This is a discussion on Re: IPFilter 4.1.29 within the IPFilter forums, part of the System Security and Security Related category; Darren Reed wrote: > After what seems like an eternity, well 6 months, > I've bumped the revision of ...
Darren Reed wrote:
> After what seems like an eternity, well 6 months,
> I've bumped the revision of IPFilter from 4.1.28
> to 4.1.29 to capture all of the bug fixes since.
>
> It was almost complete with a build bug, but I
> uncovered the hidden window in the nick of time.
>
> The files can be downloaded from the usual places,
> http://coombs.anu.edu.au/~avalon/ip_fil4.1.29.tar.gz
> http://coombs.anu.edu.au/~avalon/patch-4.1.29.gz
> and their hashes are:
> MD5 (ip_fil4.1.29.tar.gz) = 51f15ec90faa736cfb7bea27846dff71
> MD5 (patch-4.1.29.gz) = 594f0bb2f3c7d4bed98a2cc726005759
>
> Cheers,
> Darren
>
> 4.1.29 - Release 14 April 2008
>
> * #ifdef warning fixes from Victor M Blood (FreeBSD) - #1821249
>
> * An error in NAT'ing a packet that is being fed through the fastroute
> code (i.e return-icmp/return-rst/to/dup-to) can lead to a memory leak
> with mbufs
>
> * NetBSD has removed rnh_walktree
>
> * Remove exit/enter of ipf_global lock as they are now no longer held by
> what calls fr_auth_ioctl()
>
> * add in checks to see that a symbol is defined before using it in a test
> case with C preprocessor #if statements
>
> * add setting TCP TIME_WAIT timer to list of tuneables
>
> * call of _pullup() high up in _icmp() means later checks for fin_dlen
> that are less than 8 are not required.
>
> * cleanup some errors in merging patches
>
> * merge changes from netbsd for updated poll apis
>
> * merge white space cleanup
>
> * preserve and restore the fin_flx bits from the packet before it is
> authorised to after it is.
>
> * remove old comment that is no longer accurate
>
> * sunos5x86 Makefile target has been removed from the Makefile
>
> * try and optimise fr_movequeue and short cut some cases where there
> is no requirement to change the position of the object on the list.
>
> * update ip_compat.h for NetBSD changes with POLLWAKEUP
>
> * use defined() in #if statements to make sure something has a value
> before its use
>
> 1785476 more state entries might be created for single connection
>
> 1821247 holding ipf_global lock over call to fr_ioctlswitch() causes
> a panic for FreeBSD with INVARIANTS - move holding locks in ioctl
> processing to only where they are necessary.
>
> 1821358 errors can lead to mbufs not being freed
>
> 1825877 variables called min should be renamed to xmin
>
> 1835705 It is impossible to delete a state using SIOCDELST ioctl
>
> 1839009 Auth rules with both "quick" and "keep state" don't work
>
> 1839023 OS freeze: race condition in the auth code.
>
> 1839028 Potential problems in auth code
>
> 1855763 Fixed bug (#1838530) is reintroduced in the recent CVS commit
>
> 1872740 the ipfr_size tunable is ignored
>
> 1886836 open on devices not compiled in always succeed
>
> 1886965 sync code does not wakeup sleeping polls
>
> 1890025 sync code uses state table for nat objects
>
> 1915176 Use of "age X/Y" can lead to panic
>
> 4.1.28 - Release 16 October 2007
> Ok, then the patch below might be of use to you then.
>
> Darren
>

Darren, is there some reason you did not include this code which you sent to me that fixes bug 1887931?

Regards,
Steve

Ok, then the patch below might be of use to you then.

Darren

diff -c -r2.195.2.105 ip_nat.c *** ip_nat.c 21 Dec 2007 23:03:24 -0000 2.195.2.105 --- ip_nat.c 8 Feb 2008 02:27:04 -0000 *************** *** 3804,3809 **** --- 3804,3813 ---- * If there is no current entry in the nat table for this IP#, * create one for it (if there is a matching rule). 
*/ + if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP)) { + natfailed = -1; + goto nonatfrag; + } RWLOCK_EXIT(&ipf_nat); msk = 0xffffffff; nmsk = nat_masks; *************** *** 3861,3866 **** --- 3865,3871 ---- MUTEX_DOWNGRADE(&ipf_nat); } + nonatfrag: if (nat != NULL) { rval = fr_natout(fin, nat, natadd, nflags); if (rval == 1) { *************** *** 4095,4100 **** --- 4100,4109 ---- } else { u_32_t hv, msk, rmsk; + if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP)) { + natfailed = -1; + goto nonatfrag; + } RWLOCK_EXIT(&ipf_nat); rmsk = rdr_masks; msk = 0xffffffff; *************** *** 4155,4160 **** --- 4164,4171 ---- } MUTEX_DOWNGRADE(&ipf_nat); } + + nonatfrag: if (nat != NULL) { rval = fr_natin(fin, nat, natadd, nflags); if (rval == 1) { |
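Review bot: the fragment test added in the hunks at 3804 and 4095 carries no comment and is duplicated verbatim in the outbound and inbound paths. Please say next to `if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))` why a non-first TCP/UDP fragment must not reach the rule-matching code that creates a new NAT entry, and what `natfailed = -1` means for the caller (whether the fragment is dropped or passed untranslated), since neither is visible from these lines. In both places the `goto nonatfrag` is taken before `RWLOCK_EXIT(&ipf_nat)` and lands after `MUTEX_DOWNGRADE(&ipf_nat)`, so the label is reached with the lock as it was before the exit; a one-line comment at the label confirming that this matches the post-downgrade state would make the locking easier to audit. Moving the test into a small shared macro or inline helper would keep the two copies from drifting apart.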
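Review bot: in the hunks at 3861 and 4155 the new `nonatfrag:` label falls straight into `if (nat != NULL)`, so the `natfailed = -1` set before the jump only stands if `nat` is NULL on that path, and the visible context does not show that. If the check can only be reached when the table lookup found no entry, note that at the label; otherwise a fragment with an existing entry would still be handed to `fr_natout()` or `fr_natin()` after being marked as failed. As a style point, the label at 4155 is added with a blank line before it while the one at 3861 is not; please make the two consistent.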