux (cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install) *************** *** 355,361 **** install-osf install-tru64: (cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) - (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) do-cvs: find . -type d -name CVS -print | xargs /bin/rm -rf --- 368,373 ---- diff -crN ip_fil4.1.8/NAT.FreeBSD ip_fil4.1.9/NAT.FreeBSD *** ip_fil4.1.8/NAT.FreeBSD Mon Mar 31 01:16:38 1997 --- ip_fil4.1.9/NAT.FreeBSD Sat Jun 18 12:41:30 2005 *************** *** 4,10 **** You will need to change three files: /etc/rc.local ! /etc/sysconfig /etc/natrules You will have to: --- 4,10 ---- You will need to change three files: /etc/rc.local ! 
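Review bot: The new `aix`, `clean-aix` and `install-aix` targets run the sub-make as a literal `make` instead of `$(MAKE)`, so `-n`, `-k` and the jobserver are not propagated and a user invoking `gmake aix` gets whichever `make` is first on PATH for the AIX subdirectory; this mirrors the `osf` target above, but the `clean` hunk right below already uses `$(MAKE)` for the same directory. I would write `$(MAKE) build AIX=...` / `$(MAKE) clean` / `$(MAKE) install ...` in all three. The commented-out `Makefile.ipsend` recipe lines in `aix` and `install-aix` are dead code; if ipsend is not yet ported to AIX, a one-line comment saying so is clearer than a disabled command.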
/etc/rc.conf /etc/natrules You will have to: diff -crN ip_fil4.1.8/OpenBSD-3/README.3_0 ip_fil4.1.9/OpenBSD-3/README.3_0 *** ip_fil4.1.8/OpenBSD-3/README.3_0 Thu Mar 31 00:14:06 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_0 Sat Aug 13 15:42:50 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.0-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade 4. Build a new OpenBSD kernel --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.0-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade 4. Build a new OpenBSD kernel *************** *** 49,55 **** 5. Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.0 --- 49,55 ---- 5. Build and install IPFilter ! cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.0 *************** *** 57,63 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.0-rc-diffs 7. Reboot --- 57,63 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.0-rc-diffs 7. Reboot diff -crN ip_fil4.1.8/OpenBSD-3/README.3_1 ip_fil4.1.9/OpenBSD-3/README.3_1 *** ip_fil4.1.8/OpenBSD-3/README.3_1 Thu Mar 31 00:14:06 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_1 Sat Aug 13 15:42:51 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.1-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! 
patch < ~/ip_fil4.1.9/OpenBSD-3/3.1-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.1 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.1 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.1-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.1-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.1-rc-diffs ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.1-MAKEDEV-diffs ! cd ~/ip_fil4.1.8 ./OpenBSD-3/fixdist-3.0 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.1-rc-diffs ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.1-MAKEDEV-diffs ! cd ~/ip_fil4.1.9 ./OpenBSD-3/fixdist-3.0 diff -crN ip_fil4.1.8/OpenBSD-3/README.3_2 ip_fil4.1.9/OpenBSD-3/README.3_2 *** ip_fil4.1.8/OpenBSD-3/README.3_2 Thu Mar 31 00:14:06 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_2 Sat Aug 13 15:42:51 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.2-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.2-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. 
Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.2-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.2-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.2-rc-diffs ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.2-MAKEDEV-diffs ! cd ~/ip_fil4.1.8 ./OpenBSD-3/fixdist-3.2 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.2-rc-diffs ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.2-MAKEDEV-diffs ! cd ~/ip_fil4.1.9 ./OpenBSD-3/fixdist-3.2 diff -crN ip_fil4.1.8/OpenBSD-3/README.3_3 ip_fil4.1.9/OpenBSD-3/README.3_3 *** ip_fil4.1.8/OpenBSD-3/README.3_3 Thu Mar 31 00:14:07 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_3 Sat Aug 13 15:42:51 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.3-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.3-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 --- 52,58 ---- 5. Build and install IPFilter ! 
cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.3-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.3-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.3-rc-diffs ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.3-MAKEDEV-diffs ! cd ~/ip_fil4.1.8 ./OpenBSD-3/fixdist-3.2 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.3-rc-diffs ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.3-MAKEDEV-diffs ! cd ~/ip_fil4.1.9 ./OpenBSD-3/fixdist-3.2 diff -crN ip_fil4.1.8/OpenBSD-3/README.3_4 ip_fil4.1.9/OpenBSD-3/README.3_4 *** ip_fil4.1.8/OpenBSD-3/README.3_4 Thu Mar 31 00:14:07 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_4 Sat Aug 13 15:42:52 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.4-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.4-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.4 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.4 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.4-rc-diffs 7. Reboot --- 60,66 ---- 6. 
Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.4-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.4-rc-diffs ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.4-MAKEDEV-diffs ! cd ~/ip_fil4.1.8 ./OpenBSD-3/fixdist-3.4 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.4-rc-diffs ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.4-MAKEDEV-diffs ! cd ~/ip_fil4.1.9 ./OpenBSD-3/fixdist-3.4 diff -crN ip_fil4.1.8/OpenBSD-3/README.3_5 ip_fil4.1.9/OpenBSD-3/README.3_5 *** ip_fil4.1.8/OpenBSD-3/README.3_5 Thu Mar 31 00:14:07 2005 --- ip_fil4.1.9/OpenBSD-3/README.3_5 Sat Aug 13 15:42:52 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.8.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.5-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.8 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.9.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.5-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.9 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.8 make openbsd make install-bsd OpenBSD-3/makedevs-3.5 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.9 make openbsd make install-bsd OpenBSD-3/makedevs-3.5 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.5-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.5-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.8/OpenBSD-3/3.5-rc-diffs ! 
patch < ~/ip_fil4.1.8/OpenBSD-3/3.5-MAKEDEV-diffs ! cd ~/ip_fil4.1.8 ./OpenBSD-3/fixdist-3.5 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.5-rc-diffs ! patch < ~/ip_fil4.1.9/OpenBSD-3/3.5-MAKEDEV-diffs ! cd ~/ip_fil4.1.9 ./OpenBSD-3/fixdist-3.5 diff -crN ip_fil4.1.8/SunOS4/Makefile ip_fil4.1.9/SunOS4/Makefile *** ip_fil4.1.8/SunOS4/Makefile Tue Jul 6 21:22:28 2004 --- ip_fil4.1.9/SunOS4/Makefile Fri Aug 12 00:26:37 2005 *************** *** 12,17 **** --- 12,18 ---- # # For SunOS 4.1.x # + DCPU=$(shell uname -m) DCPU:sh=uname -m DEF=-D$(DCPU) -D__$(DCPU)__ -DINET -DKERNEL -D_KERNEL -Dsun $(CPU) IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST diff -crN ip_fil4.1.8/SunOS5/Makefile ip_fil4.1.9/SunOS5/Makefile *** ip_fil4.1.8/SunOS5/Makefile Tue Jul 6 21:20:18 2004 --- ip_fil4.1.9/SunOS5/Makefile Fri Aug 12 00:27:13 2005 *************** *** 3,8 **** --- 3,9 ---- # # See the IPFILTER.LICENCE file for details on licencing. # + TOP=$(shell echo `pwd`/..) TOP:sh=echo `pwd`/.. BINDEST=/usr/local/bin SBINDEST=/sbin/$(OBJ) *************** *** 12,17 **** --- 13,19 ---- # # For SunOS 5.x # + CPUDIR=$(shell echo `uname -p`-`uname -r`) CPUDIR:sh=echo `uname -p`-`uname -r` ROOT=$(CPUDIR)/root PKGDIR=$(ROOT)/opt/ipf *************** *** 20,29 **** # DEST=$(OBJ) TOOL=$(TOP)/tools #CPU:sh=uname -p #REV:sh=uname -r HERE=SunOS5/$(CPUDIR) ! BITS:sh=if optisa sparcv9 >/dev/null 2>&1; then echo "64"; else echo "32"; fi CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf -L$(OBJ) -lipf $(LIBBPF) --- 22,51 ---- # DEST=$(OBJ) TOOL=$(TOP)/tools + #CPU=$(shell uname -p) + #REV=$(shell uname -v) #CPU:sh=uname -p #REV:sh=uname -r HERE=SunOS5/$(CPUDIR) ! BITS=$(shell if optisa amd64 sparcv9 >/dev/null 2>&1; then echo "64"; else echo "32"; fi) ! BITS:sh=if optisa amd64 sparcv9 >/dev/null 2>&1; then echo "64"; else echo "32"; fi ! ARCH=$(shell uname -p) ! ARCH:sh=uname -p ! ! OBJ32_i386=i86 ! OBJ64_i386=amd64 ! OBJ32_sparc=sparcv7 ! OBJ64_sparc=sparcv9 ! 
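Review bot: `DCPU=$(shell uname -m)` in SunOS4/Makefile, and likewise the new `TOP=$(shell ...)`, `CPUDIR=$(shell ...)`, `BITS=$(shell if optisa ...)` and `ARCH=$(shell uname -p)` lines in SunOS5/Makefile, use the recursive `=` flavour, so under GNU make the command is re-run on every reference of the variable rather than once at parse time, and TOP and CPUDIR are referenced throughout these files. The GNU idiom is `:=`, but each of these lines is paired with a `:sh=` assignment for Solaris make, where `:=` has a different meaning, so confirm that a simple-flavour assignment parses on both before changing it. If it cannot, a comment on the first pair stating that the `$(shell ...)` line serves GNU make and the `:sh=` line serves Solaris make would at least explain the duplicated definitions to the next reader.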
OBJ32=$(OBJ32_$(ARCH)) ! OBJ64=$(OBJ64_$(ARCH)) ! ! PROTO32_i386=prototype_ia32 ! PROTO64_i386=prototype_amd64 ! PROTO32_sparc=prototype32 ! PROTO64_sparc=prototype64 ! PROTO32=$(PROTO32_$(ARCH)) ! PROTO64=$(PROTO64_$(ARCH)) ! CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf -L$(OBJ) -lipf $(LIBBPF) *************** *** 112,118 **** $(OBJ)/ipf.exe: $(IPF) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF) ! # Magic dependency on ipf.exe creates the $(TOP)/sparcv{7,9} directories. $(OBJ)/ipftest: $(IPT) $(OBJ)/ipf.exe $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF) --- 134,140 ---- $(OBJ)/ipf.exe: $(IPF) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF) ! # Magic dependency on ipf.exe creates the $(TOP)/$(OBJ{32,64}) directories. $(OBJ)/ipftest: $(IPT) $(OBJ)/ipf.exe $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF) *************** *** 424,430 **** ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h; \ ${RM} -f ipsyncm ipsyncs ipfs; \ fi ! /bin/rm -rf */root ipf.pkg* sparcv7 sparcv9 make -f Makefile.ipsend clean "TOP=${TOP}" -(for i in *; do \ if [ -d $${i} -a -h $${i}/Makefile ] ; then \ --- 446,452 ---- ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h; \ ${RM} -f ipsyncm ipsyncs ipfs; \ fi ! /bin/rm -rf */root ipf.pkg* $(OBJ32) $(OBJ64) make -f Makefile.ipsend clean "TOP=${TOP}" -(for i in *; do \ if [ -d $${i} -a -h $${i}/Makefile ] ; then \ *************** *** 435,444 **** done) $(CPUDIR)/ipf.pkg: $(CPUDIR)/ipf.pkg.common ! if [ -d $(CPUDIR)/sparcv7 ]; then \ ! $(MAKE) PROTO=prototype32 PKG=ipf OBJ=sparcv7 \ BITS=32 TOP=$(TOP) ipf.pkg.bin; \ ! $(MAKE) PROTO=prototype64 PKG=ipfx OBJ=sparcv9 \ BITS=64 TOP=$(TOP) ipf.pkg.bin; \ else \ ($(MAKE) PROTO=prototype OBJ=. BITS=${BITS} \ --- 457,466 ---- done) $(CPUDIR)/ipf.pkg: $(CPUDIR)/ipf.pkg.common ! if [ -d $(CPUDIR)/$(OBJ32) ]; then \ ! $(MAKE) PROTO=$(PROTO32) PKG=ipf OBJ=$(OBJ32) \ BITS=32 TOP=$(TOP) ipf.pkg.bin; \ ! 
$(MAKE) PROTO=$(PROTO64) PKG=ipfx OBJ=$(OBJ64) \ BITS=64 TOP=$(TOP) ipf.pkg.bin; \ else \ ($(MAKE) PROTO=prototype OBJ=. BITS=${BITS} \ *************** *** 513,519 **** -sed -e 's/ipf/$(PKG)/' -e "s/NAME=.*/&$(BITTYPE)/" \ -e "s/ARCH=.*/ARCH=`uname -p` (${BITS}-bit)/" \ < pkginfo > $(CPUDIR)/pkginfo ! -if [ "$(BITS)" = 64 ]; then echo 'SUNW_ISA=sparcv9' >> $(CPUDIR)/pkginfo; fi (cd $(CPUDIR); pkgmk -a `uname -p` -o -d $(TMP)) --- 535,541 ---- -sed -e 's/ipf/$(PKG)/' -e "s/NAME=.*/&$(BITTYPE)/" \ -e "s/ARCH=.*/ARCH=`uname -p` (${BITS}-bit)/" \ < pkginfo > $(CPUDIR)/pkginfo ! -if [ "$(BITS)" = 64 ]; then echo 'SUNW_ISA=$(OBJ64)' >> $(CPUDIR)/pkginfo; fi (cd $(CPUDIR); pkgmk -a `uname -p` -o -d $(TMP)) *************** *** 525,529 **** exit 1; \ fi # Must add ipfx before ipf or driver attach fails. ! -[ -d $(CPUDIR)/sparcv9 ] && pkgadd -d ipf.pkg ipfx -pkgadd -d ipf.pkg ipf --- 547,551 ---- exit 1; \ fi # Must add ipfx before ipf or driver attach fails. ! -[ -d $(CPUDIR)/$(OBJ64) ] && pkgadd -d ipf.pkg ipfx -pkgadd -d ipf.pkg ipf diff -crN ip_fil4.1.8/SunOS5/ipfboot ip_fil4.1.9/SunOS5/ipfboot *** ip_fil4.1.8/SunOS5/ipfboot Tue Mar 30 02:27:53 2004 --- ip_fil4.1.9/SunOS5/ipfboot Fri Aug 12 00:25:40 2005 *************** *** 15,20 **** --- 15,31 ---- fi + getpid() + { + if [ -f /usr/bin/pgrep ] ; then + rval=`pgrep $1` + else + rval=`ps -ef | awk "/$1/ { print \\$2; } " -` + fi + + return $rval + } + logmsg() { logger -p local0.emerg -t ipfilter "$1" *************** *** 56,62 **** if [ -f $PIDFILE ] ; then pid=`cat $PIDFILE 2>/dev/null` else ! pid=`pgrep ipmon` fi } --- 67,74 ---- if [ -f $PIDFILE ] ; then pid=`cat $PIDFILE 2>/dev/null` else ! getpid ipmon ! pid=$? fi } diff -crN ip_fil4.1.8/SunOS5/pkginfo ip_fil4.1.9/SunOS5/pkginfo *** ip_fil4.1.8/SunOS5/pkginfo Thu Mar 31 00:14:07 2005 --- ip_fil4.1.9/SunOS5/pkginfo Sat Aug 13 15:42:52 2005 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! 
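Review bot: `if [ -d $(CPUDIR)/$(OBJ32) ]` in the `$(CPUDIR)/ipf.pkg` rule no longer separates the two-ISA build from an unsupported architecture: OBJ32 is derived as `$(OBJ32_$(ARCH))`, so on a CPU other than i386 or sparc it expands to empty, the test degrades to `[ -d $(CPUDIR)/ ]`, which is true whenever the build directory exists, and the two-ISA branch would run with `OBJ=` and `PROTO=` empty instead of falling through to the single-build `else` branch. A check on the value, `if [ -n "$(OBJ32)" ] && [ -d $(CPUDIR)/$(OBJ32) ]; then \`, preserves the previous behaviour for unknown ARCH values. The same concern applies to `-[ -d $(CPUDIR)/$(OBJ64) ] && pkgadd -d ipf.pkg ipfx` in the last SunOS5/Makefile hunk, where an empty OBJ64 would presumably attempt the ipfx pkgadd on a single-ISA system.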
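Review bot: `return $rval` in the new `getpid` function passes a process id through the function's exit status, which is an 8-bit value: any pid above 255 is truncated modulo 256, a `pgrep` that matches more than one process makes `return` fail on a non-numeric argument, and the caller in the following hunk (`getpid ipmon` then `pid=$?`) goes on with a wrong pid in a script that runs as root. Return the value on stdout instead, `echo "$rval"` in getpid and a command substitution at the call site, `pid=$(getpid ipmon)` or the backtick form the rest of the script uses. The `ps -ef | awk "/$1/ ..."` fallback also matches its own awk process, whose arguments contain the pattern, and any unrelated command line containing the name; `pgrep -x "$1"` on the pgrep path and an anchored pattern plus a filter for the awk process on the fallback keep the match to the intended daemon. What the script later does with `$pid` is outside these hunks.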
VERSION=4.1.8 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=4.1.9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -crN ip_fil4.1.8/SunOS5/prototype ip_fil4.1.9/SunOS5/prototype *** ip_fil4.1.8/SunOS5/prototype Tue Mar 9 01:06:00 2004 --- ip_fil4.1.9/SunOS5/prototype Wed Jul 20 04:45:28 2005 *************** *** 30,40 **** d none /usr/kernel/drv f none /usr/kernel/drv/ipf=root/usr/kernel/drv/ipf d none /sbin ! f none /sbin/ipfs=root/sbin/ipfs ! f none /sbin/ipfstat=root/sbin/ipfstat ! f none /sbin/ipf=root/sbin/ipf ! f none /sbin/ipnat=root/sbin/ipnat ! f none /sbin/ippool=root/sbin/ippool d none /etc d none /etc/init.d f none /etc/init.d/ipfboot=root/etc/init.d/ipfboot --- 30,45 ---- d none /usr/kernel/drv f none /usr/kernel/drv/ipf=root/usr/kernel/drv/ipf d none /sbin ! s none /sbin/ipfs=../usr/sbin/ipfs ! s none /sbin/ipfstat=../usr/sbin/ipfstat ! s none /sbin/ipf=../usr/sbin/ipf ! s none /sbin/ipnat=../usr/sbin/ipnat ! s none /sbin/ippool=../usr/sbin/ippool ! f none /usr/sbin/ipfs=root/sbin/ipfs ! f none /usr/sbin/ipfstat=root/sbin/ipfstat ! f none /usr/sbin/ipf=root/sbin/ipf ! f none /usr/sbin/ipnat=root/sbin/ipnat ! f none /usr/sbin/ippool=root/sbin/ippool d none /etc d none /etc/init.d f none /etc/init.d/ipfboot=root/etc/init.d/ipfboot diff -crN ip_fil4.1.8/SunOS5/prototype_amd64 ip_fil4.1.9/SunOS5/prototype_amd64 *** ip_fil4.1.8/SunOS5/prototype_amd64 Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/SunOS5/prototype_amd64 Wed Jul 20 10:50:01 2005 *************** *** 0 **** --- 1,16 ---- + i pkginfo + i copyright=../copyright + default 0755 root root + d none /usr ? ? ? + d none /usr/kernel ? ? ? + d none /usr/kernel/drv ? ? ? + d none /usr/kernel/drv/amd64 ? ? ? + f none /usr/kernel/drv/amd64/ipf=root/usr/kernel/drv/amd64/ipf + d none /usr/sbin ? ? ? + d none /usr/sbin/amd64 ? ? ? 
+ f none /usr/sbin/amd64/ipfstat=root/sbin/amd64/ipfstat + f none /usr/sbin/amd64/ipf=root/sbin/amd64/ipf + f none /usr/sbin/amd64/ipfs=root/sbin/amd64/ipfs + f none /usr/sbin/amd64/ipnat=root/sbin/amd64/ipnat + f none /usr/sbin/amd64/ippool=root/sbin/amd64/ippool + f none /usr/sbin/amd64/ipmon=root/opt/ipf/bin/amd64/ipmon diff -crN ip_fil4.1.8/SunOS5/prototype_ia32 ip_fil4.1.9/SunOS5/prototype_ia32 *** ip_fil4.1.8/SunOS5/prototype_ia32 Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/SunOS5/prototype_ia32 Wed Jul 20 10:50:01 2005 *************** *** 0 **** --- 1,111 ---- + i pkginfo + i copyright=../copyright + i postinstall=../postinstall + i depend=../depend + !default 0755 root root + #i preinstall=../preinstall + i preremove=../preremove + i postremove=../postremove + d none /opt ? ? ? + d none /opt/ipf + d none /opt/ipf/man + d none /opt/ipf/man/man1 + d none /opt/ipf/man/man1m + d none /opt/ipf/man/man4 + d none /opt/ipf/man/man5 + d none /opt/ipf/man/man8 + d none /opt/ipf/bin + # Moved so we can hardlink against isaexec + s none /opt/ipf/bin/ipmon=../../../usr/sbin/ipmon + f none /opt/ipf/bin/ipftest=root/opt/ipf/bin/i86/ipftest + f none /opt/ipf/bin/ipsend=root/opt/ipf/bin/i86/ipsend + f none /opt/ipf/bin/ipresend=root/opt/ipf/bin/i86/ipresend + f none /opt/ipf/bin/mkfilters=root/opt/ipf/bin/i86/mkfilters + d none /opt/ipf/examples + d none /var ? ? ? + d none /var/db 700 root sys + d none /var/db/ipf 700 root sys + d none /usr ? ? ? + d none /usr/include ? ? ? + d none /usr/include/ipfilter 755 root bin + d none /usr/kernel ? ? ? + d none /usr/kernel/drv ? ? ? + f none /usr/kernel/drv/ipf=root/usr/kernel/drv/i86/ipf + d none /sbin ? ? ? 
+ # Moved so we can hardlink against isaexec + s none /sbin/ipfs=../usr/sbin/ipfs + s none /sbin/ipfstat=../usr/sbin/ipfstat + s none /sbin/ipf=../usr/sbin/ipf + s none /sbin/ipnat=../usr/sbin/ipnat + s none /sbin/ippool=../usr/sbin/ippool + l none /usr/sbin/ipfs=../../usr/lib/isaexec + l none /usr/sbin/ipfstat=../../usr/lib/isaexec + l none /usr/sbin/ipf=../../usr/lib/isaexec + l none /usr/sbin/ipnat=../../usr/lib/isaexec + l none /usr/sbin/ippool=../../usr/lib/isaexec + l none /usr/sbin/ipmon=../../usr/lib/isaexec + d none /usr/sbin ? ? ? + d none /usr/sbin/i86 ? ? ? + f none /usr/sbin/i86/ipfs=root/sbin/i86/ipfs + f none /usr/sbin/i86/ipfstat=root/sbin/i86/ipfstat + f none /usr/sbin/i86/ipf=root/sbin/i86/ipf + f none /usr/sbin/i86/ipnat=root/sbin/i86/ipnat + f none /usr/sbin/i86/ippool=root/sbin/i86/ippool + f none /usr/sbin/i86/ipmon=root/opt/ipf/bin/i86/ipmon + d none /etc ? ? ? + d none /etc/init.d ? ? ? + f none /etc/init.d/ipfboot=root/etc/init.d/ipfboot + d none /etc/rc2.d ? ? ? + l none /etc/rc2.d/S65ipfboot=/etc/init.d/ipfboot + d none /etc/opt ? ? ? 
+ d none /etc/opt/ipf 755 root sys + !default 0444 root root + f none /opt/ipf/man/man8/ipfstat.8=root/opt/ipf/man/man8/ipfstat.8 + f none /opt/ipf/man/man8/ipmon.8=root/opt/ipf/man/man8/ipmon.8 + f none /opt/ipf/man/man8/ipf.8=root/opt/ipf/man/man8/ipf.8 + f none /opt/ipf/man/man8/ipfs.8=root/opt/ipf/man/man8/ipfs.8 + f none /opt/ipf/man/man8/ipnat.8=root/opt/ipf/man/man8/ipnat.8 + f none /opt/ipf/man/man8/ippool.8=root/opt/ipf/man/man8/ippool.8 + f none /opt/ipf/man/man1/ipftest.1=root/opt/ipf/man/man1/ipftest.1 + f none /opt/ipf/man/man1/mkfilters.1=root/opt/ipf/man/man1/mkfilters.1 + f none /opt/ipf/man/man4/ipf.4=root/opt/ipf/man/man4/ipf.4 + f none /opt/ipf/man/man4/ipl.4=root/opt/ipf/man/man4/ipl.4 + f none /opt/ipf/man/man4/ipnat.4=root/opt/ipf/man/man4/ipnat.4 + f none /opt/ipf/man/man5/ipf.5=root/opt/ipf/man/man5/ipf.5 + f none /opt/ipf/man/man5/ipnat.5=root/opt/ipf/man/man5/ipnat.5 + f none /opt/ipf/man/man5/ippool.5=root/opt/ipf/man/man5/ippool.5 + f none /usr/kernel/drv/ipf.conf=root/usr/kernel/drv/ipf.conf + f none /usr/include/ipfilter/ip_fil.h=root/usr/include/ipfilter/ip_fil.h + f none /usr/include/ipfilter/ip_auth.h=root/usr/include/ipfilter/ip_auth.h + f none /usr/include/ipfilter/ip_compat.h=root/usr/include/ipfilter/ip_compat.h + f none /usr/include/ipfilter/ip_frag.h=root/usr/include/ipfilter/ip_frag.h + f none /usr/include/ipfilter/ip_htable.h=root/usr/include/ipfilter/ip_htable.h + f none /usr/include/ipfilter/ip_lookup.h=root/usr/include/ipfilter/ip_lookup.h + f none /usr/include/ipfilter/ip_nat.h=root/usr/include/ipfilter/ip_nat.h + f none /usr/include/ipfilter/ip_pool.h=root/usr/include/ipfilter/ip_pool.h + f none /usr/include/ipfilter/ip_proxy.h=root/usr/include/ipfilter/ip_proxy.h + f none /usr/include/ipfilter/ip_state.h=root/usr/include/ipfilter/ip_state.h + f none /opt/ipf/examples/example.1=root/opt/ipf/examples/example.1 + f none /opt/ipf/examples/example.2=root/opt/ipf/examples/example.2 + f none 
/opt/ipf/examples/example.3=root/opt/ipf/examples/example.3 + f none /opt/ipf/examples/example.4=root/opt/ipf/examples/example.4 + f none /opt/ipf/examples/example.5=root/opt/ipf/examples/example.5 + f none /opt/ipf/examples/example.6=root/opt/ipf/examples/example.6 + f none /opt/ipf/examples/example.7=root/opt/ipf/examples/example.7 + f none /opt/ipf/examples/example.8=root/opt/ipf/examples/example.8 + f none /opt/ipf/examples/example.9=root/opt/ipf/examples/example.9 + f none /opt/ipf/examples/example.10=root/opt/ipf/examples/example.10 + f none /opt/ipf/examples/example.11=root/opt/ipf/examples/example.11 + f none /opt/ipf/examples/example.12=root/opt/ipf/examples/example.12 + f none /opt/ipf/examples/example.13=root/opt/ipf/examples/example.13 + f none /opt/ipf/examples/example.sr=root/opt/ipf/examples/example.sr + f none /opt/ipf/examples/nat.eg=root/opt/ipf/examples/nat.eg + f none /opt/ipf/examples/server=root/opt/ipf/examples/server + f none /opt/ipf/examples/tcpstate=root/opt/ipf/examples/tcpstate + f none /opt/ipf/examples/BASIC.NAT=root/opt/ipf/examples/BASIC.NAT + f none /opt/ipf/examples/BASIC_1.FW=root/opt/ipf/examples/BASIC_1.FW + f none /opt/ipf/examples/BASIC_2.FW=root/opt/ipf/examples/BASIC_2.FW + f none /opt/ipf/examples/firewall=root/opt/ipf/examples/firewall + f none /opt/ipf/examples/ftp-proxy=root/opt/ipf/examples/ftp-proxy + f none /opt/ipf/examples/ftppxy=root/opt/ipf/examples/ftppxy + f none /opt/ipf/examples/nat-setup=root/opt/ipf/examples/nat-setup diff -crN ip_fil4.1.8/bpf_filter.c ip_fil4.1.9/bpf_filter.c *** ip_fil4.1.8/bpf_filter.c Wed Aug 20 02:49:58 2003 --- ip_fil4.1.9/bpf_filter.c Sat Jun 18 12:41:30 2005 *************** *** 40,46 **** #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL)) static const char rcsid[] = ! 
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2 2003/08/19 16:49:58 darrenr Exp $ (LBL)"; #endif #include --- 40,46 ---- #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL)) static const char rcsid[] = ! "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)"; #endif #include *************** *** 51,57 **** #include #include ! #include "ip_compat.h" #include "bpf-ipf.h" --- 51,57 ---- #include #include ! #include "netinet/ip_compat.h" #include "bpf-ipf.h" diff -crN ip_fil4.1.8/buildsunos ip_fil4.1.9/buildsunos *** ip_fil4.1.8/buildsunos Sun Feb 8 05:08:46 2004 --- ip_fil4.1.9/buildsunos Wed Jul 20 10:51:08 2005 *************** *** 3,9 **** echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.20 2004/02/07 18:08:46 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 3,9 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.20.2.1 2005/07/20 00:51:08 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 62,84 **** *gcc*) # gcc XARCH32="" XARCH64="-m64 -mcmodel=medlow" ;; *) # Sun C XARCH32="-Xa -xildoff" ! XARCH64="$XARCH32 -xarch=v9 -xchip=ultra -dalign -xcode=abs32" ;; esac export CC ISABITS=32 ! OBJ32=sparcv7 ARCHINC32= ! OBJ64=sparcv9 ! ARCHINC64="-I/usr/include/v9" ! if [ $solrev -ge 7 ] && /bin/optisa sparcv8plus > /dev/null then # We run Solaris 7+ on 64 bit capable hardware. BUILDBOTH=true --- 62,97 ---- *gcc*) # gcc XARCH32="" XARCH64="-m64 -mcmodel=medlow" + XARCH64_i386="-m64 -mcmodel=kernel -mno-red-zone -ffreestanding" ;; *) # Sun C XARCH32="-Xa -xildoff" ! XARCH64_sparc="$XARCH32 -xarch=v9 -xchip=ultra -dalign -xcode=abs32" ! 
XARCH64_i386="$XARCH32 -xarch=amd64 -xcode=abs32" ;; esac + XARCH64="`eval echo '$XARCH64_'$cpu`" + OBJ32_sparc=sparcv7 + OBJ64_sparc=sparcv9 + OBJ32_i386=i86 + OBJ64_i386=amd64 export CC ISABITS=32 ! OBJ32=`eval echo '$OBJ32_'$cpu` ! OBJ64=`eval echo '$OBJ64_'$cpu` ARCHINC32= ! ARCHINC64_sparc="-I/usr/include/v9" ! ARCHINC64_i386="" ! ARCHINC64="`eval echo '$ARCHINC_'$cpu`" ! if [ $solrev -ge 10 ] && /bin/optisa sparcv8plus amd64 > /dev/null ! then ! # Introducing amd64 ! BUILDBOTH=true ! elif [ $solrev -ge 7 ] && /bin/optisa sparcv8plus > /dev/null then # We run Solaris 7+ on 64 bit capable hardware. BUILDBOTH=true *************** *** 143,149 **** # Default $MAKE to make : ${MAKE:=make} ! if [ $cpu = i386 ] ; then if [ -n "$BPFILTER" ] ; then BPF="BPFILTER=./$BPFILTER" fi --- 156,162 ---- # Default $MAKE to make : ${MAKE:=make} ! if [ $cpu = i386 -a $solrev -lt 10 ] ; then if [ -n "$BPFILTER" ] ; then BPF="BPFILTER=./$BPFILTER" fi diff -crN ip_fil4.1.8/fil.c ip_fil4.1.9/fil.c *** ip_fil4.1.8/fil.c Mon Mar 28 20:47:50 2005 --- ip_fil4.1.9/fil.c Sat Aug 13 15:19:59 2005 *************** *** 32,38 **** #else # include #endif ! #include #if defined(_KERNEL) # include # include --- 32,40 ---- #else # include #endif ! #if !defined(_AIX51) ! # include ! #endif #if defined(_KERNEL) # include # include *************** *** 86,92 **** # include #endif #include ! #if !defined(__sgi) || defined(_KERNEL) # include # include #endif --- 88,94 ---- # include #endif #include ! #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL) # include # include #endif *************** *** 132,138 **** #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp $"; #endif #ifndef _KERNEL --- 134,140 ---- #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! 
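Review bot: The `ARCHINC64` indirection looks up the prefix `'$ARCHINC_'` followed by `$cpu`, but the variables defined two lines earlier are `ARCHINC64_sparc` and `ARCHINC64_i386`, so ARCHINC64 is always empty and the sparc 64-bit build silently loses `-I/usr/include/v9`; the eval should use the prefix `'$ARCHINC64_'`. The matching `XARCH64` indirection placed after `esac` also overwrites the `XARCH64="-m64 -mcmodel=medlow"` assigned in the gcc branch: that branch defines only `XARCH64_i386`, so for gcc on sparc XARCH64 ends up empty unless `XARCH64_sparc` is set somewhere before this hunk. Renaming the gcc-branch assignment to `XARCH64_sparc="-m64 -mcmodel=medlow"` makes both compilers go through the same lookup. Both values are consumed later in the script, outside the hunk.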
static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $"; #endif #ifndef _KERNEL *************** *** 171,176 **** --- 173,179 ---- u_short fr_ip_id = 0; int fr_chksrc = 0; /* causes a system crash if enabled */ int fr_minttl = 4; + int fr_icmpminfragmtu = 68; u_long fr_frouteok[2] = {0, 0}; u_long fr_userifqs = 0; u_long fr_badcoalesces[2] = {0, 0}; *************** *** 216,221 **** --- 219,225 ---- static ipfunc_t fr_findfunc __P((ipfunc_t)); static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *)); static int fr_funcinit __P((frentry_t *fr)); + static INLINE void frpr_ah __P((fr_info_t *)); static INLINE void frpr_esp __P((fr_info_t *)); static INLINE void frpr_gre __P((fr_info_t *)); static INLINE void frpr_udp __P((fr_info_t *)); *************** *** 232,238 **** static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *)); #endif static void frsynclist __P((frentry_t *, void *)); ! static ipftuneable_t *fr_findtunebyname __P((char *)); static ipftuneable_t *fr_findtunebycookie __P((void *, void **)); --- 236,242 ---- static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *)); #endif static void frsynclist __P((frentry_t *, void *)); ! static ipftuneable_t *fr_findtunebyname __P((const char *)); static ipftuneable_t *fr_findtunebycookie __P((void *, void **)); *************** *** 326,340 **** * adding more code to a growing switch statement. */ #ifdef USE_INET6 static INLINE void frpr_udp6 __P((fr_info_t *)); static INLINE void frpr_tcp6 __P((fr_info_t *)); static INLINE void frpr_icmp6 __P((fr_info_t *)); ! static INLINE void frpr_ipv6hdr __P((fr_info_t *)); static INLINE void frpr_short6 __P((fr_info_t *, int)); static INLINE int frpr_hopopts6 __P((fr_info_t *)); static INLINE int frpr_routing6 __P((fr_info_t *)); static INLINE int frpr_dstopts6 __P((fr_info_t *)); ! 
static INLINE int frpr_fragment6 __P((fr_info_t *)); /* ------------------------------------------------------------------------ */ --- 330,348 ---- * adding more code to a growing switch statement. */ #ifdef USE_INET6 + static INLINE int frpr_ah6 __P((fr_info_t *)); + static INLINE void frpr_esp6 __P((fr_info_t *)); + static INLINE void frpr_gre6 __P((fr_info_t *)); static INLINE void frpr_udp6 __P((fr_info_t *)); static INLINE void frpr_tcp6 __P((fr_info_t *)); static INLINE void frpr_icmp6 __P((fr_info_t *)); ! static INLINE int frpr_ipv6hdr __P((fr_info_t *)); static INLINE void frpr_short6 __P((fr_info_t *, int)); static INLINE int frpr_hopopts6 __P((fr_info_t *)); static INLINE int frpr_routing6 __P((fr_info_t *)); static INLINE int frpr_dstopts6 __P((fr_info_t *)); ! static INLINE void frpr_fragment6 __P((fr_info_t *)); ! static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int)); /* ------------------------------------------------------------------------ */ *************** *** 347,366 **** /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */ /* for frpr_short() for more details. */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_short6(fin, min) fr_info_t *fin; ! int min; { - fr_ip_t *fi = &fin->fin_fi; - int off; ! off = fin->fin_off; ! if (off == 0) { ! if (fin->fin_plen < fin->fin_hlen + min) ! fi->fi_flx |= FI_SHORT; ! } else if (off < min) { ! fi->fi_flx |= FI_SHORT; ! } } --- 355,367 ---- /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */ /* for frpr_short() for more details. */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_short6(fin, xmin) fr_info_t *fin; ! int xmin; { ! if (fin->fin_dlen < xmin) ! fin->fin_flx |= FI_SHORT; } *************** *** 373,383 **** /* Copy values from the IPv6 header into the fr_info_t struct and call the */ /* per-protocol analyzer if it exists. 
*/ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_ipv6hdr(fin) fr_info_t *fin; { - int p, go = 1, i, hdrcount, coalesced; ip6_t *ip6 = (ip6_t *)fin->fin_ip; fr_ip_t *fi = &fin->fin_fi; fin->fin_off = 0; --- 374,384 ---- /* Copy values from the IPv6 header into the fr_info_t struct and call the */ /* per-protocol analyzer if it exists. */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_ipv6hdr(fin) fr_info_t *fin; { ip6_t *ip6 = (ip6_t *)fin->fin_ip; + int p, go = 1, i, hdrcount; fr_ip_t *fi = &fin->fin_fi; fin->fin_off = 0; *************** *** 387,393 **** fi->fi_secmsk = 0; fi->fi_auth = 0; - coalesced = (fin->fin_flx & FI_COALESCE) ? 1 : 0; p = ip6->ip6_nxt; fi->fi_ttl = ip6->ip6_hlim; fi->fi_src.in6 = ip6->ip6_src; --- 388,393 ---- *************** *** 414,461 **** break; case IPPROTO_GRE : ! frpr_gre(fin); go = 0; break; case IPPROTO_HOPOPTS : - /* - * Actually, hop by hop header is only allowed right - * after IPv6 header! - */ - if (hdrcount != 0) - fin->fin_flx |= FI_BAD; - - if (coalesced == 0) { - coalesced = fr_coalesce(fin); - if (coalesced != 1) - return; - } p = frpr_hopopts6(fin); break; case IPPROTO_DSTOPTS : - if (coalesced == 0) { - coalesced = fr_coalesce(fin); - if (coalesced != 1) - return; - } p = frpr_dstopts6(fin); break; case IPPROTO_ROUTING : - if (coalesced == 0) { - coalesced = fr_coalesce(fin); - if (coalesced != 1) - return; - } p = frpr_routing6(fin); break; - case IPPROTO_ESP : - frpr_esp(fin); - /*FALLTHROUGH*/ case IPPROTO_AH : case IPPROTO_IPV6 : for (i = 0; ip6exthdr[i].ol_bit != 0; i++) if (ip6exthdr[i].ol_val == p) { --- 414,444 ---- break; case IPPROTO_GRE : ! 
frpr_gre6(fin); go = 0; break; case IPPROTO_HOPOPTS : p = frpr_hopopts6(fin); break; case IPPROTO_DSTOPTS : p = frpr_dstopts6(fin); break; case IPPROTO_ROUTING : p = frpr_routing6(fin); break; case IPPROTO_AH : + p = frpr_ah6(fin); + break; + + case IPPROTO_ESP : + frpr_esp6(fin); + go = 0; + break; + case IPPROTO_IPV6 : for (i = 0; ip6exthdr[i].ol_bit != 0; i++) if (ip6exthdr[i].ol_val == p) { *************** *** 470,481 **** break; case IPPROTO_FRAGMENT : ! if (coalesced == 0) { ! coalesced = fr_coalesce(fin); ! if (coalesced != 1) ! return; ! } ! p = frpr_fragment6(fin); break; default : --- 453,460 ---- break; case IPPROTO_FRAGMENT : ! frpr_fragment6(fin); ! go = 0; break; default : *************** *** 489,497 **** * extension headers (go != 0), the entire header may not have * been pulled up when the code gets to this point. This is * only done for "go != 0" because the other header handlers ! * will all pullup their complete header and the other ! * indicator of an incomplete header is that this eas just an ! * extension header. */ if ((go != 0) && (p != IPPROTO_NONE) && (frpr_pullup(fin, 0) == -1)) { --- 468,476 ---- * extension headers (go != 0), the entire header may not have * been pulled up when the code gets to this point. This is * only done for "go != 0" because the other header handlers ! * will all pullup their complete header. The other indicator ! * of an incomplete packet is that this was just an extension ! * header. */ if ((go != 0) && (p != IPPROTO_NONE) && (frpr_pullup(fin, 0) == -1)) { *************** *** 500,518 **** } } fi->fi_p = p; } /* ------------------------------------------------------------------------ */ ! /* Function: frpr_hopopts6 */ /* Returns: int - value of the next header or IPPROTO_NONE if error */ ! 
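Review bot: The rewritten switch drops the old check that flagged a Hop-by-Hop header appearing anywhere other than directly after the IPv6 header (`if (hdrcount != 0) fin->fin_flx |= FI_BAD;`), and nothing in the new `case IPPROTO_HOPOPTS` re-establishes it; the visible part of frpr_ipv6exthdr only rejects a second occurrence of the same header when `multiple == 0`, not a misplaced first one. `hdrcount` is still declared in the new local list, so the position rule can be kept with `if (hdrcount != 0) fin->fin_flx |= FI_BAD;` immediately before `p = frpr_hopopts6(fin);`. If the removal was deliberate, a one-line comment in that case explaining why the ordering rule is no longer enforced would stop the next reader from re-adding it. The head of the loop and the tail of frpr_ipv6hdr lie outside this hunk.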
/* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ - /* This is function checks pending hop by hop options extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_hopopts6(fin) fr_info_t *fin; { struct ip6_ext *hdr; u_short shift; --- 479,502 ---- } } fi->fi_p = p; + + return 0; } /* ------------------------------------------------------------------------ */ ! /* Function: frpr_ipv6exthdr */ /* Returns: int - value of the next header or IPPROTO_NONE if error */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* multiple(I) - flag indicating yes/no if multiple occurances */ ! /* of this extension header are allowed. */ ! /* proto(I) - protocol number for this extension header */ /* */ /* IPv6 Only */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_ipv6exthdr(fin, multiple, proto) fr_info_t *fin; + int multiple, proto; { struct ip6_ext *hdr; u_short shift; *************** *** 537,544 **** } for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_HOPOPTS) { ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; break; } --- 521,535 ---- } for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == proto) { ! /* ! * Most IPv6 extension headers are only allowed once. ! */ ! if ((multiple == 0) && ! ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0)) ! fin->fin_flx |= FI_BAD; ! else ! 
fin->fin_optmsk |= ip6exthdr[i].ol_bit; break; } *************** *** 550,555 **** --- 541,561 ---- /* ------------------------------------------------------------------------ */ + /* Function: frpr_hopopts6 */ + /* Returns: int - value of the next header or IPPROTO_NONE if error */ + /* Parameters: fin(I) - pointer to packet information */ + /* */ + /* IPv6 Only */ + /* This is function checks pending hop by hop options extension header */ + /* ------------------------------------------------------------------------ */ + static INLINE int frpr_hopopts6(fin) + fr_info_t *fin; + { + return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS); + } + + + /* ------------------------------------------------------------------------ */ /* Function: frpr_routing6 */ /* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ *************** *** 561,660 **** fr_info_t *fin; { struct ip6_ext *hdr; ! u_short shift; ! int i; ! fin->fin_flx |= FI_V6EXTHDR; ! ! /* 8 is default length of extension hdr */ ! if ((fin->fin_dlen - 8) < 0) { ! fin->fin_flx |= FI_SHORT; return IPPROTO_NONE; - } - if (frpr_pullup(fin, 8) == -1) - return IPPROTO_NONE; hdr = fin->fin_dp; - shift = 8 + (hdr->ip6e_len << 3); /* * Nasty extension header length? */ ! if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) || ((shift - sizeof(struct ip6_hdr)) & 15)) { fin->fin_flx |= FI_BAD; return IPPROTO_NONE; } - for (i = 0; ip6exthdr[i].ol_bit != 0; i++) - if (ip6exthdr[i].ol_val == IPPROTO_ROUTING) { - fin->fin_optmsk |= ip6exthdr[i].ol_bit; - break; - } - - fin->fin_dp = (char *)fin->fin_dp + shift; - fin->fin_dlen -= shift; - return hdr->ip6e_nxt; } /* ------------------------------------------------------------------------ */ /* Function: frpr_fragment6 */ ! 
/* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* Examine the IPv6 fragment header and extract fragment offset information.*/ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_fragment6(fin) fr_info_t *fin; { struct ip6_frag *frag; - struct ip6_ext *hdr; - int i; - - fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR); ! /* 8 is default length of extension hdr */ ! if ((fin->fin_dlen - 8) < 0) { ! fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; ! } ! /* ! * Only one frgament header is allowed per IPv6 packet but it need ! * not be the first nor last (not possible in some cases.) ! */ ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_FRAGMENT) ! break; ! if (fin->fin_optmsk & ip6exthdr[i].ol_bit) { ! fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; ! } ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; ! if (frpr_pullup(fin, sizeof(*frag)) == -1) ! return IPPROTO_NONE; ! hdr = fin->fin_dp; /* ! * Length must be zero, i.e. it has no length. */ ! if (hdr->ip6e_len != 0) { fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; ! } ! ! if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) { ! fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; } - frag = fin->fin_dp; fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK; fin->fin_off <<= 3; if (fin->fin_off != 0) --- 567,638 ---- fr_info_t *fin; { struct ip6_ext *hdr; ! int shift; ! if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE) return IPPROTO_NONE; hdr = fin->fin_dp; shift = 8 + (hdr->ip6e_len << 3); /* * Nasty extension header length? */ ! 
if ((shift < sizeof(struct ip6_hdr)) || ((shift - sizeof(struct ip6_hdr)) & 15)) { fin->fin_flx |= FI_BAD; + /* + * Compensate for the changes made in frpr_ipv6exthdr() + */ + fin->fin_dlen += shift; + fin->fin_dp = (char *)fin->fin_dp - shift; return IPPROTO_NONE; } return hdr->ip6e_nxt; } /* ------------------------------------------------------------------------ */ /* Function: frpr_fragment6 */ ! /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* Examine the IPv6 fragment header and extract fragment offset information.*/ + /* */ + /* We don't know where the transport layer header (or whatever is next is), */ + /* as it could be behind destination options (amongst others). Because */ + /* there is no fragment cache, there is no knowledge about whether or not an*/ + /* upper layer header has been seen (or where it ends) and thus we are not */ + /* able to continue processing beyond this header with any confidence. */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_fragment6(fin) fr_info_t *fin; { struct ip6_frag *frag; ! fin->fin_flx |= FI_FRAG; ! if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE) ! return; ! if (frpr_pullup(fin, sizeof(*frag)) == -1) ! return; ! frpr_short6(fin, sizeof(*frag)); ! if ((fin->fin_flx & FI_SHORT) != 0) ! return; + frag = fin->fin_dp; /* ! * Fragment but no fragmentation info set? Bad packet... */ ! if (frag->ip6f_offlg == 0) { fin->fin_flx |= FI_BAD; ! return; } fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK; fin->fin_off <<= 3; if (fin->fin_off != 0) *************** *** 662,669 **** fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag); fin->fin_dlen -= sizeof(*frag); - - return frag->ip6f_nxt; } --- 640,645 ---- *************** *** 679,712 **** static INLINE int frpr_dstopts6(fin) fr_info_t *fin; { ! struct ip6_ext *hdr; ! u_short shift; ! int i; ! ! /* 8 is default length of extension hdr */ ! 
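Review bot: In the new frpr_routing6, `hdr = fin->fin_dp;` is read only after `frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING)` has returned, yet the compensation comment a few lines below states that call has already moved fin_dp and fin_dlen past the routing header; if so, `shift` and `hdr->ip6e_nxt` are computed from whatever header follows, the length sanity check inspects the wrong header, and the rollback subtracts the wrong amount. Capture the pointer before the call (`hdr = fin->fin_dp;` moved above the `if`) and dereference it only after the call has succeeded, since the pullup inside frpr_ipv6exthdr is what makes those 8 bytes safe to read; if frpr_pullup can relocate the buffer, recompute the routing header's address from the advanced fin_dp instead of caching the pointer. The body of frpr_ipv6exthdr is outside this hunk, so the exact advance it performs cannot be confirmed here.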
if ((fin->fin_dlen - 8) < 0) { ! fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; ! } ! ! if (frpr_pullup(fin, 8) == -1) ! return IPPROTO_NONE; ! hdr = fin->fin_dp; ! ! shift = 8 + (hdr->ip6e_len << 3); ! if (shift > fin->fin_dlen) { /* Nasty extension header length? */ ! fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; ! } ! ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_DSTOPTS) ! break; ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; ! fin->fin_dp = (char *)fin->fin_dp + shift; ! fin->fin_dlen -= shift; ! ! return hdr->ip6e_nxt; } --- 655,661 ---- static INLINE int frpr_dstopts6(fin) fr_info_t *fin; { ! return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS); } *************** *** 756,762 **** } } ! frpr_short(fin, minicmpsz); } --- 705,711 ---- } } ! frpr_short6(fin, minicmpsz); } *************** *** 767,772 **** --- 716,722 ---- /* */ /* IPv6 Only */ /* Analyse the packet for IPv6/UDP properties. */ + /* Is not expected to be called for fragmented packets. */ /* ------------------------------------------------------------------------ */ static INLINE void frpr_udp6(fin) fr_info_t *fin; *************** *** 774,780 **** fr_checkv6sum(fin); ! frpr_short(fin, sizeof(struct udphdr)); frpr_udpcommon(fin); } --- 724,730 ---- fr_checkv6sum(fin); ! frpr_short6(fin, sizeof(struct udphdr)); frpr_udpcommon(fin); } *************** *** 787,792 **** --- 737,743 ---- /* */ /* IPv6 Only */ /* Analyse the packet for IPv6/TCP properties. */ + /* Is not expected to be called for fragmented packets. */ /* ------------------------------------------------------------------------ */ static INLINE void frpr_tcp6(fin) fr_info_t *fin; *************** *** 794,803 **** fr_checkv6sum(fin); ! frpr_short(fin, sizeof(struct tcphdr)); frpr_tcpcommon(fin); } #endif /* USE_INET6 */ --- 745,824 ---- fr_checkv6sum(fin); ! 
frpr_short6(fin, sizeof(struct tcphdr)); frpr_tcpcommon(fin); } + + + /* ------------------------------------------------------------------------ */ + /* Function: frpr_esp6 */ + /* Returns: void */ + /* Parameters: fin(I) - pointer to packet information */ + /* */ + /* IPv6 Only */ + /* Analyse the packet for ESP properties. */ + /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */ + /* even though the newer ESP packets must also have a sequence number that */ + /* is 32bits as well, it is not possible(?) to determine the version from a */ + /* simple packet header. */ + /* ------------------------------------------------------------------------ */ + static INLINE void frpr_esp6(fin) + fr_info_t *fin; + { + + frpr_short6(fin, sizeof(grehdr_t)); + + (void) frpr_pullup(fin, 8); + } + + + /* ------------------------------------------------------------------------ */ + /* Function: frpr_ah6 */ + /* Returns: void */ + /* Parameters: fin(I) - pointer to packet information */ + /* */ + /* IPv6 Only */ + /* Analyse the packet for AH properties. */ + /* The minimum length is taken to be the combination of all fields in the */ + /* header being present and no authentication data (null algorithm used.) */ + /* ------------------------------------------------------------------------ */ + static INLINE int frpr_ah6(fin) + fr_info_t *fin; + { + authhdr_t *ah; + + frpr_short6(fin, 12); + + if (frpr_pullup(fin, sizeof(*ah)) == -1) + return IPPROTO_NONE; + + ah = (authhdr_t *)fin->fin_dp; + return ah->ah_next; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: frpr_gre6 */ + /* Returns: void */ + /* Parameters: fin(I) - pointer to packet information */ + /* */ + /* Analyse the packet for GRE properties. 
*/ + /* ------------------------------------------------------------------------ */ + static INLINE void frpr_gre6(fin) + fr_info_t *fin; + { + grehdr_t *gre; + + frpr_short6(fin, sizeof(grehdr_t)); + + if (frpr_pullup(fin, sizeof(grehdr_t)) == -1) + return; + + gre = fin->fin_dp; + if (GRE_REV(gre->gr_flags) == 1) + fin->fin_data[0] = gre->gr_call; + } #endif /* USE_INET6 */ *************** *** 834,861 **** /* ------------------------------------------------------------------------ */ /* Function: frpr_short */ /* Returns: void */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* min(I) - minimum header size */ /* */ ! /* Check if a packet is "short" as defined by min. The rule we are */ /* applying here is that the packet must not be fragmented within the layer */ /* 4 header. That is, it must not be a fragment that has its offset set to */ /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */ /* entire layer 4 header must be present (min). */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_short(fin, min) fr_info_t *fin; ! int min; { - fr_ip_t *fi = &fin->fin_fi; - int off; ! off = fin->fin_off; ! if (off == 0) { ! if (fin->fin_plen < fin->fin_hlen + min) ! fi->fi_flx |= FI_SHORT; ! } else if (off < min) { ! fi->fi_flx |= FI_SHORT; } } --- 855,879 ---- /* ------------------------------------------------------------------------ */ /* Function: frpr_short */ /* Returns: void */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* xmin(I) - minimum header size */ /* */ ! /* Check if a packet is "short" as defined by xmin. The rule we are */ /* applying here is that the packet must not be fragmented within the layer */ /* 4 header. That is, it must not be a fragment that has its offset set to */ /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */ /* entire layer 4 header must be present (min). 
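Review bot: frpr_ah6 returns `ah->ah_next` without moving fin_dp/fin_dlen past the AH header, unlike the extension-header path that the routing6 compensation comment shows advancing both fields; because `case IPPROTO_AH` in the frpr_ipv6hdr hunk keeps looping with that return value, the following header (for example TCP or UDP) would be parsed out of the AH bytes and any port-based rule evaluated against the wrong data. After the pullup succeeds, advance with `len = (ah->ah_plen + 2) << 2; fin->fin_dp = (char *)fin->fin_dp + len; fin->fin_dlen -= len;` before returning, mirroring the length the new IPv4 frpr_ah computes. The header comment of frpr_ah6 also says `Returns: void` although the function is declared `int`. In frpr_esp6 the minimum-length argument is `sizeof(grehdr_t)` while the comment and the pullup both describe 8 bytes; use the literal `8` as the new IPv4 frpr_esp does rather than an unrelated GRE type.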
*/ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_short(fin, xmin) fr_info_t *fin; ! int xmin; { ! if (fin->fin_off == 0) { ! if (fin->fin_dlen < xmin) ! fin->fin_flx |= FI_SHORT; ! } else if (fin->fin_off < xmin) { ! fin->fin_flx |= FI_SHORT; } } *************** *** 868,874 **** /* IPv4 Only */ /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */ /* except extrememly bad packets, both type and code will be present. */ ! /* The expected minimum size of an ICMP packet is very much dependant on */ /* the type of it. */ /* */ /* XXX - other ICMP sanity checks? */ --- 886,892 ---- /* IPv4 Only */ /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */ /* except extrememly bad packets, both type and code will be present. */ ! /* The expected minimum size of an ICMP packet is very much dependent on */ /* the type of it. */ /* */ /* XXX - other ICMP sanity checks? */ *************** *** 878,890 **** { int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1) return; fr_checkv4sum(fin); ! if (!fin->fin_off && (fin->fin_dlen > 1)) { icmp = fin->fin_dp; fin->fin_data[0] = *(u_short *)icmp; --- 896,914 ---- { int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; + ip_t *oip; + + if (fin->fin_off != 0) { + frpr_short(fin, ICMPERR_ICMPHLEN); + return; + } if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1) return; fr_checkv4sum(fin); ! if (fin->fin_dlen > 1) { icmp = fin->fin_dp; fin->fin_data[0] = *(u_short *)icmp; *************** *** 918,930 **** * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+) */ case ICMP_UNREACH : case ICMP_SOURCEQUENCH : case ICMP_REDIRECT : case ICMP_TIMXCEED : case ICMP_PARAMPROB : if (fr_coalesce(fin) != 1) return; ! 
fin->fin_flx |= FI_ICMPERR; break; default : break; --- 942,966 ---- * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+) */ case ICMP_UNREACH : + if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) { + if (icmp->icmp_nextmtu < fr_icmpminfragmtu) + fin->fin_flx |= FI_BAD; + } case ICMP_SOURCEQUENCH : case ICMP_REDIRECT : case ICMP_TIMXCEED : case ICMP_PARAMPROB : + fin->fin_flx |= FI_ICMPERR; if (fr_coalesce(fin) != 1) return; ! /* ! * ICMP error packets should not be generated for IP ! * packets that are a fragment that isn't the first ! * fragment. ! */ ! oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); ! if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0) ! fin->fin_flx |= FI_BAD; break; default : break; *************** *** 953,962 **** { int flags, tlen; tcphdr_t *tcp; - fr_ip_t *fi; ! fi = &fin->fin_fi; ! fi->fi_flx |= FI_TCPUDP; if (fin->fin_off != 0) return; --- 989,996 ---- { int flags, tlen; tcphdr_t *tcp; ! fin->fin_flx |= FI_TCPUDP; if (fin->fin_off != 0) return; *************** *** 969,975 **** fin->fin_dport = ntohs(tcp->th_dport); } ! if ((fi->fi_flx & FI_SHORT) != 0) return; /* --- 1003,1009 ---- fin->fin_dport = ntohs(tcp->th_dport); } ! if ((fin->fin_flx & FI_SHORT) != 0) return; /* *************** *** 1091,1104 **** fr_info_t *fin; { udphdr_t *udp; - fr_ip_t *fi; ! fi = &fin->fin_fi; ! fi->fi_flx |= FI_TCPUDP; if (!fin->fin_off && (fin->fin_dlen > 3)) { if (frpr_pullup(fin, sizeof(*udp)) == -1) { ! fi->fi_flx |= FI_SHORT; return; } --- 1125,1136 ---- fr_info_t *fin; { udphdr_t *udp; ! fin->fin_flx |= FI_TCPUDP; if (!fin->fin_off && (fin->fin_dlen > 3)) { if (frpr_pullup(fin, sizeof(*udp)) == -1) { ! fin->fin_flx |= FI_SHORT; return; } *************** *** 1164,1178 **** static INLINE void frpr_esp(fin) fr_info_t *fin; { ! if (frpr_pullup(fin, 8) == -1) return; ! if (fin->fin_v == 4) ! frpr_short(fin, 8); ! #ifdef USE_INET6 ! else if (fin->fin_v == 6) ! frpr_short6(fin, sizeof(grehdr_t)); ! 
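Review bot: The new Path-MTU sanity check compares `icmp->icmp_nextmtu` directly against `fr_icmpminfragmtu`, but that field is carried in network byte order on the wire and no conversion is applied here, whereas the same hunk converts `oip->ip_off` with ntohs() a few lines later; on little-endian hosts the FI_BAD marking would then depend on a byte-swapped value, so it should read `if (ntohs(icmp->icmp_nextmtu) < fr_icmpminfragmtu)`. The `case ICMP_UNREACH` block then drops into `case ICMP_SOURCEQUENCH` without a `/*FALLTHROUGH*/` marker, which this file uses elsewhere for intentional fall-through. The dereference of `oip->ip_off` after `fr_coalesce()` has no length check that the quoted inner IP header is actually present; unless fr_coalesce guarantees at least ICMPERR_ICMPHLEN plus the ip_off field, guard it with a `fin->fin_dlen` test first. fr_coalesce and the rest of frpr_icmp are outside this hunk.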
#endif } --- 1196,1230 ---- static INLINE void frpr_esp(fin) fr_info_t *fin; { ! if ((fin->fin_off == 0) && (frpr_pullup(fin, 8) == -1)) return; ! frpr_short(fin, 8); ! } ! ! ! /* ------------------------------------------------------------------------ */ ! /* Function: frpr_ah */ ! /* Returns: void */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* */ ! /* Analyse the packet for AH properties. */ ! /* The minimum length is taken to be the combination of all fields in the */ ! /* header being present and no authentication data (null algorithm used.) */ ! /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_ah(fin) ! fr_info_t *fin; ! { ! authhdr_t *ah; ! int len; ! ! if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(*ah)) == -1)) ! return; ! ! ah = (authhdr_t *)fin->fin_dp; ! ! len = (ah->ah_plen + 2) << 2; ! frpr_short(fin, len); } *************** *** 1188,1205 **** { grehdr_t *gre; ! if (frpr_pullup(fin, sizeof(grehdr_t)) == -1) return; ! if (fin->fin_v == 4) ! frpr_short(fin, sizeof(grehdr_t)); ! #ifdef USE_INET6 ! else if (fin->fin_v == 6) ! frpr_short6(fin, sizeof(grehdr_t)); ! #endif ! gre = fin->fin_dp; ! if (GRE_REV(gre->gr_flags) == 1) ! fin->fin_data[0] = gre->gr_call; } --- 1240,1255 ---- { grehdr_t *gre; ! if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(grehdr_t)) == -1)) return; ! frpr_short(fin, sizeof(grehdr_t)); ! ! if (fin->fin_off == 0) { ! gre = fin->fin_dp; ! if (GRE_REV(gre->gr_flags) == 1) ! fin->fin_data[0] = gre->gr_call; ! } } *************** *** 1255,1266 **** * set packet attribute flags based on the offset and * calculate the byte offset that it represents. */ - if ((off & IP_MF) != 0) { - fi->fi_flx |= FI_FRAG; - if (fin->fin_dlen == 0) - fi->fi_flx |= FI_BAD; - } - off &= IP_MF|IP_OFFMASK; if (off != 0) { fi->fi_flx |= FI_FRAG; --- 1305,1310 ---- *************** *** 1268,1274 **** if (off != 0) { fin->fin_flx |= FI_FRAGBODY; off <<= 3; ! 
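Review bot: The new IPv4 frpr_ah dereferences `ah->ah_plen` unconditionally, yet the pullup guarding it runs only when `fin->fin_off == 0`; for a non-first fragment fin_dp points at fragment payload that was never pulled up, so the length is read from data that is not an AH header and may not even be contiguous, then fed to frpr_short. The sibling frpr_gre in the next hunk handles this by wrapping the header access in `if (fin->fin_off == 0) { ... }`; do the same here and, for fragments, fall back to `frpr_short(fin, sizeof(*ah));`. Where fin_off is computed is outside this hunk.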
if (off + fin->fin_dlen > 0xffff) { fi->fi_flx |= FI_BAD; } } --- 1312,1328 ---- if (off != 0) { fin->fin_flx |= FI_FRAGBODY; off <<= 3; ! if ((off + fin->fin_dlen > 65535) || ! (fin->fin_dlen == 0) || (fin->fin_dlen & 7)) { ! /* ! * The length of the packet, starting at its ! * offset cannot exceed 65535 (0xffff) as the ! * length of an IP packet is only 16 bits. ! * ! * Any fragment that isn't the last fragment ! * must have a length greater than 0 and it ! * must be an even multiple of 8. ! */ fi->fi_flx |= FI_BAD; } } *************** *** 1289,1294 **** --- 1343,1351 ---- case IPPROTO_ICMP : frpr_icmp(fin); break; + case IPPROTO_AH : + frpr_ah(fin); + break; case IPPROTO_ESP : frpr_esp(fin); break; *************** *** 1417,1424 **** if (v == 4) frpr_ipv4hdr(fin); #ifdef USE_INET6 ! else if (v == 6) ! frpr_ipv6hdr(fin); #endif if (fin->fin_ip == NULL) return -1; --- 1474,1483 ---- if (v == 4) frpr_ipv4hdr(fin); #ifdef USE_INET6 ! else if (v == 6) { ! if (frpr_ipv6hdr(fin) == -1) ! return -1; ! } #endif if (fin->fin_ip == NULL) return -1; *************** *** 1751,1757 **** { int rulen, portcmp, off, logged, skip; struct frentry *fr, *fnext; ! u_32_t passt; /* * Do not allow nesting deeper than 16 levels. --- 1810,1816 ---- { int rulen, portcmp, off, logged, skip; struct frentry *fr, *fnext; ! u_32_t passt, passo; /* * Do not allow nesting deeper than 16 levels. *************** *** 1819,1833 **** case FR_T_BPFOPC|FR_T_BUILTIN : { u_char *mc; - int wlen; if (*fin->fin_mp == NULL) continue; if (fin->fin_v != fr->fr_v) continue; mc = (u_char *)fin->fin_m; ! wlen = fin->fin_dlen + fin->fin_hlen; ! if (!bpf_filter(fr->fr_data, mc, wlen, 0)) continue; break; } --- 1878,1890 ---- case FR_T_BPFOPC|FR_T_BUILTIN : { u_char *mc; if (*fin->fin_mp == NULL) continue; if (fin->fin_v != fr->fr_v) continue; mc = (u_char *)fin->fin_m; ! 
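Review bot: The new `(fin->fin_dlen & 7)` test is applied to every fragment with a non-zero offset, but the comment beside it correctly states that the multiple-of-8 rule only holds for fragments that are not the last one; as written, a legitimate final fragment whose payload length is not a multiple of 8 is marked FI_BAD and would be dropped. By the time of `off <<= 3` the IP_MF bit has presumably already been cleared from `off` (otherwise every MF fragment would exceed 0xffff), so the flag must be captured separately, e.g. `morefrag = off & IP_MF;` at the earlier `off &= IP_MF|IP_OFFMASK;` and then `(morefrag && (fin->fin_dlen & 7))` here. The enclosing block starts outside this hunk, so the intervening masking of `off` is not visible.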
if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0)) continue; break; } *************** *** 1909,1914 **** --- 1966,1972 ---- } #endif /* IPFILTER_LOG */ fr->fr_bytes += (U_QUAD_T)fin->fin_plen; + passo = pass; if (FR_ISSKIP(passt)) skip = fr->fr_arg; else if ((passt & FR_LOGMASK) != FR_LOG) *************** *** 1931,1938 **** if (fin->fin_flx & FI_DONTCACHE) logged = 1; } ! if (pass & FR_QUICK) break; } if (logged) fin->fin_flx |= FI_DONTCACHE; --- 1989,2017 ---- if (fin->fin_flx & FI_DONTCACHE) logged = 1; } ! ! if (pass & FR_QUICK) { ! /* ! * Finally, if we've asked to track state for this ! * packet, set it up. Add state for "quick" rules ! * here so that if the action fails we can consider ! * the rule to "not match" and keep on processing ! * filter rules. ! */ ! if ((pass & FR_KEEPSTATE) && ! !(fin->fin_flx & FI_STATE)) { ! int out = fin->fin_out; ! ! if (fr_addstate(fin, NULL, 0) != NULL) { ! ATOMIC_INCL(frstats[out].fr_ads); ! } else { ! ATOMIC_INCL(frstats[out].fr_bads); ! pass = passo; ! continue; ! } ! } break; + } } if (logged) fin->fin_flx |= FI_DONTCACHE; *************** *** 2017,2034 **** * the result as if it were from the ACL's. */ fc = &frcache[out][CACHE_HASH(fin)]; if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) { /* ! * copy cached data so we can unlock the mutex ! * earlier. */ bcopy((char *)fc, (char *)fin, FI_COPYSIZE); ATOMIC_INCL(frstats[out].fr_chit); if ((fr = fin->fin_fr) != NULL) { ATOMIC_INC64(fr->fr_hits); pass = fr->fr_flags; } } else { #ifdef USE_INET6 if (fin->fin_v == 6) fin->fin_fr = ipfilter6[out][fr_active]; --- 2096,2117 ---- * the result as if it were from the ACL's. */ fc = &frcache[out][CACHE_HASH(fin)]; + READ_ENTER(&ipf_frcache); if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) { /* ! * copy cached data so we can unlock the mutexes earlier. 
*/ bcopy((char *)fc, (char *)fin, FI_COPYSIZE); + RWLOCK_EXIT(&ipf_frcache); ATOMIC_INCL(frstats[out].fr_chit); + if ((fr = fin->fin_fr) != NULL) { ATOMIC_INC64(fr->fr_hits); pass = fr->fr_flags; } } else { + RWLOCK_EXIT(&ipf_frcache); + #ifdef USE_INET6 if (fin->fin_v == 6) fin->fin_fr = ipfilter6[out][fr_active]; *************** *** 2037,2045 **** fin->fin_fr = ipfilter[out][fr_active]; if (fin->fin_fr != NULL) pass = fr_scanlist(fin, fr_pass); if (((pass & FR_KEEPSTATE) == 0) && ! ((fin->fin_flx & FI_DONTCACHE) == 0)) bcopy((char *)fin, (char *)fc, FI_COPYSIZE); if ((pass & FR_NOMATCH)) { ATOMIC_INCL(frstats[out].fr_nom); } --- 2120,2132 ---- fin->fin_fr = ipfilter[out][fr_active]; if (fin->fin_fr != NULL) pass = fr_scanlist(fin, fr_pass); + if (((pass & FR_KEEPSTATE) == 0) && ! ((fin->fin_flx & FI_DONTCACHE) == 0)) { ! WRITE_ENTER(&ipf_frcache); bcopy((char *)fin, (char *)fc, FI_COPYSIZE); + RWLOCK_EXIT(&ipf_frcache); + } if ((pass & FR_NOMATCH)) { ATOMIC_INCL(frstats[out].fr_nom); } *************** *** 2134,2140 **** /* User space: */ /* -1 == packet blocked */ /* 1 == packet not matched */ ! /* -2 == requires authantication */ /* Kernel: */ /* > 0 == filter error # for packet */ /* Parameters: ip(I) - pointer to start of IPv4/6 packet */ --- 2221,2227 ---- /* User space: */ /* -1 == packet blocked */ /* 1 == packet not matched */ ! 
/* -2 == requires authentication */ /* Kernel: */ /* > 0 == filter error # for packet */ /* Parameters: ip(I) - pointer to start of IPv4/6 packet */ *************** *** 2184,2189 **** --- 2271,2277 ---- #ifdef USE_INET6 ip6_t *ip6; #endif + SPL_INT(s); /* * The first part of fr_check() deals with making sure that what goes *************** *** 2223,2228 **** --- 2311,2320 ---- if ((m->m_flags & M_MCAST) != 0) fin->fin_flx |= FI_MBCAST|FI_MULTICAST; # endif + # if defined(M_MLOOP) + if ((m->m_flags & M_MLOOP) != 0) + fin->fin_flx |= FI_MBCAST|FI_MULTICAST; + # endif # if defined(M_BCAST) if ((m->m_flags & M_BCAST) != 0) fin->fin_flx |= FI_MBCAST|FI_BROADCAST; *************** *** 2259,2269 **** fin->fin_out = out; fin->fin_ifp = ifp; fin->fin_error = ENETUNREACH; ! fin->fin_hlen = (u_short )hlen; fin->fin_dp = (char *)ip + hlen; fin->fin_ipoff = (char *)ip - MTOD(m, char *); #ifdef USE_INET6 if (v == 6) { ATOMIC_INCL(frstats[out].fr_ipv6); --- 2351,2363 ---- fin->fin_out = out; fin->fin_ifp = ifp; fin->fin_error = ENETUNREACH; ! fin->fin_hlen = (u_short)hlen; fin->fin_dp = (char *)ip + hlen; fin->fin_ipoff = (char *)ip - MTOD(m, char *); + SPL_NET(s); + #ifdef USE_INET6 if (v == 6) { ATOMIC_INCL(frstats[out].fr_ipv6); *************** *** 2289,2296 **** fin->fin_plen = ip->ip_len; } ! if (fr_makefrip(hlen, ip, fin) == -1) ! goto finished; /* * For at least IPv6 packets, if a m_pullup() fails then this pointer --- 2383,2392 ---- fin->fin_plen = ip->ip_len; } ! if (fr_makefrip(hlen, ip, fin) == -1) { ! pass = FR_BLOCK|FR_NOMATCH; ! goto filtered; ! } /* * For at least IPv6 packets, if a m_pullup() fails then this pointer *************** *** 2439,2447 **** * we are dropping it (* BSD ONLY *). * Reassign m from fin_m as we may have a new buffer, now. */ - #if defined(USE_INET6) || (defined(__sgi) && defined(_KERNEL)) filtered: - #endif m = fin->fin_m; if (fr != NULL) { --- 2535,2541 ---- *************** *** 2492,2500 **** #endif } RWLOCK_EXIT(&ipf_global); #ifdef _KERNEL ! 
# if OpenBSD >= 200311 if (FR_ISPASS(pass) && (v == 4)) { ip = fin->fin_ip; ip->ip_len = ntohs(ip->ip_len); --- 2586,2596 ---- #endif } + SPL_X(s); RWLOCK_EXIT(&ipf_global); + #ifdef _KERNEL ! # if OpenBSD >= 200311 if (FR_ISPASS(pass) && (v == 4)) { ip = fin->fin_ip; ip->ip_len = ntohs(ip->ip_len); *************** *** 2885,2891 **** #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \ ! defined(__sgi) ) && !defined(linux) /* * Copyright (c) 1982, 1986, 1988, 1991, 1993 * The Regents of the University of California. All rights reserved. --- 2981,2987 ---- #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \ ! defined(__sgi) ) && !defined(linux) && !defined(_AIX51) /* * Copyright (c) 1982, 1986, 1988, 1991, 1993 * The Regents of the University of California. All rights reserved. *************** *** 2915,2921 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 3011,3017 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 2984,2990 **** m = m->m_next; } while (len > 0) { ! mlen = min (m->m_len - off, len); bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen); cp += mlen; len -= mlen; --- 3080,3086 ---- m = m->m_next; } while (len > 0) { ! mlen = min(m->m_len - off, len); bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen); cp += mlen; len -= mlen; *************** *** 3033,3039 **** frgroup_t *fg, **fgp; /* ! * Which list of groups to search in is dependant on which list of * rules are being operated on. */ fgp = &ipfgroups[unit][set]; --- 3129,3135 ---- frgroup_t *fg, **fgp; /* ! * Which list of groups to search in is dependent on which list of * rules are being operated on. 
*/ fgp = &ipfgroups[unit][set]; *************** *** 3993,4002 **** fprev = &fg->fg_start; } - for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next) - if (fp->fr_collect <= f->fr_collect) - break; ftail = fprev; /* * Copy in extra data for the rule. --- 4089,4103 ---- fprev = &fg->fg_start; } ftail = fprev; + for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) { + if (fp->fr_collect <= f->fr_collect) { + ftail = fprev; + f = NULL; + break; + } + fprev = ftail; + } /* * Copy in extra data for the rule. *************** *** 4095,4101 **** break; #endif default : - break; } break; --- 4196,4201 ---- *************** *** 4135,4148 **** WRITE_ENTER(&ipf_mutex); bzero((char *)frcache, sizeof(frcache)); ! for (; (f = *ftail) != NULL; ftail = &f->fr_next) ! if ((fp->fr_cksum == f->fr_cksum) && ! (f->fr_dsize == fp->fr_dsize) && ! !bcmp((char *)&f->fr_func, ! (char *)&fp->fr_func, FR_CMPSIZ) && ! (!ptr || !f->fr_data || !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) break; /* * If zero'ing statistics, copy current to caller and zero. --- 4235,4251 ---- WRITE_ENTER(&ipf_mutex); bzero((char *)frcache, sizeof(frcache)); ! for (; (f = *ftail) != NULL; ftail = &f->fr_next) { ! if ((fp->fr_cksum != f->fr_cksum) || ! (f->fr_dsize != fp->fr_dsize)) ! continue; ! if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ)) ! continue; ! if ((!ptr && !f->fr_data) || ! (ptr && f->fr_data && !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) break; + } /* * If zero'ing statistics, copy current to caller and zero. *************** *** 4188,4199 **** } if (!f) { ! if (req == (ioctlcmd_t)SIOCINAFR || ! req == (ioctlcmd_t)SIOCINIFR) { ftail = fprev; if (fp->fr_hits != 0) { ! while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } f = NULL; ptr = NULL; --- 4291,4330 ---- } if (!f) { ! /* ! * At the end of this, ftail must point to the place where the ! * new rule is to be saved/inserted/added. ! * For SIOCAD*FR, this should be the last rule in the group of ! 
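Review bot: The rewritten collect-order walk leaves `ftail` one slot behind where the removed loop left it: `fprev = ftail` runs after the `if`, so on the `break` `ftail = fprev` points at the slot of the rule before the first one with `fr_collect >= fp->fr_collect`, whereas the old loop stopped on that rule's own slot. Because the duplicate-rule search in the 4235-4251 hunk starts from `ftail`, one rule with a smaller fr_collect is now included in that search; whether it can ever match depends on whether `fr_cksum` covers `fr_collect`, which this page does not show. If the one-back position is intentional, state the invariant in a comment, `/* on exit: ftail = slot of the rule preceding the first with fr_collect >= fp->fr_collect (or the list end), fprev = the slot before it */`; the initialiser `f = *ftail` is also redundant with the loop condition. frrequest continues outside the hunk.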
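Review bot: The match now requires both rules to agree on whether `fr_data` is present (and that the data is identical) before a stored rule is treated as the same one, where the old condition accepted a match as soon as either side lacked data; since this decides which rule SIOCRM*FR removes or SIOCZRLST zeroes, the tightened rule deserves a comment in place, e.g. `/* Same rule only if both carry identical extra data or neither carries any */`. The `fr_dsize` equality check precedes the `bcmp`, so the compare length is bounded by the stored rule's own size, which is the right order.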
* rules that have equal fr_collect fields. ! * For SIOCIN*FR, ... ! */ ! if (req == (ioctlcmd_t)SIOCADAFR || ! req == (ioctlcmd_t)SIOCADIFR) { ! ! for (ftail = fprev; (f = *ftail) != NULL; ) { ! if (f->fr_collect > fp->fr_collect) ! break; ! ftail = &f->fr_next; ! } ! f = NULL; ! ptr = NULL; ! error = 0; ! } else if (req == (ioctlcmd_t)SIOCINAFR || ! req == (ioctlcmd_t)SIOCINIFR) { ! while ((f = *fprev) != NULL) { ! if (f->fr_collect >= fp->fr_collect) ! break; ! fprev = &f->fr_next; ! } ftail = fprev; if (fp->fr_hits != 0) { ! while (fp->fr_hits && (f = *ftail)) { ! if (f->fr_collect != fp->fr_collect) ! break; ! fprev = ftail; ftail = &f->fr_next; + fp->fr_hits--; + } } f = NULL; ptr = NULL; *************** *** 4238,4244 **** } if (*f->fr_grhead != '\0') fr_delgroup(f->fr_grhead, unit, set); ! fr_fixskip(fprev, f, -1); *ftail = f->fr_next; f->fr_next = NULL; (void)fr_derefrule(&f); --- 4369,4375 ---- } if (*f->fr_grhead != '\0') fr_delgroup(f->fr_grhead, unit, set); ! fr_fixskip(ftail, f, -1); *ftail = f->fr_next; f->fr_next = NULL; (void)fr_derefrule(&f); *************** *** 4259,4265 **** } else f = fp; if (f != NULL) { ! if (fg != NULL && fg->fg_head!= NULL ) fg->fg_head->fr_ref++; if (fp != f) bcopy((char *)fp, (char *)f, --- 4390,4396 ---- } else f = fp; if (f != NULL) { ! if (fg != NULL && fg->fg_head != NULL) fg->fg_head->fr_ref++; if (fp != f) bcopy((char *)fp, (char *)f, *************** *** 4278,4284 **** *ftail = f; if (req == (ioctlcmd_t)SIOCINIFR || req == (ioctlcmd_t)SIOCINAFR) ! fr_fixskip(fprev, f, 1); f->fr_grp = NULL; group = f->fr_grhead; if (*group != '\0') { --- 4409,4415 ---- *ftail = f; if (req == (ioctlcmd_t)SIOCINIFR || req == (ioctlcmd_t)SIOCINAFR) ! fr_fixskip(ftail, f, 1); f->fr_grp = NULL; group = f->fr_grhead; if (*group != '\0') { *************** *** 4978,4984 **** { static char namebuf[LIFNAMSIZ]; # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ ! 
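Review bot: The new comment trails off at `* For SIOCIN*FR, ...` and should state the rule the code below implements: the insertion point is the slot before the first rule whose fr_collect is >= fp->fr_collect, advanced by fp->fr_hits positions but never past the end of the run of rules with equal fr_collect. A sentence saying that SIOCAD*FR instead appends after the last rule with fr_collect <= fp->fr_collect would complete it. The insert loop also consumes `fp->fr_hits` by decrementing it in place; if a later part of frrequest copies `fp` into the stored rule (the 4390-4396 hunk shows a `bcopy` of fp into f), whatever remains in that field should be cleared there, which cannot be confirmed from this page.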
defined(__sgi) || defined(linux) || \ (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) int unit, space; char temp[20]; --- 5109,5115 ---- { static char namebuf[LIFNAMSIZ]; # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ ! defined(__sgi) || defined(linux) || defined(_AIX51) || \ (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) int unit, space; char temp[20]; *************** *** 4990,4996 **** (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ); buffer[LIFNAMSIZ - 1] = '\0'; # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ ! defined(__sgi) || \ (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) for (s = buffer; *s; s++) ; --- 5121,5127 ---- (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ); buffer[LIFNAMSIZ - 1] = '\0'; # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ ! defined(__sgi) || defined(_AIX51) || \ (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) for (s = buffer; *s; s++) ; *************** *** 5603,5608 **** --- 5734,5743 ---- sizeof(fr_update_ipid), 0 }, { { &fr_chksrc }, "fr_chksrc", 0, 1, sizeof(fr_chksrc), 0 }, + { { &fr_minttl }, "fr_minttl", 0, 1, + sizeof(fr_minttl), 0 }, + { { &fr_icmpminfragmtu }, "fr_icmpminfragmtu", 0, 1, + sizeof(fr_icmpminfragmtu), 0 }, { { &fr_pass }, "fr_pass", 0, 0xffffffff, sizeof(fr_pass), 0 }, /* state */ *************** *** 5748,5754 **** /* to the matching structure. */ /* ------------------------------------------------------------------------ */ static ipftuneable_t *fr_findtunebyname(name) ! char *name; { ipftuneable_t *ta; --- 5883,5889 ---- /* to the matching structure. */ /* ------------------------------------------------------------------------ */ static ipftuneable_t *fr_findtunebyname(name) ! 
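Review bot: The two new tuneable entries `fr_minttl` and `fr_icmpminfragmtu` are registered with a range of 0..1, which makes them settable only as on/off switches through the tuneable interface; the names read as a minimum TTL and a minimum next-hop MTU accepted in ICMP fragmentation-needed messages, thresholds that would normally exceed 1 (compare `fr_pass`, registered with 0xffffffff). If they are thresholds, the maxima should be widened (a TTL up to 255, an MTU up to 0xffff); if they really are boolean switches, a comment next to the entries saying so would prevent the same question later. The variables' declarations and uses are not on this page.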
const char *name; { ipftuneable_t *ta; *************** *** 5928,5933 **** --- 6063,6069 ---- tu.ipft_vshort = *ta->ipft_pshort; else if (ta->ipft_sz == sizeof(u_char)) tu.ipft_vchar = *ta->ipft_pchar; + tu.ipft_cookie = ta; tu.ipft_sz = ta->ipft_sz; tu.ipft_min = ta->ipft_min; tu.ipft_max = ta->ipft_max; *************** *** 6139,6169 **** /* ------------------------------------------------------------------------ */ - /* Function: fr_icmp4errortype */ - /* Returns: int - 1 == success, 0 == failure */ - /* Parameters: icmptype(I) - ICMP type number */ - /* */ - /* Tests to see if the ICMP type number passed is an error type or not. */ - /* ------------------------------------------------------------------------ */ - int fr_icmp4errortype(icmptype) - int icmptype; - { - - switch (icmptype) - { - case ICMP_SOURCEQUENCH : - case ICMP_PARAMPROB : - case ICMP_REDIRECT : - case ICMP_TIMXCEED : - case ICMP_UNREACH : - return 1; - default: - return 0; - } - } - - - /* ------------------------------------------------------------------------ */ /* Function: fr_resolvenic */ /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */ /* pointer to interface structure for NIC */ --- 6275,6280 ---- diff -crN ip_fil4.1.8/hpux.c ip_fil4.1.9/hpux.c *** ip_fil4.1.8/hpux.c Thu Dec 16 05:30:29 2004 --- ip_fil4.1.9/hpux.c Thu Jul 14 07:40:54 2005 *************** *** 46,53 **** #undef IPFDEBUG extern struct filterstats frstats[]; - extern ipfrwlock_t ipf_mutex, ipf_nat, ipf_global; - extern ipfmutex_t ipf_rw, ipf_stinsert; extern int fr_running; extern int fr_flags; extern int fr_check __P(()); --- 46,51 ---- diff -crN ip_fil4.1.8/ip_auth.c ip_fil4.1.9/ip_auth.c *** ip_fil4.1.8/ip_auth.c Thu Aug 26 21:25:21 2004 --- ip_fil4.1.9/ip_auth.c Sun Jun 12 17:18:14 2005 *************** *** 117,123 **** /* END OF INCLUDES */ #if !defined(lint) ! 
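Review bot: `tu.ipft_cookie = ta` places a kernel pointer into the structure that the tuneable ioctls hand back to user space; if `ipft_cookie` is copied out unchanged this discloses a kernel address, and if a later SIOCIPFGETNEXT/SIOCIPFSET path uses the cookie to resume iteration it must be revalidated against the tuneable table rather than dereferenced as supplied. An index into the table, or a pointer that is looked up by a table walk (as `fr_findtunebyname` does) before use, avoids both problems. The copy-out and the consuming path are outside this hunk, so this is hedged; a comment on the assignment stating how the cookie is validated on the way back in would settle it.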
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp $"; #endif --- 117,123 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.5 2005/06/12 07:18:14 darrenr Exp $"; #endif *************** *** 366,374 **** #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \ (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000)) struct ifqueue *ifq; ! # ifdef USE_SPL ! int s; ! # endif /* USE_SPL */ #endif frauth_t auth, *au = &auth, *fra; int i, error = 0, len; --- 366,372 ---- #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \ (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000)) struct ifqueue *ifq; ! SPL_INT(s); #endif frauth_t auth, *au = &auth, *fra; int i, error = 0, len; *************** *** 505,514 **** # ifdef MENTAT error = !putq(fra->fra_q, m); # else /* MENTAT */ ! # ifdef linux # else # if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \ ! (defined(__sgi) && (IRIX >= 60500) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 470102))) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); --- 503,512 ---- # ifdef MENTAT error = !putq(fra->fra_q, m); # else /* MENTAT */ ! # if defined(linux) || defined(AIX) # else # if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \ ! (defined(__sgi) && (IRIX >= 60500) || defined(AIX) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 470102))) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); *************** *** 525,536 **** # ifdef MENTAT error = !putq(fra->fra_q, m); # else /* MENTAT */ ! # ifdef linux # else ! # if __FreeBSD_version >= 501000 netisr_dispatch(NETISR_IP, m); # else ! # if IRIX >= 60516 ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd; # else ifq = &ipintrq; --- 523,534 ---- # ifdef MENTAT error = !putq(fra->fra_q, m); # else /* MENTAT */ ! # if defined(linux) || defined(AIX) # else ! 
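Review bot: The `defined(AIX)` added to the inner `#if` is unreachable: it sits in the `# else` branch of the new `# if defined(linux) || defined(AIX)` guard, so it is only evaluated when AIX is not defined. The same outer guard is added in the 523-534 hunk, so on AIX both sites take the empty branch, which leaves `error` unchanged and, as far as the hunk shows, does nothing with `m`; that should be stated with a comment such as `/* AIX: no re-injection path here */` rather than left to be inferred, and the dead `defined(AIX)` dropped. Consistency across the patch is also worth a look: fil.c and ip_compat.h test `_AIX51` while this file tests `AIX` (the Makefile's `-DAIX=$(AIX)`).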
# if (__FreeBSD_version >= 501000) netisr_dispatch(NETISR_IP, m); # else ! # if (IRIX >= 60516) ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd; # else ifq = &ipintrq; *************** *** 661,669 **** register frauthent_t *fae, **faep; register frentry_t *fr, **frp; mb_t *m; ! # if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL) ! int s; ! # endif if (fr_auth_lock) return; --- 659,665 ---- register frauthent_t *fae, **faep; register frentry_t *fr, **frp; mb_t *m; ! SPL_INT(s); if (fr_auth_lock) return; *************** *** 712,720 **** { frauthent_t *fae, **faep; int error = 0; ! # if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL) ! int s; ! #endif if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) return EIO; --- 708,714 ---- { frauthent_t *fae, **faep; int error = 0; ! SPL_INT(s); if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) return EIO; diff -crN ip_fil4.1.8/ip_compat.h ip_fil4.1.9/ip_compat.h *** ip_fil4.1.8/ip_compat.h Mon Mar 28 19:33:36 2005 --- ip_fil4.1.9/ip_compat.h Fri Aug 12 01:13:49 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.142.2.25 2005/03/28 09:33:36 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.142.2.30 2005/08/11 15:13:49 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 766,772 **** /* F R E E B S D */ /* ----------------------------------------------------------------------- */ #ifdef __FreeBSD__ ! # if defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(KLD_MODULE) # if (__FreeBSD_version >= 500000) # include "opt_bpf.h" # else --- 766,772 ---- /* F R E E B S D */ /* ----------------------------------------------------------------------- */ #ifdef __FreeBSD__ ! 
# if defined(_KERNEL) # if (__FreeBSD_version >= 500000) # include "opt_bpf.h" # else *************** *** 1204,1209 **** --- 1204,1318 ---- #endif + /* ----------------------------------------------------------------------- */ + /* A I X */ + /* ----------------------------------------------------------------------- */ + #if defined(_AIX51) + # undef MENTAT + + # include + # include + + # ifdef _KERNEL + # define rw_read_locked(x) 0 + # include + # include + # define KMUTEX_T simple_lock_t + # define KRWLOCK_T complex_lock_t + # define USE_MUTEXES 1 + # define USE_SPL 1 + # define READ_ENTER(x) lock_read((x)->ipf_lk) + # define WRITE_ENTER(x) lock_write((x)->ipf_lk) + # define MUTEX_DOWNGRADE(x) lock_write_to_read((x)->ipf_lk) + # define RWLOCK_INIT(x, y) lock_alloc(&(x)->ipf_lk, \ + LOCK_ALLOC_PIN, \ + (u_short)y, 0); \ + lock_init((x)->ipf_lk, TRUE) + # define RWLOCK_EXIT(x) lock_done((x)->ipf_lk) + # define RW_DESTROY(x) lock_free(&(x)->ipf_lk) + # define MUTEX_ENTER(x) simple_lock((x)->ipf_lk) + # define MUTEX_INIT(x, y) lock_alloc(&(x)->ipf_lk, \ + LOCK_ALLOC_PIN, \ + (u_short)y, 0); \ + simple_lock_init((x)->ipf_lk) + # define MUTEX_DESTROY(x) lock_free(&(x)->ipf_lk) + # define MUTEX_EXIT(x) simple_unlock((x)->ipf_lk) + # define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk)) + # define ATOMIC_INC64(x) { MUTEX_ENTER(&ipf_rw); (x)++; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_DEC64(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_INC32(x) { MUTEX_ENTER(&ipf_rw); (x)++; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_DEC32(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_INCL(x) { MUTEX_ENTER(&ipf_rw); (x)++; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_DECL(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); (x)++; \ + MUTEX_EXIT(&ipf_rw); } + # define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ + MUTEX_EXIT(&ipf_rw); } + # define 
SPL_NET(x) x = splnet() + # define SPL_IMP(x) x = splimp() + # undef SPL_X + # define SPL_X(x) splx(x) + # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) + extern void* getifp __P((char *, int)); + # define GETIFP(n, v) getifp(n, v) + # define GET_MINOR minor + # define SLEEP(id, n) sleepx((id), PZERO+1, 0) + # define WAKEUP(id,x) wakeup(id) + # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) + # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) + # define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) + # define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) + # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT) + # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, \ + ((c) > 4096) ? M_WAITOK : M_NOWAIT) + # define KFREE(x) FREE((x), M_TEMP) + # define KFREES(x,s) FREE((x), M_TEMP) + # define MSGDSIZE(x) mbufchainlen(x) + # define M_LEN(x) (x)->m_len + # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) + # define GETKTIME(x) + # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ + ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) + # define IPF_PANIC(x,y) + typedef struct mbuf mb_t; + # endif /* _KERNEL */ + + /* + * These are from's Solaris' #defines for little endian. + */ + #if !defined(IP6F_MORE_FRAG) + # define IP6F_MORE_FRAG 0x0100 + #endif + #if !defined(IP6F_RESERVED_MASK) + # define IP6F_RESERVED_MASK 0x0600 + #endif + #if !defined(IP6F_OFF_MASK) + # define IP6F_OFF_MASK 0xf8ff + #endif + + struct ip6_ext { + u_char ip6e_nxt; + u_char ip6e_len; + }; + + typedef int ioctlcmd_t; + typedef int minor_t; + /* + * Really, any arch where sizeof(long) != sizeof(int). + */ + typedef unsigned int u_32_t; + # define U_32_T 1 + + # define OS_RECOGNISED 1 + #endif /* _AIX51 */ + + #ifndef OS_RECOGNISED #error ip_compat.h does not recognise this platform/OS. #endif *************** *** 1219,1225 **** * For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in * filter rules. */ ! 
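Review bot: `RWLOCK_INIT(x, y)` and `MUTEX_INIT(x, y)` expand to two statements separated by `;` without braces, so a use such as `if (cond) MUTEX_INIT(&m, "name");` would run `lock_alloc()` conditionally and `simple_lock_init()` unconditionally; wrap both bodies in `do { … } while (0)`, as the ATOMIC_* macros already use braces. Several AIX macros are defined as no-ops, `GETKTIME(x)`, `IPF_PANIC(x,y)` and `rw_read_locked(x) 0`, which presumably leaves log records without a kernel timestamp, silences the internal consistency checks, and tells any caller asking whether a lock is read-held that it never is; each deserves a comment stating that this is deliberate for AIX. The comment `These are from's Solaris' #defines` also has a stray `'s`.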
#if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0)) # define IPFILTER_BPF #endif --- 1328,1334 ---- * For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in * filter rules. */ ! #if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0) || (DEV_BPF > 0)) # define IPFILTER_BPF #endif *************** *** 1311,1316 **** --- 1420,1426 ---- # define M_LEN(x) (x)->mb_len # define M_DUPLICATE(x) (x) # define GETKTIME(x) gettimeofday((struct timeval *)(x), NULL) + # undef MTOD # define MTOD(m, t) ((t)(m)->mb_buf) # define FREE_MB_T(x) # define SLEEP(x,y) 1; *************** *** 1561,1566 **** --- 1671,1682 ---- # define ATOMIC_DEC(x) (x)-- #endif + #if defined(USE_SPL) && defined(_KERNEL) + # define SPL_INT(x) int x + #else + # define SPL_INT(x) + #endif + /* * If there are no atomic operations for bit sizes defined, define them to all * use a generic one that works for all sizes. *************** *** 2271,2277 **** /* * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data, * another IP header and then 64 bits of data, totalling 56. Of course, ! * the last 64 bits is dependant on that being available. */ #define ICMPERR_ICMPHLEN 8 #define ICMPERR_IPICMPHLEN (20 + 8) --- 2387,2393 ---- /* * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data, * another IP header and then 64 bits of data, totalling 56. Of course, ! * the last 64 bits is dependent on that being available. */ #define ICMPERR_ICMPHLEN 8 #define ICMPERR_IPICMPHLEN (20 + 8) *************** *** 2290,2293 **** --- 2406,2413 ---- # define DPRINT(x) #endif + #ifdef RESCUE + # undef IPFILTER_BPF + #endif + #endif /* __IP_COMPAT_H__ */ diff -crN ip_fil4.1.8/ip_fil.h ip_fil4.1.9/ip_fil.h *** ip_fil4.1.8/ip_fil.h Mon Mar 28 20:47:52 2005 --- ip_fil4.1.9/ip_fil.h Sat Jul 16 15:55:35 2005 *************** *** 4,15 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! 
* $Id: ip_fil.h,v 2.170.2.18 2005/03/28 10:47:52 darrenr Exp $ */ #ifndef __IP_FIL_H__ #define __IP_FIL_H__ #ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif --- 4,17 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $ */ #ifndef __IP_FIL_H__ #define __IP_FIL_H__ + #include "netinet/ip_compat.h" + #ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif *************** *** 22,28 **** # endif #endif ! #if defined(__STDC__) || defined(__GNUC__) # define SIOCADAFR _IOW('r', 60, struct ipfobj) # define SIOCRMAFR _IOW('r', 61, struct ipfobj) # define SIOCSETFF _IOW('r', 62, u_int) --- 24,30 ---- # endif #endif ! #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) # define SIOCADAFR _IOW('r', 60, struct ipfobj) # define SIOCRMAFR _IOW('r', 61, struct ipfobj) # define SIOCSETFF _IOW('r', 62, u_int) *************** *** 911,916 **** --- 913,921 ---- } tcpinfo_t; + /* + * Structures to define a GRE header as seen in a packet. + */ struct grebits { u_32_t grb_C:1; u_32_t grb_R:1; *************** *** 945,951 **** #define gr_A gr_bits.grb_A #define gr_ver gr_bits.grb_ver ! typedef struct greinfo { u_short gs_call[2]; u_short gs_flags; --- 950,958 ---- #define gr_A gr_bits.grb_A #define gr_ver gr_bits.grb_ver ! /* ! * GRE information tracked by "keep state" ! */ typedef struct greinfo { u_short gs_call[2]; u_short gs_flags; *************** *** 956,961 **** --- 963,982 ---- /* + * Format of an Authentication header + */ + typedef struct authhdr { + u_char ah_next; + u_char ah_plen; + u_short ah_reserved; + u_32_t ah_spi; + u_32_t ah_seq; + /* Following the sequence number field is 0 or more bytes of */ + /* authentication data, as specified by ah_plen - RFC 2402. 
*/ + } authhdr_t; + + + /* * Timeout tail queue list member */ typedef struct ipftqent { *************** *** 1235,1240 **** --- 1256,1262 ---- extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new; extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag; extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; + extern ipfrwlock_t ipf_frcache; extern char *memstr __P((char *, char *, int, int)); extern int count4bits __P((u_32_t)); *************** *** 1309,1315 **** extern void fr_forgetifp __P((void *)); extern frentry_t *fr_getrulen __P((int, char *, u_32_t)); extern void fr_getstat __P((struct friostat *)); - extern int fr_icmp4errortype __P((int)); extern int fr_ifpaddr __P((int, int, void *, struct in_addr *, struct in_addr *)); extern int fr_initialise __P((void)); --- 1331,1336 ---- diff -crN ip_fil4.1.8/ip_fil_aix.c ip_fil4.1.9/ip_fil_aix.c *** ip_fil4.1.8/ip_fil_aix.c Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/ip_fil_aix.c Sat Aug 13 15:23:28 2005 *************** *** 0 **** --- 1,1732 ---- + /* + * Copyright (C) 1993-2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. 
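Review bot: `authhdr_t` gains a comment about the trailing authentication data but not the unit of `ah_plen`: per RFC 2402 it is the AH length in 32-bit words minus 2, so the whole header occupies `(ah_plen + 2) * 4` bytes, and any parser stepping past the AH must bound that value against the remaining packet length before using it. Add that on the field, `/* AH length in 32-bit words, minus 2 (RFC 2402) */`, so callers do not read `ah_plen` as a byte count.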
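Review bot: The new `extern ipfrwlock_t ipf_frcache;` has no matching definition among the lock objects the new AIX port declares on this page (`ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag;` and the line after it), nor an `RWLOCK_INIT` for it in `ipfattach()`; unless it is defined and initialised in another platform file, an AIX build that references it will fail to link or use an uninitialised lock. Since frrequest on this page clears `frcache` under `WRITE_ENTER(&ipf_mutex)`, a comment on this declaration saying which lock actually guards `frcache` would help.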
+ */ + #define __FULL_PROTO + #if !defined(lint) + static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; + static const char rcsid[] = "@(#)$Id: ip_fil_aix.c,v 2.1.2.1 2005/08/13 05:23:28 darrenr Exp $"; + #endif + + #if defined(KERNEL) || defined(_KERNEL) + # undef KERNEL + # undef _KERNEL + # define KERNEL 1 + # define _KERNEL 1 + #endif + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include "netinet/ip_compat.h" + #ifdef USE_INET6 + # include + #endif + #include "netinet/ip_fil.h" + #include "netinet/ip_nat.h" + #include "netinet/ip_frag.h" + #include "netinet/ip_state.h" + #include "netinet/ip_proxy.h" + #include "netinet/ip_auth.h" + #ifdef IPFILTER_SYNC + #include "netinet/ip_sync.h" + #endif + #ifdef IPFILTER_SCAN + #include "netinet/ip_scan.h" + #endif + #include "netinet/ip_pool.h" + #ifdef INET + extern int ip_optcopy __P((struct ip *, struct ip *)); + #endif + + /* + ipstat + inbound_fw + nethsque + rw_read_locked + ip_output + netisr_dispatch + ipforwarding + ip_output_post_fw + ipintr_noqueue_post_fw + max_linkhdr + in_localaddr + ip_optcopy + outbound_fw + */ + + + static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); + static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **)); + #ifdef KMUTEX_T + extern ipfmutex_t ipf_rw; + extern ipfrwlock_t ipf_mutex; + #endif + #ifdef USE_INET6 + static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, + fr_info_t *, frdest_t *)); + #endif + + #include + #include + + void fr_check_inbound __P((struct ifnet *, struct mbuf *, inbound_fw_args_t *)); + int fr_check_outbound __P((struct ifnet *, struct mbuf *, outbound_fw_args_t *)); + + int ipfopen __P((dev_t, u_long, chan_t, int)); + int ipfclose __P((dev_t, chan_t)); + int ipfread __P((dev_t, 
struct uio *, chan_t, int)); + int ipfwrite __P((dev_t, struct uio *, chan_t, int)); + int ipfioctl __P((dev_t, int, caddr_t, int)); + int ipfconfig __P((dev_t, int, struct uio *)); + + ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; + ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; + ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag; + ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; + int ipf_locks_done = 0; + + const struct devsw ipfdevsw = { + ipfopen, /* d_open entry point for open routine */ + ipfclose, /* d_close entry point for close routine */ + ipfread, /* d_read entry point for read routine */ + ipfwrite, /* d_write entry point for write routine */ + ipfioctl, /* d_ioctl entry point for ioctl routine */ + nodev, /* d_strategy entry point for strategy routine */ + NULL, /* d_ttys pointer to tty device structure */ + nodev, /* d_select entry point for select routine */ + ipfconfig, /* d_config entry point for config routine */ + nodev, /* d_print entry point for print routine */ + nodev, /* d_dump entry point for dump routine */ + nodev, /* d_mpx entry point for mpx routine */ + nodev, /* d_revoke entry point for revoke routine */ + NULL, /* d_dsdptr pointer to device specific data */ + 0, /* d_selptr ptr to outstanding select cntl blks */ + #ifdef _IA64 + DEV_MPSAFE | DEV_64BIT + #else + 0 /* d_opts internal device switch control field */ + #endif + + }; + + + int ipfconfig(devno, cmd, uiop) + dev_t devno; + int cmd; + struct uio *uiop; + { + int error = EINVAL; + + printf("ipfconfig(%u,%x,%p)\n", devno,cmd,uiop); + + switch (cmd) + { + case CFG_INIT : + error = devswadd(devno, &ipfdevsw); + if (error == 0) + error = ipfattach(); + break; + case CFG_TERM : + error = devswdel(devno); + break; + case CFG_QVPD : + error = 0; + break; + default : + return EINVAL; + } + + return 0; + } + + + int ipfattach() + { + int s; + + SPL_NET(s); + if ((fr_running > 0) || (inbound_fw == fr_check_inbound)) { + printf("IP Filter: already 
initialized\n"); + SPL_X(s); + return EBUSY; + } + + bzero((char *)frcache, sizeof(frcache)); + MUTEX_INIT(&ipf_rw, "ipf rw mutex"); + MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock mutex"); + RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); + ipf_locks_done = 1; + + if (fr_initialise() < 0) { + SPL_X(s); + return EIO; + } + + bzero((char *)frcache, sizeof(frcache)); + inbound_fw = fr_check_inbound; + outbound_fw = fr_check_outbound; + + if (fr_control_forwarding & 1) + ipforwarding = 1; + + SPL_X(s); + + return 0; + } + + + /* + * Disable the filter by removing the hooks from the IP input/output + * stream. + */ + int ipldetach() + { + int s; + + SPL_NET(s); + + inbound_fw = NULL; + outbound_fw = NULL; + (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); + + if (fr_control_forwarding & 2) + ipforwarding = 0; + + fr_deinitialise(); + + SPL_X(s); + return 0; + } + + + /* + * explicit inbound hook to call fr_check from + */ + void fr_check_inbound(ifp, m, args) + struct ifnet *ifp; + struct mbuf *m; + inbound_fw_args_t *args; + { + ip_t *ip; + + if (fr_check_mbuf(&m) == -1) { + if (m != NULL) { + FREE_MB_T(m); + } + return; + } + + ip = mtod(m, ip_t *); + + switch (fr_check (ip, ip->ip_hl << 2, ifp, 0, &m)) + { + case 0 : + ipintr_noqueue_post_fw(ifp, m, args); + break; + default : + if (m != NULL) { + FREE_MB_T(m); + } + break; + } + + return; + } + + + /* + * explicit outbound hook to call fr_check from + */ + int fr_check_outbound(ifp, m, args) + struct ifnet *ifp; + struct mbuf *m; + outbound_fw_args_t *args; + { + ip_t *ip; + + if (fr_check_mbuf(&m) == -1) { + if (m != NULL) { + FREE_MB_T(m); + } + return 1; /* FIREWALL_NOTOK */ + } + + ip = mtod(m, ip_t *); + + switch (fr_check (ip, ip->ip_hl << 2, ifp, 1, &m)) + { + case 0 : + ip_output_post_fw(ifp, m, args); + return 0; /* FIREWALL_OK */ + default : + break; + } + + if (m != NULL) { + FREE_MB_T(m); + } + return 1; /* FIREWALL_NOTOK */ + } + 
+ int fr_check_mbuf(mp) + struct mbuf **mp; + { + struct mbuf *m, *m0; + int i, hlen; + ip_t *ip; + + m = *mp; + + if ((m->m_len < sizeof (struct ip)) && + (m = m_pullup(m, sizeof (struct ip))) == 0) { + *mp = m; + ipstat.ips_toosmall++; + return -1; + } + ip = mtod(m, struct ip *); + + switch (ip->ip_v) + { + case 4 : + hlen = ip->ip_hl << 2; + if (hlen < sizeof(struct ip)) { /* minimum header length */ + ipstat.ips_badhlen++; + return -1; + } + if ((hlen > sizeof(struct ip)) && (hlen > m->m_len)) { + if ((m = m_pullup(m, hlen)) == 0) { + *mp = m; + ipstat.ips_badhlen++; + return -2; + } + ip = mtod(m, struct ip *); + } + if (ip->ip_sum = in_cksum(m, hlen)) { + ipstat.ips_badsum++; + return -1; + } + + /* + * Convert fields to host representation. + * XXX - no need for NTOHS on big endian (sparc) + */ + NTOHS(ip->ip_len); + if (ip->ip_len < hlen) { + ipstat.ips_badlen++; + return -1; + } + NTOHS(ip->ip_id); + NTOHS(ip->ip_off); + + /* + * Check that the amount of data in the buffers + * is as at least much as the IP header would have us expect. + * Trim mbufs if longer than we expect. + * Drop packet if shorter than we expect. + */ + i = -(u_short)ip->ip_len; + m0 = m; + for (;;) { + i += m->m_len; + if (m->m_next == 0) + break; + m = m->m_next; + } + if (i != 0) { + if (i < 0) { + ipstat.ips_tooshort++; + m = m0; + return -1; + } + if (i <= m->m_len) + m->m_len -= i; + else + m_adj(m0, -i); + } + break; + #ifdef USE_INET6 + case 6 : + break; + #endif + default : + return -1; + } + return 0; + } + + + /* + * Filter ioctl interface. 
+ */ + int ipfioctl(dev, cmd, data, mode) + dev_t dev; + int cmd; + caddr_t data; + int mode; + { + int s; + int error = 0, unit = 0, tmp; + friostat_t fio; + + unit = GET_MINOR(dev); + if ((IPL_LOGMAX < unit) || (unit < 0)) + return ENXIO; + + if (fr_running <= 0) { + if (unit != IPL_LOGIPF) + return EIO; + if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET && + cmd != SIOCIPFSET && cmd != SIOCFRENB && + cmd != SIOCGETFS && cmd != SIOCGETFF) + return EIO; + } + + SPL_NET(s); + + error = fr_ioctlswitch(unit, data, cmd, mode); + if (error != -1) { + SPL_X(s); + return error; + } + error = 0; + + switch (cmd) + { + case FIONREAD : + #ifdef IPFILTER_LOG + BCOPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data, + sizeof(iplused[IPL_LOGIPF])); + #endif + break; + case SIOCFRENB : + if (!(mode & FWRITE)) + error = EPERM; + else { + BCOPYIN(data, &tmp, sizeof(tmp)); + if (tmp) { + if (fr_running > 0) + error = 0; + else + error = ipfattach(); + if (error == 0) + fr_running = 1; + else + (void) ipldetach(); + } else { + error = ipldetach(); + if (error == 0) + fr_running = -1; + } + } + break; + case SIOCIPFSET : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + case SIOCIPFGETNEXT : + case SIOCIPFGET : + error = fr_ipftune(cmd, data); + break; + case SIOCSETFF : + if (!(mode & FWRITE)) + error = EPERM; + else + BCOPYIN(data, &fr_flags, sizeof(fr_flags)); + break; + case SIOCGETFF : + BCOPYOUT(&fr_flags, data, sizeof(fr_flags)); + break; + case SIOCFUNCL : + error = fr_resolvefunc(data); + break; + case SIOCINAFR : + case SIOCRMAFR : + case SIOCADAFR : + case SIOCZRLST : + if (!(mode & FWRITE)) + error = EPERM; + else + error = frrequest(unit, cmd, data, fr_active, 1); + break; + case SIOCINIFR : + case SIOCRMIFR : + case SIOCADIFR : + if (!(mode & FWRITE)) + error = EPERM; + else + error = frrequest(unit, cmd, data, 1 - fr_active, 1); + break; + case SIOCSWAPA : + if (!(mode & FWRITE)) + error = EPERM; + else { + bzero((char *)frcache, sizeof(frcache[0]) * 2); + *(u_int *)data 
= fr_active; + fr_active = 1 - fr_active; + } + break; + case SIOCGETFS : + fr_getstat(&fio); + error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT); + break; + case SIOCFRZST : + if (!(mode & FWRITE)) + error = EPERM; + else + error = fr_zerostats(data); + break; + case SIOCIPFFL : + if (!(mode & FWRITE)) + error = EPERM; + else { + BCOPYIN(data, &tmp, sizeof(tmp)); + tmp = frflush(unit, 4, tmp); + BCOPYOUT(&tmp, data, sizeof(tmp)); + } + break; + #ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + BCOPYIN(data, &tmp, sizeof(tmp)); + tmp = frflush(unit, 6, tmp); + BCOPYOUT(&tmp, data, sizeof(tmp)); + } + break; + #endif + case SIOCSTLCK : + BCOPYIN(data, &tmp, sizeof(tmp)); + fr_state_lock = tmp; + fr_nat_lock = tmp; + fr_frag_lock = tmp; + fr_auth_lock = tmp; + break; + #ifdef IPFILTER_LOG + case SIOCIPFFB : + if (!(mode & FWRITE)) + error = EPERM; + else + *(int *)data = ipflog_clear(unit); + break; + #endif /* IPFILTER_LOG */ + case SIOCGFRST : + error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT); + break; + case SIOCFRSYN : + if (!(mode & FWRITE)) + error = EPERM; + else { + frsync(NULL); + } + break; + default : + error = EINVAL; + break; + } + SPL_X(s); + return error; + } + + + #if 0 + void fr_forgetifp(ifp) + void *ifp; + { + register frentry_t *f; + + WRITE_ENTER(&ipf_mutex); + for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + #ifdef USE_INET6 + for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next) + if 
(f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + #endif + RWLOCK_EXIT(&ipf_mutex); + fr_natsync(ifp); + } + #endif + + + /* + * routines below for saving IP headers to buffer + */ + int ipfopen(dev_t dev, u_long flags, chan_t chan, int ext) + { + u_int min = GET_MINOR(dev); + + if (IPL_LOGMAX < min) + min = ENXIO; + else + min = 0; + return min; + } + + + int ipfclose(dev_t dev, chan_t chan) + { + u_int min = GET_MINOR(dev); + + if (IPL_LOGMAX < min) + min = ENXIO; + else + min = 0; + return min; + } + + /* + * ipfread/ipllog + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. + */ + int ipfread(dev_t dev, struct uio *uio, chan_t chan, int ext) + { + + # ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_read(uio); + # endif + + #ifdef IPFILTER_LOG + return ipflog_read(GET_MINOR(dev), uio); + #else + return ENXIO; + #endif + } + + + /* + * ipfwrite + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. + */ + int ipfwrite(dev_t dev, struct uio *uio, chan_t chan, int ext) + { + + #ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif + return ENXIO; + } + + + /* + * fr_send_reset - this could conceivably be a call to tcp_respond(), but that + * requires a large amount of setting up and isn't any more efficient. 
+ */ + int fr_send_reset(fin) + fr_info_t *fin; + { + struct tcphdr *tcp, *tcp2; + int tlen = 0, hlen; + struct mbuf *m; + #ifdef USE_INET6 + ip6_t *ip6; + #endif + ip_t *ip; + + tcp = fin->fin_dp; + if (tcp->th_flags & TH_RST) + return -1; /* feedback loop */ + + #ifndef IPFILTER_CKSUM + if (fr_checkl4sum(fin) == -1) + return -1; + #endif + + tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); + + #ifdef USE_INET6 + hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t); + #else + hlen = sizeof(ip_t); + #endif + #ifdef MGETHDR + MGETHDR(m, M_DONTWAIT, MT_HEADER); + #else + MGET(m, M_DONTWAIT, MT_HEADER); + #endif + if (m == NULL) + return -1; + if (sizeof(*tcp2) + hlen > MHLEN) { + MCLGET(m, M_DONTWAIT); + if (m == NULL) + return -1; + if ((m->m_flags & M_EXT) == 0) { + FREE_MB_T(m); + return -1; + } + } + + m->m_len = sizeof(*tcp2) + hlen; + m->m_data += max_linkhdr; + m->m_pkthdr.len = m->m_len; + m->m_pkthdr.rcvif = (struct ifnet *)0; + ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); + #ifdef USE_INET6 + ip6 = (ip6_t *)ip; + #endif + bzero((char *)ip, sizeof(*tcp2) + hlen); + tcp2 = (struct tcphdr *)((char *)ip + hlen); + tcp2->th_sport = tcp->th_dport; + tcp2->th_dport = tcp->th_sport; + + if (tcp->th_flags & TH_ACK) { + tcp2->th_seq = tcp->th_ack; + tcp2->th_flags = TH_RST; + tcp2->th_ack = 0; + } else { + tcp2->th_seq = 0; + tcp2->th_ack = ntohl(tcp->th_seq); + tcp2->th_ack += tlen; + tcp2->th_ack = htonl(tcp2->th_ack); + tcp2->th_flags = TH_RST|TH_ACK; + } + tcp2->th_x2 = 0; + TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2); + tcp2->th_win = tcp->th_win; + tcp2->th_sum = 0; + tcp2->th_urp = 0; + + #ifdef USE_INET6 + if (fin->fin_v == 6) { + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; + ip6->ip6_plen = htons(sizeof(struct tcphdr)); + ip6->ip6_nxt = IPPROTO_TCP; + ip6->ip6_hlim = 0; + ip6->ip6_src = fin->fin_dst6; + ip6->ip6_dst = fin->fin_src6; + tcp2->th_sum = in6_cksum(m, IPPROTO_TCP, + 
sizeof(*ip6), sizeof(*tcp2)); + return fr_send_ip(fin, m, &m); + } + #endif + #ifdef INET + ip->ip_p = IPPROTO_TCP; + ip->ip_len = htons(sizeof(struct tcphdr)); + ip->ip_src.s_addr = fin->fin_daddr; + ip->ip_dst.s_addr = fin->fin_saddr; + tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2)); + ip->ip_len = hlen + sizeof(*tcp2); + return fr_send_ip(fin, m, &m); + #else + return 0; + #endif + } + + + static int fr_send_ip(fin, m, mpp) + fr_info_t *fin; + mb_t *m, **mpp; + { + fr_info_t fnew; + #ifdef INET + ip_t *oip; + #endif + ip_t *ip; + int hlen; + + ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); + + IP_V_A(ip, fin->fin_v); + switch (fin->fin_v) + { + #ifdef INET + case 4 : + fnew.fin_v = 4; + oip = fin->fin_ip; + IP_HL_A(ip, sizeof(*oip) >> 2); + ip->ip_tos = oip->ip_tos; + ip->ip_id = fr_nextipid(fin); + ip->ip_off = 0; + ip->ip_ttl = IPDEFTTL; + ip->ip_sum = 0; + hlen = sizeof(*oip); + break; + #endif + #ifdef USE_INET6 + case 6 : + { + ip6_t *ip6 = (ip6_t *)ip; + + ip6->ip6_vfc = 0x60; + ip6->ip6_hlim = IPDEFTTL; + + fnew.fin_v = 6; + hlen = sizeof(*ip6); + break; + } + #endif + default : + return EINVAL; + } + #ifdef IPSEC + m->m_pkthdr.rcvif = NULL; + #endif + + fnew.fin_ifp = fin->fin_ifp; + fnew.fin_flx = FI_NOCKSUM; + fnew.fin_m = m; + fnew.fin_ip = ip; + fnew.fin_mp = mpp; + fnew.fin_hlen = hlen; + fnew.fin_dp = (char *)ip + hlen; + (void) fr_makefrip(hlen, ip, &fnew); + + return fr_fastroute(m, mpp, &fnew, NULL); + } + + + int fr_send_icmp_err(type, fin, dst) + int type; + fr_info_t *fin; + int dst; + { + int err, hlen, xtra, iclen, ohlen, avail, code; + struct in_addr dst4; + struct icmp *icmp; + struct mbuf *m; + void *ifp; + #ifdef USE_INET6 + ip6_t *ip6; + struct in6_addr dst6; + #endif + ip_t *ip, *ip2; + + if ((type < 0) || (type > ICMP_MAXTYPE)) + return -1; + + code = fin->fin_icode; + #ifdef USE_INET6 + if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int))) + return -1; + #endif + + #ifndef IPFILTER_CKSUM + if 
(fr_checkl4sum(fin) == -1) + return -1; + #endif + #ifdef MGETHDR + MGETHDR(m, M_DONTWAIT, MT_HEADER); + #else + MGET(m, M_DONTWAIT, MT_HEADER); + #endif + if (m == NULL) + return -1; + avail = MHLEN; + + xtra = 0; + hlen = 0; + ohlen = 0; + ifp = fin->fin_ifp; + if (fin->fin_v == 4) { + if ((fin->fin_p == IPPROTO_ICMP) && + !(fin->fin_flx & FI_SHORT)) + switch (ntohs(fin->fin_data[0]) >> 8) + { + case ICMP_ECHO : + case ICMP_TSTAMP : + case ICMP_IREQ : + case ICMP_MASKREQ : + break; + default : + FREE_MB_T(m); + return 0; + } + + if (dst == 0) { + if (fr_ifpaddr(4, FRI_NORMAL, ifp, + &dst4, NULL) == -1) { + FREE_MB_T(m); + return -1; + } + } else + dst4.s_addr = fin->fin_daddr; + + hlen = sizeof(ip_t); + ohlen = fin->fin_hlen; + if (fin->fin_hlen < fin->fin_plen) + xtra = MIN(fin->fin_dlen, 8); + else + xtra = 0; + } + + #ifdef USE_INET6 + else if (fin->fin_v == 6) { + hlen = sizeof(ip6_t); + ohlen = sizeof(ip6_t); + type = icmptoicmp6types[type]; + if (type == ICMP6_DST_UNREACH) + code = icmptoicmp6unreach[code]; + + if (hlen + sizeof(*icmp) + max_linkhdr + + fin->fin_plen > avail) { + MCLGET(m, M_DONTWAIT); + if (m == NULL) + return -1; + if ((m->m_flags & M_EXT) == 0) { + FREE_MB_T(m); + return -1; + } + avail = MCLBYTES; + } + xtra = MIN(fin->fin_plen, + avail - hlen - sizeof(*icmp) - max_linkhdr); + if (dst == 0) { + if (fr_ifpaddr(6, FRI_NORMAL, ifp, + (struct in_addr *)&dst6, NULL) == -1) { + FREE_MB_T(m); + return -1; + } + } else + dst6 = fin->fin_dst6; + } + #endif + else { + FREE_MB_T(m); + return -1; + } + + iclen = hlen + sizeof(*icmp); + avail -= (max_linkhdr + iclen); + if (avail < 0) { + FREE_MB_T(m); + return -1; + } + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_data += max_linkhdr; + m->m_pkthdr.rcvif = (struct ifnet *)0; + m->m_pkthdr.len = iclen; + m->m_len = iclen; + ip = mtod(m, ip_t *); + icmp = (struct icmp *)((char *)ip + hlen); + ip2 = (ip_t *)&icmp->icmp_ip; + + icmp->icmp_type = type; + icmp->icmp_code = fin->fin_icode; + 
icmp->icmp_cksum = 0; + #ifdef icmp_nextmtu + if (type == ICMP_UNREACH && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) + icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu); + #endif + + bcopy((char *)fin->fin_ip, (char *)ip2, ohlen); + + #if defined(M_CSUM_IPv4) + /* + * Clear any in-bound checksum flags for this packet. + */ + m->m_pkthdr.csuminfo = 0; + #endif /* __NetBSD__ && M_CSUM_IPv4 */ + + #ifdef USE_INET6 + ip6 = (ip6_t *)ip; + if (fin->fin_v == 6) { + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; + ip6->ip6_plen = htons(iclen - hlen); + ip6->ip6_nxt = IPPROTO_ICMPV6; + ip6->ip6_hlim = 0; + ip6->ip6_src = dst6; + ip6->ip6_dst = fin->fin_src6; + if (xtra > 0) + bcopy((char *)fin->fin_ip + ohlen, + (char *)&icmp->icmp_ip + ohlen, xtra); + icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6, + sizeof(*ip6), iclen - hlen); + } else + #endif + { + ip2->ip_len = htons(ip2->ip_len); + ip2->ip_off = htons(ip2->ip_off); + ip->ip_p = IPPROTO_ICMP; + ip->ip_src.s_addr = dst4.s_addr; + ip->ip_dst.s_addr = fin->fin_saddr; + + if (xtra > 0) + bcopy((char *)fin->fin_ip + ohlen, + (char *)&icmp->icmp_ip + ohlen, xtra); + icmp->icmp_cksum = ipf_cksum((u_short *)icmp, + sizeof(*icmp) + 8); + ip->ip_len = iclen; + ip->ip_p = IPPROTO_ICMP; + } + err = fr_send_ip(fin, m, &m); + return err; + } + + + int fr_fastroute(m0, mpp, fin, fdp) + mb_t *m0, **mpp; + fr_info_t *fin; + frdest_t *fdp; + { + register struct ip *ip, *mhip; + register struct mbuf *m = m0; + register struct route *ro; + int len, off, error = 0, hlen, code; + struct ifnet *ifp, *sifp; + struct sockaddr_in *dst; + struct route iproute; + u_short ip_off; + frentry_t *fr; + + if (fin->fin_v == 6) { + #ifdef USE_INET6 + error = ipfr_fastroute6(m0, mpp, fin, fdp); + #else + error = EPROTONOSUPPORT; + #endif + if ((error != 0) && (*mpp != NULL)) { + FREE_MB_T(*mpp); + *mpp = NULL; + } + return error; + } + #ifndef INET + return EPROTONOSUPPORT; + #else + + hlen = fin->fin_hlen; + ip = mtod(m0, struct ip *); 
+ + # if defined(M_CSUM_IPv4) + /* + * Clear any in-bound checksum flags for this packet. + */ + m0->m_pkthdr.csuminfo = 0; + # endif /* __NetBSD__ && M_CSUM_IPv4 */ + + /* + * Route packet. + */ + ro = &iproute; + bzero((caddr_t)ro, sizeof (*ro)); + dst = (struct sockaddr_in *)&ro->ro_dst; + dst->sin_family = AF_INET; + dst->sin_addr = ip->ip_dst; + + fr = fin->fin_fr; + if (fdp != NULL) + ifp = fdp->fd_ifp; + else + ifp = fin->fin_ifp; + + if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) { + error = -2; + goto bad; + } + + /* + * In case we're here due to "to " being used with "keep state", + * check that we're going in the correct direction. + */ + if ((fr != NULL) && (fin->fin_rev != 0)) { + if ((ifp != NULL) && (fdp == &fr->fr_tif)) + return -1; + } + if (fdp != NULL) { + if (fdp->fd_ip.s_addr != 0) + dst->sin_addr = fdp->fd_ip; + } + + dst->sin_len = sizeof(*dst); + rtalloc(ro); + + if ((ifp == NULL) && (ro->ro_rt != NULL)) + ifp = ro->ro_rt->rt_ifp; + + if ((ro->ro_rt == NULL) || (ifp == NULL)) { + if (in_localaddr(ip->ip_dst)) + error = EHOSTUNREACH; + else + error = ENETUNREACH; + goto bad; + } + if (ro->ro_rt->rt_flags & RTF_GATEWAY) + dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway; + if (ro->ro_rt) + ro->ro_rt->rt_use++; + + /* + * For input packets which are being "fastrouted", they won't + * go back through output filtering and miss their chance to get + * NAT'd and counted. + */ + if (fin->fin_out == 0) { + sifp = fin->fin_ifp; + fin->fin_ifp = ifp; + fin->fin_out = 1; + (void) fr_acctpkt(fin, NULL); + fin->fin_fr = NULL; + if (!fr || !(fr->fr_flags & FR_RETMASK)) { + u_32_t pass; + + (void) fr_checkstate(fin, &pass); + } + + switch (fr_checknatout(fin, NULL)) + { + case 0 : + break; + case 1 : + ip->ip_sum = 0; + break; + case -1 : + error = -1; + goto done; + break; + } + + fin->fin_ifp = sifp; + fin->fin_out = 0; + } else + ip->ip_sum = 0; + /* + * If small enough for interface, can just send directly. 
+ */ + if (ip->ip_len <= ifp->if_mtu) { + int i = 0; + + if (m->m_flags & M_EXT) + i = 1; + + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); + # if defined(M_CSUM_IPv4) + # if (__NetBSD_Version__ >= 105009999) + if (ifp->if_csum_flags_tx & M_CSUM_IPv4) + m->m_pkthdr.csuminfo |= M_CSUM_IPv4; + # else + if (ifp->if_capabilities & IFCAP_CSUM_IPv4) + m->m_pkthdr.csuminfo |= M_CSUM_IPv4; + # endif /* (__NetBSD_Version__ >= 105009999) */ + else if (ip->ip_sum == 0) + ip->ip_sum = in_cksum(m, hlen); + # else + if (!ip->ip_sum) + ip->ip_sum = in_cksum(m, hlen); + # endif /* M_CSUM_IPv4 */ + error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, + ro->ro_rt); + if (i) { + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + } + goto done; + } + + /* + * Too large for interface; fragment if possible. + * Must be able to put at least 8 bytes per fragment. + */ + ip_off = ip->ip_off; + if (ip_off & IP_DF) { + error = EMSGSIZE; + goto bad; + } + len = (ifp->if_mtu - hlen) &~ 7; + if (len < 8) { + error = EMSGSIZE; + goto bad; + } + + { + int mhlen, firstlen = len; + struct mbuf **mnext = &m->m_act; + + /* + * Loop through length of segment after first fragment, + * make new header and copy data of each part and link onto chain. 
+ */ + m0 = m; + mhlen = sizeof (struct ip); + for (off = hlen + len; off < ip->ip_len; off += len) { + # ifdef MGETHDR + MGETHDR(m, M_DONTWAIT, MT_HEADER); + # else + MGET(m, M_DONTWAIT, MT_HEADER); + # endif + if (m == 0) { + m = m0; + error = ENOBUFS; + goto bad; + } + m->m_data += max_linkhdr; + mhip = mtod(m, struct ip *); + bcopy((char *)ip, (char *)mhip, sizeof(*ip)); + if (hlen > sizeof (struct ip)) { + mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); + IP_HL_A(mhip, mhlen >> 2); + } + m->m_len = mhlen; + mhip->ip_off = ((off - hlen) >> 3) + ip_off; + if (off + len >= ip->ip_len) + len = ip->ip_len - off; + else + mhip->ip_off |= IP_MF; + mhip->ip_len = htons((u_short)(len + mhlen)); + m->m_next = m_copy(m0, off, len); + if (m->m_next == 0) { + error = ENOBUFS; /* ??? */ + goto sendorfree; + } + m->m_pkthdr.len = mhlen + len; + m->m_pkthdr.rcvif = NULL; + mhip->ip_off = htons((u_short)mhip->ip_off); + mhip->ip_sum = 0; + mhip->ip_sum = in_cksum(m, mhlen); + *mnext = m; + mnext = &m->m_act; + } + /* + * Update first fragment by trimming what's been copied out + * and updating header, then send each fragment (in order). 
+ */ + m_adj(m0, hlen + firstlen - ip->ip_len); + ip->ip_len = htons((u_short)(hlen + firstlen)); + ip->ip_off = htons((u_short)IP_MF); + ip->ip_sum = 0; + ip->ip_sum = in_cksum(m0, hlen); + sendorfree: + for (m = m0; m; m = m0) { + m0 = m->m_act; + m->m_act = 0; + if (error == 0) + error = (*ifp->if_output)(ifp, m, + (struct sockaddr *)dst, ro->ro_rt); + else + FREE_MB_T(m); + } + } + done: + if (!error) + fr_frouteok[0]++; + else + fr_frouteok[1]++; + + if (ro->ro_rt) { + RTFREE(ro->ro_rt); + } + *mpp = NULL; + return error; + bad: + if (error == EMSGSIZE) { + sifp = fin->fin_ifp; + code = fin->fin_icode; + fin->fin_icode = ICMP_UNREACH_NEEDFRAG; + fin->fin_ifp = ifp; + (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1); + fin->fin_ifp = sifp; + fin->fin_icode = code; + } + FREE_MB_T(m); + goto done; + #endif /* INET */ + } + + + #if defined(USE_INET6) + /* + * This is the IPv6 specific fastroute code. It doesn't clean up the mbuf's + * or ensure that it is an IPv6 packet that is being forwarded, those are + * expected to be done by the called (ipfr_fastroute). 
+ */ + static int ipfr_fastroute6(m0, mpp, fin, fdp) + struct mbuf *m0, **mpp; + fr_info_t *fin; + frdest_t *fdp; + { + struct route_in6 ip6route; + struct sockaddr_in6 *dst6; + struct route_in6 *ro; + struct rtentry *rt; + struct ifnet *ifp; + frentry_t *fr; + u_long mtu; + int error; + + ro = &ip6route; + fr = fin->fin_fr; + bzero((caddr_t)ro, sizeof(*ro)); + dst6 = (struct sockaddr_in6 *)&ro->ro_dst; + dst6->sin6_family = AF_INET6; + dst6->sin6_len = sizeof(struct sockaddr_in6); + dst6->sin6_addr = fin->fin_fi.fi_dst.in6; + + if (fdp != NULL) + ifp = fdp->fd_ifp; + else + ifp = fin->fin_ifp; + + if ((fr != NULL) && (fin->fin_rev != 0)) { + if ((ifp != NULL) && (fdp == &fr->fr_tif)) + return 0; + } + if (fdp != NULL) { + if (IP6_NOTZERO(&fdp->fd_ip6)) + dst6->sin6_addr = fdp->fd_ip6.in6; + } + + rtalloc((struct route *)ro); + + if ((ifp == NULL) && (ro->ro_rt != NULL)) + ifp = ro->ro_rt->rt_ifp; + + if ((ro->ro_rt == NULL) || (ifp == NULL)) { + error = EHOSTUNREACH; + goto bad; + } + + rt = fdp ? 
NULL : ro->ro_rt; + + /* KAME */ + if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) + dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index); + + { + if (ro->ro_rt->rt_flags & RTF_GATEWAY) + dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway; + ro->ro_rt->rt_use++; + + error = ip6_getpmtu(ro, ro, ifp, &finaldst, &mtu, &frag); + if ((error == 0) && (m0->m_pkthdr.len <= mtu)) { + *mpp = NULL; + error = nd6_output(ifp, ifp, m0, dst6, rt); + } else { + error = EMSGSIZE; + } + } + bad: + if (ro->ro_rt != NULL) { + RTFREE(ro->ro_rt); + } + return error; + } + #endif + + + int fr_verifysrc(fin) + fr_info_t *fin; + { + struct sockaddr_in *dst; + struct route iproute; + + bzero((char *)&iproute, sizeof(iproute)); + dst = (struct sockaddr_in *)&iproute.ro_dst; + dst->sin_len = sizeof(*dst); + dst->sin_family = AF_INET; + dst->sin_addr = fin->fin_src; + rtalloc(&iproute); + if (iproute.ro_rt == NULL) + return 0; + return (fin->fin_ifp == iproute.ro_rt->rt_ifp); + } + + + /* + * return the first IP Address associated with an interface + */ + int fr_ifpaddr(v, atype, ifptr, inp, inpmask) + int v, atype; + void *ifptr; + struct in_addr *inp, *inpmask; + { + #ifdef USE_INET6 + struct in6_addr *inp6 = NULL; + #endif + struct sockaddr *sock, *mask; + struct sockaddr_in *sin; + struct ifaddr *ifa; + struct ifnet *ifp; + + if ((ifptr == NULL) || (ifptr == (void *)-1)) + return -1; + + ifp = ifptr; + mask = NULL; + + if (v == 4) + inp->s_addr = 0; + #ifdef USE_INET6 + else if (v == 6) + bzero((char *)inp, sizeof(struct in6_addr)); + #endif + + ifa = ifp->if_addrlist; + sock = ifa->ifa_addr; + while (sock != NULL && ifa != NULL) { + sin = (struct sockaddr_in *)sock; + if ((v == 4) && (sin->sin_family == AF_INET)) + break; + #ifdef USE_INET6 + if ((v == 6) && (sin->sin_family == AF_INET6)) { + inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr; + if (!IN6_IS_ADDR_LINKLOCAL(inp6) && + !IN6_IS_ADDR_LOOPBACK(inp6)) + break; + } + #endif + ifa = ifa->ifa_next; + if (ifa != NULL) + sock = 
ifa->ifa_addr; + } + if (ifa == NULL || sock == NULL) + return -1; + + mask = ifa->ifa_netmask; + if (atype == FRI_BROADCAST) + sock = ifa->ifa_broadaddr; + else if (atype == FRI_PEERADDR) + sock = ifa->ifa_dstaddr; + + #ifdef USE_INET6 + if (v == 6) + return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock, + (struct sockaddr_in6 *)mask, + inp, inpmask); + #endif + return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock, + (struct sockaddr_in *)mask, inp, inpmask); + } + + + u_32_t fr_newisn(fin) + fr_info_t *fin; + { + u_32_t newiss; + #if 0 + static int iss_seq_off = 0; + u_char hash[16]; + MD5_CTX ctx; + + /* + * Compute the base value of the ISS. It is a hash + * of (saddr, sport, daddr, dport, secret). + */ + MD5Init(&ctx); + + MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src, + sizeof(fin->fin_fi.fi_src)); + MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst, + sizeof(fin->fin_fi.fi_dst)); + MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat)); + + MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret)); + + MD5Final(hash, &ctx); + + memcpy(&newiss, hash, sizeof(newiss)); + + /* + * Now increment our "timer", and add it in to + * the computed value. + * + * XXX Use `addin'? + * XXX TCP_ISSINCR too large to use? + */ + iss_seq_off += 0x00010000; + newiss += iss_seq_off; + #endif + return newiss; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_nextipid */ + /* Returns: int - 0 == success, -1 == error (packet should be droppped) */ + /* Parameters: fin(I) - pointer to packet information */ + /* */ + /* Returns the next IPv4 ID to use for this packet. 
*/ + /* ------------------------------------------------------------------------ */ + u_short fr_nextipid(fin) + fr_info_t *fin; + { + static u_short ipid = 0; + u_short id; + + MUTEX_ENTER(&ipf_rw); + id = ipid++; + MUTEX_EXIT(&ipf_rw); + + return id; + } + + + INLINE void fr_checkv4sum(fin) + fr_info_t *fin; + { + #ifdef M_CSUM_TCP_UDP_BAD + int manual, pflag, cflags, active; + mb_t *m; + + if ((fin->fin_flx & FI_NOCKSUM) != 0) + return; + + manual = 0; + m = fin->fin_m; + if (m == NULL) { + manual = 1; + goto skipauto; + } + + switch (fin->fin_p) + { + case IPPROTO_UDP : + pflag = M_CSUM_UDPv4; + break; + case IPPROTO_TCP : + pflag = M_CSUM_TCPv4; + break; + default : + pflag = 0; + manual = 1; + break; + } + + active = ((struct ifnet *)fin->fin_ifp)->if_csum_flags_rx & pflag; + active |= M_CSUM_TCP_UDP_BAD | M_CSUM_DATA; + cflags = m->m_pkthdr.csum_flags & active; + + if (pflag != 0) { + if (cflags == (pflag | M_CSUM_TCP_UDP_BAD)) { + fin->fin_flx |= FI_BAD; + } else if (cflags == (pflag | M_CSUM_DATA)) { + if ((m->m_pkthdr.csum_data ^ 0xffff) != 0) + fin->fin_flx |= FI_BAD; + } else if (cflags == pflag) { + ; + } else { + manual = 1; + } + } + skipauto: + # ifdef IPFILTER_CKSUM + if (manual != 0) + if (fr_checkl4sum(fin) == -1) + fin->fin_flx |= FI_BAD; + # else + ; + # endif + #else + # ifdef IPFILTER_CKSUM + if (fr_checkl4sum(fin) == -1) + fin->fin_flx |= FI_BAD; + # endif + #endif + } + + + #ifdef USE_INET6 + INLINE void fr_checkv6sum(fin) + fr_info_t *fin; + { + # ifdef M_CSUM_TCP_UDP_BAD + int manual, pflag, cflags, active; + mb_t *m; + + if ((fin->fin_flx & FI_NOCKSUM) != 0) + return; + + manual = 0; + m = fin->fin_m; + + switch (fin->fin_p) + { + case IPPROTO_UDP : + pflag = M_CSUM_UDPv6; + break; + case IPPROTO_TCP : + pflag = M_CSUM_TCPv6; + break; + default : + pflag = 0; + manual = 1; + break; + } + + active = ((struct ifnet *)fin->fin_ifp)->if_csum_flags_rx & pflag; + active |= M_CSUM_TCP_UDP_BAD | M_CSUM_DATA; + cflags = m->m_pkthdr.csum_flags & 
active; + + if (pflag != 0) { + if (cflags == (pflag | M_CSUM_TCP_UDP_BAD)) { + fin->fin_flx |= FI_BAD; + } else if (cflags == (pflag | M_CSUM_DATA)) { + if ((m->m_pkthdr.csum_data ^ 0xffff) != 0) + fin->fin_flx |= FI_BAD; + } else if (cflags == pflag) { + ; + } else { + manual = 1; + } + } + # ifdef IPFILTER_CKSUM + if (manual != 0) + if (fr_checkl4sum(fin) == -1) + fin->fin_flx |= FI_BAD; + # endif + # else + # ifdef IPFILTER_CKSUM + if (fr_checkl4sum(fin) == -1) + fin->fin_flx |= FI_BAD; + # endif + # endif + } + #endif /* USE_INET6 */ + + + size_t mbufchainlen(m0) + struct mbuf *m0; + { + size_t len; + + if ((m0->m_flags & M_PKTHDR) != 0) { + len = m0->m_pkthdr.len; + } else { + struct mbuf *m; + + for (m = m0, len = 0; m != NULL; m = m->m_next) + len += m->m_len; + } + return len; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + #ifdef MHLEN + /* + * Assume that M_PKTHDR is set and just work with what is left + * rather than check.. + * Should not make any real difference, anyway. + */ + if (len > MHLEN) + #else + if (len > MLEN) + #endif + { + FREE_MB_T(*fin->fin_mp); + m = NULL; + } else + { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; + } + + + void *getifp(name, v) + char *name; + int v; + { + return NULL; + } diff -crN ip_fil4.1.8/ip_fil_bsdos.c ip_fil4.1.9/ip_fil_bsdos.c *** ip_fil4.1.8/ip_fil_bsdos.c Sun Jan 9 03:55:51 2005 --- ip_fil4.1.9/ip_fil_bsdos.c Thu Jul 14 07:40:44 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_bsdos.c,v 2.45.2.17 2005/01/08 16:55:51 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil_bsdos.c,v 2.45.2.18 2005/07/13 21:40:44 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 66,75 **** static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); static int fr_send_ip __P((ip_t *, fr_info_t *, mb_t *, mb_t **)); - #ifdef KMUTEX_T - extern ipfmutex_t ipf_rw; - extern ipfrwlock_t ipf_mutex; - #endif #if (_BSDI_VERSION >= 199510) # include --- 66,71 ---- diff -crN ip_fil4.1.8/ip_fil_freebsd.c ip_fil4.1.9/ip_fil_freebsd.c *** ip_fil4.1.8/ip_fil_freebsd.c Tue Feb 1 14:15:56 2005 --- ip_fil4.1.9/ip_fil_freebsd.c Mon Jul 18 19:09:54 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.25 2005/02/01 03:15:56 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.28 2005/07/18 09:09:54 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 123,129 **** # ifdef USE_MUTEXES ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; # endif int ipf_locks_done = 0; --- 123,129 ---- # ifdef USE_MUTEXES ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! 
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; # endif int ipf_locks_done = 0; *************** *** 145,150 **** --- 145,163 ---- #endif /* __FreeBSD_version >= 500011 */ + #if (__FreeBSD_version >= 502103) + static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag; + + static void ipf_ifevent(void *arg); + + static void ipf_ifevent(arg) + void *arg; + { + frsync(NULL); + } + #endif + + #if (__FreeBSD_version >= 501108) && defined(_KERNEL) static int *************** *** 201,206 **** --- 214,220 ---- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); ipf_locks_done = 1; *************** *** 269,274 **** --- 283,300 ---- } # endif # endif + + #if (__FreeBSD_version >= 502103) + ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ + ipf_ifevent, NULL, \ + EVENTHANDLER_PRI_ANY); + ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ + ipf_ifevent, NULL, \ + EVENTHANDLER_PRI_ANY); + ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ + NULL, EVENTHANDLER_PRI_ANY); + #endif + if (fr_checkp != fr_check) { fr_savep = fr_checkp; fr_checkp = fr_check; *************** *** 313,318 **** --- 339,356 ---- if (fr_control_forwarding & 2) ipforwarding = 0; + #if (__FreeBSD_version >= 502103) + if (ipf_arrivetag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag); + } + if (ipf_departtag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag); + } + if (ipf_clonetag != NULL) { + EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag); + } + #endif + SPL_NET(s); #if (__FreeBSD_version >= 300000) *************** *** 378,383 **** --- 416,422 ---- MUTEX_DESTROY(&ipf_timeoutlock); MUTEX_DESTROY(&ipf_rw); 
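Review bot: ipf_ifevent is declared with a single `void *arg` parameter in the `__FreeBSD_version >= 502103` block, yet the later hunk registers it for ifnet_arrival_event, ifnet_departure_event and if_clone_event, whose handler types (as far as I recall of FreeBSD 5.x) pass the affected `struct ifnet *` or `struct if_clone *` as a second argument; invoking it through those pointer types is a prototype mismatch that only works by accident of the calling convention. A thin handler per event type with the matching prototype, each just calling `frsync(NULL);`, removes the mismatch. The function also lacks any comment; something like `/* An interface arrived, departed or was cloned: resync the filter's interface references. */` would help, adjusted to what frsync() actually does since it is outside this diff.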
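Review bot: The trailing backslash continuations inside the three EVENTHANDLER_REGISTER calls are a point of style: they are only required inside a macro definition, and here they make ordinary wrapped call arguments look like macro text. Dropping the `\` and simply wrapping the argument lists, as the rest of this file does for long calls, reads cleaner and avoids the impression that these lines are part of a #define.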
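Review bot: After each EVENTHANDLER_DEREGISTER in the detach block the tag keeps its old value, so the `!= NULL` guards only protect the very first detach; if this path can run a second time without an intervening attach (I cannot tell from the hunk, the enclosing function starts and ends outside it) the stale tag would be handed to the deregister again. Resetting each tag right after use, `ipf_arrivetag = NULL;` and likewise for `ipf_departtag` and `ipf_clonetag`, makes the guards actually mean something.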
RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); RW_DESTROY(&ipf_ipidfrag); RW_DESTROY(&ipf_global); ipf_locks_done = 0; *************** *** 419,425 **** friostat_t fio; #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif --- 458,464 ---- friostat_t fio; #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif diff -crN ip_fil4.1.8/ip_fil_hpux.c ip_fil4.1.9/ip_fil_hpux.c *** ip_fil4.1.8/ip_fil_hpux.c Sun Jan 9 03:55:52 2005 --- ip_fil4.1.9/ip_fil_hpux.c Thu Jul 14 07:40:44 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_hpux.c,v 2.45.2.11 2005/01/08 16:55:52 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_hpux.c,v 2.45.2.12 2005/07/13 21:40:44 darrenr Exp $"; #endif #include *************** *** 58,64 **** static int fr_send_ip(fr_info_t *, mblk_t *); ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int *ip_ttl_ptr; int *ip_mtudisc; --- 58,64 ---- static int fr_send_ip(fr_info_t *, mblk_t *); ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! 
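Review bot: Raising the securelevel threshold from `>= 2` to `>= 3` relaxes a security control: write-mode ioctls that were refused at securelevel 2 are now accepted there, and the hunk carries no comment explaining why. The likely rationale is alignment with FreeBSD's documented securelevel semantics, where packet-filter rule changes are blocked only at level 3, but that should be recorded next to the check, e.g. `/* securelevel 3 is the level at which FreeBSD forbids packet filter rule changes; below it, writes stay permitted */`. The enclosing ioctl function starts and ends outside the hunk.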
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int *ip_ttl_ptr; int *ip_mtudisc; *************** *** 80,85 **** --- 80,86 ---- RW_DESTROY(&ipf_ipidfrag); RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); /* NOTE: This lock is acquired in ipf_detach */ RWLOCK_EXIT(&ipf_global); RW_DESTROY(&ipf_global); *************** *** 103,108 **** --- 104,110 ---- MUTEX_INIT(&ipf_timeoutlock, "ipf_timeoutlock"); RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); if (fr_initialise() < 0) diff -crN ip_fil4.1.8/ip_fil_irix.c ip_fil4.1.9/ip_fil_irix.c *** ip_fil4.1.8/ip_fil_irix.c Sun Jan 9 03:55:53 2005 --- ip_fil4.1.9/ip_fil_irix.c Thu Jul 14 07:40:45 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_irix.c,v 2.42.2.15 2005/01/08 16:55:53 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil_irix.c,v 2.42.2.16 2005/07/13 21:40:45 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 75,82 **** static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); static int fr_send_ip __P((fr_info_t *, struct mbuf *, struct mbuf **)); - extern ipfmutex_t ipf_rw; - extern ipfrwlock_t ipf_mutex; int ipl_attach() --- 75,80 ---- diff -crN ip_fil4.1.8/ip_fil_linux.c ip_fil4.1.9/ip_fil_linux.c *** ip_fil4.1.8/ip_fil_linux.c Sun Jan 9 03:55:53 2005 --- ip_fil4.1.9/ip_fil_linux.c Thu Jul 14 07:40:45 2005 *************** *** 12,17 **** --- 12,18 ---- #include #include + #include #include extern int sysctl_ip_default_ttl; *************** *** 21,28 **** ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; static u_int ipf_linux_inout __P((u_int, struct sk_buff **, const struct net_device *, const struct net_device *, int (*okfn)(struct sk_buff *))); --- 22,30 ---- ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! 
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; + struct timer_list ipf_timer; static u_int ipf_linux_inout __P((u_int, struct sk_buff **, const struct net_device *, const struct net_device *, int (*okfn)(struct sk_buff *))); *************** *** 95,100 **** --- 97,189 ---- #endif + int iplattach() + { + int err, i; + + SPL_NET(s); + if (fr_running > 0) { + SPL_X(s); + return -EBUSY; + } + + bzero((char *)frcache, sizeof(frcache)); + MUTEX_INIT(&ipf_rw, "ipf rw mutex"); + MUTEX_INIT(&ipl_mutex, "ipf log mutex"); + MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock mutex"); + RWLOCK_INIT(&ipf_global, "ipf global rwlock"); + RWLOCK_INIT(&ipf_mutex, "ipf global mutex rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache mutex rwlock"); + RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); + + for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) { + err = nf_register_hook(&ipf_hooks[i]); + if (err != 0) + return err; + } + + if (fr_initialise() < 0) { + for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) + nf_unregister_hook(&ipf_hooks[i]); + SPL_X(s); + return EIO; + } + + bzero((char *)frcache, sizeof(frcache)); + #ifdef notyet + if (fr_control_forwarding & 1) + ipv4_devconf.forwarding = 1; + #endif + + SPL_X(s); + /* timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT); */ + init_timer(&ipf_timer); + ipf_timer.function = fr_slowtimer; + ipf_timer.data = NULL; + ipf_timer.expires = (HZ / IPF_HZ_DIVIDE) * IPF_HZ_MULT; + add_timer(&ipf_timer); + mod_timer(&ipf_timer, HZ/2 + jiffies); + return 0; + } + + + int ipldetach() + { + int i; + + del_timer(&ipf_timer); + + SPL_NET(s); + + for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) + nf_unregister_hook(&ipf_hooks[i]); + /* untimeout(fr_slowtimer, NULL); */ + + #ifdef notyet + if (fr_control_forwarding & 2) + ipv4_devconf.forwarding = 0; + #endif + + fr_deinitialise(); + + (void) frflush(IPL_LOGIPF, 0, 
FR_INQUE|FR_OUTQUE|FR_INACTIVE); + (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); + + MUTEX_DESTROY(&ipf_timeoutlock); + MUTEX_DESTROY(&ipl_mutex); + MUTEX_DESTROY(&ipf_rw); + RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); + RW_DESTROY(&ipf_global); + RW_DESTROY(&ipf_ipidfrag); + + SPL_X(s); + + return 0; + } + + + /* * Filter ioctl interface. */ *************** *** 794,875 **** } - int iplattach() - { - int err, i; - - SPL_NET(s); - if (fr_running > 0) { - SPL_X(s); - return -EBUSY; - } - - bzero((char *)frcache, sizeof(frcache)); - MUTEX_INIT(&ipf_rw, "ipf rw mutex"); - MUTEX_INIT(&ipl_mutex, "ipf log mutex"); - MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock mutex"); - RWLOCK_INIT(&ipf_global, "ipf global rwlock"); - RWLOCK_INIT(&ipf_mutex, "ipf global mutex rwlock"); - RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); - - for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) { - err = nf_register_hook(&ipf_hooks[i]); - if (err != 0) - return err; - } - - if (fr_initialise() < 0) { - for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) - nf_unregister_hook(&ipf_hooks[i]); - SPL_X(s); - return EIO; - } - - bzero((char *)frcache, sizeof(frcache)); - #ifdef notyet - if (fr_control_forwarding & 1) - ipv4_devconf.forwarding = 1; - #endif - - SPL_X(s); - /* timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT); */ - return 0; - } - - - int ipldetach() - { - int i; - - SPL_NET(s); - - for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) - nf_unregister_hook(&ipf_hooks[i]); - /* untimeout(fr_slowtimer, NULL); */ - - #ifdef notyet - if (fr_control_forwarding & 2) - ipv4_devconf.forwarding = 0; - #endif - - fr_deinitialise(); - - (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); - - MUTEX_DESTROY(&ipf_timeoutlock); - MUTEX_DESTROY(&ipl_mutex); - MUTEX_DESTROY(&ipf_rw); - RW_DESTROY(&ipf_mutex); - RW_DESTROY(&ipf_global); - RW_DESTROY(&ipf_ipidfrag); - - SPL_X(s); 
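Review bot: ipldetach stops the new slow timer with `del_timer(&ipf_timer)`, which does not wait for a callback already executing on another CPU, so fr_slowtimer can still be running (holding READ_ENTER(&ipf_global) and possibly re-arming itself via mod_timer) while the code below destroys ipf_global and the other locks; on SMP this should be `del_timer_sync(&ipf_timer);`. In iplattach, the `nf_register_hook` failure path inherited from the moved code returns with SPL_NET still held and leaves the hooks registered in earlier iterations (and the mutexes initialised above) in place, whereas the fr_initialise failure path does unwind the hooks; the loop should unwind too. The fix for the loop is shown below; the rest of both functions is unchanged.
```c
int iplattach()
{
	/* … unchanged: busy check and lock initialisation … */
	for (i = 0; i < sizeof(ipf_hooks)/sizeof(ipf_hooks[0]); i++) {
		err = nf_register_hook(&ipf_hooks[i]);
		if (err != 0) {
			/* undo the hooks already registered and release the SPL taken above */
			while (--i >= 0)
				nf_unregister_hook(&ipf_hooks[i]);
			SPL_X(s);
			return err;
		}
	}
	/* … unchanged: fr_initialise, forwarding control, timer setup … */
}
```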
- - return 0; - } - - static u_int ipf_linux_inout(hooknum, skbp, inifp, outifp, okfn) u_int hooknum; struct sk_buff **skbp; --- 883,888 ---- *************** *** 1102,1104 **** --- 1115,1143 ---- fin->fin_flx |= FI_COALESCE; return ip; } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_slowtimer */ + /* Returns: Nil */ + /* Parameters: Nil */ + /* */ + /* Slowly expire held state for fragments. Timeouts are set * in */ + /* expectation of this being called twice per second. */ + /* ------------------------------------------------------------------------ */ + void fr_slowtimer(long value) + { + READ_ENTER(&ipf_global); + + fr_fragexpire(); + fr_timeoutstate(); + fr_natexpire(); + fr_authexpire(); + fr_ticks++; + if (fr_running <= 0) + goto done; + mod_timer(&ipf_timer, HZ/2 + jiffies); + + done: + RWLOCK_EXIT(&ipf_global); + } diff -crN ip_fil4.1.8/ip_fil_netbsd.c ip_fil4.1.9/ip_fil_netbsd.c *** ip_fil4.1.8/ip_fil_netbsd.c Tue Feb 22 09:51:08 2005 --- ip_fil4.1.9/ip_fil_netbsd.c Mon Jul 18 11:45:26 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_netbsd.c,v 2.55.2.27 2005/02/21 22:51:08 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
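Review bot: fr_slowtimer tests `fr_running <= 0` only after it has already called fr_fragexpire, fr_timeoutstate, fr_natexpire and fr_authexpire, so a tick that fires while ipldetach is tearing the tables down still walks them; the Linux ipldetach in this diff takes no write lock on ipf_global, so the READ_ENTER here does not serialise against it. Move the check to the top of the function, before the expiry calls: `if (fr_running <= 0) goto done;` right after `READ_ENTER(&ipf_global);`, and drop the later test so the timer is simply not re-armed once the filter is no longer running. The `long value` parameter is the Linux timer-callback signature and is unused; a one-line comment saying so, e.g. `/* value unused: required by the timer_list callback signature */`, would save the next reader a lookup.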
static const char rcsid[] = "@(#)$Id: ip_fil_netbsd.c,v 2.55.2.30 2005/07/18 01:45:26 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 90,99 **** static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **)); - #ifdef KMUTEX_T - extern ipfmutex_t ipf_rw; - extern ipfrwlock_t ipf_mutex; - #endif #ifdef USE_INET6 static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, fr_info_t *, frdest_t *)); --- 90,95 ---- *************** *** 209,214 **** --- 205,231 ---- ifp, (dir == PFIL_OUT), mp)); } # endif + + + # ifdef PFIL_TYPE_IFNET + static int ipf_pfilsync(hdr, mp, ifp, dir) + void *hdr; + struct mbuf **mp; + struct ifnet *ifp; + int dir; + { + /* + * The interface pointer is useless for create (we have nothing to + * compare it to) and at detach, the interface name is still in the + * list of active NICs (albeit, down, but that's not any real + * indicator) and doing ifunit() on the name will still return the + * pointer, so it's not much use then, either. + */ + frsync(NULL); + return 0; + } + # endif + #endif /* __NetBSD_Version__ >= 105110000 */ *************** *** 249,254 **** --- 266,274 ---- # ifdef USE_INET6 struct pfil_head *ph_inet6; # endif + # ifdef PFIL_TYPE_IFNET + struct pfil_head *ph_ifsync; + # endif # endif #endif *************** *** 271,280 **** --- 291,307 ---- # ifdef USE_INET6 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); # endif + # ifdef PFIL_TYPE_IFNET + ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0); + # endif + if (ph_inet == NULL # ifdef USE_INET6 && ph_inet6 == NULL # endif + # ifdef PFIL_TYPE_IFNET + && ph_ifsync == NULL + # endif ) { printf("pfil_head_get failed\n"); return ENODEV; *************** *** 285,306 **** PFIL_IN|PFIL_OUT, ph_inet); else error = 0; ! 
# else error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); - # endif - if (error) { - # ifdef USE_INET6 - goto pfil_error; - # else - fr_deinitialise(); - SPL_X(s); - return error; # endif ! } # else pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif # ifdef USE_INET6 # if __NetBSD_Version__ >= 105110000 if (ph_inet6 != NULL) --- 312,327 ---- PFIL_IN|PFIL_OUT, ph_inet); else error = 0; ! # else error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); # endif ! if (error) ! goto pfil_error; # else pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif + # ifdef USE_INET6 # if __NetBSD_Version__ >= 105110000 if (ph_inet6 != NULL) *************** *** 311,328 **** if (error) { pfil_remove_hook((void *)fr_check_wrapper6, NULL, PFIL_IN|PFIL_OUT, ph_inet6); # else error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); if (error) { pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); ! # endif ! pfil_error: ! fr_deinitialise(); ! SPL_X(s); ! return error; } # endif #endif --- 332,354 ---- if (error) { pfil_remove_hook((void *)fr_check_wrapper6, NULL, PFIL_IN|PFIL_OUT, ph_inet6); + goto pfil_error; + } # else error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); if (error) { pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); ! 
goto pfil_error; } + # endif + # endif + + # ifdef PFIL_TYPE_IFNET + if (ph_ifsync != NULL) + (void) pfil_add_hook((void *)ipf_pfilsync, NULL, + PFIL_IFNET, ph_ifsync); # endif #endif *************** *** 345,350 **** --- 371,383 ---- timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT); #endif return 0; + + #if __NetBSD_Version__ >= 105110000 + pfil_error: + fr_deinitialise(); + SPL_X(s); + return error; + #endif } *************** *** 362,367 **** --- 395,403 ---- # ifdef USE_INET6 struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); # endif + # ifdef PFIL_TYPE_IFNET + struct pfil_head *ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0); + # endif # endif #endif *************** *** 385,390 **** --- 421,431 ---- #ifdef NETBSD_PF # if (__NetBSD_Version__ >= 104200000) # if __NetBSD_Version__ >= 105110000 + # ifdef PFIL_TYPE_IFNET + (void) pfil_remove_hook((void *)ipf_pfilsync, NULL, + PFIL_IFNET, ph_ifsync); + # endif + if (ph_inet != NULL) error = pfil_remove_hook((void *)fr_check_wrapper, NULL, PFIL_IN|PFIL_OUT, ph_inet); *************** *** 1383,1388 **** --- 1424,1430 ---- u_long mtu; int error; + error = 0; ro = &ip6route; fr = fin->fin_fr; bzero((caddr_t)ro, sizeof(*ro)); diff -crN ip_fil4.1.8/ip_fil_openbsd.c ip_fil4.1.9/ip_fil_openbsd.c *** ip_fil4.1.8/ip_fil_openbsd.c Sun Jan 9 03:55:54 2005 --- ip_fil4.1.9/ip_fil_openbsd.c Thu Jul 14 07:40:46 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_openbsd.c,v 2.50.2.21 2005/01/08 16:55:54 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
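Review bot: The relocated `pfil_error:` label is compiled only under `#if __NetBSD_Version__ >= 105110000`, but the `goto pfil_error;` statements introduced by the earlier hunks of this function also live in the `# else` branches used between 104200000 and 105110000 (the `&inetsw[ip_protox[...]].pr_pfh` variants), so those builds would fail with an undefined label. The guard around the label must be at least as wide as the guards around the gotos, e.g. `#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)`, assuming NETBSD_PF is the outer conditional as it is in the detach path shown further down. iplattach's signature and most of its body lie outside this hunk.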
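Review bot: In ipldetach the new `pfil_remove_hook((void *)ipf_pfilsync, NULL, PFIL_IFNET, ph_ifsync)` is issued unconditionally, while the attach side only registers the hook when `ph_ifsync != NULL` and explicitly tolerates `pfil_head_get(PFIL_TYPE_IFNET, 0)` returning NULL; a NULL head passed here would be dereferenced inside pfil_remove_hook. Mirror the attach check: `if (ph_ifsync != NULL) (void) pfil_remove_hook((void *)ipf_pfilsync, NULL, PFIL_IFNET, ph_ifsync);`. On the attach side the add result is discarded with `(void)`, so a failed IFNET registration is invisible; at minimum it deserves a `printf` like the `pfil_head_get failed` message above it. ipldetach starts and ends outside this hunk.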
static const char rcsid[] = "@(#)$Id: ip_fil_openbsd.c,v 2.50.2.22 2005/07/13 21:40:46 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 74,83 **** static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **)); - #ifdef KMUTEX_T - extern ipfmutex_t ipf_rw; - extern ipfrwlock_t ipf_mutex; - #endif #ifdef USE_INET6 static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, fr_info_t *, frdest_t *)); --- 74,79 ---- diff -crN ip_fil4.1.8/ip_fil_osf.c ip_fil4.1.9/ip_fil_osf.c *** ip_fil4.1.8/ip_fil_osf.c Sun Jan 9 03:55:55 2005 --- ip_fil4.1.9/ip_fil_osf.c Thu Jul 14 07:40:46 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_osf.c,v 2.44.2.18 2005/01/08 16:55:55 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_osf.c,v 2.44.2.19 2005/07/13 21:40:46 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 79,85 **** ipfmutex_t ipf_rw, ipl_mutex, ipf_authmx, ipf_timeoutlock; ipfmutex_t ipf_nat_new, ipf_natio, ipf_stinsert; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_frag, ipf_tru64; ipfrwlock_t ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_ipidfrag; int ipf_locks_done = 0; --- 79,85 ---- ipfmutex_t ipf_rw, ipl_mutex, ipf_authmx, ipf_timeoutlock; ipfmutex_t ipf_nat_new, ipf_natio, ipf_stinsert; ! 
ipfrwlock_t ipf_mutex, ipf_global, ipf_frag, ipf_tru64, ipf_frcache; ipfrwlock_t ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_ipidfrag; int ipf_locks_done = 0; diff -crN ip_fil4.1.8/ip_fil_solaris.c ip_fil4.1.9/ip_fil_solaris.c *** ip_fil4.1.8/ip_fil_solaris.c Fri Mar 4 01:03:00 2005 --- ip_fil4.1.9/ip_fil_solaris.c Thu Jul 14 07:40:46 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_solaris.c,v 2.62.2.17 2005/03/03 14:03:00 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_solaris.c,v 2.62.2.19 2005/07/13 21:40:46 darrenr Exp $"; #endif #include *************** *** 61,67 **** ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; kcondvar_t iplwait, ipfauthwait; #if SOLARIS2 >= 7 --- 61,67 ---- ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; kcondvar_t iplwait, ipfauthwait; #if SOLARIS2 >= 7 *************** *** 1029,1038 **** int result; #if SOLARIS2 >= 6 - ire_t *gw; - dir = ire_route_lookup(fin->fin_saddr, 0xffffffff, 0, 0, NULL, ! &gw, NULL, MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT| MATCH_IRE_RECURSIVE); #else dir = ire_lookup(fin->fin_saddr); --- 1029,1036 ---- int result; #if SOLARIS2 >= 6 dir = ire_route_lookup(fin->fin_saddr, 0xffffffff, 0, 0, NULL, ! 
NULL, NULL, MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT| MATCH_IRE_RECURSIVE); #else dir = ire_lookup(fin->fin_saddr); *************** *** 1111,1123 **** struct in_addr dst; queue_t *q = NULL; mblk_t *mp = NULL; - ire_t *dir, *gw; size_t hlen = 0; qpktinfo_t *qpi; frentry_t *fr; frdest_t fd; qif_t *qif; ill_t *ifp; u_char *s; ip_t *ip; #ifndef sparc --- 1109,1121 ---- struct in_addr dst; queue_t *q = NULL; mblk_t *mp = NULL; size_t hlen = 0; qpktinfo_t *qpi; frentry_t *fr; frdest_t fd; qif_t *qif; ill_t *ifp; + ire_t *dir; u_char *s; ip_t *ip; #ifndef sparc *************** *** 1202,1217 **** } #if SOLARIS2 >= 6 - gw = NULL; if (fin->fin_v == 4) { dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL, ! &gw, NULL, MATCH_IRE_DSTONLY| MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); } # ifdef USE_INET6 else if (fin->fin_v == 6) { dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0, ! NULL, &gw, NULL, MATCH_IRE_DSTONLY| MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); } # endif --- 1200,1214 ---- } #if SOLARIS2 >= 6 if (fin->fin_v == 4) { dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL, ! NULL, NULL, MATCH_IRE_DSTONLY| MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); } # ifdef USE_INET6 else if (fin->fin_v == 6) { dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0, ! NULL, NULL, NULL, MATCH_IRE_DSTONLY| MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); } # endif diff -crN ip_fil4.1.8/ip_fil_sunos4.c ip_fil4.1.9/ip_fil_sunos4.c *** ip_fil4.1.8/ip_fil_sunos4.c Sun Jan 9 03:55:56 2005 --- ip_fil4.1.9/ip_fil_sunos4.c Thu Jul 14 07:40:46 2005 *************** *** 54,60 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_sunos4.c,v 2.46.2.17 2005/01/08 16:55:56 darrenr Exp $"; #endif extern struct protosw inetsw[]; --- 54,60 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil_sunos4.c,v 2.46.2.18 2005/07/13 21:40:46 darrenr Exp $"; #endif extern struct protosw inetsw[]; *************** *** 324,330 **** { register frentry_t *f; - WRITE_ENTER(&ipf_mutex); for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next) if (f->fr_ifa == ifp) f->fr_ifa = (void *)-1; --- 324,329 ---- *************** *** 337,343 **** for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next) if (f->fr_ifa == ifp) f->fr_ifa = (void *)-1; - RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } #endif --- 336,341 ---- diff -crN ip_fil4.1.8/ip_frag.c ip_fil4.1.9/ip_frag.c *** ip_fil4.1.8/ip_frag.c Tue Jan 27 11:24:54 2004 --- ip_fil4.1.9/ip_frag.c Fri Aug 12 00:33:10 2005 *************** *** 45,51 **** # endif #endif #if !defined(__SVR4) && !defined(__svr4__) ! # if defined(_KERNEL) && !defined(__sgi) # include # endif #else --- 45,51 ---- # endif #endif #if !defined(__SVR4) && !defined(__svr4__) ! # if defined(_KERNEL) && !defined(__sgi) && !defined(AIX) # include # endif #else *************** *** 100,106 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77 2004/01/27 00:24:54 darrenr Exp $"; #endif --- 100,106 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.5 2005/08/11 14:33:10 darrenr Exp $"; #endif *************** *** 235,241 **** ip = fin->fin_ip; if (pass & FR_FRSTRICT) ! if ((ip->ip_off & IP_OFFMASK) != 0) return NULL; frag.ipfr_p = ip->ip_p; --- 235,241 ---- ip = fin->fin_ip; if (pass & FR_FRSTRICT) ! if (fin->fin_off != 0) return NULL; frag.ipfr_p = ip->ip_p; *************** *** 275,282 **** return NULL; } ! if ((fra->ipfr_rule = fin->fin_fr) != NULL) ! fin->fin_fr->fr_ref++; /* * Insert the fragment into the fragment table, copy the struct used --- 275,290 ---- return NULL; } ! 
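Review bot: Dropping `WRITE_ENTER(&ipf_mutex)` and `RWLOCK_EXIT(&ipf_mutex)` from this SunOS 4 frsync leaves the walk over the ipacct/ipfilter lists, which writes `f->fr_ifa`, with no lock visible in the hunk. Presumably the generic caller now holds ipf_mutex (the NetBSD hunk in this same diff routes interface events through `frsync(NULL)`), but that contract is not stated here and a future caller of this routine would have no way to know it. I would record it at the top of the function: `/* Caller must hold ipf_mutex for writing: this walks and modifies the active rule lists. */`. The function's signature and opening brace lie outside the hunk.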
fra->ipfr_rule = fin->fin_fr; ! if (fra->ipfr_rule != NULL) { ! ! frentry_t *fr; ! ! fr = fin->fin_fr; ! MUTEX_ENTER(&fr->fr_lock); ! fr->fr_ref++; ! MUTEX_EXIT(&fr->fr_lock); ! } /* * Insert the fragment into the fragment table, copy the struct used *************** *** 744,752 **** { ipfr_t **fp, *fra; nat_t *nat; ! #if defined(USE_SPL) && defined(_KERNEL) ! int s; ! #endif if (fr_frag_lock) return; --- 752,758 ---- { ipfr_t **fp, *fra; nat_t *nat; ! SPL_INT(s); if (fr_frag_lock) return; *************** *** 812,818 **** /* expectation of this being called twice per second. */ /* ------------------------------------------------------------------------ */ #if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \ ! !defined(__osf__)) # if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi)) void fr_slowtimer __P((void *ptr)) # else --- 818,824 ---- /* expectation of this being called twice per second. */ /* ------------------------------------------------------------------------ */ #if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \ ! !defined(__osf__) && !defined(linux)) # if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi)) void fr_slowtimer __P((void *ptr)) # else diff -crN ip_fil4.1.8/ip_frag.h ip_fil4.1.9/ip_frag.h *** ip_fil4.1.8/ip_frag.h Tue Mar 30 02:21:56 2004 --- ip_fil4.1.9/ip_frag.h Sat Jun 11 04:02:37 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 ! 
* $Id: ip_frag.h,v 2.23.2.2 2005/06/10 18:02:37 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 78,84 **** --- 78,88 ---- extern void fr_slowtimer __P((void *)); # endif #else + # if defined(linux) && defined(_KERNEL) + extern void fr_slowtimer __P((long)); + # else extern int fr_slowtimer __P((void)); + # endif #endif #endif /* __IP_FRAG_H__ */ diff -crN ip_fil4.1.8/ip_h323_pxy.c ip_fil4.1.9/ip_h323_pxy.c *** ip_fil4.1.8/ip_h323_pxy.c Wed May 12 02:06:30 2004 --- ip_fil4.1.9/ip_h323_pxy.c Sat Jul 16 07:56:50 2005 *************** *** 246,252 **** tcp = (tcphdr_t *)fin->fin_dp; ipaddr = nat->nat_inip.s_addr; data = (caddr_t)tcp + (TCP_OFF(tcp) << 2); ! datlen = ip->ip_len - fin->fin_hlen - (TCP_OFF(tcp) << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { fr_info_t fi; nat_t *nat2; --- 246,252 ---- tcp = (tcphdr_t *)fin->fin_dp; ipaddr = nat->nat_inip.s_addr; data = (caddr_t)tcp + (TCP_OFF(tcp) << 2); ! datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2); if (find_port(ipaddr, data, datlen, &off, &port) == 0) { fr_info_t fi; nat_t *nat2; diff -crN ip_fil4.1.8/ip_htable.c ip_fil4.1.9/ip_htable.c *** ip_fil4.1.8/ip_htable.c Mon Oct 18 01:49:15 2004 --- ip_fil4.1.9/ip_htable.c Sat May 14 15:11:38 2005 *************** *** 51,57 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP --- 51,57 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.3 2005/05/14 05:11:38 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP *************** *** 102,109 **** int err, i, unit; KMALLOC(iph, iphtable_t *); ! if (iph == NULL) return ENOMEM; err = COPYIN(op->iplo_struct, iph, sizeof(*iph)); if (err != 0) { --- 102,111 ---- int err, i, unit; KMALLOC(iph, iphtable_t *); ! if (iph == NULL) { ! 
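Review bot: In ip_h323_pxy.c, `datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2)` underflows when the TCP data offset claims more header bytes than fin_dlen actually carries, and the result is handed straight to find_port() as a buffer length. Unless the core has already rejected such packets before the proxy runs (a short-packet flag is not visible in this diff), guard it before the call: `if (fin->fin_dlen < (TCP_OFF(tcp) << 2)) return 0;`, using whatever value this proxy returns for "nothing to do". The previous `ip->ip_len`-based form had the same exposure, so this is inherited rather than introduced by the hunk. The enclosing function starts and ends outside the hunk.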
ipht_nomem[op->iplo_unit]++; return ENOMEM; + } err = COPYIN(op->iplo_struct, iph, sizeof(*iph)); if (err != 0) { diff -crN ip_fil4.1.8/ip_ipsec_pxy.c ip_fil4.1.9/ip_ipsec_pxy.c *** ip_fil4.1.8/ip_ipsec_pxy.c Mon Mar 28 20:47:53 2005 --- ip_fil4.1.9/ip_ipsec_pxy.c Sat Jul 16 07:56:50 2005 *************** *** 6,12 **** * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ipsec_pxy.c,v 2.20.2.6 2005/03/28 10:47:53 darrenr Exp $ * */ #define IPF_IPSEC_PROXY --- 6,12 ---- * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/07/15 21:56:50 darrenr Exp $ * */ #define IPF_IPSEC_PROXY *************** *** 94,101 **** mb_t *m; ip_t *ip; bzero(ipsec_buffer, sizeof(ipsec_buffer)); - off = fin->fin_hlen + sizeof(udphdr_t); ip = fin->fin_ip; m = fin->fin_m; --- 94,101 ---- mb_t *m; ip_t *ip; + off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; bzero(ipsec_buffer, sizeof(ipsec_buffer)); ip = fin->fin_ip; m = fin->fin_m; *************** *** 285,292 **** if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG)) return -1; ipsec = aps->aps_data; - off = fin->fin_hlen + sizeof(udphdr_t); m = fin->fin_m; COPYDATA(m, off, sizeof(cookies), (char *)cookies); --- 285,292 ---- if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG)) return -1; + off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; ipsec = aps->aps_data; m = fin->fin_m; COPYDATA(m, off, sizeof(cookies), (char *)cookies); diff -crN ip_fil4.1.8/ip_log.c ip_fil4.1.9/ip_log.c *** ip_fil4.1.8/ip_log.c Sat Oct 16 17:59:27 2004 --- ip_fil4.1.9/ip_log.c Sat Jun 11 17:47:44 2005 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! 
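Review bot: `ipht_nomem[op->iplo_unit]++` indexes a kernel array with `iplo_unit`, a field of the iplookupop copied in from user space; the only range check this value may have received is in the ip_lookup.c dispatcher, which is not part of this hunk, and if that dispatcher accepts a negative "all units" sentinel the ENOMEM path would write outside the array. Either confirm that fr_newhtable is reachable only after a strict unit check, or make the counter update self-protecting: `if ((unsigned)op->iplo_unit < sizeof(ipht_nomem)/sizeof(ipht_nomem[0])) ipht_nomem[op->iplo_unit]++;`. The enclosing function starts and ends outside the hunk.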
* $Id: ip_log.c,v 2.75.2.7 2005/06/11 07:47:44 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) *************** *** 414,422 **** iplog_t *ipl; size_t len; int i; ! # if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! # endif /* * Check to see if this log record has a CRC which matches the last --- 414,420 ---- iplog_t *ipl; size_t len; int i; ! SPL_INT(s); /* * Check to see if this log record has a CRC which matches the last *************** *** 536,544 **** size_t dlen, copied; int error = 0; iplog_t *ipl; ! # if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! # endif /* * Sanity checks. Make sure the minor # is valid and we're copying --- 534,540 ---- size_t dlen, copied; int error = 0; iplog_t *ipl; ! SPL_INT(s); /* * Sanity checks. Make sure the minor # is valid and we're copying *************** *** 650,658 **** { iplog_t *ipl; int used; ! # if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! # endif SPL_NET(s); MUTEX_ENTER(&ipl_mutex); --- 646,652 ---- { iplog_t *ipl; int used; ! SPL_INT(s); SPL_NET(s); MUTEX_ENTER(&ipl_mutex); diff -crN ip_fil4.1.8/ip_lookup.c ip_fil4.1.9/ip_lookup.c *** ip_fil4.1.8/ip_lookup.c Tue Jul 6 21:16:25 2004 --- ip_fil4.1.9/ip_lookup.c Sun Jun 12 17:18:20 2005 *************** *** 33,39 **** # undef _KERNEL #endif #include ! #if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL) # ifdef __osf__ # include # endif --- 33,39 ---- # undef _KERNEL #endif #include ! #if (defined(__osf__) || defined(AIX) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL) # ifdef __osf__ # include # endif *************** *** 61,67 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP --- 61,67 ---- /* END OF INCLUDES */ #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.7 2005/06/12 07:18:20 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP *************** *** 135,143 **** int mode; { int err; ! # if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! # endif mode = mode; /* LINT */ --- 135,141 ---- int mode; { int err; ! SPL_INT(s); mode = mode; /* LINT */ diff -crN ip_fil4.1.8/ip_lookup.h ip_fil4.1.9/ip_lookup.h *** ip_fil4.1.8/ip_lookup.h Sun Mar 7 01:33:02 2004 --- ip_fil4.1.9/ip_lookup.h Sun Jun 12 17:18:21 2005 *************** *** 2,8 **** #ifndef __IP_LOOKUP_H__ #define __IP_LOOKUP_H__ ! #if defined(__STDC__) || defined(__GNUC__) # define SIOCLOOKUPADDTABLE _IOWR('r', 60, struct iplookupop) # define SIOCLOOKUPDELTABLE _IOWR('r', 61, struct iplookupop) # define SIOCLOOKUPSTAT _IOWR('r', 64, struct iplookupop) --- 2,8 ---- #ifndef __IP_LOOKUP_H__ #define __IP_LOOKUP_H__ ! #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) # define SIOCLOOKUPADDTABLE _IOWR('r', 60, struct iplookupop) # define SIOCLOOKUPDELTABLE _IOWR('r', 61, struct iplookupop) # define SIOCLOOKUPSTAT _IOWR('r', 64, struct iplookupop) diff -crN ip_fil4.1.8/ip_nat.c ip_fil4.1.9/ip_nat.c *** ip_fil4.1.8/ip_nat.c Mon Mar 28 21:09:54 2005 --- ip_fil4.1.9/ip_nat.c Fri Aug 12 05:51:36 2005 *************** *** 35,41 **** #else # include #endif ! #include #if !defined(linux) # include #endif --- 35,43 ---- #else # include #endif ! #if !defined(AIX) ! # include ! #endif #if !defined(linux) # include #endif *************** *** 105,111 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.38 2005/03/28 11:09:54 darrenr Exp $"; #endif --- 107,113 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.42 2005/08/11 19:51:36 darrenr Exp $"; #endif *************** *** 797,806 **** error = appr_ioctl(data, cmd, mode); break; case SIOCSTLCK : ! fr_lock(data, &fr_nat_lock); break; case SIOCSTPUT : ! if (fr_nat_lock) { error = fr_natputent(data, getlock); } else { error = EACCES; --- 799,812 ---- error = appr_ioctl(data, cmd, mode); break; case SIOCSTLCK : ! if (!(mode & FWRITE)) { ! error = EPERM; ! } else { ! fr_lock(data, &fr_nat_lock); ! } break; case SIOCSTPUT : ! if (fr_nat_lock && (mode & FWRITE)) { error = fr_natputent(data, getlock); } else { error = EACCES; *************** *** 2512,2519 **** * Only a basic IP header (no options) should be with an ICMP error * header. Also, if it's not an error type, then return. */ ! if ((fin->fin_hlen != sizeof(ip_t)) || ! !fr_icmp4errortype(type)) return NULL; /* --- 2518,2524 ---- * Only a basic IP header (no options) should be with an ICMP error * header. Also, if it's not an error type, then return. */ ! if ((fin->fin_hlen != sizeof(ip_t)) || !(fin->fin_flx & FI_ICMPERR)) return NULL; /* *************** *** 3803,3810 **** CALC_SUMD(s1, s2, sumd); fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd); } ! #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(linux) else { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd); --- 3808,3822 ---- CALC_SUMD(s1, s2, sumd); fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd); } ! #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \ ! defined(linux) || defined(BRIDGE_IPF) else { + /* + * Strictly speaking, this isn't necessary on BSD + * kernels because they do checksum calculation after + * this code has run BUT if ipfilter is being used + * to do NAT as a bridge, that code doesn't exist. + */ if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd); *************** *** 4313,4321 **** { ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; ! 
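Review bot: The two new write-permission checks disagree on the error they report: SIOCSTLCK without FWRITE returns EPERM, while SIOCSTPUT without FWRITE falls into the existing `else` and returns EACCES, the same code used for "table not locked", so a caller cannot distinguish a permission failure from a missing SIOCSTLCK. Test the mode first in the SIOCSTPUT arm and mirror the arm above: `if (!(mode & FWRITE)) error = EPERM; else if (fr_nat_lock) error = fr_natputent(data, getlock); else error = EACCES;`. The enclosing ioctl handler starts and ends outside the hunk.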
#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! #endif int i; SPL_NET(s); --- 4325,4331 ---- { ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; ! SPL_INT(s); int i; SPL_NET(s); *************** *** 4370,4378 **** ipnat_t *n; nat_t *nat; void *ifp2; ! #if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! #endif if (fr_running <= 0) return; --- 4380,4386 ---- ipnat_t *n; nat_t *nat; void *ifp2; ! SPL_INT(s); if (fr_running <= 0) return; *************** *** 4607,4615 **** --- 4615,4634 ---- MUTEX_NUKE(&clone->nat_lock); + clone->nat_aps = NULL; + /* + * Initialize all these so that nat_delete() doesn't cause a crash. + */ + clone->nat_tqe.tqe_pnext = NULL; + clone->nat_tqe.tqe_next = NULL; + clone->nat_tqe.tqe_ifq = NULL; + clone->nat_tqe.tqe_parent = clone; + clone->nat_flags &= ~SI_CLONE; clone->nat_flags |= SI_CLONED; + if (clone->nat_hm) + clone->nat_hm->hm_ref++; if (nat_insert(clone, fin->fin_rev) == -1) { KFREE(clone); *************** *** 4628,4641 **** MUTEX_EXIT(&fr->fr_lock); } - /* * Because the clone is created outside the normal loop of things and * TCP has special needs in terms of state, initialise the timeout * state of the new NAT from here. */ if (clone->nat_p == IPPROTO_TCP) { ! (void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb, \ clone->nat_flags); } #ifdef IPFILTER_SYNC --- 4647,4659 ---- MUTEX_EXIT(&fr->fr_lock); } /* * Because the clone is created outside the normal loop of things and * TCP has special needs in terms of state, initialise the timeout * state of the new NAT from here. */ if (clone->nat_p == IPPROTO_TCP) { ! (void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb, clone->nat_flags); } #ifdef IPFILTER_SYNC diff -crN ip_fil4.1.8/ip_nat.h ip_fil4.1.9/ip_nat.h *** ip_fil4.1.8/ip_nat.h Mon Mar 28 21:09:55 2005 --- ip_fil4.1.9/ip_nat.h Sat Jun 18 12:41:32 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! 
* $Id: ip_nat.h,v 2.90.2.9 2005/03/28 11:09:55 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.90.2.11 2005/06/18 02:41:32 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 14,31 **** #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif ! #if defined(__STDC__) || defined(__GNUC__) #define SIOCADNAT _IOW('r', 60, struct ipfobj) #define SIOCRMNAT _IOW('r', 61, struct ipfobj) #define SIOCGNATS _IOWR('r', 62, struct ipfobj) #define SIOCGNATL _IOWR('r', 63, struct ipfobj) - #define SIOCPROXY _IOWR('r', 64, struct ap_control) #else #define SIOCADNAT _IOW(r, 60, struct ipfobj) #define SIOCRMNAT _IOW(r, 61, struct ipfobj) #define SIOCGNATS _IOWR(r, 62, struct ipfobj) #define SIOCGNATL _IOWR(r, 63, struct ipfobj) - #define SIOCPROXY _IOWR(r, 64, struct ap_control) #endif #undef LARGE_NAT /* define this if you're setting up a system to NAT --- 14,29 ---- #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif ! 
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) #define SIOCADNAT _IOW('r', 60, struct ipfobj) #define SIOCRMNAT _IOW('r', 61, struct ipfobj) #define SIOCGNATS _IOWR('r', 62, struct ipfobj) #define SIOCGNATL _IOWR('r', 63, struct ipfobj) #else #define SIOCADNAT _IOW(r, 60, struct ipfobj) #define SIOCRMNAT _IOW(r, 61, struct ipfobj) #define SIOCGNATS _IOWR(r, 62, struct ipfobj) #define SIOCGNATL _IOWR(r, 63, struct ipfobj) #endif #undef LARGE_NAT /* define this if you're setting up a system to NAT *************** *** 295,300 **** --- 293,299 ---- } natget_t; + #undef tr_flags typedef struct nattrpnt { struct in_addr tr_dstip; /* real destination IP# */ struct in_addr tr_srcip; /* real source IP# */ diff -crN ip_fil4.1.8/ip_netbios_pxy.c ip_fil4.1.9/ip_netbios_pxy.c *** ip_fil4.1.8/ip_netbios_pxy.c Mon Dec 1 13:52:16 2003 --- ip_fil4.1.9/ip_netbios_pxy.c Sat Jul 16 07:56:51 2005 *************** *** 1,7 **** /* * Simple netbios-dgm transparent proxy for in-kernel use. * For use with the NAT code. ! * $Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp $ */ /*- --- 1,7 ---- /* * Simple netbios-dgm transparent proxy for in-kernel use. * For use with the NAT code. ! * $Id: ip_netbios_pxy.c,v 2.8.2.1 2005/07/15 21:56:51 darrenr Exp $ */ /*- *************** *** 29,35 **** * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ! * $Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp $ */ #define IPF_NETBIOS_PROXY --- 29,35 ---- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ! * $Id: ip_netbios_pxy.c,v 2.8.2.1 2005/07/15 21:56:51 darrenr Exp $ */ #define IPF_NETBIOS_PROXY *************** *** 80,98 **** aps = aps; /* LINT */ nat = nat; /* LINT */ ! ip = fin->fin_ip; ! m = *(mb_t **)fin->fin_mp; ! off = fin->fin_hlen + sizeof(udphdr_t); ! dlen = M_LEN(m); ! dlen -= off; ! 
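Review bot: The `#undef tr_flags` added before struct nattrpnt carries no comment, so a reader cannot tell which platform header defines it as a macro or why it must be cleared here (presumably the struct has a member of that name, which lies outside the hunk). Suggest `/* some system headers define tr_flags as a macro; undo it so the struct member below keeps its name */` above the #undef, naming the header once it is known.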
/* * no net bios datagram could possibly be shorter than this */ if (dlen < 11) return 0; udp = (udphdr_t *)fin->fin_dp; /* * move past the --- 80,96 ---- aps = aps; /* LINT */ nat = nat; /* LINT */ ! m = fin->fin_m; ! dlen = fin->fin_dlen - sizeof(*udp); /* * no net bios datagram could possibly be shorter than this */ if (dlen < 11) return 0; + ip = fin->fin_ip; udp = (udphdr_t *)fin->fin_dp; + off = (char *)udp - (char *)ip + sizeof(*udp) + fin->fin_ipoff; /* * move past the diff -crN ip_fil4.1.8/ip_pool.c ip_fil4.1.9/ip_pool.c *** ip_fil4.1.8/ip_pool.c Tue Feb 1 15:04:46 2005 --- ip_fil4.1.9/ip_pool.c Sun Jun 12 17:18:26 2005 *************** *** 53,59 **** # include #endif ! #if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL) # ifdef __osf__ # include # endif --- 53,60 ---- # include #endif ! #if defined(_KERNEL) && (defined(__osf__) || defined(AIX) || \ ! defined(__hpux) || defined(__sgi)) # ifdef __osf__ # include # endif *************** *** 77,83 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP --- 78,84 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.14 2005/06/12 07:18:26 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP *************** *** 354,364 **** addrfamily_t *addr, *mask; { struct radix_node *n; ! #ifdef USE_SPL ! int s; SPL_NET(s); - #endif RADIX_NODE_HEAD_LOCK(ipo->ipo_head); n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head); RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head); --- 355,363 ---- addrfamily_t *addr, *mask; { struct radix_node *n; ! 
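Review bot: `dlen = fin->fin_dlen - sizeof(*udp)` is computed before anything checks that fin_dlen covers a UDP header, so for a truncated datagram the subtraction wraps; the `dlen < 11` test that follows only catches that if dlen is a signed type, which its declaration (outside the hunk) would have to confirm. Guarding the input rather than the result avoids the question: `if (fin->fin_dlen < sizeof(*udp) + 11) return 0;` ahead of the subtraction. The proxy function's prologue and the datagram walk that uses `off` are outside the hunk.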
SPL_INT(s); SPL_NET(s); RADIX_NODE_HEAD_LOCK(ipo->ipo_head); n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head); RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head); diff -crN ip_fil4.1.8/ip_pool.h ip_fil4.1.9/ip_pool.h *** ip_fil4.1.8/ip_pool.h Tue Mar 23 23:44:34 2004 --- ip_fil4.1.9/ip_pool.h Sun Jun 12 17:18:27 2005 *************** *** 3,16 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_pool.h,v 2.26.2.2 2004/03/23 12:44:34 darrenr Exp $ */ #ifndef __IP_POOL_H__ #define __IP_POOL_H__ #if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \ ! !defined(linux) && !defined(sun) # include extern void rn_freehead __P((struct radix_node_head *)); # define FreeS(p, z) KFREES(p, z) --- 3,16 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_pool.h,v 2.26.2.3 2005/06/12 07:18:27 darrenr Exp $ */ #ifndef __IP_POOL_H__ #define __IP_POOL_H__ #if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \ ! !defined(linux) && !defined(sun) && !defined(AIX) # include extern void rn_freehead __P((struct radix_node_head *)); # define FreeS(p, z) KFREES(p, z) diff -crN ip_fil4.1.8/ip_pptp_pxy.c ip_fil4.1.9/ip_pptp_pxy.c *** ip_fil4.1.8/ip_pptp_pxy.c Thu Mar 17 05:17:34 2005 --- ip_fil4.1.9/ip_pptp_pxy.c Sat Jul 16 07:56:52 2005 *************** *** 4,10 **** * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_pptp_pxy.c,v 2.10.2.9 2005/03/16 18:17:34 darrenr Exp $ * */ #define IPF_PPTP_PROXY --- 4,10 ---- * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
* $Id: ip_pptp_pxy.c,v 2.10.2.10 2005/07/15 21:56:52 darrenr Exp $ * */ #define IPF_PPTP_PROXY *************** *** 87,96 **** pptp_pxy_t *pptp; ipnat_t *ipn; ip_t *ip; - int off; ip = fin->fin_ip; - off = fin->fin_hlen + sizeof(udphdr_t); if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip, ip->ip_dst) != NULL) { --- 87,94 ---- diff -crN ip_fil4.1.8/ip_proxy.c ip_fil4.1.9/ip_proxy.c *** ip_fil4.1.8/ip_proxy.c Fri Mar 4 01:28:24 2005 --- ip_fil4.1.9/ip_proxy.c Sat Jun 18 12:41:33 2005 *************** *** 14,20 **** #include #include #include ! #include #if !defined(_KERNEL) && !defined(__KERNEL__) # include # include --- 14,22 ---- #include #include #include ! #if !defined(AIX) ! # include ! #endif #if !defined(_KERNEL) && !defined(__KERNEL__) # include # include *************** *** 33,39 **** #include #if defined(_KERNEL) # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \ ! !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) # include # endif # include --- 35,42 ---- #include #if defined(_KERNEL) # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \ ! !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) && \ ! !defined(AIX) # include # endif # include *************** *** 92,100 **** # include "netinet/ip_irc_pxy.c" # include "netinet/ip_raudio_pxy.c" # include "netinet/ip_h323_pxy.c" - # ifdef IPFILTER_PRO - # include "netinet/ip_msnrpc_pxy.c" - # endif # include "netinet/ip_netbios_pxy.c" #endif #include "netinet/ip_ipsec_pxy.c" --- 95,100 ---- *************** *** 103,109 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); --- 103,109 ---- /* END OF INCLUDES */ #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.14 2005/06/18 02:41:33 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); diff -crN ip_fil4.1.8/ip_proxy.h ip_fil4.1.9/ip_proxy.h *** ip_fil4.1.8/ip_proxy.h Sun Mar 13 06:33:48 2005 --- ip_fil4.1.9/ip_proxy.h Sat Jun 18 12:41:33 2005 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_proxy.h,v 2.31.2.2 2005/03/12 19:33:48 darrenr Exp $ */ #ifndef __IP_PROXY_H__ --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_proxy.h,v 2.31.2.3 2005/06/18 02:41:33 darrenr Exp $ */ #ifndef __IP_PROXY_H__ *************** *** 13,18 **** --- 13,24 ---- #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif + #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) + #define SIOCPROXY _IOWR('r', 64, struct ap_control) + #else + #define SIOCPROXY _IOWR(r, 64, struct ap_control) + #endif + #ifndef APR_LABELLEN #define APR_LABELLEN 16 #endif *************** *** 20,34 **** struct nat; struct ipnat; typedef struct ap_tcp { u_short apt_sport; /* source port */ u_short apt_dport; /* destination port */ short apt_sel[2]; /* {seq,ack}{off,min} set selector */ short apt_seqoff[2]; /* sequence # difference */ ! tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */ short apt_ackoff[2]; /* sequence # difference */ ! tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */ u_char apt_state[2]; /* connection state */ } ap_tcp_t; --- 26,41 ---- struct nat; struct ipnat; + struct ipstate; typedef struct ap_tcp { u_short apt_sport; /* source port */ u_short apt_dport; /* destination port */ short apt_sel[2]; /* {seq,ack}{off,min} set selector */ short apt_seqoff[2]; /* sequence # difference */ ! u_32_t apt_seqmin[2]; /* don't change seq-off until after this */ short apt_ackoff[2]; /* sequence # difference */ ! 
u_32_t apt_ackmin[2]; /* don't change seq-off until after this */ u_char apt_state[2]; /* connection state */ } ap_tcp_t; *************** *** 195,201 **** u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have * been filled */ ! tcp_seq rap_sseq; } raudio_t; #define RA_ID_END 0 --- 202,208 ---- u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have * been filled */ ! u_32_t rap_sseq; } raudio_t; #define RA_ID_END 0 *************** *** 231,237 **** int ipsc_rckset; ipnat_t ipsc_rule; nat_t *ipsc_nat; ! ipstate_t *ipsc_state; } ipsec_pxy_t; /* --- 238,244 ---- int ipsc_rckset; ipnat_t ipsc_rule; nat_t *ipsc_nat; ! struct ipstate *ipsc_state; } ipsec_pxy_t; /* *************** *** 251,257 **** typedef struct pptp_pxy { ipnat_t pptp_rule; nat_t *pptp_nat; ! ipstate_t *pptp_state; u_short pptp_call[2]; pptp_side_t pptp_side[2]; } pptp_pxy_t; --- 258,264 ---- typedef struct pptp_pxy { ipnat_t pptp_rule; nat_t *pptp_nat; ! struct ipstate *pptp_state; u_short pptp_call[2]; pptp_side_t pptp_side[2]; } pptp_pxy_t; diff -crN ip_fil4.1.8/ip_scan.c ip_fil4.1.9/ip_scan.c *** ip_fil4.1.8/ip_scan.c Tue Jan 18 21:13:16 2005 --- ip_fil4.1.9/ip_scan.c Sat Jul 16 15:54:47 2005 *************** *** 32,38 **** # endif #endif #include ! #if !defined(__hpux) && !defined(__osf__) && !defined(linux) # include #endif #ifdef __FreeBSD__ --- 32,38 ---- # endif #endif #include ! #if !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(AIX) # include #endif #ifdef __FreeBSD__ *************** *** 58,64 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ --- 58,64 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.4 2005/07/16 05:54:47 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ *************** *** 537,544 **** j = 0xffff >> (16 - dlen); i = (0xffff & j) << off; #ifdef _KERNEL ! COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_hlen + thoff, dlen, ! (caddr_t)is->is_sbuf[rv] + off); #endif is->is_smsk[rv] |= i; for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1) --- 537,544 ---- j = 0xffff >> (16 - dlen); i = (0xffff & j) << off; #ifdef _KERNEL ! COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_plen - fin->fin_dlen + thoff, ! dlen, (caddr_t)is->is_sbuf[rv] + off); #endif is->is_smsk[rv] |= i; for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1) diff -crN ip_fil4.1.8/ip_scan.h ip_fil4.1.9/ip_scan.h *** ip_fil4.1.8/ip_scan.h Sat Jul 26 08:05:01 2003 --- ip_fil4.1.9/ip_scan.h Sun Jun 12 17:18:29 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_scan.h,v 2.9 2003/07/25 22:05:01 darrenr Exp $ */ #ifndef __IP_SCAN_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_scan.h,v 2.9.2.1 2005/06/12 07:18:29 darrenr Exp $ */ #ifndef __IP_SCAN_H__ *************** *** 25,31 **** struct ipstate; ! #if defined(__STDC__) || defined(__GNUC__) # define SIOCADSCA _IOWR('r', 60, struct ipscan *) # define SIOCRMSCA _IOWR('r', 61, struct ipscan *) # define SIOCGSCST _IOWR('r', 62, struct ipscan *) --- 25,31 ---- struct ipstate; ! 
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) # define SIOCADSCA _IOWR('r', 60, struct ipscan *) # define SIOCRMSCA _IOWR('r', 61, struct ipscan *) # define SIOCGSCST _IOWR('r', 62, struct ipscan *) diff -crN ip_fil4.1.8/ip_state.c ip_fil4.1.9/ip_state.c *** ip_fil4.1.8/ip_state.c Mon Mar 28 20:47:54 2005 --- ip_fil4.1.9/ip_state.c Fri Aug 12 05:58:03 2005 *************** *** 107,113 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.29 2005/03/28 10:47:54 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; --- 107,113 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/08/11 19:58:03 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; *************** *** 505,517 **** * means no packets match). */ case SIOCSTLCK : ! fr_lock(data, &fr_state_lock); break; /* * Add an entry to the current state table. */ case SIOCSTPUT : ! if (!fr_state_lock) { error = EACCES; break; } --- 505,521 ---- * means no packets match). */ case SIOCSTLCK : ! if (!(mode & FWRITE)) { ! error = EPERM; ! } else { ! fr_lock(data, &fr_state_lock); ! } break; /* * Add an entry to the current state table. */ case SIOCSTPUT : ! 
if (!fr_state_lock || !(mode &FWRITE)) { error = EACCES; break; } *************** *** 633,638 **** --- 637,643 ---- if (fr == NULL) { READ_ENTER(&ipf_state); fr_stinsert(isn, 0); + MUTEX_EXIT(&isn->is_lock); RWLOCK_EXIT(&ipf_state); return 0; } *************** *** 680,685 **** --- 685,691 ---- } READ_ENTER(&ipf_state); fr_stinsert(isn, 0); + MUTEX_EXIT(&isn->is_lock); RWLOCK_EXIT(&ipf_state); } else { *************** *** 687,692 **** --- 693,699 ---- for (is = ips_list; is; is = is->is_next) if (is->is_rule == fr) { fr_stinsert(isn, 0); + MUTEX_EXIT(&isn->is_lock); break; } *************** *** 714,719 **** --- 721,727 ---- /* to pointers and adjusts running stats for the hash table as appropriate. */ /* */ /* Locking: it is assumed that some kind of lock on ipf_state is held. */ + /* Exits with is_lock initialised and held. */ /* ------------------------------------------------------------------------ */ void fr_stinsert(is, rev) ipstate_t *is; *************** *** 778,784 **** MUTEX_EXIT(&ipf_stinsert); fr_setstatequeue(is, rev); - MUTEX_EXIT(&is->is_lock); } --- 786,791 ---- *************** *** 1122,1129 **** * this may change. */ is->is_v = fin->fin_v; ! is->is_opt = fin->fin_optmsk; ! is->is_optmsk = 0xffffffff; is->is_sec = fin->fin_secmsk; is->is_secmsk = 0xffff; is->is_auth = fin->fin_auth; --- 1129,1142 ---- * this may change. */ is->is_v = fin->fin_v; ! is->is_opt[0] = fin->fin_optmsk; ! is->is_optmsk[0] = 0xffffffff; ! is->is_optmsk[1] = 0xffffffff; ! if (is->is_v == 6) { ! is->is_opt[0] &= ~0x8; ! is->is_optmsk[0] &= ~0x8; ! is->is_optmsk[1] &= ~0x8; ! } is->is_sec = fin->fin_secmsk; is->is_secmsk = 0xffff; is->is_auth = fin->fin_auth; *************** *** 1148,1160 **** * timer on it as we'll never see an error if it fails to * connect. 
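Review bot: This hunk initialises is_opt[0], is_optmsk[0] and is_optmsk[1] but not is_opt[1], while the 1768,1774 hunk compares a reverse packet's options against `is_opt[rev]` before the 1818,1825 hunk ever assigns the reverse slot; unless the ipstate_t is zero-filled on allocation (not visible here), the first reverse-direction packet is matched against an uninitialised word. Adding `is->is_opt[1] = 0;` next to the other three assignments keeps that comparison deterministic. The `~0x8` masked out for IPv6 here and again in the 1818,1825 hunk is a bare constant; a named macro or a comment saying which option bit it represents would help the next reader. The enclosing state-creation function starts and ends outside the hunk.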
*/ - MUTEX_ENTER(&is->is_lock); (void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags); MUTEX_EXIT(&is->is_lock); #ifdef IPFILTER_SCAN if ((is->is_flags & SI_CLONE) == 0) (void) ipsc_attachis(is); #endif } #ifdef IPFILTER_SYNC if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0)) --- 1161,1174 ---- * timer on it as we'll never see an error if it fails to * connect. */ (void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags); MUTEX_EXIT(&is->is_lock); #ifdef IPFILTER_SCAN if ((is->is_flags & SI_CLONE) == 0) (void) ipsc_attachis(is); #endif + } else { + MUTEX_EXIT(&is->is_lock); } #ifdef IPFILTER_SYNC if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0)) *************** *** 1193,1205 **** char buf[64], *s, opt; mb_t *m = NULL; ! off = fin->fin_hlen + sizeof(*tcp); ! len = (TCP_OFF(tcp) << 2) - sizeof(*tcp); ! if (fin->fin_plen < off + len) return 0; m = fin->fin_m; - off += fin->fin_ipoff; mlen = MSGDSIZE(m) - off; if (len > mlen) { len = mlen; --- 1207,1220 ---- char buf[64], *s, opt; mb_t *m = NULL; ! len = (TCP_OFF(tcp) << 2); ! if (fin->fin_dlen < len) return 0; + len -= sizeof(*tcp); + + off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff; m = fin->fin_m; mlen = MSGDSIZE(m) - off; if (len > mlen) { len = mlen; *************** *** 1582,1589 **** clone->is_flags &= ~SI_CLONE; clone->is_flags |= SI_CLONED; fr_stinsert(clone, fin->fin_rev); ! MUTEX_ENTER(&clone->is_lock); ! clone->is_ref = 1; if (clone->is_p == IPPROTO_TCP) { (void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb, clone->is_flags); --- 1597,1603 ---- clone->is_flags &= ~SI_CLONE; clone->is_flags |= SI_CLONED; fr_stinsert(clone, fin->fin_rev); ! clone->is_ref = 2; if (clone->is_p == IPPROTO_TCP) { (void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb, clone->is_flags); *************** *** 1768,1774 **** * Match up any flags set from IP options. */ if ((cflx && (flx != (cflx & cmask))) || ! 
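Review bot: The new length check in the TCP option parser compares the data offset against fin_dlen but then does `len -= sizeof(*tcp)` unconditionally, so a header whose data offset is below the minimum five words makes len negative (or wraps, depending on its type) before it reaches the `len > mlen` clamp. If the header validation in fil.c already rejects such packets this is only defensive, but a one-line guard keeps the function self-contained: `if (len < sizeof(*tcp) || fin->fin_dlen < len) return 0;`. The function's declarations and the option loop are outside the hunk.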
((fin->fin_optmsk & is->is_optmsk) != is->is_opt) || ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) || ((fin->fin_auth & is->is_authmsk) != is->is_auth)) return NULL; --- 1782,1788 ---- * Match up any flags set from IP options. */ if ((cflx && (flx != (cflx & cmask))) || ! ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) || ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) || ((fin->fin_auth & is->is_authmsk) != is->is_auth)) return NULL; *************** *** 1785,1793 **** if ((flags & (SI_W_SPORT|SI_W_DPORT))) { if ((flags & SI_CLONE) != 0) { ! is = fr_stclone(fin, tcp, is); ! if (is == NULL) return NULL; } else { ATOMIC_DECL(ips_stats.iss_wild); } --- 1799,1810 ---- if ((flags & (SI_W_SPORT|SI_W_DPORT))) { if ((flags & SI_CLONE) != 0) { ! ipstate_t *clone; ! ! clone = fr_stclone(fin, tcp, is); ! if (clone == NULL) return NULL; + is = clone; } else { ATOMIC_DECL(ips_stats.iss_wild); } *************** *** 1818,1825 **** ret = -1; ! if (is->is_flx[out][rev] == 0) is->is_flx[out][rev] = flx; /* * Check if the interface name for this "direction" is set and if not, --- 1835,1848 ---- ret = -1; ! if (is->is_flx[out][rev] == 0) { is->is_flx[out][rev] = flx; + is->is_opt[rev] = fin->fin_optmsk; + if (is->is_v == 6) { + is->is_opt[rev] &= ~0x8; + is->is_optmsk[rev] &= ~0x8; + } + } /* * Check if the interface name for this "direction" is set and if not, *************** *** 1865,1885 **** /* * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with * an ICMP error header. */ if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) || ! 
(fin->fin_plen < ICMPERR_MINPKTLEN)) return NULL; ic = fin->fin_dp; type = ic->icmp_type; - /* - * If it's not an error type, then return - */ - if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) && - (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) && - (type != ICMP_PARAMPROB)) - return NULL; oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN); /* --- 1888,1903 ---- /* * Does it at least have the return (basic) IP header ? + * Is it an actual recognised ICMP error type? * Only a basic IP header (no options) should be with * an ICMP error header. */ if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) || ! (fin->fin_plen < ICMPERR_MINPKTLEN) || ! !(fin->fin_flx & FI_ICMPERR)) return NULL; ic = fin->fin_dp; type = ic->icmp_type; oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN); /* *************** *** 1942,1948 **** */ savelen = oip->ip_len; oip->ip_len = len; ! oip->ip_off = htons(oip->ip_off); ofin.fin_flx = FI_NOCKSUM; ofin.fin_v = 4; --- 1960,1966 ---- */ savelen = oip->ip_len; oip->ip_len = len; ! oip->ip_off = ntohs(oip->ip_off); ofin.fin_flx = FI_NOCKSUM; ofin.fin_v = 4; *************** *** 1970,1977 **** switch (oip->ip_p) { case IPPROTO_ICMP : - icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2)); - /* * an ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error --- 1988,1993 ---- *************** *** 1979,1993 **** * XXX theoretically ICMP_ECHOREP and the other reply's are * ICMP query's as well, but adding them here seems strange XXX */ ! if ((icmp->icmp_type != ICMP_ECHO) && ! (icmp->icmp_type != ICMP_TSTAMP) && ! (icmp->icmp_type != ICMP_IREQ) && ! (icmp->icmp_type != ICMP_MASKREQ)) return NULL; /* * perform a lookup of the ICMP packet in the state table */ hv = (pr = oip->ip_p); src.in4 = oip->ip_src; hv += src.in4.s_addr; --- 1995,2007 ---- * XXX theoretically ICMP_ECHOREP and the other reply's are * ICMP query's as well, but adding them here seems strange XXX */ ! 
if ((ofin.fin_flx & FI_ICMPERR) != 0) return NULL; /* * perform a lookup of the ICMP packet in the state table */ + icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2)); hv = (pr = oip->ip_p); src.in4 = oip->ip_src; hv += src.in4.s_addr; *************** *** 2798,2806 **** ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; ipstate_t *is; ! #if defined(USE_SPL) && defined(_KERNEL) ! int s; ! #endif SPL_NET(s); WRITE_ENTER(&ipf_state); --- 2812,2818 ---- ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; ipstate_t *is; ! SPL_INT(s); SPL_NET(s); WRITE_ENTER(&ipf_state); *************** *** 2870,2878 **** int delete, removed; long try, maxtick; u_long interval; ! #if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL) ! int s; ! #endif removed = 0; --- 2882,2888 ---- int delete, removed; long try, maxtick; u_long interval; ! SPL_INT(s); removed = 0; *************** *** 3040,3046 **** rval = 0; dir = fin->fin_rev; tcpflags = tcp->th_flags; ! dlen = fin->fin_plen - fin->fin_hlen - (TCP_OFF(tcp) << 2); if (tcpflags & TH_RST) { if (!(tcpflags & TH_PUSH) && !dlen) --- 3050,3056 ---- rval = 0; dir = fin->fin_rev; tcpflags = tcp->th_flags; ! dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2); if (tcpflags & TH_RST) { if (!(tcpflags & TH_PUSH) && !dlen) *************** *** 3314,3322 **** (u_long)tcp, tcpflags, (u_long)tqe, nstate, ostate); # endif - # ifdef DIAGNOSTIC - panic("invalid TCP state"); - # endif #else abort(); #endif --- 3324,3329 ---- *************** *** 3440,3459 **** /* * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with * an ICMP error header. */ ! 
if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN)) return NULL; ic6 = fin->fin_dp; type = ic6->icmp6_type; - /* - * If it's not an error type, then return - */ - if ((type != ICMP6_DST_UNREACH) && (type != ICMP6_PACKET_TOO_BIG) && - (type != ICMP6_TIME_EXCEEDED) && (type != ICMP6_PARAM_PROB)) - return NULL; oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN); if (fin->fin_plen < sizeof(*oip6)) --- 3447,3462 ---- /* * Does it at least have the return (basic) IP header ? + * Is it an actual recognised ICMP error type? * Only a basic IP header (no options) should be with * an ICMP error header. */ ! if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) || ! !(fin->fin_flx & FI_ICMPERR)) return NULL; ic6 = fin->fin_dp; type = ic6->icmp6_type; oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN); if (fin->fin_plen < sizeof(*oip6)) diff -crN ip_fil4.1.8/ip_state.h ip_fil4.1.9/ip_state.h *** ip_fil4.1.8/ip_state.h Fri Mar 4 01:24:11 2005 --- ip_fil4.1.9/ip_state.h Fri Aug 12 05:58:04 2005 *************** *** 4,15 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.3 2005/03/03 14:24:11 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ ! #if defined(__STDC__) || defined(__GNUC__) # define SIOCDELST _IOW('r', 61, struct ipfobj) #else # define SIOCDELST _IOW(r, 61, struct ipfobj) --- 4,15 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.5 2005/08/11 19:58:04 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ ! #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) # define SIOCDELST _IOW('r', 61, struct ipfobj) #else # define SIOCDELST _IOW(r, 61, struct ipfobj) *************** *** 58,65 **** u_char is_v; u_32_t is_hv; u_32_t is_tag; ! u_32_t is_opt; /* packet options set */ ! 
u_32_t is_optmsk; /* " " mask */ u_short is_sec; /* security options set */ u_short is_secmsk; /* " " mask */ u_short is_auth; /* authentication options set */ --- 58,65 ---- u_char is_v; u_32_t is_hv; u_32_t is_tag; ! u_32_t is_opt[2]; /* packet options set */ ! u_32_t is_optmsk[2]; /* " " mask */ u_short is_sec; /* security options set */ u_short is_secmsk; /* " " mask */ u_short is_auth; /* authentication options set */ diff -crN ip_fil4.1.8/ip_sync.c ip_fil4.1.9/ip_sync.c *** ip_fil4.1.8/ip_sync.c Sat Feb 19 00:06:29 2005 --- ip_fil4.1.9/ip_sync.c Sun Jun 12 14:18:14 2005 *************** *** 96,102 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.3 2005/02/18 13:06:29 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 --- 96,102 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.4 2005/06/12 04:18:14 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 *************** *** 440,460 **** l = get_sleep_lock(&sl_tail); err = sleep(&sl_tail, PZERO+1); spinunlock(l); } # else /* __hpux */ # ifdef __osf__ err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0, &ipsl_mutex, MS_LOCK_SIMPLE); # else MUTEX_EXIT(&ipsl_mutex); err = SLEEP(&sl_tail, "ipl sleep"); # endif /* __osf__ */ # endif /* __hpux */ - if (err) { - MUTEX_EXIT(&ipsl_mutex); - return err; - } # endif /* SOLARIS */ } MUTEX_EXIT(&ipsl_mutex); --- 440,465 ---- l = get_sleep_lock(&sl_tail); err = sleep(&sl_tail, PZERO+1); + if (err) { + MUTEX_EXIT(&ipsl_mutex); + return EINTR; + } spinunlock(l); } # else /* __hpux */ # ifdef __osf__ err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0, &ipsl_mutex, MS_LOCK_SIMPLE); + if (err) + return EINTR; # else MUTEX_EXIT(&ipsl_mutex); err = SLEEP(&sl_tail, "ipl sleep"); + if (err) + return EINTR; + MUTEX_ENTER(&ipsl_mutex); # endif /* __osf__ */ # endif /* __hpux */ # endif /* SOLARIS */ } MUTEX_EXIT(&ipsl_mutex); diff -crN ip_fil4.1.8/ipf.h ip_fil4.1.9/ipf.h *** 
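Review bot: In the __hpux branch of ip_sync.c the new `if (err)` return exits while the sleep lock obtained by get_sleep_lock() is apparently still held, since `spinunlock(l)` only runs on the success path; if sleep() returning non-zero does not itself release that lock, the early return leaks it. Releasing it first, `spinunlock(l); MUTEX_EXIT(&ipsl_mutex); return EINTR;`, keeps the two paths symmetric. The __osf__ branch returns EINTR without a MUTEX_EXIT, which is correct only if mpsleep() drops ipsl_mutex on interruption; a comment stating that assumption would help. The surrounding function continues outside the hunk.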
ip_fil4.1.8/ipf.h Mon Feb 21 16:05:29 2005 --- ip_fil4.1.9/ipf.h Sun Jun 12 17:18:31 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.71.2.6 2005/02/21 05:05:29 darrenr Exp $ */ #ifndef __IPF_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $ */ #ifndef __IPF_H__ *************** *** 263,268 **** --- 263,269 ---- extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t, char *, int)); extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int)); + extern void printproto __P((struct protoent *, int, struct ipnat *)); extern void printportcmp __P((int, struct frpcmp *)); extern void optprint __P((u_short *, u_long, u_long)); #ifdef USE_INET6 diff -crN ip_fil4.1.8/ipl.h ip_fil4.1.9/ipl.h *** ip_fil4.1.8/ipl.h Thu Mar 31 00:14:05 2005 --- ip_fil4.1.9/ipl.h Sat Aug 13 15:42:49 2005 *************** *** 4,17 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.9 2005/03/30 14:14:05 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.8" ! #define IPFILTER_VERSION 4010800 #endif --- 4,17 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.10 2005/08/13 05:42:49 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.9" ! #define IPFILTER_VERSION 4010900 #endif diff -crN ip_fil4.1.8/ipsend/arp.c ip_fil4.1.9/ipsend/arp.c *** ip_fil4.1.8/ipsend/arp.c Mon Dec 1 13:01:15 2003 --- ip_fil4.1.9/ipsend/arp.c Sun Jun 12 17:18:38 2005 *************** *** 5,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: arp.c,v 2.8 2003/12/01 02:01:15 darrenr Exp $"; #endif #include #include ! #if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) #include #endif #include --- 5,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.1 2005/06/12 07:18:38 darrenr Exp $"; #endif #include #include ! #if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) && !defined(_AIX51) #include #endif #include diff -crN ip_fil4.1.8/ipsend/iptests.c ip_fil4.1.9/ipsend/iptests.c *** ip_fil4.1.8/ipsend/iptests.c Sat Apr 17 09:33:04 2004 --- ip_fil4.1.9/ipsend/iptests.c Sun Jun 12 17:18:39 2005 *************** *** 6,12 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.3 2004/04/16 23:33:04 darrenr Exp $"; #endif #include #include --- 6,12 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $"; #endif #include #include *************** *** 30,36 **** # include #endif #if !defined(ultrix) && !defined(hpux) && !defined(linux) && \ ! !defined(__sgi) && !defined(__osf__) # include #endif #ifndef ultrix --- 30,36 ---- # include #endif #if !defined(ultrix) && !defined(hpux) && !defined(linux) && \ ! 
!defined(__sgi) && !defined(__osf__) && !defined(_AIX51) # include #endif #ifndef ultrix diff -crN ip_fil4.1.8/lib/Makefile ip_fil4.1.9/lib/Makefile *** ip_fil4.1.8/lib/Makefile Mon Mar 22 23:20:35 2004 --- ip_fil4.1.9/lib/Makefile Sun Jun 12 17:40:12 2005 *************** *** 68,73 **** --- 68,74 ---- $(DEST)/printip.o \ $(DEST)/printpool.o \ $(DEST)/printpoolnode.o \ + $(DEST)/printproto.o \ $(DEST)/printfr.o \ $(DEST)/printfraginfo.o \ $(DEST)/printhostmap.o \ *************** *** 246,251 **** --- 247,254 ---- $(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h $(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@ + $(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h + $(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@ $(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h $(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@ $(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP) diff -crN ip_fil4.1.8/lib/getproto.c ip_fil4.1.9/lib/getproto.c *** ip_fil4.1.8/lib/getproto.c Fri Dec 10 06:41:18 2004 --- ip_fil4.1.9/lib/getproto.c Sun Jun 12 17:18:41 2005 *************** *** 12,17 **** --- 12,25 ---- if (*s == '\0') return atoi(name); + #ifdef _AIX51 + /* + * For some bogus reason, "ip" is 252 in /etc/protocols on AIX 5 + */ + if (!strcasecmp(name, "ip")) + return 0; + #endif + p = getprotobyname(name); if (p != NULL) return p->p_proto; diff -crN ip_fil4.1.8/lib/ipf_dotuning.c ip_fil4.1.9/lib/ipf_dotuning.c *** ip_fil4.1.8/lib/ipf_dotuning.c Thu Sep 18 12:46:37 2003 --- ip_fil4.1.9/lib/ipf_dotuning.c Sat Jun 11 20:00:48 2005 *************** *** 1,5 **** #include "ipf.h" ! #include "ipl.h" #include void ipf_dotuning(fd, tuneargs, iocfn) --- 1,5 ---- #include "ipf.h" ! 
#include "netinet/ipl.h" #include void ipf_dotuning(fd, tuneargs, iocfn) *************** *** 31,36 **** --- 31,37 ---- printtunable(&tu); } } else if ((t = strchr(s, '=')) != NULL) { + tu.ipft_cookie = NULL; *t++ = '\0'; strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) { *************** *** 43,55 **** return; } } else { strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) { perror("ioctl(SIOCIPFGET)"); return; } ! if (tu.ipft_cookie == NULL) return; tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; printtunable(&tu); --- 44,59 ---- return; } } else { + tu.ipft_cookie = NULL; strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) { perror("ioctl(SIOCIPFGET)"); return; } ! if (tu.ipft_cookie == NULL) { ! fprintf(stderr, "Null cookie for %s\n", s); return; + } tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; printtunable(&tu); diff -crN ip_fil4.1.8/lib/ipft_tx.c ip_fil4.1.9/lib/ipft_tx.c *** ip_fil4.1.8/lib/ipft_tx.c Fri Dec 10 06:41:21 2004 --- ip_fil4.1.9/lib/ipft_tx.c Sat Jun 18 12:41:34 2005 *************** *** 3,13 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ipft_tx.c,v 1.15.2.2 2004/12/09 19:41:21 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.2 2004/12/09 19:41:21 darrenr Exp $"; #endif #include --- 3,13 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ipft_tx.c,v 1.15.2.3 2005/06/18 02:41:34 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.3 2005/06/18 02:41:34 darrenr Exp $"; #endif #include *************** *** 29,36 **** static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); ! 
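Review bot: `strncpy(tu.ipft_name, s, sizeof(tu.ipft_name))` leaves ipft_name unterminated when `s` is sizeof(ipft_name) bytes or longer, and the struct is handed to the kernel via SIOCIPFGET before the terminator is written on the line after the ioctl, so the kernel-side name lookup sees an unterminated buffer for an over-long tunable name. Move `tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';` to directly after the strncpy, before the ioctl, here and in the `=` branch above which performs the same copy. The two `tu.ipft_cookie = NULL` resets also suggest `tu` is never zeroed up front; a single `bzero(&tu, sizeof(tu))` ahead of the branches (outside this hunk) would cover the cookie and any other field the kernel reads. ipf_dotuning's body continues outside the hunk.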
static char _tcp_flagset[] = "FSRPAUEC"; ! static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip, R_DO_CKSUM }; --- 29,36 ---- static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); ! static char myflagset[] = "FSRPAUEC"; ! static u_char myflags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip, R_DO_CKSUM }; *************** *** 278,291 **** ip->ip_dst.s_addr = tx_hostnum(*cpp, &r); cpp++; if (*cpp && ip->ip_p == IPPROTO_TCP) { - extern char _tcp_flagset[]; - extern u_char _tcp_flags[]; char *s, *t; tcp->th_flags = 0; for (s = *cpp; *s; s++) ! if ((t = strchr(_tcp_flagset, *s))) ! tcp->th_flags |= _tcp_flags[t - _tcp_flagset]; if (tcp->th_flags) cpp++; if (tcp->th_flags == 0) --- 278,289 ---- ip->ip_dst.s_addr = tx_hostnum(*cpp, &r); cpp++; if (*cpp && ip->ip_p == IPPROTO_TCP) { char *s, *t; tcp->th_flags = 0; for (s = *cpp; *s; s++) ! if ((t = strchr(myflagset, *s))) ! tcp->th_flags |= myflags[t - myflagset]; if (tcp->th_flags) cpp++; if (tcp->th_flags == 0) diff -crN ip_fil4.1.8/lib/kmem.c ip_fil4.1.9/lib/kmem.c *** ip_fil4.1.8/lib/kmem.c Sun Jun 20 20:25:58 2004 --- ip_fil4.1.9/lib/kmem.c Sun Jun 12 17:18:41 2005 *************** *** 16,22 **** #include #include #include ! #if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && !defined(linux) #include #endif #include --- 16,22 ---- #include #include #include ! #if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(_AIX51) #include #endif #include *************** *** 42,53 **** #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.1 2004/06/20 10:25:58 darrenr Exp $"; #endif ! 
#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && !defined(linux) /* * For all platforms where there is a libkvm and a kvm_t, we use that... */ --- 42,54 ---- #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.2 2005/06/12 07:18:41 darrenr Exp $"; #endif ! #if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && \ ! !defined(linux) && !defined(_AIX51) /* * For all platforms where there is a libkvm and a kvm_t, we use that... */ diff -crN ip_fil4.1.8/lib/printfr.c ip_fil4.1.9/lib/printfr.c *** ip_fil4.1.8/lib/printfr.c Thu Mar 17 02:38:13 2005 --- ip_fil4.1.9/lib/printfr.c Sun Jun 12 17:18:42 2005 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: printfr.c,v 1.43.2.10 2005/03/16 15:38:13 darrenr Exp $ */ #include "ipf.h" --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: printfr.c,v 1.43.2.12 2005/06/12 07:18:42 darrenr Exp $ */ #include "ipf.h" *************** *** 105,110 **** --- 105,113 ---- if ((fp->fr_type & FR_T_BUILTIN) != 0) printf("# Builtin: "); + if (fp->fr_collect != 0) + printf("%u ", fp->fr_collect); + if (fp->fr_type == FR_T_CALLFUNC) { ; } else if (fp->fr_func != NULL) { *************** *** 206,215 **** pr = -1; } else if (fp->fr_mip.fi_p) { pr = fp->fr_ip.fi_p; ! if ((p = getprotobynumber(fp->fr_proto))) ! printf("proto %s ", p->p_name); ! else ! printf("proto %d ", fp->fr_proto); } } --- 209,218 ---- pr = -1; } else if (fp->fr_mip.fi_p) { pr = fp->fr_ip.fi_p; ! p = getprotobynumber(pr); ! printf("proto "); ! printproto(p, pr, NULL); ! putchar(' '); } } diff -crN ip_fil4.1.8/lib/printnat.c ip_fil4.1.9/lib/printnat.c *** ip_fil4.1.8/lib/printnat.c Wed Jan 12 14:39:04 2005 --- ip_fil4.1.9/lib/printnat.c Sun Jun 12 17:18:43 2005 *************** *** 11,21 **** #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.8 2005/01/12 03:39:04 darrenr Exp $"; #endif - static void printproto __P((ipnat_t *, struct protoent *)); - /* * Print out a NAT rule */ --- 11,19 ---- #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.9 2005/06/12 07:18:43 darrenr Exp $"; #endif /* * Print out a NAT rule */ *************** *** 106,112 **** else printf(" port %d", ntohs(np->in_pnext)); } ! printproto(np, pr); if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) --- 104,111 ---- else printf(" port %d", ntohs(np->in_pnext)); } ! putchar(' '); ! printproto(pr, np->in_p, np); if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) *************** *** 162,171 **** } printf(" %.*s/", (int)sizeof(np->in_plabel), np->in_plabel); ! if (pr != NULL) ! fputs(pr->p_name, stdout); ! else ! printf("%d", np->in_p); } else if (np->in_redir == NAT_MAPBLK) { if ((np->in_pmin == 0) && (np->in_flags & IPN_AUTOPORTMAP)) --- 161,167 ---- } printf(" %.*s/", (int)sizeof(np->in_plabel), np->in_plabel); ! printproto(pr, np->in_p, NULL); } else if (np->in_redir == NAT_MAPBLK) { if ((np->in_pmin == 0) && (np->in_flags & IPN_AUTOPORTMAP)) *************** *** 176,186 **** printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { if (np->in_flags & IPN_ICMPQUERY) { ! printf(" icmpidmap"); } else { ! printf(" portmap"); } ! printproto(np, pr); if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); if (opts & OPT_DEBUG) --- 172,182 ---- printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { if (np->in_flags & IPN_ICMPQUERY) { ! printf(" icmpidmap "); } else { ! printf(" portmap "); } ! printproto(pr, np->in_p, np); if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); if (opts & OPT_DEBUG) *************** *** 192,199 **** printf(" %d:%d", ntohs(np->in_pmin), ntohs(np->in_pmax)); } ! 
} else if (np->in_flags & IPN_TCPUDP || np->in_p) ! printproto(np, pr); if (np->in_flags & IPN_FRAG) printf(" frag"); --- 188,197 ---- printf(" %d:%d", ntohs(np->in_pmin), ntohs(np->in_pmax)); } ! } else if (np->in_flags & IPN_TCPUDP || np->in_p) { ! putchar(' '); ! printproto(pr, np->in_p, np); ! } if (np->in_flags & IPN_FRAG) printf(" frag"); *************** *** 225,245 **** np->in_tqehead[0], np->in_tqehead[1], np->in_comment); } } - - static void printproto(np, pr) - ipnat_t *np; - struct protoent *pr; - { - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if (np->in_flags & IPN_TCP) - printf(" tcp"); - else if (np->in_flags & IPN_UDP) - printf(" udp"); - else if (np->in_flags & IPN_ICMPQUERY) - printf(" icmp"); - else if (pr != NULL) - printf(" %s", pr->p_name); - else - printf(" %d", np->in_p); - } --- 223,225 ---- diff -crN ip_fil4.1.8/lib/printproto.c ip_fil4.1.9/lib/printproto.c *** ip_fil4.1.8/lib/printproto.c Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/lib/printproto.c Sun Jun 12 17:21:53 2005 *************** *** 0 **** --- 1,51 ---- + /* + * Copyright (C) 1993-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. 
+ */ + + #include "ipf.h" + + + #if !defined(lint) + static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.1 2005/06/12 07:21:53 darrenr Exp $"; + #endif + + + void printproto(pr, p, np) + struct protoent *pr; + int p; + ipnat_t *np; + { + if (np != NULL) { + if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) + printf("tcp/udp"); + else if (np->in_flags & IPN_TCP) + printf("tcp"); + else if (np->in_flags & IPN_UDP) + printf("udp"); + else if (np->in_flags & IPN_ICMPQUERY) + printf("icmp"); + #ifdef _AIX51 + /* + * To make up for "ip = 252" and "hopopt = 0" in /etc/protocols + */ + else if (np->in_p == 0) + printf("ip"); + #endif + else if (pr != NULL) + printf("%s", pr->p_name); + else + printf("%d", np->in_p); + } else { + #ifdef _AIX51 + if (p == 0) + printf("ip"); + else + #endif + if (pr != NULL) + printf("%s", pr->p_name); + else + printf("%d", p); + } + } diff -crN ip_fil4.1.8/lib/printstate.c ip_fil4.1.9/lib/printstate.c *** ip_fil4.1.8/lib/printstate.c Fri Mar 4 01:19:25 2005 --- ip_fil4.1.9/lib/printstate.c Fri Aug 12 05:58:05 2005 *************** *** 142,149 **** PRINTF("\tpkt_flags & %x(%x) = %x,\t", ips.is_flags & 0xf, ips.is_flags, ips.is_flags >> 4); ! PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk, ! ips.is_opt); PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", ips.is_secmsk, ips.is_sec, ips.is_authmsk, ips.is_auth); --- 142,149 ---- PRINTF("\tpkt_flags & %x(%x) = %x,\t", ips.is_flags & 0xf, ips.is_flags, ips.is_flags >> 4); ! PRINTF("\tpkt_options & %x = %x, %x = %x \n", ips.is_optmsk[0], ! ips.is_opt[0], ips.is_optmsk[1], ips.is_opt[1]); PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", ips.is_secmsk, ips.is_sec, ips.is_authmsk, ips.is_auth); diff -crN ip_fil4.1.8/man/ipmon.8 ip_fil4.1.9/man/ipmon.8 *** ip_fil4.1.8/man/ipmon.8 Wed Mar 17 06:46:22 2004 --- ip_fil4.1.9/man/ipmon.8 Mon Jul 18 13:24:46 2005 *************** *** 4,10 **** .SH SYNOPSIS .B ipmon [ ! 
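Review bot: When `np` is non-NULL the `p` argument is ignored in favour of `np->in_p`, and the AIX `p == 0` → `"ip"` special case is written out twice, so the two branches can drift apart; the function also carries no header comment saying what the three arguments mean or which takes precedence. Collecting the flag-derived name into one variable, falling back to `p = np->in_p`, and then doing the AIX fixup and the protoent/numeric fallback once produces the same output for every caller in this diff. A header comment along the lines of `/* Print a rule's protocol: NAT flag names first, then the AIX "ip" fixup, then pr->p_name, then the number */` would document the precedence.
```c
void printproto(pr, p, np)
struct protoent *pr;
int p;
ipnat_t *np;
{
	const char *name = NULL;

	if (np != NULL) {
		if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
			name = "tcp/udp";
		else if (np->in_flags & IPN_TCP)
			name = "tcp";
		else if (np->in_flags & IPN_UDP)
			name = "udp";
		else if (np->in_flags & IPN_ICMPQUERY)
			name = "icmp";
		p = np->in_p;
	}
#ifdef _AIX51
	/* AIX 5's /etc/protocols has "ip = 252" and "hopopt = 0" */
	if (name == NULL && p == 0)
		name = "ip";
#endif
	if (name != NULL)
		printf("%s", name);
	else if (pr != NULL)
		printf("%s", pr->p_name);
	else
		printf("%d", p);
}
```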
.B \-abDFhnpstvxX ] [ .B "\-N " ] [ --- 4,10 ---- .SH SYNOPSIS .B ipmon [ ! .B \-abBDFhnpstvxX ] [ .B "\-N " ] [ *************** *** 71,76 **** --- 71,79 ---- In order for \fBipmon\fP to properly work, the kernel option \fBIPFILTER_LOG\fP must be turned on in your kernel. Please see \fBoptions(4)\fP for more details. + .LP + \fBipmon\fP reopns its log file(s) and rereads its configuration file + when it receives a SIGHUP signal. .SH OPTIONS .TP .B \-a *************** *** 81,86 **** --- 84,94 ---- For rules which log the body of a packet, generate hex output representing the packet contents after the headers. .TP + .B \-B + Enable logging of the raw, unformatted binary data to the specified + \fI\fP file. This can be read, later, using \fBipmon\fP + with the \fB-f\fP option. + .TP .B \-D Cause ipmon to turn itself into a daemon. Using subshells or backgrounding of ipmon is not required to turn it into an orphan so it can run indefinitely. diff -crN ip_fil4.1.8/man/ipnat.5 ip_fil4.1.9/man/ipnat.5 *** ip_fil4.1.8/man/ipnat.5 Fri Feb 4 04:22:19 2005 --- ip_fil4.1.9/man/ipnat.5 Fri Aug 12 00:24:08 2005 *************** *** 10,18 **** map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ] mapoptions . mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions . ! redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . lhs ::= ipmask | fromto . dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . rdrport ::= "port" portnum . --- 10,19 ---- map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ] mapoptions . mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions . ! redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions . lhs ::= ipmask | fromto . + rlhs ::= ipmask dport | fromto . dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . rdrport ::= "port" portnum . 
diff -crN ip_fil4.1.8/man/ipnat.8 ip_fil4.1.9/man/ipnat.8 *** ip_fil4.1.8/man/ipnat.8 Sun Jun 20 19:57:23 2004 --- ip_fil4.1.9/man/ipnat.8 Sun Jun 12 17:00:24 2005 *************** *** 33,39 **** .TP .B \-C delete all entries in the current NAT rule listing (NAT rules) ! .TP .B \-d Enable printing of some extra debugging information. .TP --- 33,39 ---- .TP .B \-C delete all entries in the current NAT rule listing (NAT rules) ! .TP .B \-d Enable printing of some extra debugging information. .TP *************** *** 52,61 **** calls or doing anything which would alter the currently running kernel. .TP .B \-r ! Remove matching NAT rules rather than add them to the internal lists .TP .B \-s ! Retrieve and display NAT statistics .TP .B \-v Turn verbose mode on. Displays information relating to rule processing --- 52,61 ---- calls or doing anything which would alter the currently running kernel. .TP .B \-r ! Remove matching NAT rules rather than add them to the internal lists. .TP .B \-s ! Retrieve and display NAT statistics. .TP .B \-v Turn verbose mode on. Displays information relating to rule processing diff -crN ip_fil4.1.8/mlfk_ipl.c ip_fil4.1.9/mlfk_ipl.c *** ip_fil4.1.8/mlfk_ipl.c Mon Nov 1 05:45:30 2004 --- ip_fil4.1.9/mlfk_ipl.c Mon Jul 18 13:00:03 2005 *************** *** 93,108 **** #define CDEV_MAJOR 79 #if __FreeBSD_version >= 501000 static struct cdevsw ipl_cdevsw = { ! #if __FreeBSD_version >= 502103 .d_version = D_VERSION, .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */ ! #endif .d_open = iplopen, .d_close = iplclose, .d_read = iplread, .d_ioctl = iplioctl, .d_name = "ipl", .d_maj = CDEV_MAJOR, }; #else static struct cdevsw ipl_cdevsw = { --- 93,111 ---- #define CDEV_MAJOR 79 #if __FreeBSD_version >= 501000 static struct cdevsw ipl_cdevsw = { ! # if __FreeBSD_version >= 502103 .d_version = D_VERSION, .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */ ! 
# endif .d_open = iplopen, .d_close = iplclose, .d_read = iplread, + .d_write = iplwrite, .d_ioctl = iplioctl, .d_name = "ipl", + # if __FreeBSD_version < 600000 .d_maj = CDEV_MAJOR, + # endif }; #else static struct cdevsw ipl_cdevsw = { diff -crN ip_fil4.1.8/mli_ipl.c ip_fil4.1.9/mli_ipl.c *** ip_fil4.1.8/mli_ipl.c Thu Dec 16 05:30:41 2004 --- ip_fil4.1.9/mli_ipl.c Fri Aug 12 05:48:24 2005 *************** *** 57,63 **** ipfmutex_t ipl_mutex, ipfi_mutex, ipf_rw, ipf_stinsert, ipf_authmx; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; ! ipfrwlock_t ipf_global, ipf_mutex, ipf_ipidfrag; int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); --- 57,63 ---- ipfmutex_t ipl_mutex, ipfi_mutex, ipf_rw, ipf_stinsert, ipf_authmx; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; ! ipfrwlock_t ipf_global, ipf_mutex, ipf_ipidfrag, ipf_frcache; int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); *************** *** 159,167 **** switch(m->m_type) { - case MT_DATA: - /* FALLTHROUGH */ case MT_HEADER: if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) { #if (IPFDEBUG >= 4) --- 159,172 ---- switch(m->m_type) { case MT_HEADER: + if (m->m_len == 0) { + if (m->m_next == NULL) + break; + m = m->m_next; + } + /* FALLTHROUGH */ + case MT_DATA: if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) { #if (IPFDEBUG >= 4) *************** *** 574,579 **** --- 579,585 ---- LOCK_DEALLOC(ipf_frag.l); LOCK_DEALLOC(ipf_authmx.l); LOCK_DEALLOC(ipf_mutex.l); + LOCK_DEALLOC(ipf_frcache.l); LOCK_DEALLOC(ipfi_mutex.l); RWLOCK_EXIT(&ipf_global); LOCK_DEALLOC(ipf_global.l); *************** *** 582,587 **** --- 588,594 ---- MUTEX_DESTROY(&ipfi_mutex); MUTEX_DESTROY(&ipf_timeoutlock); RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); RWLOCK_EXIT(&ipf_global); delay(hz); RW_DESTROY(&ipf_global); 
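Review bot: `.d_write = iplwrite` makes every ipl character device minor writable from userland, but iplwrite itself is outside this diff, so nothing here shows which minors accept data or how the uio length is bounded before it is copied in; a comment on the new field stating what the write path is for (presumably the state/NAT sync device, given the ip_sync.c changes in the same diff — confirm) and that the other minors reject writes would help the next reader, e.g. `.d_write = iplwrite, /* see iplwrite(): which minors accept data */`. The `__FreeBSD_version < 600000` guard around `.d_maj` matches its intent and needs no change.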
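Review bot: After `m = m->m_next` in the MT_HEADER case the code falls into MT_DATA and applies the m_off range check to the successor mbuf without examining its m_type, and only one zero-length header is skipped, so a chain with two leading empty mbufs still reaches the check with m_len == 0. Because `m` is reassigned in place rather than through a temporary, whatever the rest of the function (outside this hunk) does with `m` now sees the successor rather than the original head; if that is intended it deserves a comment such as `/* skip an empty leading header mbuf; m now points at the first payload mbuf */`. If several empty mbufs can occur, `while (m->m_len == 0 && m->m_next != NULL) m = m->m_next;` is the robust form. The enclosing function starts and ends outside the hunk.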
*************** *** 605,610 **** --- 612,618 ---- #if (IRIX < 60500) ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); + ipf_frcache.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_timeoutlock.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_global.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); *************** *** 620,632 **** if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_timeoutlock.l || !ipf_frag.l || !ipf_state.l || !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || !ipf_ipidfrag.l || !ipl_mutex.l || ! !ipf_stinsert.l || !ipf_authmx.l) panic("IP Filter: LOCK_ALLOC failed"); #else MUTEX_INIT(&ipf_rw, "ipf rw mutex"); MUTEX_INIT(&ipf_timeoutlock, "ipf timeout mutex"); RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); #endif #ifdef IPFILTER_LKM --- 628,641 ---- if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_timeoutlock.l || !ipf_frag.l || !ipf_state.l || !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || !ipf_ipidfrag.l || !ipl_mutex.l || ! 
!ipf_stinsert.l || !ipf_authmx.l || !ipf_frcache.l) panic("IP Filter: LOCK_ALLOC failed"); #else MUTEX_INIT(&ipf_rw, "ipf rw mutex"); MUTEX_INIT(&ipf_timeoutlock, "ipf timeout mutex"); RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); #endif #ifdef IPFILTER_LKM diff -crN ip_fil4.1.8/radix.c ip_fil4.1.9/radix.c *** ip_fil4.1.8/radix.c Tue Mar 15 22:44:43 2005 --- ip_fil4.1.9/radix.c Sun Jun 12 17:18:32 2005 *************** *** 101,106 **** --- 101,112 ---- static struct radix_mask *rn_new_radix_mask __P((struct radix_node *, struct radix_mask *)); static int rn_freenode __P((struct radix_node *, void *)); + #if defined(AIX) && !defined(_KERNEL) + struct radix_node *rn_match __P((void *, struct radix_node_head *)); + struct radix_node *rn_addmask __P((int, int, void *)); + #define FreeS(x, y) KFREES(x, y) + #define Bcopy(x, y, z) bcopy(x, y, z) + #endif /* * The data structure for the keys is a radix tree with one way diff -crN ip_fil4.1.8/radix_ipf.h ip_fil4.1.9/radix_ipf.h *** ip_fil4.1.8/radix_ipf.h Tue Mar 23 23:44:34 2004 --- ip_fil4.1.9/radix_ipf.h Sun Jun 12 17:18:33 2005 *************** *** 26,32 **** * @(#)radix.h 8.2 (Berkeley) 10/31/94 */ ! #ifndef _NET_RADIX_H_ #define _NET_RADIX_H_ #ifndef _RADIX_H_ #define _RADIX_H_ --- 26,32 ---- * @(#)radix.h 8.2 (Berkeley) 10/31/94 */ ! #if !defined(_NET_RADIX_H_) && !defined(_RADIX_H_) #define _NET_RADIX_H_ #ifndef _RADIX_H_ #define _RADIX_H_ *************** *** 40,46 **** # endif #endif ! #ifdef __sgi # define radix_mask ipf_radix_mask # define radix_node ipf_radix_node # define radix_node_head ipf_radix_node_head --- 40,46 ---- # endif #endif ! 
#if defined(__sgi) # define radix_mask ipf_radix_mask # define radix_node ipf_radix_node # define radix_node_head ipf_radix_node_head *************** *** 144,149 **** --- 144,155 ---- }; + #if defined(AIX) + # undef Bcmp + # undef Bzero + # undef R_Malloc + # undef Free + #endif #define Bcmp(a, b, n) bcmp(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n)) #if defined(linux) && defined(_KERNEL) # define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) *************** *** 155,161 **** #define FreeS(p, z) KFREES(p, z) #define Free(p) KFREE(p) ! #if (defined(__osf__) || (IRIX >= 60516)) && defined(_KERNEL) # define rn_init ipf_rn_init # define rn_fini ipf_rn_fini # define rn_inithead ipf_rn_inithead --- 161,167 ---- #define FreeS(p, z) KFREES(p, z) #define Free(p) KFREE(p) ! #if (defined(__osf__) || defined(AIX) || (IRIX >= 60516)) && defined(_KERNEL) # define rn_init ipf_rn_init # define rn_fini ipf_rn_fini # define rn_inithead ipf_rn_inithead diff -crN ip_fil4.1.8/samples/relay.c ip_fil4.1.9/samples/relay.c *** ip_fil4.1.8/samples/relay.c Fri May 7 00:20:52 2004 --- ip_fil4.1.9/samples/relay.c Sat Jun 18 12:41:34 2005 *************** *** 16,25 **** #include #include #include ! #include "ip_compat.h" ! #include "ip_fil.h" ! #include "ip_nat.h" ! #include "ipl.h" #define RELAY_BUFSZ 8192 --- 16,25 ---- #include #include #include ! #include "netinet/ip_compat.h" ! #include "netinet/ip_fil.h" ! #include "netinet/ip_nat.h" ! #include "netinet/ipl.h" #define RELAY_BUFSZ 8192 diff -crN ip_fil4.1.8/solaris.c ip_fil4.1.9/solaris.c *** ip_fil4.1.8/solaris.c Thu Dec 16 04:13:20 2004 --- ip_fil4.1.9/solaris.c Thu Jul 14 07:40:47 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.73.2.5 2004/12/15 17:13:20 darrenr Exp $" #include #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. 
*/ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.73.2.6 2005/07/13 21:40:47 darrenr Exp $" #include #include *************** *** 291,296 **** --- 291,297 ---- */ RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); /* * Lock people out while we set things up. *************** *** 405,410 **** --- 406,412 ---- if (!ipldetach()) { RWLOCK_EXIT(&ipf_global); RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); RW_DESTROY(&ipf_global); cmn_err(CE_CONT, "!%s detached.\n", ipfilter_version); return (DDI_SUCCESS); diff -crN ip_fil4.1.8/test/Makefile ip_fil4.1.9/test/Makefile *** ip_fil4.1.8/test/Makefile Wed Mar 2 04:28:03 2005 --- ip_fil4.1.9/test/Makefile Wed May 11 07:16:09 2005 *************** *** 24,30 **** ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ! ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 --- 24,30 ---- ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ! ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 *************** *** 46,52 **** f15 f16 f17: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` ! i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 bpf1: @/bin/sh ./itest `awk "/^$@ / { print; } " test.format` n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12: --- 46,52 ---- f15 f16 f17: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` ! i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 bpf1: @/bin/sh ./itest `awk "/^$@ / { print; } " test.format` n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12: *************** *** 78,84 **** clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 ! 
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 --- 78,84 ---- clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 ! /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 diff -crN ip_fil4.1.8/test/expected/i16 ip_fil4.1.9/test/expected/i16 *** ip_fil4.1.8/test/expected/i16 Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/test/expected/i16 Wed May 11 07:16:10 2005 *************** *** 0 **** --- 1,3 ---- + block out all + 100 pass in all + 10101 pass out proto tcp from any to any diff -crN ip_fil4.1.8/test/regress/i16 ip_fil4.1.9/test/regress/i16 *** ip_fil4.1.8/test/regress/i16 Thu Jan 1 10:00:00 1970 --- ip_fil4.1.9/test/regress/i16 Wed May 11 07:16:12 2005 *************** *** 0 **** --- 1,3 ---- + 0 block out all + 100 pass in all + 10101 pass out proto tcp all diff -crN ip_fil4.1.8/test/test.format ip_fil4.1.9/test/test.format *** ip_fil4.1.8/test/test.format Wed Mar 2 04:28:03 2005 --- ip_fil4.1.9/test/test.format Thu Jul 14 07:48:22 2005 *************** *** 33,38 **** --- 33,39 ---- i13 text text i14 text text i15 text text + i16 text text in1 text text in2 text text in3 text text diff -crN ip_fil4.1.8/tools/ipf_y.y ip_fil4.1.9/tools/ipf_y.y *** ip_fil4.1.8/tools/ipf_y.y Mon Feb 21 16:05:34 2005 --- ip_fil4.1.9/tools/ipf_y.y Sun Jun 12 17:18:44 2005 *************** *** 3,9 **** #include #include #ifdef IPFILTER_BPF ! # include # include #endif #include "netinet/ip_pool.h" --- 3,10 ---- #include #include #ifdef IPFILTER_BPF ! # include "pcap-bpf.h" ! 
# define _NET_BPF_H_ # include #endif #include "netinet/ip_pool.h" diff -crN ip_fil4.1.8/tools/ipfs.c ip_fil4.1.9/tools/ipfs.c *** ip_fil4.1.8/tools/ipfs.c Wed Mar 9 11:04:24 2005 --- ip_fil4.1.9/tools/ipfs.c Wed May 11 07:19:03 2005 *************** *** 39,45 **** #include #include #include "ipf.h" ! #include "ipl.h" #if !defined(lint) static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp"; --- 39,45 ---- #include #include #include "ipf.h" ! #include "netinet/ipl.h" #if !defined(lint) static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp"; diff -crN ip_fil4.1.8/tools/ipfstat.c ip_fil4.1.9/tools/ipfstat.c *** ip_fil4.1.8/tools/ipfstat.c Thu Mar 31 00:09:57 2005 --- ip_fil4.1.9/tools/ipfstat.c Sun Jun 12 17:18:46 2005 *************** *** 68,74 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.11 2005/03/30 14:09:57 darrenr Exp $"; #endif #ifdef __hpux --- 68,74 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.12 2005/06/12 07:18:46 darrenr Exp $"; #endif #ifdef __hpux *************** *** 1006,1015 **** { char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; ! int i, j, winy, tsentry, maxx, maxy, redraw = 0; int len, srclen, dstlen, forward = 1, c = 0; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; ipstate_t ips; ipfobj_t ipfo; struct timeval selecttimeout; --- 1006,1016 ---- { char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; ! 
int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0; int len, srclen, dstlen, forward = 1, c = 0; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; + const char *errstr = ""; ipstate_t ips; ipfobj_t ipfo; struct timeval selecttimeout; *************** *** 1049,1056 **** /* get state table */ bzero((char *)&ipsst, sizeof(ipsst)); if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { ! perror("ioctl(SIOCGETFS)"); ! exit(-1); } /* clear the history */ --- 1050,1058 ---- /* get state table */ bzero((char *)&ipsst, sizeof(ipsst)); if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { ! errstr = "ioctl(SIOCGETFS)"; ! ret = -1; ! goto out; } /* clear the history */ *************** *** 1414,1425 **** --- 1416,1430 ---- } } /* while */ + out: printw("\n"); curs_set(1); nocbreak(); endwin(); free(tstable); + if (ret != 0) + perror(errstr); } #endif *************** *** 1610,1616 **** --- 1615,1623 ---- int v; i6addr_t *addr; { + #ifdef USE_INET6 static char hostbuf[MAXHOSTNAMELEN+1]; + #endif if (v == 4) return inet_ntoa(addr->in4); diff -crN ip_fil4.1.8/tools/ipftest.c ip_fil4.1.9/tools/ipftest.c *** ip_fil4.1.8/tools/ipftest.c Tue Feb 1 13:41:24 2005 --- ip_fil4.1.9/tools/ipftest.c Sat Jul 16 16:05:28 2005 *************** *** 10,16 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.3 2005/02/01 02:41:24 darrenr Exp $"; #endif extern char *optarg; --- 10,16 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.4 2005/07/16 06:05:28 darrenr Exp $"; #endif extern char *optarg; *************** *** 23,29 **** ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! 
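Review bot: In the hunk at lines 1050–1058 a failed `SIOCGETFS` ioctl no longer terminates the process, but `ret` is only used to gate `perror()` at `out:` and is never returned, so after the message is printed the function returns to its caller as if the state table had been read; the function's signature at 1006 and its caller are outside the hunk, so if the caller keeps using the descriptor the failure should be propagated rather than just reported. The `out:` label (hunk at 1416–1430) also runs `curs_set()`, `nocbreak()` and `endwin()` unconditionally, and whether curses has been initialised before the ioctl at 1051 is not visible here — confirm that `initscr()` precedes it, otherwise the early `goto out` tears down a screen that was never set up. A short comment on the new locals would make the pairing explicit: `/* ret/errstr: set together on the error path, reported only after curses is shut down */`.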
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int opts = OPT_DONOTHING; int use_inet6 = 0; --- 23,29 ---- ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ! ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int opts = OPT_DONOTHING; int use_inet6 = 0; *************** *** 95,100 **** --- 95,101 ---- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock"); RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); initparse(); diff -crN ip_fil4.1.8/tools/ipmon.c ip_fil4.1.9/tools/ipmon.c *** ip_fil4.1.8/tools/ipmon.c Fri Dec 10 06:41:26 2004 --- ip_fil4.1.9/tools/ipmon.c Sat Jun 18 12:41:35 2005 *************** *** 76,82 **** #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.8 2004/12/09 19:41:26 darrenr Exp $"; #endif --- 76,82 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $"; #endif *************** *** 418,423 **** --- 418,431 ---- p->p_name != NULL && protocols[p->p_proto] == NULL) protocols[p->p_proto] = strdup(p->p_name); endprotoent(); + #if defined(_AIX51) + if (protocols[0]) + free(protocols[0]); + if (protocols[252]) + free(protocols[252]); + protocols[0] = "ip"; + protocols[252] = NULL; + #endif } if (udp_ports != NULL) { *************** *** 1022,1028 **** (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); t += strlen(t); #endif ! 
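Review bot: The `_AIX51` block in the hunk at lines 418–431 frees the `strdup()`'d entries at `protocols[0]` and `protocols[252]` and then stores the string literal `"ip"` in slot 0, so the table now mixes heap-owned and static entries; if any later path releases `protocols[]` again (not visible here), it would pass a literal to `free()`. Use `protocols[0] = strdup("ip");` to keep ownership uniform, and document the two indices, e.g. `/* AIX 5.1's protocol database yields unwanted names for protocols 0 and 252: force 0 to "ip", drop 252 */` — phrased as an assumption, since the hunk does not say why 252 is special. The enclosing function starts and ends outside the hunk.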
#ifdef __sgi if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0')) #else if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0')) --- 1030,1037 ---- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); t += strlen(t); #endif ! #if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \ ! defined(__arm__) if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0')) #else if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0')) diff -crN ip_fil4.1.8/tools/ipnat.c ip_fil4.1.9/tools/ipnat.c *** ip_fil4.1.8/tools/ipnat.c Thu Apr 29 03:56:22 2004 --- ip_fil4.1.9/tools/ipnat.c Wed May 11 07:19:30 2005 *************** *** 49,55 **** # include #endif #include "ipf.h" ! #include "ipl.h" #include "kmem.h" #ifdef __hpux --- 49,55 ---- # include #endif #include "ipf.h" ! #include "netinet/ipl.h" #include "kmem.h" #ifdef __hpux *************** *** 65,71 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.1 2004/04/28 17:56:22 darrenr Exp $"; #endif --- 65,71 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.2 2005/05/10 21:19:30 darrenr Exp $"; #endif diff -crN ip_fil4.1.8/tru64.c ip_fil4.1.9/tru64.c *** ip_fil4.1.8/tru64.c Thu Dec 16 05:30:42 2004 --- ip_fil4.1.9/tru64.c Thu Jul 14 07:40:48 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: tru64.c,v 2.11.2.4 2004/12/15 18:30:42 darrenr Exp $"; #endif #include #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) ! 
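Review bot: The expanded platform list in the new `#if` (`__sgi`, `_AIX51`, `__powerpc__`, `__arm__`) is a proxy for "plain `char` is unsigned on this target", which is why `fl_group[0]` is compared with 255 instead of -1 there; the list has to grow for every further unsigned-char platform and is wrong for compilers that change signedness by flag. A comparison that does not depend on char signedness removes the `#if` altogether: `if (((unsigned char)ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0'))`. The `#else` branch and the enclosing function continue outside the hunk.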
static const char rcsid[] = "@(#)$Id: tru64.c,v 2.11.2.5 2005/07/13 21:40:48 darrenr Exp $"; #endif #include #include *************** *** 635,640 **** --- 635,641 ---- RWLOCK_INIT(&ipf_tru64, 1); RWLOCK_INIT(&ipf_global, 1); RWLOCK_INIT(&ipf_mutex, 1); + RWLOCK_INIT(&ipf_frcache, 1); ipftru64_inited = 1; status = iplattach(); *************** *** 800,805 **** --- 801,807 ---- if (ipftru64_inited == 1) { RW_DESTROY(&ipf_tru64); RW_DESTROY(&ipf_global); + RW_DESTROY(&ipf_frcache); RW_DESTROY(&ipf_mutex); ipftru64_inited = 0; }