Subject: pkg/27105: net/hlfl bug fix
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <ishit@oak.dti.ne.jp>
List: pkgsrc-bugs
Date: 10/01/2004 17:38:24
>Number: 27105
>Category: pkg
>Synopsis: net/hlfl bug fix
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 01 17:39:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: ISIHARA Takanori
>Release: NetBSD/i386 2.0_BETA
>Organization:
Nagoya *BSD Users' Group :-)
>Environment:
NetBSD ishitPc4.home 2.0_BETA NetBSD 2.0_BETA (GENERIC_LAPTOP) #0: Sun Jul 18 01:07:01 UTC 2004 autobuild@tgm.netbsd.org:/autobuild/netbsd-2-0/i386/OBJ/autobuild/netbsd-2-0/src/sys/arch/i386/compile/GENERIC_LAPTOP i386
>Description:
net/hlfl bug fix patches.
The patches are taken from the hlfl-cvs ML (hlfl CVS commit messages ML) archives from December 2003 to June 2004.
>How-To-Repeat:
Part 1: A file with no syntax error -> Syntax error message.
------
% pwd
/usr/pkg/share/hlfl
% hlfl -t ipfilter sample_1.hlfl
#
# ipf(5) rules
#
# Firewall rules generated by hlfl
#
# sample.1 : firewall of a cable modem
# Security level : Low
#
#
# Setup :
#
# eth0 : connected to the internal LAN
# eth1 : connected to the outside
#
# loopback
pass out quick on lo from 0.0.0.0/0 to 0.0.0.0/0
pass in quick on lo from 0.0.0.0/0 to 0.0.0.0/0
#
# eth0
#
# We trust all the users of the internal LAN
# (I do this because I'm _alone_ in the LAN. You
# may want to write more restrictive rules)
#
# Masquerading :
#
#
# accept whatever on eth0
pass out quick on eth0 from 0.0.0.0/0 to 0.0.0.0/0
pass in quick on eth0 from 0.0.0.0/0 to 0.0.0.0/0
# spoofing
block in quick on eth1 from 192.168.0.0/16 to 0.0.0.0/0
block in quick on eth1 from 172.16.0.0/12 to 0.0.0.0/0
block in quick on eth1 from 10.0.0.0/8 to 0.0.0.0/0
block in quick on eth1 from 127.0.0.0/8 to 0.0.0.0/0
block out quick on eth1 from 192.168.0.0/16 to 0.0.0.0/0
block out quick on eth1 from 172.16.0.0/12 to 0.0.0.0/0
block out quick on eth1 from 10.0.0.0/8 to 0.0.0.0/0
block out quick on eth1 from 127.0.0.0/8 to 0.0.0.0/0
# accept DHCP via UDP and TCP
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 68 to 212.198.0.0/16 port = 67 keep state
pass out quick on eth1 proto tcp from 0.0.0.0/0 port = 68 to 212.198.0.0/16 port = 67 flags S keep state
# accept DNS
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 53 to 0.0.0.0/0 port = 53 keep state
pass out quick on eth1 proto udp from 0.0.0.0/0 port 1023 >< 65535 to 0.0.0.0/0 port = 53 keep state
# accept NTP
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 123 to 0.0.0.0/0 port = 123 keep state
# reject auth
*** sample_1.hlfl : Error line 52 : Syntax error
Part 2: Adding the -v option -> Segmentation fault.
-----
% pwd
/usr/pkg/share/hlfl
% hlfl -v -t ipfilter sample_1.hlfl
Segmentation fault
>Fix:
diff -uNr hlfl/Makefile hlfl.new/Makefile
--- hlfl/Makefile 2004-07-06 16:49:59.000000000 +0900
+++ hlfl.new/Makefile 2004-09-30 01:15:06.000000000 +0900
@@ -2,6 +2,7 @@
#
DISTNAME= hlfl-0.60.1
+PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= http://www.hlfl.org/hlfl/ \
ftp://ftp.hlfl.org/pub/hlfl/
diff -uNr hlfl/distinfo hlfl.new/distinfo
--- hlfl/distinfo 2004-07-06 16:50:01.000000000 +0900
+++ hlfl.new/distinfo 2004-09-30 01:13:08.000000000 +0900
@@ -2,3 +2,7 @@
SHA1 (hlfl-0.60.1.tar.bz2) = 5438a393c0231852e7823591fe7ae24a7270c7c8
Size (hlfl-0.60.1.tar.bz2) = 86954 bytes
+SHA1 (patch-aa) = d93814f84c2719a881e1fe469134ed7aebccc7aa
+SHA1 (patch-ab) = e43f3f2cd6c4160a913c025f1ae114391048e81b
+SHA1 (patch-ac) = 2f5cdafb72ad9a62385fca574c52845c9c224e58
+SHA1 (patch-ad) = 1788ce450c83dd508a953d4b1c3d9004c026bedd
diff -uNr hlfl/patches/patch-aa hlfl.new/patches/patch-aa
--- hlfl/patches/patch-aa 1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-aa 2004-09-30 01:11:57.000000000 +0900
@@ -0,0 +1,15 @@
+$NetBSD$
+
+--- NEWS.orig 2002-02-20 23:14:44.000000000 +0900
++++ NEWS
+@@ -1,3 +1,10 @@
++Oct 6, 2003 -- Version 0.60.1
++- ipchains now ACCEPT packets by default
++- malloc() are now checked
++- cisco accepts comments, netmask
++- spaces and tabs are better managed
++- as always, bugfixes here and there
++
+ Feb 20, 2002 -- Version 0.60.0
+ - dev system use autoconf 2.52 / automake 1.5
+ - verbose operators
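Review bot: patch-aa touches only the upstream NEWS file, so it changes nothing in the built package and has to be regenerated on every hlfl update for no functional gain; consider dropping it from pkgsrc and leaving the 0.60.1 changelog entry ("malloc() are now checked", etc.) to upstream, or state in the PR why the package needs to carry it.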
diff -uNr hlfl/patches/patch-ab hlfl.new/patches/patch-ab
--- hlfl/patches/patch-ab 1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ab 2004-09-30 01:11:57.000000000 +0900
@@ -0,0 +1,31 @@
+$NetBSD$
+
+--- src/hlfl.c.orig 2004-09-30 01:11:05.000000000 +0900
++++ src/hlfl.c
+@@ -58,7 +58,7 @@ struct definition *definitions = NULL;
+
+ #ifdef HAVE_GETOPT
+ /* option string for getopt() or getopt_long() */
+-char *optstr = "hvV:c:t:o:";
++char *optstr = "c:t:o:hvV";
+ #ifdef HAVE_GETOPT_LONG
+ /* array of long option structs for getopt_long() */
+ struct option long_options[] = {
+@@ -66,7 +66,7 @@ struct option long_options[] = {
+ {"output", 1, 0, 'o'},
+ {"type", 1, 0, 't'},
+ {"version", 0, 0, 'V'},
+- {"verbose", 1, 0, 'v'},
++ {"verbose", 0, 0, 'v'},
+ {"check", 1, 0, 'c'},
+ {0, 0, 0, 0}
+ };
+@@ -1173,7 +1173,7 @@ char **argv;
+ break;
+ }
+ case 'v':{
+- verbose_level = atoi(optarg);
++ verbose_level = 1;
+ break;
+ }
+ case 'V':{
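Review bot: the Part 2 segfault is the mismatch between `optstr` and the `-v` handler: the old `char *optstr = "hvV:c:t:o:";` declares `v` with no argument, yet `case 'v'` calls `atoi(optarg)`, so `hlfl -v -t ipfilter ...` passes a NULL `optarg` to `atoi()`; the old long option `{"verbose", 1, 0, 'v'}` required an argument, so `-v` and `--verbose` disagreed as well. The new `optstr = "c:t:o:hvV"`, `{"verbose", 0, 0, 'v'}` and `verbose_level = 1;` make the short and long forms agree and stop reading `optarg`, which removes the crash. Two points worth stating in the PR: the old `V:` made `-V` demand an argument while `{"version", 0, 0, 'V'}` did not, so this hunk silently fixes `-V` too; and the fix discards numeric verbosity levels altogether, so if more than one level is wanted, `verbose_level++` (a repeatable `-v`) keeps the no-argument form without reintroducing a NULL `optarg`.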
diff -uNr hlfl/patches/patch-ac hlfl.new/patches/patch-ac
--- hlfl/patches/patch-ac 1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ac 2004-09-30 01:11:58.000000000 +0900
@@ -0,0 +1,23 @@
+$NetBSD$
+
+--- src/hlfl.def.orig 2002-10-27 20:43:28.000000000 +0900
++++ src/hlfl.def
+@@ -4,15 +4,15 @@
+ DEF("<->", ACCEPT_TWO_WAYS)
+ DEF("<=>>", ACCEPT_TWO_WAYS_ESTABLISHED)
+ DEF("<<=>", ACCEPT_TWO_WAYS_ESTABLISHED_REVERSE)
+-DEF("X->", DENY_OUT)
+-DEF("<-X", DENY_IN)
+ DEF("<-X!", REJECT_IN)
+ DEF("X!->", REJECT_OUT)
+ DEF("!X->", REJECT_OUT)
+ DEF("X!", REJECT_ALL)
+-DEF("X", DENY_ALL)
++DEF("X->", DENY_OUT)
++DEF("<-X", DENY_IN)
+ DEF("->", ACCEPT_ONE_WAY)
+ DEF("<-", ACCEPT_ONE_WAY_REVERSE)
++DEF("X", DENY_ALL)
+ DEF("accept", ACCEPT)
+ DEF("deny", DENY)
+ DEF("reject", REJECT)
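Review bot: this reorder only works if operator lookup is a first-match scan of the DEF table, because the new order places each operator after every longer operator that has it as a prefix (`<-X!` ahead of `<-X`, `X!->` and `X->` ahead of `X`, `<-X` ahead of `<-`); with the old order `<-X` would match the first three characters of `<-X!` and leave a stray `!`, which is consistent with the Part 1 syntax error reported at the `reject auth` rule. That ordering constraint is now load-bearing but undocumented: add a comment at the head of the DEF list saying that longer operators must precede any operator that is their prefix, or better, have the matcher select the longest match so the table order stops mattering.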
diff -uNr hlfl/patches/patch-ad hlfl.new/patches/patch-ad
--- hlfl/patches/patch-ad 1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ad 2004-09-30 01:11:58.000000000 +0900
@@ -0,0 +1,13 @@
+$NetBSD$
+
+--- src/linux_netfilter.c.orig 2003-06-17 07:17:59.000000000 +0900
++++ src/linux_netfilter.c
+@@ -15,7 +15,7 @@
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+- * Reference : http://netfilter.kernelnotes.org/iptables-HOWTO-7.html
++ * Reference : http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
+ */
+
+ #include "includes.h"
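Review bot: patch-ad only rewrites a URL inside a comment, so it has no effect on the generated rules and does not on its own justify the PKGREVISION bump; carrying it alongside the functional patches is harmless, but a comment-only change belongs upstream rather than in a pkgsrc patch that must be maintained across releases.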
>Release-Note:
>Audit-Trail:
>Unformatted: