-rw-r--r-- | sbin/ipf/HISTORY | 13 | ||||
-rw-r--r-- | sys/netinet/ip_fil.h | 14 | ||||
-rw-r--r-- | sys/netinet/ip_raudio_pxy.c | 4 | ||||
-rw-r--r-- | sys/netinet/ip_state.c | 46 | ||||
-rw-r--r-- | sys/netinet/ipl.h | 4 |
5 files changed, 51 insertions, 30 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index ff068aa3779..8e386cd93d7 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.1 1999/12/28 07:46:01 kjell Exp $ +# $OpenBSD: HISTORY,v 1.2 1999/12/28 08:20:40 kjell Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -21,6 +21,17 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.3.6 28/12/1999 - Released + +add in missing rwlock release in fr_checkicmpmatchingstate() and fix check +for ICMP_ECHO to only be for packet, not state entry which we don't have yet. + +handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() + +fix size of friostat for SunOS4 + +fix bug in running off the end of a buffer in real audio proxy + 3.3.5 11/12/1999 - Released fix parsing of "log level" and printing it back out too diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index a44e5780b47..96bc712f0d0 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.h,v 1.13 1999/12/15 05:20:21 kjell Exp $ */ +/* $OpenBSD: ip_fil.h,v 1.14 1999/12/28 08:20:40 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -7,7 +7,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 1.13 1999/12/15 05:20:21 kjell Exp $ + * $Id: ip_fil.h,v 1.14 1999/12/28 08:20:40 kjell Exp $ */ #ifndef __IP_FIL_H__ 
@@ -308,11 +308,15 @@ typedef struct friostat { struct frentry *f_auth; struct frgroup *f_groups[3][2]; u_long f_froute[2]; - int f_active; /* 1 or 0 - active rule set */ int f_defpass; /* default pass - from fr_pass */ - int f_running; /* 1 if running, else 0 */ - int f_logging; /* 1 if enabled, else 0 */ + char f_active; /* 1 or 0 - active rule set */ + char f_running; /* 1 if running, else 0 */ + char f_logging; /* 1 if enabled, else 0 */ +#if !SOLARIS && defined(sun) + char f_version[25]; /* version string */ +#else char f_version[32]; /* version string */ +#endif } friostat_t; typedef struct optlist { diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c index 0212a0c1ebf..7d9ab5b3291 100644 --- a/sys/netinet/ip_raudio_pxy.c +++ b/sys/netinet/ip_raudio_pxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_raudio_pxy.c,v 1.2 1999/12/17 06:17:08 kjell Exp $ */ +/* $OpenBSD: ip_raudio_pxy.c,v 1.3 1999/12/28 08:20:40 kjell Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; #endif @@ -234,7 +234,7 @@ nat_t *nat; } else return 0; - for (a3 = a1, a4 = a2; a4 > 0; a4--, a3++) { + for (a3 = a1, a4 = a2; (a4 > 0) && (a3 < 19) && (a3 >= 0); a4--,a3++) { rap->rap_sbf |= (1 << a3); rap->rap_svr[a3] = *s++; } diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 3b30b7fe37d..f3e6a05733d 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.c,v 1.15 1999/12/17 07:50:06 kjell Exp $ */ +/* $OpenBSD: ip_state.c,v 1.16 1999/12/28 08:20:40 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -8,7 +8,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 1.15 1999/12/17 07:50:06 kjell Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 1.16 1999/12/28 08:20:40 kjell Exp $"; #endif #include <sys/errno.h> 
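Review bot: The `25` in `char f_version[25]` under `#if !SOLARIS && defined(sun)` is an unexplained magic size; the HISTORY entry only says "fix size of friostat for SunOS4". A comment on that branch such as `/* shorter on SunOS4 to keep friostat within the ioctl size limit */` would record the reason, if that is indeed the reason. Because the buffer length now differs by platform, the code that fills `f_version` (outside this hunk) should bound its copy with `sizeof(((friostat_t *)0)->f_version)` or the field itself rather than a literal 32. The narrowing of `f_active`, `f_running` and `f_logging` to `char` also changes the layout shared with userland, so tools built against the old header need rebuilding with the kernel.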
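Review bot: When the new bound `(a3 < 19)` ends the loop early, the remaining `a4` bytes are dropped silently, and the code after the loop (outside this hunk) appears to carry on as if the whole field had been stored. The literal 19 presumably mirrors the size of `rap->rap_svr`; deriving it from the buffer, e.g. `(a3 < (int)sizeof(rap->rap_svr))`, keeps the check from drifting if the array is resized. Nothing visible here shows that `s` still has `a2` bytes left in the packet either, so the read side `*s++` deserves the same kind of bound. The enclosing function starts and ends outside the hunk.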
@@ -665,12 +665,12 @@ fr_info_t *fin; struct icmp *ic; u_short savelen; fr_info_t ofin; - u_int hv, dest; tcphdr_t *tcp; icmphdr_t *icmp; frentry_t *fr; ip_t *oip; int type; + u_int hv; /* * Does it at least have the return (basic) IP header ? @@ -704,8 +704,10 @@ fr_info_t *fin; * XXX theoretically ICMP_ECHOREP and the other reply's are * ICMP query's as well, but adding them here seems strange XXX */ - if ((icmp->icmp_type != ICMP_ECHO) && (icmp->icmp_type != ICMP_TSTAMP) && - (icmp->icmp_type != ICMP_IREQ) && (icmp->icmp_type != ICMP_MASKREQ)) + if ((icmp->icmp_type != ICMP_ECHO) && + (icmp->icmp_type != ICMP_TSTAMP) && + (icmp->icmp_type != ICMP_IREQ) && + (icmp->icmp_type != ICMP_MASKREQ)) return NULL; /* @@ -715,8 +717,10 @@ fr_info_t *fin; hv = (pr = oip->ip_p); hv += (src.s_addr = oip->ip_src.s_addr); hv += (dst.s_addr = oip->ip_dst.s_addr); - hv += icmp->icmp_id; - hv += icmp->icmp_seq; + if (icmp->icmp_type == ICMP_ECHO) { + hv += icmp->icmp_id; + hv += icmp->icmp_seq; + } hv %= fr_statesize; oip->ip_len = ntohs(oip->ip_len); 
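Review bot: The new `if (icmp->icmp_type == ICMP_ECHO)` guard around `hv += icmp->icmp_id; hv += icmp->icmp_seq;` only finds an entry if the code that inserts state (not part of this diff) hashes in the same way, and nothing at this site says so. A comment above the guard such as `/* id/seq are hashed only for echo; must mirror the hash used when the entry was added */` would make the coupling explicit. The same applies to the `case IPPROTO_ICMP :` hunk further down, which uses a different condition (`ICMP_ECHO` or `ICMP_ECHOREPLY`) for the same hash. The function body starts and ends outside the hunk.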
@@ -725,30 +729,30 @@ fr_info_t *fin; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ - + READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && - (icmp->icmp_id == is->is_icmp.ics_id) && - (icmp->icmp_seq == is->is_icmp.ics_seq) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { - /* * in the state table ICMP query's are stored * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && + (icmp->icmp_id == is->is_icmp.ics_id) && + (icmp->icmp_seq == is->is_icmp.ics_seq) && (icmp->icmp_type == ICMP_ECHO)) || - (is->is_type - 1 == ic->icmp_type )) { + (is->is_type - 1 == ic->icmp_type)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; - return is->is_rule; + fr = is->is_rule; + RWLOCK_EXIT(&ipf_state); + return fr; } } RWLOCK_EXIT(&ipf_state); - return NULL; }; @@ -799,7 +803,6 @@ fr_info_t *fin; * we must swap src and dst here because the icmp * comes the other way around */ - dest = (is->is_dst.s_addr != src.s_addr); is->is_pkts++; is->is_bytes += ip->ip_len; /* @@ -847,17 +850,20 @@ fr_info_t *fin; switch (ip->ip_p) { case IPPROTO_ICMP : - hv += ic->icmp_id; - hv += ic->icmp_seq; + if ((ic->icmp_type == ICMP_ECHO) || + (ic->icmp_type == ICMP_ECHOREPLY)) { + hv += ic->icmp_id; + hv += ic->icmp_seq; + } hv %= fr_statesize; READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && - (ic->icmp_id == is->is_icmp.ics_id) && - (ic->icmp_seq == is->is_icmp.ics_seq) && fr_matchsrcdst(is, src, dst, fin, NULL)) { if ((is->is_type == ICMP_ECHOREPLY) && - (ic->icmp_type == ICMP_ECHO)) + (ic->icmp_type == ICMP_ECHO) && + (ic->icmp_id == is->is_icmp.ics_id) && + (ic->icmp_seq == is->is_icmp.ics_seq)) ; else if (is->is_type != ic->icmp_type) continue; diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h index 9c4d8badf2d..4716411676b 100644 
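Review bot: The fall-back test `(is->is_type - 1 == ic->icmp_type)` takes the type from `ic`, while the query-type filter earlier in this function and the echo branch right beside it both use `icmp`. The assignments are outside the hunk, but if `ic` is the outer ICMP error header and `icmp` the embedded query, this compares the state entry against the wrong header and should read `(is->is_type - 1 == icmp->icmp_type)`. With id/seq now checked only in the echo branch, that fall-back is the sole type check for timestamp, info and mask queries, so it is worth confirming. The lock-release fix itself (`fr = is->is_rule; RWLOCK_EXIT(&ipf_state); return fr;`) looks right.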
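Review bot: After this change an incoming `ICMP_ECHOREPLY` is no longer compared against the stored id/seq. The id/seq test now sits only in the branch that requires `ic->icmp_type == ICMP_ECHO`, so a reply falls through to `else if (is->is_type != ic->icmp_type) continue;` and is accepted on protocol, addresses and type alone. The id/seq still feed `hv`, but after `hv %= fr_statesize` that selects only a bucket, which is not an exact match. If the entry stores id/seq for echo state (set outside this diff), add a branch before the type check: `else if ((ic->icmp_type == ICMP_ECHOREPLY) && ((ic->icmp_id != is->is_icmp.ics_id) || (ic->icmp_seq != is->is_icmp.ics_seq))) continue;`. The loop body continues past the end of the hunk.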
--- a/sys/netinet/ipl.h +++ b/sys/netinet/ipl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipl.h,v 1.2 1999/12/17 06:17:08 kjell Exp $ */ +/* $OpenBSD: ipl.h,v 1.3 1999/12/28 08:20:40 kjell Exp $ */ /* * Copyright (C) 1993-1999 by Darren Reed. * @@ -12,6 +12,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.3.5" +#define IPL_VERSION "IP Filter: v3.3.6" #endif |