summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sbin/ipf/HISTORY26
-rw-r--r--sbin/ipf/parse.c31
-rw-r--r--sbin/ipfstat/fils.c12
-rw-r--r--sbin/ipnat/ipnat.c4
-rw-r--r--sbin/ipnat/natparse.c10
-rw-r--r--sys/netinet/fil.c10
-rw-r--r--sys/netinet/ip_fil.c18
-rw-r--r--sys/netinet/ip_fil_compat.h6
-rw-r--r--sys/netinet/ip_frag.c7
-rw-r--r--sys/netinet/ip_ftp_pxy.c46
-rw-r--r--sys/netinet/ip_nat.c55
-rw-r--r--sys/netinet/ip_proxy.c7
-rw-r--r--sys/netinet/ip_state.c57
-rw-r--r--sys/netinet/ip_state.h8
-rw-r--r--sys/netinet/ipl.h4
-rw-r--r--usr.sbin/ipmon/ipmon.c67
16 files changed, 279 insertions, 89 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY
index be00c1875f4..5c81d705dab 100644
--- a/sbin/ipf/HISTORY
+++ b/sbin/ipf/HISTORY
@@ -1,4 +1,4 @@
-# $OpenBSD: HISTORY,v 1.8 2000/05/24 21:59:11 kjell Exp $
+# $OpenBSD: HISTORY,v 1.9 2000/08/10 05:50:27 kjell Exp $
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
@@ -21,6 +21,30 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.3.18 08/08/2000 - Released
+
+fix up command checking in the ftp proxy
+
+fix getting the version from the kernel for solaris
+
+fix icmp state checking bug
+
+print out better information for ICMP packets in ipmon
+
+open ipfilter device read only if we know we can
+
+3.3.17 08/07/2000 - Released
+
+increase default state table sizes
+
+don't apply patches to FreeBSD twice
+
+fix parsing of icmp code when using words
+
+fix printing of icmp code when it is 0
+
+add compatibility #ifdef for FreeBSD's CSUM_DELAY_DATA
+
3.3.16 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out
diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c
index 8b3e04f1027..9b6b38f10c5 100644
--- a/sbin/ipf/parse.c
+++ b/sbin/ipf/parse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.c,v 1.34 2000/04/05 05:35:28 kjell Exp $ */
+/* $OpenBSD: parse.c,v 1.35 2000/08/10 05:50:27 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.12 2000/03/08 11:43:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.14 2000/06/21 14:50:52 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -1268,14 +1268,20 @@ int linenum;
linenum, **cp);
return -1;
}
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
+ } else {
+ i = icmpcode(**cp);
+ if (i == -1) {
+ fprintf(stderr,
+ "%d: Invalid icmp code (%s) specified\n",
+ linenum, **cp);
+ return -1;
+ }
}
- fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
+ i &= 0xff;
+ fp->fr_icmp |= (u_short)i;
+ fp->fr_icmpm = (u_short)0xffff;
+ (*cp)++;
+ return 0;
}
@@ -1295,9 +1301,8 @@ char *str;
char *s;
int i, len;
- if (!(s = strrchr(str, ')')))
- return -1;
- *s = '\0';
+ if ((s = strrchr(str, ')')))
+ *s = '\0';
if (isdigit(*str)) {
if (!ratoi(str, &i, 0, 255))
return -1;
@@ -1565,7 +1570,7 @@ struct frentry *fp;
printf(" icmp-type %s", icmptypes[type]);
else
printf(" icmp-type %d", type);
- if (code)
+ if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c
index 548c021a2aa..e92236fb230 100644
--- a/sbin/ipfstat/fils.c
+++ b/sbin/ipfstat/fils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fils.c,v 1.20 2000/03/13 23:40:19 kjell Exp $ */
+/* $OpenBSD: fils.c,v 1.21 2000/08/10 05:50:27 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -53,7 +53,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.6 2000/02/23 11:16:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.7 2000/05/24 20:34:56 darrenr Exp $";
#endif
#define F_IN 0
@@ -314,15 +314,15 @@ frentry_t *fp;
fp->fr_flags |= FR_OUTQUE;
if (opts & (OPT_HITS|OPT_VERBOSE))
#ifdef USE_QUAD_T
- printf("%qd ", fp->fr_hits);
+ printf("%qu ", fp->fr_hits);
#else
- printf("%ld ", fp->fr_hits);
+ printf("%lu ", fp->fr_hits);
#endif
if (opts & (OPT_ACCNT|OPT_VERBOSE))
#ifdef USE_QUAD_T
- printf("%qd ", fp->fr_bytes);
+ printf("%qu ", fp->fr_bytes);
#else
- printf("%ld ", fp->fr_bytes);
+ printf("%lu ", fp->fr_bytes);
#endif
if (opts & OPT_SHOWLINENO)
printf("@%d ", n);
diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c
index e9e9a17f8b7..3cfc24a5892 100644
--- a/sbin/ipnat/ipnat.c
+++ b/sbin/ipnat/ipnat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipnat.c,v 1.37 2000/07/26 20:33:01 mickey Exp $ */
+/* $OpenBSD: ipnat.c,v 1.38 2000/08/10 05:50:27 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -58,7 +58,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.2 1999/12/04 02:09:30 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.3 2000/07/27 13:07:07 darrenr Exp $";
#endif
diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c
index ff15cfe14e4..62c40794f15 100644
--- a/sbin/ipnat/natparse.c
+++ b/sbin/ipnat/natparse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: natparse.c,v 1.5 2000/05/01 06:16:48 kjell Exp $ */
+/* $OpenBSD: natparse.c,v 1.6 2000/08/10 05:50:27 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -55,7 +55,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.2 2000/03/25 00:37:37 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.3 2000/06/25 07:13:28 darrenr Exp $";
#endif
@@ -746,7 +746,11 @@ char *msk;
if (strchr(msk, '.'))
return inet_addr(msk);
if (strchr(msk, 'x'))
- return (u_32_t)strtol(msk, NULL, 0);
+#if defined(sun) && !defined(__SVR4) && !defined(__svr4__)
+ return (u_32_t)htonl(strtol(msk, NULL, 0));
+#else
+ return (u_32_t)htonl(strtoul(msk, NULL, 0));
+#endif
/*
* set x most significant bits
*/
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index 676b5418e0f..828ad128d60 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fil.c,v 1.25 2000/05/24 21:59:10 kjell Exp $ */
+/* $OpenBSD: fil.c,v 1.26 2000/08/10 05:50:25 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -23,6 +23,9 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42
#endif
#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
+# if (__FreeBSD_version >= 400019)
+# define CSUM_DELAY_DATA
+# endif
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
@@ -1187,7 +1190,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $
+ * $IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1592,6 +1595,7 @@ void frsync()
ip_natsync(ifp);
ip_statesync(ifp);
}
+ ip_natsync((struct ifnet *)-1);
# endif
WRITE_ENTER(&ipf_mutex);
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 5f5cb113d24..b8243712c19 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.c,v 1.35 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ip_fil.c,v 1.36 2000/08/10 05:50:25 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.21 2000/05/22 06:57:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43:47 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -1401,15 +1401,29 @@ char *name;
if (!ifneta) {
ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
+ if (!ifneta)
+ return NULL;
ifneta[1] = NULL;
ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
+ if (!ifneta[0]) {
+ free(ifneta);
+ return NULL;
+ }
nifs = 1;
} else {
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
+ if (!ifneta) {
+ nifs = 0;
+ return NULL;
+ }
ifneta[nifs] = NULL;
ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
+ if (!ifneta[nifs - 1]) {
+ nifs--;
+ return NULL;
+ }
}
ifp = ifneta[nifs - 1];
diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h
index d9c078e47e3..97f420e12ae 100644
--- a/sys/netinet/ip_fil_compat.h
+++ b/sys/netinet/ip_fil_compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil_compat.h,v 1.17 2000/06/16 21:47:16 provos Exp $ */
+/* $OpenBSD: ip_fil_compat.h,v 1.18 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -149,6 +149,10 @@ typedef unsigned long u_32_t;
# endif
#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
+#ifndef MAX
+#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+#endif
+
/*
* Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
*
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index e2780d3e256..4ac9b87c98a 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_frag.c,v 1.17 2000/03/13 23:40:18 kjell Exp $ */
+/* $OpenBSD: ip_frag.c,v 1.18 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.5 2000/06/06 15:50:48 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -139,6 +139,9 @@ ipfr_t *table[];
ipfr_t **fp, *fra, frag;
u_int idx;
+ if (ipfr_inuse >= IPFT_SIZE)
+ return NULL;
+
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c
index 755bbe4efca..16ec4c3edf5 100644
--- a/sys/netinet/ip_ftp_pxy.c
+++ b/sys/netinet/ip_ftp_pxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ftp_pxy.c,v 1.10 2000/04/12 21:32:39 kjell Exp $ */
+/* $OpenBSD: ip_ftp_pxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */
/*
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
@@ -9,7 +9,10 @@ extern kmutex_t ipf_rw;
#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A')
+#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
+#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
+#define isalpha(x) (isupper(x) || islower(x))
+#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
#define IPF_FTP_PROXY
@@ -26,7 +29,7 @@ int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *));
int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *));
-int ippr_ftp_complete __P((char *, size_t));
+int ippr_ftp_complete __P((char *, size_t, char *));
u_short ipf_ftp_atoi __P((char **));
@@ -46,8 +49,8 @@ int ippr_ftp_init()
}
-int ippr_ftp_complete(buf, len)
-char *buf;
+int ippr_ftp_complete(buf, len, cbuf)
+char *buf, *cbuf;
size_t len;
{
register char *s, c;
@@ -74,17 +77,22 @@ size_t len;
return -1;
} else
return -1;
- } else if (isupper(c)) {
+ } else if (isalpha(c)) {
+ cbuf[0] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[1] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[2] = toupper(c);
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
+ cbuf[3] = toupper(c);
c = *s++;
+ cbuf[4] = c;
i--;
if (c != ' ')
return -1;
@@ -164,7 +172,7 @@ fr_info_t *fin;
ip_t *ip;
nat_t *nat;
{
- char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s;
+ char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6];
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
size_t nlen = 0, dlen, olen;
u_short a5, a6, sp, dp;
@@ -196,26 +204,27 @@ nat_t *nat;
if (dlen > 0)
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- if (dlen == 0)
+ if (dlen <= 0)
return 0;
+ bzero(cmd, sizeof(cmd));
portbuf[sizeof(portbuf) - 1] = '\0';
*newbuf = '\0';
/*
* Check that a user is progressing through the login ok.
*/
- if (ippr_ftp_complete(portbuf, dlen))
+ if (ippr_ftp_complete(portbuf, dlen, cmd))
return 0;
ftp = nat->nat_aps->aps_data;
switch (ftp->ftp_passok)
{
case 0 :
- if (!strncmp(portbuf, "USER ", 5))
+ if (!strncmp(cmd, "USER ", 5))
ftp->ftp_passok = 1;
break;
case 2 :
- if (!strncmp(portbuf, "PASS ", 5))
+ if (!strncmp(cmd, "PASS ", 5))
ftp->ftp_passok = 3;
break;
}
@@ -224,7 +233,7 @@ nat_t *nat;
/*
* Check for client sending out PORT message.
*/
- if (!ippr_ftp_pasvonly && !strncmp(portbuf, "PORT ", 5)) {
+ if (!ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) {
if (dlen < IPF_MINPORTLEN)
return 0;
} else
@@ -391,7 +400,7 @@ fr_info_t *fin;
ip_t *ip;
nat_t *nat;
{
- char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s;
+ char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6];
int off, olen, dlen, nlen = 0, inc = 0;
tcphdr_t tcph, *tcp2 = &tcph;
struct in_addr swip, swip2;
@@ -422,8 +431,9 @@ nat_t *nat;
if (dlen > 0)
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- if (dlen == 0)
+ if (dlen <= 0)
return 0;
+ bzero(cmd, sizeof(cmd));
portbuf[sizeof(portbuf) - 1] = '\0';
*newbuf = '\0';
@@ -450,7 +460,7 @@ nat_t *nat;
break;
}
- if (ippr_ftp_complete(portbuf, dlen) || (ftp->ftp_passok != 4))
+ if (ippr_ftp_complete(portbuf, dlen, cmd) || (ftp->ftp_passok != 4))
return 0;
/*
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index 6bf634f9c9c..a6283e04d34 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_nat.c,v 1.33 2000/07/03 04:50:05 aaron Exp $ */
+/* $OpenBSD: ip_nat.c,v 1.34 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -11,7 +11,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.18 2000/05/19 15:52:29 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.21 2000/08/08 16:00:33 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -410,7 +410,7 @@ int mode;
* mapping range. In all cases, the range is inclusive of
* the start and ending IP addresses.
* If to a CIDR address, lose 2: broadcast + network address
- * (so subtract 1)
+ * (so subtract 1)
* If to a range, add one.
* If to a single IP address, set to 1.
*/
@@ -614,9 +614,9 @@ void
nat_ifdetach(ifp)
struct ifnet *ifp;
{
- ipnat_t *n, **np = &nat_list;
+ ipnat_t *n, **np;
- while ((n = *np)) {
+ for (np = &nat_list; (n = *np) != NULL; np = &n->in_next) {
*np = n->in_next;
if (!n->in_use) {
if (n->in_apr)
@@ -627,6 +627,7 @@ nat_ifdetach(ifp)
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
+ n = NULL;
}
}
@@ -1027,11 +1028,13 @@ nat_t *nat_icmpinlookup(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
- icmphdr_t *icmp;
tcphdr_t *tcp = NULL;
+ icmphdr_t *icmp;
ip_t *oip;
- int flags = 0, type;
+ int flags = 0, type, minlen;
+ if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
+ return NULL;
icmp = (icmphdr_t *)fin->fin_dp;
/*
* Does it at least have the return (basic) IP header ?
@@ -1050,13 +1053,43 @@ fr_info_t *fin;
return NULL;
oip = (ip_t *)((char *)fin->fin_dp + 8);
- if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ minlen = (oip->ip_hl << 2);
+ if (ip->ip_len < ICMPERR_MINPKTLEN + minlen)
+ return NULL;
+ /*
+ * Is the buffer big enough for all of it ? It's the size of the IP
+ * header claimed in the encapsulated part which is of concern. It
+ * may be too big to be in this buffer but not so big that it's
+ * outside the ICMP packet, leading to TCP deref's causing problems.
+ * This is possible because we don't know how big oip_hl is when we
+ * do the pullup early in fr_check() and thus can't gaurantee it is
+ * all here now.
+ */
+#ifdef _KERNEL
+ {
+ mb_t *m;
+
+# if SOLARIS
+ m = fin->fin_qfm;
+ if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
return NULL;
+# else
+ m = *(mb_t **)fin->fin_mp;
+ if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
+ (char *)ip + m->m_len)
+ return NULL;
+# endif
+ }
+#endif
+
if (oip->ip_p == IPPROTO_TCP)
flags = IPN_TCP;
else if (oip->ip_p == IPPROTO_UDP)
flags = IPN_UDP;
if (flags & IPN_TCPUDP) {
+ minlen += 8; /* + 64bits of data to get ports */
+ if (ip->ip_len < ICMPERR_MINPKTLEN + minlen)
+ return NULL;
tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p,
oip->ip_dst, oip->ip_src,
@@ -1135,7 +1168,10 @@ u_int *nflags;
if ((flags & IPN_TCPUDP) != 0) {
tcphdr_t *tcp;
- /* XXX - what if this is bogus hl and we go off the end ? */
+ /*
+ * XXX - what if this is bogus hl and we go off the end ?
+ * In this case, nat_icmpinlookup() will have returned NULL.
+ */
tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
if (nat->nat_dir == NAT_OUTBOUND) {
@@ -1466,6 +1502,7 @@ maskloop:
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
}
+
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, nat->nat_sumd[1],
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c
index 871183209f1..d6803d78744 100644
--- a/sys/netinet/ip_proxy.c
+++ b/sys/netinet/ip_proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_proxy.c,v 1.10 2000/06/16 21:47:16 provos Exp $ */
+/* $OpenBSD: ip_proxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
@@ -80,6 +80,11 @@ static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.4 2000/03/15 13:5
# include <sys/malloc.h>
#endif
+
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
fr_info_t *, nat_t *));
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index 983d2ca299b..51cda10dee3 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.c,v 1.22 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ip_state.c,v 1.23 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.25 2000/05/22 06:57:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.28 2000/08/08 16:00:35 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -152,7 +152,7 @@ static ips_stat_t *fr_statetstats()
* flush state tables. two actions currently defined:
* which == 0 : flush all state table entries
* which == 1 : flush TCP connections which have started to close but are
- * stuck for some reason.
+ * stuck for some reason.
*/
static int fr_state_flush(which)
int which;
@@ -679,12 +679,12 @@ fr_info_t *fin;
register u_char pr;
struct icmp *ic;
u_short savelen;
+ icmphdr_t *icmp;
fr_info_t ofin;
tcphdr_t *tcp;
- icmphdr_t *icmp;
+ int type, len;
frentry_t *fr;
ip_t *oip;
- int type;
u_int hv;
/*
@@ -708,6 +708,38 @@ fr_info_t *fin;
if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
return NULL;
+ /*
+ * Sanity Checks.
+ */
+ len = fin->fin_dlen - ICMPERR_ICMPHLEN;
+ if ((len <= 0) || ((oip->ip_hl << 2) > len))
+ return NULL;
+
+ /*
+ * Is the buffer big enough for all of it ? It's the size of the IP
+ * header claimed in the encapsulated part which is of concern. It
+ * may be too big to be in this buffer but not so big that it's
+ * outside the ICMP packet, leading to TCP deref's causing problems.
+ * This is possible because we don't know how big oip_hl is when we
+ * do the pullup early in fr_check() and thus can't gaurantee it is
+ * all here now.
+ */
+#ifdef _KERNEL
+ {
+ mb_t *m;
+
+# if SOLARIS
+ m = fin->fin_qfm;
+ if ((char *)oip + len > (char *)m->b_wptr)
+ return NULL;
+# else
+ m = *(mb_t **)fin->fin_mp;
+ if ((char *)oip + len > (char *)ip + m->m_len)
+ return NULL;
+# endif
+ }
+#endif
+
if (oip->ip_p == IPPROTO_ICMP) {
icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
@@ -738,9 +770,10 @@ fr_info_t *fin;
}
hv %= fr_statesize;
- oip->ip_len = ntohs(oip->ip_len);
+ savelen = oip->ip_len;
+ oip->ip_len = len;
fr_makefrip(oip->ip_hl << 2, oip, &ofin);
- oip->ip_len = htons(oip->ip_len);
+ oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
ofin.fin_out = !fin->fin_out;
ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
@@ -795,7 +828,7 @@ fr_info_t *fin;
* order. Any change we make must be undone afterwards.
*/
savelen = oip->ip_len;
- oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN;
+ oip->ip_len = len;
fr_makefrip(oip->ip_hl << 2, oip, &ofin);
oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
@@ -899,7 +932,15 @@ fr_info_t *fin;
case IPPROTO_TCP :
{
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
+ register int i;
+ i = tcp->th_flags;
+ /*
+ * Just plain ignore RST flag set with either FIN or SYN.
+ */
+ if ((i & TH_RST) &&
+ ((i & (TH_FIN|TH_SYN|TH_RST)) != TH_RST))
+ break;
tryagain = 0;
retry_tcp:
hvm = hv % fr_statesize;
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index 5174f8571d4..edfcc8d6e3a 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.h,v 1.14 2000/04/13 17:13:42 kjell Exp $ */
+/* $OpenBSD: ip_state.h,v 1.15 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -8,17 +8,17 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $IPFilter: ip_state.h,v 2.1.2.4 2000/02/23 15:23:27 darrenr Exp $
+ * $IPFilter: ip_state.h,v 2.1.2.5 2000/07/08 02:15:56 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
#ifndef IPSTATE_SIZE
-# define IPSTATE_SIZE 257
+# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
-# define IPSTATE_MAX 2048 /* Maximum number of states held */
+# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h
index ffdd854ff0d..1fd9dfb8feb 100644
--- a/sys/netinet/ipl.h
+++ b/sys/netinet/ipl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipl.h,v 1.11 2000/05/24 21:59:11 kjell Exp $ */
+/* $OpenBSD: ipl.h,v 1.12 2000/08/10 05:50:26 kjell Exp $ */
/*
* Copyright (C) 1993-1999 by Darren Reed.
@@ -13,6 +13,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.3.16"
+#define IPL_VERSION "IP Filter: v3.3.18"
#endif
diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c
index 31b42559040..6b38934dbaa 100644
--- a/usr.sbin/ipmon/ipmon.c
+++ b/usr.sbin/ipmon/ipmon.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipmon.c,v 1.23 2000/03/13 23:40:20 kjell Exp $ */
+/* $OpenBSD: ipmon.c,v 1.24 2000/08/10 05:50:27 kjell Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.5 2000/02/16 14:40:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.6 2000/08/07 13:04:51 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -579,10 +579,11 @@ int blen;
{
tcphdr_t *tp;
struct icmp *ic;
+ struct icmp *icmphdr;
struct tm *tm;
char *t, *proto;
u_short hl, p;
- int i, lvl, res, len;
+ int i, lvl, res, len, ipoff;
ip_t *ipc, *ip;
iplog_t *ipl;
ipflog_t *ipf;
@@ -713,19 +714,57 @@ int blen;
ic->icmp_type == ICMP_REDIRECT ||
ic->icmp_type == ICMP_TIMXCEED) {
ipc = &ic->icmp_ip;
- tp = (tcphdr_t *)((char *)ipc + hl);
-
+ i = ntohs(ipc->ip_len);
+ ipoff = ntohs(ipc->ip_off);
proto = getproto(ipc->ip_p);
- t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- hostname(res, ipc->ip_src),
- portname(res, proto, (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- hostname(res, ipc->ip_dst),
- portname(res, proto, (u_int)tp->th_dport),
- proto, ipc->ip_hl << 2, ipc->ip_len);
+ if (!(ipoff & IP_OFFMASK) &&
+ ((ipc->ip_p == IPPROTO_TCP) ||
+ (ipc->ip_p == IPPROTO_UDP))) {
+ tp = (tcphdr_t *)((char *)ipc + hl);
+
+ t += strlen(t);
+ (void) sprintf(t, " for %s,%s -",
+ hostname(res, ipc->ip_src),
+ portname(res, proto,
+ (u_int)tp->th_sport));
+ t += strlen(t);
+ (void) sprintf(t, " %s,%s PR %s len %hu %hu",
+ hostname(res, ipc->ip_dst),
+ portname(res, proto,
+ (u_int)tp->th_dport),
+ proto, ipc->ip_hl << 2, ipc->ip_len);
+ } else if ((ipc->ip_p == IPPROTO_ICMP) &&
+ !(ipoff & IP_OFFMASK)) {
+ icmphdr = (icmphdr_t *)((char *)ipc + hl);
+
+ t += strlen(t);
+ (void) sprintf(t, " for %s -",
+ hostname(res, ipc->ip_src));
+ t += strlen(t);
+ (void) sprintf(t,
+ " %s PR icmp len %hu %hu icmp %d/%d",
+ hostname(res, ipc->ip_dst),
+ ipc->ip_hl << 2, i,
+ icmphdr->icmp_type, icmphdr->icmp_code);
+ } else {
+
+ t += strlen(t);
+ (void) sprintf(t, " for %s -",
+ hostname(res, ipc->ip_src));
+ t += strlen(t);
+ (void) sprintf(t, " %s PR %s len %hu (%hu)",
+ hostname(res, ipc->ip_dst),
+ proto, ipc->ip_hl << 2, ipc->ip_len);
+ t += strlen(t);
+ if (ipc->ip_off & IP_OFFMASK) {
+ (void) sprintf(t, " frag %s%s%hu@%hu",
+ ipoff & IP_MF ? "+" : "",
+ ipoff & IP_DF ? "-" : "",
+ i - (ipc->ip_hl << 2),
+ (ipoff & IP_OFFMASK) << 3);
+ }
+ }
}
} else {
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));