[src/trunk]: src Upgraded IPFilter to 4.1.8
details: https://anonhg.NetBSD.org/src/rev/a52a7fe65e7a
branches: trunk
changeset: 579974:a52a7fe65e7a
user: martti <martti%NetBSD.org@localhost>
date: Sun Apr 03 15:05:30 2005 +0000
description:
Upgraded IPFilter to 4.1.8
diffstat:
dist/ipf/HISTORY | 74 +++++
dist/ipf/ipf.h | 6 +-
dist/ipf/lib/getport.c | 19 +-
dist/ipf/samples/proxy.c | 4 +-
dist/ipf/tools/ipf_y.y | 14 +-
dist/ipf/tools/ipfs.c | 21 +-
dist/ipf/tools/ipfstat.c | 78 ++++-
dist/ipf/tools/ipnat_y.y | 16 +-
regress/sys/kern/ipf/Makefile | 9 +-
regress/sys/kern/ipf/expected/ni5 | 1 -
sys/dist/ipf/netinet/fil.c | 280 ++++++++++++++----
sys/dist/ipf/netinet/ip_compat.h | 11 +-
sys/dist/ipf/netinet/ip_fil.h | 71 ++--
sys/dist/ipf/netinet/ip_fil_netbsd.c | 49 +-
sys/dist/ipf/netinet/ip_ftp_pxy.c | 294 ++++++++++---------
sys/dist/ipf/netinet/ip_ipsec_pxy.c | 38 +-
sys/dist/ipf/netinet/ip_nat.c | 302 +++++++++++++++-----
sys/dist/ipf/netinet/ip_nat.h | 7 +-
sys/dist/ipf/netinet/ip_pptp_pxy.c | 512 ++++++++++++++++++++++++++--------
sys/dist/ipf/netinet/ip_proxy.c | 6 +-
sys/dist/ipf/netinet/ip_proxy.h | 8 +-
sys/dist/ipf/netinet/ip_state.c | 225 +++++++++------
sys/dist/ipf/netinet/ip_state.h | 6 +-
sys/dist/ipf/netinet/ip_sync.c | 6 +-
sys/dist/ipf/netinet/ipl.h | 8 +-
25 files changed, 1411 insertions(+), 654 deletions(-)
diffs (truncated from 3972 to 300 lines):
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/HISTORY
--- a/dist/ipf/HISTORY Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/HISTORY Sun Apr 03 15:05:30 2005 +0000
@@ -10,6 +10,80 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+4.1.8 - Released 29 March 2005
+
+include path from Phil Dibowitz for sorting ipfstat -t output by source or
+destination port.
+
+fix a bug in printing rules where interface names could not be printed,
+even if they're in the rule structure.
+
+fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
+
+add 2 new features to SIOCGNATL:
+- if IPN_FINDFORWARD is set, check if the respective MAP is already
+ present in the outbound table
+- if IPN_IN is set, search for a matching MAP entry instead of RDR
+ (Peter Potsma)
+
+turn off function inlining for freebsd 5.3+
+
+UDP doesn't pullup enough data which can sometimes cause a panic.
+Fix other protocols, as required, where a similar problem may exist.
+
+overhaul the timeout queue management, especially that for user defined queues
+which are now only freed in an orderly manner.
+
+4.1.7 - Released 13 March 2005
+
+Using the GRE call field is almost impossible because it is unbalanced and
+both call fields are not present in each v1 header.
+
+Fix a problem where it was possible to load duplicate rules into ipf
+
+patch from John Wehle to address problems with fastroute on solaris
+
+Copying data out for ipf -z failed because it tried to copy out to an address
+that is a kernel pointer in user space.
+
+add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
+
+synch up with NetBSD's changes
+
+fix problems parsing long lines of text in the ftp proxy where they would not
+be parsed properly and stop the session from working
+
+enhance the PPTP proxy so that it tries to decode messages in the TCP stream
+so it knows when to create and destroy the state/nat sessions for GRE. There
+are also 4 new regression tests for it, testing map/rdr rules.
+
+impose some limits on the size of data that can be moved with SIOCSTPUT in
+the NAT code and also prevent a duplicate session entry from being created
+using this method.
+
+add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
+to check if it is possible to create an outgoing transparent NAT mapping to
+compliment the redirect being investigated.
+
+Linux requires that the checksums in the IP header get adjusted
+
+only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
+in SIOCSTPUT to prevent bad data being loaded from userspace.
+
+make the byte counting for state correct (was counting data from ICMP packet
+twice)
+
+print out the keyword "frag-body" if the flag is set.
+
+fix ipfs loading/restoring NAT sessions
+
+patch from Frank to correctly format IP addresses in ipfstat -t output
+
+parsing port numbers in ipf/ipnat was confusing as the port number was returned
+in an int that was also overloaded to be the suceess/failure. instead, change
+the port using pass by reference and only use the return value for indicating
+success or failure.
+
4.1.6 - Released 19 February 2005
add a new timeout number to NAT (fr_defnatipage) that is used for all
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/ipf.h
--- a/dist/ipf/ipf.h Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/ipf.h Sun Apr 03 15:05:30 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipf.h,v 1.9 2005/02/19 21:30:24 martti Exp $ */
+/* $NetBSD: ipf.h,v 1.10 2005/04/03 15:05:30 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
- * Id: ipf.h,v 2.71.2.5 2005/02/01 02:44:34 darrenr Exp
+ * Id: ipf.h,v 2.71.2.6 2005/02/21 05:05:29 darrenr Exp
*/
#ifndef __IPF_H__
@@ -196,7 +196,7 @@
extern int fac_findname __P((char *));
extern void fill6bits __P((int, u_int *));
extern int gethost __P((char *, u_32_t *));
-extern int getport __P((struct frentry *, char *));
+extern int getport __P((struct frentry *, char *, u_short *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
extern char *getline __P((char *, size_t, FILE *, int *));
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/lib/getport.c
--- a/dist/ipf/lib/getport.c Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/lib/getport.c Sun Apr 03 15:05:30 2005 +0000
@@ -1,8 +1,9 @@
#include "ipf.h"
-int getport(fr, name)
+int getport(fr, name, port)
frentry_t *fr;
char *name;
+u_short *port;
{
struct protoent *p;
struct servent *s;
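Review bot: The new `port` out-parameter has no contract comment, and the function's body (which continues past this hunk) writes `*port` only on the success paths and returns -1 without touching it otherwise, which callers reading `port` after a failed call need to know. Suggest a header comment above the definition: `/* Resolve NAME as a service for FR's protocol. On success store the (network byte order) port in *PORT and return 0; on failure return -1 and leave *PORT untouched. */`. The return value now only signals success or failure, so the ipf.h prototype change in the previous file section should be kept in step with this comment.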
@@ -10,8 +11,10 @@
if (fr == NULL || fr->fr_type != FR_T_IPF) {
s = getservbyname(name, NULL);
- if (s != NULL)
- return s->s_port;
+ if (s != NULL) {
+ *port = s->s_port;
+ return 0;
+ }
return -1;
}
@@ -27,13 +30,15 @@
s = getservbyname(name, "udp");
if (s == NULL || s->s_port != p1)
return -1;
- return p1;
+ *port = p1;
+ return 0;
}
p = getprotobynumber(fr->fr_proto);
s = getservbyname(name, p ? p->p_name : NULL);
- if (s != NULL)
- return s->s_port;
-
+ if (s != NULL) {
+ *port = s->s_port;
+ return 0;
+ }
return -1;
}
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/samples/proxy.c
--- a/dist/ipf/samples/proxy.c Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/samples/proxy.c Sun Apr 03 15:05:30 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: proxy.c,v 1.5 2005/02/19 21:30:25 martti Exp $ */
+/* $NetBSD: proxy.c,v 1.6 2005/04/03 15:05:30 martti Exp $ */
/*
* Sample transparent proxy program.
@@ -101,7 +101,7 @@
* Open the NAT device and lookup the mapping pair.
*/
fd = open(IPNAT_NAME, O_RDONLY);
- if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
+ if (ioctl(fd, SIOCGNATL, &obj) == -1) {
perror("ioctl(SIOCGNATL)");
exit(-1);
}
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/tools/ipf_y.y
--- a/dist/ipf/tools/ipf_y.y Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/tools/ipf_y.y Sun Apr 03 15:05:30 2005 +0000
@@ -67,6 +67,7 @@
frentry_t fr;
frtuc_t *frt;
struct alist_s *alist;
+ u_short port;
struct {
u_short p1;
u_short p2;
@@ -79,7 +80,8 @@
union i6addr ip6;
};
-%type <num> portnum facility priority icmpcode seclevel secname icmptype
+%type <port> portnum
+%type <num> facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type <num> portc porteq
%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
@@ -1084,15 +1086,15 @@
;
portnum:
- servicename { $$ = getport(frc, $1);
- if ($$ == -1)
+ servicename { if (getport(frc, $1, &($$)) == -1)
yyerror("service unknown");
$$ = ntohs($$);
free($1);
}
- | YY_NUMBER { $$ = $1;
- if ($$ < 0 || $$ > 65535)
+ | YY_NUMBER { if ($1 > 65535) /* Unsigned */
yyerror("invalid port number");
+ else
+ $$ = $1;
}
;
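Review bot: In the `servicename` action, `$$` is left unassigned when `getport()` fails, and the following `$$ = ntohs($$);` then reads an uninitialized value if `yyerror()` returns to the parser rather than aborting; the `YY_NUMBER` action has the same gap, leaving `$$` unset on the "invalid port number" path. If `yyerror()` does return (its definition is outside this hunk), make the conversion conditional: `if (getport(frc, $1, &($$)) == -1) { yyerror("service unknown"); $$ = 0; } else $$ = ntohs($$);`, and assign `$$ = 0;` in the error branch of the `YY_NUMBER` rule. The `/* Unsigned */` remark on `$1 > 65535` is only a sufficient check if the `<num>` semantic type is actually unsigned; its declaration is outside this hunk, so that is worth confirming, since a signed `num` would let negative values through.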
@@ -2042,7 +2044,7 @@
if ((opts & OPT_ZERORULEST) != 0) {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) != 0) {
+ if ((opts & OPT_DONOTHING) == 0) {
fprintf(stderr, "%d:", yylineNum);
perror("ioctl(SIOCZRLST)");
}
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/tools/ipfs.c
--- a/dist/ipf/tools/ipfs.c Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/tools/ipfs.c Sun Apr 03 15:05:30 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipfs.c,v 1.5 2005/02/08 07:01:54 martti Exp $ */
+/* $NetBSD: ipfs.c,v 1.6 2005/04/03 15:05:30 martti Exp $ */
/*
* Copyright (C) 1999-2001, 2003 by Darren Reed.
@@ -587,16 +587,12 @@
return 1;
}
- if (ipn.ipn_dsize > 0) {
- n = ipn.ipn_dsize;
+ in = (nat_save_t *)malloc(ipn.ipn_dsize);
+ if (!in)
+ break;
- if (n > sizeof(ipn.ipn_data))
- n -= sizeof(ipn.ipn_data);
- else
- n = 0;
- in = malloc(sizeof(*in) + n);
- if (!in)
- break;
+ if (ipn.ipn_dsize > sizeof(ipn)) {
+ n = ipn.ipn_dsize - sizeof(ipn);
if (n > 0) {
s = in->ipn_data + sizeof(in->ipn_data);
i = read(nfd, s, n);
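Review bot: `in = (nat_save_t *)malloc(ipn.ipn_dsize);` allocates exactly `ipn_dsize` bytes, but the `bcopy((char *)&ipn, (char *)in, sizeof(ipn))` a few lines below (visible in the next hunk) always copies `sizeof(ipn)` bytes into it, so any record whose `ipn_dsize` is smaller than `sizeof(ipn)` (including 0) overflows the heap allocation; the removed code avoided this by always allocating at least `sizeof(*in)`. `ipn_dsize` appears to come from the saved state file being restored, so it should be validated before it sizes the allocation, e.g. `if (ipn.ipn_dsize < sizeof(ipn)) return 1; /* truncated or corrupt record */` ahead of the `malloc`, mirroring the short-read handling below. With that guard the inner `if (n > 0)` test becomes redundant, and the `(nat_save_t *)` cast on `malloc` is unnecessary in C. The enclosing function starts and ends outside this hunk.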
@@ -610,9 +606,6 @@
return 1;
}
}
- } else {
- ipn.ipn_dsize = 0;
- in = (nat_save_t *)malloc(sizeof(*in));
}
bcopy((char *)&ipn, (char *)in, sizeof(ipn));
@@ -751,7 +744,7 @@
if (opts & OPT_VERBOSE)
printf("Got nat next %p ipn_dsize %d ng_sz %d\n",
ipnp->ipn_next, ipnp->ipn_dsize, ng.ng_sz);
- if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) {
+ if (write(nfd, ipnp, ipnp->ipn_dsize) != ipnp->ipn_dsize) {
perror("nat:write");
close(nfd);
free(ipnp);
diff -r 17ab6397e092 -r a52a7fe65e7a dist/ipf/tools/ipfstat.c
--- a/dist/ipf/tools/ipfstat.c Sun Apr 03 15:01:04 2005 +0000
+++ b/dist/ipf/tools/ipfstat.c Sun Apr 03 15:05:30 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipfstat.c,v 1.9 2005/02/08 07:01:54 martti Exp $ */
+/* $NetBSD: ipfstat.c,v 1.10 2005/04/03 15:05:30 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -70,7 +70,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.9 2004/12/09 19:41:26 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.11 2005/03/30 14:09:57 darrenr Exp";
#endif
#ifdef __hpux
@@ -107,8 +107,10 @@
#define STSORT_BYTES 2
#define STSORT_TTL 3
#define STSORT_SRCIP 4
-#define STSORT_DSTIP 5
-#define STSORT_MAX STSORT_DSTIP