Only one possible bug...
Counters are not counting:
[EMAIL PROTECTED]> ipfstat -ih
0 block in log body quick proto tcp from any to any with short
0 block in log body quick from any to any with opt lsrr
...
...
(All are zero).
[EMAIL PROTECTED]> ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 6
input packets: blocked 1634 passed 15909 nomatch 2 counted 0 short 0
output packets: blocked 416 passed 19106 nomatch 0 counted 0 short 0
input packets logged: blocked 138 passed 0
output packets logged: blocked 410 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 401 lost 0
packet state(out): kept 784 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 596 (out): 979
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 5 failed: 6
Fastroute successes: 378 failures: 5
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 7344
Packet log flags set: (0)
none
[EMAIL PROTECTED]> uname -a
SunOS sunspot-thin2 5.8 Generic_117350-18 sun4m sparc SUNW,SPARCstation-5
[EMAIL PROTECTED]> gcc -v
Reading specs from /usr/local/lib/gcc/sparc-sun-solaris2.8/3.4.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls --disable-libgcj --enable-languages=c,c++
Thread model: posix
gcc version 3.4.2
On Sun, 13 Mar 2005, Darren Reed wrote:
With a whole host of patches for Solaris that have improved things in any number of ways and some more attention from me on other aspects of the code, I think the quality of ipfilter has made a very worthwhile leap in the last month.
Thanks to a lot of time spent reviewing code, patching and being generally helpful making sure things turned out for the better, John Wehle has had a very positive influence on this release of code - thanks. I could have looked at that code (even being told there were problems) and not seen them, sometimes it just takes new eyes and patience.
MD5 (ip_fil4.1.7.tar.gz) = a83b60195cc7aa466c40f514a08e3845
MD5 (pfil-2.1.6.tar.gz) = 54254788f63a21e2936f3bc0175f5e42
Darren
4.1.7 - Released 13 March 2005
Using the GRE call field is almost impossible because it is unbalanced and both call fields are not present in each v1 header.
Fix a problem where it was possible to load duplicate rules into ipf
patch from John Wehle to address problems with fastroute on solaris
Copying data out for ipf -z failed because it tried to copy out to an address that is a kernel pointer in user space.
add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
synch up with NetBSD's changes
fix problems parsing long lines of text in the ftp proxy where they would not be parsed properly and stop the session from working
enhance the PPTP proxy so that it tries to decode messages in the TCP stream so it knows when to create and destroy the state/nat sessions for GRE. There are also 4 new regression tests for it, testing map/rdr rules.
impose some limits on the size of data that can be moved with SIOCSTPUT in the NAT code and also prevent a duplicate session entry from being created using this method.
add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL to check if it is possible to create an outgoing transparent NAT mapping to complement the redirect being investigated.
Linux requires that the checksums in the IP header get adjusted
only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers in SIOCSTPUT to prevent bad data being loaded from userspace.
make the byte counting for state correct (was counting data from ICMP packet twice)
print out the keyword "frag-body" if the flag is set.
fix ipfs loading/restoring NAT sessions
patch from Frank to correctly format IP addresses in ipfstat -t output
parsing port numbers in ipf/ipnat was confusing as the port number was returned in an int that was also overloaded to be the success/failure. Instead, change the port using pass by reference and only use the return value for indicating success or failure.
4.1.6 - Released 19 February 2005
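As an added check for the counter discrepancy reported at the top of this message (example code, not from the post or from the ipfilter project), the script below parses `ipfstat -ih` and plain `ipfstat` output and flags any direction whose listed rules all show zero hits while the kernel summary says packets were blocked or passed there. The two text samples are constructed from the figures quoted above.

```python
import re

# Added example (not from the post or from ipfilter). Constructed excerpt
# of `ipfstat -ih` (inbound rules, hit count first) from the report above.
RULES_OUT = """\
0 block in log body quick proto tcp from any to any with short
0 block in log body quick from any to any with opt lsrr
"""

# Constructed excerpt of the plain `ipfstat` summary from the same host.
SUMMARY_OUT = """\
bad packets: in 0 out 0
input packets: blocked 1634 passed 15909 nomatch 2 counted 0 short 0
output packets: blocked 416 passed 19106 nomatch 0 counted 0 short 0
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(pass|block|count|log)\s+(in|out)\b")
SUMMARY_RE = re.compile(r"^(input|output) packets: blocked (\d+) passed (\d+)")

def parse_rule_hits(text):
    """Return (hits, action, direction) for each rule line in -h output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def parse_summary(text):
    """Return {'in': (blocked, passed), 'out': (blocked, passed)}."""
    summary = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            key = "in" if m.group(1) == "input" else "out"
            summary[key] = (int(m.group(2)), int(m.group(3)))
    return summary

def find_dead_counters(rules_text, summary_text):
    """Directions whose listed rules all show zero hits while the summary
    reports traffic there. Directions with no listed rules (e.g. 'out' when
    only -ih was run) are skipped; an empty result means counters agree."""
    rules = parse_rule_hits(rules_text)
    dead = []
    for direction, (blocked, passed) in parse_summary(summary_text).items():
        listed = [h for h, _action, d in rules if d == direction]
        if listed and sum(listed) == 0 and (blocked or passed):
            dead.append(direction)
    return sorted(dead)
```

On the output quoted above this returns `['in']`; on a healthy firewall, where at least one inbound rule counter moves, it returns an empty list.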
