Resolve conflicts.

2000-06-12 10:43:24 +00:00 · 2000-06-12 10:43:24 +00:00 · 5189b64cf6
parent ecbf42696a
commit 5189b64cf6
3 changed files with 82 additions and 17 deletions
--- a/dist/ipf/HISTORY
+++ b/dist/ipf/HISTORY
@ -20,6 +20,28 @@
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+3.4.6	11/06/2000 - Released
+
+add extra regression tests for new nat functionality
+
+place restrictions on using '!' in map/rdr rules
+
+fix up solaris compile problems
+
+3.4.5	10/06/2000 - Released
+
+mention -sl in ipfstat.8
+
+fix/support '!' in from/to rules (rdr) for NAT
+
+add from/to support to rdr NAT rules
+
+don't send ICMP errors in response to ICMP errors
+
+fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
+
+input accounting list used for both outbound and inbound packets
+
 3.4.4	23/05/2000 - Released

 don't add TCP state if it is an RST packet and (attempt) to send out
--- a/dist/ipf/man/ipfstat.8
+++ b/dist/ipf/man/ipfstat.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: ipfstat.8,v 1.3 2000/05/03 11:40:19 veego Exp $
+.\"	$NetBSD: ipfstat.8,v 1.4 2000/06/12 10:43:25 veego Exp $
 .\"
 .TH ipfstat 8
 .SH NAME
@ -101,8 +101,10 @@ protocol number. If this option is not specified, state entries for any
 protocol are specified.
 .TP
 .B \-s
-Show packet/flow state information (statistics) and held state information (in
-the kernel) if any is present.
+Show packet/flow state information (statistics only).
+.TP
+.B \-sl
+Show held state information (in the kernel) if any is present (no statistics).
 .TP
 .BR \-S \0<addrport>
 This option is only valid in combination with \fB\-t\fP. Limit the state top
--- a/dist/ipf/natparse.c
+++ b/dist/ipf/natparse.c
@ -1,4 +1,4 @@
-/*	$NetBSD: natparse.c,v 1.2 2000/05/03 11:40:17 veego Exp $	*/
+/*	$NetBSD: natparse.c,v 1.3 2000/06/12 10:43:24 veego Exp $	*/

 /*
 * Copyright (C) 1993-2000 by Darren Reed.
@ -56,7 +56,7 @@ extern	char	*sys_errlist[];

 #if !defined(lint)
 static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)Id: natparse.c,v 1.17.2.1 2000/04/28 18:08:00 darrenr Exp";
+static const char rcsid[] = "@(#)Id: natparse.c,v 1.17.2.4 2000/06/10 16:06:30 darrenr Exp";
 #endif


@ -105,6 +105,8 @@ void *ptr;
 	printf(" %s ", np->in_ifname);

 	if (np->in_flags & IPN_FILTER) {
+		if (np->in_flags & IPN_NOTSRC)
+			printf("! ");
 		printf("from ");
 		if (np->in_redir == NAT_REDIRECT)
 			printhostmask(4, (u_32_t *)&np->in_srcip,
@ -115,10 +117,12 @@ void *ptr;
 		if (np->in_scmp)
 			printportcmp(np->in_p, &np->in_tuc.ftu_src);

+		if (np->in_flags & IPN_NOTDST)
+			printf(" !");
 		printf(" to ");
 		if (np->in_redir == NAT_REDIRECT)
-			printhostmask(4, (u_32_t *)&np->in_inip,
-				      (u_32_t *)&np->in_inmsk);
+			printhostmask(4, (u_32_t *)&np->in_outip,
+				      (u_32_t *)&np->in_outmsk);
 		else
 			printhostmask(4, (u_32_t *)&np->in_srcip,
 				      (u_32_t *)&np->in_srcmsk);
@ -134,12 +138,12 @@ void *ptr;
 				printf("/%d ", bits);
 			else
 				printf("/%s ", inet_ntoa(np->in_out[1]));
+			if (np->in_pmin)
+				printf("port %d", ntohs(np->in_pmin));
+			if (np->in_pmax != np->in_pmin)
+				printf("- %d", ntohs(np->in_pmax));
 		}
-		if (np->in_pmin)
-			printf("port %d ", ntohs(np->in_pmin));
-		if (np->in_pmax != np->in_pmin)
-			printf("- %d ", ntohs(np->in_pmax));
-		printf("-> %s", inet_ntoa(np->in_in[0]));
+		printf(" -> %s", inet_ntoa(np->in_in[0]));
 		if (np->in_flags & IPN_SPLIT)
 			printf(",%s", inet_ntoa(np->in_in[1]));
 		if (np->in_pnext)
@ -314,7 +318,27 @@ int linenum;
 	ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
 	cpp++;

-	if (!strcasecmp(*cpp, "from")) {
+	if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
+		if (!strcmp(*cpp, "!")) {
+			cpp++;
+			if (strcasecmp(*cpp, "from")) {
+				fprintf(stderr, "Missing from after !\n");
+				return NULL;
+			}
+			ipn.in_flags |= IPN_NOTSRC;
+		} else if (**cpp == '!') {
+			if (strcasecmp(*cpp + 1, "from")) {
+				fprintf(stderr, "Missing from after !\n");
+				return NULL;
+			}
+			ipn.in_flags |= IPN_NOTSRC;
+		}
+		if ((ipn.in_flags & IPN_NOTSRC) &&
+		    (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
+			fprintf(stderr, "Cannot use '! from' with map\n");
+			return NULL;
+		}
+
 		ipn.in_flags |= IPN_FILTER;
 		cpp++;
 		if (ipn.in_redir == NAT_REDIRECT) {
@ -333,23 +357,37 @@ int linenum;
 				}
 		}

+		if (!strcmp(*cpp, "!")) {
+			cpp++;
+			ipn.in_flags |= IPN_NOTDST;
+		} else if (**cpp == '!') {
+			(*cpp)++;
+			ipn.in_flags |= IPN_NOTDST;
+		}
+
 		if (strcasecmp(*cpp, "to")) {
 			fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
 				linenum, *cpp);
 			return NULL;
 		}
+		if ((ipn.in_flags & IPN_NOTDST) &&
+		    (ipn.in_redir & (NAT_REDIRECT))) {
+			fprintf(stderr, "Cannot use '! to' with rdr\n");
+			return NULL;
+		}

 		if (!*++cpp) {
 			fprintf(stderr, "%d: missing host after to\n", linenum);
 			return NULL;
 		}
 		if (ipn.in_redir == NAT_REDIRECT) {
-				if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
-					     (u_32_t *)&ipn.in_inmsk,
+				if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
+					     (u_32_t *)&ipn.in_outmsk,
 					     &ipn.in_dport, &ipn.in_dcmp,
 					     &ipn.in_dtop, linenum)) {
 					return NULL;
 				}
+				ipn.in_pmin = htons(ipn.in_dport);
 		} else {
 				if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
 					     (u_32_t *)&ipn.in_srcmsk,
@ -675,8 +713,11 @@ int linenum;
 		return NULL;
 	}
 	cpp++;
-	if (!*cpp)
+	if (!*cpp) {
+		fprintf(stderr, "%d: missing expression following portmap\n",
+			linenum);
 		return NULL;
+	}

 	if (!strcasecmp(*cpp, "tcp"))
 		ipn.in_flags |= IPN_TCP;
@ -743,7 +784,7 @@ int opts;
 		fp = stdin;

 	while (fgets(line, sizeof(line) - 1, fp)) {
-	        linenum++;
+		linenum++;
 		line[sizeof(line) - 1] = '\0';
 		if ((s = strchr(line, '\n')))
 			*s = '\0';