Source-Changes-HG archive
[src/trunk]: src/dist/ipf Resolve conflicts.
details: https://anonhg.NetBSD.org/src/rev/812f8e7c8b9c
branches: trunk
changeset: 481543:812f8e7c8b9c
user: veego <veego%NetBSD.org@localhost>
date: Tue Feb 01 20:31:10 2000 +0000
description:
Resolve conflicts.
diffstat:
dist/ipf/HISTORY | 39 ++++++++++++++++++++++++++++-
dist/ipf/fils.c | 10 ++++---
dist/ipf/ip_lfil.c | 2 +-
dist/ipf/ip_sfil.c | 2 +-
dist/ipf/ipmon.c | 13 ++++++---
dist/ipf/ipt.c | 2 +-
dist/ipf/man/ipf.5 | 5 ++-
dist/ipf/man/ipmon.8 | 2 +-
dist/ipf/parse.c | 69 +++++++++++++++++++++++++++++++++------------------
9 files changed, 103 insertions(+), 41 deletions(-)
diffs (truncated from 362 to 300 lines):
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/HISTORY
--- a/dist/ipf/HISTORY Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/HISTORY Tue Feb 01 20:31:10 2000 +0000
@@ -8,7 +8,7 @@
#
# Thanks to Tel.Net Media for allowing me to maintain and further develop
# IP Filter as part of my job and supplying Sun equipment for testing the
-# move to 64bits.
+# move to 64bits and Gigabit Ethernet.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
@@ -20,6 +20,43 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.3.8 01/02/2000 - Released
+
+fix state handling of SYN packets.
+
+add parsing recognition of extra icmp types/codes and fix handling of
+icmp time stamps and mask requests - Frank volf
+
+3.3.7 25/01/2000 - Released
+
+sync on state information as well as NAT information when required
+
+record nat protocol in all nat log records
+
+don't reuse the IP# from an active NAT session if the IP# in the rule
+has changed dynamically.
+
+lookup the protocol for NAT log information in ipmon and pass that to
+portname.
+
+fix the bug with changing the outbound interface of a packet where it
+would lead to a panic.
+
+use fr_running instead of ipl_inited. (sysctl name change on freebsd)
+
+return EIO if someone attempts an ioctl on state/nat if ipfilter is not
+enabled.
+
+fix rule insertion bug
+
+make state flushing clean anything that's not fully established (4/4)
+
+call fr_state_flush() after we've released ipf_state so we don't generate
+a recursive mutex acquisition panic
+
+fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
+some patches to enhance parsing strength
+
3.3.6 28/12/1999 - Released
add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/fils.c
--- a/dist/ipf/fils.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/fils.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: fils.c,v 1.2 1999/12/11 23:33:07 veego Exp $ */
+/* $NetBSD: fils.c,v 1.3 2000/02/01 20:31:10 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -53,7 +53,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)Id: fils.c,v 2.2.2.4 1999/12/04 02:06:24 darrenr Exp";
+static const char rcsid[] = "@(#)Id: fils.c,v 2.2.2.5 2000/01/27 08:49:40 darrenr Exp";
#endif
extern char *optarg;
@@ -240,11 +240,13 @@
PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
fp->f_st[0].fr_nom);
- PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
+ PRINTF(" counted %lu short %lu\n",
+ fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
fp->f_st[1].fr_nom);
- PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
+ PRINTF(" counted %lu short %lu\n",
+ fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
PRINTF("output packets logged:\tblocked %lu passed %lu\n",
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/ip_lfil.c
--- a/dist/ipf/ip_lfil.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/ip_lfil.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_lfil.c,v 1.1.1.2 2000/02/01 20:11:16 veego Exp $ */
+/* $NetBSD: ip_lfil.c,v 1.2 2000/02/01 20:31:10 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/ip_sfil.c
--- a/dist/ipf/ip_sfil.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/ip_sfil.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_sfil.c,v 1.1.1.2 2000/02/01 20:11:19 veego Exp $ */
+/* $NetBSD: ip_sfil.c,v 1.2 2000/02/01 20:31:11 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/ipmon.c
--- a/dist/ipf/ipmon.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/ipmon.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipmon.c,v 1.2 1999/12/11 23:33:07 veego Exp $ */
+/* $NetBSD: ipmon.c,v 1.3 2000/02/01 20:31:11 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed";
-static const char rcsid[] = "@(#)Id: ipmon.c,v 2.3.2.3 1999/11/28 04:05:28 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp";
#endif
#ifndef SOLARIS
@@ -363,6 +363,7 @@
char *t = line;
struct tm *tm;
int res, i, len;
+ char *proto;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
@@ -389,14 +390,16 @@
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);
+ proto = getproto(nl->nl_p);
+
(void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
- portname(res, NULL, (u_int)nl->nl_inport));
+ portname(res, proto, (u_int)nl->nl_inport));
t += strlen(t);
(void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
- portname(res, NULL, (u_int)nl->nl_outport));
+ portname(res, proto, (u_int)nl->nl_outport));
t += strlen(t);
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
- portname(res, NULL, (u_int)nl->nl_origport));
+ portname(res, proto, (u_int)nl->nl_origport));
t += strlen(t);
if (nl->nl_type == NL_EXPIRE) {
#ifdef USE_QUAD_T
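Review bot: The three sprintf() calls that now receive `proto` are still unbounded writes into `t`, and with OPT_RESOLVE set the hostname() results are presumably reverse-DNS names, i.e. data an outside party controls and that can be up to 255 bytes each, so three of them plus three port names written back-to-back may overrun `line` (declared above the hunk, size not visible). I would switch each call to a length-tracked snprintf, e.g. `(void) snprintf(t, sizeof(line) - (t - line), "%s,%s <- -> ", hostname(res, nl->nl_inip), portname(res, proto, (u_int)nl->nl_inport));`, assuming `line` is a fixed-size array; if it is a pointer the bound has to come from wherever it is allocated. getproto() may return NULL for a protocol number it does not know; the old code passed NULL here unconditionally, so portname() presumably tolerates it, but that is worth confirming rather than assuming. The enclosing function starts and ends outside the hunk.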
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/ipt.c
--- a/dist/ipf/ipt.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/ipt.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipt.c,v 1.1.1.2 2000/02/01 20:11:23 veego Exp $ */
+/* $NetBSD: ipt.c,v 1.2 2000/02/01 20:31:11 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/man/ipf.5
--- a/dist/ipf/man/ipf.5 Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/man/ipf.5 Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipf.5,v 1.2 1999/12/11 23:39:12 veego Exp $
+.\" $NetBSD: ipf.5,v 1.3 2000/02/01 20:31:13 veego Exp $
.\"
.TH IPF 5
.SH NAME
@@ -74,7 +74,8 @@
"inforep" | "maskreq" | "maskrep" | decnumber .
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
+ "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
+ "filter-prohib" | "host-preced" | "cutoff-preced" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
"addext" | "visa" | "imitd" | "eip" | "finn" .
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/man/ipmon.8
--- a/dist/ipf/man/ipmon.8 Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/man/ipmon.8 Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipmon.8,v 1.2 1999/12/28 07:40:13 darrenr Exp $
+.\" $NetBSD: ipmon.8,v 1.3 2000/02/01 20:31:13 veego Exp $
.\"
.TH ipmon 8
.SH NAME
diff -r adf2ff3fb63b -r 812f8e7c8b9c dist/ipf/parse.c
--- a/dist/ipf/parse.c Tue Feb 01 20:11:02 2000 +0000
+++ b/dist/ipf/parse.c Tue Feb 01 20:31:10 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.c,v 1.2 1999/12/28 07:40:12 darrenr Exp $ */
+/* $NetBSD: parse.c,v 1.3 2000/02/01 20:31:11 veego Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)Id: parse.c,v 2.1.2.4 1999/12/11 05:30:26 darrenr Exp";
+static const char rcsid[] = "@(#)Id: parse.c,v 2.1.2.8 2000/01/27 08:49:42 darrenr Exp";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -129,16 +129,25 @@
if (!strcasecmp("block", *cpp)) {
fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19))
+ if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
+ (i = 19))
fil.fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11))
+ else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
fil.fr_flags |= FR_RETICMP;
if (fil.fr_flags & FR_RETICMP) {
cpp++;
- i = 11;
- if ((strlen(*cpp) > i) && (*(*cpp + i) != '('))
- i = 19;
- if (*(*cpp + i) == '(') {
+ if (strlen(*cpp) == i) {
+ if (*(cpp + 1) && **(cpp +1) == '(') {
+ cpp++;
+ i = 0;
+ } else
+ i = -1;
+ }
+
+ /*
+ * The ICMP code is not required to follow in ()'s
+ */
+ if ((i >= 0) && (*(*cpp + i) == '(')) {
i++;
j = icmpcode(*cpp + i);
if (j == -1) {
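Review bot: Both strncasecmp() calls dereference `*(cpp+1)` without checking it, so a rule line that ends with the word `block` passes a NULL pointer to strncasecmp() and crashes the parser, if the token vector is NULL-terminated as the `!*++cpp` checks added elsewhere in this commit imply. Guarding both tests fixes it without restructuring: `if (*(cpp+1) && !strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && (i = 19))` and `else if (*(cpp+1) && !strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))`. As a point of style, smuggling the prefix length in through `(i = 19)` / `(i = 11)` inside the condition is easy to misread as a comparison; assigning `i` in the branch body would say the same thing plainly. The `strlen(*cpp) == i` comparison mixes size_t with what is presumably an int `i` (declared outside the hunk); harmless for 11 and 19 but it will warn with -Wsign-compare. The enclosing function starts before and continues after this hunk.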
@@ -185,7 +194,11 @@
fac = 0;
pri = 0;
- cpp++;
+ if (!*++cpp) {
+ fprintf(stderr, "%d: %s\n", linenum,
+ "missing identifier after level");
+ return NULL;
+ }
s = index(*cpp, '.');
if (s) {
*s++ = '\0';
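Review bot: The new "missing identifier after level" diagnostic is written as `"%d: %s\n"` with the message passed as a separate literal argument, which differs from the other checks added in this same commit (`"%d: missing 'in'/'out' keyword\n"`, `"%d: missing source specification\n"`) that put the text in the format string. For consistency and one fewer varargs to get wrong I would write it as `fprintf(stderr, "%d: missing identifier after level\n", linenum);`. The NULL check itself is the right fix for `index(*cpp, '.')` on a missing token. The enclosing function starts and ends outside this hunk.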
@@ -219,7 +232,10 @@
fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
return NULL;
}
- cpp++;
+ if (!*++cpp) {
+ fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
+ return NULL;
+ }
if (!strcasecmp("in", *cpp))
fil.fr_flags |= FR_INQUE;
@@ -236,13 +252,11 @@
linenum);
return NULL;
}
- } else {
- fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n",
- linenum, *cpp);
+ }
+ if (!*++cpp) {
+ fprintf(stderr, "%d: missing source specification\n", linenum);
return NULL;
}
- if (!*++cpp)
- return NULL;
if (!strcasecmp("log", *cpp)) {
if (!*++cpp) {
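Review bot: Removing the `else` branch that reported "missing 'in'/'out' keyword (%s)" appears to drop the only rejection of a direction token that is present but not `in` or `out`; the new check added earlier in this commit only catches a *missing* token (`!*++cpp`). If the `if`/`else if` chain above (its head is in the previous hunk) has no other fallback, a typo such as `pass inn from any to any` is now accepted silently with neither FR_INQUE nor FR_OUTQUE set, so the rule the administrator wrote never matches and the firewall fails open on that line instead of refusing to load. I would restore the diagnostic as the final `else` of that chain, keeping the offending token in the message as the old code did.

```c
	/* … unchanged: "in" / "out" branches and the return-icmp check … */
	} else {
		fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n",
			linenum, *cpp);
		return NULL;
	}
	if (!*++cpp) {
```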
@@ -254,15 +268,15 @@
fil.fr_flags |= FR_LOGP;
else if (fil.fr_flags & FR_BLOCK)
fil.fr_flags |= FR_LOGB;
- if (!strcasecmp(*cpp, "body")) {
+ if (*cpp && !strcasecmp(*cpp, "body")) {
fil.fr_flags |= FR_LOGBODY;
cpp++;
}
- if (!strcasecmp(*cpp, "first")) {
+ if (*cpp && !strcasecmp(*cpp, "first")) {
fil.fr_flags |= FR_LOGFIRST;
cpp++;
}
- if (!strcasecmp(*cpp, "or-block")) {
+ if (*cpp && !strcasecmp(*cpp, "or-block")) {
if (!(fil.fr_flags & FR_PASS)) {