Subject: pkg/27105: net/hlfl bug fix
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <ishit@oak.dti.ne.jp>
List: pkgsrc-bugs
Date: 10/01/2004 17:38:24
>Number:         27105
>Category:       pkg
>Synopsis:       net/hlfl bug fix
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 01 17:39:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     ISIHARA Takanori
>Release:        NetBSD/i386 2.0_BETA
>Organization:
Nagoya *BSD Users' Group :-)
>Environment:
NetBSD ishitPc4.home 2.0_BETA NetBSD 2.0_BETA (GENERIC_LAPTOP) #0: Sun Jul 18 01:07:01 UTC 2004  autobuild@tgm.netbsd.org:/autobuild/netbsd-2-0/i386/OBJ/autobuild/netbsd-2-0/src/sys/arch/i386/compile/GENERIC_LAPTOP i386

>Description:
net/hlfl bug fix patches.
Patches from the hlfl-cvs ML (hlfl CVS commit messages mailing list) archives, December 2003 to June 2004.

>How-To-Repeat:
Part 1: A file with no syntax errors -> Syntax error message.
------
% pwd
/usr/pkg/share/hlfl
% hlfl -t ipfilter sample_1.hlfl
#
# ipf(5) rules
#
# Firewall rules generated by hlfl

#
# sample.1 : firewall of a cable modem
#            Security level : Low
#
#
# Setup :
#
#       eth0 : connected to the internal LAN
#       eth1 : connected to the outside
#
# loopback
pass out quick on lo  from 0.0.0.0/0  to 0.0.0.0/0  
pass in quick on lo  from 0.0.0.0/0  to 0.0.0.0/0  
#
# eth0
#
# We trust all the users of the internal LAN
# (I do this because I'm _alone_ in the LAN. You
#  may want to write more restrictive rules)
#
# Masquerading :
#
#
# accept whatever on eth0
pass out quick on eth0  from 0.0.0.0/0  to 0.0.0.0/0  
pass in quick on eth0  from 0.0.0.0/0  to 0.0.0.0/0  
# spoofing
block in quick on eth1  from 192.168.0.0/16  to 0.0.0.0/0  
block in quick on eth1  from 172.16.0.0/12  to 0.0.0.0/0  
block in quick on eth1  from 10.0.0.0/8  to 0.0.0.0/0  
block in quick on eth1  from 127.0.0.0/8  to 0.0.0.0/0  
block out quick on eth1  from 192.168.0.0/16  to 0.0.0.0/0  
block out quick on eth1  from 172.16.0.0/12  to 0.0.0.0/0  
block out quick on eth1  from 10.0.0.0/8  to 0.0.0.0/0  
block out quick on eth1  from 127.0.0.0/8  to 0.0.0.0/0  
# accept DHCP via UDP and TCP
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 68 to 212.198.0.0/16 port = 67 keep state
pass out quick on eth1 proto tcp from 0.0.0.0/0 port = 68 to 212.198.0.0/16 port = 67 flags S keep state
# accept DNS
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 53 to 0.0.0.0/0 port = 53 keep state
pass out quick on eth1 proto udp from 0.0.0.0/0 port 1023 >< 65535 to 0.0.0.0/0 port = 53 keep state
# accept NTP
pass out quick on eth1 proto udp from 0.0.0.0/0 port = 123 to 0.0.0.0/0 port = 123 keep state
# reject auth
*** sample_1.hlfl : Error line 52 : Syntax error



Part 2: Adding the -v option -> Segmentation fault.
-----
% pwd
/usr/pkg/share/hlfl
% hlfl -v -t ipfilter sample_1.hlfl
Segmentation fault


>Fix:
diff -uNr hlfl/Makefile hlfl.new/Makefile
--- hlfl/Makefile	2004-07-06 16:49:59.000000000 +0900
+++ hlfl.new/Makefile	2004-09-30 01:15:06.000000000 +0900
@@ -2,6 +2,7 @@
 #
 
 DISTNAME=		hlfl-0.60.1
+PKGREVISION=		1
 CATEGORIES=		net
 MASTER_SITES=		http://www.hlfl.org/hlfl/ \
 			ftp://ftp.hlfl.org/pub/hlfl/
diff -uNr hlfl/distinfo hlfl.new/distinfo
--- hlfl/distinfo	2004-07-06 16:50:01.000000000 +0900
+++ hlfl.new/distinfo	2004-09-30 01:13:08.000000000 +0900
@@ -2,3 +2,7 @@
 
 SHA1 (hlfl-0.60.1.tar.bz2) = 5438a393c0231852e7823591fe7ae24a7270c7c8
 Size (hlfl-0.60.1.tar.bz2) = 86954 bytes
+SHA1 (patch-aa) = d93814f84c2719a881e1fe469134ed7aebccc7aa
+SHA1 (patch-ab) = e43f3f2cd6c4160a913c025f1ae114391048e81b
+SHA1 (patch-ac) = 2f5cdafb72ad9a62385fca574c52845c9c224e58
+SHA1 (patch-ad) = 1788ce450c83dd508a953d4b1c3d9004c026bedd
diff -uNr hlfl/patches/patch-aa hlfl.new/patches/patch-aa
--- hlfl/patches/patch-aa	1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-aa	2004-09-30 01:11:57.000000000 +0900
@@ -0,0 +1,15 @@
+$NetBSD$
+
+--- NEWS.orig	2002-02-20 23:14:44.000000000 +0900
++++ NEWS
+@@ -1,3 +1,10 @@
++Oct 6, 2003 -- Version 0.60.1
++- ipchains now ACCEPT packets by default
++- malloc() are now checked
++- cisco accepts comments, netmask
++- spaces and tabs are better managed
++- as always, bugfixes here and there
++
+ Feb 20, 2002 -- Version 0.60.0
+ - dev system use autoconf 2.52 / automake 1.5
+ - verbose operators
diff -uNr hlfl/patches/patch-ab hlfl.new/patches/patch-ab
--- hlfl/patches/patch-ab	1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ab	2004-09-30 01:11:57.000000000 +0900
@@ -0,0 +1,31 @@
+$NetBSD$
+
+--- src/hlfl.c.orig	2004-09-30 01:11:05.000000000 +0900
++++ src/hlfl.c
+@@ -58,7 +58,7 @@ struct definition *definitions = NULL;
+ 
+ #ifdef HAVE_GETOPT
+ /* option string for getopt() or getopt_long() */
+-char *optstr = "hvV:c:t:o:";
++char *optstr = "c:t:o:hvV";
+ #ifdef HAVE_GETOPT_LONG
+ /* array of long option structs for getopt_long() */
+ struct option long_options[] = {
+@@ -66,7 +66,7 @@ struct option long_options[] = {
+ 	{"output", 1, 0, 'o'},
+ 	{"type", 1, 0, 't'},
+ 	{"version", 0, 0, 'V'},
+-	{"verbose", 1, 0, 'v'},
++       {"verbose", 0, 0, 'v'},
+ 	{"check", 1, 0, 'c'},
+ 	{0, 0, 0, 0}
+ };
+@@ -1173,7 +1173,7 @@ char **argv;
+ 				break;
+ 			}
+ 		case 'v':{
+-				verbose_level = atoi(optarg);
++                               verbose_level = 1;
+ 				break;
+ 			}
+ 		case 'V':{
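Review bot: The replacement in the `case 'v':` branch pins `verbose_level = 1;`, so the level can no longer be raised above 1 the way the old `atoi(optarg)` value allowed; `verbose_level++;` would keep repeated `-v` meaningful while still removing the crash. The crash itself is presumably the NULL `optarg` that the short option string `hvV:c:t:o:` (no argument for `v`) handed to `atoi()` while the long option table said `{"verbose", 1, 0, 'v'}` took one — the patch now makes both agree, which is the right fix, and the change to `V` (no longer taking an argument) should be checked against the `case 'V':` body, which lies outside the hunk. The replacement lines `{"verbose", 0, 0, 'v'},` and `verbose_level = 1;` are indented with spaces where the surrounding lines use tabs, which will survive into the pkgsrc patch file as whitespace noise. The enclosing getopt switch starts and ends outside the hunk.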
diff -uNr hlfl/patches/patch-ac hlfl.new/patches/patch-ac
--- hlfl/patches/patch-ac	1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ac	2004-09-30 01:11:58.000000000 +0900
@@ -0,0 +1,23 @@
+$NetBSD$
+
+--- src/hlfl.def.orig	2002-10-27 20:43:28.000000000 +0900
++++ src/hlfl.def
+@@ -4,15 +4,15 @@
+ DEF("<->",		ACCEPT_TWO_WAYS)
+ DEF("<=>>",		ACCEPT_TWO_WAYS_ESTABLISHED)
+ DEF("<<=>",		ACCEPT_TWO_WAYS_ESTABLISHED_REVERSE)
+-DEF("X->",		DENY_OUT)
+-DEF("<-X",		DENY_IN)
+ DEF("<-X!",		REJECT_IN)
+ DEF("X!->",		REJECT_OUT)
+ DEF("!X->",		REJECT_OUT)
+ DEF("X!",		REJECT_ALL)
+-DEF("X",		DENY_ALL)
++DEF("X->",             DENY_OUT)
++DEF("<-X",             DENY_IN)
+ DEF("->",		ACCEPT_ONE_WAY)
+ DEF("<-",		ACCEPT_ONE_WAY_REVERSE)
++DEF("X",               DENY_ALL)
+ DEF("accept",		ACCEPT)
+ DEF("deny",		DENY)
+ DEF("reject",		REJECT)
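Review bot: The reordering of the `DEF()` entries in hlfl.def only fixes the spurious syntax error because the table is position-sensitive, and nothing in the file says so, so a later edit that re-sorts the entries would reintroduce the bug. Add a comment above the table, e.g. `/* Order matters: list an operator before any operator that is a prefix of it ("<-X!" before "<-X" before "<-", "X!" before "X"); the lexer appears to take the first entry that matches. */` — the matching rule is inferred from the new order rather than visible here, so confirm it against the lexer before committing the wording. The three moved lines (`DEF("X->", …)`, `DEF("<-X", …)`, `DEF("X", …)`) are aligned with spaces while the neighbouring entries use tabs.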
diff -uNr hlfl/patches/patch-ad hlfl.new/patches/patch-ad
--- hlfl/patches/patch-ad	1970-01-01 09:00:00.000000000 +0900
+++ hlfl.new/patches/patch-ad	2004-09-30 01:11:58.000000000 +0900
@@ -0,0 +1,13 @@
+$NetBSD$
+
+--- src/linux_netfilter.c.orig	2003-06-17 07:17:59.000000000 +0900
++++ src/linux_netfilter.c
+@@ -15,7 +15,7 @@
+  * along with this program; if not, write to the Free Software
+  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+  *
+- * Reference : http://netfilter.kernelnotes.org/iptables-HOWTO-7.html
++ * Reference : http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
+  */
+ 
+ #include "includes.h"

>Release-Note:
>Audit-Trail:
>Unformatted: