Committ changes from 3.4.31 -> 3.4.35

* fix bug parsing port comparisons in proxy rules
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make ipfstat work as a set{g,u}id thing - gave up privs before opening
  /dev/ipl
* fix ipfstat -A
* make "ipfstat -f" output more informative
* various changes to ipsend for sending packets with ipv4 options
* ipmon was not correctly calculating the length of the IPv6 packet (excluded
  ipv6 header length)

MFC:	1 week

contrib/ipfilter/Makefile

@@ -85,7 +85,7 @@ all:
 	@echo "solaris	- auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86"
 	@echo "netbsd	- compile for NetBSD"
 	@echo "openbsd	- compile for OpenBSD"
-	@echo "freebsd	- compile for FreeBSD 2.0, 2.1 or earlier"
+	@echo "freebsd20	- compile for FreeBSD 2.0, 2.1 or earlier"
 	@echo "freebsd22	- compile for FreeBSD-2.2 or greater"
 	@echo "freebsd3	- compile for FreeBSD-3.x"
 	@echo "freebsd4	- compile for FreeBSD-4.x"
@@ -124,7 +124,7 @@ freebsd22: include
 	else \
 		ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
 	fi
-	make freebsd
+	make freebsd20
 
 freebsd4: include
 	if [ x$INET6 = x ] ; then \
@@ -151,7 +151,7 @@ openbsd openbsd21: include
 	(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
 	(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
 
-freebsd freebsd20 freebsd21: include
+freebsd20 freebsd21: include
 	make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
 	(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
 	(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
@@ -289,3 +289,27 @@ null:
 		exit 1; \
 	fi
 	-@echo make ok
+
+test-solaris test-sunos4 test-sunos5: solaris
+	(cd test && make clean && make)
+
+test-freebsd: freebsd
+	(cd test && make clean && make)
+
+test-freebsd22: freebsd22
+	(cd test && make clean && make)
+
+test-freebsd3: freebsd3
+	(cd test && make clean && make)
+
+test-freebsd4: freebsd4
+	(cd test && make clean && make)
+
+test-netbsd: netbsd
+	(cd test && make clean && make)
+
+test-openbsd: openbsd
+	(cd test && make clean && make)
+
+test-irix: irix
+	(cd test && make clean && make)

contrib/ipfilter/ipmon.c

@@ -994,7 +994,7 @@ int	blen;
 		p = (u_short)ip6->ip6_nxt;
 		s = (u_32_t *)&ip6->ip6_src;
 		d = (u_32_t *)&ip6->ip6_dst;
-		plen = ntohs(ip6->ip6_plen);
+		plen = hl + ntohs(ip6->ip6_plen);
 #else
 		sprintf(t, "ipv6");
 		goto printipflog;
@@ -1108,11 +1108,12 @@ int	blen;
 					ipc->ip_hl << 2, i);
 				t += strlen(t);
 				if (ipoff & IP_OFFMASK) {
-					(void) sprintf(t, " frag %s%s%hu@%hu",
-						ipoff & IP_MF ? "+" : "",
-						ipoff & IP_DF ? "-" : "",
+					(void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+						ntohs(ipc->ip_id),
 						i - (ipc->ip_hl<<2),
-						(ipoff & IP_OFFMASK) << 3);
+						(ipoff & IP_OFFMASK) << 3,
+						ipoff & IP_MF ? "+" : "",
+						ipoff & IP_DF ? "-" : "");
 				}
 			}
 		}
@@ -1123,10 +1124,11 @@ int	blen;
 			hostname(res, v, d), proto, hl, plen);
 		t += strlen(t);
 		if (off & IP_OFFMASK)
-			(void) sprintf(t, " frag %s%s%hu@%hu",
+			(void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+				ntohs(ip->ip_id),
+				plen - hl, (off & IP_OFFMASK) << 3,
 				ipoff & IP_MF ? "+" : "",
-				ipoff & IP_DF ? "-" : "",
-				plen - hl, (off & IP_OFFMASK) << 3);
+				ipoff & IP_DF ? "-" : "");
 	}
 	t += strlen(t);
 

contrib/ipfilter/ipsend/ipsend.5

@@ -1,3 +1,4 @@
+.\" $FreeBSD$
 .TH IPSEND 5
 .SH NAME
 ipsend \- IP packet description language
@@ -102,7 +103,7 @@ route installed in the kernel.
 is used to describe an IP (version 4) packet.  IP header fields can be
 specified, including options, followed by a data section which may contain
 further protocol headers.
-.SH IPV4
+.SH IPv4
 .TP
 .B hl <number>
 manually specifies the IP header length (automatically adjusts with the
@@ -116,7 +117,7 @@ set the type of service (TOS) field in the IP header.  Default is 0.
 .TP
 .B len <number>
 manually specifies the length of the IP packet.  The length will automatically
-be adjusted to accomodate data or further protocol headers.
+be adjusted to accommodate data or further protocol headers.
 .TP
 .B off <number>
 sets the fragment offset field of the IP packet.  Default is 0.
@@ -158,7 +159,7 @@ is used to indicate the a ICMP protocol header is to follow.  See the
 is used to indicate that raw data is to be included in the IP packet.  See the
 \fBDATA\fP section for details on options available.
 .SH "IPv4 Options"
-these keywords indicate that the releveant IP option should be added to the
+these keywords indicate that the relevant IP option should be added to the
 IP header (the header length field will be adjusted appropriately).
 .TP
 .B nop
@@ -210,7 +211,7 @@ Strict Source Route [RFC 791].
 Address Extension
 .TP
 .B visa
-Expermental Access Control.
+Experimental Access Control.
 .TP
 .B imitd
 IMI Traffic Descriptor.
@@ -314,7 +315,7 @@ bytes with any particular data).
 indicates that the string provided should be added to the current packet as
 data.  A string may be a consecutive list of characters and numbers (with
 no white spaces) or bounded by "'s (may not contain them, even if \\'d).
-The \\ charcater is recognised with the appropriate C escaped values, including
+The \\ character is recognised with the appropriate C escaped values, including
 octal numbers.
 .TP
 .B file <filename>

contrib/ipfilter/ipsend/ipsend.c

@@ -25,8 +25,10 @@
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <netinet/ip_var.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
+#include <netinet/udp_var.h>
 #include <netinet/ip_icmp.h>
 #ifndef	linux
 #include <netinet/ip_var.h>
@@ -71,6 +73,7 @@ char	default_device[] = "lan0";
 
 static	void	usage __P((char *));
 static	void	do_icmp __P((ip_t *, char *));
+void udpcksum(ip_t *, struct udphdr *, int);
 int	main __P((int, char **));
 
 
@@ -170,6 +173,37 @@ struct in_addr gwip;
 	return send_packet(wfd, mtu, ip, gwip);
 }
 
+void
+udpcksum(ip_t *ip, struct udphdr *udp, int len)
+{
+	union pseudoh {
+		struct hdr {
+			u_short len;
+			u_char ttl;
+			u_char proto;
+			u_32_t src;
+			u_32_t dst;
+		} h;
+		u_short w[6];
+	} ph;
+	u_32_t temp32;
+	u_short cksum, *opts;
+
+	ph.h.len = htons(len);
+	ph.h.ttl = 0;
+	ph.h.proto = IPPROTO_UDP;
+	ph.h.src = ip->ip_src.s_addr;
+	ph.h.dst = ip->ip_dst.s_addr;
+	temp32 = 0;
+	opts = &ph.w[0];
+	temp32 += opts[0] + opts[1] + opts[2] + opts[3] + opts[4] + opts[5];
+	temp32 = (temp32 >> 16) + (temp32 & 65535);
+	temp32 += (temp32 >> 16);
+	udp->uh_sum = temp32 & 65535;
+	udp->uh_sum = chksum((u_short *)udp, len);
+	if (udp->uh_sum == 0)
+		udp->uh_sum = 0xffff;
+}
 
 int main(argc, argv)
 int	argc;
@@ -177,8 +211,10 @@ char	**argv;
 {
 	FILE	*langfile = NULL;
 	struct	tcpiphdr *ti;
+	struct	udpiphdr *ui;
 	struct	in_addr	gwip;
 	tcphdr_t	*tcp;
+	udphdr_t	*udp;
 	ip_t	*ip;
 	char	*name =  argv[0], host[MAXHOSTNAMELEN + 1];
 	char	*gateway = NULL, *dev = NULL;
@@ -190,7 +226,10 @@ char	**argv;
 	 */
 	ip = (ip_t *)calloc(1, 65536);
 	ti = (struct tcpiphdr *)ip;
+	ui = (struct udpiphdr *)ip;
 	tcp = (tcphdr_t *)&ti->ti_sport;
+	udp = (udphdr_t *)&ui->ui_sport;
+	ui->ui_ulen = htons(sizeof(*udp));
 	ip->ip_len = sizeof(*ip);
 	ip->ip_hl = sizeof(*ip) >> 2;
 
@@ -344,27 +383,35 @@ char	**argv;
 		exit(2);
 	    }
 
+	if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP) {
+		fprintf(stderr,"Unsupported protocol %d\n", ip->ip_p);
+		exit(2);
+	}
+
 	if (olen)
 	    {
-		caddr_t	ipo = (caddr_t)ip;
+		int hlen;
+		char *p;
 
 		printf("Options: %d\n", olen);
-		ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
-		if(!ti)
+		hlen = sizeof(*ip) + olen;
+		ip->ip_hl = hlen >> 2;
+		ip->ip_len += olen;
+		p = (char *)malloc(65536);
+		if(!p)
 		    {
 			fprintf(stderr,"malloc failed\n");
 			exit(2);
 		    } 
-
-		bcopy((char *)ip, (char *)ti, sizeof(*ip));
-		ip = (ip_t *)ti;
-		ip->ip_hl = (olen >> 2);
-		bcopy(options, (char *)(ip + 1), olen);
-		bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
-		ip->ip_len += olen;
-		bcopy((char *)ip, (char *)ipo, ip->ip_len);
-		ip = (ip_t *)ipo;
-		tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
+		bcopy(ip, p, sizeof(*ip));
+		bcopy(options, p + sizeof(*ip), olen);
+		bcopy(ip + 1, p + hlen, ip->ip_len - hlen);
+		ip = (ip_t *)p;
+		if (ip->ip_p == IPPROTO_TCP) {
+			tcp = (tcphdr_t *)((char *)ip + hlen);
+		} else {
+			udp = (udphdr_t *)((char *)ip + hlen);
+		}
 	    }
 
 	if (ip->ip_p == IPPROTO_TCP)
@@ -401,9 +448,13 @@ char	**argv;
 		printf("Flags:   %#x\n", tcp->th_flags);
 	printf("mtu:     %d\n", mtu);
 
+	if (ip->ip_p == IPPROTO_UDP) {
+		udp->uh_sum = 0;
+		udpcksum(ip, udp, (ip->ip_len) - (ip->ip_hl << 2));
+	}
 #ifdef	DOSOCKET
-	if (tcp->th_dport)
-		return do_socket(dev, mtu, ti, gwip);
+	if (ip->ip_p == IPPROTO_TCP && tcp->th_dport)
+		return do_socket(dev, mtu, (struct tcpiphdr *)ip, gwip);
 #endif
-	return send_packets(dev, mtu, (ip_t *)ti, gwip);
+	return send_packets(dev, mtu, ip, gwip);
 }

contrib/ipfilter/man/ipf.5

@@ -1,11 +1,11 @@
 .\" $FreeBSD$
 .TH IPF 5
 .SH NAME
-ipf, ipf.conf \- IP packet filter rule syntax
+ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
 .SH DESCRIPTION
 .PP
 A rule file for \fBipf\fP may have any name or even be stdin.  As
-\fBipfstat\fP produces parseable rules as output when displaying the internal
+\fBipfstat\fP produces parsable rules as output when displaying the internal
 kernel filter lists, it is quite plausible to use its output to feed back
 into \fBipf\fP.  Thus, to remove all filters on input packets, the following
 could be done:
@@ -38,7 +38,7 @@ log	= "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
 call	= "call" [ "now" ] function-name .
 skip	= "skip" decnumber .
 dup	= "dup-to" interface-name[":"ipaddr] .
-froute	= "fastroute" | "to" interface-name .
+froute	= "fastroute" | "to" interface-name[":"ipaddr] .
 protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
 srcdst	= "all" | fromto .
 fromto	= "from" [ "!" ] object "to" [ "!" ] object .
@@ -117,7 +117,7 @@ below).
 Filters are installed by default at the end of the kernel's filter
 lists, prepending the rule with \fB@n\fP will cause it to be inserted
 as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(1) for more
+modifying and testing active filter rulesets. See ipf(8) for more
 information.
 .SH ACTIONS
 .PP
@@ -137,7 +137,7 @@ with a rule which is being applied to TCP packets.  When using
 \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
 the actual unreachable `type'.  That is, whether it is a network
 unreachable, port unreachable or even administratively
-prohibitied. This is done by enclosing the ICMP code associated with
+prohibited. This is done by enclosing the ICMP code associated with
 it in parenthesis directly following \fBreturn-icmp\fP or
 \fBreturn-icmp-as-dest\fP as follows:
 .nf
@@ -387,7 +387,7 @@ against, e.g.:
 .TP
 .B icmp-type
 is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjuction with \fBflags\fP.  There are a number of types, which can be
+in conjunction with \fBflags\fP.  There are a number of types, which can be
 referred to by an abbreviation recognised by this language, or the numbers
 with which they are associated can be used.  The most important from
 a security point of view is the ICMP redirect.
@@ -428,7 +428,7 @@ indicates that the rule should be put in group (number n) rather than group 0.
 .PP
 When a packet is logged, with either the \fBlog\fP action or option,
 the headers of the packet are written to the \fBipl\fP packet logging
-psuedo-device. Immediately following the \fBlog\fP keyword, the
+pseudo-device. Immediately following the \fBlog\fP keyword, the
 following qualifiers may be used (in order):
 .TP
 .B body

contrib/ipfilter/man/ipf.8

@@ -113,7 +113,7 @@ the current interface status list.
 .TP
 .B \-z
 For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zero'd.
+display the statistics prior to them being zeroed.
 .TP
 .B \-Z
 Zero global statistics held in the kernel for filtering only (this doesn't

contrib/ipfilter/man/ipfstat.8

@@ -65,7 +65,7 @@ This option is only valid in combination with \fB\-t\fP. Limit the state top
 display to show only state entries whose destination IP address and port
 match the addport argument. The addrport specification is of the form
 ipaddress[,port].  The ipaddress and port should be either numerical or the
-string "any" (specifying any ip address resp. any port). If the \fB\-D\fP
+string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
 option is not specified, it defaults to "\fB\-D\fP any,any".
 .TP
 .B \-f
@@ -141,7 +141,7 @@ kernel.
 Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
 this mode the state table is displayed similar to the way \fBtop\fP displays
 the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP 
-commandline options can be used to restrict the state entries that will be 
+command line options can be used to restrict the state entries that will be 
 shown and to specify the frequency of display updates.
 .PP
 In state top mode, the following keys can be used to influence the displayed

contrib/ipfilter/man/ipmon.8

@@ -83,11 +83,11 @@ are displayed to the same output 'device' (stderr or syslog).
 .TP
 .B \-b
 For rules which log the body of a packet, generate hex output representing
-the packet contents afte the headers.
+the packet contents after the headers.
 .TP
 .B \-D
 Cause ipmon to turn itself into a daemon.  Using subshells or backgrounding
-of ipmon is not required to turn it into an orphan so it can run indefinately.
+of ipmon is not required to turn it into an orphan so it can run indefinitely.
 .TP
 .B "\-f <device>"
 specify an alternative device/file from which to read the log information
@@ -171,3 +171,5 @@ recorded data.
 .SH SEE ALSO
 ipl(4), ipf(8), ipfstat(8), ipnat(8)
 .\".SH BUGS
+.PP
+If you find any, please send email to me at darrenr@pobox.com