author | 2000-02-01 19:29:57 +0000 | |
---|---|---|
committer | 2000-02-01 19:29:57 +0000 | |
commit | 67df9a2bdd7069973a8000036a44a29105efc44f (patch) | |
tree | b1df0bc5e2ebbebaeb8f31c88704f542bf8adf6a | |
parent | general cleanup (remove LMC_IOMAPPED crud entirely) (diff) | |
Update to IPFilter 3.3.8. Man pages still to go. See sbin/ipf/HISTORY
for details.
45 files changed, 283 insertions, 182 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index 8e386cd93d7..0812e373b33 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.2 1999/12/28 08:20:40 kjell Exp $ +# $OpenBSD: HISTORY,v 1.3 2000/02/01 19:29:59 kjell Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -9,7 +9,7 @@ # # Thanks to Tel.Net Media for allowing me to maintain and further develop # IP Filter as part of my job and supplying Sun equipment for testing the -# move to 64bits. +# move to 64bits and Gigabit Ethernet. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. 
@@ -21,6 +21,43 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.3.8 01/02/2000 - Released + +fix state handling of SYN packets. + +add parsing recognition of extra icmp types/codes and fix handling of +icmp time stamps and mask requests - Frank volf + +3.3.7 25/01/2000 - Released + +sync on state information as well as NAT information when required + +record nat protocol in all nat log records + +don't reuse the IP# from an active NAT session if the IP# in the rule +has changed dynamically. + +lookup the protocol for NAT log information in ipmon and pass that to +portname. + +fix the bug with changing the outbound interface of a packet where it +would lead to a panic. + +use fr_running instead of ipl_inited. (sysctl name change on freebsd) + +return EIO if someone attempts an ioctl on state/nat if ipfilter is not +enabled. + +fix rule insertion bug + +make state flushing clean anything that's not fully established (4/4) + +call fr_state_flush() after we've released ipf_state so we don't generate +a recursive mutex acquisition panic + +fix parsing of icmp code after return-icmp/return-icmp-as-dest and add +some patches to enhance parsing strength + 3.3.6 28/12/1999 - Released add in missing rwlock release in fr_checkicmpmatchingstate() and fix check diff --git a/sbin/ipf/facpri.c b/sbin/ipf/facpri.c index c3af7068cc2..4c866ca3698 100644 --- a/sbin/ipf/facpri.c +++ b/sbin/ipf/facpri.c @@ -1,4 +1,5 @@ -/* $OpenBSD: facpri.c,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: facpri.c,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -20,7 +21,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: facpri.c,v 1.1 1999/12/14 04:17:17 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: facpri.c,v 1.2 1999/08/01 11:10:45 darrenr Exp $"; #endif typedef struct table { 
diff --git a/sbin/ipf/facpri.h b/sbin/ipf/facpri.h index 1ca7ddd26f5..1d29c4ba82e 100644 --- a/sbin/ipf/facpri.h +++ b/sbin/ipf/facpri.h @@ -1,11 +1,12 @@ -/* $OpenBSD: facpri.h,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: facpri.h,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1999 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: facpri.h,v 1.1 1999/12/14 04:17:17 kjell Exp $ + * $IPFilter: facpri.h,v 1.2 1999/08/01 11:10:46 darrenr Exp $ */ #ifndef __FACPRI_H__ diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c index 300e3e27f3e..832ca4e4cf8 100644 --- a/sbin/ipf/ifaddr.c +++ b/sbin/ipf/ifaddr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ifaddr.c,v 1.1 1999/12/16 07:38:45 kjell Exp $ */ +/* $OpenBSD: ifaddr.c,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ #include <sys/types.h> #include <sys/ioctl.h> #include <sys/socket.h> @@ -6,6 +6,7 @@ #include <netinet/in.h> #include <err.h> #include <stdlib.h> +#include <unistd.h> #include "ifaddr.h" diff --git a/sbin/ipf/ifaddr.h b/sbin/ipf/ifaddr.h index 96ef1bac246..19f77d05926 100644 --- a/sbin/ipf/ifaddr.h +++ b/sbin/ipf/ifaddr.h @@ -1,7 +1,7 @@ -/* $OpenBSD: ifaddr.h,v 1.1 1999/12/16 07:38:45 kjell Exp $ */ +/* $OpenBSD: ifaddr.h,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ -#ifndef __IFADDR_H__ -#define __IFADDR_H__ +#ifndef __IFADDR_H__ +#define __IFADDR_H__ int if_addr __P((char *, struct in_addr *)); diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c index bf2517b13af..02c43d9177b 100644 --- a/sbin/ipf/ipf.c +++ b/sbin/ipf/ipf.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ipf.c,v 1.20 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: ipf.c,v 1.21 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
@@ -44,7 +45,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.20 1999/12/15 05:20:24 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $"; #endif #if SOLARIS diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h index 5435972babd..30e3329eb18 100644 --- a/sbin/ipf/ipf.h +++ b/sbin/ipf/ipf.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ipf.h,v 1.11 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: ipf.h,v 1.12 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 1.11 1999/12/15 05:20:24 kjell Exp $ + * $IPFilter: ipf.h,v 2.1.2.1 1999/10/05 12:59:25 darrenr Exp $ */ #ifndef __IPF_H__ diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c index 74df2df5c45..3e384d68c5a 100644 --- a/sbin/ipf/opt.c +++ b/sbin/ipf/opt.c @@ -1,4 +1,5 @@ -/* $OpenBSD: opt.c,v 1.11 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: opt.c,v 1.12 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -28,7 +29,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: opt.c,v 1.11 1999/12/15 05:20:24 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: opt.c,v 2.1 1999/08/04 17:30:15 darrenr Exp $"; #endif extern int opts; diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index f891877b1f0..7cad35c146a 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,4 +1,5 @@ -/* $OpenBSD: parse.c,v 1.30 1999/12/28 08:30:31 kjell Exp $ */ +/* $OpenBSD: parse.c,v 1.31 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
@@ -42,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: parse.c,v 1.30 1999/12/28 08:30:31 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.8 2000/01/27 08:49:42 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; @@ -129,21 +130,25 @@ int linenum; if (!strcasecmp("block", *cpp)) { fil.fr_flags |= FR_BLOCK; - if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19)) + if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && + (i = 19)) fil.fr_flags |= FR_FAKEICMP; - else if (!strncasecmp(*(cpp+1), "return-icmp", 11)) + else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11)) fil.fr_flags |= FR_RETICMP; if (fil.fr_flags & FR_RETICMP) { cpp++; - if (!*(cpp+1)) { - fprintf(stderr, "%d: missing icmp code\n", - linenum); - return NULL; + if (strlen(*cpp) == i) { + if (*(cpp + 1) && **(cpp +1) == '(') { + cpp++; + i = 0; + } else + i = -1; } - i = 11; - if ((strlen(*cpp) > i) && (*(*cpp + i) != '(')) - i = 19; - if (*(*cpp + i) == '(') { + + /* + * The ICMP code is not required to follow in ()'s + */ + if ((i >= 0) && (*(*cpp + i) == '(')) { i++; j = icmpcode(*cpp + i); if (j == -1) { @@ -256,7 +261,7 @@ int linenum; if (!strcasecmp("log", *cpp)) { if (!*++cpp) { - fprintf(stderr, "%d: missing source specification\n", + fprintf(stderr, "%d: missing source specification\n", linenum); return NULL; } @@ -766,7 +771,7 @@ int linenum; /* * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_aton() call + * straight inet_addr() call */ u_32_t hostnum(host, resolved, linenum) char *host; 
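Review bot: `&& (i = 19)` and `&& (i = 11)` in the new return-icmp conditions set `i` through an assignment folded into the condition, which reads like a typo for `==` and only works because both constants are non-zero; assigning `i` in the body of each branch, e.g. `{ fil.fr_flags |= FR_FAKEICMP; i = 19; }`, says the same thing plainly. `i` is afterwards compared against `strlen(*cpp)` and assigned -1, so the signed/unsigned comparison would be cleaner with `(size_t)i` or a separate length variable. If I read the new flow right, a keyword with trailing characters other than `(` (say `return-icmpx`) now falls through with no diagnostic where the old code reported "missing icmp code" — worth confirming that is intended. The enclosing function begins and ends outside the hunk.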
@@ -1247,12 +1252,13 @@ int linenum; } -#define MAX_ICMPCODE 12 +#define MAX_ICMPCODE 15 char *icmpcodes[] = { "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail", "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib", - "net-tos", "host-tos", NULL }; + "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", + NULL }; /* * Return the number for the associated ICMP unreachable code. */ diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c index 5def479df1f..67ec78629f0 100644 --- a/sbin/ipfstat/fils.c +++ b/sbin/ipfstat/fils.c @@ -1,4 +1,5 @@ -/* $OpenBSD: fils.c,v 1.17 1999/12/15 05:20:25 kjell Exp $ */ +/* $OpenBSD: fils.c,v 1.18 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -52,7 +53,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 1.17 1999/12/15 05:20:25 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.5 2000/01/27 08:49:40 darrenr Exp $"; #endif #define F_IN 0 @@ -81,7 +82,7 @@ static void Usage(name) char *name; { fprintf(stderr, - "usage: %s [-aAfhIinosv] [-d device] [-M core] [-N system]\n", + "usage: %s [-aAfhIinosv] [-d device] [-M core]\n", name); exit(1); } @@ -98,7 +99,7 @@ char *argv[]; char *name = NULL, *device = IPL_NAME; int c, fd; - while ((c = getopt(argc, argv, "AafhIinosvd:M:")) != -1) + while ((c = getopt(argc, argv, "AafhgIinosvd:M:")) != -1) { switch (c) { 
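Review bot: The getopt string in the last fils.c hunk now accepts `g`, but the usage text rewritten in the hunk just above it still reads `[-aAfhIinosv]`, so the new option is invisible to the user; change it to `"usage: %s [-aAfghIinosv] [-d device] [-M core]\n"`. The `case` that handles `g` is outside the hunk, so I cannot tell from here whether it is wired up; if it is, the man page should gain it as well, which the commit message says is still pending.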
@@ -247,11 +248,13 @@ struct friostat *fp; printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[0].fr_block, fp->f_st[0].fr_pass, fp->f_st[0].fr_nom); - printf(" counted %lu\n", fp->f_st[0].fr_acct); + printf(" counted %lu short %lu\n", + fp->f_st[0].fr_acct, fp->f_st[0].fr_short); printf("output packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[1].fr_block, fp->f_st[1].fr_pass, fp->f_st[1].fr_nom); - printf(" counted %lu\n", fp->f_st[0].fr_acct); + printf(" counted %lu short %lu\n", + fp->f_st[1].fr_acct, fp->f_st[1].fr_short); printf(" input packets logged:\tblocked %lu passed %lu\n", fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); printf("output packets logged:\tblocked %lu passed %lu\n", diff --git a/sbin/ipfstat/kmem.c b/sbin/ipfstat/kmem.c index 7d57fb57fbf..b56fa34ee32 100644 --- a/sbin/ipfstat/kmem.c +++ b/sbin/ipfstat/kmem.c @@ -1,4 +1,5 @@ -/* $OpenBSD: kmem.c,v 1.12 1999/12/15 05:20:25 kjell Exp $ */ +/* $OpenBSD: kmem.c,v 1.13 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -21,7 +22,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 1.12 1999/12/15 05:20:25 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: kmem.c,v 2.1 1999/08/04 17:30:09 darrenr Exp $"; #endif static int kmemfd = -1; diff --git a/sbin/ipfstat/kmem.h b/sbin/ipfstat/kmem.h index 5da38aad7de..9d8e7cee3af 100644 --- a/sbin/ipfstat/kmem.h +++ b/sbin/ipfstat/kmem.h 
@@ -1,11 +1,12 @@ -/* $OpenBSD: kmem.h,v 1.9 1999/12/15 05:20:25 kjell Exp $ */ +/* $OpenBSD: kmem.h,v 1.10 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: kmem.h,v 1.9 1999/12/15 05:20:25 kjell Exp $ + * $IPFilter: kmem.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $ */ #ifndef __KMEM_H__ diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c index ab3cd70dfdd..70774ba9f92 100644 --- a/sbin/ipnat/ipnat.c +++ b/sbin/ipnat/ipnat.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ipnat.c,v 1.33 1999/12/16 07:38:45 kjell Exp $ */ +/* $OpenBSD: ipnat.c,v 1.34 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -57,7 +58,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.33 1999/12/16 07:38:45 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.2 1999/12/04 02:09:30 darrenr Exp $"; #endif @@ -402,6 +403,7 @@ char *msk; return mask; } + /* * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c index f20a8704ae5..40204a429e5 100644 --- a/sbin/ipnat/natparse.c +++ b/sbin/ipnat/natparse.c @@ -1,4 +1,5 @@ -/* $OpenBSD: natparse.c,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: natparse.c,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
@@ -54,7 +55,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.1 1999/12/14 04:17:17 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.1 1999/11/20 22:50:30 darrenr Exp $"; #endif diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index eff9d8d23b1..a51f2b0c4bc 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -1,4 +1,5 @@ -/* $OpenBSD: fil.c,v 1.19 1999/12/17 06:17:07 kjell Exp $ */ +/* $OpenBSD: fil.c,v 1.20 2000/02/01 19:29:57 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -8,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 1.19 1999/12/17 06:17:07 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; #endif #include <sys/errno.h> @@ -246,6 +247,12 @@ fr_info_t *fin; if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || icmp->icmp_type == ICMP_ECHO)) minicmpsz = ICMP_MINLEN; + if (!off && (icmp->icmp_type == ICMP_TSTAMP || + icmp->icmp_type == ICMP_TSTAMPREPLY)) + minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ + if (!off && (icmp->icmp_type == ICMP_MASKREQ || + icmp->icmp_type == ICMP_MASKREPLY)) + minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; @@ -631,7 +638,7 @@ int out; case IPPROTO_UDP: plen = sizeof(udphdr_t); break; - /* need enough for complete ICMP error IP header */ + /* 96 - enough for complete ICMP error IP header */ case IPPROTO_ICMP: plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); break; 
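Review bot: The two new `minicmpsz` assignments in the fil.c hunk use the bare literals 20 and 12 and rely on trailing comments to justify them; the BSD `<netinet/ip_icmp.h>` that supplies the `ICMP_MINLEN` already used two lines earlier also defines `ICMP_TSLEN` and `ICMP_MASKLEN` for exactly these lengths, so `minicmpsz = ICMP_TSLEN;` and `minicmpsz = ICMP_MASKLEN;` would be self-documenting. If those names are not available on every platform this file builds on (Solaris is supported here), a local `#define` next to `ICMPERR_MAXPKTLEN` would do. The enclosing function continues outside the hunk.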
@@ -689,6 +696,9 @@ int out; READ_ENTER(&ipf_mutex); + if (fin->fin_fi.fi_fl & FI_SHORT) + ATOMIC_INC(frstats[out].fr_short); + /* * Check auth now. This, combined with the check below to see if apass * is 0 is to ensure that we don't count the packet twice, which can @@ -1179,7 +1189,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 1.19 1999/12/17 06:17:07 kjell Exp $ + * $IPFilter: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1580,7 +1590,10 @@ void frsync() # else for (ifp = ifnet; ifp; ifp = ifp->if_next) # endif + { ip_natsync(ifp); + ip_statesync(ifp); + } # endif WRITE_ENTER(&ipf_mutex); diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c index ad69de43d9d..bca4a7a5da6 100644 --- a/sys/netinet/ip_auth.c +++ b/sys/netinet/ip_auth.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_auth.c,v 1.9 1999/12/15 05:20:21 kjell Exp $ */ +/* $OpenBSD: ip_auth.c,v 1.10 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1998 by Darren Reed & Guido van Rooij. * @@ -7,7 +8,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 1.9 1999/12/15 05:20:21 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $"; #endif #include <sys/errno.h> @@ -397,7 +398,7 @@ fr_authioctlloop: # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ -# if ((_BSDI_VERSION >= 199802) || defined(__OpenBSD__)) +# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else diff --git a/sys/netinet/ip_auth.h b/sys/netinet/ip_auth.h index 7f6dead90e7..2e6492ea84a 100644 --- a/sys/netinet/ip_auth.h +++ b/sys/netinet/ip_auth.h 
@@ -1,4 +1,5 @@ -/* $OpenBSD: ip_auth.h,v 1.4 1999/12/15 05:20:21 kjell Exp $ */ +/* $OpenBSD: ip_auth.h,v 1.5 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij. * @@ -6,7 +7,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_auth.h,v 1.4 1999/12/15 05:20:21 kjell Exp $ + * $IPFilter: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index 45a71603e54..681c9475688 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_fil.c,v 1.28 1999/12/17 06:17:08 kjell Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.29 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -8,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 1.28 1999/12/17 06:17:08 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $"; #endif #ifndef SOLARIS @@ -127,7 +128,6 @@ extern int tcp_ttl; # endif #endif -int ipl_inited = 0; # if defined (__OpenBSD__) int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB; # else @@ -226,20 +226,8 @@ int count; } # endif -#if defined( __OpenBSD__) -/* - * Since iplattach() is called by main() at boot time, we put in a - * fake stub so that none of the machinery is initialized till explicitly - * enabled via ipf -E. Therefore we rename the real iplattach() to - * ipl_enable(). See also skeleton iplinit() later in this file. - */ -void iplattach __P((int)); -void iplattach(int dummy) {}; -int ipl_enable() -# else int iplattach() -# endif /* OpenBSD */ { char *defpass; int s; 
@@ -248,7 +236,7 @@ int iplattach() # endif SPL_NET(s); - if (ipl_inited || (fr_checkp == fr_check)) { + if (fr_running || (fr_checkp == fr_check)) { printf("IP Filter: already initialized\n"); SPL_X(s); return EBUSY; @@ -276,7 +264,6 @@ int iplattach() } # endif - ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); fr_savep = fr_checkp; fr_checkp = fr_check; @@ -304,6 +291,7 @@ int iplattach() timeout(ipfr_slowtimer, NULL, hz/2); # endif #endif + fr_running = 1; return 0; } @@ -312,11 +300,7 @@ int iplattach() * Disable the filter by removing the hooks from the IP input/output * stream. */ -# if defined(__OpenBSD__) -int ipl_disable() -# else int ipldetach() -# endif { int s, i = FR_INQUE|FR_OUTQUE; @@ -332,7 +316,7 @@ int ipldetach() # endif #endif SPL_NET(s); - if (!ipl_inited) + if (!fr_running) { printf("IP Filter: not initialized\n"); SPL_X(s); @@ -341,7 +325,7 @@ int ipldetach() fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); - ipl_inited = 0; + fr_running = 0; # ifdef NETBSD_PF pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); @@ -464,11 +448,15 @@ int mode; SPL_NET(s); if (unit == IPL_LOGNAT) { + if (!fr_running) + return EIO; error = nat_ioctl(data, cmd, mode); SPL_X(s); return error; } if (unit == IPL_LOGSTATE) { + if (!fr_running) + return EIO; error = fr_state_ioctl(data, cmd, mode); SPL_X(s); return error; @@ -489,23 +477,10 @@ int mode; error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); - if (enable) { -# if defined(__OpenBSD__) - error = ipl_enable(); -# else + if (enable) error = iplattach(); -# endif - if (error == 0) - fr_running = 1; - } else { -# if defined(__OpenBSD__) - error = ipl_disable(); -# else + else error = ipldetach(); -# endif - if (error == 0) - fr_running = 0; - } } break; } 
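Review bot: The added `if (!fr_running) return EIO;` in both the `IPL_LOGNAT` and `IPL_LOGSTATE` branches of the ioctl hunk returns while the level raised by the preceding `SPL_NET(s);` is still in effect, because the `SPL_X(s);` that the existing paths execute is skipped; on platforms where those macros expand to real spl calls the caller is left at splnet. Change both to `if (!fr_running) { SPL_X(s); return EIO; }`, or perform the check before `SPL_NET(s);`. The `enable` path in the last hunk now relies on `iplattach()`/`ipldetach()` to set and clear `fr_running`, which the earlier hunks show they do, so that part is consistent.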
@@ -762,13 +737,15 @@ caddr_t data; } if (!f) { - if (req != SIOCINAFR || req != SIOCINIFR) + if (req != SIOCINAFR && req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { - if (fp->fr_hits) + if (fp->fr_hits) { + ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; + } f = NULL; } } @@ -1004,8 +981,8 @@ ip_t *ip; # if _BSDI_VERSION >= 199802 return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL); # else -# if defined(__OpenBSD__) - return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL); +# if defined(__OpenBSD__) + return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL); # else return ip_output(m, (struct mbuf *)0, 0, 0, 0); # endif @@ -1091,13 +1068,8 @@ void # endif iplinit() { -# if defined(__OpenBSD__) - /* must explicitly enable with 'ipf -E' - * which invokes ipl_enable(); */ -# else if (iplattach() != 0) printf("IP Filter failed to attach\n"); -# endif ip_init(); } # endif /* ! __NetBSD__ */ diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 96bc712f0d0..45f16bd5c04 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_fil.h,v 1.14 1999/12/28 08:20:40 kjell Exp $ */ +/* $OpenBSD: ip_fil.h,v 1.15 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 1.14 1999/12/28 08:20:40 kjell Exp $ + * $IPFilter: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -272,6 +273,7 @@ typedef struct filterstats { u_long fr_pass; /* packets allowed */ u_long fr_block; /* packets denied */ u_long fr_nom; /* packets which don't match any rule */ + u_long fr_short; /* packets which are short */ u_long fr_ppkl; /* packets allowed and logged */ u_long fr_bpkl; /* packets denied and logged */ u_long fr_npkl; /* packets unmatched and logged */ 
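Review bot: With the OpenBSD-only comment and `#if` removed from `iplinit()`, the filter is now attached at boot on OpenBSD as on the other platforms, reversing the previous local behaviour of staying detached until `ipf -E`; neither the code nor the commit message records this, and since the ioctl hunk above shows `iplattach()` returning `EBUSY` when already running, an `ipf -E` issued from startup scripts would presumably now fail — worth confirming. A one-line comment before the call, `/* attach at boot; ipf -E is only needed if this fails */`, would capture the new intent. The function's declaration line is outside the hunk.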
@@ -448,15 +450,7 @@ extern int iplclose __P((dev_t, int)); # if defined(__NetBSD__) && defined(PFIL_HOOKS) extern void ipfilterattach __P((int)); # endif - -#if !defined(__OpenBSD__) -/* - * OpenBSD has this call in the kernel but doesn't export it to userland. - * See ip_fil.c for actual hook and more details. - */ extern int iplattach __P((void)); -#endif - extern int ipl_enable __P((void)); extern int ipl_disable __P((void)); extern void ipflog_init __P((void)); @@ -563,7 +557,7 @@ extern void fr_makefrip __P((int, ip_t *, fr_info_t *)); extern int fr_ifpaddr __P((void *, struct in_addr *)); extern char *memstr __P((char *, char *, int, int)); extern int ipl_unreach; -extern int ipl_inited; +extern int fr_running; extern u_long ipl_frouteok[2]; extern int fr_pass; extern int fr_flags; diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h index eab1ee7e804..49a53893719 100644 --- a/sys/netinet/ip_fil_compat.h +++ b/sys/netinet/ip_fil_compat.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_fil_compat.h,v 1.11 1999/12/15 05:20:21 kjell Exp $ */ +/* $OpenBSD: ip_fil_compat.h,v 1.12 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_fil_compat.h,v 1.11 1999/12/15 05:20:21 kjell Exp $ + * $IPFilter: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 1444e14c23d..8c376473ec7 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_frag.c,v 1.14 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_frag.c,v 1.15 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
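Review bot: The `#if !defined(__OpenBSD__)` guard around `extern int iplattach` is dropped, but the `extern int ipl_enable __P((void));` and `extern int ipl_disable __P((void));` lines that follow it are kept even though the ip_fil.c hunks in this commit remove the only definitions of those functions visible here; unless they are defined elsewhere, the two declarations are now dead and should go with the stub. The `ipl_inited` to `fr_running` rename in the second hunk matches the ip_fil.c change.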
@@ -8,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 1.14 1999/12/15 05:20:22 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h index 647bf54dc29..730abffbd67 100644 --- a/sys/netinet/ip_frag.h +++ b/sys/netinet/ip_frag.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_frag.h,v 1.9 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_frag.h,v 1.10 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 1.9 1999/12/15 05:20:22 kjell Exp $ + * $IPFilter: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $ */ #ifndef __IP_FRAG_H__ diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c index 08e5ce5ae3f..bdb1e5e381e 100644 --- a/sys/netinet/ip_ftp_pxy.c +++ b/sys/netinet/ip_ftp_pxy.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_ftp_pxy.c,v 1.5 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_ftp_pxy.c,v 1.6 2000/02/01 19:29:58 kjell Exp $ */ + /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c index 87c9de1c4a1..d458053c0a0 100644 --- a/sys/netinet/ip_log.c +++ b/sys/netinet/ip_log.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_log.c,v 1.5 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_log.c,v 1.6 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1997-1998 by Darren Reed. * 
@@ -6,7 +7,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_log.c,v 1.5 1999/12/15 05:20:22 kjell Exp $ + * $IPFilter: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $ */ #include <sys/param.h> #if defined(KERNEL) && !defined(_KERNEL) diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index ffd708579ba..34f9d120ff8 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_nat.c,v 1.25 1999/12/17 07:50:05 kjell Exp $ */ +/* $OpenBSD: ip_nat.c,v 1.26 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -10,7 +11,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 1.25 1999/12/17 07:50:05 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -744,12 +745,22 @@ int direction; port = 0; in.s_addr = np->in_nip; if (l == 0) { + /* + * Check to see if there is an existing NAT + * setup for this IP address pair. + */ natl = nat_maplookup(fin->fin_ifp, flags, ip->ip_src, ip->ip_dst); if (natl != NULL) { in = natl->nat_outip; + if ((in.s_addr & np->in_outmsk) != + np->in_outip) + in.s_addr = 0; + else #ifndef sparc - in.s_addr = ntohl(in.s_addr); + in.s_addr = ntohl(in.s_addr); +#else + ; #endif } } @@ -1784,6 +1795,7 @@ u_int type; natl.nl_origport = nat->nat_oport; natl.nl_inport = nat->nat_inport; natl.nl_outport = nat->nat_outport; + natl.nl_p = nat->nat_p; natl.nl_type = type; natl.nl_rule = -1; #ifndef LARGE_NAT diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h index 60f4533c844..1e87fba23fe 100644 --- a/sys/netinet/ip_nat.h +++ b/sys/netinet/ip_nat.h 
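Review bot: The new `else` in the NAT address-reuse check of ip_nat.c is immediately followed by a preprocessor split, so its body is `ntohl()` on most platforms and a bare `;` on sparc; that works, but any statement later added after `#endif` silently attaches to the wrong branch, and an `#else` whose only content is an empty statement reads like a leftover. Bracing the branch keeps a single `#ifndef` with no `#else`. Separately, `(in.s_addr & np->in_outmsk) != np->in_outip` is evaluated before the `ntohl()` that the next line applies to `nat_outip`, so it is only meaningful if `in_outmsk`/`in_outip` are stored in the same byte order as `nat_outip` — I cannot see those declarations, so worth confirming. The enclosing function continues outside the hunk.
```c
				if (natl != NULL) {
					in = natl->nat_outip;
					if ((in.s_addr & np->in_outmsk) != np->in_outip)
						in.s_addr = 0;
					else {
#ifndef sparc
						in.s_addr = ntohl(in.s_addr);
#endif
					}
				}
```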
@@ -1,4 +1,5 @@ -/* $OpenBSD: ip_nat.h,v 1.13 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_nat.h,v 1.14 2000/02/01 19:29:58 kjell Exp $ */ + /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 1.13 1999/12/15 05:20:22 kjell Exp $ + * $IPFilter: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -187,6 +188,7 @@ typedef struct natlog { int nl_rule; U_QUAD_T nl_pkts; U_QUAD_T nl_bytes; + u_char nl_p; } natlog_t; diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 0cf9c2d265c..49adee8d3e5 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_proxy.c,v 1.5 1999/12/15 05:20:22 kjell Exp $ */ +/* $OpenBSD: ip_proxy.c,v 1.6 2000/02/01 19:29:59 kjell Exp $ */ + /* * Copyright (C) 1997-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 1.5 1999/12/15 05:20:22 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h index bcc464b1779..330d84a1cb3 100644 --- a/sys/netinet/ip_proxy.h +++ b/sys/netinet/ip_proxy.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_proxy.h,v 1.4 1999/12/15 05:20:23 kjell Exp $ */ +/* $OpenBSD: ip_proxy.h,v 1.5 2000/02/01 19:29:59 kjell Exp $ */ + /* * Copyright (C) 1997-1998 by Darren Reed. * @@ -6,7 +7,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_proxy.h,v 1.4 1999/12/15 05:20:23 kjell Exp $ + * $IPFilter: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ */ #ifndef __IP_PROXY_H__ 
diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c index 7d9ab5b3291..0c84298e392 100644 --- a/sys/netinet/ip_raudio_pxy.c +++ b/sys/netinet/ip_raudio_pxy.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_raudio_pxy.c,v 1.3 1999/12/28 08:20:40 kjell Exp $ */ +/* $OpenBSD: ip_raudio_pxy.c,v 1.4 2000/02/01 19:29:59 kjell Exp $ */ + #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; #endif diff --git a/sys/netinet/ip_rcmd_pxy.c b/sys/netinet/ip_rcmd_pxy.c index 5782e9f3400..7f9cd27b53b 100644 --- a/sys/netinet/ip_rcmd_pxy.c +++ b/sys/netinet/ip_rcmd_pxy.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_rcmd_pxy.c,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: ip_rcmd_pxy.c,v 1.2 2000/02/01 19:29:59 kjell Exp $ */ + /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 2233e604a76..d307114c092 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ip_state.c,v 1.17 1999/12/28 09:43:33 kjell Exp $ */ +/* $OpenBSD: ip_state.c,v 1.18 2000/02/01 19:29:59 kjell Exp $ */ + /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -8,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 1.17 1999/12/28 09:43:33 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $"; #endif #include <sys/errno.h> @@ -175,11 +176,10 @@ int which; delete = 1; break; case 1 : - if ((is->is_p == IPPROTO_TCP) && - (((is->is_state[0] <= TCPS_ESTABLISHED) && - (is->is_state[1] > TCPS_ESTABLISHED)) || - ((is->is_state[1] <= TCPS_ESTABLISHED) && - (is->is_state[0] > TCPS_ESTABLISHED)))) + if (is->is_p != IPPROTO_TCP) + break; + if ((is->is_state[0] != TCPS_ESTABLISHED) || + (is->is_state[1] != TCPS_ESTABLISHED)) delete = 1; break; } 
@@ -458,7 +458,7 @@ tcphdr_t *tcp; win = ntohs(tcp->th_win); end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp->th_flags & TH_FIN) ? 1 : 0); if (fdata->td_end == 0) { /* @@ -472,6 +472,8 @@ tcphdr_t *tcp; if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ ack = tdata->td_end; win = 1; + if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0)) + tdata->td_maxwin = 1; } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && (ack == 0)) { /* gross hack to get around certain broken tcp stacks */ @@ -487,7 +489,7 @@ tcphdr_t *tcp; #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) #define SEQ_GT(a,b) ((int)((a) - (b)) > 0) if ((SEQ_GE(fdata->td_maxend, end)) && - (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) && + (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 (ackskew >= -MAXACKWINDOW) && @@ -672,8 +674,8 @@ fr_info_t *fin; int type; u_int hv; - /* - * Does it at least have the return (basic) IP header ? + /* + * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with * an ICMP error header. */ @@ -707,10 +709,10 @@ fr_info_t *fin; if ((icmp->icmp_type != ICMP_ECHO) && (icmp->icmp_type != ICMP_TSTAMP) && (icmp->icmp_type != ICMP_IREQ) && - (icmp->icmp_type != ICMP_MASKREQ)) + (icmp->icmp_type != ICMP_MASKREQ)) return NULL; - /* + /* * perform a lookup of the ICMP packet in the state table */ @@ -734,9 +736,9 @@ fr_info_t *fin; for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { - /* + /* * in the state table ICMP query's are stored - * with the type of the corresponding ICMP + * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && 
@@ -746,7 +748,7 @@ fr_info_t *fin;
 (is->is_type - 1 == ic->icmp_type)) {
 ips_stats.iss_hits++;
 is->is_pkts++;
- is->is_bytes += ip->ip_len;
+ is->is_bytes += ip->ip_len;
 fr = is->is_rule;
 RWLOCK_EXIT(&ipf_state);
 return fr;
@@ -804,7 +806,7 @@ fr_info_t *fin;
 * comes the other way around
 */
 is->is_pkts++;
- is->is_bytes += ip->ip_len;
+ is->is_bytes += ip->ip_len;
 /*
 * we deliberately do not touch the timeouts
 * for the accompanying state table entry.
@@ -1040,11 +1042,11 @@ void fr_timeoutstate()
 } else
 isp = &is->is_next;
 RWLOCK_EXIT(&ipf_state);
+ SPL_X(s);
 if (fr_state_doflush) {
 (void) fr_state_flush(1);
 fr_state_doflush = 0;
 }
- SPL_X(s);
 }
 
 
@@ -1181,3 +1183,21 @@ u_int type;
 (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
 }
 #endif
+
+
+void ip_statesync(ifp)
+void *ifp;
+{
+ register ipstate_t *is;
+ register int i;
+
+ WRITE_ENTER(&ipf_state);
+ for (i = fr_statesize - 1; i >= 0; i--)
+ for (is = ips_table[i]; is != NULL; is = is->is_next) {
+ if (is->is_ifpin == ifp)
+ is->is_ifpin = NULL;
+ if (is->is_ifpout == ifp)
+ is->is_ifpout = NULL;
+ }
+ RWLOCK_EXIT(&ipf_state);
+}
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index 8752f068b98..7033b9344ab 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: ip_state.h,v 1.10 1999/12/15 05:20:23 kjell Exp $ */
+/* $OpenBSD: ip_state.h,v 1.11 2000/02/01 19:29:59 kjell Exp $ */
+
 /*
 * Copyright (C) 1995-1998 by Darren Reed.
 *
@@ -7,7 +8,7 @@
 * to the original author and the contributors.
 *
 * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 1.10 1999/12/15 05:20:23 kjell Exp $
+ * $IPFilter: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $
 */
 #ifndef __IP_STATE_H__
 #define __IP_STATE_H__
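Review bot: With `SPL_X(s)` now raised before the flush at @@ -1040, `fr_state_doflush` is tested and then cleared outside both ipf_state and the spl section, so a setter that fires between `fr_state_flush(1)` returning and `fr_state_doflush = 0` has its request silently dropped until the next timeout pass. Clearing the flag before flushing closes that window at no cost: `fr_state_doflush = 0;` followed by `(void) fr_state_flush(1);`. Where the flag is set is outside this hunk, so whether that interleaving is reachable on this platform is inferred rather than seen.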
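Review bot: `ip_statesync()` at @@ -1181 is a new external entry point, declared in ip_state.h by this same commit, with no comment stating its contract: it takes the write lock on ipf_state and clears every `is_ifpin`/`is_ifpout` that equals `ifp`. A short header such as `/* Forget interface ifp in every state entry (presumably at interface detach; callers are not in this diff) so no entry keeps a dangling interface pointer. */` would also prompt a note on how the matching code treats a NULL interface, which this file does not show here. The `register` qualifiers are a style point only — modern compilers ignore them and nothing in the hunk depends on them.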
@@ -152,6 +153,7 @@ extern int fr_stateinit __P((void));
 extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
 extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int));
 extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
+extern void ip_statesync __P((void *));
 extern void fr_timeoutstate __P((void));
 extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
 extern void fr_stateunload __P((void));
diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h
index 4716411676b..8c19f3df9b4 100644
--- a/sys/netinet/ipl.h
+++ b/sys/netinet/ipl.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipl.h,v 1.3 1999/12/28 08:20:40 kjell Exp $ */
+/* $OpenBSD: ipl.h,v 1.4 2000/02/01 19:29:59 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1999 by Darren Reed.
 *
@@ -12,6 +13,6 @@
 #ifndef __IPL_H__
 #define __IPL_H__
 
-#define IPL_VERSION "IP Filter: v3.3.6"
+#define IPL_VERSION "IP Filter: v3.3.8"
 
 #endif
diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c
index 5cff7b076ad..3fccf5b14ae 100644
--- a/usr.sbin/ipftest/ipft_ef.c
+++ b/usr.sbin/ipftest/ipft_ef.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_ef.c,v 1.11 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_ef.c,v 1.12 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -52,7 +53,7 @@ etherfind -n -t
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.11 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_ef.c,v 2.1 1999/08/04 17:30:02 darrenr Exp $";
 #endif
 
 static int etherf_open __P((char *));
diff --git a/usr.sbin/ipftest/ipft_hx.c b/usr.sbin/ipftest/ipft_hx.c
index 36595779516..0b27c2efe06 100644
--- a/usr.sbin/ipftest/ipft_hx.c
+++ b/usr.sbin/ipftest/ipft_hx.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_hx.c,v 1.9 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_hx.c,v 1.10 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1995-1998 by Darren Reed.
 *
@@ -43,7 +44,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.9 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_hx.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $";
 #endif
 
 extern int opts;
diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c
index 4e516699e5a..252ec566dd9 100644
--- a/usr.sbin/ipftest/ipft_pc.c
+++ b/usr.sbin/ipftest/ipft_pc.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_pc.c,v 1.13 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_pc.c,v 1.14 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -34,7 +35,7 @@
 #include "ipt.h"
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.13 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_pc.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $";
 #endif
 
 struct llc {
diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c
index 421ca51e369..210fec34100 100644
--- a/usr.sbin/ipftest/ipft_sn.c
+++ b/usr.sbin/ipftest/ipft_sn.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_sn.c,v 1.10 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_sn.c,v 1.11 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -38,7 +39,7 @@
 #include "ipt.h"
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.10 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_sn.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $";
 #endif
 
 struct llc {
diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c
index 335ff525c36..28520942f4a 100644
--- a/usr.sbin/ipftest/ipft_td.c
+++ b/usr.sbin/ipftest/ipft_td.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_td.c,v 1.11 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_td.c,v 1.12 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -61,7 +62,7 @@ tcpdump -nqte
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.11 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_td.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $";
 #endif
 
 static int tcpd_open __P((char *));
diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c
index 7c3ec85fe04..e55c2b887f3 100644
--- a/usr.sbin/ipftest/ipft_tx.c
+++ b/usr.sbin/ipftest/ipft_tx.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipft_tx.c,v 1.13 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipft_tx.c,v 1.14 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1995-1998 by Darren Reed.
 *
@@ -44,7 +45,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.13 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipft_tx.c,v 2.1 1999/08/04 17:30:05 darrenr Exp $";
 #endif
 
 extern int opts;
diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c
index dee57e5d113..09d30e36ef4 100644
--- a/usr.sbin/ipftest/ipt.c
+++ b/usr.sbin/ipftest/ipt.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipt.c,v 1.14 1999/12/15 05:20:26 kjell Exp $ */
+/* $OpenBSD: ipt.c,v 1.15 2000/02/01 19:30:02 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -56,7 +57,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 1.14 1999/12/15 05:20:26 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipt.c,v 2.1.2.1 2000/01/24 14:49:11 darrenr Exp $";
 #endif
 
 extern char *optarg;
@@ -65,6 +66,7 @@ extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
 extern struct ifnet *get_unit __P((char *));
 extern void init_ifp __P((void));
 extern ipnat_t *natparse __P((char *, int));
+extern int fr_running;
 
 int opts = 0;
 int main __P((int, char *[]));
@@ -135,6 +137,7 @@ char *argv[];
 nat_init();
 fr_stateinit();
 initparse();
+ fr_running = 1;
 
 if (rules) {
 char line[513], *s;
diff --git a/usr.sbin/ipftest/ipt.h b/usr.sbin/ipftest/ipt.h
index bd49742d9ef..624a38b9493 100644
--- a/usr.sbin/ipftest/ipt.h
+++ b/usr.sbin/ipftest/ipt.h
@@ -1,11 +1,12 @@
-/* $OpenBSD: ipt.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */
+/* $OpenBSD: ipt.h,v 1.8 2000/02/01 19:30:02 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * $Id: ipt.h,v 1.7 1999/12/15 05:20:27 kjell Exp $
+ * $IPFilter: ipt.h,v 2.1 1999/08/04 17:30:08 darrenr Exp $
 */
 
 #ifndef __IPT_H__
diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c
index ba2ec314100..f18169b5888 100644
--- a/usr.sbin/ipftest/misc.c
+++ b/usr.sbin/ipftest/misc.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: misc.c,v 1.9 1999/12/15 05:20:27 kjell Exp $ */
+/* $OpenBSD: misc.c,v 1.10 2000/02/01 19:30:02 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -53,7 +54,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 1.9 1999/12/15 05:20:27 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: misc.c,v 2.1 1999/08/04 17:30:11 darrenr Exp $";
 #endif
 
 extern int opts;
diff --git a/usr.sbin/ipftest/pcap.h b/usr.sbin/ipftest/pcap.h
index 451c8496417..f16592d3303 100644
--- a/usr.sbin/ipftest/pcap.h
+++ b/usr.sbin/ipftest/pcap.h
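Review bot: `extern int fr_running;` at @@ -65 is a bare declaration dropped into ipt.c rather than taken from a header shared with the kernel filter sources that define the variable, so a later change to its type or linkage would go unnoticed by the compiler here. The file already gets prototypes such as `fr_stateinit` from a header (its declaration is visible in the ip_state.h hunk of this commit), so that seems the natural home; failing that, a comment on the line would help, e.g. `extern int fr_running; /* owned by the kernel filter sources; set to 1 below once initialisation is done */`. The `fr_running = 1;` at @@ -135 sits after `initparse()`, and since the variable presumably gates the filter paths the harness exercises, that ordering is worth noting there as well; `main` starts and ends outside the hunk.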
@@ -1,11 +1,12 @@
-/* $OpenBSD: pcap.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */
+/* $OpenBSD: pcap.h,v 1.8 2000/02/01 19:30:02 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * $Id: pcap.h,v 1.7 1999/12/15 05:20:27 kjell Exp $
+ * $IPFilter: pcap.h,v 2.1 1999/08/04 17:30:17 darrenr Exp $
 */
 /*
 * This header file is constructed to match the version described by
diff --git a/usr.sbin/ipftest/snoop.h b/usr.sbin/ipftest/snoop.h
index 5442ef1b4b8..a4265831f8a 100644
--- a/usr.sbin/ipftest/snoop.h
+++ b/usr.sbin/ipftest/snoop.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: snoop.h,v 1.6 1999/12/15 05:20:27 kjell Exp $ */
+/* $OpenBSD: snoop.h,v 1.7 2000/02/01 19:30:02 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -12,7 +13,7 @@
 
 /*
 * written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 1.6 1999/12/15 05:20:27 kjell Exp $
+ * $IPFilter: snoop.h,v 2.1 1999/08/04 17:30:19 darrenr Exp $
 */
 struct snoophdr {
 char s_id[8];
diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c
index f44289ac67d..620f390de18 100644
--- a/usr.sbin/ipmon/ipmon.c
+++ b/usr.sbin/ipmon/ipmon.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $ */
+/* $OpenBSD: ipmon.c,v 1.21 2000/02/01 19:30:01 kjell Exp $ */
+
 /*
 * Copyright (C) 1993-1998 by Darren Reed.
 *
@@ -8,7 +9,7 @@
 */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $";
 #endif
 
 #ifndef SOLARIS
@@ -387,6 +388,7 @@ int blen;
 char *t = line;
 struct tm *tm;
 int res, i, len;
+ char *proto;
 
 nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
 res = (opts & OPT_RESOLVE) ? 1 : 0;
@@ -413,14 +415,16 @@ int blen;
 sprintf(t, "Type: %d ", nl->nl_type);
 t += strlen(t);
 
+ proto = getproto(nl->nl_p);
+
 (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
- portname(res, NULL, (u_int)nl->nl_inport));
+ portname(res, proto, (u_int)nl->nl_inport));
 t += strlen(t);
 (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
- portname(res, NULL, (u_int)nl->nl_outport));
+ portname(res, proto, (u_int)nl->nl_outport));
 t += strlen(t);
 (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
- portname(res, NULL, (u_int)nl->nl_origport));
+ portname(res, proto, (u_int)nl->nl_origport));
 t += strlen(t);
 if (nl->nl_type == NL_EXPIRE) {
 #ifdef USE_QUAD_T |
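Review bot: The three rewritten `portname(res, proto, ...)` calls still write through unbounded `sprintf` into `t`, while the function's parameter list shown in the hunk header carries an `int blen` that none of these writes consult. Since the lines are being touched anyway, moving them to `snprintf` with the remaining room is cheap, for instance `(void) snprintf(t, blen - (t - line), "%s,%s <- -> ", hostname(res, nl->nl_inip), portname(res, proto, (u_int)nl->nl_inport));` and likewise for the outip and origip writes — this assumes `line` is the start of a `blen`-byte buffer, which the diff only suggests through `char *t = line;` at @@ -387. Whether `getproto()` can return NULL is not visible either; the old code passed NULL explicitly, so `portname` presumably tolerates it, but a comment on the new `proto = getproto(nl->nl_p);` line stating that would save the next reader the question.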