ipfilter-cvs Mailing List for ipfilter (Page 6)
From: Darren <dar...@us...> - 2012-07-13 12:25:40
|
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv26277 Modified Files: Tag: v5-1-RELEASE fil.c ip_dstlist.c ip_ipsec_pxy.c ip_lookup.c ip_nat.c ip_nat.h ip_pptp_pxy.c ip_rcmd_pxy.c ip_tftp_pxy.c Log Message: 3543493 tokens are not flushed when disabled 3543487 NAT rules do not always release lookup objects Index: ip_ipsec_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_ipsec_pxy.c,v retrieving revision 1.14.2.5 retrieving revision 1.14.2.6 diff -C2 -d -r1.14.2.5 -r1.14.2.6 *** ip_ipsec_pxy.c 13 Jul 2012 06:39:03 -0000 1.14.2.5 --- ip_ipsec_pxy.c 13 Jul 2012 12:25:34 -0000 1.14.2.6 *************** *** 424,428 **** ipsec->ipsc_nat = NULL; ipsec->ipsc_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &ipsec->ipsc_rule); } } --- 424,428 ---- ipsec->ipsc_nat = NULL; ipsec->ipsc_rule->in_flags |= IPN_DELETE; ! ipf_nat_rule_deref(softc, &ipsec->ipsc_rule); } } Index: ip_tftp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_tftp_pxy.c,v retrieving revision 1.1.2.6 retrieving revision 1.1.2.7 diff -C2 -d -r1.1.2.6 -r1.1.2.7 *** ip_tftp_pxy.c 13 Jul 2012 06:39:03 -0000 1.1.2.6 --- ip_tftp_pxy.c 13 Jul 2012 12:25:35 -0000 1.1.2.7 *************** *** 257,261 **** if (tftp != NULL) { tftp->ti_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &tftp->ti_rule); } } --- 257,261 ---- if (tftp != NULL) { tftp->ti_rule->in_flags |= IPN_DELETE; ! ipf_nat_rule_deref(softc, &tftp->ti_rule); } } Index: ip_dstlist.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_dstlist.c,v retrieving revision 1.13.2.10 retrieving revision 1.13.2.11 diff -C2 -d -r1.13.2.10 -r1.13.2.11 *** ip_dstlist.c 6 Jul 2012 14:35:36 -0000 1.13.2.10 --- ip_dstlist.c 13 Jul 2012 12:25:34 -0000 1.13.2.11 *************** *** 224,232 **** int i; ! for (i = -1; i <= IPL_LOGMAX; i++) ! 
while (softd->dstlist[i + 1] != NULL) ipf_dstlist_table_remove(softc, softd, softd->dstlist[i + 1]); ASSERT(softd->stats.ipls_numderefnodes == 0); } --- 224,235 ---- int i; ! for (i = -1; i <= IPL_LOGMAX; i++) { ! while (softd->dstlist[i + 1] != NULL) { ipf_dstlist_table_remove(softc, softd, softd->dstlist[i + 1]); + } + } + ASSERT(softd->stats.ipls_numdereflists == 0); ASSERT(softd->stats.ipls_numderefnodes == 0); } *************** *** 922,927 **** /* Remove a given destination list from existance. While the IPDST_DELETE */ /* flag is set every time we call this function and the reference count is */ ! /* non-zero, the "numdereflists" counter is only incremented when the entry */ ! /* is removed from the list as it only becomes dereferenced once. */ /* ------------------------------------------------------------------------ */ static void --- 925,932 ---- /* Remove a given destination list from existance. While the IPDST_DELETE */ /* flag is set every time we call this function and the reference count is */ ! /* non-zero, the "numdereflists" counter is always incremented because the */ ! /* decision about whether it will be freed or not is not made here. This */ ! /* means that the only action the code can take here is to treat it as if */ ! /* it will become a detached. */ /* ------------------------------------------------------------------------ */ static void *************** *** 935,943 **** softd->tails[d->ipld_unit + 1] = d->ipld_pnext; ! if (d->ipld_pnext != NULL) { *d->ipld_pnext = d->ipld_next; - if (d->ipld_ref > 1) - softd->stats.ipls_numdereflists++; - } if (d->ipld_next != NULL) d->ipld_next->ipld_pnext = d->ipld_pnext; --- 940,945 ---- softd->tails[d->ipld_unit + 1] = d->ipld_pnext; ! if (d->ipld_pnext != NULL) *d->ipld_pnext = d->ipld_next; if (d->ipld_next != NULL) d->ipld_next->ipld_pnext = d->ipld_pnext; *************** *** 947,957 **** ipf_dstlist_table_clearnodes(softd, d); ! d->ipld_ref--; ! if (d->ipld_ref > 0) { ! 
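Review bot: The new `ASSERT(softd->stats.ipls_numdereflists == 0)` in the teardown loop (new lines 224-235) only holds if something decrements that counter, and the removal function later in this file (new lines 949-956) now increments it for every list it removes, including lists that are freed straight away. The matching decrement is presumably in `ipf_dstlist_table_deref()` or the free routine, neither of which appears in this diff, so the pairing should be stated in the function header, for example `/* ipls_numdereflists is decremented again when the last reference is dropped */` if that is what the code does. The rewritten header comment at new lines 925-932 also ends with "treat it as if it will become a detached", which is missing its noun.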
d->ipld_flags |= IPDST_DELETE; ! return; ! } ! ipf_dstlist_table_free(softd, d); } --- 949,956 ---- ipf_dstlist_table_clearnodes(softd, d); ! softd->stats.ipls_numdereflists++; ! d->ipld_flags |= IPDST_DELETE; ! ipf_dstlist_table_deref(softc, softd, d); } Index: fil.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/fil.c,v retrieving revision 1.68.2.55 retrieving revision 1.68.2.56 diff -C2 -d -r1.68.2.55 -r1.68.2.56 *** fil.c 13 Jul 2012 06:39:03 -0000 1.68.2.55 --- fil.c 13 Jul 2012 12:25:34 -0000 1.68.2.56 *************** *** 201,210 **** static int ipf_synclist __P((ipf_main_softc_t *, frentry_t *, void *)); static ipftuneable_t *ipf_tune_findbyname __P((ipftuneable_t *, const char *)); static ipftuneable_t *ipf_tune_findbycookie __P((ipftuneable_t **, void *, void **)); - static void ipf_token_unlink __P((ipf_main_softc_t *, - ipftoken_t *)); static int ipf_updateipid __P((fr_info_t *)); static int ipf_settimeout __P((struct ipf_main_softc_s *, --- 201,211 ---- static int ipf_synclist __P((ipf_main_softc_t *, frentry_t *, void *)); + static void ipf_token_flush __P((ipf_main_softc_t *)); + static void ipf_token_unlink __P((ipf_main_softc_t *, + ipftoken_t *)); static ipftuneable_t *ipf_tune_findbyname __P((ipftuneable_t *, const char *)); static ipftuneable_t *ipf_tune_findbycookie __P((ipftuneable_t **, void *, void **)); static int ipf_updateipid __P((fr_info_t *)); static int ipf_settimeout __P((struct ipf_main_softc_s *, *************** *** 7525,7528 **** --- 7526,7555 ---- /* ------------------------------------------------------------------------ */ + /* Function: ipf_token_flush */ + /* Returns: None. */ + /* Parameters: softc(I) - pointer to soft context main structure */ + /* */ + /* Loop through all of the existing tokens and call deref to see if they */ + /* can be freed. 
Normally a function like this might just loop on */ + /* ipf_token_head but there is a chance that a token might have a ref count */ + /* of greater than one and in that case the the reference would drop twice */ + /* by code that is only entitled to drop it once. */ + /* ------------------------------------------------------------------------ */ + static void + ipf_token_flush(softc) + ipf_main_softc_t *softc; + { + ipftoken_t *it, *next; + + WRITE_ENTER(&softc->ipf_tokens); + for (it = softc->ipf_token_head; it != NULL; it = next) { + next = it->ipt_next; + (void) ipf_token_deref(softc, it); + } + RWLOCK_EXIT(&softc->ipf_tokens); + } + + + /* ------------------------------------------------------------------------ */ /* Function: ipf_token_del */ /* Returns: int - 0 = success, else error */ *************** *** 7716,7720 **** case IPFGENITER_IPNAT : WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_rulederef(softc, (ipnat_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; --- 7743,7747 ---- case IPFGENITER_IPNAT : WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_rule_deref(softc, (ipnat_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; *************** *** 9630,9633 **** --- 9657,9662 ---- { + ipf_token_flush(softc); + if (ipf_proxy_soft_fini(softc, softc->ipf_proxy_soft) == -1) return -1; Index: ip_pptp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_pptp_pxy.c,v retrieving revision 1.13.2.5 retrieving revision 1.13.2.6 diff -C2 -d -r1.13.2.5 -r1.13.2.6 *** ip_pptp_pxy.c 13 Jul 2012 06:39:03 -0000 1.13.2.5 --- ip_pptp_pxy.c 13 Jul 2012 12:25:35 -0000 1.13.2.6 *************** *** 573,577 **** ipf_nat_setpending(softc, pptp->pptp_nat); pptp->pptp_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &pptp->pptp_rule); } } --- 573,577 ---- ipf_nat_setpending(softc, pptp->pptp_nat); pptp->pptp_rule->in_flags |= IPN_DELETE; ! 
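Review bot: `ipf_token_flush()` drops exactly one reference per token and discards the result, so a token whose count was above one is still linked on `softc->ipf_token_head` when the loop ends, and the caller added at new line 9657 then continues tearing down the soft context. Whether another path is guaranteed to drop the remaining reference before that context is released cannot be seen from this diff; if none is, the surviving token outlives the state it refers to. The header comment should say who owns the last reference, e.g. `/* Tokens still held by an active iterator stay linked; the iterator's own deref frees them. */` if that is the intent, or the loop should be followed by a check that the list is empty. The comment also contains a doubled "the the".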
ipf_nat_rule_deref(softc, &pptp->pptp_rule); } } Index: ip_lookup.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_lookup.c,v retrieving revision 1.18.2.9 retrieving revision 1.18.2.10 diff -C2 -d -r1.18.2.9 -r1.18.2.10 *** ip_lookup.c 15 Jun 2012 08:33:37 -0000 1.18.2.9 --- ip_lookup.c 13 Jul 2012 12:25:34 -0000 1.18.2.10 *************** *** 742,747 **** WRITE_ENTER(&softc->ipf_tokens); ! if (i == MAX_BACKENDS) ! ipf_token_deref(softc, token); RWLOCK_EXIT(&softc->ipf_tokens); --- 742,746 ---- WRITE_ENTER(&softc->ipf_tokens); ! ipf_token_deref(softc, token); RWLOCK_EXIT(&softc->ipf_tokens); Index: ip_rcmd_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_rcmd_pxy.c,v retrieving revision 1.17.2.5 retrieving revision 1.17.2.6 diff -C2 -d -r1.17.2.5 -r1.17.2.6 *** ip_rcmd_pxy.c 13 Jul 2012 06:39:03 -0000 1.17.2.5 --- ip_rcmd_pxy.c 13 Jul 2012 12:25:35 -0000 1.17.2.6 *************** *** 156,160 **** if (rci != NULL) { rci->rcmd_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &rci->rcmd_rule); } } --- 156,160 ---- if (rci != NULL) { rci->rcmd_rule->in_flags |= IPN_DELETE; ! 
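Review bot: In the ip_lookup.c hunk the `ipf_token_deref(softc, token)` call now runs on every path, where the old code only ran it when `i == MAX_BACKENDS`. The loop that sets `i` is outside the hunk, so it is not visible whether a matching backend's own completion path also releases the token; if it does, the count is dropped twice in that case. A one-line comment naming the reference this call releases would settle it, and the return value could be discarded explicitly with `(void) ipf_token_deref(softc, token);` as the new `ipf_token_flush()` in fil.c does.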
ipf_nat_rule_deref(softc, &rci->rcmd_rule); } } Index: ip_nat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.c,v retrieving revision 1.60.2.38 retrieving revision 1.60.2.39 diff -C2 -d -r1.60.2.38 -r1.60.2.39 *** ip_nat.c 13 Jul 2012 06:39:03 -0000 1.60.2.38 --- ip_nat.c 13 Jul 2012 12:25:35 -0000 1.60.2.39 *************** *** 228,232 **** static int ipf_nat_finalise __P((fr_info_t *, nat_t *)); static int ipf_nat_flushtable __P((ipf_main_softc_t *, ipf_nat_softc_t *)); - static void ipf_nat_free_rule __P((ipf_main_softc_t *, ipf_nat_softc_t *, ipnat_t *)); static int ipf_nat_getnext __P((ipf_main_softc_t *, ipftoken_t *, ipfgeniter_t *, ipfobj_t *)); --- 228,231 ---- *************** *** 259,262 **** --- 258,262 ---- static int ipf_nat_ruleaddrinit __P((ipf_main_softc_t *, ipf_nat_softc_t *, ipnat_t *)); + static void ipf_nat_rule_fini __P((ipf_main_softc_t *, ipnat_t *)); static int ipf_nat_rule_init __P((ipf_main_softc_t *, ipf_nat_softc_t *, ipnat_t *)); *************** *** 935,939 **** hm->hm_ref--; if (hm->hm_ref == 0) { ! ipf_nat_rulederef(softc, &hm->hm_ipnat); if (hm->hm_hnext) hm->hm_hnext->hm_phnext = hm->hm_phnext; --- 935,939 ---- hm->hm_ref--; if (hm->hm_ref == 0) { ! ipf_nat_rule_deref(softc, &hm->hm_ipnat); if (hm->hm_hnext) hm->hm_hnext->hm_phnext = hm->hm_phnext; *************** *** 1091,1095 **** ipf_nat_softc_t *softn = softc->ipf_nat_soft; int error = 0, ret, arg, getlock; ! ipnat_t *nat, *nt, *n = NULL; ipnat_t natd; SPL_INT(s); --- 1091,1095 ---- ipf_nat_softc_t *softn = softc->ipf_nat_soft; int error = 0, ret, arg, getlock; ! ipnat_t *nat, *nt, *n; ipnat_t natd; SPL_INT(s); *************** *** 1120,1125 **** #endif ! nat = NULL; /* XXX gcc -Wuninitialized */ nt = NULL; if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT) || --- 1120,1126 ---- #endif ! 
n = NULL; nt = NULL; + nat = NULL; if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT) || *************** *** 1256,1261 **** error = ipf_nat_siocaddnat(softc, softn, nt, getlock); MUTEX_EXIT(&softn->ipf_nat_io); ! if (error == 0) nt = NULL; break; --- 1257,1264 ---- error = ipf_nat_siocaddnat(softc, softn, nt, getlock); MUTEX_EXIT(&softn->ipf_nat_io); ! if (error == 0) { ! nat = NULL; nt = NULL; + } break; *************** *** 1496,1499 **** --- 1499,1504 ---- } done: + if (nat != NULL) + ipf_nat_rule_fini(softc, nat); if (nt != NULL) KFREES(nt, nt->in_size); *************** *** 1648,1651 **** --- 1653,1667 ---- int idx, error; + if ((n->in_ndst.na_atype == FRI_LOOKUP) && + (n->in_ndst.na_type != IPLT_DSTLIST)) { + IPFERROR(60071); + return EINVAL; + } + if ((n->in_nsrc.na_atype == FRI_LOOKUP) && + (n->in_nsrc.na_type != IPLT_DSTLIST)) { + IPFERROR(60069); + return EINVAL; + } + if (n->in_redir == NAT_BIMAP) { n->in_ndstaddr = n->in_osrcaddr; *************** *** 1673,1681 **** return error; - if ((n->in_nsrc.na_atype == FRI_LOOKUP) && - (n->in_nsrc.na_type != IPLT_DSTLIST)) { - IPFERROR(60069); - return EINVAL; - } error = ipf_nat_nextaddrinit(softc, n->in_names, &n->in_nsrc, 1, n->in_ifps[idx]); --- 1689,1692 ---- *************** *** 1683,1691 **** return error; - if ((n->in_ndst.na_atype == FRI_LOOKUP) && - (n->in_ndst.na_type != IPLT_DSTLIST)) { - IPFERROR(60071); - return EINVAL; - } error = ipf_nat_nextaddrinit(softc, n->in_names, &n->in_ndst, 1, n->in_ifps[idx]); --- 1694,1697 ---- *************** *** 1783,1859 **** /* ------------------------------------------------------------------------ */ - /* Function: ipf_nat_free_rule */ - /* Returns: Nil */ - /* Parameters: softc(I) - pointer to soft context main structure */ - /* softn(I) - pointer to NAT context structure */ - /* n(I) - pointer to NAT rule */ - /* */ - /* This function is concerned with releasing all of the resources that were */ - /* allocated when the NAT rule structure was 
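Review bot: At `done:` (new lines 1499-1504) `ipf_nat_rule_fini(softc, nat)` runs whenever `nat` is non-NULL, and `ipf_nat_rule_fini()` releases every `na_ptr` whose `na_atype` is `FRI_LOOKUP` and frees `in_divmp` when it is set. Where `nat` is assigned, and whether `ipf_nat_rule_init()` has succeeded by the time an error path jumps to `done:`, are outside these hunks. If `nat` can arrive there still holding the structure as copied in from the ioctl caller, those pointer fields are caller-supplied values rather than references the kernel took. The safer form is to clear them right after the copy-in, e.g. `nat->in_divmp = NULL;` and the four `na_ptr` fields, or to leave `nat` NULL until initialisation has succeeded.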
constructed. */ - /* ------------------------------------------------------------------------ */ - static void - ipf_nat_free_rule(softc, softn, n) - ipf_main_softc_t *softc; - ipf_nat_softc_t *softn; - ipnat_t *n; - { - if (n->in_apr != NULL) - ipf_proxy_deref(n->in_apr); - - if (n->in_odst.na_atype == FRI_LOOKUP) - ipf_lookup_deref(softc, n->in_odst.na_type, n->in_odst.na_ptr); - - if (n->in_osrc.na_atype == FRI_LOOKUP) - ipf_lookup_deref(softc, n->in_osrc.na_type, n->in_osrc.na_ptr); - - if (n->in_ndst.na_atype == FRI_LOOKUP) - ipf_lookup_deref(softc, n->in_ndst.na_type, n->in_ndst.na_ptr); - - if (n->in_nsrc.na_atype == FRI_LOOKUP) - ipf_lookup_deref(softc, n->in_nsrc.na_type, n->in_nsrc.na_ptr); - - if (n->in_redir & NAT_REDIRECT) { - if ((n->in_flags & IPN_PROXYRULE) == 0) { - ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); - } - } - if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { - if ((n->in_flags & IPN_PROXYRULE) == 0) { - ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); - } - } - - if (n->in_divmp != NULL) { - FREE_MB_T(n->in_divmp); - } - - if (n->in_tqehead[0] != NULL) { - if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) { - ipf_freetimeoutqueue(softc, n->in_tqehead[1]); - } - } - - if (n->in_tqehead[1] != NULL) { - if (ipf_deletetimeoutqueue(n->in_tqehead[1]) == 0) { - ipf_freetimeoutqueue(softc, n->in_tqehead[1]); - } - } - - if ((n->in_flags & IPN_PROXYRULE) == 0) { - ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); - } - - MUTEX_DESTROY(&n->in_lock); - - KFREES(n, n->in_size); - - #if SOLARIS && !defined(INSTANCES) - if (softn->ipf_nat_stats.ns_rules == 0) - pfil_delayed_copy = 1; - #endif - } - - - /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ --- 1789,1792 ---- *************** *** 2585,2589 **** if (ipn != NULL) { ! ipf_nat_rulederef(softc, &ipn); } --- 2518,2523 ---- if (ipn != NULL) { ! ipn->in_space++; ! 
ipf_nat_rule_deref(softc, &ipn); } *************** *** 2759,2763 **** np->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &np); } --- 2693,2697 ---- np->in_flags |= IPN_DELETE; ! ipf_nat_rule_deref(softc, &np); } *************** *** 4482,4486 **** /* Function: ipf_nat_tabmove */ /* Returns: Nil */ ! /* Parameters: nat(I) - pointer to NAT structure */ /* Write Lock: ipf_nat */ /* */ --- 4416,4421 ---- /* Function: ipf_nat_tabmove */ /* Returns: Nil */ ! /* Parameters: softn(I) - pointer to NAT context structure */ ! /* nat(I) - pointer to NAT structure */ /* Write Lock: ipf_nat */ /* */ *************** *** 6142,6146 **** /* Function: ipf_nat_expire */ /* Returns: Nil */ ! /* Parameters: Nil */ /* */ /* Check all of the timeout queues for entries at the top which need to be */ --- 6077,6081 ---- /* Function: ipf_nat_expire */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Check all of the timeout queues for entries at the top which need to be */ *************** *** 6200,6204 **** /* Function: ipf_nat_sync */ /* Returns: Nil */ ! /* Parameters: ifp(I) - pointer to network interface */ /* */ /* Walk through all of the currently active NAT sessions, looking for those */ --- 6135,6140 ---- /* Function: ipf_nat_sync */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* ifp(I) - pointer to network interface */ /* */ /* Walk through all of the currently active NAT sessions, looking for those */ *************** *** 6398,6402 **** /* Function: nat_log */ /* Returns: Nil */ ! /* Parameters: nat(I) - pointer to NAT structure */ /* action(I) - action related to NAT structure being performed */ /* */ --- 6334,6340 ---- /* Function: nat_log */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! 
/* nat(I) - pointer to NAT structure */ /* action(I) - action related to NAT structure being performed */ /* */ *************** *** 6493,6516 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_rulederef */ /* Returns: Nil */ ! /* Parameters: isp(I) - pointer to pointer to NAT rule */ /* Write Locks: ipf_nat */ /* */ /* ------------------------------------------------------------------------ */ void ! ipf_nat_rulederef(softc, inp) ipf_main_softc_t *softc; ipnat_t **inp; { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *np; ! np = *inp; *inp = NULL; ! np->in_space++; ! np->in_use--; ! if (np->in_use == 0) ! ipf_nat_free_rule(softc, softn, np); } --- 6431,6499 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_rule_deref */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* inp(I) - pointer to pointer to NAT rule */ /* Write Locks: ipf_nat */ /* */ + /* Dropping the refernce count for a rule means that whatever held the */ + /* pointer to this rule (*inp) is no longer interested in it and when the */ + /* reference count drops to zero, any resources allocated for the rule can */ + /* be released and the rule itself free'd. */ /* ------------------------------------------------------------------------ */ void ! ipf_nat_rule_deref(softc, inp) ipf_main_softc_t *softc; ipnat_t **inp; { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *n; ! n = *inp; *inp = NULL; ! n->in_use--; ! if (n->in_use > 0) ! return; ! ! if (n->in_apr != NULL) ! ipf_proxy_deref(n->in_apr); ! ! ipf_nat_rule_fini(softc, n); ! ! if (n->in_redir & NAT_REDIRECT) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); ! } ! } ! if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); ! } ! } ! ! 
if (n->in_tqehead[0] != NULL) { ! if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) { ! ipf_freetimeoutqueue(softc, n->in_tqehead[1]); ! } ! } ! ! if (n->in_tqehead[1] != NULL) { ! if (ipf_deletetimeoutqueue(n->in_tqehead[1]) == 0) { ! ipf_freetimeoutqueue(softc, n->in_tqehead[1]); ! } ! } ! ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); ! } ! ! MUTEX_DESTROY(&n->in_lock); ! ! KFREES(n, n->in_size); ! ! #if SOLARIS && !defined(INSTANCES) ! if (softn->ipf_nat_stats.ns_rules == 0) ! pfil_delayed_copy = 1; ! #endif } *************** *** 6519,6523 **** /* Function: ipf_nat_deref */ /* Returns: Nil */ ! /* Parameters: isp(I) - pointer to pointer to NAT table entry */ /* */ /* Decrement the reference counter for this NAT table entry and free it if */ --- 6502,6507 ---- /* Function: ipf_nat_deref */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* natp(I) - pointer to pointer to NAT table entry */ /* */ /* Decrement the reference counter for this NAT table entry and free it if */ *************** *** 6771,6778 **** /* ------------------------------------------------------------------------ */ ! /* Function: softn->ipf_nat_setqueue */ /* Returns: Nil */ ! /* Parameters: nat(I)- pointer to NAT structure */ ! /* rev(I) - forward(0) or reverse(1) direction */ /* Locks: ipf_nat (read or write) */ /* */ --- 6755,6763 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_setqueue */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* nat(I)- pointer to NAT structure */ /* Locks: ipf_nat (read or write) */ /* */ *************** *** 6829,6833 **** /* Function: nat_getnext */ /* Returns: int - 0 == ok, else error */ ! 
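Review bot: In the new `ipf_nat_rule_deref()` the first timeout-queue block tests and deletes `n->in_tqehead[0]` but then passes `n->in_tqehead[1]` to `ipf_freetimeoutqueue()`; the mismatch was carried over unchanged from the removed `ipf_nat_free_rule()`. When queue 0 reaches zero references it is never freed, while queue 1 is handed to the free routine without its own count being checked, and the second block then calls `ipf_deletetimeoutqueue(n->in_tqehead[1])` on the same pointer if it is non-NULL. The call inside the first block should read `ipf_freetimeoutqueue(softc, n->in_tqehead[0]);`.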
/* Parameters: t(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter_t structure */ /* */ --- 6814,6819 ---- /* Function: nat_getnext */ /* Returns: int - 0 == ok, else error */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* t(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter_t structure */ /* */ *************** *** 6946,6950 **** if (ipn != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_rulederef(softc, &ipn); RWLOCK_EXIT(&softc->ipf_nat); } --- 6932,6936 ---- if (ipn != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_rule_deref(softc, &ipn); RWLOCK_EXIT(&softc->ipf_nat); } *************** *** 6971,6975 **** /* Function: nat_extraflush */ /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: which(I) - how to flush the active NAT table */ /* Write Locks: ipf_nat */ /* */ --- 6957,6963 ---- /* Function: nat_extraflush */ /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* which(I) - how to flush the active NAT table */ /* Write Locks: ipf_nat */ /* */ *************** *** 7134,7138 **** /* Function: ipf_nat_flush_entry */ /* Returns: 0 - always succeeds */ ! /* Parameters: entry(I) - pointer to NAT entry */ /* Write Locks: ipf_nat */ /* */ --- 7122,7127 ---- /* Function: ipf_nat_flush_entry */ /* Returns: 0 - always succeeds */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* entry(I) - pointer to NAT entry */ /* Write Locks: ipf_nat */ /* */ *************** *** 7155,7160 **** /* Function: ipf_nat_iterator */ /* Returns: int - 0 == ok, else error */ ! /* Parameters: token(I) - pointer to ipftoken structure */ ! /* itp(I) - pointer to ipfgeniter_t structure */ /* */ /* This function acts as a handler for the SIOCGENITER ioctls that use a */ --- 7144,7151 ---- /* Function: ipf_nat_iterator */ /* Returns: int - 0 == ok, else error */ ! 
/* Parameters: softc(I) - pointer to soft context main structure */ ! /* token(I) - pointer to ipftoken structure */ ! /* itp(I) - pointer to ipfgeniter_t structure */ ! /* obj(I) - pointer to data description structure */ /* */ /* This function acts as a handler for the SIOCGENITER ioctls that use a */ *************** *** 7201,7205 **** /* Function: ipf_nat_setpending */ /* Returns: Nil */ ! /* Parameters: nat(I) - pointer to NAT structure */ /* Locks: ipf_nat (read or write) */ /* */ --- 7192,7197 ---- /* Function: ipf_nat_setpending */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* nat(I) - pointer to NAT structure */ /* Locks: ipf_nat (read or write) */ /* */ *************** *** 7559,7563 **** /* Function: nat_builddivertmp */ /* Returns: int - -1 == error, 0 == success */ ! /* Parameters: np(I) - pointer to a NAT rule */ /* */ /* For encap/divert rules, a skeleton packet representing what will be */ --- 7551,7556 ---- /* Function: nat_builddivertmp */ /* Returns: int - -1 == error, 0 == success */ ! /* Parameters: softn(I) - pointer to NAT context structure */ ! /* np(I) - pointer to a NAT rule */ /* */ /* For encap/divert rules, a skeleton packet representing what will be */ *************** *** 7733,7738 **** /* Function: nat_matchencap */ /* Returns: int - -1 == packet error, 1 == success, 0 = no match */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* np(I) - pointer to a NAT rule */ /* */ /* To properly compare a packet travelling in the reverse direction to an */ --- 7726,7732 ---- /* Function: nat_matchencap */ /* Returns: int - -1 == packet error, 1 == success, 0 = no match */ ! /* Parameters: softn(I) - pointer to NAT context structure */ ! /* fin(I) - pointer to packet information */ ! 
/* np(I) - pointer to a NAT rule */ /* */ /* To properly compare a packet travelling in the reverse direction to an */ *************** *** 7970,7974 **** /* Function: nat_nextaddrinit */ /* Returns: int - 0 == success, else error number */ ! /* Parameters: na(I) - NAT address information for generating new addr*/ /* initial(I) - flag indicating if it is the first call for */ /* this "na" structure. */ --- 7964,7969 ---- /* Function: nat_nextaddrinit */ /* Returns: int - 0 == success, else error number */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* na(I) - NAT address information for generating new addr*/ /* initial(I) - flag indicating if it is the first call for */ /* this "na" structure. */ *************** *** 8248,8253 **** /* Function: ipf_nat_matchflush */ /* Returns: int - -1 == error, 0 == success */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* nat(I) - pointer to current NAT session */ /* */ /* ------------------------------------------------------------------------ */ --- 8243,8249 ---- /* Function: ipf_nat_matchflush */ /* Returns: int - -1 == error, 0 == success */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* nat(I) - pointer to current NAT session */ /* */ /* ------------------------------------------------------------------------ */ *************** *** 8481,8485 **** /* Function: ipf_nat_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of nat information. */ --- 8477,8483 ---- /* Function: ipf_nat_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of nat information. 
*/ *************** *** 8529,8533 **** /* Function: ipf_nat_settimeout */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ --- 8527,8532 ---- /* Function: ipf_nat_settimeout */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ *************** *** 8566,8570 **** /* Function: ipf_nat_rehash */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ --- 8565,8570 ---- /* Function: ipf_nat_rehash */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ *************** *** 8749,8753 **** /* Function: ipf_nat_rehash_rules */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ --- 8749,8754 ---- /* Function: ipf_nat_rehash_rules */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ *************** *** 8856,8860 **** /* Function: ipf_nat_hostmap_rehash */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ --- 8857,8862 ---- /* Function: ipf_nat_hostmap_rehash */ /* Returns: int - 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! 
/* t(I) - pointer to tunable */ /* p(I) - pointer to new tuning data */ /* */ *************** *** 9039,9042 **** --- 9041,9052 ---- + /* ------------------------------------------------------------------------ */ + /* Function: ipf_nat_rule_init */ + /* Returns: int - 0 == success, else rules do not match. */ + /* Parameters: softc(I) - pointer to soft context main structure */ + /* softn(I) - pointer to NAT context structure */ + /* n(I) - first rule to compare */ + /* */ + /* ------------------------------------------------------------------------ */ static int ipf_nat_rule_init(softc, softn, n) *************** *** 9097,9098 **** --- 9107,9141 ---- return error; } + + + /* ------------------------------------------------------------------------ */ + /* Function: ipf_nat_rule_fini */ + /* Returns: int - 0 == success, else rules do not match. */ + /* Parameters: softc(I) - pointer to soft context main structure */ + /* n(I) - rule to work on */ + /* */ + /* This function is used to release any objects that were referenced during */ + /* the rule initialisation. This is useful both when free'ing the rule and */ + /* when handling ioctls that need to initialise these fields but not */ + /* actually use them after the ioctl processing has finished. 
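Review bot: The header comment added for `ipf_nat_rule_init()` (new lines 9041-9052) describes a comparison ("else rules do not match", "first rule to compare") and has no description paragraph, and the header added for `ipf_nat_rule_fini()` further down repeats `Returns: int - 0 == success, else rules do not match.` although that function is declared `static void`. Both look pasted from a rule-compare routine. Suggested wording: `Returns: int - 0 == success, else error` and `n(I) - pointer to NAT rule` for the init function, and `Returns: Nil` for the fini function.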
*/ + /* ------------------------------------------------------------------------ */ + static void + ipf_nat_rule_fini(softc, n) + ipf_main_softc_t *softc; + ipnat_t *n; + { + if (n->in_odst.na_atype == FRI_LOOKUP && n->in_odst.na_ptr != NULL) + ipf_lookup_deref(softc, n->in_odst.na_type, n->in_odst.na_ptr); + + if (n->in_osrc.na_atype == FRI_LOOKUP && n->in_osrc.na_ptr != NULL) + ipf_lookup_deref(softc, n->in_osrc.na_type, n->in_osrc.na_ptr); + + if (n->in_ndst.na_atype == FRI_LOOKUP && n->in_ndst.na_ptr != NULL) + ipf_lookup_deref(softc, n->in_ndst.na_type, n->in_ndst.na_ptr); + + if (n->in_nsrc.na_atype == FRI_LOOKUP && n->in_nsrc.na_ptr != NULL) + ipf_lookup_deref(softc, n->in_nsrc.na_type, n->in_nsrc.na_ptr); + + if (n->in_divmp != NULL) + FREE_MB_T(n->in_divmp); + } Index: ip_nat.h =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.h,v retrieving revision 1.18.2.11 retrieving revision 1.18.2.12 diff -C2 -d -r1.18.2.11 -r1.18.2.12 *** ip_nat.h 13 Jul 2012 06:39:03 -0000 1.18.2.11 --- ip_nat.h 13 Jul 2012 12:25:35 -0000 1.18.2.12 *************** *** 710,714 **** struct in_addr, struct in_addr)); extern u_short *ipf_nat_proto __P((fr_info_t *, nat_t *, u_int)); ! extern void ipf_nat_rulederef __P((ipf_main_softc_t *, ipnat_t **)); extern void ipf_nat_setqueue __P((ipf_main_softc_t *, ipf_nat_softc_t *, nat_t *)); --- 710,714 ---- struct in_addr, struct in_addr)); extern u_short *ipf_nat_proto __P((fr_info_t *, nat_t *, u_int)); ! extern void ipf_nat_rule_deref __P((ipf_main_softc_t *, ipnat_t **)); extern void ipf_nat_setqueue __P((ipf_main_softc_t *, ipf_nat_softc_t *, nat_t *)); |
From: Darren <dar...@us...> - 2012-07-13 12:25:38
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv26277/tools Modified Files: Tag: v5-1-RELEASE ipnat.c Log Message: 3543493 tokens are not flushed when disabled 3543487 NAT rules do not always release lookup objects Index: ipnat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat.c,v retrieving revision 1.10.2.10 retrieving revision 1.10.2.11 diff -C2 -d -r1.10.2.10 -r1.10.2.11 *** ipnat.c 13 Jul 2012 06:41:36 -0000 1.10.2.10 --- ipnat.c 13 Jul 2012 12:25:35 -0000 1.10.2.11 *************** *** 497,504 **** printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n%", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); ! printf("%lu\tactive\n", nsp->ns_active); printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); printf("%lu\tdivert build\n", nsp->ns_divert_build); --- 497,504 ---- printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); ! printf("%u\tactive\n", nsp->ns_active); printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); printf("%lu\tdivert build\n", nsp->ns_divert_build); |
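Review bot: The new `%u` for ns_active is only right if that field is declared as an unsigned int, and the declaration is not part of this hunk, while every counter around it still goes through `%lu`. A printf conversion that disagrees with its argument type is undefined behaviour, so the specifier has to track the structure definition by hand. A cast at the call site, `printf("%lu\tactive\n", (unsigned long)nsp->ns_active);`, stays correct if the field's width changes again, and building the tools with `-Wformat` would flag the next mismatch. The identical hunk in the 1.21 to 1.22 diff of tools/ipnat.c that follows has the same dependency.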
From: Darren <dar...@us...> - 2012-07-13 11:56:54
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv25711/tools Modified Files: ipnat.c Log Message: 3543493 tokens are not flushed when disabled 3543487 NAT rules do not always release lookup objects Index: ipnat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat.c,v retrieving revision 1.21 retrieving revision 1.22 diff -C2 -d -r1.21 -r1.22 *** ipnat.c 13 Jul 2012 06:41:28 -0000 1.21 --- ipnat.c 13 Jul 2012 11:56:51 -0000 1.22 *************** *** 508,515 **** printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n%", ! nsp->ns_side[0].ns_added, ! nsp->ns_side[1].ns_added); ! printf("%lu\tactive\n", nsp->ns_active); printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); printf("%lu\tdivert build\n", nsp->ns_divert_build); --- 508,514 ---- printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n", ! nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); ! printf("%u\tactive\n", nsp->ns_active); printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); printf("%lu\tdivert build\n", nsp->ns_divert_build); |
From: Darren <dar...@us...> - 2012-07-13 11:54:44
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv25679 Modified Files: ip_nat6.c Log Message: 3541645 netmask management adds /32 for /0 Index: ip_nat6.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat6.c,v retrieving revision 1.37 retrieving revision 1.38 diff -C2 -d -r1.37 -r1.38 *** ip_nat6.c 13 Jul 2012 06:38:23 -0000 1.37 --- ip_nat6.c 13 Jul 2012 11:54:41 -0000 1.38 *************** *** 131,136 **** nat_addr_t *, int, void *); static int ipf_nat6_insert(ipf_main_softc_t *, ipf_nat_softc_t *, nat_t *); - static void ipf_nat6_delmap(ipf_nat_softc_t *, ipnat_t *); - static void ipf_nat6_delrdr(ipf_nat_softc_t *, ipnat_t *); --- 131,134 ---- *************** *** 209,213 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_add_rdr */ /* Returns: Nil */ /* Parameters: n(I) - pointer to NAT rule to add */ --- 207,211 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_addrdr */ /* Returns: Nil */ /* Parameters: n(I) - pointer to NAT rule to add */ *************** *** 222,225 **** --- 220,224 ---- ipnat_t *n; { + i6addr_t *mask; ipnat_t **np; i6addr_t j; *************** *** 227,235 **** int k; ! if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) { k = count6bits(n->in_nsrcmsk6.i6); ! ipf_inet6_mask_add(k, &n->in_nsrcmsk6, ! &softn->ipf_nat6_rdr_mask); ! IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); --- 226,232 ---- int k; ! if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) { k = count6bits(n->in_nsrcmsk6.i6); ! mask = &n->in_nsrcmsk6; IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); *************** *** 237,250 **** } else if (n->in_odstatype == FRI_NORMAL) { k = count6bits(n->in_odstmsk6.i6); ! ipf_inet6_mask_add(k, &n->in_odstmsk6, ! &softn->ipf_nat6_rdr_mask); ! 
IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); } else { ! ipf_inet6_mask_add(0, &n->in_odstmsk6, ! &softn->ipf_nat6_rdr_mask); hv = 0; } np = softn->ipf_nat_rdr_rules + hv; while (*np != NULL) --- 234,247 ---- } else if (n->in_odstatype == FRI_NORMAL) { k = count6bits(n->in_odstmsk6.i6); ! mask = &n->in_odstmsk6; IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); } else { ! k = 0; hv = 0; + mask = NULL; } + ipf_inet6_mask_add(k, mask, &softn->ipf_nat6_rdr_mask); + np = softn->ipf_nat_rdr_rules + hv; while (*np != NULL) *************** *** 272,275 **** --- 269,273 ---- ipnat_t *n; { + i6addr_t *mask; ipnat_t **np; i6addr_t j; *************** *** 279,291 **** if (n->in_osrcatype == FRI_NORMAL) { k = count6bits(n->in_osrcmsk6.i6); ! ipf_inet6_mask_add(k, &n->in_osrcmsk6, ! &softn->ipf_nat6_map_mask); IP6_AND(&n->in_osrcip6, &n->in_osrcmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_maprules_sz); } else { ! ipf_inet6_mask_add(0, &n->in_osrcmsk6, ! &softn->ipf_nat6_map_mask); hv = 0; } np = softn->ipf_nat_map_rules + hv; --- 277,289 ---- if (n->in_osrcatype == FRI_NORMAL) { k = count6bits(n->in_osrcmsk6.i6); ! mask = &n->in_osrcmsk6; IP6_AND(&n->in_osrcip6, &n->in_osrcmsk6, &j); hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_maprules_sz); } else { ! k = 0; hv = 0; + mask = NULL; } + ipf_inet6_mask_add(k, mask, &softn->ipf_nat6_map_mask); np = softn->ipf_nat_map_rules + hv; *************** *** 307,323 **** /* Removes a NAT rdr rule from the hash table of NAT rdr rules. */ /* ------------------------------------------------------------------------ */ ! static void ipf_nat6_delrdr(softn, n) ipf_nat_softc_t *softn; ! ipnat_t *n; { int k; ! if (n->in_osrcatype == FRI_NORMAL) { ! k = count6bits(n->in_osrcmsk6.i6); } else { k = 0; } ! 
ipf_inet6_mask_del(k, &n->in_osrcmsk6, &softn->ipf_nat6_map_mask); if (n->in_rnext != NULL) --- 305,327 ---- /* Removes a NAT rdr rule from the hash table of NAT rdr rules. */ /* ------------------------------------------------------------------------ */ ! void ipf_nat6_delrdr(softn, n) ipf_nat_softc_t *softn; ! ipnat_t *n; { + i6addr_t *mask; int k; ! if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) { ! k = count6bits(n->in_nsrcmsk6.i6); ! mask = &n->in_nsrcmsk6; ! } else if (n->in_odstatype == FRI_NORMAL) { ! k = count6bits(n->in_odstmsk6.i6); ! mask = &n->in_odstmsk6; } else { k = 0; + mask = NULL; } ! ipf_inet6_mask_del(k, mask, &softn->ipf_nat6_rdr_mask); if (n->in_rnext != NULL) *************** *** 335,351 **** /* Removes a NAT map rule from the hash table of NAT map rules. */ /* ------------------------------------------------------------------------ */ ! static void ipf_nat6_delmap(softn, n) ipf_nat_softc_t *softn; ! ipnat_t *n; { int k; if (n->in_osrcatype == FRI_NORMAL) { ! k = count6bits(n->in_odstmsk6.i6); } else { k = 0; } ! ipf_inet6_mask_del(k, &n->in_odstmsk6, &softn->ipf_nat6_map_mask); if (n->in_mnext != NULL) --- 339,358 ---- /* Removes a NAT map rule from the hash table of NAT map rules. */ /* ------------------------------------------------------------------------ */ ! void ipf_nat6_delmap(softn, n) ipf_nat_softc_t *softn; ! ipnat_t *n; { + i6addr_t *mask; int k; if (n->in_osrcatype == FRI_NORMAL) { ! k = count6bits(n->in_osrcmsk6.i6); ! mask = &n->in_osrcmsk6; } else { k = 0; + mask = NULL; } ! ipf_inet6_mask_del(k, mask, &softn->ipf_nat6_map_mask); if (n->in_mnext != NULL) *************** *** 3086,3090 **** i = 1; else if (i == -1) { ! NBUMPSIDE6D(1, ns_appr_fail); } #else --- 3093,3097 ---- i = 1; else if (i == -1) { ! NBUMPSIDE6D(1, ns_ipf_proxy_fail); } #else *************** *** 3351,3355 **** i = appr_check(fin, nat); if (i == -1) { ! NBUMPSIDE6D(0, ns_appr_fail); return -1; } --- 3358,3362 ---- i = appr_check(fin, nat); if (i == -1) { ! 
NBUMPSIDE6D(0, ns_ipf_proxy_fail); return -1; } |
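Review bot: ipf_nat6_addrdr (hunks at 227 and 237), the map-rule add function (hunk at 279), ipf_nat6_delrdr and ipf_nat6_delmap now pass `mask = NULL` with `k = 0` to ipf_inet6_mask_add() / ipf_inet6_mask_del() whenever the address type is not FRI_NORMAL, where the old code always passed the address of a mask field inside the rule. Neither helper is shown in this diff, so it should be confirmed that both special-case a zero bit count before reading through the mask pointer; otherwise this is a NULL dereference in kernel context on rule insert and delete. A comment at the assignment, such as `mask = NULL;	/* k == 0: helpers must not read the mask */`, or an assertion inside the helpers, would record that contract. ipf_nat6_delrdr and ipf_nat6_delmap also lose `static` while their prototypes are removed from this file, so the declarations presumably moved to a header that is not part of this message.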
From: Darren <dar...@us...> - 2012-07-13 11:25:45
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv24229 Modified Files: Tag: v5-1-RELEASE ip_state.c Log Message: 3543491 function comments in ip_state.c are old Index: ip_state.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_state.c,v retrieving revision 1.48.2.22 retrieving revision 1.48.2.23 diff -C2 -d -r1.48.2.22 -r1.48.2.23 *** ip_state.c 19 Jun 2012 07:58:30 -0000 1.48.2.22 --- ip_state.c 13 Jul 2012 11:25:43 -0000 1.48.2.23 *************** *** 503,507 **** /* Function: ipf_state_stats */ /* Returns: ips_state_t* - pointer to state stats structure */ ! /* Parameters: Nil */ /* */ /* Put all the current numbers and pointers into a single struct and return */ --- 503,507 ---- /* Function: ipf_state_stats */ /* Returns: ips_state_t* - pointer to state stats structure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Put all the current numbers and pointers into a single struct and return */ *************** *** 534,538 **** /* Function: ipf_state_remove */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state structure to delete from table */ /* */ /* Search for a state structure that matches the one passed, according to */ --- 534,539 ---- /* Function: ipf_state_remove */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* data(I) - pointer to state structure to delete from table */ /* */ /* Search for a state structure that matches the one passed, according to */ *************** *** 576,582 **** /* Function: ipf_state_ioctl */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to ioctl data */ ! /* cmd(I) - ioctl command integer */ ! /* mode(I) - file mode bits used with open */ /* */ /* Processes an ioctl call made to operate on the IP Filter state device. 
*/ --- 577,586 ---- /* Function: ipf_state_ioctl */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* data(I) - pointer to ioctl data */ ! /* cmd(I) - ioctl command integer */ ! /* mode(I) - file mode bits used with open */ ! /* uid(I) - uid of process making the ioctl call */ ! /* ctx(I) - pointer specific to context of the call */ /* */ /* Processes an ioctl call made to operate on the IP Filter state device. */ *************** *** 829,833 **** /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state structure to retrieve from table */ /* */ /* Copy out state information from the kernel to a user space process. If */ --- 833,839 ---- /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to state structure to retrieve from table*/ /* */ /* Copy out state information from the kernel to a user space process. If */ *************** *** 893,897 **** /* Function: ipf_state_putent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state information struct */ /* */ /* This function implements the SIOCSTPUT ioctl: insert a state entry into */ --- 899,905 ---- /* Function: ipf_state_putent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to state information struct */ /* */ /* This function implements the SIOCSTPUT ioctl: insert a state entry into */ *************** *** 1034,1041 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_state_insert */ ! /* Returns: int - 0 == success, -1 == failure */ ! 
/* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ /* */ /* Inserts a state structure into the hash table (for lookups) and the list */ --- 1042,1050 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_state_insert */ ! /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - flag indicating direction of packet */ /* */ /* Inserts a state structure into the hash table (for lookups) and the list */ *************** *** 1340,1344 **** /* Function: ipf_state_add */ /* Returns: ipstate_t - 0 = success */ ! /* Parameters: fin(I) - pointer to packet information */ /* stsave(O) - pointer to place to save pointer to created */ /* state structure. */ --- 1349,1354 ---- /* Function: ipf_state_add */ /* Returns: ipstate_t - 0 = success */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* fin(I) - pointer to packet information */ /* stsave(O) - pointer to place to save pointer to created */ /* state structure. */ *************** *** 1646,1650 **** is->is_flags = flags & IS_INHERITED; is->is_rulen = fin->fin_rule; - DT3(state_insert, ipstate_t *, is, u_int, hv, u_32_t, flags); /* --- 1656,1659 ---- *************** *** 1862,1866 **** /* Returns: int - 1 == packet matches state entry, 0 == it does not, */ /* -1 == packet has bad TCP options data */ ! /* Parameters: fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* td(I) - pointer to TCP data held as part of the state */ --- 1871,1876 ---- /* Returns: int - 1 == packet matches state entry, 0 == it does not, */ /* -1 == packet has bad TCP options data */ ! /* Parameters: softs(I) - pointer to state context structure */ ! 
/* fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* td(I) - pointer to TCP data held as part of the state */ *************** *** 1966,1970 **** /* Function: ipf_state_tcp */ /* Returns: int - 1 == packet matches state entry, 0 == it does not */ ! /* Parameters: fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* is(I) - pointer to master state structure */ --- 1976,1982 ---- /* Function: ipf_state_tcp */ /* Returns: int - 1 == packet matches state entry, 0 == it does not */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* is(I) - pointer to master state structure */ *************** *** 2392,2400 **** /* Function: ipf_matchsrcdst */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* is(I) - pointer to state structure */ ! /* src(I) - pointer to source address */ ! /* dst(I) - pointer to destination address */ ! /* tcp(I) - pointer to TCP/UDP header */ /* */ /* Match a state table entry against an IP packet. The logic below is that */ --- 2404,2413 ---- /* Function: ipf_matchsrcdst */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* is(I) - pointer to state structure */ ! /* src(I) - pointer to source address */ ! /* dst(I) - pointer to destination address */ ! /* tcp(I) - pointer to TCP/UDP header */ ! /* cmask(I) - mask of FI_* bits to check */ /* */ /* Match a state table entry against an IP packet. 
The logic below is that */ *************** *** 2858,2861 **** --- 2871,2875 ---- /* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to state table entry */ + /* src(I) - source address to check permission for */ /* */ /* For an ICMP packet that has so far matched a state table entry, check if */ *************** *** 2982,2990 **** /* Returns: ipstate_t* - NULL == no matching state found, */ /* else pointer to state information is returned */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* tcp(I) - pointer to TCP/UDP header. */ /* */ /* Search the state table for a matching entry to the packet described by */ ! /* the contents of *fin. */ /* */ /* If we return NULL then no lock on ipf_state is held. */ --- 2996,3006 ---- /* Returns: ipstate_t* - NULL == no matching state found, */ /* else pointer to state information is returned */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* tcp(I) - pointer to TCP/UDP header. */ ! /* ifqp(O) - pointer for storing tailq timeout */ /* */ /* Search the state table for a matching entry to the packet described by */ ! /* the contents of *fin. For certain protocols, when a match is found the */ ! /* timeout queue is also selected and stored in ifpq if it is non-NULL. */ /* */ /* If we return NULL then no lock on ipf_state is held. */ *************** *** 3269,3273 **** /* Returns: frentry_t* - NULL == search failed, */ /* else pointer to rule for matching state */ ! /* Parameters: ifp(I) - pointer to interface */ /* passp(I) - pointer to filtering result flags */ /* */ --- 3285,3289 ---- /* Returns: frentry_t* - NULL == search failed, */ /* else pointer to rule for matching state */ ! /* Parameters: fin(I) - pointer to packet information */ /* passp(I) - pointer to filtering result flags */ /* */ *************** *** 3428,3432 **** /* Function: ipf_fixoutisn */ /* Returns: Nil */ ! 
/* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to master state structure */ /* */ --- 3444,3448 ---- /* Function: ipf_fixoutisn */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to master state structure */ /* */ *************** *** 3506,3510 **** /* Function: ipf_state_sync */ /* Returns: Nil */ ! /* Parameters: ifp(I) - pointer to interface */ /* */ /* Walk through all state entries and if an interface pointer match is */ --- 3522,3527 ---- /* Function: ipf_state_sync */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* ifp(I) - pointer to interface */ /* */ /* Walk through all state entries and if an interface pointer match is */ *************** *** 3552,3556 **** /* Function: ipf_state_del */ /* Returns: int - 0 = deleted, else refernce count on active struct */ ! /* Parameters: is(I) - pointer to state structure to delete */ /* why(I) - if not 0, log reason why it was deleted */ /* Write Locks: ipf_state */ --- 3569,3574 ---- /* Function: ipf_state_del */ /* Returns: int - 0 = deleted, else refernce count on active struct */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure to delete */ /* why(I) - if not 0, log reason why it was deleted */ /* Write Locks: ipf_state */ *************** *** 3693,3697 **** /* Function: ipf_state_expire */ /* Returns: Nil */ ! /* Parameters: Nil */ /* */ /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */ --- 3711,3715 ---- /* Function: ipf_state_expire */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */ *************** *** 3756,3760 **** /* Function: ipf_state_flush */ /* Returns: int - 0 == success, -1 == failure */ ! 
/* Parameters: Nil */ /* Write Locks: ipf_state */ /* */ --- 3774,3780 ---- /* Function: ipf_state_flush */ /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* which(I) - which flush action to perform */ ! /* proto(I) - which protocol to flush (0 == ALL) */ /* Write Locks: ipf_state */ /* */ *************** *** 3928,3932 **** /* Function: ipf_state_flush_entry */ /* Returns: int - 0 = entry deleted, else not deleted */ ! /* Parameters: entry(I) - pointer to state structure to delete */ /* Write Locks: ipf_state */ /* */ --- 3948,3953 ---- /* Function: ipf_state_flush_entry */ /* Returns: int - 0 = entry deleted, else not deleted */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* entry(I) - pointer to state structure to delete */ /* Write Locks: ipf_state */ /* */ *************** *** 3947,3951 **** /* Function: ipf_tcp_age */ /* Returns: int - 1 == state transition made, 0 == no change (rejected) */ ! /* Parameters: tq(I) - pointer to timeout queue information */ /* fin(I) - pointer to packet information */ /* tqtab(I) - TCP timeout queue table this is in */ --- 3968,3972 ---- /* Function: ipf_tcp_age */ /* Returns: int - 1 == state transition made, 0 == no change (rejected) */ ! /* Parameters: tqe(I) - pointer to timeout queue information */ /* fin(I) - pointer to packet information */ /* tqtab(I) - TCP timeout queue table this is in */ *************** *** 4327,4332 **** /* Function: ipf_state_log */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ ! /* type(I) - type of log entry to create */ /* */ /* Creates a state table log entry using the state structure and type info. */ --- 4348,4354 ---- /* Function: ipf_state_log */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure */ ! 
/* type(I) - type of log entry to create */ /* */ /* Creates a state table log entry using the state structure and type info. */ *************** *** 4599,4603 **** /* Function: ipf_sttab_init */ /* Returns: Nil */ ! /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */ /* */ /* Initialise the array of timeout queues for TCP. */ --- 4621,4626 ---- /* Function: ipf_sttab_init */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* tqp(I) - pointer to an array of timeout queues for TCP */ /* */ /* Initialise the array of timeout queues for TCP. */ *************** *** 4652,4656 **** /* Function: ipf_state_deref */ /* Returns: Nil */ ! /* Parameters: isp(I) - pointer to pointer to state table entry */ /* */ /* Decrement the reference counter for this state table entry and free it */ --- 4675,4680 ---- /* Function: ipf_state_deref */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* isp(I) - pointer to pointer to state table entry */ /* */ /* Decrement the reference counter for this state table entry and free it */ *************** *** 4713,4718 **** /* Function: ipf_state_setqueue */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - forward(0) or reverse(1) direction */ /* Locks: ipf_state (read or write) */ /* */ --- 4737,4743 ---- /* Function: ipf_state_setqueue */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure */ ! /* rev(I) - forward(0) or reverse(1) direction */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 4784,4789 **** /* Function: ipf_state_iter */ /* Returns: int - 0 == success, else error */ ! 
/* Parameters: token(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter structure */ /* */ /* This function handles the SIOCGENITER ioctl for the state tables and */ --- 4809,4816 ---- /* Function: ipf_state_iter */ /* Returns: int - 0 == success, else error */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* token(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter structure */ + /* obj(I) - pointer to data description structure */ /* */ /* This function handles the SIOCGENITER ioctl for the state tables and */ *************** *** 4866,4870 **** /* Function: ipf_state_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of state information. */ --- 4893,4899 ---- /* Function: ipf_state_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of state information. */ *************** *** 4902,4906 **** /* Function: ipf_state_setpending */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 4931,4936 ---- /* Function: ipf_state_setpending */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 4936,4940 **** /* Function: ipf_state_matchflush */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 4966,4971 ---- /* Function: ipf_state_matchflush */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to main soft context */ ! 
/* data(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 4978,4982 **** /* Function: ipf_state_matcharray */ /* Returns: int - 0 = no match, 1 = match */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 5009,5015 ---- /* Function: ipf_state_matcharray */ /* Returns: int - 0 = no match, 1 = match */ ! /* Parameters: state(I) - pointer to state structure */ ! /* array(I) - pointer to ipf matching expression */ ! /* ticks(I) - current value of ipfilter tick timer */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 5132,5137 **** /* Function: ipf_state_settimeout */ /* Returns: int 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* Sets a timeout value for one of the many timeout queues. We find the */ --- 5165,5171 ---- /* Function: ipf_state_settimeout */ /* Returns: int 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* Sets a timeout value for one of the many timeout queues. We find the */ *************** *** 5184,5189 **** /* Function: ipf_state_rehash */ /* Returns: int 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* To change the size of the state hash table at runtime, a new table has */ --- 5218,5224 ---- /* Function: ipf_state_rehash */ /* Returns: int 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* To change the size of the state hash table at runtime, a new table has */ |
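Review bot: Three of the refreshed comment blocks carry slips worth fixing while the text is being touched. The ipf_state_insert block (hunk at 1034) now has two `Parameters:` labels, the second of which should be blank padding in front of `is(I)`; the lookup block in the hunk at 2982 documents the new argument as `ifqp(O)` but then says the queue is "stored in ifpq"; and ipf_state_matchflush describes `data(I)` as "pointer to state structure", the wording of the `is(I)` line it replaces, which may not describe the argument (the signature is outside the hunk). Two older typos remain in unchanged context lines, "refernce" under ipf_state_del and "thingslike" under ipf_state_expire. The 1.68 to 1.69 diff of ip_state.c that follows repeats the same text as far as it is shown.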
From: Darren <dar...@us...> - 2012-07-13 11:25:06
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv24199 Modified Files: ip_state.c Log Message: 3543491 function comments in ip_state.c are old Index: ip_state.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_state.c,v retrieving revision 1.68 retrieving revision 1.69 diff -C2 -d -r1.68 -r1.69 *** ip_state.c 19 Jun 2012 07:55:29 -0000 1.68 --- ip_state.c 13 Jul 2012 11:25:03 -0000 1.69 *************** *** 498,502 **** /* Function: ipf_state_stats */ /* Returns: ips_state_t* - pointer to state stats structure */ ! /* Parameters: Nil */ /* */ /* Put all the current numbers and pointers into a single struct and return */ --- 498,502 ---- /* Function: ipf_state_stats */ /* Returns: ips_state_t* - pointer to state stats structure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Put all the current numbers and pointers into a single struct and return */ *************** *** 529,533 **** /* Function: ipf_state_remove */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state structure to delete from table */ /* */ /* Search for a state structure that matches the one passed, according to */ --- 529,534 ---- /* Function: ipf_state_remove */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* data(I) - pointer to state structure to delete from table */ /* */ /* Search for a state structure that matches the one passed, according to */ *************** *** 571,577 **** /* Function: ipf_state_ioctl */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to ioctl data */ ! /* cmd(I) - ioctl command integer */ ! /* mode(I) - file mode bits used with open */ /* */ /* Processes an ioctl call made to operate on the IP Filter state device. 
*/ --- 572,581 ---- /* Function: ipf_state_ioctl */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* data(I) - pointer to ioctl data */ ! /* cmd(I) - ioctl command integer */ ! /* mode(I) - file mode bits used with open */ ! /* uid(I) - uid of process making the ioctl call */ ! /* ctx(I) - pointer specific to context of the call */ /* */ /* Processes an ioctl call made to operate on the IP Filter state device. */ *************** *** 824,828 **** /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state structure to retrieve from table */ /* */ /* Copy out state information from the kernel to a user space process. If */ --- 828,834 ---- /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to state structure to retrieve from table*/ /* */ /* Copy out state information from the kernel to a user space process. If */ *************** *** 888,892 **** /* Function: ipf_state_putent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: data(I) - pointer to state information struct */ /* */ /* This function implements the SIOCSTPUT ioctl: insert a state entry into */ --- 894,900 ---- /* Function: ipf_state_putent */ /* Returns: int - 0 == success, != 0 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to state information struct */ /* */ /* This function implements the SIOCSTPUT ioctl: insert a state entry into */ *************** *** 1029,1036 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_state_insert */ ! /* Returns: int - 0 == success, -1 == failure */ ! 
/* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ /* */ /* Inserts a state structure into the hash table (for lookups) and the list */ --- 1037,1045 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_state_insert */ ! /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - flag indicating direction of packet */ /* */ /* Inserts a state structure into the hash table (for lookups) and the list */ *************** *** 1477,1481 **** /* Function: ipf_state_add */ /* Returns: ipstate_t - 0 = success */ ! /* Parameters: fin(I) - pointer to packet information */ /* stsave(O) - pointer to place to save pointer to created */ /* state structure. */ --- 1486,1491 ---- /* Function: ipf_state_add */ /* Returns: ipstate_t - 0 = success */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* fin(I) - pointer to packet information */ /* stsave(O) - pointer to place to save pointer to created */ /* state structure. */ *************** *** 1794,1798 **** is->is_flags = flags & IS_INHERITED; is->is_rulen = fin->fin_rule; - DT3(state_insert, ipstate_t *, is, u_int, hv, u_32_t, flags); /* --- 1804,1807 ---- *************** *** 2013,2017 **** /* Returns: int - 1 == packet matches state entry, 0 == it does not, */ /* -1 == packet has bad TCP options data */ ! /* Parameters: fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* td(I) - pointer to TCP data held as part of the state */ --- 2022,2027 ---- /* Returns: int - 1 == packet matches state entry, 0 == it does not, */ /* -1 == packet has bad TCP options data */ ! /* Parameters: softs(I) - pointer to state context structure */ ! 
/* fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* td(I) - pointer to TCP data held as part of the state */ *************** *** 2117,2121 **** /* Function: ipf_state_tcp */ /* Returns: int - 1 == packet matches state entry, 0 == it does not */ ! /* Parameters: fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* is(I) - pointer to master state structure */ --- 2127,2133 ---- /* Function: ipf_state_tcp */ /* Returns: int - 1 == packet matches state entry, 0 == it does not */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softs(I) - pointer to state context structure */ ! /* fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP packet header */ /* is(I) - pointer to master state structure */ *************** *** 2543,2551 **** /* Function: ipf_matchsrcdst */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* is(I) - pointer to state structure */ ! /* src(I) - pointer to source address */ ! /* dst(I) - pointer to destination address */ ! /* tcp(I) - pointer to TCP/UDP header */ /* */ /* Match a state table entry against an IP packet. The logic below is that */ --- 2555,2564 ---- /* Function: ipf_matchsrcdst */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* is(I) - pointer to state structure */ ! /* src(I) - pointer to source address */ ! /* dst(I) - pointer to destination address */ ! /* tcp(I) - pointer to TCP/UDP header */ ! /* cmask(I) - mask of FI_* bits to check */ /* */ /* Match a state table entry against an IP packet. 
The logic below is that */ *************** *** 3037,3040 **** --- 3050,3054 ---- /* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to state table entry */ + /* src(I) - source address to check permission for */ /* */ /* For an ICMP packet that has so far matched a state table entry, check if */ *************** *** 3161,3169 **** /* Returns: ipstate_t* - NULL == no matching state found, */ /* else pointer to state information is returned */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* tcp(I) - pointer to TCP/UDP header. */ /* */ /* Search the state table for a matching entry to the packet described by */ ! /* the contents of *fin. */ /* */ /* If we return NULL then no lock on ipf_state is held. */ --- 3175,3185 ---- /* Returns: ipstate_t* - NULL == no matching state found, */ /* else pointer to state information is returned */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* tcp(I) - pointer to TCP/UDP header. */ ! /* ifqp(O) - pointer for storing tailq timeout */ /* */ /* Search the state table for a matching entry to the packet described by */ ! /* the contents of *fin. For certain protocols, when a match is found the */ ! /* timeout queue is also selected and stored in ifpq if it is non-NULL. */ /* */ /* If we return NULL then no lock on ipf_state is held. */ *************** *** 3456,3460 **** /* Returns: frentry_t* - NULL == search failed, */ /* else pointer to rule for matching state */ ! /* Parameters: ifp(I) - pointer to interface */ /* passp(I) - pointer to filtering result flags */ /* */ --- 3472,3476 ---- /* Returns: frentry_t* - NULL == search failed, */ /* else pointer to rule for matching state */ ! /* Parameters: fin(I) - pointer to packet information */ /* passp(I) - pointer to filtering result flags */ /* */ *************** *** 3615,3619 **** /* Function: ipf_fixoutisn */ /* Returns: Nil */ ! 
/* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to master state structure */ /* */ --- 3631,3635 ---- /* Function: ipf_fixoutisn */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ /* is(I) - pointer to master state structure */ /* */ *************** *** 3693,3697 **** /* Function: ipf_state_sync */ /* Returns: Nil */ ! /* Parameters: ifp(I) - pointer to interface */ /* */ /* Walk through all state entries and if an interface pointer match is */ --- 3709,3714 ---- /* Function: ipf_state_sync */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* ifp(I) - pointer to interface */ /* */ /* Walk through all state entries and if an interface pointer match is */ *************** *** 3739,3743 **** /* Function: ipf_state_del */ /* Returns: int - 0 = deleted, else refernce count on active struct */ ! /* Parameters: is(I) - pointer to state structure to delete */ /* why(I) - if not 0, log reason why it was deleted */ /* Write Locks: ipf_state */ --- 3756,3761 ---- /* Function: ipf_state_del */ /* Returns: int - 0 = deleted, else refernce count on active struct */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure to delete */ /* why(I) - if not 0, log reason why it was deleted */ /* Write Locks: ipf_state */ *************** *** 3880,3884 **** /* Function: ipf_state_expire */ /* Returns: Nil */ ! /* Parameters: Nil */ /* */ /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */ --- 3898,3902 ---- /* Function: ipf_state_expire */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */ *************** *** 3943,3947 **** /* Function: ipf_state_flush */ /* Returns: int - 0 == success, -1 == failure */ ! 
/* Parameters: Nil */ /* Write Locks: ipf_state */ /* */ --- 3961,3967 ---- /* Function: ipf_state_flush */ /* Returns: int - 0 == success, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* which(I) - which flush action to perform */ ! /* proto(I) - which protocol to flush (0 == ALL) */ /* Write Locks: ipf_state */ /* */ *************** *** 4115,4119 **** /* Function: ipf_state_flush_entry */ /* Returns: int - 0 = entry deleted, else not deleted */ ! /* Parameters: entry(I) - pointer to state structure to delete */ /* Write Locks: ipf_state */ /* */ --- 4135,4140 ---- /* Function: ipf_state_flush_entry */ /* Returns: int - 0 = entry deleted, else not deleted */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* entry(I) - pointer to state structure to delete */ /* Write Locks: ipf_state */ /* */ *************** *** 4134,4138 **** /* Function: ipf_tcp_age */ /* Returns: int - 1 == state transition made, 0 == no change (rejected) */ ! /* Parameters: tq(I) - pointer to timeout queue information */ /* fin(I) - pointer to packet information */ /* tqtab(I) - TCP timeout queue table this is in */ --- 4155,4159 ---- /* Function: ipf_tcp_age */ /* Returns: int - 1 == state transition made, 0 == no change (rejected) */ ! /* Parameters: tqe(I) - pointer to timeout queue information */ /* fin(I) - pointer to packet information */ /* tqtab(I) - TCP timeout queue table this is in */ *************** *** 4514,4519 **** /* Function: ipf_state_log */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ ! /* type(I) - type of log entry to create */ /* */ /* Creates a state table log entry using the state structure and type info. */ --- 4535,4541 ---- /* Function: ipf_state_log */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure */ ! 
/* type(I) - type of log entry to create */ /* */ /* Creates a state table log entry using the state structure and type info. */ *************** *** 4786,4790 **** /* Function: ipf_sttab_init */ /* Returns: Nil */ ! /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */ /* */ /* Initialise the array of timeout queues for TCP. */ --- 4808,4813 ---- /* Function: ipf_sttab_init */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* tqp(I) - pointer to an array of timeout queues for TCP */ /* */ /* Initialise the array of timeout queues for TCP. */ *************** *** 4839,4843 **** /* Function: ipf_state_deref */ /* Returns: Nil */ ! /* Parameters: isp(I) - pointer to pointer to state table entry */ /* */ /* Decrement the reference counter for this state table entry and free it */ --- 4862,4867 ---- /* Function: ipf_state_deref */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* isp(I) - pointer to pointer to state table entry */ /* */ /* Decrement the reference counter for this state table entry and free it */ *************** *** 4894,4899 **** /* Function: ipf_state_setqueue */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ ! /* rev(I) - forward(0) or reverse(1) direction */ /* Locks: ipf_state (read or write) */ /* */ --- 4918,4924 ---- /* Function: ipf_state_setqueue */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* is(I) - pointer to state structure */ ! /* rev(I) - forward(0) or reverse(1) direction */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 4965,4970 **** /* Function: ipf_state_iter */ /* Returns: int - 0 == success, else error */ ! 
/* Parameters: token(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter structure */ /* */ /* This function handles the SIOCGENITER ioctl for the state tables and */ --- 4990,4997 ---- /* Function: ipf_state_iter */ /* Returns: int - 0 == success, else error */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* token(I) - pointer to ipftoken structure */ /* itp(I) - pointer to ipfgeniter structure */ + /* obj(I) - pointer to data description structure */ /* */ /* This function handles the SIOCGENITER ioctl for the state tables and */ *************** *** 5048,5052 **** /* Function: ipf_state_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of state information. */ --- 5075,5081 ---- /* Function: ipf_state_gettable */ /* Returns: int - 0 = success, else error */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* softs(I) - pointer to state context structure */ ! /* data(I) - pointer to ioctl data */ /* */ /* This function handles ioctl requests for tables of state information. */ *************** *** 5084,5088 **** /* Function: ipf_state_setpending */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 5113,5118 ---- /* Function: ipf_state_setpending */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 5118,5122 **** /* Function: ipf_state_matchflush */ /* Returns: Nil */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 5148,5153 ---- /* Function: ipf_state_matchflush */ /* Returns: Nil */ ! /* Parameters: softc(I) - pointer to main soft context */ ! 
/* data(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 5160,5164 **** /* Function: ipf_state_matcharray */ /* Returns: int - 0 = no match, 1 = match */ ! /* Parameters: is(I) - pointer to state structure */ /* Locks: ipf_state (read or write) */ /* */ --- 5191,5197 ---- /* Function: ipf_state_matcharray */ /* Returns: int - 0 = no match, 1 = match */ ! /* Parameters: state(I) - pointer to state structure */ ! /* array(I) - pointer to ipf matching expression */ ! /* ticks(I) - current value of ipfilter tick timer */ /* Locks: ipf_state (read or write) */ /* */ *************** *** 5314,5319 **** /* Function: ipf_state_settimeout */ /* Returns: int 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* Sets a timeout value for one of the many timeout queues. We find the */ --- 5347,5353 ---- /* Function: ipf_state_settimeout */ /* Returns: int 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* Sets a timeout value for one of the many timeout queues. We find the */ *************** *** 5366,5371 **** /* Function: ipf_state_rehash */ /* Returns: int 0 = success, else failure */ ! /* Parameters: t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* To change the size of the state hash table at runtime, a new table has */ --- 5400,5406 ---- /* Function: ipf_state_rehash */ /* Returns: int 0 = success, else failure */ ! /* Parameters: softc(I) - pointer to main soft context */ ! /* t(I) - pointer to tuneable being changed */ ! /* p(I) - pointer to the new value */ /* */ /* To change the size of the state hash table at runtime, a new table has */ |
From: Darren <dar...@us...> - 2012-07-13 06:47:02
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv13535/tools Modified Files: Tag: v5-1-RELEASE ipnat_y.y Log Message: 3543404 ipnat.conf parsing uses family/ip version badly 3543403 incorrect line number printed in ipnat parsing errors Index: ipnat_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat_y.y,v retrieving revision 1.19.2.11 retrieving revision 1.19.2.12 diff -C2 -d -r1.19.2.11 -r1.19.2.12 *** ipnat_y.y 9 Jul 2012 15:57:15 -0000 1.19.2.11 --- ipnat_y.y 13 Jul 2012 06:47:00 -0000 1.19.2.12 *************** *** 191,196 **** map: mapit ifnames addr tlate rhsaddr proxy mapoptions ! { nat->in_v[0] = $3.v; ! if ($3.f != 0 && $3.f != $5.f && $5.f != 0) yyerror("3.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 191,195 ---- map: mapit ifnames addr tlate rhsaddr proxy mapoptions ! { if ($3.f != 0 && $3.f != $5.f && $5.f != 0) yyerror("3.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 217,221 **** if (nat->in_v[1] == 0 && $5.v != 0) nat->in_v[1] = $5.v; - nat->in_v[0] = $3.v; if (nat->in_v[0] == 0 && $5.v != 0) nat->in_v[0] = $5.v; --- 216,219 ---- *************** *** 235,239 **** } | no mapit ifnames addr setproto ';' ! { nat->in_v[0] = $4.v; nat->in_osrcatype = $4.t; bcopy(&$4.a, &nat->in_osrc.na_addr[0], --- 233,238 ---- } | no mapit ifnames addr setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = $4.v; nat->in_osrcatype = $4.t; bcopy(&$4.a, &nat->in_osrc.na_addr[0], *************** *** 245,250 **** } | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions ! { nat->in_v[0] = ftov($3); ! if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("5.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 244,248 ---- } | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions ! 
{ if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("5.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 266,271 **** } | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions ! { nat->in_v[0] = ftov($3); ! if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("6.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 264,268 ---- } | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions ! { if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("6.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 286,291 **** mapblock: mapblockit ifnames addr tlate addr ports mapoptions ! { nat->in_v[0] = $3.v; ! if ($3.f != 0 && $5.f != 0 && $3.f != $5.f) yyerror("7.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 283,287 ---- mapblock: mapblockit ifnames addr tlate addr ports mapoptions ! { if ($3.f != 0 && $5.f != 0 && $3.f != $5.f) yyerror("7.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 308,312 **** } | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';' ! { nat->in_v[0] = $5.v; nat->in_osrcatype = $5.t; bcopy(&$5.a, &nat->in_osrc.na_addr[0], --- 304,311 ---- } | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = $5.v; ! if (nat->in_v[1] == 0) ! nat->in_v[1] = $5.v; nat->in_osrcatype = $5.t; bcopy(&$5.a, &nat->in_osrc.na_addr[0], *************** *** 322,329 **** { if ($6 != 0 && $3.f != 0 && $6 != $3.f) yyerror("21.address family mismatch"); ! if ($3.v != AF_UNSPEC) ! nat->in_v[0] = ftov($3.f); ! else ! nat->in_v[0] = ftov($6); nat->in_odstatype = $3.t; bcopy(&$3.a, &nat->in_odst.na_addr[0], --- 321,330 ---- { if ($6 != 0 && $3.f != 0 && $6 != $3.f) yyerror("21.address family mismatch"); ! if (nat->in_v[0] == 0) { ! if ($3.v != AF_UNSPEC) ! nat->in_v[0] = ftov($3.f); ! else ! nat->in_v[0] = ftov($6); ! 
} nat->in_odstatype = $3.t; bcopy(&$3.a, &nat->in_odst.na_addr[0], *************** *** 335,339 **** } | no rdrit ifnames addr dport setproto ';' ! { nat->in_v[0] = ftov($4.f); nat->in_odstatype = $4.t; bcopy(&$4.a, &nat->in_odst.na_addr[0], --- 336,341 ---- } | no rdrit ifnames addr dport setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4.f); nat->in_odstatype = $4.t; bcopy(&$4.a, &nat->in_odst.na_addr[0], *************** *** 347,354 **** { if ($5 != 0 && $3 != 0 && $5 != $3) yyerror("20.address family mismatch"); ! if ($3 != AF_UNSPEC) ! nat->in_v[0] = ftov($3); ! else ! nat->in_v[0] = ftov($5); setrdrifnames(); } --- 349,358 ---- { if ($5 != 0 && $3 != 0 && $5 != $3) yyerror("20.address family mismatch"); ! if (nat->in_v[0] == 0) { ! if ($3 != AF_UNSPEC) ! nat->in_v[0] = ftov($3); ! else ! nat->in_v[0] = ftov($5); ! } setrdrifnames(); } *************** *** 362,366 **** rewrite: IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) setmapifnames(); --- 366,371 ---- rewrite: IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) setmapifnames(); *************** *** 372,376 **** divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); --- 377,382 ---- divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); *************** *** 385,389 **** encap: IPNY_ENCAP oninout rwrproto mapfrom tlate encapdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); --- 391,396 ---- encap: IPNY_ENCAP oninout rwrproto mapfrom tlate encapdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); *************** *** 422,426 **** oninout: ! 
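Review bot: In the hunk at old line 322, the rewritten block still tests `$3.v != AF_UNSPEC`, comparing the IP-version field against an address-family constant, and then converts the family with `ftov($3.f)`. This gives the intended result only because both "unset" values are zero. The sibling hunk at old line 347 tests the family itself (`$3 != AF_UNSPEC`), so the consistent form here is `if ($3.f != AF_UNSPEC)`. The grammar action continues outside the hunk.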
inout IPNY_ON ifnames { nat->in_v[0] = 4; } ; --- 429,433 ---- oninout: ! inout IPNY_ON ifnames { ; } ; *************** *** 945,948 **** --- 952,957 ---- { bzero(&$$, sizeof($$)); $$.a = $1.a; + $$.f = $1.f; + $$.v = ftov($1.f); $$.t = FRI_NORMAL; ntomask($$.f, $3, (u_32_t *)&$$.m); *************** *** 951,956 **** $$.a.i6[2] &= $$.m.i6[2]; $$.a.i6[3] &= $$.m.i6[3]; - $$.f = $1.f; - $$.v = ftov($1.f); yyexpectaddr = 0; } --- 960,963 ---- *************** *** 978,981 **** --- 985,990 ---- $$.f = $1.f; $$.v = ftov($1.f); + if ($$.f == AF_INET6) + yyerror("incorrect inet6 mask"); } | hostname mask ipaddr { bzero(&$$, sizeof($$)); *************** *** 1509,1513 **** sprintf(msg, "%d:ioctl(zero nat rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 1518,1522 ---- sprintf(msg, "%d:ioctl(zero nat rule)", ! ipn->in_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 1529,1533 **** sprintf(msg, "%d:ioctl(delete nat rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 1538,1542 ---- sprintf(msg, "%d:ioctl(delete nat rule)", ! ipn->in_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 1539,1543 **** sprintf(msg, "%d:ioctl(add/insert nat rule)", ! yylineNum); if (errno == EEXIST) { sprintf(msg + strlen(msg), "(line %d)", --- 1548,1552 ---- sprintf(msg, "%d:ioctl(add/insert nat rule)", ! ipn->in_flineno); if (errno == EEXIST) { sprintf(msg + strlen(msg), "(line %d)", |
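Review bot: The `sprintf(msg, ...)` calls touched in the hunks at old lines 1509, 1529 and 1539 write into `msg` with no length bound, and the EEXIST branch appends at `msg + strlen(msg)` in the same way. The declaration of `msg` and the rest of the function are outside these hunks, so its size cannot be checked from here. If it is a fixed array, `snprintf(msg, sizeof(msg), "%d:ioctl(zero nat rule)", ipn->in_flineno);` keeps each write bounded, with the append using the remaining space. The `%d` also assumes `in_flineno` is an `int`, which should be confirmed against its declaration. The trunk copy of this change (revision 1.31) has the same calls.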
From: Darren <dar...@us...> - 2012-07-13 06:46:48
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv13513/tools Modified Files: ipnat_y.y Log Message: 3543404 ipnat.conf parsing uses family/ip version badly 3543403 incorrect line number printed in ipnat parsing errors Index: ipnat_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat_y.y,v retrieving revision 1.30 retrieving revision 1.31 diff -C2 -d -r1.30 -r1.31 *** ipnat_y.y 9 Jul 2012 15:57:06 -0000 1.30 --- ipnat_y.y 13 Jul 2012 06:46:45 -0000 1.31 *************** *** 191,196 **** map: mapit ifnames addr tlate rhsaddr proxy mapoptions ! { nat->in_v[0] = $3.v; ! if ($3.f != 0 && $3.f != $5.f && $5.f != 0) yyerror("3.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 191,195 ---- map: mapit ifnames addr tlate rhsaddr proxy mapoptions ! { if ($3.f != 0 && $3.f != $5.f && $5.f != 0) yyerror("3.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 217,221 **** if (nat->in_v[1] == 0 && $5.v != 0) nat->in_v[1] = $5.v; - nat->in_v[0] = $3.v; if (nat->in_v[0] == 0 && $5.v != 0) nat->in_v[0] = $5.v; --- 216,219 ---- *************** *** 235,239 **** } | no mapit ifnames addr setproto ';' ! { nat->in_v[0] = $4.v; nat->in_osrcatype = $4.t; bcopy(&$4.a, &nat->in_osrc.na_addr[0], --- 233,238 ---- } | no mapit ifnames addr setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = $4.v; nat->in_osrcatype = $4.t; bcopy(&$4.a, &nat->in_osrc.na_addr[0], *************** *** 245,250 **** } | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions ! { nat->in_v[0] = ftov($3); ! if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("5.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 244,248 ---- } | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions ! 
{ if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("5.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 266,271 **** } | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions ! { nat->in_v[0] = ftov($3); ! if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("6.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 264,268 ---- } | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions ! { if ($3 != 0 && $5.f != 0 && $3 != $5.f) yyerror("6.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 286,291 **** mapblock: mapblockit ifnames addr tlate addr ports mapoptions ! { nat->in_v[0] = $3.v; ! if ($3.f != 0 && $5.f != 0 && $3.f != $5.f) yyerror("7.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) --- 283,287 ---- mapblock: mapblockit ifnames addr tlate addr ports mapoptions ! { if ($3.f != 0 && $5.f != 0 && $3.f != $5.f) yyerror("7.address family mismatch"); if (nat->in_v[0] == 0 && $5.v != 0) *************** *** 308,312 **** } | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';' ! { nat->in_v[0] = $5.v; nat->in_osrcatype = $5.t; bcopy(&$5.a, &nat->in_osrc.na_addr[0], --- 304,311 ---- } | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = $5.v; ! if (nat->in_v[1] == 0) ! nat->in_v[1] = $5.v; nat->in_osrcatype = $5.t; bcopy(&$5.a, &nat->in_osrc.na_addr[0], *************** *** 322,329 **** { if ($6 != 0 && $3.f != 0 && $6 != $3.f) yyerror("21.address family mismatch"); ! if ($3.v != AF_UNSPEC) ! nat->in_v[0] = ftov($3.f); ! else ! nat->in_v[0] = ftov($6); nat->in_odstatype = $3.t; bcopy(&$3.a, &nat->in_odst.na_addr[0], --- 321,330 ---- { if ($6 != 0 && $3.f != 0 && $6 != $3.f) yyerror("21.address family mismatch"); ! if (nat->in_v[0] == 0) { ! if ($3.v != AF_UNSPEC) ! nat->in_v[0] = ftov($3.f); ! else ! nat->in_v[0] = ftov($6); ! 
} nat->in_odstatype = $3.t; bcopy(&$3.a, &nat->in_odst.na_addr[0], *************** *** 335,339 **** } | no rdrit ifnames addr dport setproto ';' ! { nat->in_v[0] = ftov($4.f); nat->in_odstatype = $4.t; bcopy(&$4.a, &nat->in_odst.na_addr[0], --- 336,341 ---- } | no rdrit ifnames addr dport setproto ';' ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4.f); nat->in_odstatype = $4.t; bcopy(&$4.a, &nat->in_odst.na_addr[0], *************** *** 347,354 **** { if ($5 != 0 && $3 != 0 && $5 != $3) yyerror("20.address family mismatch"); ! if ($3 != AF_UNSPEC) ! nat->in_v[0] = ftov($3); ! else ! nat->in_v[0] = ftov($5); setrdrifnames(); } --- 349,358 ---- { if ($5 != 0 && $3 != 0 && $5 != $3) yyerror("20.address family mismatch"); ! if (nat->in_v[0] == 0) { ! if ($3 != AF_UNSPEC) ! nat->in_v[0] = ftov($3); ! else ! nat->in_v[0] = ftov($5); ! } setrdrifnames(); } *************** *** 362,366 **** rewrite: IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) setmapifnames(); --- 366,371 ---- rewrite: IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) setmapifnames(); *************** *** 372,376 **** divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); --- 377,382 ---- divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); *************** *** 385,389 **** encap: IPNY_ENCAP oninout rwrproto mapfrom tlate encapdst newopts ! { nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); --- 391,396 ---- encap: IPNY_ENCAP oninout rwrproto mapfrom tlate encapdst newopts ! { if (nat->in_v[0] == 0) ! nat->in_v[0] = ftov($4); if (nat->in_redir & NAT_MAP) { setmapifnames(); *************** *** 422,426 **** oninout: ! 
inout IPNY_ON ifnames { nat->in_v[0] = 4; } ; --- 429,433 ---- oninout: ! inout IPNY_ON ifnames { ; } ; *************** *** 945,948 **** --- 952,957 ---- { bzero(&$$, sizeof($$)); $$.a = $1.a; + $$.f = $1.f; + $$.v = ftov($1.f); $$.t = FRI_NORMAL; ntomask($$.f, $3, (u_32_t *)&$$.m); *************** *** 951,956 **** $$.a.i6[2] &= $$.m.i6[2]; $$.a.i6[3] &= $$.m.i6[3]; - $$.f = $1.f; - $$.v = ftov($1.f); yyexpectaddr = 0; } --- 960,963 ---- *************** *** 978,981 **** --- 985,990 ---- $$.f = $1.f; $$.v = ftov($1.f); + if ($$.f == AF_INET6) + yyerror("incorrect inet6 mask"); } | hostname mask ipaddr { bzero(&$$, sizeof($$)); *************** *** 1509,1513 **** sprintf(msg, "%d:ioctl(zero nat rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 1518,1522 ---- sprintf(msg, "%d:ioctl(zero nat rule)", ! ipn->in_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 1529,1533 **** sprintf(msg, "%d:ioctl(delete nat rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 1538,1542 ---- sprintf(msg, "%d:ioctl(delete nat rule)", ! ipn->in_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 1539,1543 **** sprintf(msg, "%d:ioctl(add/insert nat rule)", ! yylineNum); if (errno == EEXIST) { sprintf(msg + strlen(msg), "(line %d)", --- 1548,1552 ---- sprintf(msg, "%d:ioctl(add/insert nat rule)", ! ipn->in_flineno); if (errno == EEXIST) { sprintf(msg + strlen(msg), "(line %d)", |
From: Darren <dar...@us...> - 2012-07-13 06:41:38
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv13387/tools Modified Files: Tag: v5-1-RELEASE ipnat.c Log Message: 3543402 Not all NAT statistics are printed Index: ipnat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat.c,v retrieving revision 1.10.2.9 retrieving revision 1.10.2.10 diff -C2 -d -r1.10.2.9 -r1.10.2.10 *** ipnat.c 19 Jun 2012 07:56:34 -0000 1.10.2.9 --- ipnat.c 13 Jul 2012 06:41:36 -0000 1.10.2.10 *************** *** 497,504 **** printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); printf("%lu\texpired\n", nsp->ns_expire); printf("%u\twilds\n", nsp->ns_wilds); if (opts & OPT_VERBOSE) --- 497,522 ---- printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n%", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); + printf("%lu\tactive\n", nsp->ns_active); + printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); + printf("%lu\tdivert build\n", nsp->ns_divert_build); printf("%lu\texpired\n", nsp->ns_expire); + printf("%lu\tflush all\n", nsp->ns_flush_all); + printf("%lu\tflush closing\n", nsp->ns_flush_closing); + printf("%lu\tflush queue\n", nsp->ns_flush_queue); + printf("%lu\tflush state\n", nsp->ns_flush_state); + printf("%lu\tflush timeout\n", nsp->ns_flush_timeout); + printf("%lu\thostmap new\n", nsp->ns_hm_new); + printf("%lu\thostmap fails\n", nsp->ns_hm_newfail); + printf("%lu\thostmap add\n", nsp->ns_hm_addref); + printf("%lu\thostmap NULL rule\n", nsp->ns_hm_nullnp); + printf("%lu\tlog ok\n", nsp->ns_log_ok); + printf("%lu\tlog fail\n", nsp->ns_log_fail); + printf("%u\torphan count\n", nsp->ns_orphans); + printf("%u\trule count\n", nsp->ns_rules); + printf("%u\tmap rules\n", nsp->ns_rules_map); + 
printf("%u\trdr rules\n", nsp->ns_rules_rdr); printf("%u\twilds\n", nsp->ns_wilds); if (opts & OPT_VERBOSE) |
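Review bot: The rewritten format string `"%lu\tadded in\n%lu\tadded out\n%"` now ends in a lone `%`, which is an incomplete conversion specification and undefined behaviour in printf. It should stay `"%lu\tadded in\n%lu\tadded out\n"`. The added counters are printed with `%lu` and `%u` without casts, and their field types are declared outside this hunk, so confirm each matches its specifier or cast the argument, e.g. `(unsigned long)nsp->ns_active`. The trunk copy of this change (revision 1.21) carries the same stray `%`.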
From: Darren <dar...@us...> - 2012-07-13 06:41:30
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv13376/tools Modified Files: ipnat.c Log Message: 3543402 Not all NAT statistics are printed Index: ipnat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat.c,v retrieving revision 1.20 retrieving revision 1.21 diff -C2 -d -r1.20 -r1.21 *** ipnat.c 19 Jun 2012 07:50:49 -0000 1.20 --- ipnat.c 13 Jul 2012 06:41:28 -0000 1.21 *************** *** 508,515 **** printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); printf("%lu\texpired\n", nsp->ns_expire); printf("%u\twilds\n", nsp->ns_wilds); if (opts & OPT_VERBOSE) --- 508,533 ---- printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log); printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log); ! printf("%lu\tadded in\n%lu\tadded out\n%", nsp->ns_side[0].ns_added, nsp->ns_side[1].ns_added); + printf("%lu\tactive\n", nsp->ns_active); + printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt); + printf("%lu\tdivert build\n", nsp->ns_divert_build); printf("%lu\texpired\n", nsp->ns_expire); + printf("%lu\tflush all\n", nsp->ns_flush_all); + printf("%lu\tflush closing\n", nsp->ns_flush_closing); + printf("%lu\tflush queue\n", nsp->ns_flush_queue); + printf("%lu\tflush state\n", nsp->ns_flush_state); + printf("%lu\tflush timeout\n", nsp->ns_flush_timeout); + printf("%lu\thostmap new\n", nsp->ns_hm_new); + printf("%lu\thostmap fails\n", nsp->ns_hm_newfail); + printf("%lu\thostmap add\n", nsp->ns_hm_addref); + printf("%lu\thostmap NULL rule\n", nsp->ns_hm_nullnp); + printf("%lu\tlog ok\n", nsp->ns_log_ok); + printf("%lu\tlog fail\n", nsp->ns_log_fail); + printf("%u\torphan count\n", nsp->ns_orphans); + printf("%u\trule count\n", nsp->ns_rules); + printf("%u\tmap rules\n", nsp->ns_rules_map); + printf("%u\trdr rules\n", nsp->ns_rules_rdr); 
printf("%u\twilds\n", nsp->ns_wilds); if (opts & OPT_VERBOSE) |
From: Darren <dar...@us...> - 2012-07-13 06:39:05
|
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv12287 Modified Files: Tag: v5-1-RELEASE fil.c ip_ipsec_pxy.c ip_nat.c ip_nat.h ip_nat6.c ip_pool.c ip_pptp_pxy.c ip_proxy.c ip_proxy.h ip_rcmd_pxy.c ip_rpcb_pxy.c ip_tftp_pxy.c Log Message: 3542979 NAT session list management is too simple 3542978 ipv4 and ipv6 nat insert have common hash insertion 3542977 ipnat_t refence tracking incomplete 3542975 proxies must use ipnat_t separately Index: ip_proxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_proxy.c,v retrieving revision 1.16.2.14 retrieving revision 1.16.2.15 diff -C2 -d -r1.16.2.14 -r1.16.2.15 *** ip_proxy.c 19 Jun 2012 07:58:30 -0000 1.16.2.14 --- ip_proxy.c 13 Jul 2012 06:39:03 -0000 1.16.2.15 *************** *** 143,147 **** ipf_p_tftp_soft_create, ipf_p_tftp_soft_destroy, NULL, NULL, ! ipf_p_tftp_new, ipf_p_tftp_del, ipf_p_tftp_in, ipf_p_tftp_out, NULL, NULL, NULL, NULL, NULL }, #endif --- 143,148 ---- ipf_p_tftp_soft_create, ipf_p_tftp_soft_destroy, NULL, NULL, ! ipf_p_tftp_new, ipf_p_tftp_del, ! ipf_p_tftp_in, ipf_p_tftp_out, NULL, NULL, NULL, NULL, NULL }, #endif *************** *** 1099,1103 **** /* ------------------------------------------------------------------------ */ ! /* Function: aps_free */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ --- 1100,1104 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_proxy_free */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ *************** *** 1109,1113 **** /* ------------------------------------------------------------------------ */ void ! aps_free(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; --- 1110,1114 ---- /* ------------------------------------------------------------------------ */ void ! 
ipf_proxy_free(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; Index: ip_ipsec_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_ipsec_pxy.c,v retrieving revision 1.14.2.4 retrieving revision 1.14.2.5 diff -C2 -d -r1.14.2.4 -r1.14.2.5 *** ip_ipsec_pxy.c 26 Jan 2012 05:44:25 -0000 1.14.2.4 --- ip_ipsec_pxy.c 13 Jul 2012 06:39:03 -0000 1.14.2.5 *************** *** 13,16 **** --- 13,29 ---- + /* + * IPSec proxy + */ + typedef struct ipf_ipsec_softc_s { + frentry_t ipsec_fr; + int ipsec_proxy_init; + int ipsec_proxy_ttl; + ipftq_t *ipsec_nat_tqe; + ipftq_t *ipsec_state_tqe; + char ipsec_buffer[1500]; + } ipf_ipsec_softc_t; + + void *ipf_p_ipsec_soft_create __P((ipf_main_softc_t *)); void ipf_p_ipsec_soft_destroy __P((ipf_main_softc_t *, void *)); *************** *** 24,36 **** int ipf_p_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *)); - typedef struct ipf_ipsec_softc_s { - frentry_t ipsec_fr; - int ipsec_proxy_init; - int ipsec_proxy_ttl; - ipftq_t *ipsec_nat_tqe; - ipftq_t *ipsec_state_tqe; - char ipsec_buffer[1500]; - } ipf_ipsec_softc_t; - /* --- 37,40 ---- *************** *** 138,148 **** ipf_nat_softc_t *softn = softc->ipf_nat_soft; #endif ipsec_pxy_t *ipsec; ipnat_t *ipn, *np; fr_info_t fi; char *ptr; ! int p, off, dlen, ttl; ! mb_t *m; ip_t *ip; off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; --- 142,153 ---- ipf_nat_softc_t *softn = softc->ipf_nat_soft; #endif + int p, off, dlen, ttl; ipsec_pxy_t *ipsec; ipnat_t *ipn, *np; fr_info_t fi; char *ptr; ! int size; ip_t *ip; + mb_t *m; off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; *************** *** 162,172 **** np = nat->nat_ptr; ! aps->aps_psiz = sizeof(*ipsec) + np->in_namelen; ! KMALLOCS(aps->aps_data, ipsec_pxy_t *, aps->aps_psiz); ! if (aps->aps_data == NULL) return -1; ! ipsec = aps->aps_data; bzero((char *)ipsec, sizeof(*ipsec)); /* --- 167,186 ---- np = nat->nat_ptr; ! size = np->in_size; ! 
KMALLOC(ipsec, ipsec_pxy_t *); ! if (ipsec == NULL) return -1; ! KMALLOCS(ipn, ipnat_t *, size); ! if (ipn == NULL) { ! KFREE(ipsec); ! return -1; ! } ! ! aps->aps_data = ipsec; ! aps->aps_psiz = sizeof(*ipsec); bzero((char *)ipsec, sizeof(*ipsec)); + bzero((char *)ipn, size); + ipsec->ipsc_rule = ipn; /* *************** *** 175,179 **** * describe ESP but UDP instead. */ ! ipn = &ipsec->ipsc_rule; ttl = IPF_TTLVAL(softi->ipsec_nat_tqe->ifq_ttl); ipn->in_tqehead[0] = ipf_nat_add_tq(softc, ttl); --- 189,193 ---- * describe ESP but UDP instead. */ ! ipn->in_size = size; ttl = IPF_TTLVAL(softi->ipsec_nat_tqe->ifq_ttl); ipn->in_tqehead[0] = ipf_nat_add_tq(softc, ttl); *************** *** 196,199 **** --- 210,214 ---- ipn->in_pr[0] = IPPROTO_ESP; ipn->in_pr[1] = IPPROTO_ESP; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "IPSec proxy NAT rule"); *************** *** 297,301 **** MUTEX_ENTER(&softn->ipf_nat_new); ! ipsec->ipsc_nat = ipf_nat_add(&fi, &ipsec->ipsc_rule, &ipsec->ipsc_nat, NAT_SLAVE|SI_WILDP, --- 312,316 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! ipsec->ipsc_nat = ipf_nat_add(&fi, ipsec->ipsc_rule, &ipsec->ipsc_nat, NAT_SLAVE|SI_WILDP, *************** *** 408,411 **** --- 423,428 ---- ipsec->ipsc_state = NULL; ipsec->ipsc_nat = NULL; + ipsec->ipsc_rule->in_flags |= IPN_DELETE; + ipf_nat_rulederef(softc, &ipsec->ipsc_rule); } } Index: ip_tftp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_tftp_pxy.c,v retrieving revision 1.1.2.5 retrieving revision 1.1.2.6 diff -C2 -d -r1.1.2.5 -r1.1.2.6 *** ip_tftp_pxy.c 19 Jun 2012 07:58:30 -0000 1.1.2.5 --- ip_tftp_pxy.c 13 Jul 2012 06:39:03 -0000 1.1.2.6 *************** *** 45,49 **** int ti_lasterror; char ti_filename[80]; ! ipnat_t ti_rule; } tftpinfo_t; --- 45,49 ---- int ti_lasterror; char ti_filename[80]; ! 
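Review bot: In ipf_p_ipsec_new (new lines 167-186) `size = np->in_size` goes straight into KMALLOCS and bzero, and the following hunks store into fixed ipnat_t fields of the new rule, so nothing visible guarantees the allocation is at least `sizeof(ipnat_t)`. `in_size` is a signed int taken from the parent rule; unless it is validated when the rule is loaded (not shown on this page), a guard such as `if (size < (int)sizeof(*ipn)) return -1;` ahead of the allocations would keep a short or negative size from becoming an out-of-bounds write. The same allocation pattern is added in ipf_p_tftp_new, ipf_p_pptp_new and ipf_p_rcmd_new. The function body continues outside the hunk, so it is also worth confirming that any later failure return releases both `ipsec` and `ipn`.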
ipnat_t *ti_rule; } tftpinfo_t; *************** *** 172,192 **** tftpinfo_t *ti; ipnat_t *ipn; KMALLOC(ti, tftpinfo_t *); if (ti == NULL) return -1; ! ! nat = nat; /* LINT */ ! fin = fin; /* LINT */ ! ! aps->aps_psiz = sizeof(*ti); aps->aps_data = ti; bzero((char *)ti, sizeof(*ti)); udp = (udphdr_t *)fin->fin_dp; aps->aps_sport = udp->uh_sport; aps->aps_dport = udp->uh_dport; ! ipn = &ti->ti_rule; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; --- 172,203 ---- tftpinfo_t *ti; ipnat_t *ipn; + ipnat_t *np; + int size; + + fin = fin; /* LINT */ + + np = nat->nat_ptr; + size = np->in_size; KMALLOC(ti, tftpinfo_t *); if (ti == NULL) return -1; ! KMALLOCS(ipn, ipnat_t *, size); ! if (ipn == NULL) { ! KFREE(ti); ! return -1; ! } aps->aps_data = ti; + aps->aps_psiz = sizeof(*ti); bzero((char *)ti, sizeof(*ti)); + bzero((char *)ipn, size); + ti->ti_rule = ipn; + udp = (udphdr_t *)fin->fin_dp; aps->aps_sport = udp->uh_sport; aps->aps_dport = udp->uh_dport; ! ipn->in_size = size; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; *************** *** 196,200 **** ipn->in_ippip = 1; ! if ((nat->nat_ptr->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); --- 207,211 ---- ipn->in_ippip = 1; ! if ((np->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); *************** *** 222,232 **** ipn->in_pr[0] = IPPROTO_UDP; ipn->in_pr[1] = IPPROTO_UDP; ! ipn->in_flags = IPN_UDP|IPN_FIXEDDPORT; MUTEX_INIT(&ipn->in_lock, "tftp proxy NAT rule"); ! ipn->in_namelen = nat->nat_ptr->in_namelen; ! bcopy(nat->nat_ptr->in_names, ipn->in_ifnames, ipn->in_namelen); ! ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ! ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; ti->ti_lastcmd = 0; --- 233,243 ---- ipn->in_pr[0] = IPPROTO_UDP; ipn->in_pr[1] = IPPROTO_UDP; ! 
ipn->in_flags = IPN_UDP|IPN_FIXEDDPORT|IPN_PROXYRULE; MUTEX_INIT(&ipn->in_lock, "tftp proxy NAT rule"); ! ipn->in_namelen = np->in_namelen; ! bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen); ! ipn->in_ifnames[0] = np->in_ifnames[0]; ! ipn->in_ifnames[1] = np->in_ifnames[1]; ti->ti_lastcmd = 0; *************** *** 245,249 **** tftp = aps->aps_data; if (tftp != NULL) { ! MUTEX_DESTROY(&tftp->ti_rule.in_lock); } } --- 256,261 ---- tftp = aps->aps_data; if (tftp != NULL) { ! tftp->ti_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &tftp->ti_rule); } } *************** *** 290,299 **** bzero((char *)&udp, sizeof(udp)); udp.uh_sport = 0; /* XXX - don't specify remote port */ ! udp.uh_dport = ti->ti_rule.in_ndport; udp.uh_ulen = htons(sizeof(udp)); udp.uh_sum = 0; fi.fin_dp = (char *)&udp; fi.fin_fr = &tftpfr; ! fi.fin_dport = ntohs(ti->ti_rule.in_ndport); fi.fin_sport = 0; fi.fin_dlen = sizeof(udp); --- 302,311 ---- bzero((char *)&udp, sizeof(udp)); udp.uh_sport = 0; /* XXX - don't specify remote port */ ! udp.uh_dport = ti->ti_rule->in_ndport; udp.uh_ulen = htons(sizeof(udp)); udp.uh_sum = 0; fi.fin_dp = (char *)&udp; fi.fin_fr = &tftpfr; ! fi.fin_dport = ntohs(ti->ti_rule->in_ndport); fi.fin_sport = 0; fi.fin_dlen = sizeof(udp); *************** *** 317,321 **** MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &ti->ti_rule, NULL, nflags, dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { --- 329,333 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! 
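Review bot: The rewritten `bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen);` in ipf_p_tftp_new (new lines 233-243) still copies the name bytes into `in_ifnames` rather than `in_names`. The two lines after it assign `in_ifnames[0]` and `in_ifnames[1]` individually, which suggests `in_ifnames` is a small fixed array of offsets and `in_names` the variable-length name storage; if so, a copy of `in_namelen` bytes can run past that array into the fields that follow it, and the names never reach the new rule. The struct definition is not part of this diff, so this needs confirming against ip_nat.h, but the destination probably wants to be `bcopy(np->in_names, ipn->in_names, ipn->in_namelen);`, which now fits because the rule is allocated with the parent's `in_size`. The same line appears in the ip_rcmd_pxy.c hunk at new lines 134-142.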
nat2 = ipf_nat_add(&fi, ti->ti_rule, NULL, nflags, dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { *************** *** 323,326 **** --- 335,349 ---- ipf_nat_update(&fi, nat2); fi.fin_ifp = NULL; + if (ti->ti_rule->in_redir == NAT_MAP) { + fi.fin_fi.fi_saddr = nat->nat_ndstaddr; + ip->ip_src = nat->nat_ndstip; + fi.fin_fi.fi_daddr = nat->nat_nsrcaddr; + ip->ip_dst = nat->nat_nsrcip; + } else { + fi.fin_fi.fi_saddr = nat->nat_odstaddr; + ip->ip_src = nat->nat_odstip; + fi.fin_fi.fi_daddr = nat->nat_osrcaddr; + ip->ip_dst = nat->nat_osrcip; + } if (ipf_state_add(softc, &fi, NULL, SI_W_SPORT) != 0) { ipf_nat_setpending(softc, nat2); Index: ip_proxy.h =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_proxy.h,v retrieving revision 1.7.2.6 retrieving revision 1.7.2.7 diff -C2 -d -r1.7.2.6 -r1.7.2.7 *** ip_proxy.h 29 May 2012 12:22:38 -0000 1.7.2.6 --- ip_proxy.h 13 Jul 2012 06:39:03 -0000 1.7.2.7 *************** *** 181,184 **** --- 181,199 ---- /* + * IPsec proxy + */ + typedef u_32_t ipsec_cookie_t[2]; + + typedef struct ipsec_pxy { + ipsec_cookie_t ipsc_icookie; + ipsec_cookie_t ipsc_rcookie; + int ipsc_rckset; + nat_t *ipsc_nat; + struct ipstate *ipsc_state; + ipnat_t *ipsc_rule; + } ipsec_pxy_t; + + + /* * For the irc proxy. */ *************** *** 196,208 **** /* - * For the rcmd proxy. rcmd_rule must be last for names in ipnat_t - */ - typedef struct rcmdinfo { - u_32_t rcmd_port; /* Port number seen */ - u_32_t rcmd_portseq; /* Sequence number where port is first seen */ - ipnat_t rcmd_rule; /* Template rule for back connection */ - } rcmdinfo_t; - - /* * For the DNS "proxy" */ --- 211,214 ---- *************** *** 259,299 **** /* - * IPSec proxy. 
ipsc_rule must be last for names in ipnat_t - */ - typedef u_32_t ipsec_cookie_t[2]; - - typedef struct ipsec_pxy { - ipsec_cookie_t ipsc_icookie; - ipsec_cookie_t ipsc_rcookie; - int ipsc_rckset; - nat_t *ipsc_nat; - struct ipstate *ipsc_state; - ipnat_t ipsc_rule; - } ipsec_pxy_t; - - /* - * PPTP proxy. pptp_rule must be last for names in ipnat_t - */ - typedef struct pptp_side { - u_32_t pptps_nexthdr; - u_32_t pptps_next; - int pptps_state; - int pptps_gothdr; - int pptps_len; - int pptps_bytes; - char *pptps_wptr; - char pptps_buffer[512]; - } pptp_side_t; - - typedef struct pptp_pxy { - nat_t *pptp_nat; - struct ipstate *pptp_state; - u_short pptp_call[2]; - pptp_side_t pptp_side[2]; - ipnat_t pptp_rule; - } pptp_pxy_t; - - - /* * Sun RPCBIND proxy */ --- 265,268 ---- *************** *** 479,483 **** extern int ipf_proxy_new __P((fr_info_t *, struct nat *)); extern int ipf_proxy_ok __P((fr_info_t *, tcphdr_t *, struct ipnat *)); ! extern void aps_free __P((ipf_main_softc_t *, ap_session_t *)); extern int ipf_proxy_main_load __P((void)); extern int ipf_proxy_main_unload __P((void)); --- 448,452 ---- extern int ipf_proxy_new __P((fr_info_t *, struct nat *)); extern int ipf_proxy_ok __P((fr_info_t *, tcphdr_t *, struct ipnat *)); ! extern void ipf_proxy_free __P((ipf_main_softc_t *, ap_session_t *)); extern int ipf_proxy_main_load __P((void)); extern int ipf_proxy_main_unload __P((void)); Index: fil.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/fil.c,v retrieving revision 1.68.2.54 retrieving revision 1.68.2.55 diff -C2 -d -r1.68.2.54 -r1.68.2.55 *** fil.c 13 Jul 2012 06:18:12 -0000 1.68.2.54 --- fil.c 13 Jul 2012 06:39:03 -0000 1.68.2.55 *************** *** 7733,7737 **** case IPFGENITER_HOSTMAP : WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel((hostmap_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; --- 7733,7737 ---- case IPFGENITER_HOSTMAP : WRITE_ENTER(&softc->ipf_nat); ! 
ipf_nat_hostmapdel(softc, (hostmap_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; Index: ip_pptp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_pptp_pxy.c,v retrieving revision 1.13.2.4 retrieving revision 1.13.2.5 diff -C2 -d -r1.13.2.4 -r1.13.2.5 *** ip_pptp_pxy.c 26 Jan 2012 05:44:25 -0000 1.13.2.4 --- ip_pptp_pxy.c 13 Jul 2012 06:39:03 -0000 1.13.2.5 *************** *** 10,17 **** #define IPF_PPTP_PROXY typedef struct pptp_hdr { ! u_short pptph_len; ! u_short pptph_type; ! u_32_t pptph_cookie; } pptp_hdr_t; --- 10,41 ---- #define IPF_PPTP_PROXY + + + /* + * PPTP proxy + */ + typedef struct pptp_side { + u_32_t pptps_nexthdr; + u_32_t pptps_next; + int pptps_state; + int pptps_gothdr; + int pptps_len; + int pptps_bytes; + char *pptps_wptr; + char pptps_buffer[512]; + } pptp_side_t; + + typedef struct pptp_pxy { + nat_t *pptp_nat; + struct ipstate *pptp_state; + u_short pptp_call[2]; + pptp_side_t pptp_side[2]; + ipnat_t *pptp_rule; + } pptp_pxy_t; + typedef struct pptp_hdr { ! u_short pptph_len; ! u_short pptph_type; ! u_32_t pptph_cookie; } pptp_hdr_t; *************** *** 91,98 **** { pptp_pxy_t *pptp; ! ipnat_t *ipn, *np; ip_t *ip; ip = fin->fin_ip; if (ipf_nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_osrcip, --- 115,126 ---- { pptp_pxy_t *pptp; ! ipnat_t *ipn; ! ipnat_t *np; ! int size; ip_t *ip; ip = fin->fin_ip; + np = nat->nat_ptr; + size = np->in_size; if (ipf_nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_osrcip, *************** *** 102,114 **** return -1; } - np = nat->nat_ptr; ! aps->aps_psiz = sizeof(*pptp) + np->in_namelen; ! KMALLOCS(aps->aps_data, pptp_pxy_t *, aps->aps_psiz); ! if (aps->aps_data == NULL) { if (ipf_p_pptp_debug > 0) printf("ipf_p_pptp_new: malloc for aps_data failed\n"); return -1; } /* --- 130,151 ---- return -1; } ! KMALLOC(pptp, pptp_pxy_t *); ! 
if (pptp == NULL) { if (ipf_p_pptp_debug > 0) printf("ipf_p_pptp_new: malloc for aps_data failed\n"); return -1; } + KMALLOCS(ipn, ipnat_t *, size); + if (ipn == NULL) { + KFREE(pptp); + return -1; + } + + aps->aps_data = pptp; + aps->aps_psiz = sizeof(*pptp); + bzero((char *)pptp, sizeof(*pptp)); + bzero((char *)ipn, size); + pptp->pptp_rule = ipn; /* *************** *** 117,123 **** * describe GRE but TCP instead. */ ! pptp = aps->aps_data; ! bzero((char *)pptp, sizeof(*pptp)); ! ipn = &pptp->pptp_rule; ipn->in_ifps[0] = fin->fin_ifp; ipn->in_apr = NULL; --- 154,158 ---- * describe GRE but TCP instead. */ ! ipn->in_size = size; ipn->in_ifps[0] = fin->fin_ifp; ipn->in_apr = NULL; *************** *** 136,139 **** --- 171,175 ---- ipn->in_odstmsk = 0xffffffff; ipn->in_ndstmsk = 0xffffffff; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "pptp proxy NAT rule"); *************** *** 204,211 **** MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &pptp->pptp_rule, &pptp->pptp_nat, NAT_SLAVE, nat->nat_dir); MUTEX_EXIT(&softn->ipf_nat_new); - pptp->pptp_nat = nat2; if (nat2 != NULL) { (void) ipf_nat_proto(&fi, nat2, 0); --- 240,246 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, pptp->pptp_rule, &pptp->pptp_nat, NAT_SLAVE, nat->nat_dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { (void) ipf_nat_proto(&fi, nat2, 0); *************** *** 537,541 **** if (pptp->pptp_nat != NULL) ipf_nat_setpending(softc, pptp->pptp_nat); ! MUTEX_DESTROY(&pptp->pptp_rule.in_lock); } } --- 572,577 ---- if (pptp->pptp_nat != NULL) ipf_nat_setpending(softc, pptp->pptp_nat); ! pptp->pptp_rule->in_flags |= IPN_DELETE; ! 
ipf_nat_rulederef(softc, &pptp->pptp_rule); } } Index: ip_pool.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_pool.c,v retrieving revision 1.21.2.18 retrieving revision 1.21.2.19 diff -C2 -d -r1.21.2.18 -r1.21.2.19 *** ip_pool.c 6 Jul 2012 14:35:36 -0000 1.21.2.18 --- ip_pool.c 13 Jul 2012 06:39:03 -0000 1.21.2.19 *************** *** 418,422 **** #endif if (node.ipn_mask.adf_len != node.ipn_addr.adf_len) { - printf("%d != %d\n",node.ipn_mask.adf_len, node.ipn_addr.adf_len); IPFERROR(70029); return EINVAL; --- 418,421 ---- Index: ip_nat6.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat6.c,v retrieving revision 1.22.2.17 retrieving revision 1.22.2.18 diff -C2 -d -r1.22.2.17 -r1.22.2.18 *** ip_nat6.c 13 Jul 2012 06:15:08 -0000 1.22.2.17 --- ip_nat6.c 13 Jul 2012 06:39:03 -0000 1.22.2.18 *************** *** 135,138 **** --- 135,139 ---- #define NINCLSIDE6(y,x) ATOMIC_INCL(softn->ipf_nat_stats.ns_side6[y].x) + #define NBUMPSIDE(y,x) softn->ipf_nat_stats.ns_side[y].x++ #define NBUMPSIDE6(y,x) softn->ipf_nat_stats.ns_side6[y].x++ #define NBUMPSIDE6D(y,x) \ *************** *** 250,253 **** --- 251,255 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } *************** *** 292,295 **** --- 294,298 ---- n->in_pmnext = np; n->in_hv[1] = hv; + n->in_use++; *np = n; } *************** *** 326,329 **** --- 329,333 ---- n->in_rnext->in_prnext = n->in_prnext; *n->in_prnext = n->in_rnext; + n->in_use--; } *************** *** 356,359 **** --- 360,364 ---- n->in_mnext->in_pmnext = n->in_pmnext; *n->in_pmnext = n->in_mnext; + n->in_use--; } *************** *** 409,412 **** --- 414,418 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } else if (n->in_redir & NAT_REDIRECT) { *************** *** 419,422 **** --- 425,429 ---- n->in_pmnext = np; n->in_hv[1] = hv; + n->in_use++; *np = n; } *************** *** 491,494 **** --- 498,502 
---- softn->ipf_hm_maptable[hv] = hm; hm->hm_ipnat = np; + np->in_use++; hm->hm_osrcip6 = *src; hm->hm_odstip6 = *dst; *************** *** 576,580 **** in = hm->hm_nsrcip6; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(&hm); } --- 584,588 ---- in = hm->hm_nsrcip6; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(softc, &hm); } *************** *** 1193,1197 **** NBUMPSIDE6(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(&hm); KFREE(nat); nat = NULL; --- 1201,1205 ---- NBUMPSIDE6(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(softc, &hm); KFREE(nat); nat = NULL; *************** *** 1321,1329 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: nat(I) - pointer to NAT structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ --- 1329,1338 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* nat(I) - pointer to NAT structure */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ *************** *** 1338,1342 **** u_int hv1, hv2; u_32_t sp, dp; - nat_t **natp; ipnat_t *in; --- 1347,1350 ---- *************** *** 1357,1361 **** } hv1 = NAT_HASH_FN6(&nat->nat_osrc6, sp, 0xffffffff); ! hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp, softn->ipf_nat_table_sz); /* --- 1365,1370 ---- } hv1 = NAT_HASH_FN6(&nat->nat_osrc6, sp, 0xffffffff); ! hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp, ! 
softn->ipf_nat_table_sz); /* *************** *** 1375,1379 **** } hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, sp, 0xffffffff); ! hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + dp, softn->ipf_nat_table_sz); /* * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr, --- 1384,1389 ---- } hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, sp, 0xffffffff); ! hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + dp, ! softn->ipf_nat_table_sz); /* * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr, *************** *** 1392,1414 **** } - if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1] >= - softn->ipf_nat_maxbucket) { - NBUMPSIDE6D(0, ns_bucket_max); - return -1; - } - - if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2] >= - softn->ipf_nat_maxbucket) { - NBUMPSIDE6D(1, ns_bucket_max); - return -1; - } - if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || - nat->nat_dir == NAT_DIVERTIN) { - u_int swap; - - swap = hv2; - hv2 = hv1; - hv1 = swap; - } nat->nat_hv[0] = hv1; nat->nat_hv[1] = hv2; --- 1402,1405 ---- *************** *** 1417,1425 **** in = nat->nat_ptr; ! nat->nat_ref = 1; ! nat->nat_bytes[0] = 0; ! nat->nat_pkts[0] = 0; ! nat->nat_bytes[1] = 0; ! nat->nat_pkts[1] = 0; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; --- 1408,1412 ---- in = nat->nat_ptr; ! nat->nat_ref = nat->nat_me ? 2 : 1; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; *************** *** 1449,1483 **** } ! nat->nat_next = softn->ipf_nat_instances; ! nat->nat_pnext = &softn->ipf_nat_instances; ! if (softn->ipf_nat_instances) ! softn->ipf_nat_instances->nat_pnext = &nat->nat_next; ! softn->ipf_nat_instances = nat; ! ! natp = &softn->ipf_nat_table[0][hv1]; ! if (*natp) ! (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; ! else ! NBUMPSIDE6(0, ns_inuse); ! nat->nat_phnext[0] = natp; ! nat->nat_hnext[0] = *natp; ! *natp = nat; ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1]++; ! ! natp = &softn->ipf_nat_table[1][hv2]; ! if (*natp) ! (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; ! else ! NBUMPSIDE6(1, ns_inuse); ! 
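Review bot: The block removed at old lines 1392-1414 was the only place in ipf_nat6_insert that refused an insert once `ns_bucketlen[hv]` reached `ipf_nat_maxbucket`, and it also swapped hv1/hv2 for inbound directions; the new code leaves both to `ipf_nat_hashtab_add`, whose body is not in this diff. That per-bucket cap is what bounds hash-chain length when many sessions collide, so it is worth confirming that the shared helper applies it on both sides before linking the entry and still counts the rejection as the old `NBUMPSIDE6D(0, ns_bucket_max)` did. A short comment above the final `return ipf_nat_hashtab_add(softc, softn, nat);` would help the next reader, for example `/* bucket-length limit and inbound hash swap are handled in ipf_nat_hashtab_add() */`.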
nat->nat_phnext[1] = natp; ! nat->nat_hnext[1] = *natp; ! *natp = nat; ! softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2]++; ! ! ipf_nat_setqueue(softc, softn, nat); ! ! softn->ipf_nat_stats.ns_side[1].ns_added++; ! softn->ipf_nat_stats.ns_active++; ! return 0; } --- 1436,1440 ---- } ! return ipf_nat_hashtab_add(softc, softn, nat); } Index: ip_nat.h =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.h,v retrieving revision 1.18.2.10 retrieving revision 1.18.2.11 diff -C2 -d -r1.18.2.10 -r1.18.2.11 *** ip_nat.h 9 Jul 2012 16:13:00 -0000 1.18.2.10 --- ip_nat.h 13 Jul 2012 06:39:03 -0000 1.18.2.11 *************** *** 232,236 **** u_long in_hits; int in_size; ! u_int in_use; u_int in_hv[2]; int in_flineno; /* conf. file line number */ --- 232,236 ---- u_long in_hits; int in_size; ! int in_use; u_int in_hv[2]; int in_flineno; /* conf. file line number */ *************** *** 366,369 **** --- 366,370 ---- #define IPN_SEQUENTIAL 0x400000 #define IPN_PURGE 0x800000 + #define IPN_PROXYRULE 0x1000000 #define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_SIPRANGE|IPN_SPLIT|\ IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_NO|\ *************** *** 643,646 **** --- 644,648 ---- nat_t *ipf_nat_instances; ipnat_t *ipf_nat_list; + ipnat_t **ipf_nat_list_tail; ipnat_t **ipf_nat_map_rules; ipnat_t **ipf_nat_rdr_rules; *************** *** 679,683 **** extern void ipf_nat_deref __P((ipf_main_softc_t *, nat_t **)); extern void ipf_nat_expire __P((ipf_main_softc_t *)); ! extern void ipf_nat_hostmapdel __P((hostmap_t **)); extern int ipf_nat_hostmap_rehash __P((ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *)); --- 681,687 ---- extern void ipf_nat_deref __P((ipf_main_softc_t *, nat_t **)); extern void ipf_nat_expire __P((ipf_main_softc_t *)); ! extern int ipf_nat_hashtab_add __P((ipf_main_softc_t *, ! ipf_nat_softc_t *, nat_t *)); ! 
extern void ipf_nat_hostmapdel __P((ipf_main_softc_t *, hostmap_t **)); extern int ipf_nat_hostmap_rehash __P((ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *)); Index: ip_rcmd_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_rcmd_pxy.c,v retrieving revision 1.17.2.4 retrieving revision 1.17.2.5 diff -C2 -d -r1.17.2.4 -r1.17.2.5 *** ip_rcmd_pxy.c 26 Jan 2012 05:44:25 -0000 1.17.2.4 --- ip_rcmd_pxy.c 13 Jul 2012 06:39:03 -0000 1.17.2.5 *************** *** 12,15 **** --- 12,21 ---- #define IPF_RCMD_PROXY + typedef struct rcmdinfo { + u_32_t rcmd_port; /* Port number seen */ + u_32_t rcmd_portseq; /* Sequence number where port is first seen */ + ipnat_t *rcmd_rule; /* Template rule for back connection */ + } rcmdinfo_t; + void ipf_p_rcmd_main_load __P((void)); void ipf_p_rcmd_main_unload __P((void)); *************** *** 66,75 **** rcmdinfo_t *rc; ipnat_t *ipn; fin = fin; /* LINT */ - nat = nat; /* LINT */ ! aps->aps_psiz = sizeof(rcmdinfo_t) + nat->nat_ptr->in_namelen + 1; ! KMALLOCS(rc, rcmdinfo_t *, aps->aps_psiz); if (rc == NULL) { #ifdef IP_RCMD_PROXY_DEBUG --- 72,83 ---- rcmdinfo_t *rc; ipnat_t *ipn; + ipnat_t *np; + int size; fin = fin; /* LINT */ ! np = nat->nat_ptr; ! size = np->in_size; ! KMALLOC(rc, rcmdinfo_t *); if (rc == NULL) { #ifdef IP_RCMD_PROXY_DEBUG *************** *** 79,88 **** } aps->aps_data = rc; bzero((char *)rc, sizeof(*rc)); aps->aps_sport = tcp->th_sport; aps->aps_dport = tcp->th_dport; ! ipn = &rc->rcmd_rule; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; --- 87,106 ---- } + KMALLOCS(ipn, ipnat_t *, size); + if (ipn == NULL) { + KFREE(rc); + return -1; + } + aps->aps_data = rc; + aps->aps_psiz = sizeof(*rc); bzero((char *)rc, sizeof(*rc)); + bzero((char *)ipn, size); + rc->rcmd_rule = ipn; + aps->aps_sport = tcp->th_sport; aps->aps_dport = tcp->th_dport; ! 
ipn->in_size = size; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; *************** *** 92,96 **** ipn->in_ippip = 1; ! if ((nat->nat_ptr->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); --- 110,114 ---- ipn->in_ippip = 1; ! if ((np->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); *************** *** 116,123 **** ipn->in_pr[0] = IPPROTO_TCP; ipn->in_pr[1] = IPPROTO_TCP; MUTEX_INIT(&ipn->in_lock, "rcmd proxy NAT rule"); ! ipn->in_namelen = nat->nat_ptr->in_namelen; ! bcopy(nat->nat_ptr->in_names, ipn->in_ifnames, ipn->in_namelen); ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; --- 134,142 ---- ipn->in_pr[0] = IPPROTO_TCP; ipn->in_pr[1] = IPPROTO_TCP; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "rcmd proxy NAT rule"); ! ipn->in_namelen = np->in_namelen; ! bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen); ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; *************** *** 136,140 **** rci = aps->aps_data; if (rci != NULL) { ! MUTEX_DESTROY(&rci->rcmd_rule.in_lock); } } --- 155,160 ---- rci = aps->aps_data; if (rci != NULL) { ! rci->rcmd_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &rci->rcmd_rule); } } *************** *** 284,288 **** nflags |= NAT_SLAVE|IPN_TCP; MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &rc->rcmd_rule, NULL, nflags, direction); MUTEX_EXIT(&softn->ipf_nat_new); --- 304,308 ---- nflags |= NAT_SLAVE|IPN_TCP; MUTEX_ENTER(&softn->ipf_nat_new); ! 
nat2 = ipf_nat_add(&fi, rc->rcmd_rule, NULL, nflags, direction); MUTEX_EXIT(&softn->ipf_nat_new); Index: ip_rpcb_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_rpcb_pxy.c,v retrieving revision 1.13.2.2 retrieving revision 1.13.2.3 diff -C2 -d -r1.13.2.2 -r1.13.2.3 *** ip_rpcb_pxy.c 27 Dec 2009 07:34:34 -0000 1.13.2.2 --- ip_rpcb_pxy.c 13 Jul 2012 06:39:03 -0000 1.13.2.3 *************** *** 1259,1262 **** --- 1259,1263 ---- } + natl->nat_ptr = ipn; fi.fin_saddr = natl->nat_nsrcaddr; fi.fin_daddr = natl->nat_ndstaddr; Index: ip_nat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.c,v retrieving revision 1.60.2.37 retrieving revision 1.60.2.38 diff -C2 -d -r1.60.2.37 -r1.60.2.38 *** ip_nat.c 13 Jul 2012 06:15:08 -0000 1.60.2.37 --- ip_nat.c 13 Jul 2012 06:39:03 -0000 1.60.2.38 *************** *** 262,268 **** ipnat_t *)); static int ipf_nat_siocaddnat __P((ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, ipnat_t **, int)); static void ipf_nat_siocdelnat __P((ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, ipnat_t **, int)); static void ipf_nat_tabmove __P((ipf_nat_softc_t *, nat_t *)); --- 262,268 ---- ipnat_t *)); static int ipf_nat_siocaddnat __P((ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, int)); static void ipf_nat_siocdelnat __P((ipf_main_softc_t *, ipf_nat_softc_t *, ! 
ipnat_t *, int)); static void ipf_nat_tabmove __P((ipf_nat_softc_t *, nat_t *)); *************** *** 334,337 **** --- 334,339 ---- } + softn->ipf_nat_list_tail = &softn->ipf_nat_list; + softn->ipf_nat_table_max = NAT_TABLE_MAX; softn->ipf_nat_table_sz = NAT_TABLE_SZ; *************** *** 669,672 **** --- 671,675 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } *************** *** 710,713 **** --- 713,717 ---- n->in_pmnext = np; n->in_hv[1] = rhv; + n->in_use++; *np = n; } *************** *** 764,767 **** --- 768,772 ---- n->in_prnext = np; n->in_hv[0] = rhv; + n->in_use++; *np = n; } *************** *** 775,778 **** --- 780,784 ---- n->in_pmnext = np; n->in_hv[1] = rhv; + n->in_use++; *np = n; } *************** *** 803,806 **** --- 809,813 ---- n->in_rnext->in_prnext = n->in_prnext; *n->in_prnext = n->in_rnext; + n->in_use--; } *************** *** 827,830 **** --- 834,838 ---- n->in_mnext->in_pmnext = n->in_pmnext; *n->in_pmnext = n->in_mnext; + n->in_use--; } *************** *** 856,859 **** --- 864,872 ---- u_int hv, rhv; + if (np == NULL) { + softn->ipf_nat_stats.ns_hm_nullnp++; + return NULL; + } + hv = (src.s_addr ^ dst.s_addr); hv += src.s_addr; *************** *** 871,879 **** } - if (np == NULL) { - softn->ipf_nat_stats.ns_hm_nullnp++; - return NULL; - } - KMALLOC(hm, hostmap_t *); if (hm) { --- 884,887 ---- *************** *** 889,892 **** --- 897,901 ---- softn->ipf_hm_maptable[hv] = hm; hm->hm_ipnat = np; + np->in_use++; hm->hm_osrcip = src; hm->hm_odstip = dst; *************** *** 915,919 **** /* ------------------------------------------------------------------------ */ void ! ipf_nat_hostmapdel(hmp) struct hostmap **hmp; { --- 924,929 ---- /* ------------------------------------------------------------------------ */ void ! ipf_nat_hostmapdel(softc, hmp) ! 
ipf_main_softc_t *softc; struct hostmap **hmp; { *************** *** 925,928 **** --- 935,939 ---- hm->hm_ref--; if (hm->hm_ref == 0) { + ipf_nat_rulederef(softc, &hm->hm_ipnat); if (hm->hm_hnext) hm->hm_hnext->hm_phnext = hm->hm_phnext; *************** *** 1079,1084 **** { ipf_nat_softc_t *softn = softc->ipf_nat_soft; - ipnat_t *nat, *nt, *n = NULL, **np = NULL; int error = 0, ret, arg, getlock; ipnat_t natd; SPL_INT(s); --- 1090,1095 ---- { ipf_nat_softc_t *softn = softc->ipf_nat_soft; int error = 0, ret, arg, getlock; + ipnat_t *nat, *nt, *n = NULL; ipnat_t natd; SPL_INT(s); *************** *** 1168,1173 **** MUTEX_ENTER(&softn->ipf_nat_io); ! for (np = &softn->ipf_nat_list; ((n = *np) != NULL); ! np = &n->in_next) if (ipf_nat_cmp_rules(nat, n) == 0) break; --- 1179,1183 ---- MUTEX_ENTER(&softn->ipf_nat_io); ! for (n = softn->ipf_nat_list; n != NULL; n = n->in_next) if (ipf_nat_cmp_rules(nat, n) == 0) break; *************** *** 1244,1248 **** if (nat != nt) bcopy((char *)nat, (char *)nt, sizeof(*n)); ! error = ipf_nat_siocaddnat(softc, softn, nt, np, getlock); MUTEX_EXIT(&softn->ipf_nat_io); if (error == 0) --- 1254,1258 ---- if (nat != nt) bcopy((char *)nat, (char *)nt, sizeof(*n)); ! error = ipf_nat_siocaddnat(softc, softn, nt, getlock); MUTEX_EXIT(&softn->ipf_nat_io); if (error == 0) *************** *** 1274,1278 **** n->in_flags |= IPN_PURGE; } ! ipf_nat_siocdelnat(softc, softn, n, np, getlock); MUTEX_EXIT(&softn->ipf_nat_io); --- 1284,1288 ---- n->in_flags |= IPN_PURGE; } ! ipf_nat_siocdelnat(softc, softn, n, getlock); MUTEX_EXIT(&softn->ipf_nat_io); *************** *** 1507,1514 **** /* ------------------------------------------------------------------------ */ static int ! ipf_nat_siocaddnat(softc, softn, n, np, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n, **np; int getlock; { --- 1517,1524 ---- /* ------------------------------------------------------------------------ */ static int ! 
ipf_nat_siocaddnat(softc, softn, n, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n; int getlock; { *************** *** 1548,1552 **** } n->in_next = NULL; ! *np = n; if (n->in_redir & NAT_REDIRECT) { --- 1558,1565 ---- } n->in_next = NULL; ! n->in_pnext = softn->ipf_nat_list_tail; ! *n->in_pnext = n; ! softn->ipf_nat_list_tail = &n->in_next; ! n->in_use++; if (n->in_redir & NAT_REDIRECT) { *************** *** 1739,1743 **** /* softn(I) - pointer to NAT context structure */ /* n(I) - pointer to new NAT rule */ - /* np(I) - pointer to where to insert new NAT rule */ /* getlock(I) - flag indicating if lock on is held */ /* Mutex Locks: ipf_nat_io */ --- 1752,1755 ---- *************** *** 1748,1755 **** /* ------------------------------------------------------------------------ */ static void ! ipf_nat_siocdelnat(softc, softn, n, np, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n, **np; int getlock; { --- 1760,1767 ---- /* ------------------------------------------------------------------------ */ static void ! ipf_nat_siocdelnat(softc, softn, n, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n; int getlock; { *************** *** 1761,1765 **** WRITE_ENTER(&softc->ipf_nat); } - *np = n->in_next; ipf_nat_delrule(softc, softn, n, 1); --- 1773,1776 ---- *************** *** 1803,1810 **** if (n->in_redir & NAT_REDIRECT) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); } if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); } --- 1814,1825 ---- if (n->in_redir & NAT_REDIRECT) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); ! } } if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); ! } } *************** *** 1825,1829 **** } ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); MUTEX_DESTROY(&n->in_lock); --- 1840,1846 ---- } ! 
if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); ! } MUTEX_DESTROY(&n->in_lock); *************** *** 2440,2443 **** --- 2457,2461 ---- ipf_nat_softc_t *softn = softc->ipf_nat_soft; int madeorphan = 0, bkt, removed = 0; + nat_stat_side_t *nss; struct ipnat *ipn; *************** *** 2453,2465 **** bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz; ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[bkt]--; ! if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[bkt] == 0) { ! softn->ipf_nat_stats.ns_side[0].ns_inuse--; } bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz; ! softn->ipf_nat_stats.ns_side[1].ns_bucketlen[bkt]--; ! if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[bkt] == 0) { ! softn->ipf_nat_stats.ns_side[1].ns_inuse--; } --- 2471,2485 ---- bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz; ! nss = &softn->ipf_nat_stats.ns_side[0]; ! nss->ns_bucketlen[bkt]--; ! if (nss->ns_bucketlen[bkt] == 0) { ! nss->ns_inuse--; } bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz; ! nss = &softn->ipf_nat_stats.ns_side[1]; ! nss->ns_bucketlen[bkt]--; ! if (nss->ns_bucketlen[bkt] == 0) { ! nss->ns_inuse--; } *************** *** 2506,2509 **** --- 2526,2534 ---- } + if (nat->nat_sync) { + ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync); + nat->nat_sync = NULL; + } + if (logtype == NL_EXPIRE) softn->ipf_nat_stats.ns_expire++; *************** *** 2543,2549 **** softn->ipf_nat_stats.ns_proto[nat->nat_pr[0]]--; - if (nat->nat_sync) - ipf_sync_del_nat(softc->ipf_sync_soft,nat->nat_sync); - if (nat->nat_fr != NULL) { (void) ipf_derefrule(softc, &nat->nat_fr); --- 2568,2571 ---- *************** *** 2551,2555 **** if (nat->nat_hm != NULL) { ! ipf_nat_hostmapdel(&nat->nat_hm); } --- 2573,2577 ---- if (nat->nat_hm != NULL) { ! 
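Review bot: The two `nss->ns_bucketlen[bkt]--` statements in the hunk at new lines 2471-2485 decrement an unsigned counter without checking that it is above zero, and they index it with `nat->nat_hv[0]` and `nat->nat_hv[1]` directly. ipf_nat_hashtab_add, added later in this commit, swaps the two bucket indexes for NAT_INBOUND, NAT_ENCAPIN and NAT_DIVERTIN entries before it checks the counters, so for those entries removal appears to touch a different slot than insertion did. A slot that wraps below zero would then compare as full against `ipf_nat_maxbucket`, and new entries hashing to that bucket would be rejected. I would guard the decrement, `if (nss->ns_bucketlen[bkt] > 0) nss->ns_bucketlen[bkt]--;`, and select the index the same way the insert path does. The enclosing function starts and ends outside the hunk.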
ipf_nat_hostmapdel(softc, &nat->nat_hm); } *************** *** 2566,2572 **** } MUTEX_DESTROY(&nat->nat_lock); - aps_free(softc, nat->nat_aps); softn->ipf_nat_stats.ns_active--; --- 2588,2598 ---- } + if (nat->nat_aps != NULL) { + ipf_proxy_free(softc, nat->nat_aps); + nat->nat_aps = NULL; + } + MUTEX_DESTROY(&nat->nat_lock); softn->ipf_nat_stats.ns_active--; *************** *** 2641,2645 **** ipf_nat_softc_t *softn; { ! ipnat_t *n, **np = &softn->ipf_nat_list; int i = 0; --- 2667,2671 ---- ipf_nat_softc_t *softn; { ! ipnat_t *n; int i = 0; *************** *** 2655,2660 **** } ! while ((n = *np) != NULL) { ! *np = n->in_next; ipf_nat_delrule(softc, softn, n, 0); i++; --- 2681,2685 ---- } ! while ((n = softn->ipf_nat_list) != NULL) { ipf_nat_delrule(softc, softn, n, 0); i++; *************** *** 2688,2691 **** --- 2713,2725 ---- int purge; { + + if (np->in_pnext != NULL) { + *np->in_pnext = np->in_next; + if (np->in_next != NULL) + np->in_next->in_pnext = np->in_pnext; + if (softn->ipf_nat_list_tail == &np->in_next) + softn->ipf_nat_list_tail = np->in_pnext; + } + if ((purge == 1) && ((np->in_flags & IPN_PURGE) != 0)) { nat_t *next; *************** *** 2724,2733 **** } ! np->in_next = NULL; ! if (np->in_use == 0) { ! ipf_nat_free_rule(softc, softn, np); ! } else { ! np->in_flags |= IPN_DELETE; ! } } --- 2758,2763 ---- } ! np->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &np); } *************** *** 2800,2804 **** in.s_addr = hm->hm_nsrcip.s_addr; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(&hm); } in.s_addr = ntohl(in.s_addr); --- 2830,2834 ---- in.s_addr = hm->hm_nsrcip.s_addr; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(softc, &hm); } in.s_addr = ntohl(in.s_addr); *************** *** 3058,3062 **** ni->nai_np = np; move = 0; ! ipf_nat_hostmapdel(&hm); } } --- 3088,3092 ---- ni->nai_np = np; move = 0; ! ipf_nat_hostmapdel(softc, &hm); } } *************** *** 3089,3093 **** } if (hm != NULL) ! 
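Review bot: After the new unlink block (new lines 2713-2725), `np->in_pnext` and `np->in_next` still point into the rule list, and the following hunk drops the old `np->in_next = NULL;`. The rule can outlive this call whenever ipf_nat_rulederef leaves `in_use` above zero, so a second pass through this block for the same rule would rewrite list links through stale pointers. I would clear both at the end of the `if` body, `np->in_pnext = NULL; np->in_next = NULL;`. The function's signature and tail are outside the hunk.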
ipf_nat_hostmapdel(&hm); } else if ((np->in_ndstaddr == 0) && (np->in_ndstmsk == 0xffffffff)) { --- 3119,3123 ---- } if (hm != NULL) ! ipf_nat_hostmapdel(softc, &hm); } else if ((np->in_ndstaddr == 0) && (np->in_ndstmsk == 0xffffffff)) { *************** *** 3353,3361 **** nat->nat_dlocal = np->in_dlocal; ! if ((np->in_apr != NULL) && ((nat->nat_flags & NAT_SLAVE) == 0)) if (ipf_proxy_new(fin, nat) == -1) { NBUMPSIDED(fin->fin_out, ns_appr_fail); goto badnat; } nat->nat_ifps[0] = np->in_ifps[0]; --- 3383,3392 ---- nat->nat_dlocal = np->in_dlocal; ! if ((np->in_apr != NULL) && ((nat->nat_flags & NAT_SLAVE) == 0)) { if (ipf_proxy_new(fin, nat) == -1) { NBUMPSIDED(fin->fin_out, ns_appr_fail); goto badnat; } + } nat->nat_ifps[0] = np->in_ifps[0]; *************** *** 3394,3398 **** NBUMPSIDE(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(&hm); KFREE(nat); nat = NULL; --- 3425,3429 ---- NBUMPSIDE(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(softc, &hm); KFREE(nat); nat = NULL; *************** *** 3513,3516 **** --- 3544,3549 ---- * nat_insert failed, so cleanup time... */ + if (nat->nat_sync != NULL) + ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync); return -1; } *************** *** 3518,3526 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: nat(I) - pointer to NAT structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ --- 3551,3560 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! 
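Review bot: The cleanup added at new lines 3544-3549 calls `ipf_sync_del_nat` but leaves `nat->nat_sync` set, whereas the hunk at new lines 2526-2534 of this commit clears the pointer after the same call. If the caller then releases this entry through a path that tests `nat_sync` again, the sync entry would be deleted twice. Adding `nat->nat_sync = NULL;` after the call, with braces around the two statements, keeps both paths consistent. Only the failure tail of the function is in the hunk.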
/* nat(I) - pointer to NAT structure */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ *************** *** 3533,3540 **** nat_t *nat; { ! u_int hv0, hv1, rhv0, rhv1; u_int sp, dp; ipnat_t *in; - nat_t **natp; /* --- 3567,3573 ---- nat_t *nat; { ! u_int hv0, hv1; u_int sp, dp; ipnat_t *in; /* *************** *** 3553,3558 **** dp = 0; } ! rhv0 = NAT_HASH_FN(nat->nat_osrcaddr, sp, 0xffffffff); ! rhv0 = NAT_HASH_FN(nat->nat_odstaddr, rhv0 + dp, 0xffffffff); /* * TRACE nat_osrcaddr, nat_osport, nat_odstaddr, --- 3586,3591 ---- dp = 0; } ! hv0 = NAT_HASH_FN(nat->nat_osrcaddr, sp, 0xffffffff); ! hv0 = NAT_HASH_FN(nat->nat_odstaddr, hv0 + dp, 0xffffffff); /* * TRACE nat_osrcaddr, nat_osport, nat_odstaddr, *************** *** 3570,3575 **** dp = 0; } ! rhv1 = NAT_HASH_FN(nat->nat_nsrcaddr, sp, 0xffffffff); ! rhv1 = NAT_HASH_FN(nat->nat_ndstaddr, rhv1 + dp, 0xffffffff); /* * TRACE nat_nsrcaddr, nat_nsport, nat_ndstaddr, --- 3603,3608 ---- dp = 0; } ! hv1 = NAT_HASH_FN(nat->nat_nsrcaddr, sp, 0xffffffff); ! hv1 = NAT_HASH_FN(nat->nat_ndstaddr, hv1 + dp, 0xffffffff); /* * TRACE nat_nsrcaddr, nat_nsport, nat_ndstaddr, *************** *** 3577,3617 **** */ } else { ! rhv0 = NAT_HASH_FN(nat->nat_osrcaddr, 0, 0xffffffff); ! rhv0 = NAT_HASH_FN(nat->nat_odstaddr, rhv0, 0xffffffff); ! /* TRACE nat_osrcaddr, nat_odstaddr, rhv0 */ ! ! rhv1 = NAT_HASH_FN(nat->nat_nsrcaddr, 0, 0xffffffff); ! rhv1 = NAT_HASH_FN(nat->nat_ndstaddr, rhv1, 0xffffffff); ! /* TRACE nat_nsrcaddr, nat_ndstaddr, rhv1 */ ! } ! hv0 = rhv0 % softn->ipf_nat_table_sz; ! hv1 = rhv1 % softn->ipf_nat_table_sz; ! ! if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0] >= ! softn->ipf_nat_maxbucket) { ! DT1(ns_bucket_max_0, int, ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]); ! NBUMPSIDE(0, ns_bucket_max); ! return -1; ! } ! if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1] >= ! softn->ipf_nat_maxbucket) { ! DT1(ns_bucket_max_1, int, ! 
softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]); ! NBUMPSIDE(1, ns_bucket_max); ! return -1; } ! if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || ! nat->nat_dir == NAT_DIVERTIN) { ! u_int swap; ! ! swap = hv0; ! hv0 = hv1; ! hv1 = swap; ! } ! nat->nat_hv[0] = rhv0; ! nat->nat_hv[1] = rhv1; MUTEX_INIT(&nat->nat_lock, "nat entry lock"); --- 3610,3624 ---- */ } else { ! hv0 = NAT_HASH_FN(nat->nat_osrcaddr, 0, 0xffffffff); ! hv0 = NAT_HASH_FN(nat->nat_odstaddr, hv0, 0xffffffff); ! /* TRACE nat_osrcaddr, nat_odstaddr, hv0 */ ! hv1 = NAT_HASH_FN(nat->nat_nsrcaddr, 0, 0xffffffff); ! hv1 = NAT_HASH_FN(nat->nat_ndstaddr, hv1, 0xffffffff); ! /* TRACE nat_nsrcaddr, nat_ndstaddr, hv1 */ } ! nat->nat_hv[0] = hv0; ! nat->nat_hv[1] = hv1; MUTEX_INIT(&nat->nat_lock, "nat entry lock"); *************** *** 3645,3648 **** --- 3652,3705 ---- } + return ipf_nat_hashtab_add(softc, softn, nat); + } + + + /* ------------------------------------------------------------------------ */ + /* Function: ipf_nat_hashtab_add */ + /* Parameters: softc(I) - pointer to soft context main structure */ + /* softn(I) - pointer to NAT context structure */ + /* nat(I) - pointer to NAT structure */ + /* */ + /* Handle the insertion of a NAT entry into the table/list. 
*/ + /* ------------------------------------------------------------------------ */ + int + ipf_nat_hashtab_add(softc, softn, nat) + ipf_main_softc_t *softc; + ipf_nat_softc_t *softn; + nat_t *nat; + { + nat_t **natp; + u_int hv0; + u_int hv1; + + hv0 = nat->nat_hv[0] % softn->ipf_nat_table_sz; + hv1 = nat->nat_hv[1] % softn->ipf_nat_table_sz; + + if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || + nat->nat_dir == NAT_DIVERTIN) { + u_int swap; + + swap = hv0; + hv0 = hv1; + hv1 = swap; + } + + if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0] >= + softn->ipf_nat_maxbucket) { + DT1(ns_bucket_max_0, int, + softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]); + NBUMPSIDE(0, ns_bucket_max); + return -1; + } + + if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1] >= + softn->ipf_nat_maxbucket) { + DT1(ns_bucket_max_1, int, + softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]); + NBUMPSIDE(1, ns_bucket_max); + return -1; + } + /* * The ordering of operations in the list and hash table insertion *************** *** 3688,3693 **** NBUMPSIDE(1, ns_bucketlen[hv1]); - /* ---- */ - ipf_nat_setqueue(softc, softn, nat); --- 3745,3748 ---- *************** *** 4900,4905 **** /* Function: ipf_nat_update */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* nat(I) - pointer to NAT structure */ /* */ /* Updates the lifetime of a NAT table entry for non-TCP packets. Must be */ --- 4955,4960 ---- /* Function: ipf_nat_update */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* nat(I) - pointer to NAT structure */ /* */ /* Updates the lifetime of a NAT table entry for non-TCP packets. Must be */ *************** *** 6450,6462 **** { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *in; ! in = *inp; *inp = NULL; ! in->in_space++; ! in->in_use--; ! if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) { ! ipf_nat_free_rule(softc, softn, in); ! 
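Review bot: The header comment for ipf_nat_hashtab_add has no Returns or lock line, unlike the ipf_nat_insert header rewritten in the same commit. The visible body returns -1 when either bucket has reached `ipf_nat_maxbucket`, and ipf_nat_insert, whose header names `ipf_nat` as the write lock, returns this function's result directly. I would add `/* Returns: int - 0 == success, -1 == failure */` and `/* Write Lock: ipf_nat */` after confirming the success value, since the end of the function is outside the hunk.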
} } --- 6505,6516 ---- { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *np; ! np = *inp; *inp = NULL; ! np->in_space++; ! np->in_use--; ! if (np->in_use == 0) ! ipf_nat_free_rule(softc, softn, np); } *************** *** 6881,6885 **** if (hm != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel(&hm); RWLOCK_EXIT(&softc->ipf_nat); } --- 6935,6939 ---- if (hm != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel(softc, &hm); RWLOCK_EXIT(&softc->ipf_nat); } *************** *** 8532,8535 **** --- 8586,8590 ---- u_int maxbucket; u_int newsize; + int error; u_int hv; int i; *************** *** 8542,8545 **** --- 8597,8604 ---- return 0; + newtab[0] = NULL; + newtab[1] = NULL; + bucketlens[0] = NULL; + bucketlens[1] = NULL; /* * 4 tables depend on the NAT table size: the inbound looking table, *************** *** 8548,8577 **** KMALLOCS(newtab[0], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! IPFERROR(60063); ! return ENOMEM; } KMALLOCS(newtab[1], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! KFREES(newtab[0], newsize * sizeof(nat_t *)); ! IPFERROR(60064); ! return ENOMEM; } KMALLOCS(bucketlens[0], u_int *, newsize * sizeof(u_int)); if (bucketlens[0] == NULL) { ! KFREES(newtab[0], newsize * sizeof(nat_t *)); ! KFREES(newtab[1], newsize * sizeof(nat_t *)); ! IPFERROR(60065); ! return ENOMEM; } KMALLOCS(bucketlens[1], u_int *, newsize * sizeof(u_int)); if (bucketlens[1] == NULL) { ! KFREES(bucketlens[0], newsize * sizeof(u_int)); ! KFREES(newtab[0], newsize * sizeof(nat_t *)); ! KFREES(newtab[1], newsize * sizeof(nat_t *)); ! IPFERROR(60066); ! return ENOMEM; } --- 8607,8630 ---- KMALLOCS(newtab[0], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! error = 60063; ! goto badrehash; } KMALLOCS(newtab[1], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! error = 60064; ! goto badrehash; } KMALLOCS(bucketlens[0], u_int *, newsize * sizeof(u_int)); if (bucketlens[0] == NULL) { ! error = 60065; ! 
goto badrehash; } KMALLOCS(bucketlens[1], u_int *, newsize * sizeof(u_int)); if (bucketlens[1] == NULL) { ! error = 60066; ! goto badrehash; } *************** *** 8616,8619 **** --- 8669,8684 ---- softn->ipf_nat_stats.ns_side[1].ns_bucketlen = bucketlens[1]; + if (softn->ipf_nat_stats.ns_side6[0].ns_bucketlen != NULL) { + KFREES(softn->ipf_nat_stats.ns_side6[0].ns_bucketlen, + softn->ipf_nat_table_sz * sizeof(u_int)); + } + softn->ipf_nat_stats.ns_side6[0].ns_bucketlen = bucketlens[0]; + + if (softn->ipf_nat_stats.ns_side6[1].ns_bucketlen != NULL) { + KFREES(softn->ipf_nat_stats.ns_side6[1].ns_bucketlen, + softn->ipf_nat_table_sz * sizeof(u_int)); + } + softn->ipf_nat_stats.ns_side6[1].ns_bucketlen = bucketlens[1]; + softn->ipf_nat_maxbucket = maxbucket; softn->ipf_nat_table_sz = newsize; *************** *** 8625,8628 **** --- 8690,8695 ---- softn->ipf_nat_stats.ns_side[0].ns_inuse = 0; softn->ipf_nat_stats.ns_side[1].ns_inuse = 0; + softn->ipf_nat_stats.ns_side6[0].ns_inuse = 0; + softn->ipf_nat_stats.ns_side6[1].ns_inuse = 0; for (nat = softn->ipf_nat_instances; nat != NULL; nat = nat->nat_next) { *************** *** 8660,8663 **** --- 8727,8746 ---- return 0; + + badrehash: + if (bucketlens[1] != NULL) { + KFREES(bucketlens[0], newsize * sizeof(u_int)); + } + if (bucketlens[0] != NULL) { + KFREES(bucketlens[0], newsize * sizeof(u_int)); + } + if (newtab[0] != NULL) { + KFREES(newtab[0], newsize * sizeof(nat_t *)); + } + if (newtab[1] != NULL) { + KFREES(newtab[1], newsize * sizeof(nat_t *)); + } + IPFERROR(error); + return ENOMEM; } *************** *** 8964,8969 **** int error = 0; - n->in_use = 0; - if ((n->in_flags & IPN_SIPRANGE) != 0) n->in_nsrcatype = FRI_RANGE; --- 9047,9050 ---- |
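Review bot: Both hash-table allocation checks in the hunk at new lines 8607-8630 still test `newtab == NULL` rather than the element just allocated, so a failed `KMALLOCS(newtab[0], ...)` or `KMALLOCS(newtab[1], ...)` never reaches the new `goto badrehash` path. The added `newtab[0] = NULL;` initialisation suggests `newtab` is an array, in which case the test can never be true and the rehash would carry on with a NULL table. The checks should read `if (newtab[0] == NULL)` and `if (newtab[1] == NULL)`.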
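Review bot: The lines added at new 8669-8684 point `ns_side6[0].ns_bucketlen` and `ns_side6[1].ns_bucketlen` at the same `bucketlens[0]` and `bucketlens[1]` buffers that the IPv4 sides use (the unchanged line just above assigns `bucketlens[1]` to `ns_side[1].ns_bucketlen`), after releasing each old `ns_side6` buffer with KFREES. On the next resize the old `ns_side6` pointer is therefore the buffer `ns_side` also holds. If the unchanged code frees `ns_side[...].ns_bucketlen` the same way, which this hunk does not show, that buffer is freed twice, and the same holds for any teardown path that frees both. Either allocate separate counter arrays for the IPv6 sides, or free the shared buffer once and only reassign the second pointer.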
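Review bot: The first test under `badrehash:` checks `bucketlens[1]` but frees `bucketlens[0]`, which the next test then frees again. With the gotos visible in this commit `bucketlens[1]` is always NULL on arrival, so the fault is latent, but any jump added later after the last allocation would free one buffer twice and leak the other. The first call should be `KFREES(bucketlens[1], newsize * sizeof(u_int));`.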
From: Darren <dar...@us...> - 2012-07-13 06:38:25
|
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv12232 Modified Files: fil.c ip_ipsec_pxy.c ip_nat.c ip_nat.h ip_nat6.c ip_pool.c ip_pptp_pxy.c ip_proxy.c ip_proxy.h ip_rcmd_pxy.c ip_rpcb_pxy.c ip_tftp_pxy.c Log Message: 3542979 NAT session list management is too simple 3542978 ipv4 and ipv6 nat insert have common hash insertion 3542977 ipnat_t refence tracking incomplete 3542975 proxies must use ipnat_t separately Index: ip_proxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_proxy.c,v retrieving revision 1.29 retrieving revision 1.30 diff -C2 -d -r1.29 -r1.30 *** ip_proxy.c 6 Jul 2012 14:35:55 -0000 1.29 --- ip_proxy.c 13 Jul 2012 06:38:23 -0000 1.30 *************** *** 144,148 **** ipf_p_tftp_soft_create, ipf_p_tftp_soft_destroy, NULL, NULL, ! ipf_p_tftp_new, ipf_p_tftp_del, ipf_p_tftp_in, ipf_p_tftp_out, NULL, NULL, NULL, NULL, NULL }, #endif --- 144,149 ---- ipf_p_tftp_soft_create, ipf_p_tftp_soft_destroy, NULL, NULL, ! ipf_p_tftp_new, ipf_p_tftp_del, ! ipf_p_tftp_in, ipf_p_tftp_out, NULL, NULL, NULL, NULL, NULL }, #endif *************** *** 1114,1118 **** /* ------------------------------------------------------------------------ */ ! /* Function: aps_free */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ --- 1115,1119 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_proxy_free */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ *************** *** 1124,1128 **** /* ------------------------------------------------------------------------ */ void ! aps_free(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; --- 1125,1129 ---- /* ------------------------------------------------------------------------ */ void ! 
ipf_proxy_free(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; Index: ip_ipsec_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_ipsec_pxy.c,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** ip_ipsec_pxy.c 15 Nov 2011 13:32:35 -0000 1.16 --- ip_ipsec_pxy.c 13 Jul 2012 06:38:23 -0000 1.17 *************** *** 13,16 **** --- 13,29 ---- + /* + * IPSec proxy + */ + typedef struct ipf_ipsec_softc_s { + frentry_t ipsec_fr; + int ipsec_proxy_init; + int ipsec_proxy_ttl; + ipftq_t *ipsec_nat_tqe; + ipftq_t *ipsec_state_tqe; + char ipsec_buffer[1500]; + } ipf_ipsec_softc_t; + + void *ipf_p_ipsec_soft_create(ipf_main_softc_t *); void ipf_p_ipsec_soft_destroy(ipf_main_softc_t *, void *); *************** *** 24,36 **** int ipf_p_ipsec_match(fr_info_t *, ap_session_t *, nat_t *); - typedef struct ipf_ipsec_softc_s { - frentry_t ipsec_fr; - int ipsec_proxy_init; - int ipsec_proxy_ttl; - ipftq_t *ipsec_nat_tqe; - ipftq_t *ipsec_state_tqe; - char ipsec_buffer[1500]; - } ipf_ipsec_softc_t; - /* --- 37,40 ---- *************** *** 138,148 **** ipf_nat_softc_t *softn = softc->ipf_nat_soft; #endif ipsec_pxy_t *ipsec; ipnat_t *ipn, *np; fr_info_t fi; char *ptr; ! int p, off, dlen, ttl; ! mb_t *m; ip_t *ip; off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; --- 142,153 ---- ipf_nat_softc_t *softn = softc->ipf_nat_soft; #endif + int p, off, dlen, ttl; ipsec_pxy_t *ipsec; ipnat_t *ipn, *np; fr_info_t fi; char *ptr; ! int size; ip_t *ip; + mb_t *m; off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; *************** *** 162,172 **** np = nat->nat_ptr; ! aps->aps_psiz = sizeof(*ipsec) + np->in_namelen; ! KMALLOCS(aps->aps_data, ipsec_pxy_t *, aps->aps_psiz); ! if (aps->aps_data == NULL) return -1; ! ipsec = aps->aps_data; bzero((char *)ipsec, sizeof(*ipsec)); /* --- 167,186 ---- np = nat->nat_ptr; ! size = np->in_size; ! KMALLOC(ipsec, ipsec_pxy_t *); ! if (ipsec == NULL) return -1; ! 
KMALLOCS(ipn, ipnat_t *, size); ! if (ipn == NULL) { ! KFREE(ipsec); ! return -1; ! } ! ! aps->aps_data = ipsec; ! aps->aps_psiz = sizeof(*ipsec); bzero((char *)ipsec, sizeof(*ipsec)); + bzero((char *)ipn, size); + ipsec->ipsc_rule = ipn; /* *************** *** 175,179 **** * describe ESP but UDP instead. */ ! ipn = &ipsec->ipsc_rule; ttl = IPF_TTLVAL(softi->ipsec_nat_tqe->ifq_ttl); ipn->in_tqehead[0] = ipf_nat_add_tq(softc, ttl); --- 189,193 ---- * describe ESP but UDP instead. */ ! ipn->in_size = size; ttl = IPF_TTLVAL(softi->ipsec_nat_tqe->ifq_ttl); ipn->in_tqehead[0] = ipf_nat_add_tq(softc, ttl); *************** *** 196,199 **** --- 210,214 ---- ipn->in_pr[0] = IPPROTO_ESP; ipn->in_pr[1] = IPPROTO_ESP; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "IPSec proxy NAT rule"); *************** *** 297,301 **** MUTEX_ENTER(&softn->ipf_nat_new); ! ipsec->ipsc_nat = ipf_nat_add(&fi, &ipsec->ipsc_rule, &ipsec->ipsc_nat, NAT_SLAVE|SI_WILDP, --- 312,316 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! ipsec->ipsc_nat = ipf_nat_add(&fi, ipsec->ipsc_rule, &ipsec->ipsc_nat, NAT_SLAVE|SI_WILDP, *************** *** 408,411 **** --- 423,428 ---- ipsec->ipsc_state = NULL; ipsec->ipsc_nat = NULL; + ipsec->ipsc_rule->in_flags |= IPN_DELETE; + ipf_nat_rulederef(softc, &ipsec->ipsc_rule); } } Index: ip_tftp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_tftp_pxy.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** ip_tftp_pxy.c 6 Jul 2012 14:35:55 -0000 1.5 --- ip_tftp_pxy.c 13 Jul 2012 06:38:23 -0000 1.6 *************** *** 43,47 **** int ti_lasterror; char ti_filename[80]; ! ipnat_t ti_rule; } tftpinfo_t; --- 43,47 ---- int ti_lasterror; char ti_filename[80]; ! ipnat_t *ti_rule; } tftpinfo_t; *************** *** 171,191 **** tftpinfo_t *ti; ipnat_t *ipn; KMALLOC(ti, tftpinfo_t *); if (ti == NULL) return -1; ! ! nat = nat; /* LINT */ ! fin = fin; /* LINT */ ! ! 
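Review bot: The delete path at new lines 423-428 releases a reference on `ipsec->ipsc_rule` through ipf_nat_rulederef, but none of the setup hunks in this file shows the proxy taking one: the copied rule is zeroed with `bzero((char *)ipn, size)` and `in_use` is not set afterwards. The ip_nat.c hunk earlier on this page shows ipf_nat_rulederef decrementing `in_use` and freeing the rule at zero, so the references held by NAT sessions built from this rule and the proxy's own release can disagree. The rule is then either freed while still referenced or never freed. Unless a line outside these hunks already does so, I would add `ipn->in_use = 1;` after the `bzero` so that the proxy owns the reference it later drops. The same pattern appears in the ip_tftp_pxy.c and ip_pptp_pxy.c hunks of this commit.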
aps->aps_psiz = sizeof(*ti); aps->aps_data = ti; bzero((char *)ti, sizeof(*ti)); udp = (udphdr_t *)fin->fin_dp; aps->aps_sport = udp->uh_sport; aps->aps_dport = udp->uh_dport; ! ipn = &ti->ti_rule; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; --- 171,202 ---- tftpinfo_t *ti; ipnat_t *ipn; + ipnat_t *np; + int size; + + fin = fin; /* LINT */ + + np = nat->nat_ptr; + size = np->in_size; KMALLOC(ti, tftpinfo_t *); if (ti == NULL) return -1; ! KMALLOCS(ipn, ipnat_t *, size); ! if (ipn == NULL) { ! KFREE(ti); ! return -1; ! } aps->aps_data = ti; + aps->aps_psiz = sizeof(*ti); bzero((char *)ti, sizeof(*ti)); + bzero((char *)ipn, size); + ti->ti_rule = ipn; + udp = (udphdr_t *)fin->fin_dp; aps->aps_sport = udp->uh_sport; aps->aps_dport = udp->uh_dport; ! ipn->in_size = size; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; *************** *** 195,199 **** ipn->in_ippip = 1; ! if ((nat->nat_ptr->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); --- 206,210 ---- ipn->in_ippip = 1; ! if ((np->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); *************** *** 221,231 **** ipn->in_pr[0] = IPPROTO_UDP; ipn->in_pr[1] = IPPROTO_UDP; ! ipn->in_flags = IPN_UDP|IPN_FIXEDDPORT; MUTEX_INIT(&ipn->in_lock, "tftp proxy NAT rule"); ! ipn->in_namelen = nat->nat_ptr->in_namelen; ! bcopy(nat->nat_ptr->in_names, ipn->in_ifnames, ipn->in_namelen); ! ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ! ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; ti->ti_lastcmd = 0; --- 232,242 ---- ipn->in_pr[0] = IPPROTO_UDP; ipn->in_pr[1] = IPPROTO_UDP; ! ipn->in_flags = IPN_UDP|IPN_FIXEDDPORT|IPN_PROXYRULE; MUTEX_INIT(&ipn->in_lock, "tftp proxy NAT rule"); ! ipn->in_namelen = np->in_namelen; ! bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen); ! ipn->in_ifnames[0] = np->in_ifnames[0]; ! 
ipn->in_ifnames[1] = np->in_ifnames[1]; ti->ti_lastcmd = 0; *************** *** 244,248 **** tftp = aps->aps_data; if (tftp != NULL) { ! MUTEX_DESTROY(&tftp->ti_rule.in_lock); } } --- 255,260 ---- tftp = aps->aps_data; if (tftp != NULL) { ! tftp->ti_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &tftp->ti_rule); } } *************** *** 289,298 **** bzero((char *)&udp, sizeof(udp)); udp.uh_sport = 0; /* XXX - don't specify remote port */ ! udp.uh_dport = ti->ti_rule.in_ndport; udp.uh_ulen = htons(sizeof(udp)); udp.uh_sum = 0; fi.fin_dp = (char *)&udp; fi.fin_fr = &tftpfr; ! fi.fin_dport = ntohs(ti->ti_rule.in_ndport); fi.fin_sport = 0; fi.fin_dlen = sizeof(udp); --- 301,310 ---- bzero((char *)&udp, sizeof(udp)); udp.uh_sport = 0; /* XXX - don't specify remote port */ ! udp.uh_dport = ti->ti_rule->in_ndport; udp.uh_ulen = htons(sizeof(udp)); udp.uh_sum = 0; fi.fin_dp = (char *)&udp; fi.fin_fr = &tftpfr; ! fi.fin_dport = ntohs(ti->ti_rule->in_ndport); fi.fin_sport = 0; fi.fin_dlen = sizeof(udp); *************** *** 316,320 **** MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &ti->ti_rule, NULL, nflags, dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { --- 328,332 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! 
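Review bot: `bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen);` in the hunk at new lines 232-242 copies the name bytes into `in_ifnames`, which the next two lines treat as a two-element array. If `in_namelen` exceeds the size of that array, the copy overwrites whatever follows it in the newly allocated rule, and the names never reach the rule's own name storage. The destination looks as if it should be `ipn->in_names`, giving `bcopy(np->in_names, ipn->in_names, ipn->in_namelen);`, though the layout of ipnat_t is not shown on this page and should be checked. The commit only touches this line to replace `nat->nat_ptr` with `np`, so the problem predates it, but it matters more now that the rule is a separate `in_size`-byte allocation.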
nat2 = ipf_nat_add(&fi, ti->ti_rule, NULL, nflags, dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { *************** *** 322,325 **** --- 334,348 ---- ipf_nat_update(&fi, nat2); fi.fin_ifp = NULL; + if (ti->ti_rule->in_redir == NAT_MAP) { + fi.fin_fi.fi_saddr = nat->nat_ndstaddr; + ip->ip_src = nat->nat_ndstip; + fi.fin_fi.fi_daddr = nat->nat_nsrcaddr; + ip->ip_dst = nat->nat_nsrcip; + } else { + fi.fin_fi.fi_saddr = nat->nat_odstaddr; + ip->ip_src = nat->nat_odstip; + fi.fin_fi.fi_daddr = nat->nat_osrcaddr; + ip->ip_dst = nat->nat_osrcip; + } if (ipf_state_add(softc, &fi, NULL, SI_W_SPORT) != 0) { ipf_nat_setpending(softc, nat2); Index: ip_proxy.h =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_proxy.h,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** ip_proxy.h 29 May 2012 12:47:41 -0000 1.11 --- ip_proxy.h 13 Jul 2012 06:38:23 -0000 1.12 *************** *** 180,183 **** --- 180,198 ---- /* + * IPsec proxy + */ + typedef u_32_t ipsec_cookie_t[2]; + + typedef struct ipsec_pxy { + ipsec_cookie_t ipsc_icookie; + ipsec_cookie_t ipsc_rcookie; + int ipsc_rckset; + nat_t *ipsc_nat; + struct ipstate *ipsc_state; + ipnat_t *ipsc_rule; + } ipsec_pxy_t; + + + /* * For the irc proxy. */ *************** *** 195,207 **** /* - * For the rcmd proxy. rcmd_rule must be last for names in ipnat_t - */ - typedef struct rcmdinfo { - u_32_t rcmd_port; /* Port number seen */ - u_32_t rcmd_portseq; /* Sequence number where port is first seen */ - ipnat_t rcmd_rule; /* Template rule for back connection */ - } rcmdinfo_t; - - /* * For the DNS "proxy" */ --- 210,213 ---- *************** *** 258,298 **** /* - * IPSec proxy. 
ipsc_rule must be last for names in ipnat_t - */ - typedef u_32_t ipsec_cookie_t[2]; - - typedef struct ipsec_pxy { - ipsec_cookie_t ipsc_icookie; - ipsec_cookie_t ipsc_rcookie; - int ipsc_rckset; - nat_t *ipsc_nat; - struct ipstate *ipsc_state; - ipnat_t ipsc_rule; - } ipsec_pxy_t; - - /* - * PPTP proxy. pptp_rule must be last for names in ipnat_t - */ - typedef struct pptp_side { - u_32_t pptps_nexthdr; - u_32_t pptps_next; - int pptps_state; - int pptps_gothdr; - int pptps_len; - int pptps_bytes; - char *pptps_wptr; - char pptps_buffer[512]; - } pptp_side_t; - - typedef struct pptp_pxy { - nat_t *pptp_nat; - struct ipstate *pptp_state; - u_short pptp_call[2]; - pptp_side_t pptp_side[2]; - ipnat_t pptp_rule; - } pptp_pxy_t; - - - /* * Sun RPCBIND proxy */ --- 264,267 ---- *************** *** 478,482 **** extern int ipf_proxy_new(fr_info_t *, struct nat *); extern int ipf_proxy_ok(fr_info_t *, tcphdr_t *, struct ipnat *); ! extern void aps_free(ipf_main_softc_t *, ap_session_t *); extern int ipf_proxy_main_load(void); extern int ipf_proxy_main_unload(void); --- 447,451 ---- extern int ipf_proxy_new(fr_info_t *, struct nat *); extern int ipf_proxy_ok(fr_info_t *, tcphdr_t *, struct ipnat *); ! extern void ipf_proxy_free(ipf_main_softc_t *, ap_session_t *); extern int ipf_proxy_main_load(void); extern int ipf_proxy_main_unload(void); Index: fil.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/fil.c,v retrieving revision 1.122 retrieving revision 1.123 diff -C2 -d -r1.122 -r1.123 *** fil.c 13 Jul 2012 06:17:49 -0000 1.122 --- fil.c 13 Jul 2012 06:38:23 -0000 1.123 *************** *** 7724,7728 **** case IPFGENITER_HOSTMAP : WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel((hostmap_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; --- 7724,7728 ---- case IPFGENITER_HOSTMAP : WRITE_ENTER(&softc->ipf_nat); ! 
ipf_nat_hostmapdel(softc, (hostmap_t **)datap); RWLOCK_EXIT(&softc->ipf_nat); break; Index: ip_pptp_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_pptp_pxy.c,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** ip_pptp_pxy.c 15 Nov 2011 13:32:35 -0000 1.15 --- ip_pptp_pxy.c 13 Jul 2012 06:38:23 -0000 1.16 *************** *** 10,17 **** #define IPF_PPTP_PROXY typedef struct pptp_hdr { ! u_short pptph_len; ! u_short pptph_type; ! u_32_t pptph_cookie; } pptp_hdr_t; --- 10,41 ---- #define IPF_PPTP_PROXY + + + /* + * PPTP proxy + */ + typedef struct pptp_side { + u_32_t pptps_nexthdr; + u_32_t pptps_next; + int pptps_state; + int pptps_gothdr; + int pptps_len; + int pptps_bytes; + char *pptps_wptr; + char pptps_buffer[512]; + } pptp_side_t; + + typedef struct pptp_pxy { + nat_t *pptp_nat; + struct ipstate *pptp_state; + u_short pptp_call[2]; + pptp_side_t pptp_side[2]; + ipnat_t *pptp_rule; + } pptp_pxy_t; + typedef struct pptp_hdr { ! u_short pptph_len; ! u_short pptph_type; ! u_32_t pptph_cookie; } pptp_hdr_t; *************** *** 91,98 **** { pptp_pxy_t *pptp; ! ipnat_t *ipn, *np; ip_t *ip; ip = fin->fin_ip; if (ipf_nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_osrcip, --- 115,126 ---- { pptp_pxy_t *pptp; ! ipnat_t *ipn; ! ipnat_t *np; ! int size; ip_t *ip; ip = fin->fin_ip; + np = nat->nat_ptr; + size = np->in_size; if (ipf_nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_osrcip, *************** *** 102,114 **** return -1; } - np = nat->nat_ptr; ! aps->aps_psiz = sizeof(*pptp) + np->in_namelen; ! KMALLOCS(aps->aps_data, pptp_pxy_t *, aps->aps_psiz); ! if (aps->aps_data == NULL) { if (ipf_p_pptp_debug > 0) printf("ipf_p_pptp_new: malloc for aps_data failed\n"); return -1; } /* --- 130,151 ---- return -1; } ! KMALLOC(pptp, pptp_pxy_t *); ! 
if (pptp == NULL) { if (ipf_p_pptp_debug > 0) printf("ipf_p_pptp_new: malloc for aps_data failed\n"); return -1; } + KMALLOCS(ipn, ipnat_t *, size); + if (ipn == NULL) { + KFREE(pptp); + return -1; + } + + aps->aps_data = pptp; + aps->aps_psiz = sizeof(*pptp); + bzero((char *)pptp, sizeof(*pptp)); + bzero((char *)ipn, size); + pptp->pptp_rule = ipn; /* *************** *** 117,123 **** * describe GRE but TCP instead. */ ! pptp = aps->aps_data; ! bzero((char *)pptp, sizeof(*pptp)); ! ipn = &pptp->pptp_rule; ipn->in_ifps[0] = fin->fin_ifp; ipn->in_apr = NULL; --- 154,158 ---- * describe GRE but TCP instead. */ ! ipn->in_size = size; ipn->in_ifps[0] = fin->fin_ifp; ipn->in_apr = NULL; *************** *** 136,139 **** --- 171,175 ---- ipn->in_odstmsk = 0xffffffff; ipn->in_ndstmsk = 0xffffffff; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "pptp proxy NAT rule"); *************** *** 204,211 **** MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &pptp->pptp_rule, &pptp->pptp_nat, NAT_SLAVE, nat->nat_dir); MUTEX_EXIT(&softn->ipf_nat_new); - pptp->pptp_nat = nat2; if (nat2 != NULL) { (void) ipf_nat_proto(&fi, nat2, 0); --- 240,246 ---- MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, pptp->pptp_rule, &pptp->pptp_nat, NAT_SLAVE, nat->nat_dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 != NULL) { (void) ipf_nat_proto(&fi, nat2, 0); *************** *** 537,541 **** if (pptp->pptp_nat != NULL) ipf_nat_setpending(softc, pptp->pptp_nat); ! MUTEX_DESTROY(&pptp->pptp_rule.in_lock); } } --- 572,577 ---- if (pptp->pptp_nat != NULL) ipf_nat_setpending(softc, pptp->pptp_nat); ! pptp->pptp_rule->in_flags |= IPN_DELETE; ! 
ipf_nat_rulederef(softc, &pptp->pptp_rule); } } Index: ip_pool.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_pool.c,v retrieving revision 1.39 retrieving revision 1.40 diff -C2 -d -r1.39 -r1.40 *** ip_pool.c 6 Jul 2012 14:35:55 -0000 1.39 --- ip_pool.c 13 Jul 2012 06:38:23 -0000 1.40 *************** *** 417,421 **** #endif if (node.ipn_mask.adf_len != node.ipn_addr.adf_len) { - printf("%d != %d\n",node.ipn_mask.adf_len, node.ipn_addr.adf_len); IPFERROR(70029); return EINVAL; --- 417,420 ---- Index: ip_nat6.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat6.c,v retrieving revision 1.36 retrieving revision 1.37 diff -C2 -d -r1.36 -r1.37 *** ip_nat6.c 13 Jul 2012 06:14:41 -0000 1.36 --- ip_nat6.c 13 Jul 2012 06:38:23 -0000 1.37 *************** *** 136,139 **** --- 136,140 ---- #define NINCLSIDE6(y,x) ATOMIC_INCL(softn->ipf_nat_stats.ns_side6[y].x) + #define NBUMPSIDE(y,x) softn->ipf_nat_stats.ns_side[y].x++ #define NBUMPSIDE6(y,x) softn->ipf_nat_stats.ns_side6[y].x++ #define NBUMPSIDE6D(y,x) \ *************** *** 252,255 **** --- 253,257 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } *************** *** 293,296 **** --- 295,299 ---- n->in_pmnext = np; n->in_hv[1] = hv; + n->in_use++; *np = n; } *************** *** 321,324 **** --- 324,328 ---- n->in_rnext->in_prnext = n->in_prnext; *n->in_prnext = n->in_rnext; + n->in_use--; } *************** *** 348,351 **** --- 352,356 ---- n->in_mnext->in_pmnext = n->in_pmnext; *n->in_pmnext = n->in_mnext; + n->in_use--; } *************** *** 401,404 **** --- 406,410 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } else if (n->in_redir & NAT_REDIRECT) { *************** *** 411,414 **** --- 417,421 ---- n->in_pmnext = np; n->in_hv[1] = hv; + n->in_use++; *np = n; } *************** *** 483,486 **** --- 490,494 ---- softn->ipf_hm_maptable[hv] = hm; hm->hm_ipnat = np; + 
np->in_use++; hm->hm_osrcip6 = *src; hm->hm_odstip6 = *dst; *************** *** 568,572 **** in = hm->hm_nsrcip6; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(&hm); } --- 576,580 ---- in = hm->hm_nsrcip6; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(softc, &hm); } *************** *** 1185,1189 **** NBUMPSIDE6(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(&hm); KFREE(nat); nat = NULL; --- 1193,1197 ---- NBUMPSIDE6(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(softc, &hm); KFREE(nat); nat = NULL; *************** *** 1313,1321 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: nat(I) - pointer to NAT structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ --- 1321,1330 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat6_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* nat(I) - pointer to NAT structure */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ *************** *** 1330,1334 **** u_int hv1, hv2; u_32_t sp, dp; - nat_t **natp; ipnat_t *in; --- 1339,1342 ---- *************** *** 1349,1353 **** } hv1 = NAT_HASH_FN6(&nat->nat_osrc6, sp, 0xffffffff); ! hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp, softn->ipf_nat_table_sz); /* --- 1357,1362 ---- } hv1 = NAT_HASH_FN6(&nat->nat_osrc6, sp, 0xffffffff); ! hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp, ! 
softn->ipf_nat_table_sz); /* *************** *** 1367,1371 **** } hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, sp, 0xffffffff); ! hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + dp, softn->ipf_nat_table_sz); /* * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr, --- 1376,1381 ---- } hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, sp, 0xffffffff); ! hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + dp, ! softn->ipf_nat_table_sz); /* * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr, *************** *** 1384,1406 **** } - if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1] >= - softn->ipf_nat_maxbucket) { - NBUMPSIDE6D(0, ns_bucket_max); - return -1; - } - - if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2] >= - softn->ipf_nat_maxbucket) { - NBUMPSIDE6D(1, ns_bucket_max); - return -1; - } - if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || - nat->nat_dir == NAT_DIVERTIN) { - u_int swap; - - swap = hv2; - hv2 = hv1; - hv1 = swap; - } nat->nat_hv[0] = hv1; nat->nat_hv[1] = hv2; --- 1394,1397 ---- *************** *** 1409,1417 **** in = nat->nat_ptr; ! nat->nat_ref = 1; ! nat->nat_bytes[0] = 0; ! nat->nat_pkts[0] = 0; ! nat->nat_bytes[1] = 0; ! nat->nat_pkts[1] = 0; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; --- 1400,1404 ---- in = nat->nat_ptr; ! nat->nat_ref = nat->nat_me ? 2 : 1; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; *************** *** 1441,1475 **** } ! nat->nat_next = softn->ipf_nat_instances; ! nat->nat_pnext = &softn->ipf_nat_instances; ! if (softn->ipf_nat_instances) ! softn->ipf_nat_instances->nat_pnext = &nat->nat_next; ! softn->ipf_nat_instances = nat; ! ! natp = &softn->ipf_nat_table[0][hv1]; ! if (*natp) ! (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; ! else ! NBUMPSIDE6(0, ns_inuse); ! nat->nat_phnext[0] = natp; ! nat->nat_hnext[0] = *natp; ! *natp = nat; ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1]++; ! ! natp = &softn->ipf_nat_table[1][hv2]; ! if (*natp) ! (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; ! else ! NBUMPSIDE6(1, ns_inuse); ! 
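Review bot: ipf_nat6_insert still passes `softn->ipf_nat_table_sz` as the last argument of the second NAT_HASH_FN6 call, for hv1 in this hunk and for hv2 in the 1367 hunk, whereas the reworked ipf_nat_insert in ip_nat.c passes `0xffffffff` and leaves the reduction to ipf_nat_hashtab_add. If that argument is the modulus, as the IPv4 code suggests, nat_hv[] holds an already-reduced value for IPv6 entries, and a later table resize would re-bucket them from a value that depends on the old size. Consider `hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp, 0xffffffff);` and the same for hv2, so both address families store the raw hash. The function body starts and ends outside these hunks, and the macro definition is not shown, so this needs confirming.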
nat->nat_phnext[1] = natp; ! nat->nat_hnext[1] = *natp; ! *natp = nat; ! softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2]++; ! ! ipf_nat_setqueue(softc, softn, nat); ! ! softn->ipf_nat_stats.ns_side[1].ns_added++; ! softn->ipf_nat_stats.ns_active++; ! return 0; } --- 1428,1432 ---- } ! return ipf_nat_hashtab_add(softc, softn, nat); } Index: ip_nat.h =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.h,v retrieving revision 1.25 retrieving revision 1.26 diff -C2 -d -r1.25 -r1.26 *** ip_nat.h 6 Jul 2012 14:35:55 -0000 1.25 --- ip_nat.h 13 Jul 2012 06:38:23 -0000 1.26 *************** *** 232,236 **** u_long in_hits; int in_size; ! u_int in_use; u_int in_hv[2]; int in_flineno; /* conf. file line number */ --- 232,236 ---- u_long in_hits; int in_size; ! int in_use; u_int in_hv[2]; int in_flineno; /* conf. file line number */ *************** *** 366,369 **** --- 366,370 ---- #define IPN_SEQUENTIAL 0x400000 #define IPN_PURGE 0x800000 + #define IPN_PROXYRULE 0x1000000 #define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_SIPRANGE|IPN_SPLIT|\ IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_NO|\ *************** *** 643,646 **** --- 644,648 ---- nat_t *ipf_nat_instances; ipnat_t *ipf_nat_list; + ipnat_t **ipf_nat_list_tail; ipnat_t **ipf_nat_map_rules; ipnat_t **ipf_nat_rdr_rules; *************** *** 679,683 **** extern void ipf_nat_deref(ipf_main_softc_t *, nat_t **); extern void ipf_nat_expire(ipf_main_softc_t *); ! extern void ipf_nat_hostmapdel(hostmap_t **); extern int ipf_nat_hostmap_rehash(ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *); --- 681,687 ---- extern void ipf_nat_deref(ipf_main_softc_t *, nat_t **); extern void ipf_nat_expire(ipf_main_softc_t *); ! extern int ipf_nat_hashtab_add(ipf_main_softc_t *, ipf_nat_softc_t *, ! nat_t *); ! 
extern void ipf_nat_hostmapdel(ipf_main_softc_t *, hostmap_t **); extern int ipf_nat_hostmap_rehash(ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *); Index: ip_rcmd_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_rcmd_pxy.c,v retrieving revision 1.19 retrieving revision 1.20 diff -C2 -d -r1.19 -r1.20 *** ip_rcmd_pxy.c 15 Nov 2011 13:32:35 -0000 1.19 --- ip_rcmd_pxy.c 13 Jul 2012 06:38:23 -0000 1.20 *************** *** 12,15 **** --- 12,21 ---- #define IPF_RCMD_PROXY + typedef struct rcmdinfo { + u_32_t rcmd_port; /* Port number seen */ + u_32_t rcmd_portseq; /* Sequence number where port is first seen */ + ipnat_t *rcmd_rule; /* Template rule for back connection */ + } rcmdinfo_t; + void ipf_p_rcmd_main_load(void); void ipf_p_rcmd_main_unload(void); *************** *** 66,75 **** rcmdinfo_t *rc; ipnat_t *ipn; fin = fin; /* LINT */ - nat = nat; /* LINT */ ! aps->aps_psiz = sizeof(rcmdinfo_t) + nat->nat_ptr->in_namelen + 1; ! KMALLOCS(rc, rcmdinfo_t *, aps->aps_psiz); if (rc == NULL) { #ifdef IP_RCMD_PROXY_DEBUG --- 72,83 ---- rcmdinfo_t *rc; ipnat_t *ipn; + ipnat_t *np; + int size; fin = fin; /* LINT */ ! np = nat->nat_ptr; ! size = np->in_size; ! KMALLOC(rc, rcmdinfo_t *); if (rc == NULL) { #ifdef IP_RCMD_PROXY_DEBUG *************** *** 79,88 **** } aps->aps_data = rc; bzero((char *)rc, sizeof(*rc)); aps->aps_sport = tcp->th_sport; aps->aps_dport = tcp->th_dport; ! ipn = &rc->rcmd_rule; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; --- 87,106 ---- } + KMALLOCS(ipn, ipnat_t *, size); + if (ipn == NULL) { + KFREE(rc); + return -1; + } + aps->aps_data = rc; + aps->aps_psiz = sizeof(*rc); bzero((char *)rc, sizeof(*rc)); + bzero((char *)ipn, size); + rc->rcmd_rule = ipn; + aps->aps_sport = tcp->th_sport; aps->aps_dport = tcp->th_dport; ! 
ipn->in_size = size; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; *************** *** 92,96 **** ipn->in_ippip = 1; ! if ((nat->nat_ptr->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); --- 110,114 ---- ipn->in_ippip = 1; ! if ((np->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; ipn->in_snip = ntohl(nat->nat_odstaddr); *************** *** 116,123 **** ipn->in_pr[0] = IPPROTO_TCP; ipn->in_pr[1] = IPPROTO_TCP; MUTEX_INIT(&ipn->in_lock, "rcmd proxy NAT rule"); ! ipn->in_namelen = nat->nat_ptr->in_namelen; ! bcopy(nat->nat_ptr->in_names, ipn->in_ifnames, ipn->in_namelen); ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; --- 134,142 ---- ipn->in_pr[0] = IPPROTO_TCP; ipn->in_pr[1] = IPPROTO_TCP; + ipn->in_flags = (np->in_flags | IPN_PROXYRULE); MUTEX_INIT(&ipn->in_lock, "rcmd proxy NAT rule"); ! ipn->in_namelen = np->in_namelen; ! bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen); ipn->in_ifnames[0] = nat->nat_ptr->in_ifnames[0]; ipn->in_ifnames[1] = nat->nat_ptr->in_ifnames[1]; *************** *** 136,140 **** rci = aps->aps_data; if (rci != NULL) { ! MUTEX_DESTROY(&rci->rcmd_rule.in_lock); } } --- 155,160 ---- rci = aps->aps_data; if (rci != NULL) { ! rci->rcmd_rule->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &rci->rcmd_rule); } } *************** *** 284,288 **** nflags |= NAT_SLAVE|IPN_TCP; MUTEX_ENTER(&softn->ipf_nat_new); ! nat2 = ipf_nat_add(&fi, &rc->rcmd_rule, NULL, nflags, direction); MUTEX_EXIT(&softn->ipf_nat_new); --- 304,308 ---- nflags |= NAT_SLAVE|IPN_TCP; MUTEX_ENTER(&softn->ipf_nat_new); ! 
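Review bot: The rewritten `bcopy(np->in_names, ipn->in_ifnames, ipn->in_namelen);` still copies the name bytes into `in_ifnames`, which the next two lines assign per index as if it were a small array of offsets rather than the name buffer. If so, the copy can write up to in_namelen bytes across that field and whatever follows it, while the template's own name storage stays empty; the destination was probably meant to be `ipn->in_names`, i.e. `bcopy(np->in_names, ipn->in_names, ipn->in_namelen);`. It is also worth confirming that `np->in_size`, used for the KMALLOCS above, always covers in_namelen. Both field declarations are outside this diff, so check against ip_nat.h.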
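Review bot: The delete path now drops a reference with `ipf_nat_rulederef(softc, &rci->rcmd_rule);`, but none of the visible setup lines takes one for the proxy: the template is zeroed with bzero(), so `in_use` starts at 0. With `in_use` now a signed int and ipf_nat_rulederef() freeing only when the count reaches exactly 0, a template that never backed a NAT session would go to -1 and never be freed, and, assuming each session takes one reference, a template with a single live session would be freed while that session still points at it. Unless the lines between these hunks already do so, set `ipn->in_use = 1;` next to the `in_flags` assignment so the proxy holds its own reference.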
nat2 = ipf_nat_add(&fi, rc->rcmd_rule, NULL, nflags, direction); MUTEX_EXIT(&softn->ipf_nat_new); Index: ip_rpcb_pxy.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_rpcb_pxy.c,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** ip_rpcb_pxy.c 29 Jul 2009 06:13:00 -0000 1.14 --- ip_rpcb_pxy.c 13 Jul 2012 06:38:23 -0000 1.15 *************** *** 1257,1260 **** --- 1257,1261 ---- } + natl->nat_ptr = ipn; fi.fin_saddr = natl->nat_nsrcaddr; fi.fin_daddr = natl->nat_ndstaddr; Index: ip_nat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.c,v retrieving revision 1.93 retrieving revision 1.94 diff -C2 -d -r1.93 -r1.94 *** ip_nat.c 13 Jul 2012 06:14:41 -0000 1.93 --- ip_nat.c 13 Jul 2012 06:38:23 -0000 1.94 *************** *** 256,262 **** ipf_nat_softc_t *, ipnat_t *); static int ipf_nat_siocaddnat(ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, ipnat_t **, int); static void ipf_nat_siocdelnat(ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, ipnat_t **, int); static void ipf_nat_tabmove(ipf_nat_softc_t *, nat_t *); --- 256,262 ---- ipf_nat_softc_t *, ipnat_t *); static int ipf_nat_siocaddnat(ipf_main_softc_t *, ipf_nat_softc_t *, ! ipnat_t *, int); static void ipf_nat_siocdelnat(ipf_main_softc_t *, ipf_nat_softc_t *, ! 
ipnat_t *, int); static void ipf_nat_tabmove(ipf_nat_softc_t *, nat_t *); *************** *** 329,332 **** --- 329,334 ---- } + softn->ipf_nat_list_tail = &softn->ipf_nat_list; + softn->ipf_nat_table_max = NAT_TABLE_MAX; softn->ipf_nat_table_sz = NAT_TABLE_SZ; *************** *** 664,667 **** --- 666,670 ---- n->in_prnext = np; n->in_hv[0] = hv; + n->in_use++; *np = n; } *************** *** 705,708 **** --- 708,712 ---- n->in_pmnext = np; n->in_hv[1] = rhv; + n->in_use++; *np = n; } *************** *** 759,762 **** --- 763,767 ---- n->in_prnext = np; n->in_hv[0] = rhv; + n->in_use++; *np = n; } *************** *** 770,773 **** --- 775,779 ---- n->in_pmnext = np; n->in_hv[1] = rhv; + n->in_use++; *np = n; } *************** *** 798,801 **** --- 804,808 ---- n->in_rnext->in_prnext = n->in_prnext; *n->in_prnext = n->in_rnext; + n->in_use--; } *************** *** 822,825 **** --- 829,833 ---- n->in_mnext->in_pmnext = n->in_pmnext; *n->in_pmnext = n->in_mnext; + n->in_use--; } *************** *** 851,854 **** --- 859,867 ---- u_int hv, rhv; + if (np == NULL) { + softn->ipf_nat_stats.ns_hm_nullnp++; + return NULL; + } + hv = (src.s_addr ^ dst.s_addr); hv += src.s_addr; *************** *** 866,874 **** } - if (np == NULL) { - softn->ipf_nat_stats.ns_hm_nullnp++; - return NULL; - } - KMALLOC(hm, hostmap_t *); if (hm) { --- 879,882 ---- *************** *** 884,887 **** --- 892,896 ---- softn->ipf_hm_maptable[hv] = hm; hm->hm_ipnat = np; + np->in_use++; hm->hm_osrcip = src; hm->hm_odstip = dst; *************** *** 910,914 **** /* ------------------------------------------------------------------------ */ void ! ipf_nat_hostmapdel(hmp) struct hostmap **hmp; { --- 919,924 ---- /* ------------------------------------------------------------------------ */ void ! ipf_nat_hostmapdel(softc, hmp) ! 
ipf_main_softc_t *softc; struct hostmap **hmp; { *************** *** 920,923 **** --- 930,934 ---- hm->hm_ref--; if (hm->hm_ref == 0) { + ipf_nat_rulederef(softc, &hm->hm_ipnat); if (hm->hm_hnext) hm->hm_hnext->hm_phnext = hm->hm_phnext; *************** *** 1074,1079 **** { ipf_nat_softc_t *softn = softc->ipf_nat_soft; - ipnat_t *nat, *nt, *n = NULL, **np = NULL; int error = 0, ret, arg, getlock; ipnat_t natd; SPL_INT(s); --- 1085,1090 ---- { ipf_nat_softc_t *softn = softc->ipf_nat_soft; int error = 0, ret, arg, getlock; + ipnat_t *nat, *nt, *n = NULL; ipnat_t natd; SPL_INT(s); *************** *** 1158,1163 **** } MUTEX_ENTER(&softn->ipf_nat_io); ! for (np = &softn->ipf_nat_list; ((n = *np) != NULL); ! np = &n->in_next) if (ipf_nat_cmp_rules(nat, n) == 0) break; --- 1169,1173 ---- } MUTEX_ENTER(&softn->ipf_nat_io); ! for (n = softn->ipf_nat_list; n != NULL; n = n->in_next) if (ipf_nat_cmp_rules(nat, n) == 0) break; *************** *** 1234,1238 **** if (nat != nt) bcopy((char *)nat, (char *)nt, sizeof(*n)); ! error = ipf_nat_siocaddnat(softc, softn, nt, np, getlock); MUTEX_EXIT(&softn->ipf_nat_io); if (error == 0) --- 1244,1248 ---- if (nat != nt) bcopy((char *)nat, (char *)nt, sizeof(*n)); ! error = ipf_nat_siocaddnat(softc, softn, nt, getlock); MUTEX_EXIT(&softn->ipf_nat_io); if (error == 0) *************** *** 1264,1268 **** n->in_flags |= IPN_PURGE; } ! ipf_nat_siocdelnat(softc, softn, n, np, getlock); MUTEX_EXIT(&softn->ipf_nat_io); --- 1274,1278 ---- n->in_flags |= IPN_PURGE; } ! ipf_nat_siocdelnat(softc, softn, n, getlock); MUTEX_EXIT(&softn->ipf_nat_io); *************** *** 1497,1504 **** /* ------------------------------------------------------------------------ */ static int ! ipf_nat_siocaddnat(softc, softn, n, np, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n, **np; int getlock; { --- 1507,1514 ---- /* ------------------------------------------------------------------------ */ static int ! 
ipf_nat_siocaddnat(softc, softn, n, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n; int getlock; { *************** *** 1578,1582 **** } n->in_next = NULL; ! *np = n; if (n->in_redir & NAT_REDIRECT) { --- 1588,1595 ---- } n->in_next = NULL; ! n->in_pnext = softn->ipf_nat_list_tail; ! *n->in_pnext = n; ! softn->ipf_nat_list_tail = &n->in_next; ! n->in_use++; if (n->in_redir & NAT_REDIRECT) { *************** *** 1769,1773 **** /* softn(I) - pointer to NAT context structure */ /* n(I) - pointer to new NAT rule */ - /* np(I) - pointer to where to insert new NAT rule */ /* getlock(I) - flag indicating if lock on is held */ /* Mutex Locks: ipf_nat_io */ --- 1782,1785 ---- *************** *** 1778,1785 **** /* ------------------------------------------------------------------------ */ static void ! ipf_nat_siocdelnat(softc, softn, n, np, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n, **np; int getlock; { --- 1790,1797 ---- /* ------------------------------------------------------------------------ */ static void ! ipf_nat_siocdelnat(softc, softn, n, getlock) ipf_main_softc_t *softc; ipf_nat_softc_t *softn; ! ipnat_t *n; int getlock; { *************** *** 1838,1845 **** if (n->in_redir & NAT_REDIRECT) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); } if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); } --- 1850,1861 ---- if (n->in_redir & NAT_REDIRECT) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); ! } } if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); ! } } *************** *** 1860,1864 **** } ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); MUTEX_DESTROY(&n->in_lock); --- 1876,1882 ---- } ! if ((n->in_flags & IPN_PROXYRULE) == 0) { ! ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); ! 
} MUTEX_DESTROY(&n->in_lock); *************** *** 2475,2478 **** --- 2493,2497 ---- ipf_nat_softc_t *softn = softc->ipf_nat_soft; int madeorphan = 0, bkt, removed = 0; + nat_stat_side_t *nss; struct ipnat *ipn; *************** *** 2488,2500 **** bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz; ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[bkt]--; ! if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[bkt] == 0) { ! softn->ipf_nat_stats.ns_side[0].ns_inuse--; } bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz; ! softn->ipf_nat_stats.ns_side[1].ns_bucketlen[bkt]--; ! if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[bkt] == 0) { ! softn->ipf_nat_stats.ns_side[1].ns_inuse--; } --- 2507,2521 ---- bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz; ! nss = &softn->ipf_nat_stats.ns_side[0]; ! nss->ns_bucketlen[bkt]--; ! if (nss->ns_bucketlen[bkt] == 0) { ! nss->ns_inuse--; } bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz; ! nss = &softn->ipf_nat_stats.ns_side[1]; ! nss->ns_bucketlen[bkt]--; ! if (nss->ns_bucketlen[bkt] == 0) { ! nss->ns_inuse--; } *************** *** 2541,2544 **** --- 2562,2570 ---- } + if (nat->nat_sync) { + ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync); + nat->nat_sync = NULL; + } + if (logtype == NL_EXPIRE) softn->ipf_nat_stats.ns_expire++; *************** *** 2580,2586 **** softn->ipf_nat_stats.ns_proto[nat->nat_pr[0]]--; - if (nat->nat_sync) - ipf_sync_del_nat(softc->ipf_sync_soft,nat->nat_sync); - if (nat->nat_fr != NULL) { (void) ipf_derefrule(softc, &nat->nat_fr); --- 2606,2609 ---- *************** *** 2588,2592 **** if (nat->nat_hm != NULL) { ! ipf_nat_hostmapdel(&nat->nat_hm); } --- 2611,2615 ---- if (nat->nat_hm != NULL) { ! 
ipf_nat_hostmapdel(softc, &nat->nat_hm); } *************** *** 2603,2609 **** } MUTEX_DESTROY(&nat->nat_lock); - aps_free(softc, nat->nat_aps); softn->ipf_nat_stats.ns_active--; --- 2626,2636 ---- } + if (nat->nat_aps != NULL) { + ipf_proxy_free(softc, nat->nat_aps); + nat->nat_aps = NULL; + } + MUTEX_DESTROY(&nat->nat_lock); softn->ipf_nat_stats.ns_active--; *************** *** 2678,2682 **** ipf_nat_softc_t *softn; { ! ipnat_t *n, **np = &softn->ipf_nat_list; int i = 0; --- 2705,2709 ---- ipf_nat_softc_t *softn; { ! ipnat_t *n; int i = 0; *************** *** 2692,2697 **** } ! while ((n = *np) != NULL) { ! *np = n->in_next; ipf_nat_delrule(softc, softn, n, 0); i++; --- 2719,2723 ---- } ! while ((n = softn->ipf_nat_list) != NULL) { ipf_nat_delrule(softc, softn, n, 0); i++; *************** *** 2725,2728 **** --- 2751,2763 ---- int purge; { + + if (np->in_pnext != NULL) { + *np->in_pnext = np->in_next; + if (np->in_next != NULL) + np->in_next->in_pnext = np->in_pnext; + if (softn->ipf_nat_list_tail == &np->in_next) + softn->ipf_nat_list_tail = np->in_pnext; + } + if ((purge == 1) && ((np->in_flags & IPN_PURGE) != 0)) { nat_t *next; *************** *** 2736,2745 **** } ! np->in_next = NULL; ! if (np->in_use == 0) { ! ipf_nat_free_rule(softc, softn, np); ! } else { ! np->in_flags |= IPN_DELETE; ! } } --- 2771,2776 ---- } ! np->in_flags |= IPN_DELETE; ! ipf_nat_rulederef(softc, &np); } *************** *** 2812,2816 **** in.s_addr = hm->hm_nsrcip.s_addr; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(&hm); } in.s_addr = ntohl(in.s_addr); --- 2843,2847 ---- in.s_addr = hm->hm_nsrcip.s_addr; } else if ((l == 1) && (hm != NULL)) { ! ipf_nat_hostmapdel(softc, &hm); } in.s_addr = ntohl(in.s_addr); *************** *** 3070,3074 **** ni->nai_np = np; move = 0; ! ipf_nat_hostmapdel(&hm); } } --- 3101,3105 ---- ni->nai_np = np; move = 0; ! ipf_nat_hostmapdel(softc, &hm); } } *************** *** 3101,3105 **** } if (hm != NULL) ! 
ipf_nat_hostmapdel(&hm); } else if ((np->in_ndstaddr == 0) && (np->in_ndstmsk == 0xffffffff)) { --- 3132,3136 ---- } if (hm != NULL) ! ipf_nat_hostmapdel(softc, &hm); } else if ((np->in_ndstaddr == 0) && (np->in_ndstmsk == 0xffffffff)) { *************** *** 3404,3408 **** NBUMPSIDE(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(&hm); KFREE(nat); nat = NULL; --- 3435,3439 ---- NBUMPSIDE(fin->fin_out, ns_badnatnew); if ((hm = nat->nat_hm) != NULL) ! ipf_nat_hostmapdel(softc, &hm); KFREE(nat); nat = NULL; *************** *** 3523,3526 **** --- 3554,3559 ---- * nat_insert failed, so cleanup time... */ + if (nat->nat_sync != NULL) + ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync); return -1; } *************** *** 3528,3536 **** /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: nat(I) - pointer to NAT structure */ ! /* rev(I) - flag indicating forward/reverse direction of packet */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ --- 3561,3570 ---- /* ------------------------------------------------------------------------ */ ! /* Function: ipf_nat_insert */ ! /* Returns: int - 0 == sucess, -1 == failure */ ! /* Parameters: softc(I) - pointer to soft context main structure */ ! /* softn(I) - pointer to NAT context structure */ ! /* nat(I) - pointer to NAT structure */ ! /* Write Lock: ipf_nat */ /* */ /* Insert a NAT entry into the hash tables for searching and add it to the */ *************** *** 3543,3550 **** nat_t *nat; { ! u_int hv0, hv1, rhv0, rhv1; u_int sp, dp; ipnat_t *in; - nat_t **natp; /* --- 3577,3583 ---- nat_t *nat; { ! u_int hv0, hv1; u_int sp, dp; ipnat_t *in; /* *************** *** 3563,3568 **** dp = 0; } ! rhv0 = NAT_HASH_FN(nat->nat_osrcaddr, sp, 0xffffffff); ! 
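Review bot: The new failure path calls `ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync);` but leaves `nat->nat_sync` pointing at the released object, unlike the ipf_nat_delete() hunk in this same commit, which clears it. Add `nat->nat_sync = NULL;` after the call so that a caller which goes on to tear the entry down cannot release the sync object a second time. How the caller handles the -1 return is outside the hunk.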
rhv0 = NAT_HASH_FN(nat->nat_odstaddr, rhv0 + dp, 0xffffffff); /* * TRACE nat_osrcaddr, nat_osport, nat_odstaddr, --- 3596,3601 ---- dp = 0; } ! hv0 = NAT_HASH_FN(nat->nat_osrcaddr, sp, 0xffffffff); ! hv0 = NAT_HASH_FN(nat->nat_odstaddr, hv0 + dp, 0xffffffff); /* * TRACE nat_osrcaddr, nat_osport, nat_odstaddr, *************** *** 3580,3585 **** dp = 0; } ! rhv1 = NAT_HASH_FN(nat->nat_nsrcaddr, sp, 0xffffffff); ! rhv1 = NAT_HASH_FN(nat->nat_ndstaddr, rhv1 + dp, 0xffffffff); /* * TRACE nat_nsrcaddr, nat_nsport, nat_ndstaddr, --- 3613,3618 ---- dp = 0; } ! hv1 = NAT_HASH_FN(nat->nat_nsrcaddr, sp, 0xffffffff); ! hv1 = NAT_HASH_FN(nat->nat_ndstaddr, hv1 + dp, 0xffffffff); /* * TRACE nat_nsrcaddr, nat_nsport, nat_ndstaddr, *************** *** 3587,3627 **** */ } else { ! rhv0 = NAT_HASH_FN(nat->nat_osrcaddr, 0, 0xffffffff); ! rhv0 = NAT_HASH_FN(nat->nat_odstaddr, rhv0, 0xffffffff); ! /* TRACE nat_osrcaddr, nat_odstaddr, rhv0 */ ! ! rhv1 = NAT_HASH_FN(nat->nat_nsrcaddr, 0, 0xffffffff); ! rhv1 = NAT_HASH_FN(nat->nat_ndstaddr, rhv1, 0xffffffff); ! /* TRACE nat_nsrcaddr, nat_ndstaddr, rhv1 */ ! } ! hv0 = rhv0 % softn->ipf_nat_table_sz; ! hv1 = rhv1 % softn->ipf_nat_table_sz; ! ! if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0] >= ! softn->ipf_nat_maxbucket) { ! DT1(ns_bucket_max_0, int, ! softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]); ! NBUMPSIDE(0, ns_bucket_max); ! return -1; ! } ! if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1] >= ! softn->ipf_nat_maxbucket) { ! DT1(ns_bucket_max_1, int, ! softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]); ! NBUMPSIDE(1, ns_bucket_max); ! return -1; } ! if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || ! nat->nat_dir == NAT_DIVERTIN) { ! u_int swap; ! ! swap = hv0; ! hv0 = hv1; ! hv1 = swap; ! } ! nat->nat_hv[0] = rhv0; ! nat->nat_hv[1] = rhv1; MUTEX_INIT(&nat->nat_lock, "nat entry lock"); --- 3620,3634 ---- */ } else { ! hv0 = NAT_HASH_FN(nat->nat_osrcaddr, 0, 0xffffffff); ! 
hv0 = NAT_HASH_FN(nat->nat_odstaddr, hv0, 0xffffffff); ! /* TRACE nat_osrcaddr, nat_odstaddr, hv0 */ ! hv1 = NAT_HASH_FN(nat->nat_nsrcaddr, 0, 0xffffffff); ! hv1 = NAT_HASH_FN(nat->nat_ndstaddr, hv1, 0xffffffff); ! /* TRACE nat_nsrcaddr, nat_ndstaddr, hv1 */ } ! nat->nat_hv[0] = hv0; ! nat->nat_hv[1] = hv1; MUTEX_INIT(&nat->nat_lock, "nat entry lock"); *************** *** 3655,3658 **** --- 3662,3715 ---- } + return ipf_nat_hashtab_add(softc, softn, nat); + } + + + /* ------------------------------------------------------------------------ */ + /* Function: ipf_nat_hashtab_add */ + /* Parameters: softc(I) - pointer to soft context main structure */ + /* softn(I) - pointer to NAT context structure */ + /* nat(I) - pointer to NAT structure */ + /* */ + /* Handle the insertion of a NAT entry into the table/list. */ + /* ------------------------------------------------------------------------ */ + int + ipf_nat_hashtab_add(softc, softn, nat) + ipf_main_softc_t *softc; + ipf_nat_softc_t *softn; + nat_t *nat; + { + nat_t **natp; + u_int hv0; + u_int hv1; + + hv0 = nat->nat_hv[0] % softn->ipf_nat_table_sz; + hv1 = nat->nat_hv[1] % softn->ipf_nat_table_sz; + + if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || + nat->nat_dir == NAT_DIVERTIN) { + u_int swap; + + swap = hv0; + hv0 = hv1; + hv1 = swap; + } + + if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0] >= + softn->ipf_nat_maxbucket) { + DT1(ns_bucket_max_0, int, + softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]); + NBUMPSIDE(0, ns_bucket_max); + return -1; + } + + if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1] >= + softn->ipf_nat_maxbucket) { + DT1(ns_bucket_max_1, int, + softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]); + NBUMPSIDE(1, ns_bucket_max); + return -1; + } + /* * The ordering of operations in the list and hash table insertion *************** *** 3698,3703 **** NBUMPSIDE(1, ns_bucketlen[hv1]); - /* ---- */ - ipf_nat_setqueue(softc, softn, nat); --- 3755,3758 ---- *************** 
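Review bot: The header comment for the new ipf_nat_hashtab_add() lists only Parameters, although the function returns -1 when a bucket is full and is now the shared tail of ipf_nat_insert() and ipf_nat6_insert(), whose headers carry `Returns:` and `Write Lock:` lines. Add a `Returns: int - 0 == success, -1 == failure` line (the success value is presumably 0, as the callers document) and a `Write Lock: ipf_nat` line, so the contract is stated where it is implemented. A sentence noting that the inbound-direction swap is applied before the bucket-length check would also help, because that order differs from the code it replaces. The function body continues past the end of this hunk.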
*** 4910,4915 **** /* Function: ipf_nat_update */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* nat(I) - pointer to NAT structure */ /* */ /* Updates the lifetime of a NAT table entry for non-TCP packets. Must be */ --- 4965,4970 ---- /* Function: ipf_nat_update */ /* Returns: Nil */ ! /* Parameters: fin(I) - pointer to packet information */ ! /* nat(I) - pointer to NAT structure */ /* */ /* Updates the lifetime of a NAT table entry for non-TCP packets. Must be */ *************** *** 6460,6472 **** { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *in; ! in = *inp; *inp = NULL; ! in->in_space++; ! in->in_use--; ! if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) { ! ipf_nat_free_rule(softc, softn, in); ! } } --- 6515,6526 ---- { ipf_nat_softc_t *softn = softc->ipf_nat_soft; ! ipnat_t *np; ! np = *inp; *inp = NULL; ! np->in_space++; ! np->in_use--; ! if (np->in_use == 0) ! ipf_nat_free_rule(softc, softn, np); } *************** *** 6891,6895 **** if (hm != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel(&hm); RWLOCK_EXIT(&softc->ipf_nat); } --- 6945,6949 ---- if (hm != NULL) { WRITE_ENTER(&softc->ipf_nat); ! ipf_nat_hostmapdel(softc, &hm); RWLOCK_EXIT(&softc->ipf_nat); } *************** *** 8542,8545 **** --- 8596,8600 ---- u_int maxbucket; u_int newsize; + int error; u_int hv; int i; *************** *** 8552,8555 **** --- 8607,8614 ---- return 0; + newtab[0] = NULL; + newtab[1] = NULL; + bucketlens[0] = NULL; + bucketlens[1] = NULL; /* * 4 tables depend on the NAT table size: the inbound looking table, *************** *** 8558,8587 **** KMALLOCS(newtab[0], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! IPFERROR(60063); ! return ENOMEM; } KMALLOCS(newtab[1], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! KFREES(newtab[0], newsize * sizeof(nat_t *)); ! IPFERROR(60064); ! return ENOMEM; } KMALLOCS(bucketlens[0], u_int *, newsize * sizeof(u_int)); if (bucketlens[0] == NULL) { ! 
KFREES(newtab[0], newsize * sizeof(nat_t *)); ! KFREES(newtab[1], newsize * sizeof(nat_t *)); ! IPFERROR(60065); ! return ENOMEM; } KMALLOCS(bucketlens[1], u_int *, newsize * sizeof(u_int)); if (bucketlens[1] == NULL) { ! KFREES(bucketlens[0], newsize * sizeof(u_int)); ! KFREES(newtab[0], newsize * sizeof(nat_t *)); ! KFREES(newtab[1], newsize * sizeof(nat_t *)); ! IPFERROR(60066); ! return ENOMEM; } --- 8617,8640 ---- KMALLOCS(newtab[0], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! error = 60063; ! goto badrehash; } KMALLOCS(newtab[1], nat_t **, newsize * sizeof(nat_t *)); if (newtab == NULL) { ! error = 60064; ! goto badrehash; } KMALLOCS(bucketlens[0], u_int *, newsize * sizeof(u_int)); if (bucketlens[0] == NULL) { ! error = 60065; ! goto badrehash; } KMALLOCS(bucketlens[1], u_int *, newsize * sizeof(u_int)); if (bucketlens[1] == NULL) { ! error = 60066; ! goto badrehash; } *************** *** 8626,8629 **** --- 8679,8694 ---- softn->ipf_nat_stats.ns_side[1].ns_bucketlen = bucketlens[1]; + if (softn->ipf_nat_stats.ns_side6[0].ns_bucketlen != NULL) { + KFREES(softn->ipf_nat_stats.ns_side6[0].ns_bucketlen, + softn->ipf_nat_table_sz * sizeof(u_int)); + } + softn->ipf_nat_stats.ns_side6[0].ns_bucketlen = bucketlens[0]; + + if (softn->ipf_nat_stats.ns_side6[1].ns_bucketlen != NULL) { + KFREES(softn->ipf_nat_stats.ns_side6[1].ns_bucketlen, + softn->ipf_nat_table_sz * sizeof(u_int)); + } + softn->ipf_nat_stats.ns_side6[1].ns_bucketlen = bucketlens[1]; + softn->ipf_nat_maxbucket = maxbucket; softn->ipf_nat_table_sz = newsize; *************** *** 8635,8638 **** --- 8700,8705 ---- softn->ipf_nat_stats.ns_side[0].ns_inuse = 0; softn->ipf_nat_stats.ns_side[1].ns_inuse = 0; + softn->ipf_nat_stats.ns_side6[0].ns_inuse = 0; + softn->ipf_nat_stats.ns_side6[1].ns_inuse = 0; for (nat = softn->ipf_nat_instances; nat != NULL; nat = nat->nat_next) { *************** *** 8670,8673 **** --- 8737,8756 ---- return 0; + + badrehash: + if (bucketlens[1] != NULL) { + 
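Review bot: Both table allocations are still tested with `if (newtab == NULL)`, which examines the array itself rather than the pointer KMALLOCS just filled in, so a failed allocation would not reach the new `goto badrehash` and the NULL table would be used later. Test the element instead: `if (newtab[0] == NULL)` after the first call and `if (newtab[1] == NULL)` after the second. The declaration of newtab is outside the hunk, but it is indexed as a two-element array throughout.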
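Review bot: After this hunk `ns_side6[1].ns_bucketlen` is set to the same `bucketlens[1]` that the context line has just stored in `ns_side[1].ns_bucketlen`, and index 0 is treated the same way, so two owners now hold one allocation. On the next resize the added `KFREES(softn->ipf_nat_stats.ns_side6[...].ns_bucketlen, ...)` would release memory that the ns_side path has, presumably, already released just above the hunk, and any unload code that frees both pointers would do the same. Either allocate separate arrays for the IPv6 counters, or make the sharing explicit by freeing through one owner only and merely reassigning the other pointer.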
KFREES(bucketlens[0], newsize * sizeof(u_int)); + } + if (bucketlens[0] != NULL) { + KFREES(bucketlens[0], newsize * sizeof(u_int)); + } + if (newtab[0] != NULL) { + KFREES(newtab[0], newsize * sizeof(nat_t *)); + } + if (newtab[1] != NULL) { + KFREES(newtab[1], newsize * sizeof(nat_t *)); + } + IPFERROR(error); + return ENOMEM; } |
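Review bot: In the new `badrehash` cleanup the first test checks `bucketlens[1]` but frees `bucketlens[0]`, which the next block then frees again. None of the four gotos shown can arrive with bucketlens[1] set, so this is latent today, but any later jump to the label would double-free one array and leak the other. The first free should read `KFREES(bucketlens[1], newsize * sizeof(u_int));`.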
From: Darren <dar...@us...> - 2012-07-13 06:23:29
|
Update of /cvsroot/ipfilter/ipfilter/lib In directory vz-cvs-4.sog:/tmp/cvs-serv11985/lib Modified Files: Tag: v5-1-RELEASE printipfexpr.c Log Message: 3542980 printing ipv6 expressions is wrong Index: printipfexpr.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/lib/printipfexpr.c,v retrieving revision 1.3.2.2 retrieving revision 1.3.2.3 diff -C2 -d -r1.3.2.2 -r1.3.2.3 *** printipfexpr.c 9 Jun 2012 06:29:49 -0000 1.3.2.2 --- printipfexpr.c 13 Jul 2012 06:23:27 -0000 1.3.2.3 *************** *** 97,111 **** #ifdef USE_INET6 case IPF_EXP_IP6_ADDR : ! PRINTF("ip6.addr= "); printhostsv6(array + i); break; case IPF_EXP_IP6_SRCADDR : ! PRINTF("ip6.src= "); printhostsv6(array + i); break; case IPF_EXP_IP6_DSTADDR : ! PRINTF("ip6.dst= "); printhostsv6(array + i); break; --- 97,111 ---- #ifdef USE_INET6 case IPF_EXP_IP6_ADDR : ! PRINTF("ip6.addr %s= ", not ? "!" : ""); printhostsv6(array + i); break; case IPF_EXP_IP6_SRCADDR : ! PRINTF("ip6.src %s= ", not ? "!" : ""); printhostsv6(array + i); break; case IPF_EXP_IP6_DSTADDR : ! PRINTF("ip6.dst %s= ", not ? "!" : ""); printhostsv6(array + i); break; |
From: Darren <dar...@us...> - 2012-07-13 06:23:22
|
Update of /cvsroot/ipfilter/ipfilter/lib In directory vz-cvs-4.sog:/tmp/cvs-serv11964/lib Modified Files: printipfexpr.c Log Message: 3542980 printing ipv6 expressions is wrong Index: printipfexpr.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/lib/printipfexpr.c,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** printipfexpr.c 9 Jun 2012 06:29:30 -0000 1.6 --- printipfexpr.c 13 Jul 2012 06:23:20 -0000 1.7 *************** *** 97,111 **** #ifdef USE_INET6 case IPF_EXP_IP6_ADDR : ! PRINTF("ip6.addr= "); printhostsv6(array + i); break; case IPF_EXP_IP6_SRCADDR : ! PRINTF("ip6.src= "); printhostsv6(array + i); break; case IPF_EXP_IP6_DSTADDR : ! PRINTF("ip6.dst= "); printhostsv6(array + i); break; --- 97,111 ---- #ifdef USE_INET6 case IPF_EXP_IP6_ADDR : ! PRINTF("ip6.addr %s= ", not ? "!" : ""); printhostsv6(array + i); break; case IPF_EXP_IP6_SRCADDR : ! PRINTF("ip6.src %s= ", not ? "!" : ""); printhostsv6(array + i); break; case IPF_EXP_IP6_DSTADDR : ! PRINTF("ip6.dst %s= ", not ? "!" : ""); printhostsv6(array + i); break; |
From: Darren <dar...@us...> - 2012-07-13 06:19:25
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11921/tools Modified Files: Tag: v5-1-RELEASE ippool_y.y Log Message: 3542983 ippool cannot handle more than one ipv6 address Index: ippool_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ippool_y.y,v retrieving revision 1.14.2.5 retrieving revision 1.14.2.6 diff -C2 -d -r1.14.2.5 -r1.14.2.6 *** ippool_y.y 9 Jul 2012 15:50:41 -0000 1.14.2.5 --- ippool_y.y 13 Jul 2012 06:19:23 -0000 1.14.2.6 *************** *** 524,529 **** dstentries: ! dstentry ';' { $$ = $1; } ! | dstentry ';' dstentries { $1->ipfd_next = $3; $$ = $1; } ; --- 524,529 ---- dstentries: ! dstentry next { $$ = $1; } ! | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; } ; |
From: Darren <dar...@us...> - 2012-07-13 06:19:14
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11906/tools Modified Files: ippool_y.y Log Message: 3542983 ippool cannot handle more than one ipv6 address Index: ippool_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ippool_y.y,v retrieving revision 1.19 retrieving revision 1.20 diff -C2 -d -r1.19 -r1.20 *** ippool_y.y 9 Jul 2012 15:50:22 -0000 1.19 --- ippool_y.y 13 Jul 2012 06:19:12 -0000 1.20 *************** *** 524,529 **** dstentries: ! dstentry ';' { $$ = $1; } ! | dstentry ';' dstentries { $1->ipfd_next = $3; $$ = $1; } ; --- 524,529 ---- dstentries: ! dstentry next { $$ = $1; } ! | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; } ; |
From: Darren <dar...@us...> - 2012-07-13 06:18:14
|
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv11884 Modified Files: Tag: v5-1-RELEASE fil.c Log Message: 3543018 mask array shifted incorrectly. Index: fil.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/fil.c,v retrieving revision 1.68.2.53 retrieving revision 1.68.2.54 diff -C2 -d -r1.68.2.53 -r1.68.2.54 *** fil.c 13 Jul 2012 06:15:08 -0000 1.68.2.53 --- fil.c 13 Jul 2012 06:18:12 -0000 1.68.2.54 *************** *** 10045,10049 **** for (i = 0; i < 33; i++) { if (ntohl(mtab->imt4_active[i]) < mask) { ! for (j = i + 1; j < 33; j++) mtab->imt4_active[j] = mtab->imt4_active[j - 1]; mtab->imt4_active[i] = htonl(mask); --- 10045,10049 ---- for (i = 0; i < 33; i++) { if (ntohl(mtab->imt4_active[i]) < mask) { ! for (j = 32; j > i; j--) mtab->imt4_active[j] = mtab->imt4_active[j - 1]; mtab->imt4_active[i] = htonl(mask); *************** *** 10126,10130 **** for (i = 0; i < 129; i++) { if (IP6_LT(&mtab->imt6_active[i], mask)) { ! for (j = i + 1; j < 129; j++) mtab->imt6_active[j] = mtab->imt6_active[j - 1]; mtab->imt6_active[i] = *mask; --- 10126,10130 ---- for (i = 0; i < 129; i++) { if (IP6_LT(&mtab->imt6_active[i], mask)) { ! for (j = 128; j > i; j--) mtab->imt6_active[j] = mtab->imt6_active[j - 1]; mtab->imt6_active[i] = *mask; |
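Review bot: The corrected shift loops in both hunks (`for (j = 32; j > i; j--)` and `for (j = 128; j > i; j--)`) overwrite the last slot, `imt4_active[32]` or `imt6_active[128]`, with no visible check that it is unused, so a full table would silently lose its last entry. That is presumably safe if every mask appears at most once, but the enclosing functions start and end outside the hunks, so the guarantee cannot be confirmed from here. The limits 32 and 128 are also hand-derived from the 33 and 129 of the outer loops; deriving both from one named constant would keep them in step. A comment such as `/* shift entries up one slot from the top down, so none is overwritten before it is copied */` would record why the direction matters. The trunk commit of fil.c (revision 1.122) carries the same two hunks.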
From: Darren <dar...@us...> - 2012-07-13 06:17:51
|
Update of /cvsroot/ipfilter/ipfilter In directory vz-cvs-4.sog:/tmp/cvs-serv11872 Modified Files: fil.c Log Message: 3543018 mask array shifted incorrectly. Index: fil.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/fil.c,v retrieving revision 1.121 retrieving revision 1.122 diff -C2 -d -r1.121 -r1.122 *** fil.c 13 Jul 2012 06:14:41 -0000 1.121 --- fil.c 13 Jul 2012 06:17:49 -0000 1.122 *************** *** 10134,10138 **** for (i = 0; i < 33; i++) { if (ntohl(mtab->imt4_active[i]) < mask) { ! for (j = i + 1; j < 33; j++) mtab->imt4_active[j] = mtab->imt4_active[j - 1]; mtab->imt4_active[i] = htonl(mask); --- 10134,10138 ---- for (i = 0; i < 33; i++) { if (ntohl(mtab->imt4_active[i]) < mask) { ! for (j = 32; j > i; j--) mtab->imt4_active[j] = mtab->imt4_active[j - 1]; mtab->imt4_active[i] = htonl(mask); *************** *** 10215,10219 **** for (i = 0; i < 129; i++) { if (IP6_LT(&mtab->imt6_active[i], mask)) { ! for (j = i + 1; j < 129; j++) mtab->imt6_active[j] = mtab->imt6_active[j - 1]; mtab->imt6_active[i] = *mask; --- 10215,10219 ---- for (i = 0; i < 129; i++) { if (IP6_LT(&mtab->imt6_active[i], mask)) { ! for (j = 128; j > i; j--) mtab->imt6_active[j] = mtab->imt6_active[j - 1]; mtab->imt6_active[i] = *mask; |
From: Darren <dar...@us...> - 2012-07-13 06:15:10
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11817/tools Modified Files: Tag: v5-1-RELEASE ipfstat.c Log Message: 3542974 reason for dropping packet is lost Index: ipfstat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipfstat.c,v retrieving revision 1.18.2.10 retrieving revision 1.18.2.11 diff -C2 -d -r1.18.2.10 -r1.18.2.11 *** ipfstat.c 6 Jul 2012 14:26:56 -0000 1.18.2.10 --- ipfstat.c 13 Jul 2012 06:15:08 -0000 1.18.2.11 *************** *** 100,103 **** --- 100,123 ---- frgroup_t *grtail = NULL; + char *blockreasons[FRB_MAX_VALUE + 1] = { + "packet blocked", + "log rule failure", + "pps rate exceeded", + "jumbogram", + "makefrip failed", + "cannot add state", + "IP ID update failed", + "log-or-block failed", + "decapsulate failure", + "cannot create new auth entry", + "packet queued for auth", + "buffer coalesce failure", + "buffer pullup failure", + "auth feedback", + "bad fragment", + "IPv4 NAT failure", + "IPv6 NAT failure" + }; + #ifdef STATETOP #define STSTRSIZE 80 *************** *** 702,705 **** --- 722,727 ---- ipf_statistics_t *frs; { + int i; + PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side); #ifdef USE_INET6 *************** *** 724,727 **** --- 746,752 ---- PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side); PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side); + for (i = 0; i <= FRB_MAX_VALUE; i++) + PRINTF("%lu\t%s block reason %s\n", + frs->fr_blocked[i], side, blockreasons[i]); } *************** *** 1032,1043 **** printed = printlivelist(fiop, i, set, fp, NULL, NULL); if (printed == 0) { ! FPRINTF(stderr, "empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); } } else { if (!fp) { ! FPRINTF(stderr, "empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); } else { --- 1057,1068 ---- printed = printlivelist(fiop, i, set, fp, NULL, NULL); if (printed == 0) { ! 
FPRINTF(stderr, "# empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); } } else { if (!fp) { ! FPRINTF(stderr, "# empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); } else { |
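Review bot: The new `blockreasons` table is declared with `FRB_MAX_VALUE + 1` slots but lists 17 strings, so if `FRB_MAX_VALUE` is, or later becomes, larger than 16, the unlisted slots are NULL and the new loop hands them to `%s` in `PRINTF`. The definition of `FRB_MAX_VALUE` is not part of this diff, so whether the counts match today cannot be confirmed from here. Printing `blockreasons[i] != NULL ? blockreasons[i] : "unknown"` in the loop would keep ipfstat well defined when the header gains a reason before this tool is updated. The table could also be declared `const char *`, since nothing shown writes to it. The trunk commit of ipfstat.c (revision 1.29) adds the same table and loop.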
From: Darren <dar...@us...> - 2012-07-13 06:14:43
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11799/tools Modified Files: ipfstat.c Log Message: 3542974 reason for dropping packet is lost Index: ipfstat.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipfstat.c,v retrieving revision 1.28 retrieving revision 1.29 diff -C2 -d -r1.28 -r1.29 *** ipfstat.c 6 Jul 2012 14:26:45 -0000 1.28 --- ipfstat.c 13 Jul 2012 06:14:41 -0000 1.29 *************** *** 104,107 **** --- 104,127 ---- static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH }; + char *blockreasons[FRB_MAX_VALUE + 1] = { + "packet blocked", + "log rule failure", + "pps rate exceeded", + "jumbogram", + "makefrip failed", + "cannot add state", + "IP ID update failed", + "log-or-block failed", + "decapsulate failure", + "cannot create new auth entry", + "packet queued for auth", + "buffer coalesce failure", + "buffer pullup failure", + "auth feedback", + "bad fragment", + "IPv4 NAT failure", + "IPv6 NAT failure" + }; + #ifdef STATETOP #define STSTRSIZE 80 *************** *** 716,719 **** --- 736,741 ---- ipf_statistics_t *frs; { + int i; + PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side); #ifdef USE_INET6 *************** *** 738,741 **** --- 760,766 ---- PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side); PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side); + for (i = 0; i <= FRB_MAX_VALUE; i++) + PRINTF("%lu\t%s block reason %s\n", + frs->fr_blocked[i], side, blockreasons[i]); } *************** *** 891,902 **** NULL, ipf_walker); if (printed == 0) { ! FPRINTF(stderr, "empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); } } else { if (!fp) { ! FPRINTF(stderr, "empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); return; --- 916,927 ---- NULL, ipf_walker); if (printed == 0) { ! FPRINTF(stderr, "# empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? 
"inactive " : "", filters[i]); } } else { if (!fp) { ! FPRINTF(stderr, "# empty list for %s%s\n", ! (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); return; |
From: Darren <dar...@us...> - 2012-07-13 06:03:15
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11535/tools Modified Files: ipf_y.y Log Message: 3542982 line numbers not recorded/displayed correctly by ipf Index: ipf_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipf_y.y,v retrieving revision 1.33 retrieving revision 1.34 diff -C2 -d -r1.33 -r1.34 *** ipf_y.y 6 Jul 2012 14:35:55 -0000 1.33 --- ipf_y.y 13 Jul 2012 06:03:13 -0000 1.34 *************** *** 2057,2060 **** --- 2057,2061 ---- fr->fr_logtag = FR_NOLOGTAG; fr->fr_type = FR_T_NONE; + fr->fr_flineno = yylineNum; if (use_inet6 == 1) *************** *** 2425,2429 **** char msg[80]; ! sprintf(msg, "%d:ioctl(zero rule)", yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2426,2431 ---- char msg[80]; ! sprintf(msg, "%d:ioctl(zero rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 2445,2449 **** sprintf(msg, "%d:ioctl(delete rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2447,2451 ---- sprintf(msg, "%d:ioctl(delete rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 2455,2459 **** sprintf(msg, "%d:ioctl(add/insert rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2457,2461 ---- sprintf(msg, "%d:ioctl(add/insert rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } |
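Review bot: The three rewritten `sprintf(msg, "%d:ioctl(...)", fr->fr_flineno)` calls still write into `msg` (declared `char msg[80]` in the first of these hunks) with no bound. The output fits today, but `snprintf(msg, sizeof(msg), "%d:ioctl(zero rule)", fr->fr_flineno);`, and likewise for the delete and add/insert messages, keeps that true if the text ever changes. The `%d` conversion now also depends on the type of `fr_flineno`, which is declared outside this diff; if it is not `int`, the argument needs a cast or a matching specifier. The v5-1-RELEASE commit of ipf_y.y (revision 1.22.2.11) has the same three calls.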
From: Darren <dar...@us...> - 2012-07-13 06:03:07
|
Update of /cvsroot/ipfilter/ipfilter/tools In directory vz-cvs-4.sog:/tmp/cvs-serv11524/tools Modified Files: Tag: v5-1-RELEASE ipf_y.y Log Message: 3542982 line numbers not recorded/displayed correctly by ipf Index: ipf_y.y =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/tools/ipf_y.y,v retrieving revision 1.22.2.10 retrieving revision 1.22.2.11 diff -C2 -d -r1.22.2.10 -r1.22.2.11 *** ipf_y.y 6 Jul 2012 14:35:37 -0000 1.22.2.10 --- ipf_y.y 13 Jul 2012 06:03:05 -0000 1.22.2.11 *************** *** 2065,2068 **** --- 2065,2069 ---- fr->fr_logtag = FR_NOLOGTAG; fr->fr_type = FR_T_NONE; + fr->fr_flineno = yylineNum; if (use_inet6 == 1) *************** *** 2433,2437 **** char msg[80]; ! sprintf(msg, "%d:ioctl(zero rule)", yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2434,2439 ---- char msg[80]; ! sprintf(msg, "%d:ioctl(zero rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 2453,2457 **** sprintf(msg, "%d:ioctl(delete rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2455,2459 ---- sprintf(msg, "%d:ioctl(delete rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } *************** *** 2463,2467 **** sprintf(msg, "%d:ioctl(add/insert rule)", ! yylineNum); return ipf_perror_fd(fd, ioctlfunc, msg); } --- 2465,2469 ---- sprintf(msg, "%d:ioctl(add/insert rule)", ! fr->fr_flineno); return ipf_perror_fd(fd, ioctlfunc, msg); } |
From: Darren <dar...@us...> - 2012-07-13 06:02:11
|
Update of /cvsroot/ipfilter/ipfilter/lib In directory vz-cvs-4.sog:/tmp/cvs-serv11497/lib Modified Files: Tag: v5-1-RELEASE printlookup.c Log Message: 3542981 exclamation mark causes trouble with pools Index: printlookup.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/lib/printlookup.c,v retrieving revision 1.6.2.1 retrieving revision 1.6.2.2 diff -C2 -d -r1.6.2.1 -r1.6.2.2 *** printlookup.c 26 Jan 2012 05:44:26 -0000 1.6.2.1 --- printlookup.c 13 Jul 2012 06:02:09 -0000 1.6.2.2 *************** *** 40,45 **** PRINTF("%s", name); } - - if (mask->iplookupptr == NULL) - PRINTF("(!)"); } --- 40,42 ---- |
From: Darren <dar...@us...> - 2012-07-13 06:02:04
|
Update of /cvsroot/ipfilter/ipfilter/lib In directory vz-cvs-4.sog:/tmp/cvs-serv11482/lib Modified Files: printlookup.c Log Message: 3542981 exclamation mark causes trouble with pools Index: printlookup.c =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/lib/printlookup.c,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** printlookup.c 1 Mar 2009 12:48:32 -0000 1.6 --- printlookup.c 13 Jul 2012 06:02:02 -0000 1.7 *************** *** 40,45 **** PRINTF("%s", name); } - - if (mask->iplookupptr == NULL) - PRINTF("(!)"); } --- 40,42 ---- |
From: Darren <dar...@us...> - 2012-07-09 16:43:52
|
Update of /cvsroot/ipfilter/ipfilter/test/input In directory vz-cvs-4.sog:/tmp/cvs-serv11639/test/input Modified Files: f24.dist Log Message: 3541655 test suite checksums incorrect Index: f24.dist =================================================================== RCS file: /cvsroot/ipfilter/ipfilter/test/input/f24.dist,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** f24.dist 17 Nov 2011 20:26:50 -0000 1.1 --- f24.dist 9 Jul 2012 16:43:49 -0000 1.2 *************** *** 13,17 **** [in,NIC0] ! 4500 004c fc96 2006 4011 d9b4 c0a8 01fe c0a8 0101 cbe7 50c0 1300 0200 0100 0078 8c00 0603 6e73 31c0 13c0 1300 0200 0100 --- 13,17 ---- [in,NIC0] ! 4500 004c fc96 2007 4011 d9b4 c0a8 01fe c0a8 0101 cbe7 50c0 1300 0200 0100 0078 8c00 0603 6e73 31c0 13c0 1300 0200 0100 |
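Review bot: The changed word is the fourth 16-bit word of the IPv4 header (flags and fragment offset, `2006` to `2007`), not the header checksum word `d9b4`, although the log message speaks of checksums. Summing the ten header words as shown, the old line folds to `ffff` and so verified, while the new line does not, which means the packet now carries a header checksum that fails verification. If the test is meant to exercise a bad-checksum path, a note saying so next to the packet (if the input format allows comments) would stop the value being "corrected" back later. Otherwise the checksum word would need to become `d9b3` to match the new offset.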