Source-Changes-HG archive
[src/trunk]: src Import IPFilter 3.4.23
details: https://anonhg.NetBSD.org/src/rev/393719f60608
branches: trunk
changeset: 521140:393719f60608
user: martti <martti%NetBSD.org@localhost>
date: Thu Jan 24 08:18:28 2002 +0000
description:
Import IPFilter 3.4.23
diffstat:
dist/ipf/FreeBSD-4.0/INST.FreeBSD-4 | 24 +
dist/ipf/IMPORTANT | 35 -
dist/ipf/IPFILTER.LICENCE | 28 +
dist/ipf/IRIX/Makefile.std | 9 +-
dist/ipf/OpenBSD/2.9-IPv6.diffs | 86 +++
dist/ipf/OpenBSD/3.0-MAKEDEV-diffs | 569 ++++++++++++++++++++
dist/ipf/OpenBSD/3.0-rc-diffs | 83 +++
dist/ipf/OpenBSD/3.0-sys-diffs | 982 ++++++++++++++++++++++++++++++++++++
dist/ipf/OpenBSD/README.3_0 | 77 ++
dist/ipf/OpenBSD/fixdist-3.0 | 434 +++++++++++++++
dist/ipf/OpenBSD/makedevs-3.0 | 72 ++
dist/ipf/OpenBSD/mknewipf.sh | 21 +
dist/ipf/common.c | 61 +-
dist/ipf/etc/protocols | 10 +-
dist/ipf/etc/services | 1 +
dist/ipf/ip_ipsec_pxy.c | 294 ++++++++++
dist/ipf/ip_netbios_pxy.c | 111 ++++
dist/ipf/iplang/iplang.h | 6 +-
dist/ipf/ipsd/ipsd.c | 8 +-
dist/ipf/ipsd/ipsd.h | 6 +-
dist/ipf/ipsd/ipsdr.c | 8 +-
dist/ipf/ipsd/linux.h | 6 +-
dist/ipf/ipsd/sbpf.c | 6 +-
dist/ipf/ipsd/sdlpi.c | 6 +-
dist/ipf/ipsd/slinux.c | 6 +-
dist/ipf/ipsd/snit.c | 6 +-
dist/ipf/ipsend/arp.c | 15 +-
dist/ipf/ipsend/hpux.c | 6 +-
dist/ipf/ipsend/ipresend.c | 15 +-
dist/ipf/ipsend/ipsend.h | 14 +-
dist/ipf/ipsend/ipsopt.c | 20 +-
dist/ipf/ipsend/iptests.c | 32 +-
dist/ipf/ipsend/larp.c | 8 +-
dist/ipf/ipsend/linux.h | 6 +-
dist/ipf/ipsend/lsock.c | 8 +-
dist/ipf/ipsend/sbpf.c | 10 +-
dist/ipf/ipsend/sdlpi.c | 11 +-
dist/ipf/ipsend/sirix.c | 6 +-
dist/ipf/ipsend/slinux.c | 8 +-
dist/ipf/ipsend/snit.c | 8 +-
dist/ipf/ipsend/ultrix.c | 6 +-
dist/ipf/man/ipfs.8 | 10 +-
dist/ipf/mlfk_ipl.c | 8 +-
dist/ipf/printnat.c | 461 ++++++++++++++++
dist/ipf/printstate.c | 141 +++++
dist/ipf/samples/Makefile | 18 +-
dist/ipf/test/expected/f13 | 72 ++
dist/ipf/test/expected/ni1 | 3 +
dist/ipf/test/expected/ni2 | 10 +
dist/ipf/test/input/f13 | 4 +
dist/ipf/test/input/ipf6-1 | 26 +
dist/ipf/test/input/ni1 | 6 +
dist/ipf/test/input/ni2 | 161 +++++
dist/ipf/test/natipftest | 28 +
dist/ipf/test/regress/ipf6-1 | 3 +
dist/ipf/test/regress/ni1.ipf | 4 +
dist/ipf/test/regress/ni1.nat | 1 +
dist/ipf/test/regress/ni2.ipf | 1 +
dist/ipf/test/regress/ni2.nat | 1 +
sys/netinet/ip_ipsec_pxy.c | 294 ++++++++++
sys/netinet/ip_netbios_pxy.c | 111 ++++
61 files changed, 4280 insertions(+), 211 deletions(-)
diffs (truncated from 5247 to 300 lines):
diff -r df0b247c4456 -r 393719f60608 dist/ipf/FreeBSD-4.0/INST.FreeBSD-4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FreeBSD-4.0/INST.FreeBSD-4 Thu Jan 24 08:18:28 2002 +0000
@@ -0,0 +1,24 @@
+To build a kernel with the IP filter, follow these seven steps:
+
+ 1. do "make freebsd4"
+
+ 2. do "make install-bsd"
+ (probably has to be done as root)
+
+ 3. run "FreeBSD-4/kinstall" as root
+
+ 4. build a new kernel
+
+ 5. install the new kernel
+
+ 6. If not using DEVFS, create devices for IP Filter as follows:
+ mknod /dev/ipl c 79 0
+ mknod /dev/ipnat c 79 1
+ mknod /dev/ipstate c 79 2
+ mknod /dev/ipauth c 79 3
+
+ 7. reboot
+
+
+Darren Reed
+darrenr%pobox.com@localhost
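Review bot: step 6 creates the four device nodes with mknod alone, so their mode and owner depend on the umask and user in effect when the admin runs it. The instructions should state the intended owner and mode for /dev/ipl, /dev/ipnat, /dev/ipstate and /dev/ipauth, for example a chown to root and a chmod 600 after the mknod lines. Step 3 also says "FreeBSD-4/kinstall" while this file is imported under FreeBSD-4.0/, so the path the reader is expected to type should be confirmed.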
diff -r df0b247c4456 -r 393719f60608 dist/ipf/IMPORTANT
--- a/dist/ipf/IMPORTANT Thu Jan 24 07:45:33 2002 +0000
+++ b/dist/ipf/IMPORTANT Thu Jan 24 08:18:28 2002 +0000
@@ -3,41 +3,6 @@
****************************************
1)
-If you're using this software and have a rule which ends like this:
-
-flags S
-
-(for TCP), then to make it totally effective, you need to change it to appear
-as follows:
-
-flags S/SA
-
-The problem is that the old code would compare all the TCP flags against the
-rule (which just has "S") to see if that matched exactly. It is very possible
-for this to not be the case and in these cases, the rule would fail to match
-a 'valid' TCP SYN packet.
-
-Why does it need to be "S/SA" and not "S/S" ?
-
-"S/S" will match the SYN-ACK as well the SYN.
-
-By defalt, "flags S" will now be converted to "flags S/AUPRFS".
-
-If you have any queries regarding this, see the examples and ipf(4).
-If you still have a query or suggestion, please email me.
-
-
-2)
-
-If a filter rule used, in combination port comparisons and the flags
-keywords, a "short" TCP packet, if not explicitly blocked high up in
-the list of packets, would actually get matched even though it would
-otherwise not have been (due to the ports not). This behaviour has
-subsequently been fixed.
-
-
-3)
-
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
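Review bot: the removed items 1) and 2) were the only text in this file explaining that a rule ending in "flags S" should be written "flags S/SA", that it is now converted to "flags S/AUPRFS", and that short TCP packets used to match rules combining ports and flags. Anyone carrying an old rule set forward loses that upgrade note, so confirm the behaviour is still covered in ipf(4) and the examples the removed text pointed to, or keep a one-line pointer here.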
diff -r df0b247c4456 -r 393719f60608 dist/ipf/IPFILTER.LICENCE
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/IPFILTER.LICENCE Thu Jan 24 08:18:28 2002 +0000
@@ -0,0 +1,28 @@
+Copyright (C) 1993-2002 by Darren Reed.
+
+The author accepts no responsibility for the use of this software and
+provides it on an ``as is'' basis without express or implied warranty.
+
+Redistribution and use, with or without modification, in source and binary
+forms, are permitted provided that this notice is preserved in its entirety
+and due credit is given to the original author and the contributors.
+
+The licence and distribution terms for any publically available version or
+derivative of this code cannot be changed. i.e. this code cannot simply be
+copied, in part or in whole, and put under another distribution licence
+[including the GNU Public Licence.]
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+I hate legalese, don't you ?
+
diff -r df0b247c4456 -r 393719f60608 dist/ipf/IRIX/Makefile.std
--- a/dist/ipf/IRIX/Makefile.std Thu Jan 24 07:45:33 2002 +0000
+++ b/dist/ipf/IRIX/Makefile.std Thu Jan 24 08:18:28 2002 +0000
@@ -28,8 +28,13 @@
ML=mli_ipl.c
MLD=$(ML)
IPFILC=ip_fil.c
-MLFLAGS=-G 0
+#if defined(IPFLKM) && !empty(IPFLKM)
+MLFLAGS= -G 0
LKM=ipflkm.o
+#else
+MLFLAGS= -G 8
+LKM=ipfilter.o
+#endif
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
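Review bot: the added "#if defined(IPFLKM) && !empty(IPFLKM)" / "#else" / "#endif" lines only behave as a conditional under a make that interprets "#if" directives. A make that treats lines starting with "#" as comments will execute both sets of assignments, leaving MLFLAGS= -G 8 and LKM=ipfilter.o even when IPFLKM is set. A comment above the block naming the make this file requires would make that dependency explicit.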
@@ -226,7 +231,7 @@
-$(INSTALL) -F $(MANDIR)/man1 -m 444 -src $(TOP)/ipsend/ipresend.1 -O ipresend.1
-$(INSTALL) -F $(MANDIR)/man1 -m 444 -src $(TOP)/ipsend/iptest.1 -O iptest.1
-$(INSTALL) -F $(MANDIR)/man5 -m 444 -src $(TOP)/ipsend/ipsend.5 -O ipsend.5
- -$(INSTALL) -F $(MANDIR)/man1 -m 444 -src $(TOP)/man/ipnat.1 -O ipnat.1
+ -$(INSTALL) -F $(MANDIR)/man8 -m 444 -src $(TOP)/man/ipnat.8 -O ipnat.8
-$(INSTALL) -F $(MANDIR)/man1 -m 444 -src $(TOP)/man/ipftest.1 -O ipftest.1
-$(INSTALL) -F $(MANDIR)/man4 -m 444 -src $(TOP)/man/ipf.4 -O ipf.4
-$(INSTALL) -F $(MANDIR)/man4 -m 444 -src $(TOP)/man/ipl.4 -O ipl.4
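Review bot: the changed ipnat line keeps its leading "-", so make ignores a failed install; if $(TOP)/man/ipnat.8 or the man8 destination is missing, the page is skipped without any error. Worth confirming that man/ipnat.8 is the name the tree actually ships before relying on this rule.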
diff -r df0b247c4456 -r 393719f60608 dist/ipf/OpenBSD/2.9-IPv6.diffs
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/OpenBSD/2.9-IPv6.diffs Thu Jan 24 08:18:28 2002 +0000
@@ -0,0 +1,86 @@
+*** ip6_input.c.orig Sun Sep 2 12:51:02 2001
+--- ip6_input.c Mon Sep 3 22:25:23 2001
+***************
+*** 130,135 ****
+--- 130,138 ----
+ #ifdef PULLDOWN_TEST
+ static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int));
+ #endif
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ #endif
+
+ /*
+ * IP6 initialization: fill in IP6 protocol switch table.
+***************
+*** 274,279 ****
+--- 277,302 ----
+ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
+ goto bad;
+ }
++
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ /*
++ * Check if we want to allow this packet to be processed.
++ * Consider it to be bad if not.
++ */
++ if (fr_checkp != NULL) {
++ struct mbuf *m0 = m;
++
++ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6),
++ m->m_pkthdr.rcvif, 0, &m0)) {
++ return;
++ }
++ m = m0;
++ if (m == 0) { /* in case of 'fastroute' */
++ return;
++ }
++ ip6 = mtod(m, struct ip6_hdr *);
++ }
++ #endif
+
+ ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
+
+*** ip6_output.c.orig Sun Sep 2 12:51:21 2001
+--- ip6_output.c Mon Sep 3 22:27:46 2001
+***************
+*** 113,118 ****
+--- 113,122 ----
+ struct mbuf *ip6e_dest2;
+ };
+
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ #endif
++
+ static int ip6_pcbopts __P((struct ip6_pktopts **, struct mbuf *,
+ struct socket *));
+ static int ip6_setmoptions __P((int, struct ip6_moptions **, struct mbuf *));
+***************
+*** 910,915 ****
+--- 914,938 ----
+ m->m_pkthdr.rcvif = NULL;
+ }
+
++
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ /*
++ * looks like most checking has been done now...do a filter check
++ */
++ if (fr_checkp != NULL) {
++ struct mbuf *m1 = m;
++ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) {
++ error = EHOSTUNREACH;
++ goto done;
++ }
++ m = m1;
++ if (m1 == 0) { /* in case of 'fastroute' */
++ error = 0;
++ goto done;
++ }
++ ip6 = mtod(m, struct ip6_hdr *);
++ }
++ #endif
+ /*
+ * Send the packet to the outgoing interface.
+ * If necessary, do IPv6 fragmentation before sending.
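Review bot: in the ip6_input.c change, a non-zero return from (*fr_checkp)() leads to a bare "return;" rather than "goto bad", so the mbuf is released only if the filter has already freed it; the "goto done" path in ip6_output.c rests on the same assumption. The comment should state that fr_checkp owns and frees the packet when it blocks, since otherwise every dropped packet leaks an mbuf. Minor: the two sites test "m == 0" and "m1 == 0"; testing the same variable against NULL in both would read more consistently.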
diff -r df0b247c4456 -r 393719f60608 dist/ipf/OpenBSD/3.0-MAKEDEV-diffs
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/OpenBSD/3.0-MAKEDEV-diffs Thu Jan 24 08:18:28 2002 +0000
@@ -0,0 +1,569 @@
+diff -cr src.30/etc/etc.alpha/MAKEDEV src/etc/etc.alpha/MAKEDEV
+*** src.30/etc/etc.alpha/MAKEDEV Thu Jul 5 12:54:06 2001
+--- src/etc/etc.alpha/MAKEDEV Fri Dec 28 12:43:16 2001
+***************
+*** 83,88 ****
+--- 83,89 ----
+ # *random inkernal random data source
+ # uk* SCSI Unknown device
+ # ss* SCSI scanners
++ # ipl IP filter log
+ # altq ALTQ control interface
+ # iop I2O controller device
+
+***************
+*** 161,167 ****
+ sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
+ sh $this pf audio0 tun0 tun1 tun2 tun3
+ sh $this ttyB0 ttyB1 tty00 tty01 lkm
+! sh $this mmclock lpa0 lpt0 random
+ sh $this uk0 uk1 ss0 ss1
+ sh $this ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6 ttyc7
+ sh $this local xfs0 altq
+--- 162,168 ----
+ sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
+ sh $this pf audio0 tun0 tun1 tun2 tun3
+ sh $this ttyB0 ttyB1 tty00 tty01 lkm
+! sh $this mmclock lpa0 lpt0 random ipl
+ sh $this uk0 uk1 ss0 ss1
+ sh $this ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6 ttyc7
+ sh $this local xfs0 altq
+***************
+*** 495,500 ****
+--- 496,510 ----
+ mknod pf c 35 0
+ chown root.wheel pf
+ chmod 600 pf
++ ;;
++
++ ipl)
++ rm -f ipl ipnat ipstate ipauth
++ mknod ipl c 37 0
++ mknod ipnat c 37 1
++ mknod ipstate c 37 2
++ mknod ipauth c 37 3
++ chown root.wheel ipl ipnat ipstate ipauth
+ ;;
+
+ tun*)
+diff -cr src.30/etc/etc.amiga/MAKEDEV src/etc/etc.amiga/MAKEDEV
+*** src.30/etc/etc.amiga/MAKEDEV Thu Jun 28 12:58:53 2001
+--- src/etc/etc.amiga/MAKEDEV Fri Dec 28 12:45:25 2001
+***************
+*** 86,91 ****
+--- 86,92 ----
+ # lkm loadable kernel modules interface
+ # bpf* Berkeley Packet Filter
+ # tun* network tunnel driver
++ # ipf IP filter
+ # ss* SCSI scanners
+ # uk* SCSI Unknown device
+ # *random inkernal random data source
+***************
+*** 168,174 ****
+ sh $this vnd0 vnd1 vnd2 vnd3 vnd4 vnd5 vnd6 cd0 cd1 fd0 fd1 fd2 fd3
+ sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
+ sh $this view00 view01 view02 view03 view04 view05 pty0 pty1
+! sh $this lpa0 lpa1 lpt0 lpt1 lpt2
+ sh $this ccd0 ccd1 ccd2 ccd3 wd0 wd1 ch0 uk0 uk1
+ sh $this pf tun0 tun1 par0 lkm ss0 random audio0 xfs0 altq local
+ ;;
+--- 169,175 ----
+ sh $this vnd0 vnd1 vnd2 vnd3 vnd4 vnd5 vnd6 cd0 cd1 fd0 fd1 fd2 fd3
+ sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
+ sh $this view00 view01 view02 view03 view04 view05 pty0 pty1
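Review bot: the new ipl) case in etc.alpha/MAKEDEV runs mknod and chown but no chmod, while the pf case directly above it ends with "chmod 600 pf"; without it the mode of ipl, ipnat, ipstate and ipauth depends on the umask in effect when MAKEDEV runs. Add a chmod line to match pf. The header comments also differ between ports ("# ipl IP filter log" on alpha, "# ipf IP filter" on amiga, where the rest of the hunk is not shown); each comment should name the target that is actually added.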