From: kjell Date: Mon, 13 Mar 2000 23:40:17 +0000 (+0000) Subject: Import of Darren Reed's IPFilter 3.3.11. See sbin/ipf/HISTORY for detailed X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a85bad55ddf6f0b7c06b58141d2a68ec9e1437ae;p=openbsd Import of Darren Reed's IPFilter 3.3.11. See sbin/ipf/HISTORY for detailed changelog. Documentation changes are now way behind. Volunteers? --- diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index f9111baf003..84b5927fe03 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.4 2000/02/16 22:34:21 kjell Exp $ +# $OpenBSD: HISTORY,v 1.5 2000/03/13 23:40:19 kjell Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -21,6 +21,29 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.3.11 04/03/2000 - Released + +make "or-block" work with lines that start with "log" + +fix up parsing and printing of rules with syslog levels in them + +fix from Cy Schubert for calling of apr_fini only if non-null + +3.3.10 24/02/2000 - Released + +* fix back from guido for state tracking interfaces + +* update for NetBSD pfil interface changes + +* if attaching fails and we can abort, then cleanup when doing so. + +Julian Yip (julian@computer.org): +* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. +* ipf.c (packetlogon): use flag to store the return value from get_flags. +* ipmon.c (init_tabs): Generate cleanup so we do not have to cast + an int s->s_port to u_int port and try to check if the u_int port + is less than zero. + 3.3.9 15/02/2000 - Released fix scheduling of bad locking in fr_addstate() used when we attach onto diff --git a/sbin/ipf/facpri.c b/sbin/ipf/facpri.c index 9801ce875fc..00434b42a0f 100644 --- a/sbin/ipf/facpri.c +++ b/sbin/ipf/facpri.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: facpri.c,v 1.3 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: facpri.c,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipf/facpri.h b/sbin/ipf/facpri.h index d340c9fa3b5..8f819136b34 100644 --- a/sbin/ipf/facpri.h +++ b/sbin/ipf/facpri.h @@ -1,4 +1,4 @@ -/* $OpenBSD: facpri.h,v 1.3 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: facpri.h,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1999 by Darren Reed. diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c index e9ed65f5239..e34116d5feb 100644 --- a/sbin/ipf/ifaddr.c +++ b/sbin/ipf/ifaddr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ifaddr.c,v 1.3 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: ifaddr.c,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ #include #include #include diff --git a/sbin/ipf/ifaddr.h b/sbin/ipf/ifaddr.h index 054f957c934..8810aac2d78 100644 --- a/sbin/ipf/ifaddr.h +++ b/sbin/ipf/ifaddr.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ifaddr.h,v 1.3 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: ifaddr.h,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ #ifndef __IFADDR_H__ #define __IFADDR_H__ diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c index e3fe71acae6..17cf2d37345 100644 --- a/sbin/ipf/ipf.c +++ b/sbin/ipf/ipf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipf.c,v 1.22 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: ipf.c,v 1.23 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -45,7 +45,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.2.2.1 2000/02/16 14:40:39 darrenr Exp $"; #endif #if SOLARIS 
@@ -365,8 +365,8 @@ char *opt; { int flag, err; - err = get_flags(); - if (err != 0) { + flag = get_flags(); + if (flag != 0) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); } diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h index 799f5608569..f4f8c5d7d00 100644 --- a/sbin/ipf/ipf.h +++ b/sbin/ipf/ipf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipf.h,v 1.13 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: ipf.h,v 1.14 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c index 334f4596c27..99fbcda9529 100644 --- a/sbin/ipf/opt.c +++ b/sbin/ipf/opt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: opt.c,v 1.13 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: opt.c,v 1.14 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index c8e29f9523d..819618680d8 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.c,v 1.32 2000/02/16 22:34:21 kjell Exp $ */ +/* $OpenBSD: parse.c,v 1.33 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.8 2000/01/27 08:49:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.11 2000/03/04 05:19:25 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; 
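Review bot: `err` is now dead — the remaining declaration `int flag, err;` in the context line is never assigned after this change and nothing else in the hunk reads it, so it should shrink to `int flag;`. The rewrite also folds the error case into the value: if get_flags() reports failure through its return (it is not visible here, so I cannot tell whether it yields 0 or -1 on a failed ioctl), a non-zero failure indicator is printed as though it were the current log flag. If an error indicator exists, test it separately before the verbose print. packetlogon continues past the end of the hunk.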
@@ -68,10 +68,13 @@ void optprint __P((u_short *, u_long, u_long)); int countbits __P((u_32_t)); char *portname __P((int, int)); int ratoi __P((char *, int *, int, int)); +int loglevel __P((char **, u_short *, int)); +void printlog __P((frentry_t *)); #if defined(__OpenBSD__) extern int if_addr __P((char *, struct in_addr *)); #endif + char *proto = NULL; char flagset[] = "FSRPAU"; u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; @@ -188,42 +191,16 @@ int linenum; } if (!strcasecmp(*(cpp+1), "first")) { fil.fr_flags |= FR_LOGFIRST; + cpp++; + } + if (*cpp && !strcasecmp(*(cpp+1), "or-block")) { + fil.fr_flags |= FR_LOGORBLOCK; + cpp++; } if (!strcasecmp(*(cpp+1), "level")) { - int fac, pri; - char *s; - - fac = 0; - pri = 0; - if (!*++cpp) { - fprintf(stderr, "%d: %s\n", linenum, - "missing identifier after level"); + cpp++; + if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) return NULL; - } - s = index(*cpp, '.'); - if (s) { - *s++ = '\0'; - fac = fac_findname(*cpp); - if (fac == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown facility", *cpp); - return NULL; - } - pri = pri_findname(s); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", s); - return NULL; - } - } else { - pri = pri_findname(*cpp); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", *cpp); - return NULL; - } - } - fil.fr_loglevel = fac|pri; cpp++; } } else { @@ -324,6 +301,12 @@ int linenum; fil.fr_loglevel = fac|pri; cpp++; } + if (*cpp && !strcasecmp(*cpp, "level")) { + if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) + return NULL; + cpp++; + cpp++; + } } if (*cpp && !strcasecmp("quick", *cpp)) { 
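Review bot: The new or-block test guards the wrong pointer: `if (*cpp && !strcasecmp(*(cpp+1), "or-block"))` checks `*cpp`, which is the keyword just consumed and cannot be NULL here, yet hands `*(cpp+1)` to strcasecmp, which is NULL when the rule ends with `log`, `log body` or `log first`. The pre-existing `first` and `level` tests have the same unguarded `*(cpp+1)`, so the crash on a truncated rule predates this commit, but the new line is the place to start fixing it: `if (*(cpp+1) && !strcasecmp(*(cpp+1), "or-block"))`, and likewise for its two neighbours. The enclosing parse function starts and ends outside the hunk.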
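Review bot: The added `level` check in the third hunk appears to duplicate the inline parser it follows: the context line `fil.fr_loglevel = fac|pri; cpp++; }` is the tail of a block that has already consumed `level` and its argument, so the new block is reached only if the very next token is a second `level` keyword (the start of that block is outside the hunk, so please confirm). If the point of extracting loglevel() was to have one parser, the inline block should be replaced by this call rather than followed by it. Stylistically `cpp++; cpp++;` reads better as `cpp += 2; /* skip "level" and its argument; loglevel() does not advance cpp */`, since the reason two tokens are skipped is not obvious from the call.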
@@ -645,6 +628,50 @@ int linenum; } +int loglevel(cpp, facpri, linenum) +char **cpp; +u_short *facpri; +int linenum; +{ + int fac, pri; + char *s; + + fac = 0; + pri = 0; + if (!*++cpp) { + fprintf(stderr, "%d: %s\n", linenum, + "missing identifier after level"); + return -1; + } + + s = index(*cpp, '.'); + if (s) { + *s++ = '\0'; + fac = fac_findname(*cpp); + if (fac == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown facility", *cpp); + return -1; + } + pri = pri_findname(s); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", s); + return -1; + } + } else { + pri = pri_findname(*cpp); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", *cpp); + return -1; + } + } + *facpri = fac|pri; + return 0; +} + + int to_interface(fdp, to, linenum) frdest_t *fdp; char *to; @@ -1302,6 +1329,12 @@ int linenum; } (*cp)++; + if (!**cp) { + fprintf(stderr, "%d: Missing state/frag after keep\n", + linenum); + return -1; + } + if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) { fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n", linenum, **cp); @@ -1386,7 +1419,7 @@ struct frentry *fp; "<>", "><"}; struct protoent *p; int ones = 0, pr; - char *s, *u; + char *s; u_char *t; u_short sec[2]; @@ -1409,11 +1442,7 @@ struct frentry *fp; } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) printf(" return-rst"); } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { - printf("log"); - if (fp->fr_flags & FR_LOGBODY) - printf(" body"); - if (fp->fr_flags & FR_LOGFIRST) - printf(" first"); + printlog(fp); } else if (fp->fr_flags & FR_ACCOUNT) printf("count"); else if (fp->fr_flags & FR_AUTH) 
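Review bot: loglevel() has a non-obvious contract that deserves a header comment: it reads the token after `*cpp` through its own copy of the pointer (`*++cpp`), so callers must skip both `level` and its argument themselves, and it splits the argument in place (`*s++ = '\0'`), so the token in the caller's argument vector is permanently truncated at the dot. Suggested comment above the definition: `/* Parse the "<facility>.<priority>" or "<priority>" token that follows "level" at cpp[1]; stores fac|pri in *facpri, truncates the token at the '.' in place, and returns 0 or -1 after reporting on linenum. Does not advance the caller's cpp. */`. Separately, `fac` defaults to 0 and LOG_KERN is also 0 on BSD, so `level kern.notice` and `level notice` become indistinguishable once stored; presumably harmless for a kernel logger, but worth a line if that is intended.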
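Review bot: With the new NULL check in the `keep` hunk in place, the `**cp &&` in the following condition `if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags"))` is always true and should be dropped, otherwise the redundancy reads as if the pointer could still be NULL. The new message also says `state/frag` while the keyword tested just below is `frags`; make the two agree, e.g. `"%d: Missing state/frags after keep\n"`. The enclosing function starts and ends outside the hunk.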
@@ -1430,29 +1459,8 @@ struct frentry *fp; if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { - printf("log "); - if (fp->fr_flags & FR_LOGBODY) - printf("body "); - if (fp->fr_flags & FR_LOGFIRST) - printf("first "); - if (fp->fr_flags & FR_LOGORBLOCK) - printf("or-block "); - if (fp->fr_loglevel != 0xffff) { - if (fp->fr_loglevel & LOG_FACMASK) { - s = fac_toname(fp->fr_loglevel); - if (s == NULL) - s = "!!!"; - } else - s = ""; - u = pri_toname(fp->fr_loglevel); - if (u == NULL) - u = "!!!"; - if (*s) - printf("level %s.%s ", s, u); - else - printf("level %s ", u); - } - + printlog(fp); + putchar(' '); } if (fp->fr_flags & FR_QUICK) printf("quick "); @@ -1603,6 +1611,37 @@ struct frentry *fp; } +void printlog(fp) +frentry_t *fp; +{ + char *s, *u; + + printf("log"); + if (fp->fr_flags & FR_LOGBODY) + printf(" body"); + if (fp->fr_flags & FR_LOGFIRST) + printf(" first"); + if (fp->fr_flags & FR_LOGORBLOCK) + printf(" or-block"); + if (fp->fr_loglevel != 0xffff) { + printf(" level "); + if (fp->fr_loglevel & LOG_FACMASK) { + s = fac_toname(fp->fr_loglevel); + if (s == NULL) + s = "!!!"; + } else + s = ""; + u = pri_toname(fp->fr_loglevel); + if (u == NULL) + u = "!!!"; + if (*s) + printf("%s.%s", s, u); + else + printf("%s", u); + } +} + + int ratoi(ps, pi, min, max) char *ps; int *pi, min, max; diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c index 65bfc9713cb..548c021a2aa 100644 --- a/sbin/ipfstat/fils.c +++ b/sbin/ipfstat/fils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fils.c,v 1.19 2000/02/16 22:34:22 kjell Exp $ */ +/* $OpenBSD: fils.c,v 1.20 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. 
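Review bot: printlog() should carry a short contract comment now that two call sites depend on its spacing: it prints the `log` clause with no leading or trailing space, and the `0xffff` test is the only place a reader learns that value means "no level set". Suggested header: `/* Print a rule's log clause ("log [body] [first] [or-block] [level fac.pri]") with no surrounding whitespace; fr_loglevel == 0xffff means no level was given. */`, and the sentinel itself would be clearer as a named macro shared with the code that initialises fr_loglevel. Note also that the `!!!` placeholders for an unknown facility or priority produce a rule that ipf will refuse to parse back in; printing the numeric value would at least round-trip.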
@@ -53,7 +53,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.5 2000/01/27 08:49:40 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.6 2000/02/23 11:16:35 darrenr Exp $"; #endif #define F_IN 0 @@ -244,6 +244,8 @@ struct friostat *fp; fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); printf(" bad packets:\t\tin %lu\tout %lu\n", fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); + printf("copied messages:\tin %lu\tout %lu\n", + fp->f_st[0].fr_copy, fp->f_st[1].fr_copy); #endif printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[0].fr_block, fp->f_st[0].fr_pass, diff --git a/sbin/ipfstat/kmem.c b/sbin/ipfstat/kmem.c index b80807fac4a..0e04df3b9cc 100644 --- a/sbin/ipfstat/kmem.c +++ b/sbin/ipfstat/kmem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kmem.c,v 1.14 2000/02/16 22:34:22 kjell Exp $ */ +/* $OpenBSD: kmem.c,v 1.15 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipfstat/kmem.h b/sbin/ipfstat/kmem.h index f14d5ab78f8..bc01009e090 100644 --- a/sbin/ipfstat/kmem.h +++ b/sbin/ipfstat/kmem.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kmem.h,v 1.11 2000/02/16 22:34:22 kjell Exp $ */ +/* $OpenBSD: kmem.h,v 1.12 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c index 60ac2d9d7c3..491fee1448d 100644 --- a/sbin/ipnat/ipnat.c +++ b/sbin/ipnat/ipnat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipnat.c,v 1.35 2000/02/16 22:34:22 kjell Exp $ */ +/* $OpenBSD: ipnat.c,v 1.36 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c index f4aa48153ac..1f9d2bfb78d 100644 --- a/sbin/ipnat/natparse.c +++ b/sbin/ipnat/natparse.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: natparse.c,v 1.3 2000/02/16 22:34:22 kjell Exp $ */ +/* $OpenBSD: natparse.c,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index 1f47b6b0447..22d275bedf4 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fil.c,v 1.21 2000/02/16 22:34:17 kjell Exp $ */ +/* $OpenBSD: fil.c,v 1.22 2000/03/13 23:40:17 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.17 2000/03/03 14:51:16 darrenr Exp $"; #endif #include @@ -542,6 +542,8 @@ void *m; #ifdef IPFILTER_LOG if ((passt & FR_LOGMASK) == FR_LOG) { if (!IPLLOG(passt, ip, fin, m)) { + if (passt & FR_LOGORBLOCK) + passt |= FR_BLOCK|FR_QUICK; ATOMIC_INC(frstats[fin->fin_out].fr_skip); } ATOMIC_INC(frstats[fin->fin_out].fr_pkl); @@ -1189,7 +1191,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $IPFilter: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $ + * $IPFilter: fil.c,v 2.3.2.17 2000/03/03 14:51:16 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c index c67dcbfda32..6f4d88bf086 100644 --- a/sys/netinet/ip_auth.c +++ b/sys/netinet/ip_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_auth.c,v 1.11 2000/02/16 22:34:17 kjell Exp $ */ +/* $OpenBSD: ip_auth.c,v 1.12 2000/03/13 23:40:17 kjell Exp $ */ /* * Copyright (C) 1998 by Darren Reed & Guido van Rooij. diff --git a/sys/netinet/ip_auth.h b/sys/netinet/ip_auth.h index 063158f844c..3a23b0fe9c3 100644 --- a/sys/netinet/ip_auth.h +++ b/sys/netinet/ip_auth.h 
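Review bot: `passt |= FR_BLOCK|FR_QUICK` sets the block bit but leaves FR_PASS set on a `pass ... log or-block` rule, so whether the packet is actually dropped when the log buffer is full depends on which bit the dispatch later in fr_check tests first — that code is outside the hunk, so please confirm; clearing the pass bit removes the ambiguity: `passt = (passt & ~FR_PASS) | FR_BLOCK | FR_QUICK;`. The whole block is also inside `#ifdef IPFILTER_LOG`, so on a kernel built without logging an or-block rule silently degrades to its base action instead of failing closed; that limitation belongs in the rule documentation. fr_check starts and ends outside the hunk.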
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_auth.h,v 1.6 2000/02/16 22:34:18 kjell Exp $ */ +/* $OpenBSD: ip_auth.h,v 1.7 2000/03/13 23:40:17 kjell Exp $ */ /* * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij. diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index dbbf7ccfaba..42370ca6fb7 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.c,v 1.31 2000/02/18 07:47:02 kjell Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.32 2000/03/13 23:40:17 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.17 2000/02/10 01:47:28 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.18 2000/02/22 11:40:06 darrenr Exp $"; #endif #ifndef SOLARIS @@ -227,8 +227,8 @@ int iplattach() { char *defpass; int s; -# ifdef __sgi - int error; +# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)) + int error = 0; # endif SPL_NET(s); @@ -249,13 +249,27 @@ int iplattach() return -1; # ifdef NETBSD_PF +# if __NetBSD_Version__ >= 104200000 + error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); + if (error) { + appr_unload(); + ip_natunload(); + fr_stateunload(); + return error; + } +# else pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); +# endif # endif # ifdef __sgi error = ipfilter_sgi_attach(); if (error) { SPL_X(s); + appr_unload(); + ip_natunload(); + fr_stateunload(); return error; } # endif @@ -302,6 +316,9 @@ int iplattach() int ipldetach() { int s, i = FR_INQUE|FR_OUTQUE; +#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) + int error = 0; +#endif #ifdef _KERNEL # if (__FreeBSD_version >= 300000) 
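Review bot: The new NetBSD failure path in iplattach returns with the interrupt level still raised: `SPL_NET(s)` is taken near the top of the function (context in the previous hunk), and the sgi path directly below calls `SPL_X(s)` before its cleanup, but the `pfil_add_hook` error branch does not. Add `SPL_X(s);` as the first statement of that branch. The cleanup also omits `ipfr_unload()`, which ipldetach pairs with the same three calls; whether the fragment table is already initialised at this point is not visible here, so confirm before adding it.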
@@ -327,13 +344,21 @@ int ipldetach() fr_running = 0; # ifdef NETBSD_PF +# if __NetBSD_Version__ >= 104200000 + error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); + if (error) + return error; +# else pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); +# endif # endif # ifdef __sgi ipfilter_sgi_detach(); # endif + appr_unload(); ipfr_unload(); ip_natunload(); fr_stateunload(); diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 55067f8682a..0659077f953 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.h,v 1.16 2000/02/16 22:34:18 kjell Exp $ */ +/* $OpenBSD: ip_fil.h,v 1.17 2000/03/13 23:40:17 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -8,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $IPFilter: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $ + * $IPFilter: ip_fil.h,v 2.3.2.8 2000/02/23 11:16:36 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -295,6 +295,7 @@ typedef struct filterstats { u_long fr_bad; /* bad IP packets to the filter */ u_long fr_notip; /* packets passed through no on ip queue */ u_long fr_drop; /* packets dropped - no info for them! */ + u_long fr_copy; /* messages copied due to db_ref > 1 */ #endif } filterstats_t; diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h index 43532222c01..0ad32f2315f 100644 --- a/sys/netinet/ip_fil_compat.h +++ b/sys/netinet/ip_fil_compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil_compat.h,v 1.13 2000/02/16 22:34:18 kjell Exp $ */ +/* $OpenBSD: ip_fil_compat.h,v 1.14 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 7ee09e1beb7..e2780d3e256 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c 
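Review bot: `fr_running = 0` is cleared (context line above) before the new `pfil_remove_hook` call, so when that call fails ipldetach returns with the filter marked stopped while fr_check is still attached to the input/output path; if fr_check lets packets through when fr_running is zero (its behaviour is not visible here), that is a fail-open window in which traffic bypasses the rule set. Restore the flag on the error path, `if (error) { fr_running = 1; return error; }`, or move the assignment after the hook is removed. Also check that the early return does not skip an `SPL_X(s)`; `s` is declared in the previous hunk but the matching SPL calls are outside this one.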
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_frag.c,v 1.16 2000/02/16 22:34:18 kjell Exp $ */ +/* $OpenBSD: ip_frag.c,v 1.17 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h index a171169d445..a2efb5908eb 100644 --- a/sys/netinet/ip_frag.h +++ b/sys/netinet/ip_frag.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_frag.h,v 1.11 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_frag.h,v 1.12 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c index 4e2f1095f2b..8080ad9f28f 100644 --- a/sys/netinet/ip_ftp_pxy.c +++ b/sys/netinet/ip_ftp_pxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ftp_pxy.c,v 1.7 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_ftp_pxy.c,v 1.8 2000/03/13 23:40:18 kjell Exp $ */ /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c index 092e4ac71f4..554032e937d 100644 --- a/sys/netinet/ip_log.c +++ b/sys/netinet/ip_log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_log.c,v 1.7 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_log.c,v 1.8 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1997-1998 by Darren Reed. diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index db49eebd90e..49b19127dee 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_nat.c,v 1.27 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_nat.c,v 1.28 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h index 162938b9d22..09fb932be9b 100644 --- a/sys/netinet/ip_nat.h +++ b/sys/netinet/ip_nat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_nat.h,v 1.15 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_nat.h,v 1.16 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. 
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 070c223a33f..bb3f623bff5 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_proxy.c,v 1.7 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_proxy.c,v 1.8 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1997-1998 by Darren Reed. @@ -8,7 +8,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.3 2000/02/29 22:47:17 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -102,15 +102,15 @@ ap_session_t *ap_sess_tab[AP_SESS_SIZE]; ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY - { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, + { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, NULL, ippr_ftp_in, ippr_ftp_out }, #endif #ifdef IPF_RCMD_PROXY - { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new, - NULL, ippr_rcmd_out }, + { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL, + ippr_rcmd_new, NULL, ippr_rcmd_out }, #endif #ifdef IPF_RAUDIO_PROXY - { "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, + { "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL, ippr_raudio_new, ippr_raudio_in, ippr_raudio_out }, #endif { "", '\0', 0, 0, NULL, NULL } @@ -387,3 +387,13 @@ int appr_init() } return err; } + + +void appr_unload() +{ + aproxy_t *ap; + + for (ap = ap_proxies; ap->apr_p; ap++) + if (ap->apr_fini) + (*ap->apr_fini)(); +} diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h index ef5ac5a09cc..204ca733ac2 100644 --- a/sys/netinet/ip_proxy.h +++ b/sys/netinet/ip_proxy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_proxy.h,v 1.6 2000/02/16 22:34:19 kjell Exp $ */ +/* $OpenBSD: ip_proxy.h,v 1.7 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1997-1998 by Darren Reed. 
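Review bot: appr_unload() calls `apr_fini` for every proxy in the table without knowing whether that proxy's `apr_init` ever ran or succeeded; if appr_init() stops at the first failing init (its loop is outside the hunk) and iplattach then unwinds through appr_unload(), the later proxies are finalised without having been initialised. Today every table entry has a NULL `apr_fini`, so this is latent, but the first proxy that adds one will hit it; a per-proxy initialised flag, or having appr_init() roll back only what it started, would close the gap. At minimum add a comment above the function: `/* Called at detach and on attach failure; apr_fini must tolerate being called without a prior successful apr_init. */`.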
@@ -7,7 +7,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $IPFilter: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ + * $IPFilter: ip_proxy.h,v 2.1.2.2 2000/02/22 11:41:15 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -74,6 +74,7 @@ typedef struct aproxy { int apr_ref; /* +1 per rule referencing it */ int apr_flags; int (* apr_init) __P((void)); + void (* apr_fini) __P((void)); int (* apr_new) __P((fr_info_t *, ip_t *, ap_session_t *, struct nat *)); int (* apr_inpkt) __P((fr_info_t *, ip_t *, @@ -122,6 +123,7 @@ extern ap_session_t *ap_sess_list; extern aproxy_t ap_proxies[]; extern int appr_init __P((void)); +extern void appr_unload __P((void)); extern int appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *)); extern void appr_free __P((aproxy_t *)); extern void aps_free __P((ap_session_t *)); diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c index 89fe6da5cc3..f43e05b1370 100644 --- a/sys/netinet/ip_raudio_pxy.c +++ b/sys/netinet/ip_raudio_pxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_raudio_pxy.c,v 1.5 2000/02/16 22:34:20 kjell Exp $ */ +/* $OpenBSD: ip_raudio_pxy.c,v 1.6 2000/03/13 23:40:18 kjell Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; diff --git a/sys/netinet/ip_rcmd_pxy.c b/sys/netinet/ip_rcmd_pxy.c index 4213182acbd..0edfba96e3d 100644 --- a/sys/netinet/ip_rcmd_pxy.c +++ b/sys/netinet/ip_rcmd_pxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_rcmd_pxy.c,v 1.3 2000/02/16 22:34:20 kjell Exp $ */ +/* $OpenBSD: ip_rcmd_pxy.c,v 1.4 2000/03/13 23:40:18 kjell Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index bac0de93130..d9ca888d4e2 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c 
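Review bot: The new `apr_fini` member is inserted into the middle of aproxy_t without a comment, and because the proxy table in ip_proxy.c is filled positionally, an entry that omits the NULL for this slot would silently shift its `apr_new` into `apr_fini` and have it called with no arguments at detach. Suggested comment: `void (* apr_fini) __P((void)); /* called once by appr_unload(); NULL if none; keep ip_proxy.c table entries positionally aligned */`. The struct definition starts and ends outside the hunk.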
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.c,v 1.19 2000/02/16 22:34:20 kjell Exp $ */ +/* $OpenBSD: ip_state.c,v 1.20 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.21 2000/02/15 08:04:01 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.22 2000/02/23 15:23:24 darrenr Exp $"; #endif #include @@ -380,7 +380,6 @@ u_int flags; pass = fr_flags; WRITE_ENTER(&ipf_state); - is->is_rout = pass & FR_OUTQUE ? 1 : 0; is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; @@ -565,7 +564,7 @@ tcphdr_t *tcp; if (rev == 0) { if (!out) { - if (is->is_ifpin == ifp) + if (is->is_ifpin == NULL || is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) @@ -573,7 +572,7 @@ tcphdr_t *tcp; } } else { if (out) { - if (is->is_ifpin == ifp) + if (is->is_ifpin == NULL || is->is_ifpin == ifp) ret = 1; } else { if (is->is_ifpout == NULL || is->is_ifpout == ifp) @@ -639,7 +638,7 @@ tcphdr_t *tcp; } if (!rev) { - if (out && (out == is->is_rout)) { + if (out) { if (!is->is_ifpout) is->is_ifpout = ifp; } else { @@ -647,7 +646,7 @@ tcphdr_t *tcp; is->is_ifpin = ifp; } } else { - if (!out && (out != is->is_rout)) { + if (out) { if (!is->is_ifpin) is->is_ifpin = ifp; } else { diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index bc7a7b3a309..5cc276d4d41 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.h,v 1.12 2000/02/16 22:34:20 kjell Exp $ */ +/* $OpenBSD: ip_state.h,v 1.13 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. 
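Review bot: The relaxed tests now let a state entry whose inbound interface is still NULL match a reverse-direction packet from any interface, and the later hunks in this line pin `is_ifpin` to whichever interface that first packet arrives on. That wildcard-then-pin behaviour is the intended fix per HISTORY, but nothing in the code says so, and a reader may take the NULL test for a missing check; add `/* NULL: interface not yet learned; accept any and let fr_tcpstate pin it */` at the first `is_ifpin == NULL` test. Whether a packet arriving on the wrong interface can claim the binding before the genuine reply does depends on the sequence and window checks that follow, which are outside the hunk.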
@@ -8,7 +8,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $IPFilter: ip_state.h,v 2.1.2.3 2000/02/15 08:04:03 darrenr Exp $ + * $IPFilter: ip_state.h,v 2.1.2.4 2000/02/23 15:23:27 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -58,7 +58,6 @@ typedef struct ipstate { struct in_addr is_src; struct in_addr is_dst; u_char is_p; /* Protocol */ - u_char is_rout; /* Is rule in/out ? */ u_32_t is_flags; u_32_t is_opt; /* packet options set */ u_32_t is_optmsk; /* " " mask */ diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h index 275cd924977..dbde9998e62 100644 --- a/sys/netinet/ipl.h +++ b/sys/netinet/ipl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipl.h,v 1.5 2000/02/16 22:34:20 kjell Exp $ */ +/* $OpenBSD: ipl.h,v 1.6 2000/03/13 23:40:18 kjell Exp $ */ /* * Copyright (C) 1993-1999 by Darren Reed. @@ -13,6 +13,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.3.9" +#define IPL_VERSION "IP Filter: v3.3.11" #endif diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c index e7f69603606..15f6ae1c44c 100644 --- a/usr.sbin/ipftest/ipft_ef.c +++ b/usr.sbin/ipftest/ipft_ef.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_ef.c,v 1.13 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipft_ef.c,v 1.14 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipft_hx.c b/usr.sbin/ipftest/ipft_hx.c index b26d5593e68..46d00dafd3d 100644 --- a/usr.sbin/ipftest/ipft_hx.c +++ b/usr.sbin/ipftest/ipft_hx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_hx.c,v 1.11 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipft_hx.c,v 1.12 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c index 124b3bc949c..425a89efaa7 100644 --- a/usr.sbin/ipftest/ipft_pc.c +++ b/usr.sbin/ipftest/ipft_pc.c 
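Review bot: Removing `is_rout` shifts every field after it in ipstate_t, and ipfstat reads this structure straight out of kernel memory (sbin/ipfstat/kmem.c is part of this import but only gets a version bump), so a userland ipfstat built against the old header will misinterpret state entries from a kernel built with this one. The commit message should state that the tools must be rebuilt together with the kernel, and a comment at the struct, `/* layout is read by ipfstat via kmem; rebuild userland when changing it */`, would keep the next editor honest. The struct definition starts and ends outside the hunk.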
@@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_pc.c,v 1.15 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipft_pc.c,v 1.16 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c index c497da18df1..f9dd995ec09 100644 --- a/usr.sbin/ipftest/ipft_sn.c +++ b/usr.sbin/ipftest/ipft_sn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_sn.c,v 1.12 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipft_sn.c,v 1.13 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c index 5a9e8ee0e11..1129f836f47 100644 --- a/usr.sbin/ipftest/ipft_td.c +++ b/usr.sbin/ipftest/ipft_td.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_td.c,v 1.13 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipft_td.c,v 1.14 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c index 928c3e75028..23397c5319a 100644 --- a/usr.sbin/ipftest/ipft_tx.c +++ b/usr.sbin/ipftest/ipft_tx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_tx.c,v 1.15 2000/02/16 22:34:24 kjell Exp $ */ +/* $OpenBSD: ipft_tx.c,v 1.16 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c index f901dc3e7b3..4e6f6aa60f6 100644 --- a/usr.sbin/ipftest/ipt.c +++ b/usr.sbin/ipftest/ipt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipt.c,v 1.16 2000/02/16 22:34:24 kjell Exp $ */ +/* $OpenBSD: ipt.c,v 1.17 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/ipt.h b/usr.sbin/ipftest/ipt.h index a78bebaaccc..8b1fc4297f3 100644 --- a/usr.sbin/ipftest/ipt.h +++ b/usr.sbin/ipftest/ipt.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipt.h,v 1.9 2000/02/16 22:34:24 kjell Exp $ */ +/* $OpenBSD: ipt.h,v 1.10 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. 
diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c index ea79b1fc80b..cc2aa4ce5c5 100644 --- a/usr.sbin/ipftest/misc.c +++ b/usr.sbin/ipftest/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.11 2000/02/16 22:34:24 kjell Exp $ */ +/* $OpenBSD: misc.c,v 1.12 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/pcap.h b/usr.sbin/ipftest/pcap.h index 876602392a5..cd30a4f85f8 100644 --- a/usr.sbin/ipftest/pcap.h +++ b/usr.sbin/ipftest/pcap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pcap.h,v 1.9 2000/02/16 22:34:25 kjell Exp $ */ +/* $OpenBSD: pcap.h,v 1.10 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipftest/snoop.h b/usr.sbin/ipftest/snoop.h index b52d117863d..a7847ca8ff6 100644 --- a/usr.sbin/ipftest/snoop.h +++ b/usr.sbin/ipftest/snoop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: snoop.h,v 1.8 2000/02/16 22:34:25 kjell Exp $ */ +/* $OpenBSD: snoop.h,v 1.9 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c index ac367ae78e7..31b42559040 100644 --- a/usr.sbin/ipmon/ipmon.c +++ b/usr.sbin/ipmon/ipmon.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipmon.c,v 1.22 2000/02/16 22:34:23 kjell Exp $ */ +/* $OpenBSD: ipmon.c,v 1.23 2000/03/13 23:40:20 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.5 2000/02/16 14:40:39 darrenr Exp $"; #endif #ifndef SOLARIS @@ -178,7 +178,7 @@ static void init_tabs() struct protoent *p; struct servent *s; char *name, **tab; - u_int port; + int port; if (protocols != NULL) { free(protocols); 
@@ -217,11 +217,11 @@ static void init_tabs() if (s->s_proto == NULL) continue; else if (!strcmp(s->s_proto, "tcp")) { - port = (u_int)s->s_port; + port = s->s_port; name = s->s_name; tab = tcp_ports; } else if (!strcmp(s->s_proto, "udp")) { - port = (u_int)s->s_port; + port = s->s_port; name = s->s_name; tab = udp_ports; } else
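Review bot: `port = s->s_port` stores the value getservent(3) returns in network byte order, and the code after this hunk (not visible here) presumably range-checks it and then indexes `tab[port]`; if it does not convert with `ntohs()` first, the table is filled at byte-swapped positions and later name lookups miss, and without a range check the store is out of bounds. Confirm the following lines, and if the conversion is missing use `port = ntohs(s->s_port);` in both branches. init_tabs starts before the hunk and continues after it.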