doc/share/security/patches/SA-01:08/ipfw-4.x.patch
Bjoern A. Zeeb 3571e53040 Import FreeBSD Security Advisories and Errata Notices, as well as their
patches for easier mirroring, to eliminate a special copy, to make
www.freebsd.org/security a full copy of security.freebsd.org and be
eventually be the same.

For now files are just sitting there.   The symlinks are missing.

Discussed on:	www (repository location)
Discussed with:	simon (so)
2012-08-15 06:19:40 +00:00

220 lines
7.7 KiB

Index: sbin/ip6fw/ip6fw.c
===================================================================
RCS file: /usr/home/ncvs/src/sbin/ip6fw/ip6fw.c,v
retrieving revision 1.1
diff -u -r1.1 ip6fw.c
--- sbin/ip6fw/ip6fw.c 2000/01/29 13:54:44 1.1
+++ sbin/ip6fw/ip6fw.c 2001/01/22 19:43:54
@@ -363,7 +363,7 @@
if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("!opts");
}
- if (chain->fw_tcpf & IPV6_FW_TCPF_ESTAB)
+ if (chain->fw_ipflg & IPV6_FW_IF_TCPEST)
printf(" established");
else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
@@ -1052,7 +1052,7 @@
}
if (rule.fw_prot == IPPROTO_TCP) {
if (!strncmp(*av,"established",strlen(*av))) {
- rule.fw_tcpf |= IPV6_FW_TCPF_ESTAB;
+ rule.fw_ipflg |= IPV6_FW_IF_TCPEST;
av++; ac--; continue;
}
if (!strncmp(*av,"setup",strlen(*av))) {
Index: sys/netinet6/ip6_fw.c
===================================================================
RCS file: /usr/home/ncvs/src/sys/netinet6/ip6_fw.c,v
retrieving revision 1.2.2.3
diff -u -r1.2.2.3 ip6_fw.c
--- sys/netinet6/ip6_fw.c 2000/10/24 19:27:39 1.2.2.3
+++ sys/netinet6/ip6_fw.c 2001/01/22 19:43:54
@@ -149,9 +149,15 @@
{
u_char flg_set, flg_clr;
- if ((f->fw_tcpf & IPV6_FW_TCPF_ESTAB) &&
- (tcp6->th_flags & (IPV6_FW_TCPF_RST | IPV6_FW_TCPF_ACK)))
- return 1;
+ /*
+ * If an established connection is required, reject packets that
+ * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
+ * other flag requirements.
+ */
+ if ((f->fw_ipflg & IPV6_FW_IF_TCPEST) &&
+ ((tcp6->th_flags & (IPV6_FW_TCPF_RST | IPV6_FW_TCPF_ACK |
+ IPV6_FW_TCPF_SYN)) == IPV6_FW_TCPF_SYN))
+ return 0;
flg_set = tcp6->th_flags & f->fw_tcpf;
flg_clr = tcp6->th_flags & f->fw_tcpnf;
@@ -571,7 +577,9 @@
}
PULLUP_TO(off + 14);
tcp6 = (struct tcphdr *) ((caddr_t)ip6 + off);
- if (f->fw_tcpf != f->fw_tcpnf && !tcp6flg_match(tcp6, f))
+ if (((f->fw_tcpf != f->fw_tcpnf) ||
+ (f->fw_ipflg & IPV6_FW_IF_TCPEST)) &&
+ !tcp6flg_match(tcp6, f))
continue;
src_port = ntohs(tcp6->th_sport);
dst_port = ntohs(tcp6->th_dport);
Index: sys/netinet6/ip6_fw.h
===================================================================
RCS file: /usr/home/ncvs/src/sys/netinet6/ip6_fw.h,v
retrieving revision 1.3.2.2
diff -u -r1.3.2.2 ip6_fw.h
--- sys/netinet6/ip6_fw.h 2000/10/24 19:27:39 1.3.2.2
+++ sys/netinet6/ip6_fw.h 2001/01/22 19:43:54
@@ -59,6 +59,7 @@
u_short fw_number; /* Rule number */
u_short fw_flg; /* Flags word */
#define IPV6_FW_MAX_PORTS 10 /* A reasonable maximum */
+ u_int fw_ipflg; /* IP flags word */
u_short fw_pts[IPV6_FW_MAX_PORTS]; /* Array of port numbers to match */
u_char fw_ip6opt,fw_ip6nopt; /* IPv6 options set/unset */
u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
@@ -137,6 +138,11 @@
#define IPV6_FW_F_MASK 0xFFFF /* All possible flag bits mask */
+/*
+ * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */
+#define IPV6_FW_IF_TCPEST 0x00000020 /* established TCP connection */
+#define IPV6_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */
+
/*
* For backwards compatibility with rules specifying "via iface" but
* not restricted to only "in" or "out" packets, we define this combination
@@ -171,7 +177,6 @@
#define IPV6_FW_TCPF_PSH TH_PUSH
#define IPV6_FW_TCPF_ACK TH_ACK
#define IPV6_FW_TCPF_URG TH_URG
-#define IPV6_FW_TCPF_ESTAB 0x40
/*
* Main firewall chains definitions and global var's definitions.
Index: sbin/ipfw/ipfw.c
===================================================================
RCS file: /usr/home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.7
retrieving revision 1.80.2.8
diff -u -r1.80.2.7 -r1.80.2.8
--- sbin/ipfw/ipfw.c 2000/10/17 13:44:55 1.80.2.7
+++ sbin/ipfw/ipfw.c 2001/01/10 03:43:33 1.80.2.8
@@ -426,7 +426,7 @@
if (chain->fw_ipnopt & IP_FW_IPOPT_TS) PRINTOPT("!ts");
}
- if (chain->fw_tcpf & IP_FW_TCPF_ESTAB)
+ if (chain->fw_ipflg & IP_FW_IF_TCPEST)
printf(" established");
else if (chain->fw_tcpf == IP_FW_TCPF_SYN &&
chain->fw_tcpnf == IP_FW_TCPF_ACK)
@@ -1893,7 +1893,7 @@
}
if (rule.fw_prot == IPPROTO_TCP) {
if (!strncmp(*av,"established",strlen(*av))) {
- rule.fw_tcpf |= IP_FW_TCPF_ESTAB;
+ rule.fw_ipflg |= IP_FW_IF_TCPEST;
av++; ac--; continue;
}
if (!strncmp(*av,"setup",strlen(*av))) {
Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /usr/home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.10
retrieving revision 1.131.2.11
diff -u -r1.131.2.10 -r1.131.2.11
--- sys/netinet/ip_fw.c 2000/11/07 09:50:58 1.131.2.10
+++ sys/netinet/ip_fw.c 2001/01/10 03:43:34 1.131.2.11
@@ -244,10 +244,16 @@
tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
{
u_char flg_set, flg_clr;
-
- if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) &&
- (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)))
- return 1;
+
+ /*
+ * If an established connection is required, reject packets that
+ * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
+ * other flag requirements.
+ */
+ if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
+ ((tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK |
+ IP_FW_TCPF_SYN)) == IP_FW_TCPF_SYN))
+ return 0;
flg_set = tcp->th_flags & f->fw_tcpf;
flg_clr = tcp->th_flags & f->fw_tcpnf;
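Review bot: The new `established` test at the `return 0` rejects only segments whose RST/ACK/SYN subset is exactly SYN, so a segment with none of RST, ACK or SYN set falls through to the flg_set/flg_clr comparison, where a rule that carries nothing but `established` (fw_tcpf and fw_tcpnf both zero) will presumably accept it; the comment should state whether that is the intended definition. If the intent is "any segment that is not an initial SYN", say so in the block comment, e.g. `/* 'established' means any segment that is not a bare SYN; RST/ACK are not required */`; if the intent is the earlier "RST or ACK present" semantics, the condition would instead be `if ((f->fw_ipflg & IP_FW_IF_TCPEST) && !(tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK))) return 0;`. The phrase `only SYN of RST|ACK|SYN set` reads awkwardly; `only SYN, out of RST|ACK|SYN, set` is clearer. The same change, with the same wording, is made in tcp6flg_match in sys/netinet6/ip6_fw.c, whose function header lies outside its hunk; the rest of tcpflg_match here continues past this hunk as well.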
@@ -1208,7 +1214,9 @@
if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
continue;
- if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
+ if (((f->fw_tcpf != f->fw_tcpnf) ||
+ (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
+ !tcpflg_match(tcp, f))
continue;
goto check_ports;
}
Index: sys/netinet/tcp.h
===================================================================
RCS file: /usr/home/ncvs/src/sys/netinet/tcp.h,v
retrieving revision 1.13
retrieving revision 1.13.2.2
diff -u -r1.13 -r1.13.2.2
--- sys/netinet/tcp.h 2000/01/09 19:17:25 1.13
+++ sys/netinet/tcp.h 2001/01/09 18:25:18 1.13.2.2
@@ -67,7 +67,9 @@
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
-#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG)
+#define TH_ECE 0x40
+#define TH_CWR 0x80
+#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
u_short th_win; /* window */
u_short th_sum; /* checksum */
Index: sys/netinet/ip_fw.h
===================================================================
RCS file: /usr/home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.47.2.3
retrieving revision 1.47.2.5
diff -u -r1.47.2.3 -r1.47.2.5
--- sys/netinet/ip_fw.h 2000/08/22 00:33:18 1.47.2.3
+++ sys/netinet/ip_fw.h 2001/01/10 03:43:34 1.47.2.5
@@ -62,6 +62,7 @@
#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
} fw_uar;
+ u_int fw_ipflg; /* IP flags word */
u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */
u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
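Review bot: Inserting `u_int fw_ipflg` into the middle of `struct ip_fw` changes the size and layout of the structure that ipfw(8) hands to the kernel, so an ipfw binary built against the previous header will presumably have its rules rejected or misread by a kernel built with this one, and vice versa; nothing in the hunk records that. A comment at the new field would make the coupling explicit, e.g. `/* New field changes the struct ip_fw ABI: rebuild ipfw(8) together with the kernel. */`, and the same applies to the `fw_ipflg` added to struct ip6_fw in sys/netinet6/ip6_fw.h. The enclosing struct definition starts and ends outside this hunk.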
@@ -208,6 +209,12 @@
#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */
/*
+ * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.
+ */
+#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */
+#define IP_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */
+
+/*
* For backwards compatibility with rules specifying "via iface" but
* not restricted to only "in" or "out" packets, we define this combination
* of bits to represent this configuration.
@@ -247,7 +254,6 @@
#define IP_FW_TCPF_PSH TH_PUSH
#define IP_FW_TCPF_ACK TH_ACK
#define IP_FW_TCPF_URG TH_URG
-#define IP_FW_TCPF_ESTAB 0x40
/*
* Main firewall chains definitions and global var's definitions.