head	1.8;
access;
symbols
	RELEASE_5_2_1:1.7
	RELEASE_5_2_0:1.7
	RELEASE_4_9_0:1.1;
locks; strict;
comment	@# @;


1.8
date	2004.01.13.20.41.19;	author pav;	state dead;
branches;
next	1.7;

1.7
date	2003.11.25.14.08.02;	author bms;	state Exp;
branches;
next	1.6;

1.6
date	2003.11.09.16.00.18;	author jeh;	state dead;
branches;
next	1.5;

1.5
date	2003.10.10.07.26.28;	author krion;	state Exp;
branches;
next	1.4;

1.4
date	2003.10.02.21.31.37;	author osa;	state dead;
branches;
next	1.3;

1.3
date	2003.10.02.20.58.23;	author osa;	state Exp;
branches;
next	1.2;

1.2
date	2003.09.28.13.27.06;	author edwin;	state Exp;
branches;
next	1.1;

1.1
date	2003.06.18.04.46.34;	author foxfair;	state Exp;
branches;
next	;


desc
@@


1.8
log
@- Update to 2.02
  * Fix severe byte order related problem with "route-to" rules
    (much help from Joris Vandalon with testing here)
  * Make tcpdump's -w flag work for if_pfsync
  * Fix byte order and drop lock for icmp_error() calls.
    (note that it is necessary to allow icmp_error messages - from
    "block-policy return" - as FreeBSD does not know about pf's
    special tags, yet).

- update ALTQ-message to point to the new 5.2R-patchset from rofug.ro
  as well

PR:		ports/61318
Submitted by:	Max Laier <max@@love2party.net> (maintainer)
@
text
@--- pf/pf.c.orig	Fri Nov 21 14:32:14 2003
+++ pf/pf.c	Fri Nov 21 14:32:33 2003
@@@@ -1250,8 +1250,10 @@@@
 	struct tcphdr	*th;
 #if defined(__FreeBSD__)
 	struct ip 	*ip;
+#if (__FreeBSD_version < 501114)
 	struct route 	 ro;
 #endif
+#endif
 	char *opt;
 
 	/* maximum segment size tcp option */
@@@@ -1366,7 +1368,6 @@@@
 		h->ip_ttl = ttl ? ttl : ip_defttl;
 		h->ip_sum = 0;
 #if defined(__FreeBSD__)
-		bzero(&ro, sizeof(ro));
 		ip = mtod(m, struct ip *);
 		/*
 		 * XXX
@@@@ -1376,6 +1377,8 @@@@
 		 */
 		NTOHS(ip->ip_len);
 		NTOHS(ip->ip_off);
+#if (__FreeBSD_version < 501114)
+		bzero(&ro, sizeof(ro));
 		ip_rtaddr(ip->ip_dst, &ro);
 		PF_UNLOCK();
 		ip_output(m, (void *)NULL, &ro, 0, (void *)NULL,
@@@@ -1384,7 +1387,13 @@@@
 		if(ro.ro_rt) {
 			RTFREE(ro.ro_rt);
 		}
-#else
+#else /* __FreeBSD_version >= 501114 */
+		PF_UNLOCK();
+		ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
+			(void *)NULL);
+		PF_LOCK();
+#endif
+#else /* ! __FreeBSD__ */
 		ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
 		    (void *)NULL);
 #endif
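Review bot: The new `__FreeBSD_version >= 501114` branch drops the pf lock with `PF_UNLOCK()` around `ip_output()` and retakes it with `PF_LOCK()`, but nothing at the call site records that pf state may change while the lock is released. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether it or its callers keep rule or state pointers across that window; that should be checked. A comment above `PF_UNLOCK()` such as `/* pf lock is dropped across ip_output(); do not rely on rule or state pointers obtained before this point */` would make the constraint visible. The return value of `ip_output()` is also discarded in every branch; if that is deliberate best-effort behaviour, the same comment should say so.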
@@@@ -2354,8 +2363,12 @@@@
 		dst->sin_len = sizeof(*dst);
 		dst->sin_addr = addr->v4;
 #if defined(__FreeBSD__)
+#ifdef RTF_PRCLONING
 		rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
-#else
+#else /* !RTF_PRCLONING */
+		rtalloc_ign(&ro, RTF_CLONING);
+#endif
+#else /* ! __FreeBSD__ */
 		rtalloc_noclone(&ro, NO_CLONING);
 #endif
 		rt = ro.ro_rt;
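Review bot: The `#ifdef RTF_PRCLONING` / `#else` ladder added here is repeated in the hunks at -2370 and -4731, so the flag choice is spelled out three times and the copies can drift apart. Defining the flag set once near the top of the file would avoid that: `#define PF_RTALLOC_IGNFLAGS (RTF_CLONING | RTF_PRCLONING)` under `#ifdef RTF_PRCLONING` and `#define PF_RTALLOC_IGNFLAGS RTF_CLONING` otherwise (the macro name is only a suggestion). Each call site then shrinks to `rtalloc_ign(&ro, PF_RTALLOC_IGNFLAGS);` inside the existing `__FreeBSD__` conditional. The surrounding function is not visible in any of the three hunks.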
@@@@ -2370,9 +2383,13 @@@@
 		dst6->sin6_len = sizeof(*dst6);
 		dst6->sin6_addr = addr->v6;
 #if defined(__FreeBSD__)
+#ifdef RTF_PRCLONING
 		rtalloc_ign((struct route *)&ro6,
 		    (RTF_CLONING | RTF_PRCLONING));
-#else
+#else /* !RTF_PRCLONING */
+		rtalloc_ign((struct route *)&ro6, RTF_CLONING);
+#endif
+#else /* ! __FreeBSD__ */
 		rtalloc_noclone((struct route *)&ro6, NO_CLONING);
 #endif
 		rt = ro6.ro_rt;
@@@@ -4731,8 +4748,12 @@@@
 	dst->sin_len = sizeof(*dst);
 	dst->sin_addr = addr->v4;
 #if defined(__FreeBSD__)
+#ifdef RTF_PRCLONING
 	rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING));
-#else
+#else /* !RTF_PRCLONING */
+	rtalloc_ign(&ro, RTF_CLONING);
+#endif
+#else /* ! __FreeBSD__ */
 	rtalloc_noclone(&ro, NO_CLONING);
 #endif
 
@@@@ -5044,7 +5065,8 @@@@
 	m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
 
 	if (ntohs(ip->ip_len) <= ifp->if_mtu ||
-		ifp->if_hwassist & CSUM_FRAGMENT) {
+	    (ifp->if_hwassist & CSUM_FRAGMENT &&
+		((ip->ip_off & htons(IP_DF)) == 0))) {
 		/*
 		 * ip->ip_len = htons(ip->ip_len);
 		 * ip->ip_off = htons(ip->ip_off);
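Review bot: The new condition `ifp->if_hwassist & CSUM_FRAGMENT && ((ip->ip_off & htons(IP_DF)) == 0)` is correct only because `&` binds tighter than `&&`. The bit test should be parenthesised so the grouping is explicit: `((ifp->if_hwassist & CSUM_FRAGMENT) && (ip->ip_off & htons(IP_DF)) == 0)`. A one-line comment before the `if` would also help, for example `/* DF set: never let the interface fragment in hardware */`, because the reason for the extra test is otherwise only in the commit log. The body of this `if` continues past the end of the hunk.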
@


1.7
log
@Supersedes ports/59442 and previous hasty-fix, and fixes the following:
 - Build with __FreeBSD_version > 501114 (see bms commit)
 - Build with new route.h (no RTF_PRCLONING)
 - Don't use hardware assistance on fragmentation when DF is set.
 - Allow pftcpdump -w to be used with pfsync.

Found-by:	bento / Pyun YongHyeon
Submitted by:	Max Laier
PR:		ports/59548
@
text
@@


1.6
log
@Bump port version to 2.00:
 - Build again with FreeBSD_version > 501113 (if_xname)
 - Fix some byte order problems with route-to rules
 - Stable release

PR:		589037
Submitted By:	MAINTAINER
@
text
@d1 11
a11 4
--- freebsd_tcpdump/print-tcp.c.orig	Thu Oct  9 19:55:02 2003
+++ freebsd_tcpdump/print-tcp.c	Thu Oct  9 19:56:28 2003
@@@@ -406,7 +406,11 @@@@
 	}
d13 57
a69 5
 	/* OS Fingerprint */
+#ifdef INET6
 	if (oflag && ip6 == NULL && (flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+#else
+	if (oflag && (flags & (TH_SYN|TH_ACK)) == TH_SYN) {
d71 28
a98 3
 		struct pf_osfp_enlist *head = NULL;
 		struct pf_osfp_entry *fp;
 		unsigned long left;
@


1.5
log
@- Add patch to fix a build problem with NOINET6 defined.
- Bump PORTREVISION

PR:		57812
Submitted by:	maintainer
@
text
@@


1.4
log
@Remove NULL patch.
@
text
@d1 14
@


1.3
log
@Update to 1.66

PR:		ports/57452
Submitted by	Max Laier <max@@love2party.net> (maintainer)
@
text
@@


1.2
log
@Update port: security/pf - OpenBSD 3.4 pf

	Port update after API change in PFIL_HOOKS in -current and
	OpenBSD 3.4 Release.

PR:		 ports/57305
Submitted by:	Max Laier <max@@love2party.net>
@
text
@a0 24
--- pf/pf_ioctl.c.orig	Sun Sep 28 15:00:08 2003
+++ pf/pf_ioctl.c	Sun Sep 28 15:00:16 2003
@@@@ -201,7 +201,7 @@@@
 	/* psize */	nopsize,
 	/* flags */	0,
 	/* kqfilter */	nokqfilter,
-#else
+#elif (__FreeBSD_version < 501109)
 	.d_open =	pfopen,
 	.d_close =	pfclose,
 	.d_read =	noread,
@@@@ -215,6 +215,12 @@@@
 	.d_dump =	nodump,
 	.d_flags =	0,
 	.d_kqfilter =	nokqfilter,
+#else
+	.d_open =	pfopen,
+	.d_close =	pfclose,
+	.d_ioctl =	pfioctl,
+	.d_name =	PF_NAME,
+	.d_flags =	0,
 #endif
 };
 #endif /* __FreeBSD__ */
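Review bot: The added `#else` arm of the `cdevsw` initializer is unlabelled although the chain now has three arms, and it is the one used when `__FreeBSD_version >= 501109`. It should be annotated as `#else /* __FreeBSD_version >= 501109 */`. This arm also no longer sets the `noread`, `nodump` and `nokqfilter` entries that the preceding arm lists explicitly. Presumably the newer cdevsw layout supplies those defaults; that should be confirmed and noted in a short comment so an unset entry is not mistaken for an omission. The initializer begins outside the hunk.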
@


1.1
log
@PR:
Submitted by:	maintainer
Reviewed by:
Approved by:
Obtained from:
MFC after:
Add two patches to solve the following problems:

patch-ab
 - resolves a problem with a mbuf-tag in 5.1
 - Submitted by: Pyun YongHyeon <yongari@@kt-is.co.kr>

patch-ac
 - pulls in two critical fixes from OpenBSD patch branch
 - Obtained from: OpenBSD

Change BROKEN to IGNORE tag in Makefile, suggested by: kris@@
&& bump PORTREVISION.
@
text
@d1 24
a24 29
--- pf/pf.c	Wed May  7 09:33:21 2003
+++ pf/pf.c	Tue Jun 17 17:02:08 2003
@@@@ -2837,6 +2837,7 @@@@
 		/* check incoming packet for BINAT/RDR */
 		if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto,
 		    saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) {
+			PF_ACPY(&baddr, daddr, af);
 			switch (af) {
 #ifdef INET
 			case AF_INET:
@@@@ -3179,7 +3180,7 @@@@
 	    /* Retrans: not more than one window back */
 	    (ackskew >= -MAXACKWINDOW) &&
 	    /* Acking not more than one window back */
-	    (ackskew <= MAXACKWINDOW)) {
+	    (ackskew <= (MAXACKWINDOW << sws))) {
 	    /* Acking not more than one window forward */
 
 		(*state)->packets++;
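Review bot: The upper bound on `ackskew` becomes `MAXACKWINDOW << sws`, but `sws` is assigned outside this hunk; if it comes from the peer's TCP window-scale option, it is a value the remote side controls. It should be confirmed that `sws` is clamped before it reaches this shift (TCP limits the scale to `TCP_MAX_WINSHIFT`, 14), since an oversized left shift of a signed value is undefined behaviour and could weaken the window check. The trailing comment `/* Acking not more than one window forward */` should be updated to say that the forward limit is now scaled by the sender's window scale. The same expression is repeated in the debug output in the hunk at -3346.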
@@@@ -3346,7 +3347,7 @@@@
 			    SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
 			    ' ': '2',
 			    (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
-			    (ackskew <= MAXACKWINDOW) ? ' ' : '4',
+			    (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
 			    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
 			    SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
 		}

@

