author | Kjell Wooding <kjell@cvs.openbsd.org> | 2000-02-01 19:30:03 +0000 |
---|---|---|
committer | Kjell Wooding <kjell@cvs.openbsd.org> | 2000-02-01 19:30:03 +0000 |
commit | a1bcf1b27619ea77e568a627662b6f03b82861eb (patch) | |
tree | 27150d5734105f6f131181b85702aef8c640b2a6 /sbin/ipf | |
parent | e68fb82f07f3d13d45357f91edb7ca2d5f067ba0 (diff) |
Update to IPFilter 3.3.8. Man pages still to go. See sbin/ipf/HISTORY
for details.
Diffstat (limited to 'sbin/ipf')
-rw-r--r-- | sbin/ipf/HISTORY | 41 | ||||
-rw-r--r-- | sbin/ipf/facpri.c | 5 | ||||
-rw-r--r-- | sbin/ipf/facpri.h | 5 | ||||
-rw-r--r-- | sbin/ipf/ifaddr.c | 3 | ||||
-rw-r--r-- | sbin/ipf/ifaddr.h | 6 | ||||
-rw-r--r-- | sbin/ipf/ipf.c | 5 | ||||
-rw-r--r-- | sbin/ipf/ipf.h | 5 | ||||
-rw-r--r-- | sbin/ipf/opt.c | 5 | ||||
-rw-r--r-- | sbin/ipf/parse.c | 38 |
9 files changed, 81 insertions, 32 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index 8e386cd93d7..0812e373b33 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.2 1999/12/28 08:20:40 kjell Exp $ +# $OpenBSD: HISTORY,v 1.3 2000/02/01 19:29:59 kjell Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -9,7 +9,7 @@ # # Thanks to Tel.Net Media for allowing me to maintain and further develop # IP Filter as part of my job and supplying Sun equipment for testing the -# move to 64bits. +# move to 64bits and Gigabit Ethernet. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. 
@@ -21,6 +21,43 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.3.8 01/02/2000 - Released + +fix state handling of SYN packets. + +add parsing recognition of extra icmp types/codes and fix handling of +icmp time stamps and mask requests - Frank volf + +3.3.7 25/01/2000 - Released + +sync on state information as well as NAT information when required + +record nat protocol in all nat log records + +don't reuse the IP# from an active NAT session if the IP# in the rule +has changed dynamically. + +lookup the protocol for NAT log information in ipmon and pass that to +portname. + +fix the bug with changing the outbound interface of a packet where it +would lead to a panic. + +use fr_running instead of ipl_inited. (sysctl name change on freebsd) + +return EIO if someone attempts an ioctl on state/nat if ipfilter is not +enabled. + +fix rule insertion bug + +make state flushing clean anything that's not fully established (4/4) + +call fr_state_flush() after we've released ipf_state so we don't generate +a recursive mutex acquisition panic + +fix parsing of icmp code after return-icmp/return-icmp-as-dest and add +some patches to enhance parsing strength + 3.3.6 28/12/1999 - Released add in missing rwlock release in fr_checkicmpmatchingstate() and fix check diff --git a/sbin/ipf/facpri.c b/sbin/ipf/facpri.c index c3af7068cc2..4c866ca3698 100644 --- a/sbin/ipf/facpri.c +++ b/sbin/ipf/facpri.c @@ -1,4 +1,5 @@ -/* $OpenBSD: facpri.c,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: facpri.c,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -20,7 +21,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: facpri.c,v 1.1 1999/12/14 04:17:17 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: facpri.c,v 1.2 1999/08/01 11:10:45 darrenr Exp $"; #endif typedef struct table { 
diff --git a/sbin/ipf/facpri.h b/sbin/ipf/facpri.h index 1ca7ddd26f5..1d29c4ba82e 100644 --- a/sbin/ipf/facpri.h +++ b/sbin/ipf/facpri.h @@ -1,11 +1,12 @@ -/* $OpenBSD: facpri.h,v 1.1 1999/12/14 04:17:17 kjell Exp $ */ +/* $OpenBSD: facpri.h,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1999 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: facpri.h,v 1.1 1999/12/14 04:17:17 kjell Exp $ + * $IPFilter: facpri.h,v 1.2 1999/08/01 11:10:46 darrenr Exp $ */ #ifndef __FACPRI_H__ diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c index 300e3e27f3e..832ca4e4cf8 100644 --- a/sbin/ipf/ifaddr.c +++ b/sbin/ipf/ifaddr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ifaddr.c,v 1.1 1999/12/16 07:38:45 kjell Exp $ */ +/* $OpenBSD: ifaddr.c,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ #include <sys/types.h> #include <sys/ioctl.h> #include <sys/socket.h> @@ -6,6 +6,7 @@ #include <netinet/in.h> #include <err.h> #include <stdlib.h> +#include <unistd.h> #include "ifaddr.h" diff --git a/sbin/ipf/ifaddr.h b/sbin/ipf/ifaddr.h index 96ef1bac246..19f77d05926 100644 --- a/sbin/ipf/ifaddr.h +++ b/sbin/ipf/ifaddr.h @@ -1,7 +1,7 @@ -/* $OpenBSD: ifaddr.h,v 1.1 1999/12/16 07:38:45 kjell Exp $ */ +/* $OpenBSD: ifaddr.h,v 1.2 2000/02/01 19:30:00 kjell Exp $ */ -#ifndef __IFADDR_H__ -#define __IFADDR_H__ +#ifndef __IFADDR_H__ +#define __IFADDR_H__ int if_addr __P((char *, struct in_addr *)); diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c index bf2517b13af..02c43d9177b 100644 --- a/sbin/ipf/ipf.c +++ b/sbin/ipf/ipf.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ipf.c,v 1.20 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: ipf.c,v 1.21 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
@@ -44,7 +45,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.20 1999/12/15 05:20:24 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $"; #endif #if SOLARIS diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h index 5435972babd..30e3329eb18 100644 --- a/sbin/ipf/ipf.h +++ b/sbin/ipf/ipf.h @@ -1,4 +1,5 @@ -/* $OpenBSD: ipf.h,v 1.11 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: ipf.h,v 1.12 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +8,7 @@ * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 1.11 1999/12/15 05:20:24 kjell Exp $ + * $IPFilter: ipf.h,v 2.1.2.1 1999/10/05 12:59:25 darrenr Exp $ */ #ifndef __IPF_H__ diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c index 74df2df5c45..3e384d68c5a 100644 --- a/sbin/ipf/opt.c +++ b/sbin/ipf/opt.c @@ -1,4 +1,5 @@ -/* $OpenBSD: opt.c,v 1.11 1999/12/15 05:20:24 kjell Exp $ */ +/* $OpenBSD: opt.c,v 1.12 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -28,7 +29,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: opt.c,v 1.11 1999/12/15 05:20:24 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: opt.c,v 2.1 1999/08/04 17:30:15 darrenr Exp $"; #endif extern int opts; diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index f891877b1f0..7cad35c146a 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,4 +1,5 @@ -/* $OpenBSD: parse.c,v 1.30 1999/12/28 08:30:31 kjell Exp $ */ +/* $OpenBSD: parse.c,v 1.31 2000/02/01 19:30:00 kjell Exp $ */ + /* * Copyright (C) 1993-1998 by Darren Reed. * 
@@ -42,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: parse.c,v 1.30 1999/12/28 08:30:31 kjell Exp $"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.8 2000/01/27 08:49:42 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; @@ -129,21 +130,25 @@ int linenum; if (!strcasecmp("block", *cpp)) { fil.fr_flags |= FR_BLOCK; - if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19)) + if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && + (i = 19)) fil.fr_flags |= FR_FAKEICMP; - else if (!strncasecmp(*(cpp+1), "return-icmp", 11)) + else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11)) fil.fr_flags |= FR_RETICMP; if (fil.fr_flags & FR_RETICMP) { cpp++; - if (!*(cpp+1)) { - fprintf(stderr, "%d: missing icmp code\n", - linenum); - return NULL; + if (strlen(*cpp) == i) { + if (*(cpp + 1) && **(cpp +1) == '(') { + cpp++; + i = 0; + } else + i = -1; } - i = 11; - if ((strlen(*cpp) > i) && (*(*cpp + i) != '(')) - i = 19; - if (*(*cpp + i) == '(') { + + /* + * The ICMP code is not required to follow in ()'s + */ + if ((i >= 0) && (*(*cpp + i) == '(')) { i++; j = icmpcode(*cpp + i); if (j == -1) { @@ -256,7 +261,7 @@ int linenum; if (!strcasecmp("log", *cpp)) { if (!*++cpp) { - fprintf(stderr, "%d: missing source specification\n", + fprintf(stderr, "%d: missing source specification\n", linenum); return NULL; } @@ -766,7 +771,7 @@ int linenum; /* * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_aton() call + * straight inet_addr() call */ u_32_t hostnum(host, resolved, linenum) char *host; 
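Review bot: In the return-icmp handling of the block branch (hunk @@ -129,21 +130,25 @@), `*(cpp+1)` is still handed to strncasecmp() without checking that any token follows "block", so a rule that ends after the keyword dereferences NULL unless the caller already guarantees a following token, which nothing in this hunk shows; a guard such as `if (!*(cpp + 1)) { fprintf(stderr, "%d: missing keyword\n", linenum); return NULL; }` ahead of the two strncasecmp() calls would close that. The `&& (i = 19)` and `&& (i = 11)` assignments buried in the conditions record the matched keyword length through the side effect of a boolean expression; writing each as an explicit statement in a braced branch body (`i = 19; fil.fr_flags |= FR_FAKEICMP;`) states the intent directly and cannot be misread as a mistyped comparison. Note also that the fixed-length strncasecmp() accepts any token that merely begins with "return-icmp", and when the token is longer than the keyword but the byte at offset i is not '(' the trailer is passed over without a diagnostic here; whether later code rejects it is outside the hunk. The enclosing parse function starts and ends outside this hunk.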
@@ -1247,12 +1252,13 @@ int linenum; } -#define MAX_ICMPCODE 12 +#define MAX_ICMPCODE 15 char *icmpcodes[] = { "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail", "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib", - "net-tos", "host-tos", NULL }; + "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", + NULL }; /* * Return the number for the associated ICMP unreachable code. */ |
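Review bot: MAX_ICMPCODE and the icmpcodes[] table are kept in step by hand — the define goes from 12 to 15 as three names are appended — so the next addition to the table can silently drift from the constant. Since the array is NULL-terminated and defined directly below the macro, a comment pinning the relationship would help, e.g. `/* MAX_ICMPCODE must equal the number of non-NULL entries in icmpcodes[] below */`, or the count could be derived from the array at its point of use instead of restated. How MAX_ICMPCODE is consumed (presumably in the icmpcode() lookup that follows) is outside this hunk.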