authorKjell Wooding <kjell@cvs.openbsd.org>2000-08-10 05:50:28 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2000-08-10 05:50:28 +0000
commitf6f9719d77e16be22cc895846d5a194bedc0a06c (patch)
tree72ffe5baca00bf7f9e9b21455a0220c82f42babd /sys
parentad4cd1f6669755dfa5db6525909b031b9fee7918 (diff)
Import ipf 3.3.18. Fixes more problems with the in-kernel FTP proxy,
some nat state bugs, and ups the default state table size. See sbin/ipf/HISTORY for details.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/fil.c10
-rw-r--r--sys/netinet/ip_fil.c18
-rw-r--r--sys/netinet/ip_fil_compat.h6
-rw-r--r--sys/netinet/ip_frag.c7
-rw-r--r--sys/netinet/ip_ftp_pxy.c46
-rw-r--r--sys/netinet/ip_nat.c55
-rw-r--r--sys/netinet/ip_proxy.c7
-rw-r--r--sys/netinet/ip_state.c57
-rw-r--r--sys/netinet/ip_state.h8
-rw-r--r--sys/netinet/ipl.h4
10 files changed, 168 insertions, 50 deletions
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index 676b5418e0f..828ad128d60 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fil.c,v 1.25 2000/05/24 21:59:10 kjell Exp $ */
+/* $OpenBSD: fil.c,v 1.26 2000/08/10 05:50:25 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -23,6 +23,9 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42
#endif
#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
+# if (__FreeBSD_version >= 400019)
+# define CSUM_DELAY_DATA
+# endif
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
@@ -1187,7 +1190,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $
+ * $IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1592,6 +1595,7 @@ void frsync()
ip_natsync(ifp);
ip_statesync(ifp);
}
+ ip_natsync((struct ifnet *)-1);
# endif
WRITE_ENTER(&ipf_mutex);
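Review bot: The sentinel `(struct ifnet *)-1` handed to ip_natsync() on the new line is unexplained at the call site; whatever ip_natsync() does with it (presumably "resync every NAT entry rather than one interface" — its definition is not in this diff), a one-line comment such as `/* -1: resync all NAT entries, see ip_natsync() */` would save the next reader a trip. Casting -1 to an interface pointer also relies on that value never being a real kernel address, which holds in practice but is the kind of assumption worth stating where it is made. The enclosing frsync() begins before this hunk and continues after it.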
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 5f5cb113d24..b8243712c19 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.c,v 1.35 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ip_fil.c,v 1.36 2000/08/10 05:50:25 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.21 2000/05/22 06:57:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43:47 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -1401,15 +1401,29 @@ char *name;
if (!ifneta) {
ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
+ if (!ifneta)
+ return NULL;
ifneta[1] = NULL;
ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
+ if (!ifneta[0]) {
+ free(ifneta);
+ return NULL;
+ }
nifs = 1;
} else {
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
+ if (!ifneta) {
+ nifs = 0;
+ return NULL;
+ }
ifneta[nifs] = NULL;
ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
+ if (!ifneta[nifs - 1]) {
+ nifs--;
+ return NULL;
+ }
}
ifp = ifneta[nifs - 1];
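Review bot: The `realloc` failure path still loses the old table: `ifneta = realloc(ifneta, ...)` overwrites the only pointer to it, and the new `if (!ifneta) { nifs = 0; return NULL; }` then abandons every previously allocated `struct ifnet` as well, so the next call rebuilds from an empty table while the old one leaks. Assign the result to a temporary and only commit it on success, which also lets `nifs` be restored instead of zeroed. The two branches also size the table with `sizeof(ifp)` and `sizeof(*ifa)` respectively; `sizeof(*ifneta)` would be the unambiguous choice for both. This looks like the userland (malloc/calloc) build of the function rather than the kernel path, and its start is outside the hunk.
```c
	} else {
		struct ifnet **tmp;

		nifs++;
		tmp = (struct ifnet **)realloc(ifneta, (nifs + 1) * sizeof(*ifneta));
		if (!tmp) {
			nifs--;	/* old table and its entries remain valid */
			return NULL;
		}
		ifneta = tmp;
		/* … unchanged: terminate table, allocate ifneta[nifs - 1] … */
	}
```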
diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h
index d9c078e47e3..97f420e12ae 100644
--- a/sys/netinet/ip_fil_compat.h
+++ b/sys/netinet/ip_fil_compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil_compat.h,v 1.17 2000/06/16 21:47:16 provos Exp $ */
+/* $OpenBSD: ip_fil_compat.h,v 1.18 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -149,6 +149,10 @@ typedef unsigned long u_32_t;
# endif
#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
+#ifndef MAX
+#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+#endif
+
/*
* Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
*
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index e2780d3e256..4ac9b87c98a 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_frag.c,v 1.17 2000/03/13 23:40:18 kjell Exp $ */
+/* $OpenBSD: ip_frag.c,v 1.18 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.5 2000/06/06 15:50:48 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -139,6 +139,9 @@ ipfr_t *table[];
ipfr_t **fp, *fra, frag;
u_int idx;
+ if (ipfr_inuse >= IPFT_SIZE)
+ return NULL;
+
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
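Review bot: The new `ipfr_inuse >= IPFT_SIZE` guard caps the fragment cache, which is the right defence against a flood of fragment heads, but it is silent: nothing marks why NULL is returned here, and the caller will treat a full table like any other allocation failure. Put `/* table full: refuse new fragment state rather than grow without bound */` above it, and if the fragment statistics structure has a suitable counter (not visible in this diff), bump it so operators can see table exhaustion rather than unexplained fragment drops. Whether `ipfr_inuse` is read under the fragment lock depends on the caller, which is outside the hunk.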
diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c
index 755bbe4efca..16ec4c3edf5 100644
--- a/sys/netinet/ip_ftp_pxy.c
+++ b/sys/netinet/ip_ftp_pxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ftp_pxy.c,v 1.10 2000/04/12 21:32:39 kjell Exp $ */
+/* $OpenBSD: ip_ftp_pxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */
/*
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
@@ -9,7 +9,10 @@ extern kmutex_t ipf_rw;
#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A')
+#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
+#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
+#define isalpha(x) (isupper(x) || islower(x))
+#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
#define IPF_FTP_PROXY
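Review bot: The new `toupper(x)` only yields a letter when `isalpha(x)` already holds: for any other byte the `(x) - 'a' + 'A'` arm produces an arbitrary value, so the macro is safe only at call sites that check `isalpha` first, as ippr_ftp_complete() does. State that beside the definition, e.g. `/* valid only when isalpha(x) holds; callers check first */`. These macros also shadow the <ctype.h> names — presumably deliberate in a kernel file — and each evaluates its argument more than once, so none may be given an expression with side effects.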
@@ -26,7 +29,7 @@ int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *));
int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *));
-int ippr_ftp_complete __P((char *, size_t));
+int ippr_ftp_complete __P((char *, size_t, char *));
u_short ipf_ftp_atoi __P((char **));
@@ -46,8 +49,8 @@ int ippr_ftp_init()
}
-int ippr_ftp_complete(buf, len)
-char *buf;
+int ippr_ftp_complete(buf, len, cbuf)
+char *buf, *cbuf;
size_t len;
{
register char *s, c;
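Review bot: The new `cbuf` parameter has an implicit contract that nothing at the definition records: it must hold at least five bytes and be zeroed by the caller, because the body fills `cbuf[0..4]` only for as many command letters as it actually sees (both callers in this diff do `bzero(cmd, sizeof(cmd))` on a `char cmd[6]` before the call). Add a header comment such as `/* cbuf: >= 5 bytes, pre-zeroed by caller; receives the upper-cased command verb followed by the byte after it */`. The function body continues past this hunk.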
@@ -74,17 +77,22 @@ size_t len;
return -1;
} else
return -1;
- } else if (isupper(c)) {
+ } else if (isalpha(c)) {
+ cbuf[0] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[1] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[2] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[3] = toupper(c);
c = *s++;
+ cbuf[4] = c;
i--;
if (c != ' ')
return -1;
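Review bot: The nested `c = *s++; i--;` steps in this hunk decrement `i` but never test it, so the parser reads up to five bytes of `buf` regardless of `len`; whether a minimum-length check guards this is decided at the top of the function, which is outside the hunk. If none exists, a one- or two-byte payload makes the verb comparison run on stale bytes of the caller's stack `portbuf` (only `dlen` bytes were copied in) — a wrong answer rather than an overflow, but cheap to rule out with `if (len < 5) return -1;` before the first read. `cbuf[4] = c;` is also stored before the `c != ' '` test; that is harmless since callers compare exactly five bytes, but `/* keep the separator so "USER " style compares work */` would explain the fifth byte.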
@@ -164,7 +172,7 @@ fr_info_t *fin;
ip_t *ip;
nat_t *nat;
{
- char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s;
+ char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6];
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
size_t nlen = 0, dlen, olen;
u_short a5, a6, sp, dp;
@@ -196,26 +204,27 @@ nat_t *nat;
if (dlen > 0)
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- if (dlen == 0)
+ if (dlen <= 0)
return 0;
+ bzero(cmd, sizeof(cmd));
portbuf[sizeof(portbuf) - 1] = '\0';
*newbuf = '\0';
/*
* Check that a user is progressing through the login ok.
*/
- if (ippr_ftp_complete(portbuf, dlen))
+ if (ippr_ftp_complete(portbuf, dlen, cmd))
return 0;
ftp = nat->nat_aps->aps_data;
switch (ftp->ftp_passok)
{
case 0 :
- if (!strncmp(portbuf, "USER ", 5))
+ if (!strncmp(cmd, "USER ", 5))
ftp->ftp_passok = 1;
break;
case 2 :
- if (!strncmp(portbuf, "PASS ", 5))
+ if (!strncmp(cmd, "PASS ", 5))
ftp->ftp_passok = 3;
break;
}
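Review bot: `dlen` is a `size_t` in this function (the locals hunk above declares `size_t nlen = 0, dlen, olen;`), so the new `if (dlen <= 0)` is exactly `dlen == 0` and cannot catch a negative length the way the identical change in ippr_ftp_pasvmsg, where `dlen` is `int`, does. If the subtraction that produces `dlen` (outside the hunk) can go below zero it wraps to a huge value here, and `MIN(sizeof(portbuf), dlen)` then hands a full buffer of unrelated payload to the parser. Either make `dlen` an `int` as in pasvmsg so the check is meaningful, or mark the intent with `/* size_t: only the empty-payload case can fire here */`; `-Wtype-limits` would flag the comparison as always-false for the negative half.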
@@ -224,7 +233,7 @@ nat_t *nat;
/*
* Check for client sending out PORT message.
*/
- if (!ippr_ftp_pasvonly && !strncmp(portbuf, "PORT ", 5)) {
+ if (!ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) {
if (dlen < IPF_MINPORTLEN)
return 0;
} else
@@ -391,7 +400,7 @@ fr_info_t *fin;
ip_t *ip;
nat_t *nat;
{
- char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s;
+ char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6];
int off, olen, dlen, nlen = 0, inc = 0;
tcphdr_t tcph, *tcp2 = &tcph;
struct in_addr swip, swip2;
@@ -422,8 +431,9 @@ nat_t *nat;
if (dlen > 0)
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- if (dlen == 0)
+ if (dlen <= 0)
return 0;
+ bzero(cmd, sizeof(cmd));
portbuf[sizeof(portbuf) - 1] = '\0';
*newbuf = '\0';
@@ -450,7 +460,7 @@ nat_t *nat;
break;
}
- if (ippr_ftp_complete(portbuf, dlen) || (ftp->ftp_passok != 4))
+ if (ippr_ftp_complete(portbuf, dlen, cmd) || (ftp->ftp_passok != 4))
return 0;
/*
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index 6bf634f9c9c..a6283e04d34 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_nat.c,v 1.33 2000/07/03 04:50:05 aaron Exp $ */
+/* $OpenBSD: ip_nat.c,v 1.34 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -11,7 +11,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.18 2000/05/19 15:52:29 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.21 2000/08/08 16:00:33 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -410,7 +410,7 @@ int mode;
* mapping range. In all cases, the range is inclusive of
* the start and ending IP addresses.
* If to a CIDR address, lose 2: broadcast + network address
- * (so subtract 1)
+ * (so subtract 1)
* If to a range, add one.
* If to a single IP address, set to 1.
*/
@@ -614,9 +614,9 @@ void
nat_ifdetach(ifp)
struct ifnet *ifp;
{
- ipnat_t *n, **np = &nat_list;
+ ipnat_t *n, **np;
- while ((n = *np)) {
+ for (np = &nat_list; (n = *np) != NULL; np = &n->in_next) {
*np = n->in_next;
if (!n->in_use) {
if (n->in_apr)
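Review bot: The `for` increment `np = &n->in_next` is wrong for a loop whose body unlinks the head: the context line `*np = n->in_next;` already advances the list in place, so `np` must keep pointing at `nat_list`, and after the `!in_use` branch (which presumably frees `n`; its remaining lines are outside this hunk) the increment computes an address inside released memory. The second hunk of this function makes it worse by adding `n = NULL;` at the end of the body, so the increment becomes `&((ipnat_t *)NULL)->in_next` and the loop test then reads through that near-null pointer — a kernel fault on the first interface detach with a non-empty NAT list. Drop the increment, `for (np = &nat_list; (n = *np) != NULL; )`, or restore the original `while ((n = *np) != NULL)` shape, and remove the trailing `n = NULL;`.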
@@ -627,6 +627,7 @@ nat_ifdetach(ifp)
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
+ n = NULL;
}
}
@@ -1027,11 +1028,13 @@ nat_t *nat_icmpinlookup(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
- icmphdr_t *icmp;
tcphdr_t *tcp = NULL;
+ icmphdr_t *icmp;
ip_t *oip;
- int flags = 0, type;
+ int flags = 0, type, minlen;
+ if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
+ return NULL;
icmp = (icmphdr_t *)fin->fin_dp;
/*
* Does it at least have the return (basic) IP header ?
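Review bot: The new guard `(fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)` should carry a comment, because both halves are load-bearing for the pointer arithmetic that follows (`oip = fin->fin_dp + 8`, then the ports at `oip + (oip->ip_hl << 2)`): a non-first fragment does not carry the embedded header at all and a short packet cannot be trusted to. Suggest `/* a short packet or a non-first fragment has no embedded header to look at */`. The test masks only the offset bits, so a first fragment with MF set still proceeds; that relies on FI_SHORT and the mbuf-length check in the next hunk to catch a truncated quote. It also assumes `ip_off` is in host order at this point, an assumption the surrounding `ip_len` comparisons share. nat_icmpinlookup() continues past this hunk.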
@@ -1050,13 +1053,43 @@ fr_info_t *fin;
return NULL;
oip = (ip_t *)((char *)fin->fin_dp + 8);
- if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ minlen = (oip->ip_hl << 2);
+ if (ip->ip_len < ICMPERR_MINPKTLEN + minlen)
+ return NULL;
+ /*
+ * Is the buffer big enough for all of it ? It's the size of the IP
+ * header claimed in the encapsulated part which is of concern. It
+ * may be too big to be in this buffer but not so big that it's
+ * outside the ICMP packet, leading to TCP deref's causing problems.
+ * This is possible because we don't know how big oip_hl is when we
+ * do the pullup early in fr_check() and thus can't gaurantee it is
+ * all here now.
+ */
+#ifdef _KERNEL
+ {
+ mb_t *m;
+
+# if SOLARIS
+ m = fin->fin_qfm;
+ if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
return NULL;
+# else
+ m = *(mb_t **)fin->fin_mp;
+ if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
+ (char *)ip + m->m_len)
+ return NULL;
+# endif
+ }
+#endif
+
if (oip->ip_p == IPPROTO_TCP)
flags = IPN_TCP;
else if (oip->ip_p == IPPROTO_UDP)
flags = IPN_UDP;
if (flags & IPN_TCPUDP) {
+ minlen += 8; /* + 64bits of data to get ports */
+ if (ip->ip_len < ICMPERR_MINPKTLEN + minlen)
+ return NULL;
tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p,
oip->ip_dst, oip->ip_src,
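Review bot: The new length tests `ip->ip_len < ICMPERR_MINPKTLEN + minlen` may count the inner IP header twice: if ICMPERR_MINPKTLEN is the conventional outer header + ICMP header + minimum inner header (its definition is not in this diff), then adding the full `minlen = oip->ip_hl << 2` demands 68 bytes, and 76 once `minlen += 8`, whereas a minimal RFC 792 error quoting the inner header plus 8 bytes is 56 — such errors would fail the lookup and pass through untranslated. If so, the base should be the outer-header-plus-ICMP constant (ICMPERR_IPICMPHLEN, if the header defines one), with a comment spelling out the arithmetic. The mbuf test `(char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)ip + m->m_len` also assumes `ip` is the first byte of `m`'s data; `/* ip == mtod(m, ip_t *) */` would make that explicit, and `gaurantee` in the new comment is misspelled. nat_icmpinlookup() begins before and continues after this hunk.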
@@ -1135,7 +1168,10 @@ u_int *nflags;
if ((flags & IPN_TCPUDP) != 0) {
tcphdr_t *tcp;
- /* XXX - what if this is bogus hl and we go off the end ? */
+ /*
+ * XXX - what if this is bogus hl and we go off the end ?
+ * In this case, nat_icmpinlookup() will have returned NULL.
+ */
tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
if (nat->nat_dir == NAT_OUTBOUND) {
@@ -1466,6 +1502,7 @@ maskloop:
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
}
+
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, nat->nat_sumd[1],
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c
index 871183209f1..d6803d78744 100644
--- a/sys/netinet/ip_proxy.c
+++ b/sys/netinet/ip_proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_proxy.c,v 1.10 2000/06/16 21:47:16 provos Exp $ */
+/* $OpenBSD: ip_proxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
@@ -80,6 +80,11 @@ static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.4 2000/03/15 13:5
# include <sys/malloc.h>
#endif
+
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
fr_info_t *, nat_t *));
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index 983d2ca299b..51cda10dee3 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.c,v 1.22 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ip_state.c,v 1.23 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.25 2000/05/22 06:57:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.28 2000/08/08 16:00:35 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -152,7 +152,7 @@ static ips_stat_t *fr_statetstats()
* flush state tables. two actions currently defined:
* which == 0 : flush all state table entries
* which == 1 : flush TCP connections which have started to close but are
- * stuck for some reason.
+ * stuck for some reason.
*/
static int fr_state_flush(which)
int which;
@@ -679,12 +679,12 @@ fr_info_t *fin;
register u_char pr;
struct icmp *ic;
u_short savelen;
+ icmphdr_t *icmp;
fr_info_t ofin;
tcphdr_t *tcp;
- icmphdr_t *icmp;
+ int type, len;
frentry_t *fr;
ip_t *oip;
- int type;
u_int hv;
/*
@@ -708,6 +708,38 @@ fr_info_t *fin;
if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
return NULL;
+ /*
+ * Sanity Checks.
+ */
+ len = fin->fin_dlen - ICMPERR_ICMPHLEN;
+ if ((len <= 0) || ((oip->ip_hl << 2) > len))
+ return NULL;
+
+ /*
+ * Is the buffer big enough for all of it ? It's the size of the IP
+ * header claimed in the encapsulated part which is of concern. It
+ * may be too big to be in this buffer but not so big that it's
+ * outside the ICMP packet, leading to TCP deref's causing problems.
+ * This is possible because we don't know how big oip_hl is when we
+ * do the pullup early in fr_check() and thus can't gaurantee it is
+ * all here now.
+ */
+#ifdef _KERNEL
+ {
+ mb_t *m;
+
+# if SOLARIS
+ m = fin->fin_qfm;
+ if ((char *)oip + len > (char *)m->b_wptr)
+ return NULL;
+# else
+ m = *(mb_t **)fin->fin_mp;
+ if ((char *)oip + len > (char *)ip + m->m_len)
+ return NULL;
+# endif
+ }
+#endif
+
if (oip->ip_p == IPPROTO_ICMP) {
icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
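Review bot: The new check `(oip->ip_hl << 2) > len` rejects an inner header that claims more than is present but not one that claims less than the 20-byte minimum: with `oip->ip_hl` in 0..4 the kept line above, `ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)`, left-shifts a negative value (the 4-bit field promotes to `int`), which is undefined behaviour and in practice loosens the outer-length test by up to 20 bytes, and the `icmp`/`tcp` pointer computed afterwards lands inside the inner IP header instead of after it. Add the lower bound to the new sanity line: `if ((len <= 0) || (oip->ip_hl < 5) || ((oip->ip_hl << 2) > len))`. The mbuf test also assumes `ip` is the first byte of `m`'s data (`(char *)ip + m->m_len`), worth a one-line comment, and `gaurantee` is misspelled. fr_checkicmpmatchingstate() begins before and continues after this hunk.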
@@ -738,9 +770,10 @@ fr_info_t *fin;
}
hv %= fr_statesize;
- oip->ip_len = ntohs(oip->ip_len);
+ savelen = oip->ip_len;
+ oip->ip_len = len;
fr_makefrip(oip->ip_hl << 2, oip, &ofin);
- oip->ip_len = htons(oip->ip_len);
+ oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
ofin.fin_out = !fin->fin_out;
ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
@@ -795,7 +828,7 @@ fr_info_t *fin;
* order. Any change we make must be undone afterwards.
*/
savelen = oip->ip_len;
- oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN;
+ oip->ip_len = len;
fr_makefrip(oip->ip_hl << 2, oip, &ofin);
oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
@@ -899,7 +932,15 @@ fr_info_t *fin;
case IPPROTO_TCP :
{
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
+ register int i;
+ i = tcp->th_flags;
+ /*
+ * Just plain ignore RST flag set with either FIN or SYN.
+ */
+ if ((i & TH_RST) &&
+ ((i & (TH_FIN|TH_SYN|TH_RST)) != TH_RST))
+ break;
tryagain = 0;
retry_tcp:
hvm = hv % fr_statesize;
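Review bot: The new early `break` for RST combined with SYN or FIN leaves the `switch` without touching any state, and what the function then returns is decided after the hunk, so the comment `Just plain ignore RST flag set with either FIN or SYN` should say what "ignore" means for the caller, e.g. `/* RST together with SYN or FIN is not a valid segment (RFC 793): report no matching state */`. `register int i` is a poor name for a flags word in a function that already uses `hv`/`hvm` as indices; `int flags = tcp->th_flags;` reads better with no behaviour change. The enclosing function begins before this hunk and continues after it.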
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index 5174f8571d4..edfcc8d6e3a 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.h,v 1.14 2000/04/13 17:13:42 kjell Exp $ */
+/* $OpenBSD: ip_state.h,v 1.15 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -8,17 +8,17 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $IPFilter: ip_state.h,v 2.1.2.4 2000/02/23 15:23:27 darrenr Exp $
+ * $IPFilter: ip_state.h,v 2.1.2.5 2000/07/08 02:15:56 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
#ifndef IPSTATE_SIZE
-# define IPSTATE_SIZE 257
+# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
-# define IPSTATE_MAX 2048 /* Maximum number of states held */
+# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
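Review bot: The new values deserve a word of explanation where they are defined: 5737 and 4013 are both prime (the table index is `hv % fr_statesize`, so a prime size spreads the hash), and the table is now larger than the entry cap, which keeps the average chain length below one; neither fact is stated. Suggest `# define IPSTATE_SIZE 5737 /* prime; > IPSTATE_MAX keeps the load factor below 1 */` and `# define IPSTATE_MAX 4013 /* prime; hard cap on states held, bounds memory under a flood */`. IPSTATE_MAX is what bounds kernel memory under a state-exhaustion flood, so roughly doubling it is a deliberate memory-for-capacity trade that an operator tuning this header should see spelled out.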
diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h
index ffdd854ff0d..1fd9dfb8feb 100644
--- a/sys/netinet/ipl.h
+++ b/sys/netinet/ipl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipl.h,v 1.11 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ipl.h,v 1.12 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1999 by Darren Reed.
@@ -13,6 +13,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.3.16"
+#define IPL_VERSION "IP Filter: v3.3.18"
#endif