-rw-r--r-- | sys/netinet/fil.c | 18 | ||||
-rw-r--r-- | sys/netinet/ip_auth.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_fil.c | 87 | ||||
-rw-r--r-- | sys/netinet/ip_fil.h | 8 | ||||
-rw-r--r-- | sys/netinet/ip_frag.c | 19 | ||||
-rw-r--r-- | sys/netinet/ip_log.c | 16 | ||||
-rw-r--r-- | sys/netinet/ip_nat.c | 36 | ||||
-rw-r--r-- | sys/netinet/ip_proxy.c | 18 | ||||
-rw-r--r-- | sys/netinet/ip_state.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_state.h | 11 |
10 files changed, 147 insertions, 88 deletions
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index f3f70f32c21..6509da46d9e 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fil.c,v 1.27 2001/01/17 04:47:11 fgsch Exp $ */ +/* $OpenBSD: fil.c,v 1.28 2001/01/30 04:23:55 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. @@ -77,7 +77,7 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2 #include <netinet/tcp.h> #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #ifdef USE_INET6 # include <netinet/icmp6.h> # if !SOLARIS && defined(_KERNEL) @@ -85,12 +85,12 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2 # endif #endif #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" -#include "netinet/ip_auth.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_frag.h> +#include <netinet/ip_state.h> +#include <netinet/ip_auth.h> # if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) # include <sys/malloc.h> # if defined(_KERNEL) && !defined(IPFILTER_LKM) @@ -100,7 +100,7 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2 #ifndef MIN # define MIN(a,b) (((a)<(b))?(a):(b)) #endif -#include "netinet/ipl.h" +#include <netinet/ipl.h> #ifndef _KERNEL # include "ipf.h" diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c index 67904a1cb82..17046ab8283 100644 --- a/sys/netinet/ip_auth.c +++ b/sys/netinet/ip_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_auth.c,v 1.16 2001/01/17 07:25:18 fgsch Exp $ */ +/* $OpenBSD: ip_auth.c,v 1.17 2001/01/30 04:23:55 kjell Exp $ */ /* * Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij. 
@@ -91,10 +91,10 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_auth.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_auth.h> #if !SOLARIS && !defined(linux) # include <net/netisr.h> # ifdef __FreeBSD__ diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index 11a41d22bf1..97d595ce821 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.c,v 1.39 2001/01/17 05:16:37 fgsch Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.40 2001/01/30 04:23:55 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. @@ -99,16 +99,16 @@ static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.42.2.17 2000/10/19 15:3 # include <unistd.h> # include <syslog.h> #endif -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #ifdef USE_INET6 # include <netinet/icmp6.h> #endif -#include "netinet/ip_fil.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" -#include "netinet/ip_auth.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_frag.h> +#include <netinet/ip_state.h> +#include <netinet/ip_auth.h> #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) # include <sys/malloc.h> #endif @@ -133,7 +133,12 @@ extern int tcp_ttl; # endif #endif +# if defined (__OpenBSD__) +int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB; +# else int ipl_unreach = ICMP_UNREACH_FILTER; +# endif + u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); 
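Review bot: The new conditional in the @@ -133 hunk of ip_fil.c is spelled `# if defined (__OpenBSD__)` with a space before the parenthesis, while the other OpenBSD tests this same commit adds to the file use `# if defined(__OpenBSD__)` (at @@ -485 and @@ -1701) and `# if defined __OpenBSD__` (at @@ -1601); one spelling, `# if defined(__OpenBSD__)`, matching the file's existing `#if defined(__OpenBSD__)` at @@ -174, would keep the file consistent. The `# else` branch still initialises ipl_unreach from ICMP_UNREACH_FILTER, which the companion ip_fil.h hunk no longer defines on OpenBSD; that is harmless here because the branch is not compiled on OpenBSD, but the new symbol's origin is not recorded anywhere. A one-line comment on the OpenBSD branch, `/* ICMP_UNREACH_FILTER_PROHIB is presumably provided by the system <netinet/ip_icmp.h> */`, would make the dependency on the platform header explicit.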
@@ -174,7 +179,7 @@ struct callout_handle ipfr_slowtimer_ch; struct callout ipfr_slowtimer_ch; #endif #if defined(__OpenBSD__) -#include <sys/timeout.h> +# include <sys/timeout.h> struct timeout ipfr_slowtimer_ch; #endif #if defined(__sgi) && defined(_KERNEL) @@ -335,7 +340,7 @@ pfil_error: timeout_add(&ipfr_slowtimer_ch, hz / 2); # else # if (__FreeBSD_version >= 300000) || defined(__sgi) - ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); + ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); # else timeout(ipfr_slowtimer, NULL, hz/2); # endif @@ -367,7 +372,7 @@ int ipldetach() # if (__FreeBSD_version >= 300000) untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch); # else -# ifdef __sgi +# ifdef __sgi untimeout(ipfr_slowtimer_ch); # else untimeout(ipfr_slowtimer, NULL); @@ -384,9 +389,7 @@ int ipldetach() return 0; } -#if !defined(__OpenBSD__) printf("%s unloaded\n", ipfilter_version); -#endif fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); @@ -485,7 +488,34 @@ int mode; unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) return ENXIO; -#else + +# if defined(__OpenBSD__) + /* Prevent IPF changes when securelevel > 1 */ + if (securelevel > 1) { + switch (cmd) { +# ifndef IPFILTER_LKM + case SIOCFRENB: +# endif + case SIOCSETFF: + case SIOCADAFR: + case SIOCADIFR: + case SIOCINAFR: + case SIOCINIFR: + case SIOCRMAFR: + case SIOCRMIFR: + case SIOCZRLST: + case SIOCSWAPA: + case SIOCFRZST: + case SIOCIPFFL: +# ifdef IPFILTER_LOG + case SIOCIPFFB: +# endif + case SIOCSTLCK: + return EPERM; + } + } +# endif /* OpenBSD */ +#else /* _KERNEL */ unit = dev; #endif @@ -1404,11 +1434,9 @@ frdest_t *fdp; # endif i = 1; # endif -# ifndef sparc ip->ip_id = htons(ip->ip_id); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); -# endif if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); # if BSD >= 199306 
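Review bot: The securelevel guard added to iplioctl in the @@ -485 hunk of ip_fil.c is a deny-list: only the enumerated ioctls return EPERM at securelevel > 1, so any configuration-changing command missing from the list, or added later, is still accepted. The same shape is used in ip_nat.c at @@ -430, where the context a few lines above already shows the broader form `if ((securelevel >= 2) && (mode & FWRITE)) return EPERM;` under a different conditional; keying the OpenBSD check on `mode & FWRITE` (deny by default) would close that gap, and if some FWRITE-opened commands must remain permitted the comment should say which and why. Both new switches also lack a `default:` arm; adding `default: break;` makes the fall-through-to-allow intent explicit rather than implicit. iplioctl's definition begins before the hunk, so the surrounding `#ifdef _KERNEL` that the `#else /* _KERNEL */` line closes is assumed, not visible.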
@@ -1487,9 +1515,7 @@ frdest_t *fdp; m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = NULL; # endif -# ifndef sparc mhip->ip_off = htons((u_short)mhip->ip_off); -# endif mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); *mnext = m; @@ -1584,6 +1610,7 @@ static int no_output __P((struct ifnet *ifp, struct mbuf *m, return 0; } + # ifdef __STDC__ # ifdef __sgi static int write_output __P((struct ifnet *ifp, struct mbuf *m, @@ -1601,21 +1628,27 @@ ip_t *ip; { # endif char fname[32]; - int fd; + FILE *fp; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) +# if defined __OpenBSD__ + sprintf(fname, "/var/run/%s", ifp->if_xname); +# else sprintf(fname, "/tmp/%s", ifp->if_xname); +# endif # else sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); # endif - fd = open(fname, O_WRONLY|O_APPEND); - if (fd == -1) { - perror("open"); - return -1; + /* + * XXX + * This is still raceable, if the attacker gains the ability to + * erase the existing file in /tmp + */ + if ((fp = fopen(fname, "a"))) { + fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); + fclose(fp); } - write(fd, (char *)ip, ntohs(ip->ip_len)); - close(fd); return 0; } @@ -1701,7 +1734,11 @@ void init_ifp() (defined(OpenBSD) && (OpenBSD >= 199603)) for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; +# if defined(__OpenBSD__) + sprintf(fname, "/var/run/%s", ifp->if_xname); +# else sprintf(fname, "/tmp/%s", ifp->if_xname); +# endif fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); if (fd == -1) perror("open"); diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 72b5025c19e..4e2a4c78ae8 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.h,v 1.21 2001/01/17 04:47:13 fgsch Exp $ */ +/* $OpenBSD: ip_fil.h,v 1.22 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. 
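Review bot: In the @@ -1601 hunk write_output now ignores both failure modes: a failed `fopen` is silently skipped where the old code called perror and returned -1, and the `fwrite` result is never checked, so a lost packet write still returns 0 to the caller; if best-effort is intended the XXX comment should say so. That comment is right that reopening by name on every call is the race, but mode "a" also implies O_CREAT, so a file that has been removed is re-created with umask permissions rather than the 0600 that init_ifp's `O_CREAT|O_EXCL` open at @@ -1701 establishes, which is worth stating there too. `char fname[32]` is filled with an unbounded `sprintf` here and again in init_ifp at @@ -1701; `snprintf(fname, sizeof fname, "/var/run/%s", ifp->if_xname)` with a truncation check is the safer form even if if_xname is assumed to be short. write_output's definition (and init_ifp's) begins before the hunk.
```c
	/* … unchanged: fname selection per platform … */
	if ((fp = fopen(fname, "a")) == NULL) {
		perror("fopen");
		return -1;
	}
	if (fwrite((char *)ip, ntohs(ip->ip_len), 1, fp) != 1)
		perror("fwrite");
	(void) fclose(fp);
	return 0;
```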
@@ -424,8 +424,10 @@ typedef struct ipflog { } ipflog_t; -#ifndef ICMP_UNREACH_FILTER -# define ICMP_UNREACH_FILTER 13 +#if !defined(__OpenBSD__) +# ifndef ICMP_UNREACH_FILTER +# define ICMP_UNREACH_FILTER 13 +# endif #endif #ifndef IPF_LOGGING diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 4f5bd7822ad..37af2b1de4c 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_frag.c,v 1.20 2001/01/17 04:47:13 fgsch Exp $ */ +/* $OpenBSD: ip_frag.c,v 1.21 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. @@ -69,21 +69,21 @@ static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.10.2.7 2000/11/27 10:2 #include <netinet/tcp.h> #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" -#include "netinet/ip_auth.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_frag.h> +#include <netinet/ip_state.h> +#include <netinet/ip_auth.h> #if (__FreeBSD_version >= 300000) # include <sys/malloc.h> # if (defined(KERNEL) || defined(_KERNEL)) # ifndef IPFILTER_LKM # include <sys/libkern.h> # include <sys/systm.h> -# endif +# endif extern struct callout_handle ipfr_slowtimer_ch; # endif #endif @@ -91,6 +91,7 @@ extern struct callout_handle ipfr_slowtimer_ch; # include <sys/callout.h> extern struct callout ipfr_slowtimer_ch; #elif defined(__OpenBSD__) +# include <sys/timeout.h> extern struct timeout ipfr_slowtimer_ch; #endif diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c index 1c798708e11..a5d696631cb 100644 --- a/sys/netinet/ip_log.c +++ b/sys/netinet/ip_log.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_log.c,v 1.9 2001/01/17 04:47:14 fgsch Exp $ */ +/* $OpenBSD: ip_log.c,v 1.10 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1997-2000 by Darren Reed. @@ -105,14 +105,14 @@ # ifndef _KERNEL # include <syslog.h> # endif -# include "netinet/ip_compat.h" +# include <netinet/ip_fil_compat.h> # include <netinet/tcpip.h> -# include "netinet/ip_fil.h" -# include "netinet/ip_proxy.h" -# include "netinet/ip_nat.h" -# include "netinet/ip_frag.h" -# include "netinet/ip_state.h" -# include "netinet/ip_auth.h" +# include <netinet/ip_fil.h> +# include <netinet/ip_proxy.h> +# include <netinet/ip_nat.h> +# include <netinet/ip_frag.h> +# include <netinet/ip_state.h> +# include <netinet/ip_auth.h> # if (__FreeBSD_version >= 300000) # include <sys/malloc.h> # endif diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index c6d49f9d84f..a92c042cbcd 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_nat.c,v 1.37 2001/01/17 07:25:19 fgsch Exp $ */ +/* $OpenBSD: ip_nat.c,v 1.38 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1995-2000 by Darren Reed. @@ -97,13 +97,13 @@ extern struct ifnet vpnif; #include <netinet/tcp.h> #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_frag.h> +#include <netinet/ip_state.h> #if (__FreeBSD_version >= 300000) # include <sys/malloc.h> #endif @@ -342,11 +342,7 @@ u_32_t n; return; } #endif -#ifdef sparc - sum1 = (~(*sp)) & 0xffff; -#else sum1 = (~ntohs(*sp)) & 0xffff; -#endif sum1 += ~(n) & 0xffff; sum1 = (sum1 >> 16) + (sum1 & 0xffff); /* Again */ 
@@ -430,6 +426,24 @@ int mode; if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif +#if defined(_KERNEL) +# if defined(__OpenBSD__) + /* Prevent IPNAT changes when securelevel > 1 */ + if (securelevel > 1) { + switch (cmd) { + case SIOCIPFFL: +# ifdef IPFILTER_LOG + case SIOCIPFFB: +# endif + case SIOCADNAT: + case SIOCRMNAT: + case SIOCSTPUT: + case SIOCSTLCK: + return EPERM; + } + } +# endif /* OpenBSD */ +#endif /* _KERNEL */ nat = NULL; /* XXX gcc -Wuninitialized */ KMALLOC(nt, ipnat_t *); diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 24de449b3d6..467b4f86eee 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_proxy.c,v 1.12 2001/01/17 04:47:15 fgsch Exp $ */ +/* $OpenBSD: ip_proxy.c,v 1.13 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1997-2000 by Darren Reed. @@ -70,12 +70,12 @@ static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.9.2.1 2000/05/06 12:3 #include <netinet/tcp.h> #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_state.h> #if (__FreeBSD_version >= 300000) # include <sys/malloc.h> #endif @@ -93,9 +93,9 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); #define AP_SESS_SIZE 53 #if defined(_KERNEL) && !defined(linux) -#include "netinet/ip_ftp_pxy.c" -#include "netinet/ip_rcmd_pxy.c" -#include "netinet/ip_raudio_pxy.c" +#include <netinet/ip_ftp_pxy.c> +#include <netinet/ip_rcmd_pxy.c> +#include <netinet/ip_raudio_pxy.c> #endif ap_session_t *ap_sess_tab[AP_SESS_SIZE]; diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index d1dc3d96731..a17feb9c3f5 100644 --- a/sys/netinet/ip_state.c 
+++ b/sys/netinet/ip_state.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.c,v 1.25 2001/01/17 07:25:19 fgsch Exp $ */ +/* $OpenBSD: ip_state.c,v 1.26 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1995-2000 by Darren Reed. @@ -81,13 +81,13 @@ static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.30.2.28 2001/01/08 14 #endif #include <netinet/udp.h> #include <netinet/ip_icmp.h> -#include "netinet/ip_compat.h" +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_state.h" +#include <netinet/ip_fil.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_frag.h> +#include <netinet/ip_proxy.h> +#include <netinet/ip_state.h> #ifdef USE_INET6 #include <netinet/icmp6.h> #endif diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index a7cbaaac28d..0f28639ffc2 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.h,v 1.16 2001/01/17 04:47:16 fgsch Exp $ */ +/* $OpenBSD: ip_state.h,v 1.17 2001/01/30 04:23:56 kjell Exp $ */ /* * Copyright (C) 1995-2000 by Darren Reed. @@ -19,8 +19,13 @@ # define SIOCDELST _IOW(r, 61, struct ipstate *) #endif -#define IPSTATE_SIZE 5737 -#define IPSTATE_MAX 4013 /* Maximum number of states held */ +#ifndef IPSTATE_SIZE +# define IPSTATE_SIZE 5737 +#endif + +#ifndef IPSTATE_MAX +# define IPSTATE_MAX 4013 /* Maximum number of states held */ +#endif #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ (((s1) == (d2)) && ((d1) == (s2)))) |
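Review bot: Wrapping IPSTATE_SIZE and IPSTATE_MAX in `#ifndef` turns them into build-time tunables, but nothing in the header states what values are acceptable or how the two relate. If IPSTATE_SIZE is used as a hash-table modulus elsewhere (not visible in this hunk), a comment such as `/* state hash table size; may be overridden with -DIPSTATE_SIZE=<n>, must be > 0 (a prime is conventional) */` on the guard, and a matching note that IPSTATE_MAX caps entries independently of the table size, would keep an override from silently degrading the table.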