Upgraded IPFilter to 4.1.6

This commit is contained in:
martti 2005-02-19 21:30:24 +00:00
parent 76b5d9e30f
commit 460bbcc960
25 changed files with 275 additions and 141 deletions

29
dist/ipf/HISTORY vendored

@ -10,6 +10,35 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.6 - Released 19 February 2005
add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.
buffer leak with bad nat - David Gueluy
fix memory leak with state entries created by proxies
eliminate copying too much data into a scan buffer
allow a trailing protocol name for map rules as well as rdr ones
fix bug in parsing of <= and > for NAT rules (two were crossed over)
FreeBSD's iplwrite hasn't kept pace with iplread's prototype
expand documention on the karma of using "auto" in ipnat map rules
add matching on IP protocol to ipnat map rules
allow ippool definitions to contain no addresses to start with
Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.
UDP was missing a pullup for packet header information before examining
the header
4.1.5 - Released 9 January 2005
all rules were being converted into "dup-to" rules in the kernel

11
dist/ipf/ipf.h vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipf.h,v 1.8 2005/02/08 07:01:52 martti Exp $ */
/* $NetBSD: ipf.h,v 1.9 2005/02/19 21:30:24 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* Id: ipf.h,v 2.71.2.4 2004/11/02 11:15:35 darrenr Exp
* Id: ipf.h,v 2.71.2.5 2005/02/01 02:44:34 darrenr Exp
*/
#ifndef __IPF_H__
@ -250,8 +250,8 @@ extern void printaps __P((ap_session_t *, int));
extern void printbuf __P((char *, int, int));
extern void printfr __P((struct frentry *, ioctlfunc_t));
extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *,
copyfunc_t, int));
extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
char *, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
copyfunc_t, int));
@ -262,7 +262,8 @@ extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
extern void printmask __P((u_32_t *));
extern void printpacket __P((struct ip *));
extern void printpacket6 __P((struct ip *));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t, int));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
char *, int));
extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
extern void printportcmp __P((int, struct frpcmp *));
extern void optprint __P((u_short *, u_long, u_long));


@ -1,4 +1,4 @@
/* $NetBSD: getportproto.c,v 1.4 2004/11/13 19:16:10 he Exp $ */
/* $NetBSD: getportproto.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
#include <ctype.h>
#include "ipf.h"
@ -10,12 +10,23 @@ int proto;
struct servent *s;
struct protoent *p;
if (ISDIGIT(*name) && atoi(name) > 0)
return htons(atoi(name) & 65535);
if (ISDIGIT(*name)) {
int number;
char *s;
for (s = name; *s != '\0'; s++)
if (!ISDIGIT(*s))
return -1;
number = atoi(name);
if (number < 0 || number > 65535)
return -1;
return htons(number);
}
p = getprotobynumber(proto);
s = getservbyname(name, p ? p->p_name : NULL);
if (s != NULL)
return s->s_port;
return 0;
return -1;
}
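Review bot: The new `char *s` declared inside the digit branch shadows the function's `struct servent *s` declared a few lines above, and `atoi(name)` on a long all-digit string overflows before the `number > 65535` check can see it (atoi on an out-of-range string is undefined). Replacing the digit loop and atoi with `strtol` gives the all-digits check, overflow detection and the range check in one place; it needs `<errno.h>`, which this hunk does not show being included. The function's signature and its other callers are outside the hunk, so whether every caller handles the `-1` that now replaces the old `return 0` on a failed service lookup (a caller that stores the result straight into a u_short port would get 0xffff) should be confirmed.
```c
if (ISDIGIT(*name)) {
	long number;
	char *end;

	errno = 0;
	number = strtol(name, &end, 10);
	/* reject trailing junk, overflow and anything outside 0..65535 */
	if (end == name || *end != '\0' || errno == ERANGE ||
	    number < 0 || number > 65535)
		return -1;
	return htons((u_short)number);
}
/* … unchanged: getprotobynumber / getservbyname lookup … */
```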

10
dist/ipf/man/ipnat.5 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipnat.5,v 1.16 2004/07/23 05:39:04 martti Exp $
.\" $NetBSD: ipnat.5,v 1.17 2005/02/19 21:30:25 martti Exp $
.\"
.TH IPNAT 5
.SH NAME
@ -264,7 +264,13 @@ map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
.fi
.PP
which would result in each IP address being given a small range of ports to
use (252). The problem here is that the \fBmap\fP directive tells the NAT
use (252). In all cases, the new port number that is used is deterministic.
That is, port X will always map to port Y.
WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
the same port number, outgoing and ultimately this will only succeed for one
of them.
The problem here is that the \fBmap\fP directive tells the NAT
code to use the next address/port pair available for an outgoing connection,
resulting in no easily discernible relation between external addresses/ports
and internal ones. This is overcome by using \fBmap-block\fP as follows:


@ -1,4 +1,4 @@
/* $NetBSD: proxy.c,v 1.4 2004/07/23 05:39:04 martti Exp $ */
/* $NetBSD: proxy.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
/*
* Sample transparent proxy program.
@ -141,6 +141,7 @@ char *extif;
struct sockaddr_in usin;
u_32_t sum1, sum2, sumd;
int onoff, ofd, slen;
ipfobj_t obj;
ipnat_t *ipn;
nat_t *nat;
@ -200,9 +201,15 @@ printf("local port# to use: %d\n", ntohs(usin.sin_port));
nat->nat_flags = IPN_TCPUDP;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_size = sizeof(*nsp);
obj.ipfo_ptr = nsp;
obj.ipfo_type = IPFOBJ_NATSAVE;
onoff = 1;
if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
if (ioctl(fd, SIOCSTPUT, &nsp) != 0)
if (ioctl(fd, SIOCSTPUT, &obj) != 0)
perror("SIOCSTPUT");
onoff = 0;
if (ioctl(fd, SIOCSTLCK, &onoff) != 0)


@ -1090,7 +1090,10 @@ portnum:
$$ = ntohs($$);
free($1);
}
| YY_NUMBER { $$ = $1; }
| YY_NUMBER { $$ = $1;
if ($$ < 0 || $$ > 65535)
yyerror("invalid port number");
}
;
withlist:
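Review bot: After `yyerror("invalid port number")` the action still leaves the out-of-range value in `$$`, so unless yyerror aborts the parse (its behaviour is not visible in this section) the bad port propagates into the enclosing rule; following the check with `YYERROR;` or clamping `$$` would make the rejection definite. The same check-then-continue shape is repeated in the ipnat grammar section of this commit, in the `portspec: YY_NUMBER` action and twice in the icmpidmap rule, so a small shared helper such as `static int checkport(int p) { if (p < 0 || p > 65535) yyerror("invalid port number"); return p; }` would keep the four checks in step. The portnum rule continues above the hunk.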


@ -211,7 +211,7 @@ mapblock:
}
;
redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions
redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
{ nat->in_v = 4;
nat->in_outip = $3.a.s_addr;
nat->in_outmsk = $3.m.s_addr;
@ -226,7 +226,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions
nat->in_pnext != 0))
setnatproto(IPPROTO_TCP);
}
| rdrit ifnames rdrfrom IPNY_TLATE dip nport rdrproto rdroptions
| rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
{ nat->in_v = 4;
if ((nat->in_p == 0) &&
((nat->in_flags & IPN_TCPUDP) == 0) &&
@ -239,7 +239,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
}
| rdrit ifnames addr IPNY_TLATE dip rdrproto rdroptions
| rdrit ifnames addr IPNY_TLATE dip setproto rdroptions
{ nat->in_v = 4;
nat->in_outip = $3.a.s_addr;
nat->in_outmsk = $3.m.s_addr;
@ -250,7 +250,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions
}
;
proxy: | IPNY_PROXY IPNY_PORT YY_NUMBER YY_STR '/' proto
proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
{ strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
if (nat->in_dcmp == 0) {
nat->in_dport = htons($3);
@ -261,24 +261,35 @@ proxy: | IPNY_PROXY IPNY_PORT YY_NUMBER YY_STR '/' proto
free($4);
}
| IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto
{ strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
nat->in_dport = getportproto($3, $6);
{ int pnum;
strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
pnum = getportproto($3, $6);
if (pnum == -1)
yyerror("invalid port number");
nat->in_dport = pnum;
setnatproto($6);
free($3);
free($4);
}
;
rdrproto:
| IPNY_TCP { setnatproto(IPPROTO_TCP); }
| IPNY_UDP { setnatproto(IPPROTO_UDP); }
| IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
nat->in_p = 0; }
| IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
nat->in_p = 0; }
| YY_NUMBER { setnatproto($1); }
| YY_STR { setnatproto(getproto($1));
free($1);
setproto:
| proto { if (nat->in_p != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
setnatproto($1);
}
| IPNY_TCPUDP { if (nat->in_p != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
nat->in_p = 0;
}
| IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
nat->in_p = 0;
}
;
@ -297,8 +308,16 @@ dip:
;
portspec:
YY_NUMBER { $$ = $1; }
| YY_STR { $$ = getport(NULL, $1); }
YY_NUMBER { $$ = $1;
if ($$ < 0 || $$ > 65535)
yyerror("invalid port number");
}
| YY_STR { $$ = getport(NULL, $1);
if (ntohl((long)$$) < 0 ||
ntohl((long)$$) > 65535)
yyerror("invalid port number");
$$ = ntohs($$);
}
;
dport: | IPNY_PORT portspec { nat->in_pmin = htons($2);
@ -375,11 +394,15 @@ mapport:
nat->in_pmin = htons(1024);
nat->in_pmax = htons(65535);
}
| IPNY_ICMPIDMAP YY_STR portspec ':' portspec
| IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER
{ if (strcmp($2, "icmp") != 0) {
yyerror("icmpidmap not followed by icmp");
}
free($2);
if ($3 < 0 || $3 > 65535)
yyerror("invalid ICMP Id number");
if ($5 < 0 || $5 > 65535)
yyerror("invalid ICMP Id number");
nat->in_flags = IPN_ICMPQUERY;
nat->in_pmin = htons($3);
nat->in_pmax = htons($5);
@ -449,7 +472,7 @@ portstuff:
;
mapoptions:
rr frag age mssclamp nattag
rr frag age mssclamp nattag setproto
;
rdroptions:
@ -536,8 +559,8 @@ compare:
| YY_CMP_EQ { $$ = FR_EQUAL; }
| YY_CMP_NE { $$ = FR_NEQUAL; }
| YY_CMP_LT { $$ = FR_LESST; }
| YY_CMP_GT { $$ = FR_LESSTE; }
| YY_CMP_LE { $$ = FR_GREATERT; }
| YY_CMP_LE { $$ = FR_LESSTE; }
| YY_CMP_GT { $$ = FR_GREATERT; }
| YY_CMP_GE { $$ = FR_GREATERTE; }
range:
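Review bot: In the `portspec: YY_STR` action the guard `ntohl((long)$$) < 0` can never be true, since ntohl yields an unsigned value, and applying `ntohl` to a value that the next line converts with `ntohs` mixes 32- and 16-bit byte-order conversions: if getport returns `htons(port)` the way getportproto does, on a little-endian host ntohl moves the port into the high bytes and `> 65535` rejects every valid service name. If getport signals failure with -1 (getport is not visible here), the intent is better expressed directly: `if ($$ == -1) yyerror("invalid port number"); $$ = ntohs($$);`. The `proxy` rule has the same shape, checking `pnum == -1` and then storing `nat->in_dport = pnum` regardless, so if yyerror returns the -1 lands in a u_short as 0xffff. The rule bodies continue outside the visible hunks.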


@ -1,4 +1,4 @@
/* $NetBSD: ippool.c,v 1.3 2004/03/28 14:34:45 he Exp $ */
/* $NetBSD: ippool.c,v 1.4 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 2003 by Darren Reed.
@ -431,14 +431,15 @@ char *argv[];
if (role != IPL_LOGALL) {
ptr = plstp->ipls_list[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap, opts);
ptr = printpool(ptr, kmemcpywrap, poolname,
opts);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
ptr = plstp->ipls_list[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap,
opts);
poolname, opts);
}
}
role = IPL_LOGALL;
@ -458,14 +459,15 @@ char *argv[];
if (role != IPL_LOGALL) {
hptr = htstp->iphs_tables;
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap, opts);
hptr = printhash(hptr, kmemcpywrap,
poolname, opts);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
hptr = htstp->iphs_tables;
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap,
opts);
poolname, opts);
}
op.iplo_unit = role;


@ -61,6 +61,8 @@ static int yygetc()
if (yypos < yylast) {
c = yytext[yypos++];
if (c == '\n')
yylineNum++;
return c;
}
@ -72,9 +74,9 @@ static int yygetc()
yypos++;
} else {
c = fgetc(yyin);
if (c == '\n')
yylineNum++;
}
if (c == '\n')
yylineNum++;
yytext[yypos++] = c;
yylast = yypos;
yytext[yypos] = '\0';
@ -86,6 +88,8 @@ static int yygetc()
static void yyunputc(c)
int c;
{
if (c == '\n')
yylineNum--;
yytext[--yypos] = c;
}
@ -202,6 +206,9 @@ nextchar:
if (lnext == 1) {
lnext = 0;
if ((isbuilding == 0) && !ISALNUM(c)) {
return c;
}
goto nextchar;
}
@ -214,7 +221,7 @@ nextchar:
}
yyswallow('\n');
rval = YY_COMMENT;
goto done;
goto nextchar;
case '$' :
if (isbuilding == 1) {
@ -280,6 +287,13 @@ nextchar:
break;
case EOF :
yylineNum = 1;
yypos = 0;
yylast = -1;
yyexpectaddr = 0;
yybreakondot = 0;
yyvarnext = 0;
yytokentype = 0;
return 0;
}
@ -477,7 +491,8 @@ done:
yytokentype = rval;
if (yydebug)
printf("lexed(%s) => %d\n", yystr, rval);
printf("lexed(%s) [%d,%d,%d] => %d\n", yystr, string_start,
string_end, pos, rval);
switch (rval)
{
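Review bot: With `goto done` changed to `goto nextchar` in the comment case, the preceding `rval = YY_COMMENT;` is dead unless the code at `nextchar:` reads rval, which the visible lines do not show; dropping the assignment, or replacing it with `/* comments are consumed here and never returned as tokens */`, would make the intent clear. The new EOF reset and yyunputc's `yylineNum--` on '\n' both touch line-number bookkeeping that yygetc now also does in one place instead of two, so a one-line comment on yygetc saying that buffered and freshly read characters are counted at the same point would help the next reader keep the three in agreement. The enclosing yylex body begins and ends outside these hunks.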


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.8 2005/02/08 07:01:56 martti Exp $
# $NetBSD: Makefile,v 1.9 2005/02/19 21:30:25 martti Exp $
#
# (C)opyright 1993-1996 by Darren Reed.
#
@ -30,7 +30,7 @@ ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12
intests: in1 in2 in3 in4 in5
intests: in1 in2 in3 in4 in5 in6
logtests: l1
@ -64,7 +64,7 @@ ni6:
@${HOST_SH} ${.CURDIR}/natipftest ${.CURDIR} multi \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
in1 in2 in3 in4 in5:
in1 in2 in3 in4 in5 in6:
@${HOST_SH} ${.CURDIR}/intest ${.CURDIR} \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
@ -93,7 +93,7 @@ clean:
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15
/bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12
/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12
/bin/rm -f in1 in2 in3 in4 in5
/bin/rm -f in1 in2 in3 in4 in5 in6
/bin/rm -f p1 p2 p3 ip1
/bin/rm -f l1
/bin/rm -f ipv6.1 ipv6.2 ipv6.3


@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.8 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: fil.c,v 1.9 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -135,10 +135,10 @@ struct file;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.8 2005/02/08 07:01:55 martti Exp $");
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.9 2005/02/19 21:30:25 martti Exp $");
#else
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.46 2005/01/09 01:20:03 darrenr Exp";
static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.50 2005/02/17 05:32:24 darrenr Exp";
#endif
#endif
@ -1079,9 +1079,15 @@ fr_info_t *fin;
fi = &fin->fin_fi;
fi->fi_flx |= FI_TCPUDP;
udp = fin->fin_dp;
if (frpr_pullup(fin, sizeof(*udp)) == -1) {
fi->fi_flx |= FI_SHORT;
return;
}
if (!fin->fin_off && (fin->fin_dlen > 3)) {
udp = fin->fin_dp;
fin->fin_sport = ntohs(udp->uh_sport);
fin->fin_dport = ntohs(udp->uh_dport);
}
@ -2417,12 +2423,6 @@ filtered:
#endif
m = fin->fin_m;
if (FR_ISPASS(pass)) {
ATOMIC_INCL(frstats[out].fr_pass);
} else if (FR_ISBLOCK(pass)) {
ATOMIC_INCL(frstats[out].fr_block);
}
if (fr != NULL) {
frdest_t *fdp;
@ -2454,21 +2454,23 @@ filtered:
*/
RWLOCK_EXIT(&ipf_mutex);
finished:
if (!FR_ISPASS(pass)) {
ATOMIC_INCL(frstats[out].fr_block);
if (*mp != NULL) {
FREE_MB_T(*mp);
m = *mp = NULL;
}
}
} else {
ATOMIC_INCL(frstats[out].fr_pass);
#if defined(_KERNEL) && defined(__sgi)
else {
if ((fin->fin_hbuf != NULL) &&
(mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
}
}
#endif
finished:
}
RWLOCK_EXIT(&ipf_global);
#ifdef _KERNEL
# if OpenBSD >= 200311
@ -2892,7 +2894,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* Id: fil.c,v 2.243.2.46 2005/01/09 01:20:03 darrenr Exp
* Id: fil.c,v 2.243.2.50 2005/02/17 05:32:24 darrenr Exp
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -4666,6 +4668,8 @@ ipftqent_t *tqe;
ipftq_t *ifq;
ifq = tqe->tqe_ifq;
if (ifq == NULL)
return;
tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
if (tqe->tqe_next == NULL) /* at the end already ? */
@ -5520,6 +5524,8 @@ ipftuneable_t ipf_tuneables[] = {
sizeof(nat_logging), 0 },
{ { &fr_defnatage }, "fr_defnatage", 1, 0x7fffffff,
sizeof(fr_defnatage), IPFT_WRDISABLED },
{ { &fr_defnatipage }, "fr_defnatipage", 1, 0x7fffffff,
sizeof(fr_defnatipage), IPFT_WRDISABLED },
{ { &fr_defnaticmpage }, "fr_defnaticmpage", 1, 0x7fffffff,
sizeof(fr_defnaticmpage), IPFT_WRDISABLED },
/* frag */
@ -5911,11 +5917,11 @@ void fr_deinitialise()
{
fr_fragunload();
fr_authunload();
fr_natunload();
fr_stateunload();
#ifdef IPFILTER_SCAN
fr_scanunload();
#endif
fr_natunload();
appr_unload();
#ifdef IPFILTER_COMPILED
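Review bot: In the UDP hunk `udp = fin->fin_dp` is fetched again after `frpr_pullup` succeeds, and the reason is not stated; a comment such as `/* pullup may have moved the payload: re-read fin_dp before touching the header */` would stop a later cleanup from hoisting it back above the pullup. Whether the remaining `fin->fin_dlen > 3` guard is still needed once the pullup has demanded `sizeof(*udp)` bytes depends on what frpr_pullup checks, which is not visible here; if it already validates the length, the guard could be dropped or annotated as redundant. In fr_deinitialise, `fr_natunload()` now runs after `fr_stateunload()` with nothing saying why the order matters; if state entries hold NAT references, `/* state entries may reference NAT entries: unload NAT after state */` would record the dependency. The enclosing functions start outside the hunks.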


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil_netbsd.c,v 1.8 2005/02/17 04:14:31 christos Exp $ */
/* $NetBSD: ip_fil_netbsd.c,v 1.9 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.24 2005/01/08 16:55:54 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.25 2005/02/01 03:14:31 darrenr Exp";
#endif
#if defined(KERNEL) || defined(_KERNEL)


@ -1,7 +1,7 @@
/* $NetBSD: ip_ftp_pxy.c,v 1.5 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: ip_ftp_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $ */
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.5 2005/02/08 07:01:55 martti Exp $");
__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $");
/*
* Copyright (C) 1997-2003 by Darren Reed
@ -11,7 +11,7 @@ __KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.5 2005/02/08 07:01:55 martti Exp $"
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_ftp_pxy.c,v 2.88.2.9 2005/01/08 17:24:13 darrenr Exp
* Id: ip_ftp_pxy.c,v 2.88.2.10 2005/02/04 10:22:54 darrenr Exp
*/
#define IPF_FTP_PROXY
@ -325,6 +325,8 @@ int dlen;
* mapping.
*/
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = sp;
fi.fin_data[1] = fin->fin_data[1] - 1;
@ -376,6 +378,8 @@ int dlen;
ip->ip_dst = nat->nat_inip;
}
(void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_len = slen;
ip->ip_src = swip;
@ -670,6 +674,8 @@ u_int data_ip;
* other way.
*/
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = 0;
fi.fin_data[1] = port;
@ -729,6 +735,8 @@ u_int data_ip;
ip->ip_dst = nat->nat_inip;
}
(void) fr_addstate(&fi, &nat2->nat_state, sflags);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_len = slen;
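Review bot: Both hunks clear `fi.fin_nat` alongside `fi.fin_state` before the copied fr_info is handed to fr_addstate, but only fin_state is released afterwards; if the NAT lookup path can leave a referenced nat_t in fi.fin_nat the way fr_addstate leaves a referenced state, a matching release is missing, which should be confirmed against fr_addstate and the NAT code (not visible here). The same three-line sequence is pasted into ip_irc_pxy.c, ip_rcmd_pxy.c and ip_rpcb_pxy.c in this commit; a small helper in ip_proxy.c (a constructed name, e.g. `appr_state_release(fr_info_t *)`) would keep the copies identical, and in ip_rpcb_pxy.c the release sits after an early `return(-1)` in the same block, so that path may exit with the reference still held if fr_addstate ran before it. A comment above the bcopy, `/* do not inherit the caller's state/NAT references; fr_addstate stores a new one that is dropped below */`, would explain the reset. The enclosing functions continue outside the hunks.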


@ -1,4 +1,4 @@
/* $NetBSD: ip_ipsec_pxy.c,v 1.1.1.2 2005/02/19 21:27:14 martti Exp $ */
/* $NetBSD: ip_ipsec_pxy.c,v 1.2 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 2001-2003 by Darren Reed
@ -11,6 +11,9 @@
* Id: ip_ipsec_pxy.c,v 2.20.2.4 2005/02/04 10:22:55 darrenr Exp
*
*/
__KERNEL_RCSID(1, "$NetBSD: ip_ipsec_pxy.c,v 1.2 2005/02/19 21:30:25 martti Exp $");
#define IPF_IPSEC_PROXY
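Review bot: `__KERNEL_RCSID(...)` is added here without a preceding `#include <sys/cdefs.h>`, whereas the ip_raudio_pxy.c section of this commit adds the include immediately before its RCSID line; unless an earlier include in this file already pulls in cdefs.h (not visible in the hunk), the macro will be undefined on the NetBSD build. Adding `#include <sys/cdefs.h>` directly above the `__KERNEL_RCSID` line makes the two proxies consistent.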


@ -1,11 +1,11 @@
/* $NetBSD: ip_irc_pxy.c,v 1.3 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: ip_irc_pxy.c,v 1.4 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 2000-2003 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_irc_pxy.c,v 2.39.2.3 2004/12/09 19:40:59 darrenr Exp
* Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
*/
#define IPF_IRC_PROXY
@ -399,6 +399,8 @@ nat_t *nat;
tcp2->th_win = htons(8192);
tcp2->th_sport = sp;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_data[0] = ntohs(sp);
fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
@ -414,6 +416,8 @@ nat_t *nat;
nat_update(&fi, nat2, nat2->nat_ptr);
(void) fr_addstate(&fi, NULL, SI_W_DPORT);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_src = swip;
}


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.4 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: ip_nat.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
@ -107,7 +107,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.27 2005/01/02 13:20:31 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.30 2005/02/04 09:44:37 darrenr Exp";
#endif
@ -160,6 +160,7 @@ int nat_logging = 0;
#endif
u_long fr_defnatage = DEF_NAT_AGE,
fr_defnatipage = 120, /* 60 seconds */
fr_defnaticmpage = 6; /* 3 seconds */
natstat_t nat_stats;
int fr_nat_lock = 0;
@ -275,7 +276,7 @@ int fr_natinit()
nat_icmptq.ifq_tail = &nat_icmptq.ifq_head;
MUTEX_INIT(&nat_icmptq.ifq_lock, "nat icmp ipftq tab");
nat_icmptq.ifq_next = &nat_iptq;
nat_iptq.ifq_ttl = fr_defnaticmpage;
nat_iptq.ifq_ttl = fr_defnatipage;
nat_iptq.ifq_head = NULL;
nat_iptq.ifq_tail = &nat_iptq.ifq_head;
MUTEX_INIT(&nat_iptq.ifq_lock, "nat ip ipftq tab");
@ -3572,6 +3573,8 @@ maskloop:
continue;
if (np->in_v != fin->fin_v)
continue;
if (np->in_p && (np->in_p != fin->fin_p))
continue;
if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
continue;
if (np->in_flags & IPN_FILTER) {
@ -3688,7 +3691,7 @@ u_32_t nflags;
CALC_SUMD(s1, s2, sumd);
fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd);
}
#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(linux)
else {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(fin, &fin->fin_ip->ip_sum,
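Review bot: The new default `fr_defnatipage = 120, /* 60 seconds */` leaves the unit conversion implicit; together with `fr_defnaticmpage = 6; /* 3 seconds */` it implies a half-second tick, so stating that once on the declaration, e.g. `/* timeouts are in ticks, 2 ticks per second */`, would stop a later reader from treating 120 as seconds (the HISTORY entry says "default 60 seconds"). In the rule-matching hunk, `if (np->in_p && (np->in_p != fin->fin_p)) continue;` treats `in_p == 0` as "any protocol", and the grammar's new setproto rule sets `in_p = 0` for tcp/udp and relies on the IPN_TCPUDP flag instead; a short comment here saying that tcp/udp rules are matched by the flag check that follows would document that interplay. The enclosing function starts outside the hunk.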


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.h,v 1.3 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: ip_nat.h,v 1.4 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1995-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
* Id: ip_nat.h,v 2.90.2.5 2004/12/20 23:12:05 darrenr Exp
* Id: ip_nat.h,v 2.90.2.6 2005/02/04 09:56:15 darrenr Exp
*/
#ifndef __IP_NAT_H__
@ -429,6 +429,7 @@ extern int fr_nat_lock;
extern void fr_natsync __P((void *));
extern u_long fr_defnatage;
extern u_long fr_defnaticmpage;
extern u_long fr_defnatipage;
/* nat_table[0] -> hashed list sorted by inside (ip, port) */
/* nat_table[1] -> hashed list sorted by outside (ip, port) */
extern nat_t **nat_table[2];


@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.2 2005/02/08 07:01:55 martti Exp $ */
/* $NetBSD: ip_pool.c,v 1.3 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -79,7 +79,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.11 2004/10/17 15:49:14 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -307,7 +307,11 @@ iplookupop_t *op;
for (i = 0; i < IPL_LOGSIZE; i++)
stats.ipls_list[i] = ip_pool_list[i];
} else if (unit >= 0 && unit < IPL_LOGSIZE) {
stats.ipls_list[unit] = ip_pool_list[unit];
if (op->iplo_name[0] != '\0')
stats.ipls_list[unit] = ip_pool_find(unit,
op->iplo_name);
else
stats.ipls_list[unit] = ip_pool_list[unit];
} else
err = EINVAL;
if (err == 0)
@ -332,7 +336,7 @@ char *name;
ip_pool_t *p;
for (p = ip_pool_list[unit]; p != NULL; p = p->ipo_next)
if (strcmp(p->ipo_name, name) == 0)
if (strncmp(p->ipo_name, name, sizeof(p->ipo_name)) == 0)
break;
return p;
}
@ -532,7 +536,8 @@ iplookupop_t *op;
#endif
for (p = ip_pool_list[unit]; p != NULL; ) {
if (strcmp(name, p->ipo_name) == 0) {
if (strncmp(name, p->ipo_name,
sizeof(p->ipo_name)) == 0) {
poolnum++;
#if defined(SNPRINTF) && defined(_KERNEL)
SNPRINTF(name, sizeof(name), "%x", poolnum);
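Review bot: `ip_pool_find(unit, op->iplo_name)` now compares a name supplied through an ioctl using `strncmp(..., sizeof(p->ipo_name))`, a bound taken from the pool entry rather than from `iplo_name`; that is only safe if `iplo_name` is at least as large as `ipo_name` or is guaranteed NUL-terminated on entry, which this hunk does not show. Either a comment pinning the assumption, `/* assumes sizeof(op->iplo_name) >= sizeof(p->ipo_name) — confirm against iplookupop_t */`, or an explicit `op->iplo_name[sizeof(op->iplo_name) - 1] = '\0';` before the lookup would close the question. The second strncmp, in the poolnum loop, compares against the local `name` buffer written by SNPRINTF, which is always terminated, so that one is fine. The enclosing functions start outside the hunks.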


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.4 2005/02/09 23:42:30 christos Exp $ */
/* $NetBSD: ip_proxy.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
@ -89,11 +89,11 @@ struct file;
#include "netinet/ip_ftp_pxy.c"
#include "netinet/ip_rcmd_pxy.c"
# include "netinet/ip_pptp_pxy.c"
#if defined(_KERNEL)
# include "netinet/ip_irc_pxy.c"
# include "netinet/ip_raudio_pxy.c"
# include "netinet/ip_h323_pxy.c"
# include "netinet/ip_pptp_pxy.c"
# ifdef IPFILTER_PRO
# include "netinet/ip_msnrpc_pxy.c"
# endif
@ -105,7 +105,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.9 2004/10/17 15:21:28 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.10 2005/02/17 04:40:03 darrenr Exp";
#endif
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));


@ -1,4 +1,7 @@
/* $NetBSD: ip_raudio_pxy.c,v 1.1.1.2 2005/02/19 21:27:19 martti Exp $ */
/* $NetBSD: ip_raudio_pxy.c,v 1.2 2005/02/19 21:30:25 martti Exp $ */
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: ip_raudio_pxy.c,v 1.2 2005/02/19 21:30:25 martti Exp $");
/*
* Copyright (C) 1998-2003 by Darren Reed


@ -1,14 +1,14 @@
/* $NetBSD: ip_rcmd_pxy.c,v 1.5 2005/02/08 07:01:56 martti Exp $ */
/* $NetBSD: ip_rcmd_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $ */
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: ip_rcmd_pxy.c,v 1.5 2005/02/08 07:01:56 martti Exp $");
__KERNEL_RCSID(1, "$NetBSD: ip_rcmd_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $");
/*
* Copyright (C) 1998-2003 by Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_rcmd_pxy.c,v 1.41.2.3 2004/12/09 19:41:00 darrenr Exp
* Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp
*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
* code.
@ -206,6 +206,8 @@ nat_t *nat;
ip->ip_dst = nat->nat_inip;
}
(void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_len = slen;
ip->ip_src = swip;


@ -1,4 +1,4 @@
/* $NetBSD: ip_rpcb_pxy.c,v 1.5 2005/02/08 07:01:56 martti Exp $ */
/* $NetBSD: ip_rpcb_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
@ -39,7 +39,7 @@
* o The enclosed hack of STREAMS support is pretty sick and most likely
* broken.
*
* Id: ip_rpcb_pxy.c,v 2.25.2.2 2004/12/09 19:41:00 darrenr Exp
* Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp
*/
#define IPF_RPCB_PROXY
@ -1272,6 +1272,8 @@ ippr_rpcb_getnat(fin, nat, proto, port)
*/
return(-1);
}
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
return(0);


@ -1,4 +1,4 @@
/* $NetBSD: ip_scan.c,v 1.3 2005/02/08 07:01:56 martti Exp $ */
/* $NetBSD: ip_scan.c,v 1.4 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -60,7 +60,7 @@ struct file;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.1 2004/12/09 19:41:01 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
#endif
#ifdef IPFILTER_SCAN /* endif at bottom of file */
@ -525,15 +525,16 @@ ipstate_t *is;
*/
s0 = is->is_s0[rv];
off = seq - s0;
if ((seq > s0 + 15) || (off < 0))
if ((off > 15) || (off < 0))
return 1;
thoff = TCP_OFF(tcp) << 2;
dlen = fin->fin_dlen - thoff;
if (dlen <= 0)
return 1;
seq += dlen;
if (seq > s0 + 15)
dlen -= (seq - (s0 + 15));
if (dlen > 16)
dlen = 16;
if (off + dlen > 16)
dlen = 16 - off;
j = 0xffff >> (16 - dlen);
i = (0xffff & j) << off;
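Review bot: `if (dlen > 16) dlen = 16;` is redundant once the next line runs: `off` is in [0, 15] after the guard at the top of the hunk, so any dlen > 16 also satisfies `off + dlen > 16` and is clamped to `16 - off`; keeping only the second clamp, annotated `/* the copy must stay inside the 16-byte scan window starting at off */`, states the invariant that the HISTORY entry ("copying too much data into a scan buffer") is fixing. `off = seq - s0` relies on an unsigned difference converting to a negative int when seq < s0; if seq and s0 are u_32_t that conversion is implementation-defined, and writing `off = (int)(seq - s0);` with a comment that the wrap is intended would make it explicit. The enclosing function starts outside the hunk.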


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.4 2005/02/08 07:01:56 martti Exp $ */
/* $NetBSD: ip_state.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
@ -110,10 +110,10 @@ struct file;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.4 2005/02/08 07:01:56 martti Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.5 2005/02/19 21:30:25 martti Exp $");
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.23 2004/12/20 23:36:48 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.25 2005/02/17 05:56:26 darrenr Exp";
#endif
#endif
@ -2678,24 +2678,27 @@ int why;
* Since we want to delete this, remove it from the state table,
* where it can be found & used, first.
*/
*is->is_pnext = is->is_next;
if (is->is_pnext != NULL) {
*is->is_pnext = is->is_next;
if (is->is_next != NULL)
is->is_next->is_pnext = is->is_pnext;
if (is->is_next != NULL)
is->is_next->is_pnext = is->is_pnext;
is->is_pnext = NULL;
is->is_next = NULL;
}
is->is_pnext = NULL;
is->is_next = NULL;
if (is->is_phnext != NULL) {
*is->is_phnext = is->is_hnext;
if (is->is_hnext != NULL)
is->is_hnext->is_phnext = is->is_phnext;
if (ips_table[is->is_hv] == NULL)
ips_stats.iss_inuse--;
ips_stats.iss_bucketlen[is->is_hv]--;
*is->is_phnext = is->is_hnext;
if (is->is_hnext != NULL)
is->is_hnext->is_phnext = is->is_phnext;
if (ips_table[is->is_hv] == NULL)
ips_stats.iss_inuse--;
ips_stats.iss_bucketlen[is->is_hv]--;
is->is_phnext = NULL;
is->is_hnext = NULL;
is->is_phnext = NULL;
is->is_hnext = NULL;
}
/*
* Because ips_stats.iss_wild is a count of entries in the state
@ -2706,26 +2709,28 @@ int why;
if (!(is->is_flags & SI_CLONED)) {
ATOMIC_DECL(ips_stats.iss_wild);
}
is->is_flags &= ~(SI_WILDP|SI_WILDA);
}
/*
* Next, remove it from the timeout queue it is in.
*/
tqe = &is->is_sti;
ifq = tqe->tqe_ifq;
if (tqe->tqe_pnext != NULL) {
*tqe->tqe_pnext = tqe->tqe_next;
if (tqe->tqe_next != NULL)
tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
else /* we must be the tail anyway */
ifq->ifq_tail = tqe->tqe_pnext;
tqe->tqe_pnext = NULL;
tqe->tqe_ifq = NULL;
}
if (ifq != NULL) {
if (tqe->tqe_pnext != NULL) {
*tqe->tqe_pnext = tqe->tqe_next;
if (tqe->tqe_next != NULL)
tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
else /* we must be the tail anyway */
ifq->ifq_tail = tqe->tqe_pnext;
tqe->tqe_pnext = NULL;
tqe->tqe_ifq = NULL;
}
if ((ifq->ifq_flags & IFQF_USER) != 0)
fr_deletetimeoutqueue(ifq);
if ((ifq->ifq_flags & IFQF_USER) != 0)
fr_deletetimeoutqueue(ifq);
}
/*
* If it is still in use by something else, do not go any further,
@ -3671,31 +3676,25 @@ ipstate_t **isp;
fin = fin; /* LINT */
is = *isp;
*isp = NULL;
MUTEX_ENTER(&is->is_lock);
WRITE_ENTER(&ipf_state);
is->is_ref--;
if (is->is_ref == 0) {
is->is_ref++; /* To counter ref-- in fr_delstate() */
MUTEX_EXIT(&is->is_lock);
WRITE_ENTER(&ipf_state);
fr_delstate(is, ISL_EXPIRE);
RWLOCK_EXIT(&ipf_state);
#ifndef _KERNEL
#if 0
} else if (((fin->fin_out == 1) || (eol == 1)) &&
((ostate == IPF_TCPS_LAST_ACK) &&
(nstate == IPF_TCPS_TIME_WAIT))) {
;
#else
} else if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) ||
(is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) {
#endif
MUTEX_EXIT(&is->is_lock);
WRITE_ENTER(&ipf_state);
fr_delstate(is, ISL_ORPHAN);
RWLOCK_EXIT(&ipf_state);
#endif
} else {
MUTEX_EXIT(&is->is_lock);
}
RWLOCK_EXIT(&ipf_state);
}
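Review bot: The `#if 0` branch left in fr_statederef references `eol`, `ostate` and `nstate`, none of which are declared in the visible body, so it is dead code that cannot be re-enabled by flipping the condition; deleting it rather than parking it under `#if 0` is cleaner. The rewrite also drops `MUTEX_ENTER(&is->is_lock)` around `is->is_ref--` and relies on the `WRITE_ENTER(&ipf_state)` taken just before, which is correct only if every other site that touches is_ref also holds ipf_state; a comment such as `/* is_ref is protected by ipf_state (write), not by is_lock */` above the decrement would record the rule for those sites (not visible here). In fr_delstate, the new `is_pnext != NULL` guard lets the function cope with an entry that was never linked into the state list, and the reason (presumably the proxy-created entries named in HISTORY) deserves a one-line comment. Both functions start and end outside the hunks.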


@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.2 2005/02/08 07:01:56 martti Exp $ */
/* $NetBSD: ipl.h,v 1.3 2005/02/19 21:30:25 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,14 +6,14 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.52.2.6 2005/01/08 17:27:10 darrenr Exp
* Id: ipl.h,v 2.52.2.7 2005/02/19 01:33:24 darrenr Exp
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v4.1.5"
#define IPL_VERSION "IP Filter: v4.1.6"
#define IPFILTER_VERSION 4010500
#define IPFILTER_VERSION 4010600
#endif