Upgraded IPFilter to 3.4.29

martti 2002-09-19 08:08:14 +00:00
parent 1b37ad3011
commit 87f18f024e
35 changed files with 630 additions and 264 deletions

62
dist/ipf/HISTORY vendored

@ -22,6 +22,68 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.29 28/8/2002 - Released
Make substantial changes to the FTP proxy to improve reliability, security
and functionality.
don't send ICMP errors/TCP RST's in response to blocked proxy packets
fix potential memory leaks when unloading ipfilter from kernel
fix bug in SIOCGNATL handler that did not preserve the expected
byte order from earlier versions in the port number
set do not fragment flag in generated packets according to system flags,
where available.
preserve filter rule number and group number in state structure
fix bug in ipmon printing of p/P/b/B
make some changes to the kmem.c code for IRIX compatibility
add code to specifically handle ip.tun* interfaces on Solaris
3.4.28 6/6/2002 - Released
Fix for H.323 proxy to work on little endian boxes
IRIX: Update installation documentation
add route lock patch
allow use of groups > 65535
create a new packet info summary for packets going through ipfr_fastroute()
so that where details are different (RST/ICMP errors), the packet now gets
correctly NAT'd, etc.
fix the FTP proxy so that checks for TCP sequence numbers outside the
normal offset due to data changes use absolute numbers
make it possible to remove rules in ipftest
Update installing onto OpenBSD and split into two directories:
OpenBSD-2 and OpenBSD-3
fix error in printout out the protocol in NAT rules
always unlock ipfilter if locking fails half way through in ipfs
fix problems with TCP window scaling
update of man pages for ipnat(4) and ipftest(1)
3.4.27 28/04/2002 - Released
fix calculation of 2's complmenent 16 bit checksum for user space
add mbuflen() to usespace compiles.
add more #ifdef complexity for platform portability
add OpenBSD 3.1 diffs
3.4.26 25/04/2002 - Released
fix parsing and printing of NAT rules with regression tests.

14
dist/ipf/fils.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: fils.c,v 1.17 2002/05/30 18:10:25 thorpej Exp $ */
/* $NetBSD: fils.c,v 1.18 2002/09/19 08:08:16 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -95,10 +95,8 @@
#endif
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp";
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp";
#endif
extern char *optarg;
@ -201,7 +199,7 @@ char *argv[];
ipfrstat_t *ifrstp = &ifrst;
char *device = IPL_NAME, *memf = NULL;
char *kern = NULL;
int c, fd, myoptind;
int c, myoptind;
struct protoent *proto;
int protocol = -1; /* -1 = wild card for any protocol */
@ -358,8 +356,8 @@ char *argv[];
bzero((char *)&ipsst, sizeof(ipsst));
bzero((char *)&ifrst, sizeof(ifrst));
fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf);
ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf);
} else
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
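Review bot: The return value of ipfstate_live() is discarded on the rewritten call in the last hunk, where the old code at least kept it in `fd`; unless ipfstate_live() exits on failure itself (not visible here), an open or ioctl failure on `device` goes unnoticed and the freshly zeroed `ipsst`/`ifrst` structures are printed as if they were live statistics. If the function does handle its own errors, say so at the call site with `(void) ipfstate_live(device, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);`, otherwise test the result before anything is printed. The enclosing main() starts and ends outside the hunk.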

17
dist/ipf/ipf.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipf.c,v 1.11 2002/05/30 18:10:26 thorpej Exp $ */
/* $NetBSD: ipf.c,v 1.12 2002/09/19 08:08:16 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -51,10 +51,8 @@
#include "ipl.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp";
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp";
#endif
#if SOLARIS
@ -197,8 +195,11 @@ char *ipfdev;
if (!(opts & OPT_DONOTHING) && fd == -1)
if ((fd = open(ipfdev, O_RDWR)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1) {
perror("open device");
if (errno == ENODEV)
fprintf(stderr, "IPFilter enabled?\n");
}
return fd;
}
@ -390,7 +391,7 @@ int *linenum;
static void packetlogon(opt)
char *opt;
{
int flag, err;
int flag;
flag = get_flags();
if (flag != 0) {
@ -416,7 +417,7 @@ char *opt;
printf("set log flag: block\n");
}
if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag)))
if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0))
perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
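Review bot: The `errno == ENODEV` test added to opendevice() is evaluated after perror() has already run, and the same pattern appears in the ipnat.c hunk of this commit where fprintf(stderr, …, STRERROR(errno)) precedes the check; both library calls may clobber errno (for instance when stderr is closed), so the "IPFilter enabled?" hint can be skipped or printed for the wrong error. Save it first into a local declared with the function's other variables, `err = errno;` before `perror("open device");`, and test `if (err == ENODEV)`. The three nested unbraced `if`s above the new block would also read more safely with a brace pair around each body. opendevice() starts outside the hunk.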

18
dist/ipf/ipfs.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipfs.c,v 1.8 2002/05/30 18:10:26 thorpej Exp $ */
/* $NetBSD: ipfs.c,v 1.9 2002/09/19 08:08:17 martti Exp $ */
/*
* Copyright (C) 1999-2001 by Darren Reed.
@ -47,8 +47,7 @@
#include "ipf.h"
#if !defined(lint)
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp";
#endif
#ifndef IPF_SAVEDIR
@ -736,16 +735,16 @@ char *dirname;
devfd = opendevice(IPL_STATE);
if (devfd == -1)
return 1;
goto bad;
if (writestate(devfd, NULL))
return 1;
goto bad;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
return 1;
goto bad;
if (writenat(devfd, NULL))
return 1;
goto bad;
close(devfd);
if (setlock(fd, 0)) {
@ -754,6 +753,11 @@ char *dirname;
}
return 0;
bad:
setlock(fd, 0);
close(fd);
return 1;
}
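Review bot: The `bad:` label added at the end releases the lock and closes `fd`, but on the two paths that jump there after writestate() or writenat() fails, `devfd` is still open, so the descriptor leak the old `return 1` statements had is preserved rather than fixed. Close it before the jump, e.g. `if (writestate(devfd, NULL)) { close(devfd); goto bad; }` and the same for writenat(), or add a second cleanup label that closes `devfd` and falls through to `bad:`. The result of `setlock(fd, 0)` under `bad:` is also ignored; a failed unlock on the error path deserves at least a diagnostic, since the HISTORY entry for this release says the lock must always be released. The enclosing function starts outside the hunk.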

18
dist/ipf/ipft_ef.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipft_ef.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */
/* $NetBSD: ipft_ef.c,v 1.6 2002/09/19 08:08:17 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -53,10 +53,8 @@ etherfind -n -t
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp";
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp";
#endif
static int etherf_open __P((char *));
@ -101,7 +99,7 @@ int cnt, *dir;
struct protoent *p = NULL;
char src[16], dst[16], sprt[16], dprt[16];
char lbuf[128], len[8], prot[8], time[8], *s;
int slen, extra = 0, i, n;
int slen, extra = 0, i;
if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
return 0;
@ -112,10 +110,10 @@ int cnt, *dir;
bzero(&pkt, sizeof(pkt));
if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
sprt, dprt)) != 6)
if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time,
len, prot, src, dst, sprt, dprt)) != 7)
if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
sprt, dprt) != 6)
if (sscanf(lbuf, "%s %s %s %s %s %s %s", time,
len, prot, src, dst, sprt, dprt) != 7)
return -1;
ip->ip_p = atoi(prot);
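Review bot: The rewritten sscanf() calls still use bare `%s` conversions into fixed-size fields (`time`, `len` and `prot` are 8 bytes, `src`/`dst`/`sprt`/`dprt` are 16) while `lbuf` holds up to 127 characters, so a single over-long token in the input line overruns its destination. Bound each conversion to its buffer: `"%7s %7s %15s %15s %15s %15s"` for the six-field form and `"%7s %7s %7s %15s %15s %15s %15s"` for the seven-field form. The enclosing read function begins outside the hunk.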

12
dist/ipf/ipft_td.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipft_td.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */
/* $NetBSD: ipft_td.c,v 1.6 2002/09/19 08:08:17 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -62,10 +62,8 @@ tcpdump -nqte
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp";
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp";
#endif
static int tcpd_open __P((char *));
@ -124,7 +122,7 @@ int cnt, *dir;
struct protoent *p;
char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
char lbuf[160], *s;
int n, dots, slen, extra = 0;
int n, slen, extra = 0;
if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
return 0;
@ -146,7 +144,7 @@ int cnt, *dir;
return -1;
}
if ((dots = count_dots(dst)) == 4) {
if (count_dots(dst) == 4) {
s = strrchr(src, '.');
*s++ = '\0';
(void) inet_aton(src, &ip->ip_src);
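Review bot: The simplified `if (count_dots(dst) == 4)` guard in the last hunk only inspects `dst`, yet the next two lines `s = strrchr(src, '.'); *s++ = '\0';` dereference the result for `src` without a NULL check, so a `src` token without a dot would store through a null pointer. Guard it explicitly, `if ((s = strrchr(src, '.')) == NULL) return -1;` before the store. The enclosing function starts outside the hunk, so whether `src` is already validated earlier cannot be seen from the diff.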

12
dist/ipf/ipft_tx.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipft_tx.c,v 1.6 2002/04/09 02:32:52 thorpej Exp $ */
/* $NetBSD: ipft_tx.c,v 1.7 2002/09/19 08:08:18 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -45,10 +45,8 @@
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp";
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp";
#endif
extern int opts;
@ -181,10 +179,8 @@ char *buf, **ifn;
int cnt, *dir;
{
register char *s;
ip_t *ip;
char line[513];
ip = (ip_t *)buf;
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n')))
@ -201,7 +197,7 @@ int cnt, *dir;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0
return sizeof(*ip) + sizeof(tcphdr_t);
return sizeof(ip_t) + sizeof(tcphdr_t);
#else
return sizeof(ip_t);
#endif
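Review bot: The edit in the last hunk rewrites a line inside an `#if 0` block, so it changes code that is never compiled; either delete the dead `return sizeof(ip_t) + sizeof(tcphdr_t);` branch and keep the live `return sizeof(ip_t);`, or turn the choice into a named configuration macro with a comment saying when the TCP header length is wanted. The `index(line, '\n')` call visible as context in the first hunk is the legacy BSD spelling; `strchr` is the portable form for a tree that builds on this many platforms. The enclosing function ends outside the hunk.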

23
dist/ipf/ipmon.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipmon.c,v 1.13 2002/07/01 13:56:53 christos Exp $ */
/* $NetBSD: ipmon.c,v 1.14 2002/09/19 08:08:18 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -69,10 +69,8 @@
#include "netinet/ip_state.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp";
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp";
#endif
@ -969,13 +967,13 @@ int blen;
*t++ = 'S';
lvl = LOG_ERR;
} else if (ipf->fl_flags & FR_PASS) {
if (ipf->fl_flags & FR_LOGP)
if (ipf->fl_flags & FR_LOG)
*t++ = 'p';
else
*t++ = 'P';
lvl = LOG_NOTICE;
} else if (ipf->fl_flags & FR_BLOCK) {
if (ipf->fl_flags & FR_LOGB)
if (ipf->fl_flags & FR_LOG)
*t++ = 'b';
else
*t++ = 'B';
@ -1262,14 +1260,15 @@ int main(argc, argv)
int argc;
char *argv[];
{
struct stat sb;
FILE *log = stdout;
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0, make_daemon = 0;
char buf[IPLLOGSIZE], *iplfile[3], *s;
extern int optind;
int fd[3], doread, n, i;
extern char *optarg;
extern int optind;
int regular[3], c;
FILE *log = stdout;
struct stat sb;
size_t nr, tr;
fd[0] = fd[1] = fd[2] = -1;
fdt[0] = fdt[1] = fdt[2] = -1;
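Review bot: `nr` and `tr` in main() change from `int` to `size_t`, but the code that assigns and compares them lies outside the hunk; if either receives the result of read(2) (an `ssize_t` that is -1 on error), the error becomes SIZE_MAX and any `nr < 0` style check can no longer fire, while a `tr < nr` comparison still works. Assign the read result to a signed local first, test it, and only then store the length into the `size_t` counters, or keep the counters signed. main() continues past the end of the hunk.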

10
dist/ipf/ipnat.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipnat.c,v 1.10 2002/04/09 02:32:52 thorpej Exp $ */
/* $NetBSD: ipnat.c,v 1.11 2002/09/19 08:08:18 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -61,10 +61,8 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp";
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp";
#endif
@ -179,6 +177,8 @@ char *argv[];
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
STRERROR(errno));
if (errno == ENODEV)
fprintf(stderr, "IPFilter enabled?\n");
exit(1);
}
if (ioctl(fd, SIOCGNATS, &nsp) == -1) {


@ -1,4 +1,4 @@
/* $NetBSD: ip_var.h,v 1.1.1.2 2002/09/19 07:56:44 martti Exp $ */
/* $NetBSD: ip_var.h,v 1.2 2002/09/19 08:08:21 martti Exp $ */
/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */

58
dist/ipf/ipt.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipt.c,v 1.8 2002/05/30 18:10:28 thorpej Exp $ */
/* $NetBSD: ipt.c,v 1.9 2002/09/19 08:08:19 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -65,10 +65,8 @@
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp";
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp";
#endif
extern char *optarg;
@ -80,6 +78,7 @@ extern ipnat_t *natparse __P((char *, int));
extern int fr_running;
int opts = 0;
int rremove = 0;
int use_inet6 = 0;
int main __P((int, char *[]));
int loadrules __P((char *));
@ -115,7 +114,7 @@ char *argv[];
ipflog_init();
fr_running = 1;
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
switch (c)
{
case '6' :
@ -167,6 +166,9 @@ char *argv[];
case 'P' :
r = &pcap;
break;
case 'R' :
rremove = 1;
break;
case 'S' :
r = &snoop;
break;
@ -334,20 +336,44 @@ char *file;
if (!(fr = natparse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
(caddr_t)&fr, FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
fr, i);
if (rremove == 0) {
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADNAT,%p,1) = %d\n",
fr, i);
} else {
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(RMNAT,%p,1) = %d\n",
fr, i);
}
} else {
if (!(fr = parse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
fr, i);
if (rremove == 0) {
i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADAFR,%p,1) = %d\n",
fr, i);
} else {
i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(RMAFR,%p,1) = %d\n",
fr, i);
}
}
}
(void)fclose(fp);
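Review bot: The two `rremove` branches added in the last hunk each duplicate the ioctl call and the debug fprintf, differing only in the request code and its printed name, so four near-identical blocks now have to be kept in sync. Select the request and label first and issue a single call per rule type, as below, with `req` typed like the ioctl request argument and `name` a `const char *`, both declared with the function's other locals since the file uses pre-C99 declarations. The result `i` is still only looked at under OPT_DEBUG, so a failed SIOCRMNAT/SIOCRMAFR (removing a rule that was never loaded) is silent in normal runs and deserves at least a warning on stderr. The enclosing function begins outside the hunk.
```c
			if (!(fr = natparse(line, linenum)))
				continue;
			req = (rremove == 0) ? SIOCADNAT : SIOCRMNAT;
			name = (rremove == 0) ? "ADNAT" : "RMNAT";
			i = IPL_EXTERN(ioctl)(IPL_LOGNAT, req, (caddr_t)&fr,
					      FWRITE|FREAD);
			if (opts & OPT_DEBUG)
				fprintf(stderr, "iplioctl(%s,%p,1) = %d\n",
					name, fr, i);
		} else {
			/* … same shape for the filter branch: SIOCADAFR / SIOCRMAFR on unit 0 … */
```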

29
dist/ipf/kmem.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: kmem.c,v 1.8 2002/05/30 18:10:29 thorpej Exp $ */
/* $NetBSD: kmem.c,v 1.9 2002/09/19 08:08:19 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -47,10 +47,8 @@
#endif
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp";
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp";
#endif
#ifdef __sgi
@ -59,7 +57,7 @@ typedef int kvm_t;
static int kvm_fd = -1;
static char *kvm_errstr;
kvm_t kvm_open(kernel, core, swap, mode, errstr)
kvm_t *kvm_open(kernel, core, swap, mode, errstr)
char *kernel, *core, *swap;
int mode;
char *errstr;
@ -69,17 +67,18 @@ char *errstr;
if (core == NULL)
core = "/dev/kmem";
kvm_fd = open(core, mode);
return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL;
return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
}
int kvm_read(kvm, pos, buffer, size)
kvm_t kvm;
kvm_t *kvm;
u_long pos;
char *buffer;
size_t size;
{
int r, left;
size_t left;
char *bufp;
int r;
if (lseek(*kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr);
@ -101,13 +100,19 @@ static kvm_t *kvm_f = NULL;
int openkmem(kern, core)
char *kern, *core;
{
union {
int ui;
kvm_t *uk;
} k;
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
if (kvm_f == NULL)
{
perror("openkmem:open");
return -1;
}
return 0;
k.uk = kvm_f;
return k.ui;
}
int kmemcpy(buf, pos, n)
@ -124,7 +129,7 @@ register int n;
if (openkmem(NULL, NULL) == -1)
return -1;
while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
@ -156,7 +161,7 @@ register int n;
while (n > 0)
{
r = kvm_read(kvm_f, pos, buf, 1);
r = kvm_read(kvm_f, pos, buf, (size_t)1);
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
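Review bot: openkmem() now returns `k.ui`, the first `sizeof(int)` bytes of the `kvm_t *` handle from kvm_open(), where it used to return 0 on success; the only caller visible, kmemcpy() in the next hunk, just tests `== -1`, so the new value carries no information but, depending on pointer width and endianness, is the high or low half of an address and can collapse to -1 (a spurious failure) or to a garbage descriptor if some caller ever treats it as one. Reading a pointer through an `int` union member is also not a portable conversion. Keep `return 0;` here, or if a descriptor is really wanted on the `__sgi` path, return `kvm_fd` explicitly. The kvm_read() loop that now takes `size_t size` still stores the result in `int r` and compares with `int n` in kmemcpy(); that mix of signedness is outside the hunk and worth a second look.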


@ -1,4 +1,4 @@
.\" $NetBSD: ipftest.1,v 1.2 1999/12/11 23:40:29 veego Exp $
.\" $NetBSD: ipftest.1,v 1.3 2002/09/19 08:08:22 martti Exp $
.\"
.TH ipftest 1
.SH NAME
@ -6,7 +6,7 @@ ipftest \- test packet filter rules with arbitary input.
.SH SYNOPSIS
.B ipftest
[
.B \-vbdPSTEHX
.B \-vbdPRSTEHX
] [
.B \-I
interface
@ -78,6 +78,10 @@ The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes). An interface maybe specified using \fB\-I\fP.
.TP
.B \-R
Remove rules rather than load them. This is not a toggle option, so once
set, it cannot be reset by further use of -R.
.TP
.B \-S
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
@ -100,7 +104,12 @@ option combinations:
.B \-H
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
the IP header.
the IP header. A packet may be broken up over several lines of hex digits,
a blank line indicating the end of the packet. It is possible to specify
both the interface name and direction of the packet (for filtering purposes)
at the start of the line using this format: [direction,interface] To define
a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
and part of the input syntax.
.TP
.B \-X
The input file is composed of text descriptions of IP packets.


@ -1,4 +1,4 @@
.\" $NetBSD: ipmon.8,v 1.9 2002/05/02 17:11:39 martti Exp $
.\" $NetBSD: ipmon.8,v 1.10 2002/09/19 08:08:22 martti Exp $
.\"
.TH ipmon 8
.SH NAME
@ -48,8 +48,11 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order
of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or
\fBB\fP means that the packet has been logged due to a global logging
setting, not a particular rule.
.LP
6. The addresses.
This is actually three fields: the source address and port

25
dist/ipf/man/ipnat.5 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipnat.5,v 1.8 2002/06/16 14:43:46 wiz Exp $
.\" $NetBSD: ipnat.5,v 1.9 2002/09/19 08:08:22 martti Exp $
.\"
.TH IPNAT 5
.SH NAME
@ -21,18 +21,20 @@ mapit ::= "map" | "bimap" .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
dstipmask ::= ipmask | "range" ip "-" ip .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
mapport ::= "portmap" tcpudp portspec .
clamp ::= "mssclamp" number .
options ::= [ tcpudp ] [ rr ] .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
object :: = addr [ port-comp | port-range ] .
addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp :: = "port" compare port-num .
port-range :: = "port" port-num range port-num .
rr ::= "round-robin" .
nummask = host-name [ "/" decnumber ] .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
portnumber ::= number { numbers } | "auto" .
portspec ::= "auto" | portnumber ":" portnumber .
portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
@ -97,6 +99,15 @@ or as
map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
.fi
.LP
For even greater control, one may negate either of the "from" or "to" clauses
with a preceding exclamation mark ("!"). Please note that one may not use a
negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
rule. Such a rule might look like the following:
.LP
.nf
+map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
.fi
.PP
Only IP address and port numbers can be compared against. This is available
with all NAT rules.
.SH TRANSLATION

8
dist/ipf/parse.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: parse.c,v 1.12 2002/04/09 02:32:53 thorpej Exp $ */
/* $NetBSD: parse.c,v 1.13 2002/09/19 08:08:20 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -151,7 +151,7 @@ int linenum;
}
fil.fr_icode = j;
}
} else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
} else if (!strcasecmp(*(cpp+1), "return-rst")) {
fil.fr_flags |= FR_RETRST;
cpp++;
}
@ -939,7 +939,6 @@ u_long optmsk, optbits;
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so;
char *s;
int secflag = 0;
s = " opt ";
for (io = ionames; io->on_name; io++)
@ -951,8 +950,7 @@ u_long optmsk, optbits;
if (io->on_value == IPOPT_SECURITY)
io++;
s = ",";
} else
secflag = 1;
}
}

10
dist/ipf/printnat.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: printnat.c,v 1.8 2002/05/30 18:10:31 thorpej Exp $ */
/* $NetBSD: printnat.c,v 1.9 2002/09/19 08:08:20 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -60,8 +60,7 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: printnat.c,v 1.1.2.8 2002/04/25 16:44:13 darrenr Exp";
static const char rcsid[] = "@(#)Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp";
#endif
@ -245,9 +244,10 @@ int opts;
0xffffffff),
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x\n",
printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
getsumd(nat->nat_sumd[1]), nat->nat_p,
hv1, hv2, nat->nat_flags);
hv1, hv2, nat->nat_flags,
nat->nat_drop[0], nat->nat_drop[1]);
printf("\tifp %s ", getifname(nat->nat_ifp));
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",


@ -1,4 +1,4 @@
# $NetBSD: example.9,v 1.1.1.2 2002/09/19 07:56:58 martti Exp $
# $NetBSD: example.9,v 1.2 2002/09/19 08:08:23 martti Exp $
#
# drop all packets without IP security options
#


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.2 2002/05/13 06:34:14 martti Exp $
# $NetBSD: Makefile,v 1.3 2002/09/19 08:09:49 martti Exp $
#
# (C)opyright 1993-1996 by Darren Reed.
#
@ -17,7 +17,7 @@ first:
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
ntests: n1 n2 n3 n4 n5 n6 n7
@ -44,7 +44,7 @@ f15 f16:
f17:
@/bin/sh ${.CURDIR}/mhtest $@ ${.CURDIR}
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12:
@/bin/sh ${.CURDIR}/itest $@ ${.CURDIR}
n1 n2 n3 n4 n5 n6 n7:
@ -64,7 +64,7 @@ ipv6.1 ipv6.2:
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
/bin/rm -f ni1 ni2 ni3 ni4 ni5
/bin/rm -f in1 in2 in3 in4


@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.56 2002/06/09 16:33:36 itojun Exp $ */
/* $NetBSD: fil.c,v 1.57 2002/09/19 08:09:10 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -100,10 +100,10 @@
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.56 2002/06/09 16:33:36 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.57 2002/09/19 08:09:10 martti Exp $");
#else
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp";
static const char rcsid[] = "@(#)Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp";
#endif
#endif
@ -1086,7 +1086,7 @@ int out;
fin->fin_fr = fr;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1) {
if (ipfr_newfrag(ip, fin) == -1) {
ATOMIC_INCL(frstats[out].fr_bnfr);
} else {
ATOMIC_INCL(frstats[out].fr_nfr);
@ -1201,7 +1201,16 @@ logit:
* some operating systems.
*/
if (!out) {
if (pass & FR_RETICMP) {
if (changed == -1)
/*
* If a packet results in a NAT error, do not
* send a reset or ICMP error as it may disrupt
* an existing flow. This is the proxy saying
* the content is bad so just drop the packet
* silently.
*/
;
else if (pass & FR_RETICMP) {
int dst;
if ((pass & FR_RETMASK) == FR_FAKEICMP)
@ -1511,7 +1520,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp
* Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1626,7 +1635,6 @@ frgroup_t ***fgpp;
fgp = &ipfgroups[0][set];
else
return NULL;
num &= 0xffff;
while ((fg = *fgp))
if (fg->fg_num == num)
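Review bot: The new `if (changed == -1) /* … */ ; else if (pass & FR_RETICMP)` construction in the second hunk uses an empty statement as its body, with a seven-line comment sitting between the condition and the `;`, which is easy to misread as a missing body and easy to break when the comment is edited. Write it as an explicit empty block, `if (changed == -1) { /* NAT/proxy error: drop silently, see comment */ } else if (pass & FR_RETICMP) {`, keeping the else-chain so that a NAT error still bypasses the RST case further down as intended. The `num &= 0xffff;` removal in the last hunk follows the HISTORY entry about groups above 65535; any caller that still masks or stores the group number in 16 bits would now silently look up a different group, which is worth checking across the tree. Both enclosing functions start and end outside their hunks.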


@ -1,4 +1,4 @@
/* $NetBSD: ip_auth.c,v 1.28 2002/06/09 16:33:39 itojun Exp $ */
/* $NetBSD: ip_auth.c,v 1.29 2002/09/19 08:09:11 martti Exp $ */
/*
* Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
@ -108,9 +108,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.28 2002/06/09 16:33:39 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.29 2002/09/19 08:09:11 martti Exp $");
#else
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp";
#endif
#endif
@ -622,7 +622,10 @@ void fr_authexpire()
} else
faep = &fae->fae_next;
}
ipauth = &fae_list->fae_fr;
if (fae_list != NULL)
ipauth = &fae_list->fae_fr;
else
ipauth = NULL;
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr->fr_ref == 1) {


@ -1,4 +1,4 @@
/* $NetBSD: ip_compat.h,v 1.29 2002/06/09 16:33:39 itojun Exp $ */
/* $NetBSD: ip_compat.h,v 1.30 2002/09/19 08:09:11 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
* Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp
* Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp
*/
#ifndef _NETINET_IP_COMPAT_H_
@ -188,6 +188,9 @@ typedef struct qif {
*/
size_t qf_hl; /* header length */
int qf_sap;
# if SOLARIS2 >= 8
int qf_tunoff; /* tunnel offset */
#endif
size_t qf_incnt;
size_t qf_outcnt;
} qif_t;
@ -215,7 +218,11 @@ typedef int minor_t;
#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
# include <sys/param.h>
# ifndef __FreeBSD_version
# include <sys/osreldate.h>
# ifdef IPFILTER_LKM
# include <osreldate.h>
# else
# include <sys/osreldate.h>
# endif
# endif
# ifdef IPFILTER_LKM
# define ACTUALLY_LKM_NOT_KERNEL
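Review bot: The new `# if SOLARIS2 >= 8` inside the qif struct is closed by an `#endif` at column 0, while the opener and the other nested directives visible in the second hunk carry the one-space nesting indent, so the pairing is harder to see at a glance; change the closing line to `# endif`. If SOLARIS2 can be undefined on non-Solaris builds the comparison quietly evaluates as `0 >= 8`, which is the wanted outcome, but `# if defined(SOLARIS2) && (SOLARIS2 >= 8)` makes that explicit. The qif struct definition starts outside the hunk.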


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.c,v 1.84 2002/09/07 00:10:24 enami Exp $ */
/* $NetBSD: ip_fil.c,v 1.85 2002/09/19 08:09:12 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -123,10 +123,10 @@ extern int ip_optcopy __P((struct ip *, struct ip *));
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_fil.c,v 1.84 2002/09/07 00:10:24 enami Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_fil.c,v 1.85 2002/09/19 08:09:12 martti Exp $");
#else
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp";
#endif
#endif
@ -164,6 +164,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
fr_info_t *, frdest_t *));
# endif
# ifdef __sgi
extern int tcp_mtudisc;
extern kmutex_t ipf_rw;
extern KRWLOCK_T ipf_mutex;
# endif
@ -198,15 +199,6 @@ struct timeout ipfr_slowtimer_ch;
toid_t ipfr_slowtimer_ch;
#endif
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
defined(_KERNEL)
#include <sys/conf.h>
const struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, iplioctl,
nostop, notty, nopoll, nommap,
};
#endif
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
# include <sys/conf.h>
@ -501,7 +493,7 @@ int ipl_disable()
int ipldetach()
# endif
{
int s, i = FR_INQUE|FR_OUTQUE;
int s, i;
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
int error = 0;
# if __NetBSD_Version__ >= 105150000
@ -542,7 +534,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep;
i = frflush(IPL_LOGIPF, i);
i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
fr_running = 0;
# ifdef NETBSD_PF
@ -662,6 +655,9 @@ int mode;
unit = dev;
#endif
if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
return ENODEV;
SPL_NET(s);
if (unit == IPL_LOGNAT) {
@ -922,7 +918,8 @@ caddr_t data;
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
if ((req != SIOCZRLST) && fp->fr_grhead &&
if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
(req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
if ((req != SIOCZRLST) && fp->fr_group &&
@ -1256,13 +1253,18 @@ fr_info_t *fin;
struct mbuf **mp;
{
struct mbuf *m = *mp;
char *dpsave;
int error;
int error, hlen;
fr_info_t frn;
ip_t *ip;
dpsave = fin->fin_dp;
bzero((char *)&frn, sizeof(frn));
frn.fin_ifp = fin->fin_ifp;
frn.fin_v = fin->fin_v;
frn.fin_out = fin->fin_out;
frn.fin_mp = fin->fin_mp;
ip = mtod(m, ip_t *);
hlen = sizeof(*ip);
ip->ip_v = fin->fin_v;
if (ip->ip_v == 4) {
@ -1270,28 +1272,41 @@ struct mbuf **mp;
ip->ip_v = IPVERSION;
ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id;
ip->ip_off = 0;
# if defined(__NetBSD__) || defined(__OpenBSD__)
if (ip_mtudisc != 0)
ip->ip_off = IP_DF;
# else
# if defined(__sgi)
if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
ip->ip_off = IP_DF;
# endif
# endif
# if (BSD < 199306) || defined(__sgi)
ip->ip_ttl = tcp_ttl;
# else
ip->ip_ttl = ip_defttl;
# endif
ip->ip_sum = 0;
fin->fin_dp = (char *)(ip + 1);
frn.fin_dp = (char *)(ip + 1);
}
# ifdef USE_INET6
else if (ip->ip_v == 6) {
ip6_t *ip6 = (ip6_t *)ip;
hlen = sizeof(*ip6);
ip6->ip6_hlim = 127;
fin->fin_dp = (char *)(ip6 + 1);
frn.fin_dp = (char *)(ip6 + 1);
}
# endif
# ifdef IPSEC
m->m_pkthdr.rcvif = NULL;
# endif
error = ipfr_fastroute(m, mp, fin, NULL);
fin->fin_dp = dpsave;
fr_makefrip(hlen, ip, &frn);
error = ipfr_fastroute(m, mp, &frn, NULL);
return error;
}
@ -1598,6 +1613,9 @@ frdest_t *fdp;
/*
* Route packet.
*/
#ifdef __sgi
ROUTE_RDLOCK();
#endif
bzero((caddr_t)ro, sizeof (*ro));
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
@ -1634,6 +1652,11 @@ frdest_t *fdp;
# else
rtalloc(ro);
# endif
#ifdef __sgi
ROUTE_UNLOCK();
#endif
if (!ifp) {
if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
error = -2;
@ -1686,7 +1709,8 @@ frdest_t *fdp;
*/
if (ip->ip_len <= ifp->if_mtu) {
# ifndef sparc
# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510))
# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
!(__NetBSD_Version__ >= 105110000)
ip->ip_id = htons(ip->ip_id);
# endif
ip->ip_len = htons(ip->ip_len);
@ -2133,7 +2157,7 @@ int code;
fr_info_t *fin;
int dst;
{
verbose("- ICMP UNREACHABLE RST sent\n");
verbose("- ICMP UNREACHABLE sent\n");
return 0;
}
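Review bot: In the group-check hunk the rewritten condition keeps `(req != SIOCZRLST) &&` in front of a disjunction that already restricts `req` to SIOCINAFR/SIOCINIFR/SIOCADAFR/SIOCADIFR, so the first clause can never be false when the rest is true and should be dropped. The comment above it still describes the old rule ("if a head group has been specified, doesn't exist") and should say that the head-group uniqueness check now applies only when a rule is added or inserted, not when one is removed. The new `fr_running == 0` guard in the ioctl hunk sits before SPL_NET(), which is the right place for it, since it rejects requests without taking the lock. The enclosing function of the group-check hunk starts and ends outside it.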


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.h,v 1.45 2002/07/01 13:55:35 christos Exp $ */
/* $NetBSD: ip_fil.h,v 1.46 2002/09/19 08:09:13 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp
* Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp
*/
#ifndef _NETINET_IP_FIL_H_
@ -509,6 +509,7 @@ extern int send_reset __P((ip_t *, fr_info_t *));
extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipf_log __P((void));
extern struct ifnet *get_unit __P((char *, int));
extern int mbuflen __P((mb_t *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));


@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.c,v 1.32 2002/08/14 00:23:29 itojun Exp $ */
/* $NetBSD: ip_frag.c,v 1.33 2002/09/19 08:09:14 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -93,10 +93,10 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.32 2002/08/14 00:23:29 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.33 2002/09/19 08:09:14 martti Exp $");
#else
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp";
#endif
#endif
@ -127,7 +127,7 @@ extern kmutex_t ipf_rw;
#endif
static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **));
static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **));
static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
static void ipfr_delete __P((ipfr_t *));
@ -145,10 +145,9 @@ ipfrstat_t *ipfr_fragstats()
* add a new entry to the fragment cache, registering it as having come
* through this box, with the result of the filter operation.
*/
static ipfr_t *ipfr_new(ip, fin, pass, table)
static ipfr_t *ipfr_new(ip, fin, table)
ip_t *ip;
fr_info_t *fin;
u_int pass;
ipfr_t *table[];
{
ipfr_t **fp, *fra, frag;
@ -205,7 +204,7 @@ ipfr_t *table[];
/*
* Instert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
* Set the ttl to the default and mask out logging from "pass"
* Set the ttl to the default.
*/
if ((fra->ipfr_next = table[idx]))
table[idx]->ipfr_prev = fra;
@ -227,17 +226,16 @@ ipfr_t *table[];
}
int ipfr_newfrag(ip, fin, pass)
int ipfr_newfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
u_int pass;
{
ipfr_t *ipf;
if ((ip->ip_v != 4) || (fr_frag_lock))
return -1;
WRITE_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
ipf = ipfr_new(ip, fin, ipfr_heads);
RWLOCK_EXIT(&ipf_frag);
if (ipf == NULL) {
ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
@ -248,10 +246,9 @@ u_int pass;
}
int ipfr_nat_newfrag(ip, fin, pass, nat)
int ipfr_nat_newfrag(ip, fin, nat)
ip_t *ip;
fr_info_t *fin;
u_int pass;
nat_t *nat;
{
ipfr_t *ipf;
@ -263,10 +260,10 @@ nat_t *nat;
off = fin->fin_off;
off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
return -1;
WRITE_ENTER(&ipf_natfrag);
ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
ipf = ipfr_new(ip, fin, ipfr_nattab);
if (ipf != NULL) {
ipf->ipfr_data = nat;
nat->nat_data = ipf;
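Review bot: The `return -1` correction in ipfr_nat_newfrag (previously `return NULL` from an int function) is only observable if callers test it, and both call sites this commit rewrites in ip_nat.c invoke `ipfr_nat_newfrag(ip, fin, nat);` as a bare statement, so a fragment rejected by the `(off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)` check, or a NULL from ipfr_new, leaves no NAT fragment entry without any trace. ipfr_newfrag just above records its failure with `ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);`; the same pattern on this function's failure paths would make later fragments that silently miss NAT diagnosable (whether nat_stats has a matching counter is not visible here). ipfr_nat_newfrag's body continues past the end of the hunk.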


@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.h,v 1.17 2002/01/24 08:23:12 martti Exp $ */
/* $NetBSD: ip_frag.h,v 1.18 2002/09/19 08:09:15 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
* Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp
* Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp
*/
#ifndef _NETINET_IP_FRAG_H_
@ -50,8 +50,8 @@ typedef struct ipfrstat {
extern int fr_ipfrttl;
extern int fr_frag_lock;
extern ipfrstat_t *ipfr_fragstats __P((void));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *));
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_forget __P((void *));


@ -1,13 +1,13 @@
/* $NetBSD: ip_ftp_pxy.c,v 1.24 2002/05/02 17:13:29 martti Exp $ */
/* $NetBSD: ip_ftp_pxy.c,v 1.25 2002/09/19 08:09:15 martti Exp $ */
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.24 2002/05/02 17:13:29 martti Exp $");
__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.25 2002/09/19 08:09:15 martti Exp $");
/*
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp
* Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@ -303,7 +303,7 @@ int dlen;
ip->ip_len = slen;
ip->ip_src = swip;
}
return APR_INC(inc);
return inc;
}
@ -586,7 +586,7 @@ int dlen;
wptr = f->ftps_wptr;
if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
return inc;
return 0;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
@ -726,6 +726,10 @@ size_t len;
}
/*
* rv == 0 for outbound processing,
* rv == 1 for inbound processing.
*/
int ippr_ftp_process(fin, ip, nat, ftp, rv)
fr_info_t *fin;
ip_t *ip;
@ -733,15 +737,16 @@ nat_t *nat;
ftpinfo_t *ftp;
int rv;
{
int mlen, len, off, inc, i, sel;
int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
u_32_t thseq, thack;
char *rptr, *wptr;
ap_session_t *aps;
ftpside_t *f, *t;
tcphdr_t *tcp;
mb_t *m;
tcp = (tcphdr_t *)fin->fin_dp;
off = fin->fin_hlen + (tcp->th_off << 2);
#if SOLARIS && defined(_KERNEL)
m = fin->fin_qfm;
#else
@ -759,42 +764,149 @@ int rv;
#endif
mlen -= off;
aps = nat->nat_aps;
t = &ftp->ftp_side[1 - rv];
f = &ftp->ftp_side[rv];
if (!mlen) {
if (!t->ftps_seq ||
(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0)
t->ftps_seq = ntohl(tcp->th_ack);
f->ftps_len = 0;
return 0;
}
thseq = ntohl(tcp->th_seq);
thack = ntohl(tcp->th_ack);
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
i = 0;
sel = nat->nat_aps->aps_sel[1 - rv];
if (rv) {
if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
i = nat->nat_aps->aps_ackoff[sel];
sel = aps->aps_sel[1 - rv];
sel2 = aps->aps_sel[rv];
if (rv == 0) {
seqoff = aps->aps_seqoff[sel];
if (aps->aps_seqmin[sel] > seqoff + thseq)
seqoff = aps->aps_seqoff[!sel];
ackoff = aps->aps_ackoff[sel2];
if (aps->aps_ackmin[sel2] > ackoff + thack)
ackoff = aps->aps_ackoff[!sel2];
} else {
if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
i = nat->nat_aps->aps_seqoff[sel];
#if PROXY_DEBUG
printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
aps->aps_ackmin[sel]);
#endif
seqoff = aps->aps_ackoff[sel];
if (aps->aps_ackmin[sel] > seqoff + thseq)
seqoff = aps->aps_ackoff[!sel];
#if PROXY_DEBUG
printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
aps->aps_seqmin[sel2]);
#endif
ackoff = aps->aps_seqoff[sel2];
if (ackoff > 0) {
if (aps->aps_seqmin[sel2] > ackoff + thack)
ackoff = aps->aps_seqoff[!sel2];
} else {
if (aps->aps_seqmin[sel2] > thack)
ackoff = aps->aps_seqoff[!sel2];
}
}
#if PROXY_DEBUG
printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? "IN" : "OUT",
tcp->th_flags, thseq, seqoff, thack, ackoff, mlen);
printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
#endif
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq))
f->ftps_seq = ntohl(tcp->th_seq);
#if PROXY_DEBUG
printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
#endif
ok = 0;
if (t->ftps_seq[0] == 0)
t->ftps_seq[0] = thack, ok = 1;
else {
inc = ntohl(tcp->th_seq) - f->ftps_seq;
if (inc > i) {
return APR_ERR(1);
if (ackoff == 0) {
if (t->ftps_seq[0] == thack)
ok = 1;
else if (t->ftps_seq[1] == thack) {
t->ftps_seq[0] = thack;
ok = 1;
}
} else {
if (t->ftps_seq[0] + ackoff == thack)
ok = 1;
else if (t->ftps_seq[0] == thack + ackoff)
ok = 1;
else if (t->ftps_seq[1] + ackoff == thack) {
t->ftps_seq[0] = thack - ackoff;
ok = 1;
} else if (t->ftps_seq[1] == thack + ackoff) {
t->ftps_seq[0] = thack - ackoff;
ok = 1;
}
}
}
#if PROXY_DEBUG
if (!ok)
printf("not ok\n");
#endif
if (!mlen) {
if (t->ftps_seq[0] + ackoff != thack)
return APR_ERR(1);
#if PROXY_DEBUG
printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
#endif
if (tcp->th_flags & TH_FIN) {
if (thseq + seqoff == f->ftps_seq[0] + 1 ||
f->ftps_seq[0] + seqoff + 1 == thseq ||
thseq + seqoff == f->ftps_seq[0] ||
thseq == f->ftps_seq[0] + seqoff)
;
else {
#if PROXY_DEBUG
printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
thseq, seqoff, f->ftps_seq[0]);
#endif
return APR_ERR(1);
}
}
f->ftps_len = 0;
return 0;
}
ok = 0;
if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1])
ok = 1;
/*
* Retransmitted data packet.
*/
else if (thseq + mlen == f->ftps_seq[0] ||
thseq + mlen == f->ftps_seq[1])
ok = 1;
if (ok == 0) {
inc = thseq - f->ftps_seq[0];
#if PROXY_DEBUG
printf("inc %d sel %d rv %d\n", inc, sel, rv);
printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
f->ftps_seq[1]);
printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
aps->aps_ackoff[sel]);
printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
aps->aps_seqoff[sel]);
#endif
return APR_ERR(1);
}
inc = 0;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
f->ftps_seq[0] = thseq;
f->ftps_seq[1] = f->ftps_seq[0] + mlen;
f->ftps_len = mlen;
while (mlen > 0) {
@ -838,6 +950,7 @@ int rv;
* ftp proxy for this connection.
*/
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
/* f->ftps_seq[1] += inc; */
return APR_ERR(2);
}
@ -878,7 +991,24 @@ int rv;
}
}
t->ftps_seq = ntohl(tcp->th_ack);
/* f->ftps_seq[1] += inc; */
if (tcp->th_flags & TH_FIN)
f->ftps_seq[1]++;
#ifndef _KERNEL
mlen = mbuflen(m);
#else
# if SOLARIS
mlen = msgdsize(m);
# else
mlen = mbufchainlen(m);
# endif
#endif
off = fin->fin_hlen + (tcp->th_off << 2);
mlen -= off;
#if PROXY_DEBUG
printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
#endif
f->ftps_rptr = rptr;
f->ftps_wptr = wptr;
return APR_INC(inc);
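Review bot: In the `rv != 0` branch of ippr_ftp_process the PROXY_DEBUG printfs read `seqoff` and `ackoff` before they are assigned: `printf("seqoff %d thseq %x ackmin %x\n", seqoff, ...)` precedes `seqoff = aps->aps_ackoff[sel];` and the `"ackoff %d ..."` print precedes `ackoff = aps->aps_seqoff[sel2];`, which is an uninitialised read whenever the debug build is enabled; move each printf below its assignment. The ack validation result `ok` computed against `t->ftps_seq[0]`/`t->ftps_seq[1]` is only acted on in the `!mlen` path and otherwise feeds a debug message before being reset by `ok = 0;` ahead of the sequence check, so a data-carrying segment whose ack is outside the tracked window is still parsed and may still have its payload rewritten; if that is an intentional relaxation it needs a comment, otherwise `if (!ok) return APR_ERR(1);` before the `!mlen` test is the consistent behaviour. The two `/* f->ftps_seq[1] += inc; */` remnants are commented-out code and should be deleted rather than kept. ippr_ftp_process's body ends outside the hunk.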


@ -1,4 +1,4 @@
/* $NetBSD: ip_h323_pxy.c,v 1.4 2002/06/09 16:33:40 itojun Exp $ */
/* $NetBSD: ip_h323_pxy.c,v 1.5 2002/09/19 08:09:16 martti Exp $ */
/*
* Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
@ -11,6 +11,7 @@
* authorized by a written license agreement from QSSL. For more information,
* please email licensing@qnx.com.
*
* For more details, see QNX_OCL.txt provided with this distribution.
*/
/*
@ -27,7 +28,7 @@
# include <sys/ioctl.h>
#endif
__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.4 2002/06/09 16:33:40 itojun Exp $");
__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.5 2002/09/19 08:09:16 martti Exp $");
#define IPF_H323_PROXY
@ -56,7 +57,7 @@ unsigned char *data;
int datlen, *off;
unsigned short *port;
{
u_32_t addr;
u_32_t addr, netaddr;
u_char *dp;
int offset;
@ -66,10 +67,11 @@ unsigned short *port;
*port = 0;
offset = *off;
dp = (u_char *)data;
netaddr = ntohl(ipaddr);
for (offset = 0; offset <= datlen - 6; offset++, dp++) {
addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
if (ipaddr == addr)
if (netaddr == addr)
{
*port = (*(dp + 4) << 8) | *(dp + 5);
break;


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.51 2002/06/09 16:33:41 itojun Exp $ */
/* $NetBSD: ip_nat.c,v 1.52 2002/09/19 08:09:16 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -112,10 +112,10 @@ extern struct ifnet vpnif;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.51 2002/06/09 16:33:41 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.52 2002/09/19 08:09:16 martti Exp $");
#else
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp";
#endif
#endif
@ -476,8 +476,12 @@ int mode;
}
for (np = &nat_list; (n = *np); np = &n->in_next)
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
IPN_CMPSIZ))
IPN_CMPSIZ)) {
if (n->in_redir == NAT_REDIRECT &&
n->in_pnext != nat->in_pnext)
continue;
break;
}
}
switch (cmd)
@ -2333,8 +2337,8 @@ register natlookup_t *np;
fr_info_t fi;
bzero((char *)&fi, sizeof(fi));
fi.fin_data[0] = np->nl_inport;
fi.fin_data[1] = np->nl_outport;
fi.fin_data[0] = ntohs(np->nl_inport);
fi.fin_data[1] = ntohs(np->nl_outport);
/*
* If nl_inip is non null, this is a lookup based on the real
@ -2516,7 +2520,7 @@ maskloop:
if (nat) {
np = nat->nat_ptr;
if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
ipfr_nat_newfrag(ip, fin, nat);
MUTEX_ENTER(&nat->nat_lock);
if (fin->fin_p != IPPROTO_TCP) {
if (np && np->in_age[1])
@ -2617,6 +2621,8 @@ maskloop:
i = appr_check(ip, fin, nat);
if (i == 0)
i = 1;
else if (i == -1)
nat->nat_drop[1]++;
} else
i = 1;
ATOMIC_INCL(nat_stats.ns_mapped[1]);
@ -2741,11 +2747,12 @@ maskloop:
np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr;
if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
ipfr_nat_newfrag(ip, fin, nat);
if (np && (np->in_apr != NULL) && (np->in_dport == 0 ||
(tcp != NULL && sport == np->in_dport))) {
i = appr_check(ip, fin, nat);
if (i == -1) {
nat->nat_drop[0]++;
RWLOCK_EXIT(&ipf_nat);
return i;
}
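Review bot: The new per-session counters are updated with plain `nat->nat_drop[1]++;` and `nat->nat_drop[0]++;`, while the global statistic three lines below the first uses `ATOMIC_INCL(nat_stats.ns_mapped[1]);`; neither increment is visibly inside a `MUTEX_ENTER(&nat->nat_lock)` region in these hunks, so unless the callers hold nat_lock there (not determinable from the hunk) concurrent in/out processing of the same session can lose counts, and `ATOMIC_INCL(nat->nat_drop[1]);` would match the surrounding convention. The `ntohs(np->nl_inport)` / `ntohs(np->nl_outport)` change in the lookup path carries no comment saying why the ports arrive in network order; `/* nl_inport/nl_outport are passed in network byte order; keep it that way for compatibility with earlier versions */` would stop the next maintainer from reverting it. The enclosing functions of all the hunks in this file start and end outside them.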


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.h,v 1.26 2002/05/02 17:12:06 martti Exp $ */
/* $NetBSD: ip_nat.h,v 1.27 2002/09/19 08:09:17 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
* Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp
* Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp
*/
#ifndef _NETINET_IP_NAT_H_
@ -80,6 +80,7 @@ typedef struct nat {
u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
U_QUAD_T nat_pkts;
U_QUAD_T nat_bytes;
u_int nat_drop[2];
u_short nat_oport; /* other port */
u_short nat_inport;
u_short nat_outport;
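Review bot: `u_int nat_drop[2];` is added without the trailing comment its neighbours carry (`nat_mssclamp`, `nat_oport`), and the index convention is not stated; in the ip_nat.c hunks of this commit `nat_drop[1]` is bumped next to `ns_mapped[1]` and `nat_drop[0]` in the other direction's path, so `u_int nat_drop[2]; /* packets rejected by the proxy, indexed like ns_mapped */` documents it without guessing at in/out. Inserting a field in the middle of nat_t also changes the layout that any userland tool reading nat_t out of the kernel depends on, so those need to be rebuilt against this header; a sentence in the commit message would help packagers. The struct definition starts and ends outside the hunk.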


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.34 2002/06/09 16:33:42 itojun Exp $ */
/* $NetBSD: ip_proxy.c,v 1.35 2002/09/19 08:09:18 martti Exp $ */
/*
* Copyright (C) 1997-2002 by Darren Reed.
@ -79,9 +79,9 @@
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_proxy.c,v 1.34 2002/06/09 16:33:42 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_proxy.c,v 1.35 2002/09/19 08:09:18 martti Exp $");
#else
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp";
#endif
#endif
@ -96,6 +96,8 @@ extern KRWLOCK_T ipf_nat, ipf_state;
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define PROXY_DEBUG 0
#define AP_SESS_SIZE 53
#include "netinet/ip_ftp_pxy.c"
@ -129,7 +131,7 @@ aproxy_t ap_proxies[] = {
ippr_ipsec_match },
#endif
#ifdef IPF_NETBIOS_PROXY
{ NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
{ NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
NULL, NULL, NULL, ippr_netbios_out, NULL },
#endif
#ifdef IPF_H323_PROXY
@ -320,9 +322,19 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
if (sum != tcp->th_sum) {
#if PROXY_DEBUG
printf("proxy tcp checksum failure\n");
#endif
frstats[fin->fin_out].fr_tcpbad++;
return -1;
}
/*
* Don't both the proxy with these...or in fact, should
* we free up proxy stuff when seen?
*/
if ((tcp->th_flags & TH_RST) != 0)
return 0;
}
apr = aps->aps_apr;
@ -336,9 +348,16 @@ nat_t *nat;
}
rv = APR_EXIT(err);
if (rv == 1)
if (rv == 1) {
#if PROXY_DEBUG
printf("proxy says bad packet received\n");
#endif
return -1;
}
if (rv == 2) {
#if PROXY_DEBUG
printf("proxy says free app proxy data\n");
#endif
appr_free(apr);
nat->nat_aps = NULL;
return -1;
@ -419,6 +438,9 @@ ap_session_t *aps;
}
/*
* returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
*/
static int appr_fixseqack(fin, ip, aps, inc)
fr_info_t *fin;
ip_t *ip;
@ -428,20 +450,32 @@ int inc;
int sel, ch = 0, out, nlen;
u_32_t seq1, seq2;
tcphdr_t *tcp;
short inc2;
tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out;
/*
* ip_len has already been adjusted by 'inc'.
*/
nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
inc2 = inc;
inc = (int)inc2;
if (out != 0) {
seq1 = (u_32_t)ntohl(tcp->th_seq);
sel = aps->aps_sel[out];
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel]))
(seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
}
if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
@ -454,8 +488,13 @@ int inc;
}
if (inc && (seq1 > aps->aps_seqmin[!sel])) {
aps->aps_seqmin[!sel] = seq1 + nlen - 1;
aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
aps->aps_seqmin[sel] = seq1 + nlen - 1;
aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy seq set %d at %x to %d + %d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqoff[sel],
inc);
#endif
}
/***/
@ -465,8 +504,13 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel]))
(seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
}
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel];
@ -479,12 +523,16 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel]))
(seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
}
if (aps->aps_ackoff[sel]) {
seq2 = aps->aps_ackmin[sel] -
aps->aps_ackoff[sel];
seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
if (seq1 > seq2) {
seq2 = aps->aps_ackoff[sel];
seq1 += seq2;
@ -496,6 +544,11 @@ int inc;
if (inc && (seq1 > aps->aps_ackmin[!sel])) {
aps->aps_ackmin[!sel] = seq1 + nlen - 1;
aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy ack set %d at %x to %d + %d\n", !sel,
aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
inc);
#endif
}
/***/
@ -505,15 +558,31 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel]))
(seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
}
if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
seq2 = aps->aps_seqoff[sel];
tcp->th_ack = htonl(seq1 - seq2);
ch = 1;
if (aps->aps_seqoff[sel] != 0) {
#if PROXY_DEBUG
printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
aps->aps_seqoff[sel], seq1,
aps->aps_seqmin[sel]);
#endif
if (seq1 > aps->aps_seqmin[sel]) {
seq2 = aps->aps_seqoff[sel];
tcp->th_ack = htonl(seq1 - seq2);
ch = 1;
}
}
}
#if PROXY_DEBUG
printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
ntohl(tcp->th_ack));
#endif
return ch ? 2 : 0;
}
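Review bot: The PROXY_DEBUG message in the outbound ack-set branch prints the wrong arrays: `printf("proxy ack set %d at %x to %d + %d\n", !sel, aps->aps_seqmin[!sel], aps->aps_seqoff[sel], inc);` follows assignments to `aps->aps_ackmin[!sel]` and `aps->aps_ackoff[!sel]`, so the debug output describes the seq set instead of the ack set; it should pass `aps->aps_ackmin[!sel], aps->aps_ackoff[sel]`. The outbound seq-set update was changed to write `aps->aps_seqmin[sel]` / `aps->aps_seqoff[sel]` in place while its mirror for acks still writes the other set (`aps->aps_ackmin[!sel] = seq1 + nlen - 1;`), and nothing explains the asymmetry; if it is deliberate a comment is needed, otherwise one of the two is wrong. The `short inc2; inc2 = inc; inc = (int)inc2;` round-trip silently truncates `inc` to 16 bits, presumably to restore the sign of a value that reached here masked to 16 bits, and deserves a one-line comment saying so. Minor: the new comment reads "Don't both the proxy", presumably "Don't bother the proxy".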


@ -1,11 +1,11 @@
/* $NetBSD: ip_proxy.h,v 1.17 2002/01/24 08:23:14 martti Exp $ */
/* $NetBSD: ip_proxy.h,v 1.18 2002/09/19 08:09:18 martti Exp $ */
/*
* Copyright (C) 1997-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp
* Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp
*/
#ifndef _NETINET_IP_PROXY_H_
@ -97,7 +97,7 @@ typedef struct aproxy {
typedef struct ftpside {
char *ftps_rptr;
char *ftps_wptr;
u_32_t ftps_seq;
u_32_t ftps_seq[2];
u_32_t ftps_len;
int ftps_junk;
int ftps_cmds;
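Review bot: `u_32_t ftps_seq[2];` replaces a scalar with two slots and neither this header nor the ftp proxy says what each holds; in the ippr_ftp_process hunk of this commit slot 0 receives the sequence number of the segment just processed and slot 1 that value plus the data length (`f->ftps_seq[1] = f->ftps_seq[0] + mlen;`), so `u_32_t ftps_seq[2]; /* [0] seq of last data seen, [1] next expected seq */` captures the contract. Because ftpside_t changes size, anything outside the kernel that copies proxy session data out must be rebuilt against this header; worth a line in the commit message. The struct definition starts and ends outside the hunk.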


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.40 2002/06/09 16:33:42 itojun Exp $ */
/* $NetBSD: ip_state.c,v 1.41 2002/09/19 08:09:19 martti Exp $ */
/*
* Copyright (C) 1995-2002 by Darren Reed.
@ -96,10 +96,10 @@
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.40 2002/06/09 16:33:42 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.41 2002/09/19 08:09:19 martti Exp $");
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp";
#endif
#endif
@ -582,9 +582,9 @@ u_int flags;
register u_int hv;
struct icmp *ic;
ipstate_t ips;
int out, ws;
u_int pass;
void *ifp;
int out;
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
(fin->fin_misc & FM_BADSTATE))
@ -699,9 +699,9 @@ u_int flags;
if ((tcp->th_flags & TH_SYN) &&
((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) {
int wscale = fr_tcpoptions(tcp);
if (wscale >= 0)
is->is_swscale = wscale;
ws = fr_tcpoptions(tcp);
if (ws >= 0)
is->is_swscale = ws;
}
}
@ -748,6 +748,7 @@ u_int flags;
is->is_hv = hv;
is->is_rule = fin->fin_fr;
if (is->is_rule != NULL) {
is->is_group = is->is_rule->fr_group;
ATOMIC_INC32(is->is_rule->fr_ref);
pass = is->is_rule->fr_flags;
is->is_frage[0] = is->is_rule->fr_age[0];
@ -817,7 +818,7 @@ u_int flags;
RWLOCK_EXIT(&ipf_state);
fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
ipfr_newfrag(ip, fin);
return is;
}
@ -910,6 +911,7 @@ tcphdr_t *tcp;
fdata->td_wscale = wscale;
else if (wscale == -2)
fdata->td_wscale = tdata->td_wscale = 0;
win <<= fdata->td_wscale;
if ((fdata->td_end == 0) &&
(!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
@ -918,7 +920,9 @@ tcphdr_t *tcp;
*/
fdata->td_end = end;
fdata->td_maxwin = 1;
fdata->td_maxend = end + 1;
fdata->td_maxend = end + win;
if (win == 0)
fdata->td_maxend++;
}
if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
@ -932,7 +936,6 @@ tcphdr_t *tcp;
if (seq == end)
seq = end = fdata->td_end;
win <<= fdata->td_wscale;
maxwin = tdata->td_maxwin;
ackskew = tdata->td_end - ack;
@ -1071,7 +1074,7 @@ tcphdr_t *tcp;
} else {
is->is_src = fin->fin_fi.fi_dst;
}
} else if ((flags & FI_W_DPORT) != 0) {
} else if ((flags & FI_W_DADDR) != 0) {
if (rev == 0) {
is->is_dst = fin->fin_fi.fi_dst;
} else {
@ -1407,7 +1410,8 @@ fr_info_t *fin;
tcphdr_t *tcp;
int rev;
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock ||
(fin->fin_fl & FI_SHORT))
return NULL;
is = NULL;
@ -1467,7 +1471,7 @@ icmp6again:
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
else if (fin->fin_rev)
else if (rev != 0)
is->is_age = fr_icmpacktimeout;
else
is->is_age = fr_icmptimeout;
@ -1638,7 +1642,7 @@ retry_tcpudp:
pass = is->is_pass;
RWLOCK_EXIT(&ipf_state);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
ipfr_newfrag(ip, fin);
#ifndef _KERNEL
if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE))
fr_delstate(is);
@ -2049,6 +2053,8 @@ u_int type;
ipsl.isl_p = is->is_p;
ipsl.isl_v = is->is_v;
ipsl.isl_flags = is->is_flags;
ipsl.isl_rulen = is->is_rulen;
ipsl.isl_group = is->is_group;
if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
ipsl.isl_sport = is->is_sport;
ipsl.isl_dport = is->is_dport;
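Review bot: `is->is_group = is->is_rule->fr_group;` is assigned only inside the `if (is->is_rule != NULL)` branch, while the new log code copies `is->is_group` unconditionally into `ipsl.isl_group`, so for a state entry created without a rule the logged group is whatever `is_group` already held; if the local `ips` is zero-filled earlier in fr_addstate (not visible in these hunks) that is 0 and harmless, otherwise an `else is->is_group = 0;` is needed. `ipsl.isl_rulen = is->is_rulen;` likewise relies on is_rulen being set on every creation path, which these hunks do not show. Moving `win <<= fdata->td_wscale;` ahead of the `td_end == 0` initialisation and using `end + win` for td_maxend reads correctly, but the `if (win == 0) fdata->td_maxend++;` special case should say why (presumably to keep at least one byte of window, as the old `end + 1` did). fr_addstate and fr_tcpstate both start and end outside the hunks.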


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.h,v 1.22 2002/05/02 17:12:07 martti Exp $ */
/* $NetBSD: ip_state.h,v 1.23 2002/09/19 08:09:20 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp
* Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp
*/
#ifndef _NETINET_IP_STATE_H_
#define _NETINET_IP_STATE_H_
@ -88,6 +88,7 @@ typedef struct ipstate {
tcpstate_t is_ts;
udpstate_t is_us;
} is_ps;
u_32_t is_group;
char is_ifname[4][IFNAMSIZ];
#if SOLARIS || defined(__sgi)
kmutex_t is_lock;
@ -149,6 +150,8 @@ typedef struct ipslog {
u_char isl_p;
u_char isl_flags;
u_char isl_state[2];
u_32_t isl_rulen;
u_32_t isl_group;
} ipslog_t;
#define isl_sport isl_ps.isl_ports[0]
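Review bot: `u_32_t isl_rulen;` and `u_32_t isl_group;` extend ipslog_t, the record layout that state log readers consume, and `u_32_t is_group;` is inserted in the middle of ipstate_t ahead of `is_ifname`, so any userland program that copies these structures out of the kernel (ipmon for the log records, the state listing tools for ipstate_t, assuming those are still the readers) must be rebuilt from this header; if the commit updates them it is not visible in these hunks. Neither new field is commented: `u_32_t is_group; /* fr_group of is_rule when the state was created */` on the first, and `/* rule number and group of the creating rule, carried into the log record */` spanning the two isl_ fields, would document them. Both struct definitions start outside the hunk.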


@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.13 2002/05/02 17:12:07 martti Exp $ */
/* $NetBSD: ipl.h,v 1.14 2002/09/19 08:09:20 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
@ -6,12 +6,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp
* Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v3.4.27"
#define IPL_VERSION "IP Filter: v3.4.29"
#endif