authorpattonme <pattonme@cvs.openbsd.org>1998-09-15 09:55:46 +0000
committerpattonme <pattonme@cvs.openbsd.org>1998-09-15 09:55:46 +0000
commit3cd9ba287f3c67bf9402a9ed3c86974e71a32d7e (patch)
tree548b79d7b94f7ef6ebe010f32e62b518b9dd8d5e /sbin/ipf
parent27b061a4a924ebc679eac252e047dc74a15f5fb2 (diff)
Updated to v3.2.9 of Darren's codebase. His code reimplements variable
locking, replaces u_long with u_32_t to properly handle 64-bit archs. Wrapped OpenBSD specific preprocessor logic.
Diffstat (limited to 'sbin/ipf')
-rw-r--r--sbin/ipf/Makefile4
-rw-r--r--sbin/ipf/ipf.116
-rw-r--r--sbin/ipf/ipf.418
-rw-r--r--sbin/ipf/ipf.513
-rw-r--r--sbin/ipf/ipf.c48
-rw-r--r--sbin/ipf/opt.c12
-rw-r--r--sbin/ipf/parse.c36
7 files changed, 101 insertions, 46 deletions
diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
index 960e047452e..4e55c23f66d 100644
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,9 +1,7 @@
-# $OpenBSD: Makefile,v 1.3 1996/06/23 14:30:52 deraadt Exp $
+# $OpenBSD: Makefile,v 1.4 1998/09/15 09:55:44 pattonme Exp $
PROG= ipf
MAN= ipf.1 ipf.4 ipf.5
SRCS= ipf.c parse.c opt.c
-CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -I${.CURDIR}/../../sys/netinet
-
.include <bsd.prog.mk>
diff --git a/sbin/ipf/ipf.1 b/sbin/ipf/ipf.1
index 5efd91b35c6..248f44675c1 100644
--- a/sbin/ipf/ipf.1
+++ b/sbin/ipf/ipf.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipf.1,v 1.12 1998/01/26 04:13:32 dgregor Exp $
+.\" $OpenBSD: ipf.1,v 1.13 1998/09/15 09:55:44 pattonme Exp $
.TH IPF 1
.SH NAME
ipf \- alters packet filtering lists for IP packet input and output
@@ -67,7 +67,7 @@ lists.
.B \-I
Set the list to make changes to the inactive list.
.TP
-.B \-l \0<param>
+.B \-l \0<pass|block|nomatch>
Use of the \fB-l\fP flag toggles default logging of packets. Valid
arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
When an option is set, any packet which exits filtering and matches the
@@ -109,12 +109,20 @@ affect fragment or state statistics).
.DT
.SH FILES
\fI/usr/share/ipf\fP -- sample configuration files.
+.br
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
.SH SEE ALSO
-ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
+ipftest(1), ipnat(1), ipf(4), ipl(4), ipnat(4), ipf(5), ipnat(5), ipfstat(8), ipmon(8)
+.br
+http://coombs.anu.edu.au/ipfilter/
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually
be affected inside the kernel.
.SH BUGS
.PP
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
index 551ac82ed67..d244e0fc057 100644
--- a/sbin/ipf/ipf.4
+++ b/sbin/ipf/ipf.4
@@ -1,9 +1,10 @@
-.\" $OpenBSD: ipf.4,v 1.12 1998/09/01 16:38:17 deraadt Exp $
+.\" $OpenBSD: ipf.4,v 1.13 1998/09/15 09:55:44 pattonme Exp $
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <netinet/ip_fil_compat.h>
+.br
#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
@@ -102,7 +103,7 @@ Flags which are recognised in fr_pass:
FR_LOGFIRST 0x000040 /* log only the first packet to match */
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
- FR_NOMATCH 0x000200 /* no match occurred */
+ FR_NOMATCH 0x000200 /* no match occured */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
FR_KEEPSTATE 0x001000 /* keep `connection' state information */
@@ -140,7 +141,7 @@ from the list(s). The values which it will take and recognise are FR_INQUE
and FR_OUTQUE (see above).
\fBGeneral Logging Flags\fP
-There are two flags which can be set to log packets independently of the
+There are two flags which can be set to log packets independantly of the
rules used. These allow for packets which are either passed or blocked
to be logged. To set (and clear)/get these flags, two ioctls are
provided:
@@ -201,5 +202,14 @@ struct filterstats {
#endif
};
.fi
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
.SH SEE ALSO
-ipfstat(8), ipf(1), ipf(5)
+ipf(1), ipftest(1), ipnat(1), ipl(4), ipnat(4), ipf(5), ipnat(5), ipfstat(8), i
+pmon(8)
+.br
+http://coombs.anu.edu.au/ipfilter/
diff --git a/sbin/ipf/ipf.5 b/sbin/ipf/ipf.5
index f036affb88b..5f469e4927a 100644
--- a/sbin/ipf/ipf.5
+++ b/sbin/ipf/ipf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipf.5,v 1.10 1998/01/26 04:13:34 dgregor Exp $
+.\" $OpenBSD: ipf.5,v 1.11 1998/09/15 09:55:44 pattonme Exp $
.TH IPF 5
.SH NAME
ipf \- IP packet filter rule syntax
@@ -483,5 +483,14 @@ qualifies all service/port names with the protocol specified.
\fI/etc/hosts\fP -- host names
.br
\fI/usr/share/ipf\fP -- sample configuration files
+.br
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
+.br
.SH SEE ALSO
-ipf(1), ipftest(1), mkfilters(1), ipmon(8), ipf(4), hosts(5), services(5)
+ipf(1), ipftest(1), ipnat(1), ipf(4), ipl(4), ipnat(4), hosts(5), ipnat(5), services(5), ipfstat(8), ipmon(8)
+.br
+http://coombs.anu.edu.au/ipfilter/
diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c
index e1fba7a31db..ab2a50cc113 100644
--- a/sbin/ipf/ipf.c
+++ b/sbin/ipf/ipf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipf.c,v 1.11 1998/01/26 04:13:35 dgregor Exp $ */
+/* $OpenBSD: ipf.c,v 1.12 1998/09/15 09:55:44 pattonme Exp $ */
/*
* Copyright (C) 1993-1997 by Darren Reed.
*
@@ -35,13 +35,17 @@
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
-#include "ip_fil_compat.h"
-#include "ip_fil.h"
+#if defined(__OpenBSD__)
+# include <netinet/ip_fil_compat.h>
+#else
+# include <netinet/ip_compat.h>
+#endif
+#include <netinet/ip_fil.h>
#include "ipf.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.11 1998/01/26 04:13:35 dgregor Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 1.12 1998/09/15 09:55:44 pattonme Exp $";
#endif
static void frsync __P((void));
@@ -205,12 +209,10 @@ char *name, *file;
exit(1);
}
- while (getline(line, sizeof(line)-1, fp)) {
+ while (getline(line, sizeof(line), fp)) {
/*
- * treat both CR and LF as EOL
+ * treat CR as EOL. LF is converted to NUL by getline().
*/
- if ((s = index(line, '\n')))
- *s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
@@ -223,7 +225,7 @@ char *name, *file;
continue;
if (opts & OPT_VERBOSE)
- (void)fprintf(stderr, "[%s]\n",line);
+ (void)fprintf(stderr, "[%s]\n", line);
fr = parse(line);
(void)fflush(stdout);
@@ -270,24 +272,34 @@ char *name, *file;
}
}
}
+ if (ferror(fp) || !feof(fp)) {
+ fprintf(stderr, "%s: %s: file error or line too long\n",
+ name, file);
+ exit(1);
+ }
(void)fclose(fp);
}
/*
- * Similar to fgets(3) but can handle '\\'
+ * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
+ * Returns NULL if error occured, EOF encounterd or input line is too long.
*/
static char *getline(str, size, file)
register char *str;
size_t size;
FILE *file;
{
- register char *p;
- register int len;
+ char *p;
+ int s, len;
do {
- for (p = str; ; p += strlen(p) - 1) {
- if (!fgets(p, size, file))
- return(NULL);
+ for (p = str, s = size;; p += len, s -= len) {
+ /*
+ * if an error occured, EOF was encounterd, or there
+ * was no room to put NUL, return NULL.
+ */
+ if (fgets(p, s, file) == NULL)
+ return (NULL);
len = strlen(p);
p[len - 1] = '\0';
if (p[len - 1] != '\\')
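Review bot: The rewritten read loop on L239-L240 still stores through `p[len - 1]` without checking that `len` is non-zero, so an input line that begins with a NUL byte, or an iteration where `s` has shrunk to 1 (fgets() then returns an empty string on common libcs), writes one byte before `p` — before the caller's buffer on the first pass; add `if (len == 0) return (NULL);` directly after the `strlen`. The for-header on L232 now tracks the remaining room in `s`, yet `size` itself is still decremented on the continuation path (`size -= len;` at L243 in the next hunk) and is re-read by `s = size` on every `do` iteration, so a backslash-continued line that collapses to an empty string under-reports the buffer on the following line — L243 can be dropped. As rendered, the test on L241 inspects the byte that L240 just overwrote and so can never see a backslash; if that is not a display artifact, the continuation check must read `p[len - 2]` (guarded by `len >= 2`) before the NUL is stored. getline()'s body is split across this hunk and the next one.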
@@ -295,7 +307,7 @@ FILE *file;
size -= len;
}
} while (*str == '\0' || *str == '\n');
- return(str);
+ return (str);
}
@@ -399,7 +411,9 @@ static void swapactive()
static void frsync()
{
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
+ int frsyn = 0;
+
+ if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
perror("SIOCFRSYN");
else
printf("filter sync'd\n");
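Review bot: The else branch on L257-L258 prints `filter sync'd` when opendevice() returned -2 as well, because the condition on L255 then never issues the ioctl; if -2 is opendevice()'s failure return, the user sees a success message on the failure path. If opendevice() already reports its own error, `if (opendevice(ipfname) == -2) return;` before the ioctl keeps the existing messages and leaves the else branch to mean only a successful SIOCFRSYN. frsync()'s return value semantics for opendevice() are not visible in this hunk, so confirm against its definition.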
diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c
index 1e65c9bd0e0..4e470381ef0 100644
--- a/sbin/ipf/opt.c
+++ b/sbin/ipf/opt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: opt.c,v 1.8 1998/01/26 04:13:37 dgregor Exp $ */
+/* $OpenBSD: opt.c,v 1.9 1998/09/15 09:55:44 pattonme Exp $ */
/*
* Copyright (C) 1993-1997 by Darren Reed.
*
@@ -21,14 +21,18 @@
#include <netinet/tcp.h>
#include <net/if.h>
#include <arpa/inet.h>
-#include "ip_fil_compat.h"
+#if defined(__OpenBSD__)
+# include <netinet/ip_fil_compat.h>
+#else
+# include <netinet/ip_compat.h>
+#endif
#include <netinet/tcpip.h>
-#include "ip_fil.h"
+#include <netinet/ip_fil.h>
#include "ipf.h"
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 1.8 1998/01/26 04:13:37 dgregor Exp $";
+static const char rcsid[] = "@(#)$Id: opt.c,v 1.9 1998/09/15 09:55:44 pattonme Exp $";
#endif
extern int opts;
diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c
index 808b5835aef..b457d66f540 100644
--- a/sbin/ipf/parse.c
+++ b/sbin/ipf/parse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.c,v 1.20 1998/07/09 06:12:23 deraadt Exp $ */
+/* $OpenBSD: parse.c,v 1.21 1998/09/15 09:55:45 pattonme Exp $ */
/*
* Copyright (C) 1993-1997 by Darren Reed.
*
@@ -30,13 +30,17 @@
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
-#include "ip_fil_compat.h"
-#include "ip_fil.h"
+#if defined(__OpenBSD__)
+# include <netinet/ip_fil_compat.h>
+#else
+# include <netinet/ip_compat.h>
+#endif
+#include <netinet/ip_fil.h>
#include "ipf.h"
#if !defined(lint)
static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: parse.c,v 1.20 1998/07/09 06:12:23 deraadt Exp $";
+static const char rcsid[] = "@(#)$Id: parse.c,v 1.21 1998/09/15 09:55:45 pattonme Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -58,7 +62,7 @@ int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *));
int to_interface __P((frdest_t *, char *));
void print_toif __P((char *, frdest_t *));
void optprint __P((u_short, u_short, u_long, u_long));
-int countbits __P((u_long));
+int countbits __P((u_32_t));
char *portname __P((int, int));
@@ -476,12 +480,21 @@ char *line;
/*
* lazy users...
*/
- if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
- (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
- (void)fprintf(stderr,
- "no protocol given for TCP/UDP comparisons\n");
+ if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
+ (void)fprintf(stderr, "TCP protocol not specified\n");
return NULL;
}
+ if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
+ (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
+ if (!fil.fr_proto) {
+ fil.fr_ip.fi_fl |= FI_TCPUDP;
+ fil.fr_mip.fi_fl |= FI_TCPUDP;
+ } else {
+ (void)fprintf(stderr,
+ "port comparisons for non-TCP/UDP\n");
+ return NULL;
+ }
+ }
/*
if ((fil.fr_flags & FR_KEEPFRAG) &&
(!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
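Review bot: The fallback on L339-L341 turns a rule that names ports but no protocol into one that matches both TCP and UDP without any message, whereas the removed check rejected such a rule outright; for a packet-filter rule that is a silent widening of what the rule text appears to match. At minimum document it in place, e.g. `/* port tests without a proto: match both TCP and UDP (FI_TCPUDP) */`, or report it on stderr the way the sibling branches on L334 and L343-L344 do. The new check on L333 rejects TCP-flag tests whenever fr_proto is not IPPROTO_TCP; if a `proto tcp/udp` rule leaves fr_proto at 0 and sets FI_TCPUDP, such rules are now rejected as well — worth confirming that is intended. The enclosing function continues outside the hunk.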
@@ -981,7 +994,6 @@ struct frentry *fp;
fp->fr_proto = IPPROTO_ICMP;
if (isdigit(***cp)) {
i = atoi(**cp);
- (*cp)++;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
@@ -1083,9 +1095,9 @@ struct frentry *fp;
* of bits.
*/
int countbits(ip)
-u_long ip;
+u_32_t ip;
{
- u_long ipn;
+ u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);