diff --git a/dist/ipf/HISTORY b/dist/ipf/HISTORY
index ec317dc2ae05..75026a0c3eaf 100644
--- a/dist/ipf/HISTORY
+++ b/dist/ipf/HISTORY
@@ -22,6 +22,68 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.29 28/8/2002 - Released + +Make substantial changes to the FTP proxy to improve reliability, security +and functionality. + +don't send ICMP errors/TCP RST's in response to blocked proxy packets + +fix potential memory leaks when unloading ipfilter from kernel + +fix bug in SIOCGNATL handler that did not preserve the expected +byte order from earlier versions in the port number + +set do not fragment flag in generated packets according to system flags, +where available. + +preserve filter rule number and group number in state structure + +fix bug in ipmon printing of p/P/b/B + +make some changes to the kmem.c code for IRIX compatibility + +add code to specifically handle ip.tun* interfaces on Solaris + +3.4.28 6/6/2002 - Released + +Fix for H.323 proxy to work on little endian boxes + +IRIX: Update installation documentation + add route lock patch + +allow use of groups > 65535 + +create a new packet info summary for packets going through ipfr_fastroute() +so that where details are different (RST/ICMP errors), the packet now gets +correctly NAT'd, etc. + +fix the FTP proxy so that checks for TCP sequence numbers outside the +normal offset due to data changes use absolute numbers + +make it possible to remove rules in ipftest + +Update installing onto OpenBSD and split into two directories: +OpenBSD-2 and OpenBSD-3 + +fix error in printout out the protocol in NAT rules + +always unlock ipfilter if locking fails half way through in ipfs + +fix problems with TCP window scaling + +update of man pages for ipnat(4) and ipftest(1) + +3.4.27 28/04/2002 - Released + +fix calculation of 2's complmenent 16 bit checksum for user space + +add mbuflen() to usespace compiles. + +add more #ifdef complexity for platform portability + +add OpenBSD 3.1 diffs + 3.4.26 25/04/2002 - Released fix parsing and printing of NAT rules with regression tests. 
diff --git a/dist/ipf/fils.c b/dist/ipf/fils.c index 4ce6b78b454f..beeae0732b99 100644 --- a/dist/ipf/fils.c +++ b/dist/ipf/fils.c @@ -1,4 +1,4 @@ -/* $NetBSD: fils.c,v 1.17 2002/05/30 18:10:25 thorpej Exp $ */ +/* $NetBSD: fils.c,v 1.18 2002/09/19 08:08:16 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -95,10 +95,8 @@ #endif #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp"; +static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp"; #endif extern char *optarg; @@ -201,7 +199,7 @@ char *argv[]; ipfrstat_t *ifrstp = &ifrst; char *device = IPL_NAME, *memf = NULL; char *kern = NULL; - int c, fd, myoptind; + int c, myoptind; struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ @@ -358,8 +356,8 @@ char *argv[]; bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ifrst, sizeof(ifrst)); - fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp, - &frauthstp, &frf); + ipfstate_live(device, &fiop, &ipsstp, &ifrstp, + &frauthstp, &frf); } else ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); diff --git a/dist/ipf/ipf.c b/dist/ipf/ipf.c index 7032b790eb0f..e7c0ec492391 100644 --- a/dist/ipf/ipf.c +++ b/dist/ipf/ipf.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipf.c,v 1.11 2002/05/30 18:10:26 thorpej Exp $ */ +/* $NetBSD: ipf.c,v 1.12 2002/09/19 08:08:16 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. 
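Review bot: Dropping `__attribute__((__unused__))` from the `sccsid`/`rcsid` arrays in the `#if !defined(lint)` block reintroduces unused-variable warnings, since nothing references these static arrays, and a build that treats warnings as errors may fail on them. The same removal appears in ipf.c, ipfs.c, ipft_ef.c, ipft_td.c, ipft_tx.c, ipmon.c, ipnat.c, ipt.c, kmem.c and printnat.c. Keeping the attribute on the new one-line form, e.g. `static const char sccsid[] __attribute__((__unused__)) = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";`, preserves the vendor string while staying warning-clean. If the intent is to track the vendor source verbatim, a note in the import procedure that the attribute must be re-applied would avoid the same regression on the next import.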
@@ -51,10 +51,8 @@ #include "ipl.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp"; +static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp"; #endif #if SOLARIS @@ -197,8 +195,11 @@ char *ipfdev; if (!(opts & OPT_DONOTHING) && fd == -1) if ((fd = open(ipfdev, O_RDWR)) == -1) - if ((fd = open(ipfdev, O_RDONLY)) == -1) + if ((fd = open(ipfdev, O_RDONLY)) == -1) { perror("open device"); + if (errno == ENODEV) + fprintf(stderr, "IPFilter enabled?\n"); + } return fd; } @@ -390,7 +391,7 @@ int *linenum; static void packetlogon(opt) char *opt; { - int flag, err; + int flag; flag = get_flags(); if (flag != 0) { @@ -416,7 +417,7 @@ char *opt; printf("set log flag: block\n"); } - if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag))) + if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0)) perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { diff --git a/dist/ipf/ipfs.c b/dist/ipf/ipfs.c index f52889354092..8f67874457d4 100644 --- a/dist/ipf/ipfs.c +++ b/dist/ipf/ipfs.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipfs.c,v 1.8 2002/05/30 18:10:26 thorpej Exp $ */ +/* $NetBSD: ipfs.c,v 1.9 2002/09/19 08:08:17 martti Exp $ */ /* * Copyright (C) 1999-2001 by Darren Reed. @@ -47,8 +47,7 @@ #include "ipf.h" #if !defined(lint) -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp"; #endif #ifndef IPF_SAVEDIR 
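Review bot: `errno` is tested after `perror("open device")` has already run, and `perror` is not guaranteed to leave `errno` untouched, so the `ENODEV` hint can be skipped or shown spuriously; save it first, e.g. `int err = errno; perror("open device"); if (err == ENODEV) fprintf(stderr, "IPFilter enabled?\n");`. The same pattern occurs in the ipnat.c hunk, where `errno` is read after an `fprintf` that itself formats `STRERROR(errno)`. The enclosing function `opendevice` starts outside the hunk.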
@@ -736,16 +735,16 @@ char *dirname; devfd = opendevice(IPL_STATE); if (devfd == -1) - return 1; + goto bad; if (writestate(devfd, NULL)) - return 1; + goto bad; close(devfd); devfd = opendevice(IPL_NAT); if (devfd == -1) - return 1; + goto bad; if (writenat(devfd, NULL)) - return 1; + goto bad; close(devfd); if (setlock(fd, 0)) { @@ -754,6 +753,11 @@ char *dirname; } return 0; + +bad: + setlock(fd, 0); + close(fd); + return 1; } diff --git a/dist/ipf/ipft_ef.c b/dist/ipf/ipft_ef.c index 80b228afea7c..14f6c0ea7b4c 100644 --- a/dist/ipf/ipft_ef.c +++ b/dist/ipf/ipft_ef.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipft_ef.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */ +/* $NetBSD: ipft_ef.c,v 1.6 2002/09/19 08:08:17 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -53,10 +53,8 @@ etherfind -n -t #include "ipt.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp"; +static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp"; #endif static int etherf_open __P((char *)); @@ -101,7 +99,7 @@ int cnt, *dir; struct protoent *p = NULL; char src[16], dst[16], sprt[16], dprt[16]; char lbuf[128], len[8], prot[8], time[8], *s; - int slen, extra = 0, i, n; + int slen, extra = 0, i; if (!fgets(lbuf, sizeof(lbuf) - 1, efp)) return 0; @@ -112,10 +110,10 @@ int cnt, *dir; bzero(&pkt, sizeof(pkt)); - if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, - sprt, dprt)) != 6) - if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time, - len, prot, src, dst, sprt, dprt)) != 7) + if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, + sprt, dprt) != 6) + if (sscanf(lbuf, "%s %s %s %s %s %s %s", time, + len, prot, src, dst, sprt, dprt) != 7) return -1; ip->ip_p = atoi(prot); 
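Review bot: The new `bad:` path closes `fd` and releases the lock but never closes `devfd`, so when `writestate(devfd, NULL)` or `writenat(devfd, NULL)` fails the device descriptor opened just before is leaked; the old `return 1` had the same leak, so this is the moment to finish the cleanup. Since `devfd` is `-1` whenever `opendevice` failed, `bad: if (devfd != -1) close(devfd);` placed before the existing `setlock(fd, 0);` covers every jump. The return value of `setlock(fd, 0)` in the error path is also ignored, unlike the success path just above which reports it; at least a comment stating that an unlock failure is deliberately swallowed here would help. The enclosing function starts outside the hunk.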
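Review bot: The rewritten `sscanf` calls still use unbounded `%s` conversions while their targets are fixed `char` arrays (`len[8]`, `prot[8]`, `time[8]` and the 16-byte address/port buffers declared just above), so a field longer than its array in an input line overruns the stack buffer, and `lbuf` at 128 bytes is long enough for that to happen. Adding widths one less than each array size, `"%7s %7s %15s %15s %15s %15s"` and `"%7s %7s %7s %15s %15s %15s %15s"`, bounds the copies without changing what is accepted for well-formed input. The enclosing function starts outside the hunk.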
diff --git a/dist/ipf/ipft_td.c b/dist/ipf/ipft_td.c index 630361e786eb..8b6a4740c5bf 100644 --- a/dist/ipf/ipft_td.c +++ b/dist/ipf/ipft_td.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipft_td.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */ +/* $NetBSD: ipft_td.c,v 1.6 2002/09/19 08:08:17 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -62,10 +62,8 @@ tcpdump -nqte #include "ipt.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp"; +static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp"; #endif static int tcpd_open __P((char *)); @@ -124,7 +122,7 @@ int cnt, *dir; struct protoent *p; char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char lbuf[160], *s; - int n, dots, slen, extra = 0; + int n, slen, extra = 0; if (!fgets(lbuf, sizeof(lbuf) - 1, tfp)) return 0; @@ -146,7 +144,7 @@ int cnt, *dir; return -1; } - if ((dots = count_dots(dst)) == 4) { + if (count_dots(dst) == 4) { s = strrchr(src, '.'); *s++ = '\0'; (void) inet_aton(src, &ip->ip_src); diff --git a/dist/ipf/ipft_tx.c b/dist/ipf/ipft_tx.c index e4a3a97a1350..6edfd46e6a7d 100644 --- a/dist/ipf/ipft_tx.c +++ b/dist/ipf/ipft_tx.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipft_tx.c,v 1.6 2002/04/09 02:32:52 thorpej Exp $ */ +/* $NetBSD: ipft_tx.c,v 1.7 2002/09/19 08:08:18 martti Exp $ */ /* * Copyright (C) 1995-2001 by Darren Reed. 
@@ -45,10 +45,8 @@ #include "ipt.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp"; +static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp"; #endif extern int opts; @@ -181,10 +179,8 @@ char *buf, **ifn; int cnt, *dir; { register char *s; - ip_t *ip; char line[513]; - ip = (ip_t *)buf; *ifn = NULL; while (fgets(line, sizeof(line)-1, tfp)) { if ((s = index(line, '\n'))) @@ -201,7 +197,7 @@ int cnt, *dir; *dir = 0; if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 - return sizeof(*ip) + sizeof(tcphdr_t); + return sizeof(ip_t) + sizeof(tcphdr_t); #else return sizeof(ip_t); #endif diff --git a/dist/ipf/ipmon.c b/dist/ipf/ipmon.c index 6f3b98ef90e8..74e6e32202cb 100644 --- a/dist/ipf/ipmon.c +++ b/dist/ipf/ipmon.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipmon.c,v 1.13 2002/07/01 13:56:53 christos Exp $ */ +/* $NetBSD: ipmon.c,v 1.14 2002/09/19 08:08:18 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -69,10 +69,8 @@ #include "netinet/ip_state.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp"; +static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp"; #endif 
@@ -969,13 +967,13 @@ int blen; *t++ = 'S'; lvl = LOG_ERR; } else if (ipf->fl_flags & FR_PASS) { - if (ipf->fl_flags & FR_LOGP) + if (ipf->fl_flags & FR_LOG) *t++ = 'p'; else *t++ = 'P'; lvl = LOG_NOTICE; } else if (ipf->fl_flags & FR_BLOCK) { - if (ipf->fl_flags & FR_LOGB) + if (ipf->fl_flags & FR_LOG) *t++ = 'b'; else *t++ = 'B'; @@ -1262,14 +1260,15 @@ int main(argc, argv) int argc; char *argv[]; { - struct stat sb; - FILE *log = stdout; - int fd[3], doread, n, i; - int tr, nr, regular[3], c; int fdt[3], devices = 0, make_daemon = 0; char buf[IPLLOGSIZE], *iplfile[3], *s; - extern int optind; + int fd[3], doread, n, i; extern char *optarg; + extern int optind; + int regular[3], c; + FILE *log = stdout; + struct stat sb; + size_t nr, tr; fd[0] = fd[1] = fd[2] = -1; fdt[0] = fdt[1] = fdt[2] = -1; diff --git a/dist/ipf/ipnat.c b/dist/ipf/ipnat.c index d22d1c790528..82b59a466ae0 100644 --- a/dist/ipf/ipnat.c +++ b/dist/ipf/ipnat.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipnat.c,v 1.10 2002/04/09 02:32:52 thorpej Exp $ */ +/* $NetBSD: ipnat.c,v 1.11 2002/09/19 08:08:18 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -61,10 +61,8 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp"; +static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp"; #endif @@ -179,6 +177,8 @@ char *argv[]; ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, STRERROR(errno)); + if (errno == ENODEV) + fprintf(stderr, "IPFilter enabled?\n"); exit(1); } if (ioctl(fd, SIOCGNATS, &nsp) == -1) { diff --git a/dist/ipf/ipsend/ip_var.h b/dist/ipf/ipsend/ip_var.h index 00c35e3332ac..a6c5cc4199db 100644 
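Review bot: `nr` and `tr` change from `int` to `size_t` in `main`, and their uses lie outside the hunk; if either receives the return of `read()` or is passed to `ioctl(..., FIONREAD, ...)`, a `-1` result would now wrap to `SIZE_MAX` so a comparison such as `nr > 0` or `nr < 0` would no longer detect the error, and on an LP64 platform an `int`-sized `FIONREAD` store would fill only part of the variable. Worth checking those sites before relying on the new type. If the change is intentional, a short comment at the declaration, e.g. `/* byte counts only; read() errors are handled before assignment */`, would make the contract visible.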
--- a/dist/ipf/ipsend/ip_var.h +++ b/dist/ipf/ipsend/ip_var.h @@ -1,4 +1,4 @@ -/* $NetBSD: ip_var.h,v 1.1.1.2 2002/09/19 07:56:44 martti Exp $ */ +/* $NetBSD: ip_var.h,v 1.2 2002/09/19 08:08:21 martti Exp $ */ /* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */ diff --git a/dist/ipf/ipt.c b/dist/ipf/ipt.c index c125c89c0c88..3eb588fd9222 100644 --- a/dist/ipf/ipt.c +++ b/dist/ipf/ipt.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipt.c,v 1.8 2002/05/30 18:10:28 thorpej Exp $ */ +/* $NetBSD: ipt.c,v 1.9 2002/09/19 08:08:19 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -65,10 +65,8 @@ #include "ipt.h" #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp"; +static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp"; #endif extern char *optarg; @@ -80,6 +78,7 @@ extern ipnat_t *natparse __P((char *, int)); extern int fr_running; int opts = 0; +int rremove = 0; int use_inet6 = 0; int main __P((int, char *[])); int loadrules __P((char *)); @@ -115,7 +114,7 @@ char *argv[]; ipflog_init(); fr_running = 1; - while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1) + while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1) switch (c) { case '6' : @@ -167,6 +166,9 @@ char *argv[]; case 'P' : r = &pcap; break; + case 'R' : + rremove = 1; + break; case 'S' : r = &snoop; break; 
@@ -334,20 +336,44 @@ char *file; if (!(fr = natparse(line, linenum))) continue; - i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, - (caddr_t)&fr, FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n", - fr, i); + if (rremove == 0) { + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADNAT,%p,1) = %d\n", + fr, i); + } else { + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(RMNAT,%p,1) = %d\n", + fr, i); + } } else { if (!(fr = parse(line, linenum))) continue; - i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n", - fr, i); + if (rremove == 0) { + i = IPL_EXTERN(ioctl)(0, SIOCADAFR, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADAFR,%p,1) = %d\n", + fr, i); + } else { + i = IPL_EXTERN(ioctl)(0, SIOCRMAFR, + (caddr_t)&fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(RMAFR,%p,1) = %d\n", + fr, i); + } } } (void)fclose(fp); diff --git a/dist/ipf/kmem.c b/dist/ipf/kmem.c index c60a09938e55..c057b98555b0 100644 --- a/dist/ipf/kmem.c +++ b/dist/ipf/kmem.c @@ -1,4 +1,4 @@ -/* $NetBSD: kmem.c,v 1.8 2002/05/30 18:10:29 thorpej Exp $ */ +/* $NetBSD: kmem.c,v 1.9 2002/09/19 08:08:19 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -47,10 +47,8 @@ #endif #if !defined(lint) -static const char sccsid[] __attribute__((__unused__)) = - "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp"; +static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; +static const char rcsid[] = "@(#)Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp"; #endif #ifdef __sgi 
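Review bot: The add/remove split duplicates the ioctl-and-debug-print sequence four times, differing only in the request code and its label, which roughly doubles the rule-loading loop and invites the copies drifting apart. Selecting the request code and label from `rremove` once per branch keeps a single ioctl call and a single `fprintf`, as sketched below for the NAT branch; the filter-rule branch follows the same shape with `SIOCADAFR`/`SIOCRMAFR`. The local holding the request code needs a declaration at the top of the function, which is outside the hunk, as is the start of the enclosing function (presumably `loadrules`, judging by the `char *file;` header).
```c
			if (!(fr = natparse(line, linenum)))
				continue;
			cmd = (rremove == 0) ? SIOCADNAT : SIOCRMNAT;
			i = IPL_EXTERN(ioctl)(IPL_LOGNAT, cmd, (caddr_t)&fr,
					      FWRITE|FREAD);
			if (opts & OPT_DEBUG)
				fprintf(stderr, "iplioctl(%s,%p,1) = %d\n",
					(rremove == 0) ? "ADNAT" : "RMNAT",
					fr, i);
			/* ... unchanged: filter-rule branch, same shape with SIOCADAFR/SIOCRMAFR ... */
```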
@@ -59,7 +57,7 @@ typedef int kvm_t; static int kvm_fd = -1; static char *kvm_errstr; -kvm_t kvm_open(kernel, core, swap, mode, errstr) +kvm_t *kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; int mode; char *errstr; @@ -69,17 +67,18 @@ char *errstr; if (core == NULL) core = "/dev/kmem"; kvm_fd = open(core, mode); - return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; + return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL; } int kvm_read(kvm, pos, buffer, size) -kvm_t kvm; +kvm_t *kvm; u_long pos; char *buffer; size_t size; { - int r, left; + size_t left; char *bufp; + int r; if (lseek(*kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); @@ -101,13 +100,19 @@ static kvm_t *kvm_f = NULL; int openkmem(kern, core) char *kern, *core; { + union { + int ui; + kvm_t *uk; + } k; + kvm_f = kvm_open(kern, core, NULL, O_RDONLY, ""); if (kvm_f == NULL) { perror("openkmem:open"); return -1; } - return 0; + k.uk = kvm_f; + return k.ui; } int kmemcpy(buf, pos, n) @@ -124,7 +129,7 @@ register int n; if (openkmem(NULL, NULL) == -1) return -1; - while ((r = kvm_read(kvm_f, pos, buf, n)) < n) + while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n) if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); @@ -156,7 +161,7 @@ register int n; while (n > 0) { - r = kvm_read(kvm_f, pos, buf, 1); + r = kvm_read(kvm_f, pos, buf, (size_t)1); if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); diff --git a/dist/ipf/man/ipftest.1 b/dist/ipf/man/ipftest.1 index 93c0f87471fa..a9eb89e09831 100644 --- a/dist/ipf/man/ipftest.1 +++ b/dist/ipf/man/ipftest.1 @@ -1,4 +1,4 @@ -.\" $NetBSD: ipftest.1,v 1.2 1999/12/11 23:40:29 veego Exp $ +.\" $NetBSD: ipftest.1,v 1.3 2002/09/19 08:08:22 martti Exp $ .\" .TH ipftest 1 .SH NAME @@ -6,7 +6,7 @@ ipftest \- test packet filter rules with arbitary input. .SH SYNOPSIS .B ipftest [ -.B \-vbdPSTEHX +.B \-vbdPRSTEHX ] [ .B \-I interface 
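Review bot: `openkmem` now returns `k.ui`, the low `int`-sized bits of the `kvm_t *` stored in `kvm_f`, instead of `0`; on a 64-bit build that truncates the pointer, and the only caller visible here, `kmemcpy`, tests the result solely against `-1`, which a truncated pointer could in principle equal. Unless some caller relies on receiving the handle, `return 0;` as before is the clearer contract; if the handle is wanted, an out-parameter or keeping the `int` return as a pure status code avoids the union pun. Either way a comment on `openkmem` stating what the return value means would help, since the union gives no hint.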
@@ -78,6 +78,10 @@ The input file specified by \fB\-i\fP is a binary file produced using libpcap (i.e., tcpdump version 3). Packets are read from this file as being input (for rule purposes). An interface maybe specified using \fB\-I\fP. .TP +.B \-R +Remove rules rather than load them. This is not a toggle option, so once +set, it cannot be reset by further use of -R. +.TP .B \-S The input file is to be in "snoop" format (see RFC 1761). Packets are read from this file and used as input from any interface. This is perhaps the @@ -100,7 +104,12 @@ option combinations: .B \-H The input file is to be hex digits, representing the binary makeup of the packet. No length correction is made, if an incorrect length is put in -the IP header. +the IP header. A packet may be broken up over several lines of hex digits, +a blank line indicating the end of the packet. It is possible to specify +both the interface name and direction of the packet (for filtering purposes) +at the start of the line using this format: [direction,interface] To define +a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required +and part of the input syntax. .TP .B \-X The input file is composed of text descriptions of IP packets. diff --git a/dist/ipf/man/ipmon.8 b/dist/ipf/man/ipmon.8 index 7bde705a2970..8b0cbf0fd701 100644 --- a/dist/ipf/man/ipmon.8 +++ b/dist/ipf/man/ipmon.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: ipmon.8,v 1.9 2002/05/02 17:11:39 martti Exp $ +.\" $NetBSD: ipmon.8,v 1.10 2002/09/19 08:08:22 martti Exp $ .\" .TH ipmon 8 .SH NAME 
@@ -48,8 +48,11 @@ long). 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be viewed with \fBipfstat -n\fP. .LP -5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short -packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. +5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short +packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order +of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or +\fBB\fP means that the packet has been logged due to a global logging +setting, not a particular rule. .LP 6. The addresses. This is actually three fields: the source address and port diff --git a/dist/ipf/man/ipnat.5 b/dist/ipf/man/ipnat.5 index 59e8086a960a..d4333f61e991 100644 --- a/dist/ipf/man/ipnat.5 +++ b/dist/ipf/man/ipnat.5 @@ -1,4 +1,4 @@ -.\" $NetBSD: ipnat.5,v 1.8 2002/06/16 14:43:46 wiz Exp $ +.\" $NetBSD: ipnat.5,v 1.9 2002/09/19 08:08:22 martti Exp $ .\" .TH IPNAT 5 .SH NAME 
@@ -21,18 +21,20 @@ mapit ::= "map" | "bimap" . fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . dstipmask ::= ipmask | "range" ip "-" ip . -mapport ::= "portmap" tcpudp portnumber ":" portnumber . +mapport ::= "portmap" tcpudp portspec . clamp ::= "mssclamp" number . options ::= [ tcpudp ] [ rr ] . -object = addr [ port-comp | port-range ] . -addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . -port-comp = "port" compare port-num . -port-range = "port" port-num range port-num . +object :: = addr [ port-comp | port-range ] . +addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . +port-comp :: = "port" compare port-num . +port-range :: = "port" port-num range port-num . rr ::= "round-robin" . +nummask = host-name [ "/" decnumber ] . tcpudp ::= "tcp" | "udp" | "tcp/udp" . -portnumber ::= number { numbers } | "auto" . +portspec ::= "auto" | portnumber ":" portnumber . +portnumber ::= number { numbers } . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . @@ -97,6 +99,15 @@ or as map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 .fi .LP +For even greater control, one may negate either of the "from" or "to" clauses +with a preceding exclamation mark ("!"). Please note that one may not use a +negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP +rule. Such a rule might look like the following: +.LP +.nf ++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32 +.fi +.PP Only IP address and port numbers can be compared against. This is available with all NAT rules. .SH TRANSLATION diff --git a/dist/ipf/parse.c b/dist/ipf/parse.c index 5bc75818b406..3699f92e60de 100644 --- a/dist/ipf/parse.c +++ b/dist/ipf/parse.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: parse.c,v 1.12 2002/04/09 02:32:53 thorpej Exp $ */ +/* $NetBSD: parse.c,v 1.13 2002/09/19 08:08:20 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -151,7 +151,7 @@ int linenum; } fil.fr_icode = j; } - } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) { + } else if (!strcasecmp(*(cpp+1), "return-rst")) { fil.fr_flags |= FR_RETRST; cpp++; } @@ -939,7 +939,6 @@ u_long optmsk, optbits; u_short secmsk = sec[0], secbits = sec[1]; struct ipopt_names *io, *so; char *s; - int secflag = 0; s = " opt "; for (io = ionames; io->on_name; io++) @@ -951,8 +950,7 @@ u_long optmsk, optbits; if (io->on_value == IPOPT_SECURITY) io++; s = ","; - } else - secflag = 1; + } } diff --git a/dist/ipf/printnat.c b/dist/ipf/printnat.c index 48db941f260f..80ef6aeae38c 100644 --- a/dist/ipf/printnat.c +++ b/dist/ipf/printnat.c @@ -1,4 +1,4 @@ -/* $NetBSD: printnat.c,v 1.8 2002/05/30 18:10:31 thorpej Exp $ */ +/* $NetBSD: printnat.c,v 1.9 2002/09/19 08:08:20 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -60,8 +60,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] __attribute__((__unused__)) = - "@(#)Id: printnat.c,v 1.1.2.8 2002/04/25 16:44:13 darrenr Exp"; +static const char rcsid[] = "@(#)Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp"; #endif @@ -245,9 +244,10 @@ int opts; 0xffffffff), hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport, NAT_TABLE_SZ), - printf("%s pr %u bkt %d/%d flags %x\n", + printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n", getsumd(nat->nat_sumd[1]), nat->nat_p, - hv1, hv2, nat->nat_flags); + hv1, hv2, nat->nat_flags, + nat->nat_drop[0], nat->nat_drop[1]); printf("\tifp %s ", getifname(nat->nat_ifp)); #ifdef USE_QUAD_T printf("bytes %qu pkts %qu", diff --git a/dist/ipf/rules/example.9 b/dist/ipf/rules/example.9 index edaf72b53305..43cd864572ec 100644 --- a/dist/ipf/rules/example.9 +++ b/dist/ipf/rules/example.9 
@@ -1,4 +1,4 @@ -# $NetBSD: example.9,v 1.1.1.2 2002/09/19 07:56:58 martti Exp $ +# $NetBSD: example.9,v 1.2 2002/09/19 08:08:23 martti Exp $ # # drop all packets without IP security options # diff --git a/regress/sys/kern/ipf/Makefile b/regress/sys/kern/ipf/Makefile index 872312c75c16..ca523a190905 100644 --- a/regress/sys/kern/ipf/Makefile +++ b/regress/sys/kern/ipf/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.2 2002/05/13 06:34:14 martti Exp $ +# $NetBSD: Makefile,v 1.3 2002/09/19 08:09:49 martti Exp $ # # (C)opyright 1993-1996 by Darren Reed. # @@ -17,7 +17,7 @@ first: ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests -ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 +ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 ntests: n1 n2 n3 n4 n5 n6 n7 @@ -44,7 +44,7 @@ f15 f16: f17: @/bin/sh ${.CURDIR}/mhtest $@ ${.CURDIR} -i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: +i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12: @/bin/sh ${.CURDIR}/itest $@ ${.CURDIR} n1 n2 n3 n4 n5 n6 n7: @@ -64,7 +64,7 @@ ipv6.1 ipv6.2: clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17 - /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 + /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 /bin/rm -f ni1 ni2 ni3 ni4 ni5 /bin/rm -f in1 in2 in3 in4 diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index b3db54f04107..30496c1f047b 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -1,4 +1,4 @@ -/* $NetBSD: fil.c,v 1.56 2002/06/09 16:33:36 itojun Exp $ */ +/* $NetBSD: fil.c,v 1.57 2002/09/19 08:09:10 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. 
@@ -100,10 +100,10 @@ #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.56 2002/06/09 16:33:36 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.57 2002/09/19 08:09:10 martti Exp $"); #else static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp"; +static const char rcsid[] = "@(#)Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp"; #endif #endif @@ -1086,7 +1086,7 @@ int out; fin->fin_fr = fr; if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if (fin->fin_fl & FI_FRAG) { - if (ipfr_newfrag(ip, fin, pass) == -1) { + if (ipfr_newfrag(ip, fin) == -1) { ATOMIC_INCL(frstats[out].fr_bnfr); } else { ATOMIC_INCL(frstats[out].fr_nfr); @@ -1201,7 +1201,16 @@ logit: * some operating systems. */ if (!out) { - if (pass & FR_RETICMP) { + if (changed == -1) + /* + * If a packet results in a NAT error, do not + * send a reset or ICMP error as it may disrupt + * an existing flow. This is the proxy saying + * the content is bad so just drop the packet + * silently. + */ + ; + else if (pass & FR_RETICMP) { int dst; if ((pass & FR_RETMASK) == FR_FAKEICMP) @@ -1511,7 +1520,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp + * Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1626,7 +1635,6 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; - num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c index 2221b380b337..f677e95bb2ef 100644 --- a/sys/netinet/ip_auth.c +++ b/sys/netinet/ip_auth.c 
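Review bot: The `if (changed == -1)` arm consists of a comment and a bare `;`, which reads as an accidental empty statement and trips linters that flag `if (...) ;`; an empty braced block, `if (changed == -1) { /* NAT/proxy error: drop silently, no RST or ICMP */ } else if (pass & FR_RETICMP) {`, keeps the explanation and makes the intent explicit. The enclosing function starts and ends outside the hunk.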
@@ -1,4 +1,4 @@ -/* $NetBSD: ip_auth.c,v 1.28 2002/06/09 16:33:39 itojun Exp $ */ +/* $NetBSD: ip_auth.c,v 1.29 2002/09/19 08:09:11 martti Exp $ */ /* * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij. @@ -108,9 +108,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.28 2002/06/09 16:33:39 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.29 2002/09/19 08:09:11 martti Exp $"); #else -static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp"; #endif #endif @@ -622,7 +622,10 @@ void fr_authexpire() } else faep = &fae->fae_next; } - ipauth = &fae_list->fae_fr; + if (fae_list != NULL) + ipauth = &fae_list->fae_fr; + else + ipauth = NULL; for (frp = &fr_authlist; (fr = *frp); ) { if (fr->fr_ref == 1) { diff --git a/sys/netinet/ip_compat.h b/sys/netinet/ip_compat.h index 12d2e899ab4d..b553761591a3 100644 --- a/sys/netinet/ip_compat.h +++ b/sys/netinet/ip_compat.h @@ -1,4 +1,4 @@ -/* $NetBSD: ip_compat.h,v 1.29 2002/06/09 16:33:39 itojun Exp $ */ +/* $NetBSD: ip_compat.h,v 1.30 2002/09/19 08:09:11 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp + * Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp */ #ifndef _NETINET_IP_COMPAT_H_ @@ -188,6 +188,9 @@ typedef struct qif { */ size_t qf_hl; /* header length */ int qf_sap; +# if SOLARIS2 >= 8 + int qf_tunoff; /* tunnel offset */ +#endif size_t qf_incnt; size_t qf_outcnt; } qif_t; 
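Review bot: The new `qf_tunoff` field is guarded with `# if SOLARIS2 >= 8` but closed with `#endif` at column 0, while the surrounding file indents nested directives (`# include`, `# ifndef`, `# endif` in the FreeBSD block that follows); `# endif` keeps the nesting readable. Since `qif_t` is shared with the Solaris glue, extending the field comment to say the member exists only on Solaris 8 and later, e.g. `/* tunnel offset (ip.tun*), Solaris 8+ only */`, would spare the next reader from re-deriving the guard.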
@@ -215,7 +218,11 @@ typedef int minor_t; #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # include # ifndef __FreeBSD_version -# include +# ifdef IPFILTER_LKM +# include +# else +# include +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index cc2ea4a87cff..40b8609f1979 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_fil.c,v 1.84 2002/09/07 00:10:24 enami Exp $ */ +/* $NetBSD: ip_fil.c,v 1.85 2002/09/19 08:09:12 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -123,10 +123,10 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_fil.c,v 1.84 2002/09/07 00:10:24 enami Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_fil.c,v 1.85 2002/09/19 08:09:12 martti Exp $"); #else static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp"; #endif #endif @@ -164,6 +164,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, fr_info_t *, frdest_t *)); # endif # ifdef __sgi +extern int tcp_mtudisc; extern kmutex_t ipf_rw; extern KRWLOCK_T ipf_mutex; # endif @@ -198,15 +199,6 @@ struct timeout ipfr_slowtimer_ch; toid_t ipfr_slowtimer_ch; #endif -#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \ - defined(_KERNEL) -#include -const struct cdevsw ipl_cdevsw = { - iplopen, iplclose, iplread, nowrite, iplioctl, - nostop, notty, nopoll, nommap, -}; -#endif - #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include # include 
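Review bot: The NetBSD `ipl_cdevsw` definition (the `const struct cdevsw` under `__NetBSD_Version__ >= 106080000`) is deleted here and nothing in the visible part of this diff provides a replacement; if it is not defined in another file of this commit, a NetBSD kernel that still references `ipl_cdevsw` will fail to link. Worth confirming where the definition now lives, and a one-line comment at this spot naming that file would help the next import. The hunk is at file scope, so no enclosing function is cut.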
@@ -501,7 +493,7 @@ int ipl_disable() int ipldetach() # endif { - int s, i = FR_INQUE|FR_OUTQUE; + int s, i; #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) int error = 0; # if __NetBSD_Version__ >= 105150000 @@ -542,7 +534,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, i); + i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF @@ -662,6 +655,9 @@ int mode; unit = dev; #endif + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + SPL_NET(s); if (unit == IPL_LOGNAT) { @@ -922,7 +918,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if ((req != SIOCZRLST) && fp->fr_group && @@ -1256,13 +1253,18 @@ fr_info_t *fin; struct mbuf **mp; { struct mbuf *m = *mp; - char *dpsave; - int error; + int error, hlen; + fr_info_t frn; ip_t *ip; - dpsave = fin->fin_dp; + bzero((char *)&frn, sizeof(frn)); + frn.fin_ifp = fin->fin_ifp; + frn.fin_v = fin->fin_v; + frn.fin_out = fin->fin_out; + frn.fin_mp = fin->fin_mp; ip = mtod(m, ip_t *); + hlen = sizeof(*ip); ip->ip_v = fin->fin_v; if (ip->ip_v == 4) { 
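Review bot: In the group-head check, the retained `(req != SIOCZRLST) &&` is now redundant, because the new explicit list `(req == SIOCINAFR) || (req == SIOCINIFR) || (req == SIOCADAFR) || (req == SIOCADIFR)` already excludes `SIOCZRLST`; dropping the first term shortens the condition and removes the suggestion that `SIOCZRLST` is special here. The `fp->fr_group` check on the following context line still uses the bare `req != SIOCZRLST` form, so the two tests now read differently for no stated reason; a comment saying why only add/insert requests must reject an already-existing head group would help. The enclosing function starts and ends outside the hunk.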
@@ -1270,28 +1272,41 @@ struct mbuf **mp; ip->ip_v = IPVERSION; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; - ip->ip_off = 0; + +# if defined(__NetBSD__) || defined(__OpenBSD__) + if (ip_mtudisc != 0) + ip->ip_off = IP_DF; +# else +# if defined(__sgi) + if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0) + ip->ip_off = IP_DF; +# endif +# endif + # if (BSD < 199306) || defined(__sgi) ip->ip_ttl = tcp_ttl; # else ip->ip_ttl = ip_defttl; # endif ip->ip_sum = 0; - fin->fin_dp = (char *)(ip + 1); + frn.fin_dp = (char *)(ip + 1); } # ifdef USE_INET6 else if (ip->ip_v == 6) { ip6_t *ip6 = (ip6_t *)ip; + hlen = sizeof(*ip6); ip6->ip6_hlim = 127; - fin->fin_dp = (char *)(ip6 + 1); + frn.fin_dp = (char *)(ip6 + 1); } # endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif - error = ipfr_fastroute(m, mp, fin, NULL); - fin->fin_dp = dpsave; + + fr_makefrip(hlen, ip, &frn); + + error = ipfr_fastroute(m, mp, &frn, NULL); return error; } @@ -1598,6 +1613,9 @@ frdest_t *fdp; /* * Route packet. */ +#ifdef __sgi + ROUTE_RDLOCK(); +#endif bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; @@ -1634,6 +1652,11 @@ frdest_t *fdp; # else rtalloc(ro); # endif + +#ifdef __sgi + ROUTE_UNLOCK(); +#endif + if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; @@ -1686,7 +1709,8 @@ frdest_t *fdp; */ if (ip->ip_len <= ifp->if_mtu) { # ifndef sparc -# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) +# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \ + !(__NetBSD_Version__ >= 105110000) ip->ip_id = htons(ip->ip_id); # endif ip->ip_len = htons(ip->ip_len); @@ -2133,7 +2157,7 @@ int code; fr_info_t *fin; int dst; { - verbose("- ICMP UNREACHABLE RST sent\n"); + verbose("- ICMP UNREACHABLE sent\n"); return 0; } diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 148f89af5c3b..706ec6730b92 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h 
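Review bot: The unconditional `ip->ip_off = 0;` is removed and ip_off is now only written when path-MTU discovery is on (and on IRIX only for TCP), so on every other platform, or with mtudisc off, the flags/offset field keeps whatever the caller left in the mbuf; unless every caller zeroes the header first (the callers are outside the hunk), a generated RST or ICMP error can leave with stale fragment bits. Keep the reset ahead of the conditional: `ip->ip_off = 0;` immediately before `# if defined(__NetBSD__) || defined(__OpenBSD__)`, so the IP_DF assignment only ever adds the flag. The function starts before the hunk.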
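Review bot: ROUTE_RDLOCK() is taken in the hunk at +1613 and released only here, after rtalloc(), while the lines in between are outside both hunks; any early `return` or `goto` in that stretch (for instance when no interface can be resolved) would leave the IRIX route lock held read-locked for good. Please check that stretch, and if anything can bail there, release in the error path as well or narrow the locked region to the route lookup itself, e.g. lock directly before `rtalloc(ro);` and unlock directly after. ipfr_fastroute starts before and ends after this hunk.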
@@ -1,4 +1,4 @@ -/* $NetBSD: ip_fil.h,v 1.45 2002/07/01 13:55:35 christos Exp $ */ +/* $NetBSD: ip_fil.h,v 1.46 2002/09/19 08:09:13 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp + * Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp */ #ifndef _NETINET_IP_FIL_H_ @@ -509,6 +509,7 @@ extern int send_reset __P((ip_t *, fr_info_t *)); extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); extern int ipf_log __P((void)); extern struct ifnet *get_unit __P((char *, int)); +extern int mbuflen __P((mb_t *)); # if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 01da9413fffc..e8db367f9bf2 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_frag.c,v 1.32 2002/08/14 00:23:29 itojun Exp $ */ +/* $NetBSD: ip_frag.c,v 1.33 2002/09/19 08:09:14 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -93,10 +93,10 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.32 2002/08/14 00:23:29 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.33 2002/09/19 08:09:14 martti Exp $"); #else static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp"; #endif #endif 
@@ -127,7 +127,7 @@ extern kmutex_t ipf_rw; #endif -static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **)); +static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); static void ipfr_delete __P((ipfr_t *)); @@ -145,10 +145,9 @@ ipfrstat_t *ipfr_fragstats() * add a new entry to the fragment cache, registering it as having come * through this box, with the result of the filter operation. */ -static ipfr_t *ipfr_new(ip, fin, pass, table) +static ipfr_t *ipfr_new(ip, fin, table) ip_t *ip; fr_info_t *fin; -u_int pass; ipfr_t *table[]; { ipfr_t **fp, *fra, frag; @@ -205,7 +204,7 @@ ipfr_t *table[]; /* * Instert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. - * Set the ttl to the default and mask out logging from "pass" + * Set the ttl to the default. */ if ((fra->ipfr_next = table[idx])) table[idx]->ipfr_prev = fra; @@ -227,17 +226,16 @@ ipfr_t *table[]; } -int ipfr_newfrag(ip, fin, pass) +int ipfr_newfrag(ip, fin) ip_t *ip; fr_info_t *fin; -u_int pass; { ipfr_t *ipf; if ((ip->ip_v != 4) || (fr_frag_lock)) return -1; WRITE_ENTER(&ipf_frag); - ipf = ipfr_new(ip, fin, pass, ipfr_heads); + ipf = ipfr_new(ip, fin, ipfr_heads); RWLOCK_EXIT(&ipf_frag); if (ipf == NULL) { ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr); @@ -248,10 +246,9 @@ u_int pass; } -int ipfr_nat_newfrag(ip, fin, pass, nat) +int ipfr_nat_newfrag(ip, fin, nat) ip_t *ip; fr_info_t *fin; -u_int pass; nat_t *nat; { ipfr_t *ipf; @@ -263,10 +260,10 @@ nat_t *nat; off = fin->fin_off; off <<= 3; if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)) - return NULL; + return -1; WRITE_ENTER(&ipf_natfrag); - ipf = ipfr_new(ip, fin, pass, ipfr_nattab); + ipf = ipfr_new(ip, fin, ipfr_nattab); if (ipf != NULL) { ipf->ipfr_data = nat; nat->nat_data = ipf; diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h index 09b16ffd14e5..bfb042713a10 100644 
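Review bot: `return -1` now matches ipfr_nat_newfrag's int return type (the old `return NULL` was a pointer constant in an int function), but the guard it protects — `(off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)` — has no counterpart in ipfr_newfrag in the hunk above, which only rejects non-IPv4 and the lock. If ipfr_new does not validate offset and length itself (most of its body is outside the hunk), the filter-side fragment cache accepts entries the NAT-side cache refuses; mirroring the same two lines in ipfr_newfrag, before `WRITE_ENTER(&ipf_frag);`, keeps the two caches consistent. Both functions are fully visible in their hunks.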
--- a/sys/netinet/ip_frag.h +++ b/sys/netinet/ip_frag.h @@ -1,4 +1,4 @@ -/* $NetBSD: ip_frag.h,v 1.17 2002/01/24 08:23:12 martti Exp $ */ +/* $NetBSD: ip_frag.h,v 1.18 2002/09/19 08:09:15 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 - * Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp + * Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp */ #ifndef _NETINET_IP_FRAG_H_ @@ -50,8 +50,8 @@ typedef struct ipfrstat { extern int fr_ipfrttl; extern int fr_frag_lock; extern ipfrstat_t *ipfr_fragstats __P((void)); -extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int)); -extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *)); +extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *)); extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_forget __P((void *)); diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c index 9632315a39ab..6fc7804fd9af 100644 --- a/sys/netinet/ip_ftp_pxy.c +++ b/sys/netinet/ip_ftp_pxy.c @@ -1,13 +1,13 @@ -/* $NetBSD: ip_ftp_pxy.c,v 1.24 2002/05/02 17:13:29 martti Exp $ */ +/* $NetBSD: ip_ftp_pxy.c,v 1.25 2002/09/19 08:09:15 martti Exp $ */ #include -__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.24 2002/05/02 17:13:29 martti Exp $"); +__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.25 2002/09/19 08:09:15 martti Exp $"); /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp + * Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -303,7 +303,7 @@ int dlen; ip->ip_len = slen; ip->ip_src = swip; } - return APR_INC(inc); + return inc; } 
@@ -586,7 +586,7 @@ int dlen; wptr = f->ftps_wptr; if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) - return inc; + return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); @@ -726,6 +726,10 @@ size_t len; } +/* + * rv == 0 for outbound processing, + * rv == 1 for inbound processing. + */ int ippr_ftp_process(fin, ip, nat, ftp, rv) fr_info_t *fin; ip_t *ip; @@ -733,15 +737,16 @@ nat_t *nat; ftpinfo_t *ftp; int rv; { - int mlen, len, off, inc, i, sel; + int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff; + u_32_t thseq, thack; char *rptr, *wptr; + ap_session_t *aps; ftpside_t *f, *t; tcphdr_t *tcp; mb_t *m; tcp = (tcphdr_t *)fin->fin_dp; off = fin->fin_hlen + (tcp->th_off << 2); - #if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else 
@@ -759,42 +764,149 @@ int rv; #endif mlen -= off; + aps = nat->nat_aps; t = &ftp->ftp_side[1 - rv]; f = &ftp->ftp_side[rv]; - if (!mlen) { - if (!t->ftps_seq || - (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0) - t->ftps_seq = ntohl(tcp->th_ack); - f->ftps_len = 0; - return 0; - } + thseq = ntohl(tcp->th_seq); + thack = ntohl(tcp->th_ack); - rptr = f->ftps_rptr; - wptr = f->ftps_wptr; - - i = 0; - sel = nat->nat_aps->aps_sel[1 - rv]; - if (rv) { - if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_ackoff[sel]; + sel = aps->aps_sel[1 - rv]; + sel2 = aps->aps_sel[rv]; + if (rv == 0) { + seqoff = aps->aps_seqoff[sel]; + if (aps->aps_seqmin[sel] > seqoff + thseq) + seqoff = aps->aps_seqoff[!sel]; + ackoff = aps->aps_ackoff[sel2]; + if (aps->aps_ackmin[sel2] > ackoff + thack) + ackoff = aps->aps_ackoff[!sel2]; } else { - if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_seqoff[sel]; +#if PROXY_DEBUG + printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, + aps->aps_ackmin[sel]); +#endif + seqoff = aps->aps_ackoff[sel]; + if (aps->aps_ackmin[sel] > seqoff + thseq) + seqoff = aps->aps_ackoff[!sel]; + +#if PROXY_DEBUG + printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, + aps->aps_seqmin[sel2]); +#endif + ackoff = aps->aps_seqoff[sel2]; + if (ackoff > 0) { + if (aps->aps_seqmin[sel2] > ackoff + thack) + ackoff = aps->aps_seqoff[!sel2]; + } else { + if (aps->aps_seqmin[sel2] > thack) + ackoff = aps->aps_seqoff[!sel2]; + } } +#if PROXY_DEBUG + printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? 
"IN" : "OUT", + tcp->th_flags, thseq, seqoff, thack, ackoff, mlen); + printf("sel %d seqmin %x/%x offset %d/%d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqmin[sel2], + aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); + printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, + aps->aps_ackmin[sel], aps->aps_ackmin[sel2], + aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); +#endif + /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) - f->ftps_seq = ntohl(tcp->th_seq); +#if PROXY_DEBUG + printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", + rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); +#endif + + ok = 0; + if (t->ftps_seq[0] == 0) + t->ftps_seq[0] = thack, ok = 1; else { - inc = ntohl(tcp->th_seq) - f->ftps_seq; - if (inc > i) { - return APR_ERR(1); + if (ackoff == 0) { + if (t->ftps_seq[0] == thack) + ok = 1; + else if (t->ftps_seq[1] == thack) { + t->ftps_seq[0] = thack; + ok = 1; + } + } else { + if (t->ftps_seq[0] + ackoff == thack) + ok = 1; + else if (t->ftps_seq[0] == thack + ackoff) + ok = 1; + else if (t->ftps_seq[1] + ackoff == thack) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } else if (t->ftps_seq[1] == thack + ackoff) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } } } + +#if PROXY_DEBUG + if (!ok) + printf("not ok\n"); +#endif + + if (!mlen) { + if (t->ftps_seq[0] + ackoff != thack) + return APR_ERR(1); + +#if PROXY_DEBUG + printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); +#endif + if (tcp->th_flags & TH_FIN) { + if (thseq + seqoff == f->ftps_seq[0] + 1 || + f->ftps_seq[0] + seqoff + 1 == thseq || + thseq + seqoff == f->ftps_seq[0] || + thseq == f->ftps_seq[0] + seqoff) + ; + else { +#if PROXY_DEBUG + printf("FIN: thseq %x seqoff %d ftps_seq %x\n", + thseq, seqoff, f->ftps_seq[0]); +#endif + return APR_ERR(1); + } + } + f->ftps_len = 0; 
+ return 0; + } + + ok = 0; + if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1]) + ok = 1; + /* + * Retransmitted data packet. + */ + else if (thseq + mlen == f->ftps_seq[0] || + thseq + mlen == f->ftps_seq[1]) + ok = 1; + if (ok == 0) { + inc = thseq - f->ftps_seq[0]; +#if PROXY_DEBUG + printf("inc %d sel %d rv %d\n", inc, sel, rv); + printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], + f->ftps_seq[1]); + printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], + aps->aps_ackoff[sel]); + printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], + aps->aps_seqoff[sel]); +#endif + + return APR_ERR(1); + } + inc = 0; + rptr = f->ftps_rptr; + wptr = f->ftps_wptr; + f->ftps_seq[0] = thseq; + f->ftps_seq[1] = f->ftps_seq[0] + mlen; f->ftps_len = mlen; while (mlen > 0) { @@ -838,6 +950,7 @@ int rv; * ftp proxy for this connection. */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { + /* f->ftps_seq[1] += inc; */ return APR_ERR(2); } @@ -878,7 +991,24 @@ int rv; } } - t->ftps_seq = ntohl(tcp->th_ack); + /* f->ftps_seq[1] += inc; */ + if (tcp->th_flags & TH_FIN) + f->ftps_seq[1]++; +#ifndef _KERNEL + mlen = mbuflen(m); +#else +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif +#endif + off = fin->fin_hlen + (tcp->th_off << 2); + mlen -= off; +#if PROXY_DEBUG + printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); +#endif + f->ftps_rptr = rptr; f->ftps_wptr = wptr; return APR_INC(inc); diff --git a/sys/netinet/ip_h323_pxy.c b/sys/netinet/ip_h323_pxy.c index ba2b3cf4adfe..bc83559b1b62 100644 --- a/sys/netinet/ip_h323_pxy.c +++ b/sys/netinet/ip_h323_pxy.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_h323_pxy.c,v 1.4 2002/06/09 16:33:40 itojun Exp $ */ +/* $NetBSD: ip_h323_pxy.c,v 1.5 2002/09/19 08:09:16 martti Exp $ */ /* * Copyright 2001, QNX Software Systems Ltd. All Rights Reserved 
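Review bot: The ACK validation at the top of the rewritten ippr_ftp_process computes `ok`, but for data-carrying segments that result is thrown away: after the `if (!mlen)` block the code does `ok = 0;` and restarts with sequence-number tests only, so a segment whose `thack` matches none of the accepted forms is still parsed for PORT/PASV as long as `thseq` lines up. If that is deliberate (only the sequence side gates command parsing), a comment at the `ok = 0;` reset saying so will stop the next reader from "fixing" it; if not, carry the first result forward with `if (!ok) return APR_ERR(1);` placed before `if (!mlen)`. Note also that `t->ftps_seq[0] == 0` doubles as the "not yet seen" sentinel, so a peer whose ACK value is genuinely 0 (rare, but legal after wrap) re-seeds it on every packet. The function continues past the end of the hunk.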
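Review bot: The `mlen` recomputation added at the tail (`mbuflen`/`msgdsize`/`mbufchainlen`, then `off = ...; mlen -= off;`) feeds only the `#if PROXY_DEBUG` printf, so in normal builds it is dead work on every processed segment; either move the whole recomputation inside the `#if PROXY_DEBUG` block or drop it. The `/* f->ftps_seq[1] += inc; */` left commented out here and in the 950 hunk should either go or become a real comment explaining why the length change `inc` must not be folded into the next expected sequence number. The function's tail continues outside the hunk.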
@@ -11,6 +11,7 @@ * authorized by a written license agreement from QSSL. For more information, * please email licensing@qnx.com. * + * For more details, see QNX_OCL.txt provided with this distribution. */ /* @@ -27,7 +28,7 @@ # include #endif -__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.4 2002/06/09 16:33:40 itojun Exp $"); +__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.5 2002/09/19 08:09:16 martti Exp $"); #define IPF_H323_PROXY @@ -56,7 +57,7 @@ unsigned char *data; int datlen, *off; unsigned short *port; { - u_32_t addr; + u_32_t addr, netaddr; u_char *dp; int offset; @@ -66,10 +67,11 @@ unsigned short *port; *port = 0; offset = *off; dp = (u_char *)data; + netaddr = ntohl(ipaddr); for (offset = 0; offset <= datlen - 6; offset++, dp++) { addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3]; - if (ipaddr == addr) + if (netaddr == addr) { *port = (*(dp + 4) << 8) | *(dp + 5); break; diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index cc5fc03405ae..8c98bdecf2e9 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_nat.c,v 1.51 2002/06/09 16:33:41 itojun Exp $ */ +/* $NetBSD: ip_nat.c,v 1.52 2002/09/19 08:09:16 martti Exp $ */ /* * Copyright (C) 1995-2001 by Darren Reed. @@ -112,10 +112,10 @@ extern struct ifnet vpnif; #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.51 2002/06/09 16:33:41 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.52 2002/09/19 08:09:16 martti Exp $"); #else static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp"; #endif #endif 
@@ -476,8 +476,12 @@ int mode; } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + IPN_CMPSIZ)) { + if (n->in_redir == NAT_REDIRECT && + n->in_pnext != nat->in_pnext) + continue; break; + } } switch (cmd) @@ -2333,8 +2337,8 @@ register natlookup_t *np; fr_info_t fi; bzero((char *)&fi, sizeof(fi)); - fi.fin_data[0] = np->nl_inport; - fi.fin_data[1] = np->nl_outport; + fi.fin_data[0] = ntohs(np->nl_inport); + fi.fin_data[1] = ntohs(np->nl_outport); /* * If nl_inip is non null, this is a lookup based on the real @@ -2516,7 +2520,7 @@ maskloop: if (nat) { np = nat->nat_ptr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); MUTEX_ENTER(&nat->nat_lock); if (fin->fin_p != IPPROTO_TCP) { if (np && np->in_age[1]) @@ -2617,6 +2621,8 @@ maskloop: i = appr_check(ip, fin, nat); if (i == 0) i = 1; + else if (i == -1) + nat->nat_drop[1]++; } else i = 1; ATOMIC_INCL(nat_stats.ns_mapped[1]); @@ -2741,11 +2747,12 @@ maskloop: np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); if (np && (np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { i = appr_check(ip, fin, nat); if (i == -1) { + nat->nat_drop[0]++; RWLOCK_EXIT(&ipf_nat); return i; } diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h index 3169583d0365..3d317657ac59 100644 --- a/sys/netinet/ip_nat.h +++ b/sys/netinet/ip_nat.h @@ -1,4 +1,4 @@ -/* $NetBSD: ip_nat.h,v 1.26 2002/05/02 17:12:06 martti Exp $ */ +/* $NetBSD: ip_nat.h,v 1.27 2002/09/19 08:09:17 martti Exp $ */ /* * Copyright (C) 1995-2001 by Darren Reed. 
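Review bot: ipfr_nat_newfrag's return value is still discarded at this call (and at the matching one in the 2747 hunk), so now that the callee returns -1 for zero-length or over-long fragments, such a first fragment is NATed without a cache entry and later fragments of the same datagram will miss ipfr_nat_knownfrag; what happens to them then depends on the lookup path outside this hunk, but it is at best silent. At minimum make the condition observable, e.g. `if (ipfr_nat_newfrag(ip, fin, nat) == -1)` feeding an existing NAT statistics counter, or cast to `(void)` with a comment saying the failure is intentionally ignored. The enclosing NAT function starts and ends outside the hunk.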
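Review bot: `nat->nat_drop[1]++` is a plain read-modify-write, while the statistics increment two lines below uses `ATOMIC_INCL(nat_stats.ns_mapped[1])`; unless nat_lock is still held here (the MUTEX_ENTER in the 2520 hunk is followed by code outside the hunk, so I cannot see where it is released), concurrent drops for one session can lose increments on SMP. Use the same primitive the file already uses for 32-bit counters, `ATOMIC_INC32(nat->nat_drop[1]);` here and `ATOMIC_INC32(nat->nat_drop[0]);` in the 2747 hunk, or add a comment stating the counter is best-effort. The enclosing function continues outside the hunk.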
@@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 - * Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp + * Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp */ #ifndef _NETINET_IP_NAT_H_ @@ -80,6 +80,7 @@ typedef struct nat { u_32_t nat_mssclamp; /* if != zero clamp MSS to this */ U_QUAD_T nat_pkts; U_QUAD_T nat_bytes; + u_int nat_drop[2]; u_short nat_oport; /* other port */ u_short nat_inport; u_short nat_outport; diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 824315326d50..9bd517b52dce 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -1,4 +1,4 @@ -/* $NetBSD: ip_proxy.c,v 1.34 2002/06/09 16:33:42 itojun Exp $ */ +/* $NetBSD: ip_proxy.c,v 1.35 2002/09/19 08:09:18 martti Exp $ */ /* * Copyright (C) 1997-2002 by Darren Reed. @@ -79,9 +79,9 @@ #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_proxy.c,v 1.34 2002/06/09 16:33:42 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_proxy.c,v 1.35 2002/09/19 08:09:18 martti Exp $"); #else -static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp"; #endif #endif @@ -96,6 +96,8 @@ extern KRWLOCK_T ipf_nat, ipf_state; static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); +#define PROXY_DEBUG 0 + #define AP_SESS_SIZE 53 #include "netinet/ip_ftp_pxy.c" @@ -129,7 +131,7 @@ aproxy_t ap_proxies[] = { ippr_ipsec_match }, #endif #ifdef IPF_NETBIOS_PROXY - { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL, + { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, NULL, NULL, NULL, ippr_netbios_out, NULL }, #endif #ifdef IPF_H323_PROXY 
@@ -320,9 +322,19 @@ nat_t *nat; sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif if (sum != tcp->th_sum) { +#if PROXY_DEBUG + printf("proxy tcp checksum failure\n"); +#endif frstats[fin->fin_out].fr_tcpbad++; return -1; } + + /* + * Don't both the proxy with these...or in fact, should + * we free up proxy stuff when seen? + */ + if ((tcp->th_flags & TH_RST) != 0) + return 0; } apr = aps->aps_apr; @@ -336,9 +348,16 @@ nat_t *nat; } rv = APR_EXIT(err); - if (rv == 1) + if (rv == 1) { +#if PROXY_DEBUG + printf("proxy says bad packet received\n"); +#endif return -1; + } if (rv == 2) { +#if PROXY_DEBUG + printf("proxy says free app proxy data\n"); +#endif appr_free(apr); nat->nat_aps = NULL; return -1; @@ -419,6 +438,9 @@ ap_session_t *aps; } +/* + * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise + */ static int appr_fixseqack(fin, ip, aps, inc) fr_info_t *fin; ip_t *ip; @@ -428,20 +450,32 @@ int inc; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; + short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; + /* + * ip_len has already been adjusted by 'inc'. + */ nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; + inc = (int)inc2; + if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); sel = aps->aps_sel[out]; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; 
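Review bot: The new early `return 0` for TH_RST happens before the proxy callback and, presumably, before the seq/ack rewrite (appr_fixseqack is called later in appr_check, outside the hunk), so a RST from a side whose sequence space the FTP proxy has shifted goes out with an untranslated th_seq; the peer may treat it as out-of-window and ignore it, leaving teardown to timeouts. Please confirm whether the fix-up should still run for RSTs, and replace the comment, which has a typo ("both") and an open question, with the decision: `/* Don't bother the proxy with RSTs: <what actually tears the session down>. */`. The checksum check just above still covers RSTs, which is good. appr_check continues outside the hunk.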
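Review bot: `inc2 = inc; inc = (int)inc2;` narrows `inc` through a `short` and back with no explanation; presumably `inc` arrives as a 16-bit field unpacked from a packed APR_* return value and the round trip restores its sign, but to the next reader it looks like a no-op or a truncation bug, so say so: `/* inc arrives as an unsigned 16-bit field; pass it through short to sign-extend it */` — or do the sign extension at the unpacking site instead. Separately, the added `+}` closing braces in this and the following hunks sit at column 0 inside indented bodies and should line up with the `if` they close. appr_fixseqack continues past the end of the hunk.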
@@ -454,8 +488,13 @@ int inc; } if (inc && (seq1 > aps->aps_seqmin[!sel])) { - aps->aps_seqmin[!sel] = seq1 + nlen - 1; - aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc; + aps->aps_seqmin[sel] = seq1 + nlen - 1; + aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy seq set %d at %x to %d + %d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ @@ -465,8 +504,13 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; @@ -479,12 +523,16 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_ackoff[sel]) { - seq2 = aps->aps_ackmin[sel] - - aps->aps_ackoff[sel]; + seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; if (seq1 > seq2) { seq2 = aps->aps_ackoff[sel]; seq1 += seq2; @@ -496,6 +544,11 @@ int inc; if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy ack set %d at %x to %d + %d\n", !sel, + aps->aps_seqmin[!sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ 
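Review bot: The debug printf added in the ack-set hunk reports the wrong arrays: the code updates `aps_ackmin[!sel]` and `aps_ackoff[!sel]`, but the message prints `aps->aps_seqmin[!sel], aps->aps_seqoff[sel]`, so with PROXY_DEBUG on the trace shows the seq set while the ack set is what changed; it should read `aps->aps_ackmin[!sel], aps->aps_ackoff[!sel], inc`. Also, the out-bound seq update in the 488 hunk above now writes `aps_seqmin[sel]`/`aps_seqoff[sel]` while this ack update still writes `[!sel]`; if that asymmetry is intended, a one-line comment on each would keep someone from "fixing" it back. appr_fixseqack continues outside these hunks.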
@@ -505,15 +558,31 @@ int inc; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} - if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) { - seq2 = aps->aps_seqoff[sel]; - tcp->th_ack = htonl(seq1 - seq2); - ch = 1; + if (aps->aps_seqoff[sel] != 0) { +#if PROXY_DEBUG + printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, + aps->aps_seqoff[sel], seq1, + aps->aps_seqmin[sel]); +#endif + if (seq1 > aps->aps_seqmin[sel]) { + seq2 = aps->aps_seqoff[sel]; + tcp->th_ack = htonl(seq1 - seq2); + ch = 1; + } } } +#if PROXY_DEBUG + printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq), + ntohl(tcp->th_ack)); +#endif return ch ? 2 : 0; } diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h index 37209cfb096c..1f44ab7f7017 100644 --- a/sys/netinet/ip_proxy.h +++ b/sys/netinet/ip_proxy.h @@ -1,11 +1,11 @@ -/* $NetBSD: ip_proxy.h,v 1.17 2002/01/24 08:23:14 martti Exp $ */ +/* $NetBSD: ip_proxy.h,v 1.18 2002/09/19 08:09:18 martti Exp $ */ /* * Copyright (C) 1997-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp + * Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp */ #ifndef _NETINET_IP_PROXY_H_ @@ -97,7 +97,7 @@ typedef struct aproxy { typedef struct ftpside { char *ftps_rptr; char *ftps_wptr; - u_32_t ftps_seq; + u_32_t ftps_seq[2]; u_32_t ftps_len; int ftps_junk; int ftps_cmds; diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 3bc009b455b4..1cf66d6ab457 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: ip_state.c,v 1.40 2002/06/09 16:33:42 itojun Exp $ */ +/* $NetBSD: ip_state.c,v 1.41 2002/09/19 08:09:19 martti Exp $ */ /* * Copyright (C) 1995-2002 by Darren Reed. @@ -96,10 +96,10 @@ #if !defined(lint) #if defined(__NetBSD__) #include -__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.40 2002/06/09 16:33:42 itojun Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.41 2002/09/19 08:09:19 martti Exp $"); #else static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp"; +static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp"; #endif #endif @@ -582,9 +582,9 @@ u_int flags; register u_int hv; struct icmp *ic; ipstate_t ips; + int out, ws; u_int pass; void *ifp; - int out; if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || (fin->fin_misc & FM_BADSTATE)) @@ -699,9 +699,9 @@ u_int flags; if ((tcp->th_flags & TH_SYN) && ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) { - int wscale = fr_tcpoptions(tcp); - if (wscale >= 0) - is->is_swscale = wscale; + ws = fr_tcpoptions(tcp); + if (ws >= 0) + is->is_swscale = ws; } } @@ -748,6 +748,7 @@ u_int flags; is->is_hv = hv; is->is_rule = fin->fin_fr; if (is->is_rule != NULL) { + is->is_group = is->is_rule->fr_group; ATOMIC_INC32(is->is_rule->fr_ref); pass = is->is_rule->fr_flags; is->is_frage[0] = is->is_rule->fr_age[0]; @@ -817,7 +818,7 @@ u_int flags; RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); return is; } @@ -910,6 +911,7 @@ tcphdr_t *tcp; fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; + win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { 
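Review bot: `win <<= fdata->td_wscale;` now runs before the first-packet initialisation, so when that branch is taken on a SYN the shift just parsed from this SYN's own option is applied to the SYN's window, but the window field of a SYN is never scaled (RFC 1323); on a connection negotiating a large shift this inflates the initial `td_maxend` (set in the following hunk) by up to a factor of 2^14, loosening the state check until the window is refreshed. Guard the shift: `if ((tcp->th_flags & TH_SYN) == 0) win <<= fdata->td_wscale;` — assuming the initialisation branch is reached only for opening segments, which the `TH_OPENING` test suggests but the code before the hunk would confirm. fr_tcpstate starts and ends outside the hunk.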
@@ -918,7 +920,9 @@ tcphdr_t *tcp; */ fdata->td_end = end; fdata->td_maxwin = 1; - fdata->td_maxend = end + 1; + fdata->td_maxend = end + win; + if (win == 0) + fdata->td_maxend++; } if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ @@ -932,7 +936,6 @@ tcphdr_t *tcp; if (seq == end) seq = end = fdata->td_end; - win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; @@ -1071,7 +1074,7 @@ tcphdr_t *tcp; } else { is->is_src = fin->fin_fi.fi_dst; } - } else if ((flags & FI_W_DPORT) != 0) { + } else if ((flags & FI_W_DADDR) != 0) { if (rev == 0) { is->is_dst = fin->fin_fi.fi_dst; } else { @@ -1407,7 +1410,8 @@ fr_info_t *fin; tcphdr_t *tcp; int rev; - if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT)) + if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock || + (fin->fin_fl & FI_SHORT)) return NULL; is = NULL; @@ -1467,7 +1471,7 @@ icmp6again: rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; - else if (fin->fin_rev) + else if (rev != 0) is->is_age = fr_icmpacktimeout; else is->is_age = fr_icmptimeout; @@ -1638,7 +1642,7 @@ retry_tcpudp: pass = is->is_pass; RWLOCK_EXIT(&ipf_state); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); #ifndef _KERNEL if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE)) fr_delstate(is); @@ -2049,6 +2053,8 @@ u_int type; ipsl.isl_p = is->is_p; ipsl.isl_v = is->is_v; ipsl.isl_flags = is->is_flags; + ipsl.isl_rulen = is->is_rulen; + ipsl.isl_group = is->is_group; if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { ipsl.isl_sport = is->is_sport; ipsl.isl_dport = is->is_dport; diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index 33372f3fe047..740ac92d3625 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h 
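Review bot: `ips_list == NULL` is now tested before any lock on ipf_state is taken (the READ_ENTER presumably follows, outside the hunk), so it is a racy fast path: a state entry inserted concurrently can be missed and the packet returns NULL as if no state existed, which is fine only if the caller treats that as "fall through to the rules" rather than "drop" — the visible lines do not show which. A comment would make the intent and the accepted race explicit: `/* unlocked fast path: an empty table cannot match; a concurrent insert is simply missed for this packet */`. The enclosing lookup (presumably fr_checkstate) continues outside the hunk.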
@@ -1,4 +1,4 @@ -/* $NetBSD: ip_state.h,v 1.22 2002/05/02 17:12:07 martti Exp $ */ +/* $NetBSD: ip_state.h,v 1.23 2002/09/19 08:09:20 martti Exp $ */ /* * Copyright (C) 1995-2001 by Darren Reed. @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp + * Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp */ #ifndef _NETINET_IP_STATE_H_ #define _NETINET_IP_STATE_H_ @@ -88,6 +88,7 @@ typedef struct ipstate { tcpstate_t is_ts; udpstate_t is_us; } is_ps; + u_32_t is_group; char is_ifname[4][IFNAMSIZ]; #if SOLARIS || defined(__sgi) kmutex_t is_lock; @@ -149,6 +150,8 @@ typedef struct ipslog { u_char isl_p; u_char isl_flags; u_char isl_state[2]; + u_32_t isl_rulen; + u_32_t isl_group; } ipslog_t; #define isl_sport isl_ps.isl_ports[0] diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h index 37439c6355ba..8de4ce2dc90c 100644 --- a/sys/netinet/ipl.h +++ b/sys/netinet/ipl.h @@ -1,4 +1,4 @@ -/* $NetBSD: ipl.h,v 1.13 2002/05/02 17:12:07 martti Exp $ */ +/* $NetBSD: ipl.h,v 1.14 2002/09/19 08:09:20 martti Exp $ */ /* * Copyright (C) 1993-2002 by Darren Reed. @@ -6,12 +6,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp + * Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.27" +#define IPL_VERSION "IP Filter: v3.4.29" #endif
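Review bot: Appending `isl_rulen`/`isl_group` to ipslog_t, and inserting `is_group` ahead of `is_ifname` in ipstate_t in the hunk above, changes two layouts that userland reads: the state-log records ipmon pulls off the log device and, presumably, the kernel state entries ipfstat walks via kmem; a 3.4.27 ipmon or ipfstat run against this kernel will mis-parse them silently unless something checks the version. Worth a comment on both structs noting that the layout is shared with the userland tools and that the IPL_VERSION bump in the following hunk is the only guard, and a HISTORY line saying the tools must be rebuilt. The surrounding structs start and end outside the hunks.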