0a1,2
> /* $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 145522 2005-04-25 18:43:14Z darrenr $ */
>
2c4
< * Copyright (C) 1997-2002 by Darren Reed.
---
> * Copyright (C) 1997-2003 by Darren Reed.
6,8c8,12
<
< #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
< # define _KERNEL
---
> #if defined(KERNEL) || defined(_KERNEL)
> # undef KERNEL
> # undef _KERNEL
> # define KERNEL 1
> # define _KERNEL 1
10,13d13
<
< #if defined(__sgi) && (IRIX > 602)
< # include <sys/ptimers.h>
< #endif
19,21d18
< #if !defined(__FreeBSD_version)
< # include <sys/ioctl.h>
< #endif
23c20
< #if !defined(_KERNEL) && !defined(KERNEL)
---
> #if !defined(_KERNEL) && !defined(__KERNEL__)
26a24,30
> # include <ctype.h>
> # define _KERNEL
> # ifdef __OpenBSD__
> struct file;
> # endif
> # include <sys/uio.h>
> # undef _KERNEL
28c32
< #ifndef linux
---
> #if !defined(linux)
33,36c37,39
< # if !defined(linux)
< # include <sys/systm.h>
< # else
< # include <linux/string.h>
---
> # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
> !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi)
> # include <sys/ctype.h>
38,40c41,42
< #endif
< #if !defined(__SVR4) && !defined(__svr4__)
< # ifndef linux
---
> # include <sys/systm.h>
> # if !defined(__SVR4) && !defined(__svr4__)
42a45,51
> #endif
> #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
> # include <sys/filio.h>
> # include <sys/fcntl.h>
> # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
> # include "opt_ipfilter.h"
> # endif
43a53,55
> # include <sys/ioctl.h>
> #endif
> #if defined(__SVR4) || defined(__svr4__)
78,80c90,100
< #if !defined(lint)
< /* static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.6 2001/07/15 22:06:15 darrenr Exp $"; */
< static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 139255 2004-12-24 09:14:26Z darrenr $";
---
> #include "netinet/ip_ftp_pxy.c"
> #include "netinet/ip_rcmd_pxy.c"
> # include "netinet/ip_pptp_pxy.c"
> #if defined(_KERNEL)
> # include "netinet/ip_irc_pxy.c"
> # include "netinet/ip_raudio_pxy.c"
> # include "netinet/ip_h323_pxy.c"
> # ifdef IPFILTER_PRO
> # include "netinet/ip_msnrpc_pxy.c"
> # endif
> # include "netinet/ip_netbios_pxy.c"
81a102,103
> #include "netinet/ip_ipsec_pxy.c"
> #include "netinet/ip_rpcb_pxy.c"
83,84c105,108
< #ifdef USE_MUTEX
< extern KRWLOCK_T ipf_nat, ipf_state;
---
> /* END OF INCLUDES */
>
> #if !defined(lint)
> static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
89,91d112
<
< #define PROXY_DEBUG 0
<
94d114
< #include "netinet/ip_ftp_pxy.c"
96,99c116,118
< #include "netinet/ip_rcmd_pxy.c"
< #include "netinet/ip_raudio_pxy.c"
< #include "netinet/ip_netbios_pxy.c"
< #include "netinet/ip_ipsec_pxy.c"
---
> int ipf_proxy_debug = 0;
> #else
> int ipf_proxy_debug = 2;
101d119
<
107c125
< { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
---
> { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
109a128,131
> #ifdef IPF_IRC_PROXY
> { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini,
> ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL },
> #endif
111,112c133,134
< { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL,
< ippr_rcmd_new, NULL, NULL, ippr_rcmd_out, NULL },
---
> { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_fini,
> ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
115,116c137,138
< { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL,
< ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL },
---
> { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_fini,
> ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
118,121c140,142
< #ifdef IPF_IPSEC_PROXY
< { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, ippr_ipsec_init, NULL,
< ippr_ipsec_new, ippr_ipsec_del, NULL, ippr_ipsec_out,
< ippr_ipsec_match },
---
> #ifdef IPF_MSNRPC_PROXY
> { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, ippr_msnrpc_init, ippr_msnrpc_fini,
> ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
124,125c145,146
< { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
< NULL, NULL, NULL, ippr_netbios_out, NULL },
---
> { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, ippr_netbios_fini,
> NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
126a148,157
> #ifdef IPF_IPSEC_PROXY
> { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0,
> ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del,
> ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL },
> #endif
> #ifdef IPF_PPTP_PROXY
> { NULL, "pptp", (char)IPPROTO_TCP, 0, 0,
> ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del,
> ippr_pptp_inout, ippr_pptp_inout, NULL, NULL },
> #endif
128,133c159,174
< { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, NULL,
< ippr_h323_new, ippr_h323_del, ippr_h323_in, ippr_h323_out, NULL },
< { NULL, "h245", (char)IPPROTO_TCP, 0, 0, ippr_h245_init, NULL,
< ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
< #endif
< { NULL, "", '\0', 0, 0, NULL, NULL, NULL }
---
> { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini,
> ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL },
> { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL,
> ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
> #endif
> #ifdef IPF_RPCB_PROXY
> # if 0
> { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0,
> ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
> ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
> # endif
> { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0,
> ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
> ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
> #endif
> { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL }
136d176
<
149c189,192
< sizeof(ap->apr_label)))
---
> sizeof(ap->apr_label))) {
> if (ipf_proxy_debug > 1)
> printf("appr_add: %s/%d already present (B)\n",
> a->apr_label, a->apr_p);
150a194
> }
152c196
< for (a = ap_proxylist; a && a->apr_p; a = a->apr_next)
---
> for (a = ap_proxylist; a->apr_p; a = a->apr_next)
155c199,202
< sizeof(ap->apr_label)))
---
> sizeof(ap->apr_label))) {
> if (ipf_proxy_debug > 1)
> printf("appr_add: %s/%d already present (D)\n",
> a->apr_label, a->apr_p);
156a204
> }
159c207,209
< return (*ap->apr_init)();
---
> if (ap->apr_init != NULL)
> return (*ap->apr_init)();
> return 0;
163a214,245
> * Check to see if the proxy this control request has come through for
> * exists, and if it does and it has a control function then invoke that
> * control function.
> */
> int appr_ctl(ctl)
> ap_ctl_t *ctl;
> {
> aproxy_t *a;
> int error;
>
> a = appr_lookup(ctl->apc_p, ctl->apc_label);
> if (a == NULL) {
> if (ipf_proxy_debug > 1)
> printf("appr_ctl: can't find %s/%d\n",
> ctl->apc_label, ctl->apc_p);
> error = ESRCH;
> } else if (a->apr_ctl == NULL) {
> if (ipf_proxy_debug > 1)
> printf("appr_ctl: no ctl function for %s/%d\n",
> ctl->apc_label, ctl->apc_p);
> error = ENXIO;
> } else {
> error = (*a->apr_ctl)(a, ctl);
> if ((error != 0) && (ipf_proxy_debug > 1))
> printf("appr_ctl: %s/%d ctl error %d\n",
> a->apr_label, a->apr_p, error);
> }
> return error;
> }
>
>
> /*
173c255
< for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
---
> for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next)
177c259,262
< if (ap->apr_ref != 0)
---
> if (ap->apr_ref != 0) {
> if (ipf_proxy_debug > 2)
> printf("appr_del: orphaning %s/%d\n",
> ap->apr_label, ap->apr_p);
178a264
> }
180a267,268
> if (ipf_proxy_debug > 1)
> printf("appr_del: proxy %lx not found\n", (u_long)ap);
188,189c276,277
< int appr_ok(ip, tcp, nat)
< ip_t *ip;
---
> int appr_ok(fin, tcp, nat)
> fr_info_t *fin;
197c285
< (ip->ip_p != apr->apr_p))
---
> (fin->fin_p != apr->apr_p))
199c287
< if (((tcp != NULL) && (tcp->th_dport != dport)) || (!tcp && dport))
---
> if ((tcp == NULL) && dport)
204a293,340
> int appr_ioctl(data, cmd, mode)
> caddr_t data;
> ioctlcmd_t cmd;
> int mode;
> {
> ap_ctl_t ctl;
> caddr_t ptr;
> int error;
>
> mode = mode; /* LINT */
>
> switch (cmd)
> {
> case SIOCPROXY :
> BCOPYIN(data, &ctl, sizeof(ctl));
> ptr = NULL;
>
> if (ctl.apc_dsize > 0) {
> KMALLOCS(ptr, caddr_t, ctl.apc_dsize);
> if (ptr == NULL)
> error = ENOMEM;
> else {
> error = copyinptr(ctl.apc_data, ptr,
> ctl.apc_dsize);
> if (error == 0)
> ctl.apc_data = ptr;
> }
> } else {
> ctl.apc_data = NULL;
> error = 0;
> }
>
> if (error == 0)
> error = appr_ctl(&ctl);
>
> if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
> (ctl.apc_data == ptr)) {
> KFREES(ptr, ctl.apc_dsize);
> }
> break;
>
> default :
> error = EINVAL;
> }
> return error;
> }
>
>
214a351
> int result;
217c354,362
< if (ipn == NULL)
---
> if (ipf_proxy_debug > 8)
> printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
> (u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
> (u_long)ipn);
>
> if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
> if (ipf_proxy_debug > 0)
> printf("appr_match: flx 0x%x (BAD|SHORT)\n",
> fin->fin_flx);
218a364,365
> }
>
220,221c367,370
< if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
< (nat->nat_aps == NULL))
---
> if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
> if (ipf_proxy_debug > 0)
> printf("appr_match:apr %lx apr_flags 0x%x\n",
> (u_long)apr, apr ? apr->apr_flags : 0);
223,224c372,378
< if (apr->apr_match != NULL)
< if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0)
---
> }
>
> if (apr->apr_match != NULL) {
> result = (*apr->apr_match)(fin, nat->nat_aps, nat);
> if (result != 0) {
> if (ipf_proxy_debug > 4)
> printf("appr_match: result %d\n", result);
225a380,381
> }
> }
235c391
< int appr_new(fin, ip, nat)
---
> int appr_new(fin, nat)
237d392
< ip_t *ip;
243c398,404
< if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL))
---
> if (ipf_proxy_debug > 8)
> printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
>
> if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
> if (ipf_proxy_debug > 0)
> printf("appr_new: nat_ptr %lx nat_aps %lx\n",
> (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
244a406
> }
248c410,414
< if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
---
> if ((apr->apr_flags & APR_DELETE) ||
> (fin->fin_p != apr->apr_p)) {
> if (ipf_proxy_debug > 2)
> printf("appr_new: apr_flags 0x%x p %d/%d\n",
> apr->apr_flags, fin->fin_p, apr->apr_p);
249a416
> }
252c419,422
< if (!aps)
---
> if (!aps) {
> if (ipf_proxy_debug > 0)
> printf("appr_new: malloc failed (%lu)\n",
> (u_long)sizeof(ap_session_t));
253a424,425
> }
>
255c427
< aps->aps_p = ip->ip_p;
---
> aps->aps_p = fin->fin_p;
260c432
< if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
---
> if ((*apr->apr_new)(fin, aps, nat) == -1) {
264a437,439
> if (ipf_proxy_debug > 2)
> printf("appr_new: new(%lx) failed\n",
> (u_long)apr->apr_new);
277,278c452,455
< * check to see if a packet should be passed through an active proxy routine
< * if one has been setup for it.
---
> * Check to see if a packet should be passed through an active proxy routine
> * if one has been setup for it. We don't need to check the checksum here if
> * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
> * to be set.
280,281c457
< int appr_check(ip, fin, nat)
< ip_t *ip;
---
> int appr_check(fin, nat)
286c462,464
< mb_t *m = fin->fin_qfm;
---
> # if defined(ICK_VALID)
> mb_t *m;
> # endif
289a468
> udphdr_t *udp = NULL;
292c471
< u_32_t sum;
---
> ip_t *ip;
294a474,476
> #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
> u_32_t s1, s2, sd;
> #endif
296,312c478,492
< aps = nat->nat_aps;
< if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
< if (ip->ip_p == IPPROTO_TCP) {
< tcp = (tcphdr_t *)fin->fin_dp;
< /*
< * verify that the checksum is correct. If not, then
< * don't do anything with this packet.
< */
< #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
< if (dohwcksum && (m->b_ick_flag == ICK_VALID)) {
< sum = tcp->th_sum;
< dosum = 0;
< }
< if (dosum)
< sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
< #else
< sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
---
> if (fin->fin_flx & FI_BAD) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
> return -1;
> }
>
> #ifndef IPFILTER_CKSUM
> if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: l4 checksum failure %d\n",
> fin->fin_p);
> if (fin->fin_p == IPPROTO_TCP)
> frstats[fin->fin_out].fr_tcpbad++;
> return -1;
> }
314,318c494,505
< if (sum != tcp->th_sum) {
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy tcp checksum failure\n");
< #endif
< frstats[fin->fin_out].fr_tcpbad++;
---
>
> aps = nat->nat_aps;
> if ((aps != NULL) && (aps->aps_p == fin->fin_p)) {
> /*
> * If there is data in this packet to be proxied then try and
> * get it all into the one buffer, else drop it.
> */
> #if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
> if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
> if (fr_coalesce(fin) == -1) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
320a508,509
> #endif
> ip = fin->fin_ip;
321a511,520
> switch (fin->fin_p)
> {
> case IPPROTO_TCP :
> tcp = (tcphdr_t *)fin->fin_dp;
>
> #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
> m = fin->fin_qfm;
> if (dohwcksum && (m->b_ick_flag == ICK_VALID))
> dosum = 0;
> #endif
326,327c525,532
< if ((tcp->th_flags & TH_RST) != 0)
< return 0;
---
> if ((fin->fin_tcpf & TH_RST) != 0)
> break;
> /*FALLTHROUGH*/
> case IPPROTO_UDP :
> udp = (udphdr_t *)fin->fin_dp;
> break;
> default :
> break;
334c539
< err = (*apr->apr_outpkt)(fin, ip, aps, nat);
---
> err = (*apr->apr_outpkt)(fin, aps, nat);
337c542
< err = (*apr->apr_inpkt)(fin, ip, aps, nat);
---
> err = (*apr->apr_inpkt)(fin, aps, nat);
341,344c546,550
< if (rv == 1) {
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy says bad packet received\n");
< #endif
---
> if (((ipf_proxy_debug > 0) && (rv != 0)) ||
> (ipf_proxy_debug > 8))
> printf("appr_check: out %d err %x rv %d\n",
> fin->fin_out, err, rv);
> if (rv == 1)
346c552
< }
---
>
348,350d553
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy says free app proxy data\n");
< #endif
355a559,583
> /*
> * If err != 0 then the data size of the packet has changed
> * so we need to recalculate the header checksums for the
> * packet.
> */
> #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
> if (err != 0) {
> short adjlen = err & 0xffff;
>
> s1 = LONG_SUM(ip->ip_len - adjlen);
> s2 = LONG_SUM(ip->ip_len);
> CALC_SUMD(s1, s2, sd);
> fix_outcksum(fin, &ip->ip_sum, sd);
> }
> #endif
>
> /*
> * For TCP packets, we may need to adjust the sequence and
> * acknowledgement numbers to reflect changes in size of the
> * data stream.
> *
> * For both TCP and UDP, recalculate the layer 4 checksum,
> * regardless, as we can't tell (here) if data has been
> * changed or not.
> */
360c588,589
< tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
---
> tcp->th_sum = fr_cksum(fin->fin_qfm, ip,
> IPPROTO_TCP, tcp);
362c591,592
< tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
---
> tcp->th_sum = fr_cksum(fin->fin_m, ip,
> IPPROTO_TCP, tcp);
363a594,602
> } else if ((udp != NULL) && (udp->uh_sum != 0)) {
> #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
> if (dosum)
> udp->uh_sum = fr_cksum(fin->fin_qfm, ip,
> IPPROTO_UDP, udp);
> #else
> udp->uh_sum = fr_cksum(fin->fin_m, ip,
> IPPROTO_UDP, udp);
> #endif
365c604
< aps->aps_bytes += ip->ip_len;
---
> aps->aps_bytes += fin->fin_plen;
381a621,623
> if (ipf_proxy_debug > 8)
> printf("appr_lookup(%d,%s)\n", pr, name);
>
394a637,638
> if (ipf_proxy_debug > 2)
> printf("appr_lookup: failed for %d/%s\n", pr, name);
415c659
< for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
---
> for (ap = &ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
451c695
< nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
---
> nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
463,466c707,710
< #if PROXY_DEBUG
< printf("proxy out switch set seq %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_seqmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy out switch set seq %d -> %d %x > %x\n",
> sel, !sel, seq1,
> aps->aps_seqmin[!sel]);
483,487c727,730
< #if PROXY_DEBUG
< printf("proxy seq set %d at %x to %d + %d\n", sel,
< aps->aps_seqmin[sel], aps->aps_seqoff[sel],
< inc);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy seq set %d at %x to %d + %d\n",
> sel, aps->aps_seqmin[sel],
> aps->aps_seqoff[sel], inc);
498,501c741,744
< #if PROXY_DEBUG
< printf("proxy out switch set ack %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_ackmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy out switch set ack %d -> %d %x > %x\n",
> sel, !sel, seq1,
> aps->aps_ackmin[!sel]);
517,520c760,762
< #if PROXY_DEBUG
< printf("proxy in switch set ack %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_ackmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy in switch set ack %d -> %d %x > %x\n",
> sel, !sel, seq1, aps->aps_ackmin[!sel]);
537,541c779,783
< #if PROXY_DEBUG
< printf("proxy ack set %d at %x to %d + %d\n", !sel,
< aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
< inc);
< #endif
---
>
> if (ipf_proxy_debug > 7)
> printf("proxy ack set %d at %x to %d + %d\n",
> !sel, aps->aps_seqmin[!sel],
> aps->aps_seqoff[sel], inc);
552,555c794,796
< #if PROXY_DEBUG
< printf("proxy in switch set seq %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_seqmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy in switch set seq %d -> %d %x > %x\n",
> sel, !sel, seq1, aps->aps_seqmin[!sel]);
560,564c801,804
< #if PROXY_DEBUG
< printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
< aps->aps_seqoff[sel], seq1,
< aps->aps_seqmin[sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("sel %d seqoff %d seq1 %x seqmin %x\n",
> sel, aps->aps_seqoff[sel], seq1,
> aps->aps_seqmin[sel]);
572,575c812,815
< #if PROXY_DEBUG
< printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
< ntohl(tcp->th_ack));
< #endif
---
>
> if (ipf_proxy_debug > 8)
> printf("appr_fixseqack: seq %x ack %x\n",
> ntohl(tcp->th_seq), ntohl(tcp->th_ack));
590,592c830,834
< err = (*ap->apr_init)();
< if (err != 0)
< break;
---
> if (ap->apr_init != NULL) {
> err = (*ap->apr_init)();
> if (err != 0)
> break;
> }
607c849
< if (ap->apr_fini)
---
> if (ap->apr_fini != NULL)
610c852
< if (ap->apr_fini)
---
> if (ap->apr_fini != NULL)
> /* $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 145522 2005-04-25 18:43:14Z darrenr $ */
>
2c4
< * Copyright (C) 1997-2002 by Darren Reed.
---
> * Copyright (C) 1997-2003 by Darren Reed.
6,8c8,12
<
< #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
< # define _KERNEL
---
> #if defined(KERNEL) || defined(_KERNEL)
> # undef KERNEL
> # undef _KERNEL
> # define KERNEL 1
> # define _KERNEL 1
10,13d13
<
< #if defined(__sgi) && (IRIX > 602)
< # include <sys/ptimers.h>
< #endif
19,21d18
< #if !defined(__FreeBSD_version)
< # include <sys/ioctl.h>
< #endif
23c20
< #if !defined(_KERNEL) && !defined(KERNEL)
---
> #if !defined(_KERNEL) && !defined(__KERNEL__)
26a24,30
> # include <ctype.h>
> # define _KERNEL
> # ifdef __OpenBSD__
> struct file;
> # endif
> # include <sys/uio.h>
> # undef _KERNEL
28c32
< #ifndef linux
---
> #if !defined(linux)
33,36c37,39
< # if !defined(linux)
< # include <sys/systm.h>
< # else
< # include <linux/string.h>
---
> # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
> !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi)
> # include <sys/ctype.h>
38,40c41,42
< #endif
< #if !defined(__SVR4) && !defined(__svr4__)
< # ifndef linux
---
> # include <sys/systm.h>
> # if !defined(__SVR4) && !defined(__svr4__)
42a45,51
> #endif
> #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
> # include <sys/filio.h>
> # include <sys/fcntl.h>
> # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
> # include "opt_ipfilter.h"
> # endif
43a53,55
> # include <sys/ioctl.h>
> #endif
> #if defined(__SVR4) || defined(__svr4__)
78,80c90,100
< #if !defined(lint)
< /* static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.6 2001/07/15 22:06:15 darrenr Exp $"; */
< static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 139255 2004-12-24 09:14:26Z darrenr $";
---
> #include "netinet/ip_ftp_pxy.c"
> #include "netinet/ip_rcmd_pxy.c"
> # include "netinet/ip_pptp_pxy.c"
> #if defined(_KERNEL)
> # include "netinet/ip_irc_pxy.c"
> # include "netinet/ip_raudio_pxy.c"
> # include "netinet/ip_h323_pxy.c"
> # ifdef IPFILTER_PRO
> # include "netinet/ip_msnrpc_pxy.c"
> # endif
> # include "netinet/ip_netbios_pxy.c"
81a102,103
> #include "netinet/ip_ipsec_pxy.c"
> #include "netinet/ip_rpcb_pxy.c"
83,84c105,108
< #ifdef USE_MUTEX
< extern KRWLOCK_T ipf_nat, ipf_state;
---
> /* END OF INCLUDES */
>
> #if !defined(lint)
> static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
89,91d112
<
< #define PROXY_DEBUG 0
<
94d114
< #include "netinet/ip_ftp_pxy.c"
96,99c116,118
< #include "netinet/ip_rcmd_pxy.c"
< #include "netinet/ip_raudio_pxy.c"
< #include "netinet/ip_netbios_pxy.c"
< #include "netinet/ip_ipsec_pxy.c"
---
> int ipf_proxy_debug = 0;
> #else
> int ipf_proxy_debug = 2;
101d119
<
107c125
< { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
---
> { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
109a128,131
> #ifdef IPF_IRC_PROXY
> { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini,
> ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL },
> #endif
111,112c133,134
< { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL,
< ippr_rcmd_new, NULL, NULL, ippr_rcmd_out, NULL },
---
> { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_fini,
> ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
115,116c137,138
< { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL,
< ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL },
---
> { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_fini,
> ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
118,121c140,142
< #ifdef IPF_IPSEC_PROXY
< { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, ippr_ipsec_init, NULL,
< ippr_ipsec_new, ippr_ipsec_del, NULL, ippr_ipsec_out,
< ippr_ipsec_match },
---
> #ifdef IPF_MSNRPC_PROXY
> { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, ippr_msnrpc_init, ippr_msnrpc_fini,
> ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
124,125c145,146
< { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
< NULL, NULL, NULL, ippr_netbios_out, NULL },
---
> { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, ippr_netbios_fini,
> NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
126a148,157
> #ifdef IPF_IPSEC_PROXY
> { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0,
> ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del,
> ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL },
> #endif
> #ifdef IPF_PPTP_PROXY
> { NULL, "pptp", (char)IPPROTO_TCP, 0, 0,
> ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del,
> ippr_pptp_inout, ippr_pptp_inout, NULL, NULL },
> #endif
128,133c159,174
< { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, NULL,
< ippr_h323_new, ippr_h323_del, ippr_h323_in, ippr_h323_out, NULL },
< { NULL, "h245", (char)IPPROTO_TCP, 0, 0, ippr_h245_init, NULL,
< ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
< #endif
< { NULL, "", '\0', 0, 0, NULL, NULL, NULL }
---
> { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini,
> ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL },
> { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL,
> ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
> #endif
> #ifdef IPF_RPCB_PROXY
> # if 0
> { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0,
> ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
> ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
> # endif
> { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0,
> ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
> ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
> #endif
> { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL }
136d176
<
149c189,192
< sizeof(ap->apr_label)))
---
> sizeof(ap->apr_label))) {
> if (ipf_proxy_debug > 1)
> printf("appr_add: %s/%d already present (B)\n",
> a->apr_label, a->apr_p);
150a194
> }
152c196
< for (a = ap_proxylist; a && a->apr_p; a = a->apr_next)
---
> for (a = ap_proxylist; a->apr_p; a = a->apr_next)
155c199,202
< sizeof(ap->apr_label)))
---
> sizeof(ap->apr_label))) {
> if (ipf_proxy_debug > 1)
> printf("appr_add: %s/%d already present (D)\n",
> a->apr_label, a->apr_p);
156a204
> }
159c207,209
< return (*ap->apr_init)();
---
> if (ap->apr_init != NULL)
> return (*ap->apr_init)();
> return 0;
163a214,245
> * Check to see if the proxy this control request has come through for
> * exists, and if it does and it has a control function then invoke that
> * control function.
> */
> int appr_ctl(ctl)
> ap_ctl_t *ctl;
> {
> aproxy_t *a;
> int error;
>
> a = appr_lookup(ctl->apc_p, ctl->apc_label);
> if (a == NULL) {
> if (ipf_proxy_debug > 1)
> printf("appr_ctl: can't find %s/%d\n",
> ctl->apc_label, ctl->apc_p);
> error = ESRCH;
> } else if (a->apr_ctl == NULL) {
> if (ipf_proxy_debug > 1)
> printf("appr_ctl: no ctl function for %s/%d\n",
> ctl->apc_label, ctl->apc_p);
> error = ENXIO;
> } else {
> error = (*a->apr_ctl)(a, ctl);
> if ((error != 0) && (ipf_proxy_debug > 1))
> printf("appr_ctl: %s/%d ctl error %d\n",
> a->apr_label, a->apr_p, error);
> }
> return error;
> }
>
>
> /*
173c255
< for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
---
> for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next)
177c259,262
< if (ap->apr_ref != 0)
---
> if (ap->apr_ref != 0) {
> if (ipf_proxy_debug > 2)
> printf("appr_del: orphaning %s/%d\n",
> ap->apr_label, ap->apr_p);
178a264
> }
180a267,268
> if (ipf_proxy_debug > 1)
> printf("appr_del: proxy %lx not found\n", (u_long)ap);
188,189c276,277
< int appr_ok(ip, tcp, nat)
< ip_t *ip;
---
> int appr_ok(fin, tcp, nat)
> fr_info_t *fin;
197c285
< (ip->ip_p != apr->apr_p))
---
> (fin->fin_p != apr->apr_p))
199c287
< if (((tcp != NULL) && (tcp->th_dport != dport)) || (!tcp && dport))
---
> if ((tcp == NULL) && dport)
204a293,340
> int appr_ioctl(data, cmd, mode)
> caddr_t data;
> ioctlcmd_t cmd;
> int mode;
> {
> ap_ctl_t ctl;
> caddr_t ptr;
> int error;
>
> mode = mode; /* LINT */
>
> switch (cmd)
> {
> case SIOCPROXY :
> BCOPYIN(data, &ctl, sizeof(ctl));
> ptr = NULL;
>
> if (ctl.apc_dsize > 0) {
> KMALLOCS(ptr, caddr_t, ctl.apc_dsize);
> if (ptr == NULL)
> error = ENOMEM;
> else {
> error = copyinptr(ctl.apc_data, ptr,
> ctl.apc_dsize);
> if (error == 0)
> ctl.apc_data = ptr;
> }
> } else {
> ctl.apc_data = NULL;
> error = 0;
> }
>
> if (error == 0)
> error = appr_ctl(&ctl);
>
> if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
> (ctl.apc_data == ptr)) {
> KFREES(ptr, ctl.apc_dsize);
> }
> break;
>
> default :
> error = EINVAL;
> }
> return error;
> }
>
>
214a351
> int result;
217c354,362
< if (ipn == NULL)
---
> if (ipf_proxy_debug > 8)
> printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
> (u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
> (u_long)ipn);
>
> if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
> if (ipf_proxy_debug > 0)
> printf("appr_match: flx 0x%x (BAD|SHORT)\n",
> fin->fin_flx);
218a364,365
> }
>
220,221c367,370
< if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
< (nat->nat_aps == NULL))
---
> if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
> if (ipf_proxy_debug > 0)
> printf("appr_match:apr %lx apr_flags 0x%x\n",
> (u_long)apr, apr ? apr->apr_flags : 0);
223,224c372,378
< if (apr->apr_match != NULL)
< if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0)
---
> }
>
> if (apr->apr_match != NULL) {
> result = (*apr->apr_match)(fin, nat->nat_aps, nat);
> if (result != 0) {
> if (ipf_proxy_debug > 4)
> printf("appr_match: result %d\n", result);
225a380,381
> }
> }
235c391
< int appr_new(fin, ip, nat)
---
> int appr_new(fin, nat)
237d392
< ip_t *ip;
243c398,404
< if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL))
---
> if (ipf_proxy_debug > 8)
> printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
>
> if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
> if (ipf_proxy_debug > 0)
> printf("appr_new: nat_ptr %lx nat_aps %lx\n",
> (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
244a406
> }
248c410,414
< if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
---
> if ((apr->apr_flags & APR_DELETE) ||
> (fin->fin_p != apr->apr_p)) {
> if (ipf_proxy_debug > 2)
> printf("appr_new: apr_flags 0x%x p %d/%d\n",
> apr->apr_flags, fin->fin_p, apr->apr_p);
249a416
> }
252c419,422
< if (!aps)
---
> if (!aps) {
> if (ipf_proxy_debug > 0)
> printf("appr_new: malloc failed (%lu)\n",
> (u_long)sizeof(ap_session_t));
253a424,425
> }
>
255c427
< aps->aps_p = ip->ip_p;
---
> aps->aps_p = fin->fin_p;
260c432
< if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
---
> if ((*apr->apr_new)(fin, aps, nat) == -1) {
264a437,439
> if (ipf_proxy_debug > 2)
> printf("appr_new: new(%lx) failed\n",
> (u_long)apr->apr_new);
277,278c452,455
< * check to see if a packet should be passed through an active proxy routine
< * if one has been setup for it.
---
> * Check to see if a packet should be passed through an active proxy routine
> * if one has been setup for it. We don't need to check the checksum here if
> * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
> * to be set.
280,281c457
< int appr_check(ip, fin, nat)
< ip_t *ip;
---
> int appr_check(fin, nat)
286c462,464
< mb_t *m = fin->fin_qfm;
---
> # if defined(ICK_VALID)
> mb_t *m;
> # endif
289a468
> udphdr_t *udp = NULL;
292c471
< u_32_t sum;
---
> ip_t *ip;
294a474,476
> #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
> u_32_t s1, s2, sd;
> #endif
296,312c478,492
< aps = nat->nat_aps;
< if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
< if (ip->ip_p == IPPROTO_TCP) {
< tcp = (tcphdr_t *)fin->fin_dp;
< /*
< * verify that the checksum is correct. If not, then
< * don't do anything with this packet.
< */
< #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
< if (dohwcksum && (m->b_ick_flag == ICK_VALID)) {
< sum = tcp->th_sum;
< dosum = 0;
< }
< if (dosum)
< sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
< #else
< sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
---
> if (fin->fin_flx & FI_BAD) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
> return -1;
> }
>
> #ifndef IPFILTER_CKSUM
> if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: l4 checksum failure %d\n",
> fin->fin_p);
> if (fin->fin_p == IPPROTO_TCP)
> frstats[fin->fin_out].fr_tcpbad++;
> return -1;
> }
314,318c494,505
< if (sum != tcp->th_sum) {
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy tcp checksum failure\n");
< #endif
< frstats[fin->fin_out].fr_tcpbad++;
---
>
> aps = nat->nat_aps;
> if ((aps != NULL) && (aps->aps_p == fin->fin_p)) {
> /*
> * If there is data in this packet to be proxied then try and
> * get it all into the one buffer, else drop it.
> */
> #if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
> if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
> if (fr_coalesce(fin) == -1) {
> if (ipf_proxy_debug > 0)
> printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
320a508,509
> #endif
> ip = fin->fin_ip;
321a511,520
> switch (fin->fin_p)
> {
> case IPPROTO_TCP :
> tcp = (tcphdr_t *)fin->fin_dp;
>
> #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
> m = fin->fin_qfm;
> if (dohwcksum && (m->b_ick_flag == ICK_VALID))
> dosum = 0;
> #endif
326,327c525,532
< if ((tcp->th_flags & TH_RST) != 0)
< return 0;
---
> if ((fin->fin_tcpf & TH_RST) != 0)
> break;
> /*FALLTHROUGH*/
> case IPPROTO_UDP :
> udp = (udphdr_t *)fin->fin_dp;
> break;
> default :
> break;
334c539
< err = (*apr->apr_outpkt)(fin, ip, aps, nat);
---
> err = (*apr->apr_outpkt)(fin, aps, nat);
337c542
< err = (*apr->apr_inpkt)(fin, ip, aps, nat);
---
> err = (*apr->apr_inpkt)(fin, aps, nat);
341,344c546,550
< if (rv == 1) {
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy says bad packet received\n");
< #endif
---
> if (((ipf_proxy_debug > 0) && (rv != 0)) ||
> (ipf_proxy_debug > 8))
> printf("appr_check: out %d err %x rv %d\n",
> fin->fin_out, err, rv);
> if (rv == 1)
346c552
< }
---
>
348,350d553
< #if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
< printf("proxy says free app proxy data\n");
< #endif
355a559,583
> /*
> * If err != 0 then the data size of the packet has changed
> * so we need to recalculate the header checksums for the
> * packet.
> */
> #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
> if (err != 0) {
> short adjlen = err & 0xffff;
>
> s1 = LONG_SUM(ip->ip_len - adjlen);
> s2 = LONG_SUM(ip->ip_len);
> CALC_SUMD(s1, s2, sd);
> fix_outcksum(fin, &ip->ip_sum, sd);
> }
> #endif
>
> /*
> * For TCP packets, we may need to adjust the sequence and
> * acknowledgement numbers to reflect changes in size of the
> * data stream.
> *
> * For both TCP and UDP, recalculate the layer 4 checksum,
> * regardless, as we can't tell (here) if data has been
> * changed or not.
> */
360c588,589
< tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
---
> tcp->th_sum = fr_cksum(fin->fin_qfm, ip,
> IPPROTO_TCP, tcp);
362c591,592
< tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
---
> tcp->th_sum = fr_cksum(fin->fin_m, ip,
> IPPROTO_TCP, tcp);
363a594,602
> } else if ((udp != NULL) && (udp->uh_sum != 0)) {
> #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
> if (dosum)
> udp->uh_sum = fr_cksum(fin->fin_qfm, ip,
> IPPROTO_UDP, udp);
> #else
> udp->uh_sum = fr_cksum(fin->fin_m, ip,
> IPPROTO_UDP, udp);
> #endif
365c604
< aps->aps_bytes += ip->ip_len;
---
> aps->aps_bytes += fin->fin_plen;
381a621,623
> if (ipf_proxy_debug > 8)
> printf("appr_lookup(%d,%s)\n", pr, name);
>
394a637,638
> if (ipf_proxy_debug > 2)
> printf("appr_lookup: failed for %d/%s\n", pr, name);
415c659
< for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
---
> for (ap = &ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
451c695
< nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
---
> nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
463,466c707,710
< #if PROXY_DEBUG
< printf("proxy out switch set seq %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_seqmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy out switch set seq %d -> %d %x > %x\n",
> sel, !sel, seq1,
> aps->aps_seqmin[!sel]);
483,487c727,730
< #if PROXY_DEBUG
< printf("proxy seq set %d at %x to %d + %d\n", sel,
< aps->aps_seqmin[sel], aps->aps_seqoff[sel],
< inc);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy seq set %d at %x to %d + %d\n",
> sel, aps->aps_seqmin[sel],
> aps->aps_seqoff[sel], inc);
498,501c741,744
< #if PROXY_DEBUG
< printf("proxy out switch set ack %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_ackmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy out switch set ack %d -> %d %x > %x\n",
> sel, !sel, seq1,
> aps->aps_ackmin[!sel]);
517,520c760,762
< #if PROXY_DEBUG
< printf("proxy in switch set ack %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_ackmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy in switch set ack %d -> %d %x > %x\n",
> sel, !sel, seq1, aps->aps_ackmin[!sel]);
537,541c779,783
< #if PROXY_DEBUG
< printf("proxy ack set %d at %x to %d + %d\n", !sel,
< aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
< inc);
< #endif
---
>
> if (ipf_proxy_debug > 7)
> printf("proxy ack set %d at %x to %d + %d\n",
> !sel, aps->aps_seqmin[!sel],
> aps->aps_seqoff[sel], inc);
552,555c794,796
< #if PROXY_DEBUG
< printf("proxy in switch set seq %d -> %d %x > %x\n",
< sel, !sel, seq1, aps->aps_seqmin[!sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("proxy in switch set seq %d -> %d %x > %x\n",
> sel, !sel, seq1, aps->aps_seqmin[!sel]);
560,564c801,804
< #if PROXY_DEBUG
< printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
< aps->aps_seqoff[sel], seq1,
< aps->aps_seqmin[sel]);
< #endif
---
> if (ipf_proxy_debug > 7)
> printf("sel %d seqoff %d seq1 %x seqmin %x\n",
> sel, aps->aps_seqoff[sel], seq1,
> aps->aps_seqmin[sel]);
572,575c812,815
< #if PROXY_DEBUG
< printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
< ntohl(tcp->th_ack));
< #endif
---
>
> if (ipf_proxy_debug > 8)
> printf("appr_fixseqack: seq %x ack %x\n",
> ntohl(tcp->th_seq), ntohl(tcp->th_ack));
590,592c830,834
< err = (*ap->apr_init)();
< if (err != 0)
< break;
---
> if (ap->apr_init != NULL) {
> err = (*ap->apr_init)();
> if (err != 0)
> break;
> }
607c849
< if (ap->apr_fini)
---
> if (ap->apr_fini != NULL)
610c852
< if (ap->apr_fini)
---
> if (ap->apr_fini != NULL)