
[darrenr@cyber.com.au: Re: IPF 1.3.7 in OpenBSD 2.0 ("-current")]



From: Darren Reed <darrenr@cyber.com.au>
Subject: Re: IPF 1.3.7 in OpenBSD 2.0 ("-current")
To: kstailey@sun4c.openbsd.org (Kenneth Stailey)
Date: Thu, 13 Feb 1997 00:06:37 +1100 (EST)
Cc: ipfilter@postbox.anu.edu.au, tech@openbsd.org
In-Reply-To: <199702112313.QAA27445@sun4c.openbsd.org> from "Kenneth Stailey" at Feb 11, 97 04:13:45 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text

In some mail I received from Kenneth Stailey, sie wrote
> 
> I just put IPF 1.3.7 in OpenBSD 2.0 ("-current".)  NAT seems to work modulo
> an occasional panic() in ip_natexpire().  Be careful when using NAT.

Hmmm, that loop should probably be wrapped in an splnet()/splx() pair
(try the patch below for size).

> There is a bug in the NAT FTP checksum fixup code that prevents ftp
> from working, you can log on but not do stuff that uses the PORT
> command.

It was never designed to change FTP PORT commands.  Although market
pressure seems to dictate that it should...

> I made a few changes:
> 
> iplinit() calls ipldetach() at the end:
> 
> #ifndef	IPFILTER_LKM
> void
> iplinit()
> {
> 	(void) iplattach();
> 	ip_init();
> 	(void) ipldetach();	/* XXX */
> }
> #endif
> 
> This prevents chaos since the existing software does not lock us out by
> default.  It also allows diskless machines to boot.

Hmmm, there used to be a "default value" for this when it was compiled...
...ah, yes, "NOMATCH" (should give this a better name)...if you had
"options NOMATCH=FR_PASS" (or however you write it for OpenBSD config),
it would compile the kernel the same as the LKM and default pass packets.

Darren

RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.0.1.10
diff -c -r2.0.1.10 ip_nat.c
*** 2.0.1.10    1997/02/08 06:38:49
--- ip_nat.c    1997/02/12 12:55:39
***************
*** 873,880 ****
--- 873,882 ----
  void ip_natexpire()
  {
        register struct nat *nat, **natp;
+       int s;
  
        MUTEX_ENTER(&ipf_nat);
+       SPLNET(s);
        for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) {
                if (--nat->nat_age)
                        continue;
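Review bot: SPLNET(s) is raised after MUTEX_ENTER(&ipf_nat) rather than before it. On the ports where MUTEX_ENTER expands to a real lock, a network interrupt arriving between the two calls can contend for the mutex while the timer path already holds it; the usual BSD ordering is to raise splnet first and then take the mutex (with the release order in the second hunk swapped to match). On OpenBSD, where MUTEX_ENTER is presumably empty, the order makes no difference, but it is worth a comment so the two macro families are not later assumed interchangeable. Also, `int s;` needs SPLNET/SPLX to expand to nothing on the platforms that have no spl levels, or `s` becomes an unused variable there.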
***************
*** 882,886 ****
--- 884,889 ----
                nat_delete(nat);
                nat_stats.ns_expire++;
        }
+       SPLX(s);
        MUTEX_EXIT(&ipf_nat);
  }
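Review bot: the release order, SPLX(s) followed by MUTEX_EXIT(&ipf_nat), is the mirror of the acquisition order in the first hunk, which is the correct nesting; keep the pair symmetric if the acquisition order changes. Independent of this change, the loop these two hunks bracket still touches an entry after deleting it: once `nat_delete(nat);` has run, the for-increment `natp = &nat->nat_next` from the first hunk dereferences `nat` again, so if nat_delete() frees the entry that is a read of freed memory on every expiry. Advancing natp only in the surviving-entry path (move `natp = &nat->nat_next` into the `continue` branch) and unlinking with `*natp = nat->nat_next;` before calling nat_delete() avoids it.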

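The loop Darren's patch brackets with SPLNET()/SPLX() walks the NAT table with a pointer-to-pointer while deleting expired entries from it. The following is an added example, not IPFilter code and not part of the thread: a user-space model of ip_natexpire() that keeps the same shape (natp, nat_age countdown, nat_delete(), a ns_expire counter) but advances natp only past entries that survive and unlinks an expired entry before freeing it, so the freed node is never read again. The struct nat fields, nat_new(), nat_reset() and the SPLNET/SPLX stand-ins (which only count nesting so a test can check the level is restored) are assumptions for the model, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for IPFilter's struct nat with only the fields the expire loop
 * uses (hypothetical, not the real kernel structure). */
struct nat {
	struct nat *nat_next;
	int nat_age;		/* ticks remaining before the mapping expires */
	unsigned nat_id;	/* constructed label so tests can tell entries apart */
};

static struct nat *nat_instances = NULL;	/* head of the active-mapping list */
static unsigned long ns_expire = 0;		/* mirrors nat_stats.ns_expire */

/* Stand-ins for SPLNET()/SPLX(): instead of masking interrupts they record
 * the nesting so spl_balanced() can confirm every SPLNET has its SPLX on
 * every path out of the loop. */
static int spl_level = 0;
#define SPLNET(s)	do { (s) = spl_level; spl_level++; } while (0)
#define SPLX(s)		do { spl_level = (s); } while (0)

static void nat_delete(struct nat *nat)
{
	free(nat);	/* the real nat_delete also drops the entry from hash tables */
}

/* Push a new mapping at the head of the list, as the kernel does. */
struct nat *nat_new(unsigned id, int age)
{
	struct nat *nat = calloc(1, sizeof *nat);

	if (nat == NULL)
		abort();
	nat->nat_id = id;
	nat->nat_age = age;
	nat->nat_next = nat_instances;
	nat_instances = nat;
	return nat;
}

/* One expiry tick.  natp is advanced only past entries that survive; an
 * expired entry is unlinked through natp before nat_delete() frees it, so
 * the loop never reads the freed memory. */
void ip_natexpire(void)
{
	struct nat *nat, **natp;
	int s;

	SPLNET(s);
	for (natp = &nat_instances; (nat = *natp) != NULL; ) {
		if (--nat->nat_age) {
			natp = &nat->nat_next;	/* still alive: step past it */
			continue;
		}
		*natp = nat->nat_next;		/* unlink first ... */
		nat_delete(nat);		/* ... then free */
		ns_expire++;
	}
	SPLX(s);
}

size_t nat_count(void)
{
	size_t n = 0;
	struct nat *nat;

	for (nat = nat_instances; nat != NULL; nat = nat->nat_next)
		n++;
	return n;
}

unsigned long nat_expired(void) { return ns_expire; }
int spl_balanced(void) { return spl_level == 0; }

/* Drop every mapping and reset counters, for repeatable runs. */
void nat_reset(void)
{
	while (nat_instances != NULL) {
		struct nat *nat = nat_instances;
		nat_instances = nat->nat_next;
		nat_delete(nat);
	}
	ns_expire = 0;
	spl_level = 0;
}

int main(void)
{
	nat_reset();
	/* constructed table: four mappings with 1, 2, 1 and 3 ticks left */
	nat_new(1, 1); nat_new(2, 2); nat_new(3, 1); nat_new(4, 3);
	for (int tick = 1; tick <= 3; tick++) {
		ip_natexpire();
		printf("tick %d: %zu active, %lu expired\n",
		    tick, nat_count(), nat_expired());
	}
	return spl_balanced() ? 0 : 1;
}
```

Compile with `cc -std=c99 -Wall` and run under a memory checker such as valgrind; the original increment-after-delete form of the loop, if substituted in, reports an invalid read on the first expiry, while this form runs clean.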