IFC @ r223696 to pick up dfr's userboot

This commit is contained in:
Peter Grehan 2011-06-30 17:37:42 +00:00
commit 23300944db
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/projects/bhyve/; revision=223698
499 changed files with 26773 additions and 10232 deletions


@ -22,6 +22,12 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.x IS SLOW:
machines to maximize performance. (To disable malloc debugging, run
ln -s aj /etc/malloc.conf.)
20110628:
The packet filter (pf) code has been updated to OpenBSD 4.5.
You need to update userland tools to be in sync with kernel.
This update breaks backward compatibility with earlier pfsync(4)
versions. Care must be taken when updating redundant firewall setups.
20110608:
The following sysctls and tunables are retired on x86 platforms:
machdep.hlt_cpus


@ -71,7 +71,6 @@ __FBSDID("$FreeBSD$");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include "extern.h"


@ -33,7 +33,7 @@
.\" From: src/bin/pwd/pwd.1,v 1.11 2000/11/20 11:39:39 ru Exp
.\" $FreeBSD$
.\"
.Dd November 24, 2000
.Dd June 21, 2011
.Dt REALPATH 1
.Os
.Sh NAME
@ -42,8 +42,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl q
.Ar path
.Op Ar ...
.Op Ar path ...
.Sh DESCRIPTION
The
.Nm
@ -57,6 +56,11 @@ and
.Pa /../
in
.Ar path .
If
.Ar path
is absent, the current working directory
.Pq Sq Pa .\&
is assumed.
.Pp
If
.Fl q


@ -44,7 +44,8 @@ main(int argc, char *argv[])
{
char buf[PATH_MAX];
char *p;
int ch, i, qflag, rval;
const char *path;
int ch, qflag, rval;
qflag = 0;
while ((ch = getopt(argc, argv, "q")) != -1) {
@ -59,17 +60,16 @@ main(int argc, char *argv[])
}
argc -= optind;
argv += optind;
if (argc < 1)
usage();
path = *argv != NULL ? *argv++ : ".";
rval = 0;
for (i = 0; i < argc; i++) {
if ((p = realpath(argv[i], buf)) == NULL) {
do {
if ((p = realpath(path, buf)) == NULL) {
if (!qflag)
warn("%s", argv[i]);
warn("%s", path);
rval = 1;
} else
(void)printf("%s\n", p);
}
} while ((path = *argv++) != NULL);
exit(rval);
}
@ -77,6 +77,6 @@ static void
usage(void)
{
(void)fprintf(stderr, "usage: realpath [-q] path [...]\n");
(void)fprintf(stderr, "usage: realpath [-q] [path ...]\n");
exit(1);
}
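Review bot: `argc -= optind;` (the line just above `argv += optind;` in the second hunk) is now a dead store: with the `argc < 1` guard and the indexed `for` loop removed, nothing in main reads argc afterwards, because the new do/while walks argv up to its NULL terminator instead. Either drop the line or keep it with a comment such as `/* argc is unused from here on; argv is NULL-terminated */` so the next reader does not look for a missing bounds check. The loop itself is sound: with no operands `path` starts as "." and `argv` is not advanced, so the first `*argv++` in the loop condition reads the terminating NULL and exactly one iteration runs. main's opening brace is the first hunk line, so its signature lies just outside the hunk.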


@ -35,7 +35,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/limits.h>
#include <limits.h>
#include <errno.h>
#include <inttypes.h>
#include <stdlib.h>


@ -55,7 +55,6 @@ __FBSDID("$FreeBSD$");
*/
#include <sys/cdefs.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>


@ -32,7 +32,7 @@
.\" from: @(#)sh.1 8.6 (Berkeley) 5/4/95
.\" $FreeBSD$
.\"
.Dd June 18, 2011
.Dd June 24, 2011
.Dt SH 1
.Os
.Sh NAME
@ -994,11 +994,22 @@ described later),
separated by
.Ql \&|
characters.
Tilde expansion, parameter expansion, command substitution,
arithmetic expansion and quote removal are applied to the word.
Then, each pattern is expanded in turn using tilde expansion,
parameter expansion, command substitution and arithmetic expansion and
the expanded form of the word is checked against it.
If a match is found, the corresponding list is executed.
If the selected list is terminated by the control operator
.Ql ;&
instead of
.Ql ;; ,
execution continues with the next list.
execution continues with the next list,
continuing until a list terminated with
.Ql ;;
or the end of the
.Ic case
command.
The exit code of the
.Ic case
command is the exit code of the last command executed in the list or
@ -1618,15 +1629,15 @@ There are two restrictions on this: first, a pattern cannot match
a string containing a slash, and second,
a pattern cannot match a string starting with a period
unless the first character of the pattern is a period.
The next section describes the patterns used for both
Pathname Expansion and the
The next section describes the patterns used for
Pathname Expansion,
the four varieties of parameter expansion for substring processing and the
.Ic case
command.
.Ss Shell Patterns
A pattern consists of normal characters, which match themselves,
and meta-characters.
The meta-characters are
.Ql \&! ,
.Ql * ,
.Ql \&? ,
and
@ -1656,7 +1667,7 @@ matches a
.Ql \&[
rather than introducing a character class.
A character class matches any of the characters between the square brackets.
A range of characters may be specified using a minus sign.
A locale-dependent range of characters may be specified using a minus sign.
A named class of characters (see
.Xr wctype 3 )
may be specified by surrounding the name with
@ -1669,12 +1680,17 @@ is a shell pattern that matches a single letter.
The character class may be complemented by making an exclamation point
.Pq Ql !\&
the first character of the character class.
A caret
.Pq Ql ^
has the same effect but is non-standard.
.Pp
To include a
.Ql \&]
in a character class, make it the first character listed
(after the
.Ql \&! ,
.Ql \&!
or
.Ql ^ ,
if any).
To include a
.Ql - ,


@ -6,6 +6,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.\" Copyright 2011 by Delphix. All rights reserved.
.TH zfs 1M "24 Sep 2009" "SunOS 5.11" "System Administration Commands"
.SH NAME
zfs \- configures ZFS file systems
@ -389,7 +390,7 @@ This property can also be referred to by its shortened column name, \fBavail\fR.
.ad
.sp .6
.RS 4n
The compression ratio achieved for this dataset, expressed as a multiplier. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR.
For non-snapshots, the compression ratio achieved for the \fBused\fR space of this dataset, expressed as a multiplier. The \fBused\fR property includes descendant datasets, and, for clones, does not include the space shared with the origin snapshot. For snapshots, the \fBcompressratio\fR is the same as the \fBrefcompressratio\fR property. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR.
.RE
.sp
@ -449,6 +450,17 @@ The amount of data that is accessible by this dataset, which may or may not be s
This property can also be referred to by its shortened column name, \fBrefer\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBrefcompressratio\fR\fR
.ad
.sp .6
.RS 4n
The compression ratio achieved for the \fBreferenced\fR space of this dataset, expressed as a multiplier. See also the \fBcompressratio\fR property.
.RE
.sp
.ne 2
.mk
@ -1278,7 +1290,7 @@ Recursively destroy all dependents, including cloned file systems outside the ta
Force an unmount of any file systems using the \fBunmount -f\fR command. This option has no effect on non-file systems or unmounted file systems.
.RE
Extreme care should be taken when applying either the \fB-r\fR or the \fB-f\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use.
Extreme care should be taken when applying either the \fB-r\fR or the \fB-R\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use.
.RE
.sp


@ -21,7 +21,7 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2010 Nexenta Systems, Inc. All rights reserved.
* Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
#include <assert.h>
@ -1292,7 +1292,7 @@ static int
zfs_do_get(int argc, char **argv)
{
zprop_get_cbdata_t cb = { 0 };
int i, c, flags = 0;
int i, c, flags = ZFS_ITER_ARGS_CAN_BE_PATHS;
char *value, *fields;
int ret;
int limit = 0;


@ -22,6 +22,7 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2010 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2011 by Delphix. All rights reserved.
*/
#include <ctype.h>
@ -2038,6 +2039,7 @@ zfs_prop_get(zfs_handle_t *zhp, zfs_prop_t prop, char *propbuf, size_t proplen,
}
break;
case ZFS_PROP_REFRATIO:
case ZFS_PROP_COMPRESSRATIO:
if (get_numeric_property(zhp, prop, src, &source, &val) != 0)
return (-1);


@ -9973,6 +9973,13 @@ do_t_rbit (void)
inst.instruction |= inst.operands[1].reg << 16;
}
static void
do_t_rd_rm (void)
{
inst.instruction |= inst.operands[0].reg << 8;
inst.instruction |= inst.operands[1].reg;
}
static void
do_t_rev (void)
{
@ -14901,6 +14908,9 @@ static const struct asm_opcode insns[] =
TCE(rsb, 0600000, ebc00000, 3, (RR, oRR, SH), arit, t_rsb),
TC3(rsbs, 0700000, ebd00000, 3, (RR, oRR, SH), arit, t_rsb),
TCE(rrx, 1a00060, ea4f0030, 2, (RR, RR), rd_rm, t_rd_rm),
TCE(rrxs, 1b00060, ea5f0030, 2, (RR, RR), rd_rm, t_rd_rm),
#undef THUMB_VARIANT
#define THUMB_VARIANT &arm_ext_v6
TCE(cpy, 1a00000, 4600, 2, (RR, RR), rd_rm, t_cpy),


@ -405,7 +405,18 @@ bpf_filter(pc, p, wirelen, buflen)
continue;
case BPF_JMP|BPF_JA:
#if defined(KERNEL) || defined(_KERNEL)
/*
* No backward jumps allowed.
*/
pc += pc->k;
#else
/*
* XXX - we currently implement "ip6 protochain"
* with backward jumps, so sign-extend pc->k.
*/
pc += (bpf_int32)pc->k;
#endif
continue;
case BPF_JMP|BPF_JGT|BPF_K:
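Review bot: The non-kernel branch `pc += (bpf_int32)pc->k;` makes backward jumps reachable, so a filter program that has not been checked by a validator can loop without bound in userland, while the kernel branch keeps the forward-only guarantee its comment states. The XXX comment should say that consequence explicitly so the `#if` split is not flattened later, e.g. `/* Backward jumps are accepted here only because userland programs are presumed to come from a trusted generator; the kernel path must keep rejecting them. */`. bpf_filter starts before this hunk and its switch continues after it.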


@ -414,7 +414,7 @@ enum gnn_type {
static int getnetnum P((const char *, struct sockaddr_storage *, int,
enum gnn_type));
static void save_resolve P((char *, int, int, int, int, u_int, int,
keyid_t, u_char *));
keyid_t, u_char *, u_char));
static void do_resolve_internal P((void));
static void abort_resolve P((void));
#if !defined(VMS) && !defined(SYS_WINNT)
@ -870,9 +870,9 @@ getconfig(
stoa(&peeraddr));
}
} else if (errflg == -1) {
save_resolve(tokens[1], hmode, peerversion,
save_resolve(tokens[istart - 1], hmode, peerversion,
minpoll, maxpoll, peerflags, ttl,
peerkey, peerkeystr);
peerkey, peerkeystr, peeraddr.ss_family);
}
break;
@ -2325,7 +2325,8 @@ save_resolve(
u_int flags,
int ttl,
keyid_t keyid,
u_char *keystr
u_char *keystr,
u_char peeraf
)
{
#ifndef SYS_VXWORKS
@ -2365,11 +2366,11 @@ save_resolve(
}
#endif
(void)fprintf(res_fp, "%s %d %d %d %d %d %d %u %s\n", name,
(void)fprintf(res_fp, "%s %u %d %d %d %d %d %d %u %s\n", name, peeraf,
mode, version, minpoll, maxpoll, flags, ttl, keyid, keystr);
#ifdef DEBUG
if (debug > 1)
printf("config: %s %d %d %d %d %x %d %u %s\n", name, mode,
printf("config: %s %u %d %d %d %d %x %d %u %s\n", name, peeraf, mode,
version, minpoll, maxpoll, flags, ttl, keyid, keystr);
#endif


@ -29,6 +29,7 @@
#include <stdio.h>
#include <ctype.h>
#include <resolv.h>
#include <signal.h>
/**/
@ -111,15 +112,16 @@ static int resolve_value; /* next value of resolve timer */
* is supposed to consist of entries in the following order
*/
#define TOK_HOSTNAME 0
#define TOK_HMODE 1
#define TOK_VERSION 2
#define TOK_MINPOLL 3
#define TOK_MAXPOLL 4
#define TOK_FLAGS 5
#define TOK_TTL 6
#define TOK_KEYID 7
#define TOK_KEYSTR 8
#define NUMTOK 9
#define TOK_PEERAF 1
#define TOK_HMODE 2
#define TOK_VERSION 3
#define TOK_MINPOLL 4
#define TOK_MAXPOLL 5
#define TOK_FLAGS 6
#define TOK_TTL 7
#define TOK_KEYID 8
#define TOK_KEYSTR 9
#define NUMTOK 10
#define MAXLINESIZE 512
@ -140,7 +142,7 @@ char *req_file; /* name of the file with configuration info */
static void checkparent P((void));
static void removeentry P((struct conf_entry *));
static void addentry P((char *, int, int, int, int, u_int,
int, keyid_t, char *));
int, keyid_t, char *, u_char));
static int findhostaddr P((struct conf_entry *));
static void openntp P((void));
static int request P((struct conf_peer *));
@ -397,7 +399,8 @@ addentry(
u_int flags,
int ttl,
keyid_t keyid,
char *keystr
char *keystr,
u_char peeraf
)
{
register char *cp;
@ -407,7 +410,7 @@ addentry(
#ifdef DEBUG
if (debug > 1)
msyslog(LOG_INFO,
"intres: <%s> %d %d %d %d %x %d %x %s\n", name,
"intres: <%s> %u %d %d %d %d %x %d %x %s\n", name, peeraf,
mode, version, minpoll, maxpoll, flags, ttl, keyid,
keystr);
#endif
@ -422,6 +425,7 @@ addentry(
ce->ce_peeraddr6 = in6addr_any;
#endif
ANYSOCK(&ce->peer_store);
ce->peer_store.ss_family = peeraf; /* Save AF for getaddrinfo hints. */
ce->ce_hmode = (u_char)mode;
ce->ce_version = (u_char)version;
ce->ce_minpoll = (u_char)minpoll;
@ -482,7 +486,8 @@ findhostaddr(
entry->ce_name));
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_family = entry->peer_store.ss_family;
hints.ai_socktype = SOCK_DGRAM;
/*
* If the IPv6 stack is not available look only for IPv4 addresses
*/
@ -1051,6 +1056,13 @@ readconf(
}
}
if (intval[TOK_PEERAF] != AF_UNSPEC && intval[TOK_PEERAF] !=
AF_INET && intval[TOK_PEERAF] != AF_INET6) {
msyslog(LOG_ERR, "invalid peer address family (%u) in "
"file %s", intval[TOK_PEERAF], name);
exit(1);
}
if (intval[TOK_HMODE] != MODE_ACTIVE &&
intval[TOK_HMODE] != MODE_CLIENT &&
intval[TOK_HMODE] != MODE_BROADCAST) {
@ -1107,7 +1119,7 @@ readconf(
addentry(token[TOK_HOSTNAME], (int)intval[TOK_HMODE],
(int)intval[TOK_VERSION], (int)intval[TOK_MINPOLL],
(int)intval[TOK_MAXPOLL], flags, (int)intval[TOK_TTL],
intval[TOK_KEYID], token[TOK_KEYSTR]);
intval[TOK_KEYID], token[TOK_KEYSTR], (u_char)intval[TOK_PEERAF]);
}
}
@ -1129,6 +1141,9 @@ doconfigure(
dores ? "with" : "without" );
#endif
if (dores) /* Reload /etc/resolv.conf - bug 1226 */
res_init();
ce = confentries;
while (ce != NULL) {
#ifdef DEBUG
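Review bot: The `res_init();` added in doconfigure() discards its return value, so a failed reload of /etc/resolv.conf is silent and the lookups that follow run against stale resolver state; where the platform's res_init(3) reports failure through its return, log it: `if (res_init() != 0) msyslog(LOG_ERR, "res_init() failed");`. The family plumbing in the earlier hunks is consistent: readconf() rejects any TOK_PEERAF other than AF_UNSPEC, AF_INET or AF_INET6 before the `(u_char)` cast reaches addentry(), which stores it in `peer_store.ss_family`, and findhostaddr() then hands that value to getaddrinfo as `hints.ai_family`. doconfigure() starts before this hunk and continues after it.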


@ -2716,14 +2716,14 @@ sendpkt(
for (slot = ERRORCACHESIZE; --slot >= 0; )
if(dest->ss_family == AF_INET) {
if (badaddrs[slot].port == ((struct sockaddr_in*)dest)->sin_port &&
if (badaddrs[slot].port == SRCPORT(dest) &&
badaddrs[slot].addr.s_addr == ((struct sockaddr_in*)dest)->sin_addr.s_addr)
break;
}
#ifdef INCLUDE_IPV6_SUPPORT
else if (dest->ss_family == AF_INET6) {
if (badaddrs6[slot].port == ((struct sockaddr_in6*)dest)->sin6_port &&
badaddrs6[slot].addr.s6_addr == ((struct sockaddr_in6*)dest)->sin6_addr.s6_addr)
if (badaddrs6[slot].port == SRCPORT(dest) &&
!memcmp(&badaddrs6[slot].addr, &((struct sockaddr_in6*)dest)->sin6_addr, sizeof(struct in6_addr)))
break;
}
#endif /* INCLUDE_IPV6_SUPPORT */
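Review bot: `!memcmp(...)` in the IPv6 branch is a readability point: the switch to memcmp is the real fix (the old line compared two `s6_addr` arrays, which as array operands compared addresses and so never matched), but `memcmp(...) == 0` states the intent, and the length is safer taken from the operand than from the type if `addr` is a `struct in6_addr`: `!memcmp(&badaddrs6[slot].addr, &((struct sockaddr_in6*)dest)->sin6_addr, sizeof(badaddrs6[slot].addr))` becomes `memcmp(..., sizeof(badaddrs6[slot].addr)) == 0`. sendpkt() starts before this hunk and continues after it.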


@ -1,5 +1,5 @@
.\" $FreeBSD$
.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@ -15,14 +15,16 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd March 28, 2006
.Dd January 6 2009
.Dt AUTHPF 8
.Os
.Sh NAME
.Nm authpf
.Nm authpf ,
.Nm authpf-noip
.Nd authenticating gateway user shell
.Sh SYNOPSIS
.Nm authpf
.Nm authpf-noip
.Sh DESCRIPTION
.Nm
is a user shell for authenticating gateways.
@ -31,47 +33,63 @@ It is used to change
rules when a user authenticates and starts a session with
.Xr sshd 8
and to undo these changes when the user's session exits.
It is designed for changing filter and translation rules for an individual
source IP address as long as a user maintains an active
.Xr ssh 1
session.
Typical use would be for a gateway that authenticates users before
allowing them Internet use, or a gateway that allows different users into
different places.
Combined with properly set up filter rules and secure switches,
.Nm
logs the successful start and end of a session to
.Xr syslogd 8 .
This, combined with properly set up filter rules and secure switches,
can be used to ensure users are held accountable for their network traffic.
.Pp
.Nm
can add filter and translation rules using the syntax described in
.Xr pf.conf 5 .
.Nm
requires that the
.Xr pf 4
system be enabled and a
.Xr fdescfs 5
file system be mounted at
.Pa /dev/fd
before use.
.Nm
can also maintain the list of IP address of connected users
in the "authpf_users"
.Pa table .
.Pp
.Nm
is meant to be used with users who can connect via
It is meant to be used with users who can connect via
.Xr ssh 1
only.
On startup,
only, and requires the
.Xr pf 4
subsystem to be enabled.
.Pp
.Nm authpf-noip
is a user shell
which allows multiple connections to take
place from the same IP address.
It is useful primarily in cases where connections are tunneled via
the gateway system, and can be directly associated with the user name.
It cannot ensure accountability when
classifying connections by IP address;
in this case the client's IP address
is not provided to the packet filter via the
.Ar client_ip
macro or the
.Ar authpf_users
table.
Additionally, states associated with the client IP address
are not purged when the session is ended.
.Pp
To use either
.Nm
or
.Nm authpf-noip ,
the user's shell needs to be set to
.Pa /usr/sbin/authpf
or
.Pa /usr/sbin/authpf-noip .
.Pp
.Nm
uses the
.Xr pf.conf 5
syntax to change filter and translation rules for an individual
user or client IP address as long as a user maintains an active
.Xr ssh 1
session, and logs the successful start and end of a session to
.Xr syslogd 8 .
.Nm
retrieves the client's connecting IP address via the
.Ev SSH_CLIENT
environment variable and, after performing additional access checks,
reads a template file to determine what filter and translation rules
(if any) to add.
On session exit the same rules that were added at startup are removed.
(if any) to add, and
maintains the list of IP addresses of connected users in the
.Ar authpf_users
table.
On session exit the same rules and table entries that were added at startup
are removed, and all states associated with the client's IP address are purged.
.Pp
Each
.Nm
@ -185,6 +203,9 @@ It is also possible to configure
to only allow specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
A group of users can also be indicated by prepending "%" to the group name,
and all members of a login class can be indicated by prepending "@" to the
login class name.
If "*" is found on a line, then all usernames match.
If
.Nm
@ -297,7 +318,8 @@ They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
which lists their login ids, one per line.
which lists their login ids, group prepended with "%", or login class
prepended with "@", one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.
@ -501,6 +523,31 @@ table <authpf_users> persist
anchor "authpf/*" from <authpf_users>
rdr-anchor "authpf/*" from <authpf_users>
.Ed
.Pp
.Sy Tunneled users
\- normally
.Nm
allows only one session per client IP address.
However in some cases, such as when connections are tunneled via
.Xr ssh 1
or
.Xr ipsec 4 ,
the connections can be authorized based on the userid of the user instead of
the client IP address.
In this case it is appropriate to use
.Nm authpf-noip
to allow multiple users behind a NAT gateway to connect.
In the
.Pa /etc/authpf/authpf.rules
example below, the remote user could tunnel a remote desktop session to their
workstation:
.Bd -literal
internal_if="bge0"
workstation_ip="10.2.3.4"
pass out on $internal_if from (self) to $workstation_ip port 3389 \e
user $user_id
.Ed
.Sh FILES
.Bl -tag -width "/etc/authpf/authpf.conf" -compact
.It Pa /etc/authpf/authpf.conf
@ -512,7 +559,6 @@ rdr-anchor "authpf/*" from <authpf_users>
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr fdescfs 5 ,
.Xr securelevel 7 ,
.Xr ftp-proxy 8
.Sh HISTORY


@ -1,4 +1,4 @@
/* $OpenBSD: authpf.c,v 1.104 2007/02/24 17:35:08 beck Exp $ */
/* $OpenBSD: authpf.c,v 1.112 2009/01/10 19:08:53 miod Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@ -19,7 +19,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
#endif
#include <login_cap.h>
#include <pwd.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@ -48,10 +49,11 @@ __FBSDID("$FreeBSD$");
#include "pathnames.h"
static int read_config(FILE *);
static void print_message(char *);
static int allowed_luser(char *);
static int check_luser(char *, char *);
static void print_message(const char *);
static int allowed_luser(struct passwd *);
static int check_luser(const char *, char *);
static int remove_stale_rulesets(void);
static int recursive_ruleset_purge(char *, char *);
static int change_filter(int, const char *, const char *);
static int change_table(int, const char *);
static void authpf_kill_states(void);
@ -60,8 +62,10 @@ int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
int pidfd = -1;
char luser[MAXLOGNAME]; /* username */
char ipsrc[256]; /* ip as a string */
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@ -75,6 +79,7 @@ static __dead2 void do_death(int);
#else
static __dead void do_death(int);
#endif
extern char *__progname; /* program name */
/*
* User shell for authenticating gateways. Sole purpose is to allow
@ -83,21 +88,24 @@ static __dead void do_death(int);
* up. Meant to be used only from ssh(1) connections.
*/
int
main(int argc, char *argv[])
main(void)
{
int lockcnt = 0, n, pidfd;
int lockcnt = 0, n;
FILE *config;
struct in6_addr ina;
struct passwd *pw;
char *cp;
gid_t gid;
uid_t uid;
char *shell;
const char *shell;
login_cap_t *lc;
if (strcmp(__progname, "-authpf-noip") == 0)
user_ip = 0;
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
exit(1);
}
@ -142,23 +150,34 @@ main(int argc, char *argv[])
}
if ((lc = login_getclass(pw->pw_class)) != NULL)
shell = (char *)login_getcapstr(lc, "shell", pw->pw_shell,
shell = login_getcapstr(lc, "shell", pw->pw_shell,
pw->pw_shell);
else
shell = pw->pw_shell;
#ifndef __FreeBSD__
login_close(lc);
#endif
if (strcmp(shell, PATH_AUTHPF_SHELL)) {
if (strcmp(shell, PATH_AUTHPF_SHELL) &&
strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
syslog(LOG_ERR, "wrong shell for user %s, uid %u",
pw->pw_name, pw->pw_uid);
#ifdef __FreeBSD__
login_close(lc);
#else
if (shell != pw->pw_shell)
free(shell);
#endif
goto die;
}
#ifdef __FreeBSD__
login_close(lc);
#else
if (shell != pw->pw_shell)
free(shell);
#endif
/*
* Paranoia, but this data _does_ come from outside authpf, and
@ -181,13 +200,22 @@ main(int argc, char *argv[])
}
/* Make our entry in /var/authpf as /var/authpf/ipaddr */
n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
/* Make our entry in /var/authpf as ipaddr or username */
n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
PATH_PIDFILE, user_ip ? ipsrc : luser);
if (n < 0 || (u_int)n >= sizeof(pidfile)) {
syslog(LOG_ERR, "path to pidfile too long");
goto die;
}
signal(SIGTERM, need_death);
signal(SIGINT, need_death);
signal(SIGALRM, need_death);
signal(SIGPIPE, need_death);
signal(SIGHUP, need_death);
signal(SIGQUIT, need_death);
signal(SIGTSTP, need_death);
/*
* If someone else is already using this ip, then this person
* wants to switch users - so kill the old process and exit
@ -241,15 +269,17 @@ main(int argc, char *argv[])
}
/*
* we try to kill the previous process and acquire the lock
* We try to kill the previous process and acquire the lock
* for 10 seconds, trying once a second. if we can't after
* 10 attempts we log an error and give up
* 10 attempts we log an error and give up.
*/
if (++lockcnt > 10) {
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
otherpid);
if (want_death || ++lockcnt > 10) {
if (!want_death)
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
otherpid);
fclose(pidfp);
pidfp = NULL;
pidfd = -1;
goto dogdeath;
}
sleep(1);
@ -260,6 +290,7 @@ main(int argc, char *argv[])
*/
fclose(pidfp);
pidfp = NULL;
pidfd = -1;
} while (1);
/* whack the group list */
@ -277,7 +308,7 @@ main(int argc, char *argv[])
}
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
}
@ -302,19 +333,12 @@ main(int argc, char *argv[])
printf("Unable to modify filters\r\n");
do_death(0);
}
if (change_table(1, ipsrc) == -1) {
if (user_ip && change_table(1, ipsrc) == -1) {
printf("Unable to modify table\r\n");
change_filter(0, luser, ipsrc);
do_death(0);
}
signal(SIGTERM, need_death);
signal(SIGINT, need_death);
signal(SIGALRM, need_death);
signal(SIGPIPE, need_death);
signal(SIGHUP, need_death);
signal(SIGQUIT, need_death);
signal(SIGTSTP, need_death);
while (1) {
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@ -337,8 +361,6 @@ main(int argc, char *argv[])
sleep(180); /* them lusers read reaaaaal slow */
die:
do_death(0);
/* NOTREACHED */
}
/*
@ -361,6 +383,8 @@ read_config(FILE *f)
}
i++;
len = strlen(buf);
if (len == 0)
continue;
if (buf[len - 1] != '\n' && !feof(f)) {
syslog(LOG_ERR, "line %d too long in %s", i,
PATH_CONFFILE);
@ -413,7 +437,7 @@ read_config(FILE *f)
* they've been bad or we're unavailable.
*/
static void
print_message(char *filename)
print_message(const char *filename)
{
char buf[1024];
FILE *f;
@ -436,6 +460,7 @@ print_message(char *filename)
* allowed_luser checks to see if user "luser" is allowed to
* use this gateway by virtue of being listed in an allowed
* users file, namely /etc/authpf/authpf.allow .
* Users may be listed by <username>, %<group>, or @<login_class>.
*
* If /etc/authpf/authpf.allow does not exist, then we assume that
* all users who are allowed in by sshd(8) are permitted to
@ -444,9 +469,9 @@ print_message(char *filename)
* the session terminates in the same manner as being banned.
*/
static int
allowed_luser(char *luser)
allowed_luser(struct passwd *pw)
{
char *buf, *lbuf;
char *buf,*lbuf;
int matched;
size_t len;
FILE *f;
@ -476,8 +501,14 @@ allowed_luser(char *luser)
* "public" gateway, such as it is, so let
* everyone use it.
*/
int gl_init = 0, ngroups = NGROUPS + 1;
gid_t groups[NGROUPS + 1];
lbuf = NULL;
matched = 0;
while ((buf = fgetln(f, &len))) {
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
else {
@ -488,7 +519,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
if (buf[0] == '@') {
/* check login class */
if (strcmp(pw->pw_class, buf + 1) == 0)
matched++;
} else if (buf[0] == '%') {
/* check group membership */
int cnt;
struct group *group;
if ((group = getgrnam(buf + 1)) == NULL) {
syslog(LOG_ERR,
"invalid group '%s' in %s (%s)",
buf + 1, PATH_ALLOWFILE,
strerror(errno));
return (0);
}
if (!gl_init) {
(void) getgrouplist(pw->pw_name,
pw->pw_gid, groups, &ngroups);
gl_init++;
}
for ( cnt = 0; cnt < ngroups; cnt++) {
if (group->gr_gid == groups[cnt]) {
matched++;
break;
}
}
} else {
/* check username and wildcard */
matched = strcmp(pw->pw_name, buf) == 0 ||
strcmp("*", buf) == 0;
}
if (lbuf != NULL) {
free(lbuf);
@ -496,13 +560,13 @@ allowed_luser(char *luser)
}
if (matched)
return (1); /* matched an allowed username */
return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
luser, PATH_ALLOWFILE);
pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
buf = "\n\nSorry, you are not allowed to use this facility!\n";
sprintf(buf, "%s", "\n\nSorry, you are not allowed to use this facility!\n");
fputs(buf, stdout);
}
fflush(stdout);
@ -520,13 +584,13 @@ allowed_luser(char *luser)
* going to be un-banned.)
*/
static int
check_luser(char *luserdir, char *luser)
check_luser(const char *luserdir, char *l_user)
{
FILE *f;
int n;
char tmp[MAXPATHLEN];
n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser);
n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, l_user);
if (n < 0 || (u_int)n >= sizeof(tmp)) {
syslog(LOG_ERR, "provided banned directory line too long (%s)",
luserdir);
@ -555,7 +619,7 @@ check_luser(char *luserdir, char *luser)
* tell what they can do and where they can go.
*/
syslog(LOG_INFO, "denied access to %s: %s exists",
luser, tmp);
l_user, tmp);
/* reuse tmp */
strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n",
@ -581,7 +645,7 @@ static int
remove_stale_rulesets(void)
{
struct pfioc_ruleset prs;
u_int32_t nr, mnr;
u_int32_t nr;
memset(&prs, 0, sizeof(prs));
strlcpy(prs.path, anchorname, sizeof(prs.path));
@ -592,13 +656,12 @@ remove_stale_rulesets(void)
return (1);
}
mnr = prs.nr;
nr = 0;
while (nr < mnr) {
nr = prs.nr;
while (nr) {
char *s, *t;
pid_t pid;
prs.nr = nr;
prs.nr = nr - 1;
if (ioctl(dev, DIOCGETRULESET, &prs))
return (1);
errno = 0;
@ -610,119 +673,159 @@ remove_stale_rulesets(void)
if (!prs.name[0] || errno ||
(*s && (t == prs.name || *s != ')')))
return (1);
if (kill(pid, 0) && errno != EPERM) {
int i;
struct pfioc_trans_e t_e[PF_RULESET_MAX+1];
struct pfioc_trans t;
bzero(&t, sizeof(t));
bzero(t_e, sizeof(t_e));
t.size = PF_RULESET_MAX+1;
t.esize = sizeof(t_e[0]);
t.array = t_e;
for (i = 0; i < PF_RULESET_MAX+1; ++i) {
t_e[i].rs_num = i;
snprintf(t_e[i].anchor, sizeof(t_e[i].anchor),
"%s/%s", anchorname, prs.name);
}
t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
if ((ioctl(dev, DIOCXBEGIN, &t) ||
ioctl(dev, DIOCXCOMMIT, &t)) &&
errno != EINVAL)
if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) {
if (recursive_ruleset_purge(anchorname, prs.name))
return (1);
mnr--;
} else
nr++;
}
nr--;
}
return (0);
}
static int
recursive_ruleset_purge(char *an, char *rs)
{
struct pfioc_trans_e *t_e = NULL;
struct pfioc_trans *t = NULL;
struct pfioc_ruleset *prs = NULL;
int i;
/* purge rules */
errno = 0;
if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL)
goto no_mem;
if ((t_e = calloc(PF_RULESET_MAX+1,
sizeof(struct pfioc_trans_e))) == NULL)
goto no_mem;
t->size = PF_RULESET_MAX+1;
t->esize = sizeof(struct pfioc_trans_e);
t->array = t_e;
for (i = 0; i < PF_RULESET_MAX+1; ++i) {
t_e[i].rs_num = i;
snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs);
}
t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
if ((ioctl(dev, DIOCXBEGIN, t) ||
ioctl(dev, DIOCXCOMMIT, t)) &&
errno != EINVAL)
goto cleanup;
/* purge any children */
if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL)
goto no_mem;
snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
if (ioctl(dev, DIOCGETRULESETS, prs)) {
if (errno != EINVAL)
goto cleanup;
errno = 0;
} else {
int nr = prs->nr;
while (nr) {
prs->nr = 0;
if (ioctl(dev, DIOCGETRULESET, prs))
goto cleanup;
if (recursive_ruleset_purge(prs->path, prs->name))
goto cleanup;
nr--;
}
}
no_mem:
if (errno == ENOMEM)
syslog(LOG_ERR, "calloc failed");
cleanup:
free(t);
free(t_e);
free(prs);
return (errno);
}
/*
* Add/remove filter entries for user "luser" from ip "ipsrc"
*/
static int
change_filter(int add, const char *luser, const char *ipsrc)
change_filter(int add, const char *l_user, const char *ip_src)
{
char *pargv[13] = {
"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
"-D", "user_ip=X", "-D", "user_id=X", "-f",
"file", NULL
};
char *fdpath = NULL, *userstr = NULL, *ipstr = NULL;
char *rsn = NULL, *fn = NULL;
pid_t pid;
gid_t gid;
int s;
if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
syslog(LOG_ERR, "invalid luser/ipsrc");
goto error;
}
if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
goto no_mem;
if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
goto no_mem;
if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
goto no_mem;
if (asprintf(&userstr, "user_id=%s", luser) == -1)
goto no_mem;
if (add) {
struct stat sb;
char *pargv[13] = {
"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
};
if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser)
== -1)
if (l_user == NULL || !l_user[0] || ip_src == NULL || !ip_src[0]) {
syslog(LOG_ERR, "invalid luser/ipsrc");
goto error;
}
if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
goto no_mem;
if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
goto no_mem;
if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1)
goto no_mem;
if (asprintf(&userstr, "user_id=%s", l_user) == -1)
goto no_mem;
if (asprintf(&fn, "%s/%s/authpf.rules",
PATH_USER_DIR, l_user) == -1)
goto no_mem;
if (stat(fn, &sb) == -1) {
free(fn);
if ((fn = strdup(PATH_PFRULES)) == NULL)
goto no_mem;
}
}
pargv[2] = fdpath;
pargv[5] = rsn;
pargv[7] = userstr;
pargv[9] = ipstr;
if (!add)
pargv[11] = "/dev/null";
else
pargv[11] = fn;
switch (pid = fork()) {
case -1:
syslog(LOG_ERR, "fork failed");
goto error;
case 0:
/* revoke group privs before exec */
gid = getgid();
if (setregid(gid, gid) == -1) {
err(1, "setregid");
pargv[2] = fdpath;
pargv[5] = rsn;
pargv[7] = userstr;
if (user_ip) {
pargv[9] = ipstr;
pargv[11] = fn;
} else {
pargv[8] = "-f";
pargv[9] = fn;
pargv[10] = NULL;
}
execvp(PATH_PFCTL, pargv);
warn("exec of %s failed", PATH_PFCTL);
_exit(1);
}
/* parent */
waitpid(pid, &s, 0);
if (s != 0) {
syslog(LOG_ERR, "pfctl exited abnormally");
goto error;
}
switch (pid = fork()) {
case -1:
syslog(LOG_ERR, "fork failed");
goto error;
case 0:
/* revoke group privs before exec */
gid = getgid();
if (setregid(gid, gid) == -1) {
err(1, "setregid");
}
execvp(PATH_PFCTL, pargv);
warn("exec of %s failed", PATH_PFCTL);
_exit(1);
}
/* parent */
waitpid(pid, &s, 0);
if (s != 0) {
syslog(LOG_ERR, "pfctl exited abnormally");
goto error;
}
if (add) {
gettimeofday(&Tstart, NULL);
syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
syslog(LOG_INFO, "allowing %s, user %s", ip_src, l_user);
} else {
remove_stale_rulesets();
gettimeofday(&Tend, NULL);
#ifdef __FreeBSD__
syslog(LOG_INFO, "removed %s, user %s - duration %jd seconds",
ipsrc, luser, (intmax_t)(Tend.tv_sec - Tstart.tv_sec));
#else
syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds",
ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
#endif
syslog(LOG_INFO, "removed %s, user %s - duration %ju seconds",
ip_src, l_user, (uintmax_t)(Tend.tv_sec - Tstart.tv_sec));
}
return (0);
no_mem:
@ -740,7 +843,7 @@ change_filter(int add, const char *luser, const char *ipsrc)
* Add/remove this IP from the "authpf_users" table.
*/
static int
change_table(int add, const char *ipsrc)
change_table(int add, const char *ip_src)
{
struct pfioc_table io;
struct pfr_addr addr;
@ -753,12 +856,12 @@ change_table(int add, const char *ipsrc)
io.pfrio_size = 1;
bzero(&addr, sizeof(addr));
if (ipsrc == NULL || !ipsrc[0])
if (ip_src == NULL || !ip_src[0])
return (-1);
if (inet_pton(AF_INET, ipsrc, &addr.pfra_ip4addr) == 1) {
if (inet_pton(AF_INET, ip_src, &addr.pfra_ip4addr) == 1) {
addr.pfra_af = AF_INET;
addr.pfra_net = 32;
} else if (inet_pton(AF_INET6, ipsrc, &addr.pfra_ip6addr) == 1) {
} else if (inet_pton(AF_INET6, ip_src, &addr.pfra_ip6addr) == 1) {
addr.pfra_af = AF_INET6;
addr.pfra_net = 128;
} else {
@ -769,7 +872,7 @@ change_table(int add, const char *ipsrc)
if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) &&
errno != ESRCH) {
syslog(LOG_ERR, "cannot %s %s from table %s: %s",
add ? "add" : "remove", ipsrc, tablename,
add ? "add" : "remove", ip_src, tablename,
strerror(errno));
return (-1);
}
@ -821,7 +924,7 @@ authpf_kill_states(void)
/* signal handler that makes us go away properly */
static void
need_death(int signo)
need_death(int signo __unused)
{
want_death = 1;
}
@ -840,11 +943,12 @@ do_death(int active)
if (active) {
change_filter(0, luser, ipsrc);
change_table(0, ipsrc);
authpf_kill_states();
remove_stale_rulesets();
if (user_ip) {
change_table(0, ipsrc);
authpf_kill_states();
}
}
if (pidfile[0] && (pidfp != NULL))
if (pidfile[0] && pidfd != -1)
if (unlink(pidfile) == -1)
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);


@ -1,4 +1,4 @@
/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@ -35,4 +35,5 @@
#define PATH_DEVFILE "/dev/pf"
#define PATH_PIDFILE "/var/authpf"
#define PATH_AUTHPF_SHELL "/usr/sbin/authpf"
#define PATH_AUTHPF_SHELL_NOIP "/usr/sbin/authpf-noip"
#define PATH_PFCTL "/sbin/pfctl"


@ -1,4 +1,4 @@
/* $OpenBSD: filter.c,v 1.5 2006/12/01 07:31:21 camield Exp $ */
/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -53,7 +53,7 @@ static struct pfioc_rule pfr;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
static char *qname;
static const char *qname, *tagname;
int
add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
@ -159,11 +159,12 @@ do_rollback(void)
}
void
init_filter(char *opt_qname, int opt_verbose)
init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose)
{
struct pf_status status;
qname = opt_qname;
tagname = opt_tagname;
if (opt_verbose == 1)
rule_log = PF_LOG;
@ -172,7 +173,7 @@ init_filter(char *opt_qname, int opt_verbose)
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "/dev/pf");
err(1, "open /dev/pf");
if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
err(1, "DIOCGETSTATUS");
if (!status.running)
@ -280,9 +281,9 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
switch (rs_num) {
case PF_RULESET_FILTER:
/*
* pass quick [log] inet[6] proto tcp \
* pass [quick] [log] inet[6] proto tcp \
* from $src to $dst port = $d_port flags S/SA keep state
* (max 1) [queue qname]
* (max 1) [queue qname] [tag tagname]
*/
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
@ -293,6 +294,11 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
pfr.rule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
if (tagname != NULL) {
pfr.rule.quick = 0;
strlcpy(pfr.rule.tagname, tagname,
sizeof pfr.rule.tagname);
}
break;
case PF_RULESET_NAT:
/*
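Review bot: The new copy `strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);` in prepare_rule truncates silently, and the only length check visible for the tag is in the ftp-proxy.c option parser (`strlen(optarg) >= PF_TAG_NAME_SIZE`), while init_filter is the exported entry point declared in filter.h and accepts any string. Because a tagged rule is deliberately made non-quick here, a truncated tag would match a different `tagged` rule in the rules following the anchor than the operator configured. Consider rejecting over-long names where they enter the module, e.g. `if (strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname) >= sizeof pfr.rule.tagname) return (-1);` or an equivalent check in init_filter. prepare_rule starts and ends outside the hunk, so the error convention it uses for the return cannot be confirmed from here.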


@ -1,4 +1,4 @@
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -26,6 +26,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
struct sockaddr *, u_int16_t);
int do_commit(void);
int do_rollback(void);
void init_filter(char *, int);
void init_filter(const char *, const char *, int);
int prepare_commit(u_int32_t);
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);


@ -1,4 +1,4 @@
.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $
.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
@ -16,14 +16,15 @@
.\"
.\" $FreeBSD$
.\"
.Dd November 28, 2004
.Dd February 26, 2008
.Dt FTP-PROXY 8
.Os
.Sh NAME
.Nm ftp-proxy
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm ftp-proxy
.Nm
.Bk -words
.Op Fl 6Adrv
.Op Fl a Ar address
.Op Fl b Ar address
@ -33,7 +34,9 @@
.Op Fl p Ar port
.Op Fl q Ar queue
.Op Fl R Ar address
.Op Fl T Ar tag
.Op Fl t Ar timeout
.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
@ -58,7 +61,7 @@ facility for this.
Assuming the FTP control connection is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated, then
.Nm ftp-proxy
.Nm
adds the following rules to the various anchors.
(These example rules use inet, but the proxy also supports inet6.)
.Pp
@ -130,6 +133,20 @@ connections to another proxy.
.It Fl r
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
on this RFC property.
.It Fl T Ar tag
The filter rules will add tag
.Ar tag
to data connections, and not match quick.
This way alternative rules that use the
.Ar tagged
keyword can be implemented following the
.Nm
anchor.
These rules can use special
.Xr pf 4
features like route-to, reply-to, label, rtable, overload, etc. that
.Nm
does not implement itself.
.It Fl t Ar timeout
Number of seconds that the control connection can be idle, before the
proxy will disconnect.
@ -172,7 +189,7 @@ does not allow the ruleset to be modified if the system is running at a
.Xr securelevel 7
higher than 1.
At that level
.Nm ftp-proxy
.Nm
cannot add rules to the anchors and FTP data connections may get blocked.
.Pp
Negotiated data connection ports below 1024 are not allowed.
@ -181,5 +198,5 @@ The negotiated IP address for active modes is ignored for security
reasons.
This makes third party file transfers impossible.
.Pp
.Nm ftp-proxy
.Nm
chroots to "/var/empty" and changes to user "proxy" to drop privileges.


@ -1,4 +1,4 @@
/* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */
/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -61,6 +61,14 @@ __FBSDID("$FreeBSD$");
#define PF_NAT_PROXY_PORT_LOW 50001
#define PF_NAT_PROXY_PORT_HIGH 65535
#ifndef LIST_END
#define LIST_END(a) NULL
#endif
#ifndef getrtable
#define getrtable(a) 0
#endif
#define sstosa(ss) ((struct sockaddr *)(ss))
enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
@ -94,7 +102,7 @@ int client_parse_cmd(struct session *s);
void client_read(struct bufferevent *, void *);
int drop_privs(void);
void end_session(struct session *);
int exit_daemon(void);
void exit_daemon(void);
int getline(char *, size_t *);
void handle_connection(const int, short, void *);
void handle_signal(int, short, void *);
@ -105,6 +113,7 @@ u_int16_t pick_proxy_port(void);
void proxy_reply(int, struct sockaddr *, u_int16_t);
void server_error(struct bufferevent *, short, void *);
int server_parse(struct session *s);
int allow_data_connection(struct session *s);
void server_read(struct bufferevent *, void *);
const char *sock_ntop(struct sockaddr *);
void usage(void);
@ -115,14 +124,14 @@ size_t linelen;
char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
*qname;
const char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
*qname, *tagname;
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
rfc_mode, session_count, timeout, verbose;
extern char *__progname;
void
client_error(struct bufferevent *bufev, short what, void *arg)
client_error(struct bufferevent *bufev __unused, short what, void *arg)
{
struct session *s = arg;
@ -152,8 +161,19 @@ client_parse(struct session *s)
return (1);
if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
linebuf[0] == 'E' || linebuf[0] == 'e')
return (client_parse_cmd(s));
linebuf[0] == 'E' || linebuf[0] == 'e') {
if (!client_parse_cmd(s))
return (0);
/*
* Allow active mode connections immediately, instead of
* waiting for a positive reply from the server. Some
* rare servers/proxies try to probe or setup the data
* connection before an actual transfer request.
*/
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT)
return (allow_data_connection(s));
}
if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
return (client_parse_anon(s));
@ -220,14 +240,14 @@ void
client_read(struct bufferevent *bufev, void *arg)
{
struct session *s = arg;
size_t buf_avail, read;
size_t buf_avail, clientread;
int n;
do {
buf_avail = sizeof s->cbuf - s->cbuf_valid;
read = bufferevent_read(bufev, s->cbuf + s->cbuf_valid,
clientread = bufferevent_read(bufev, s->cbuf + s->cbuf_valid,
buf_avail);
s->cbuf_valid += read;
s->cbuf_valid += clientread;
while ((n = getline(s->cbuf, &s->cbuf_valid)) > 0) {
logmsg(LOG_DEBUG, "#%d client: %s", s->id, linebuf);
@ -244,7 +264,7 @@ client_read(struct bufferevent *bufev, void *arg)
end_session(s);
return;
}
} while (read == buf_avail);
} while (clientread == buf_avail);
}
int
@ -269,10 +289,16 @@ drop_privs(void)
void
end_session(struct session *s)
{
int err;
int serr;
logmsg(LOG_INFO, "#%d ending session", s->id);
/* Flush output buffers. */
if (s->client_bufev && s->client_fd != -1)
evbuffer_write(s->client_bufev->output, s->client_fd);
if (s->server_bufev && s->server_fd != -1)
evbuffer_write(s->server_bufev->output, s->server_fd);
if (s->client_fd != -1)
close(s->client_fd);
if (s->server_fd != -1)
@ -284,33 +310,29 @@ end_session(struct session *s)
bufferevent_free(s->server_bufev);
/* Remove rulesets by commiting empty ones. */
err = 0;
serr = 0;
if (prepare_commit(s->id) == -1)
err = errno;
serr = errno;
else if (do_commit() == -1) {
err = errno;
serr = errno;
do_rollback();
}
if (err)
if (serr)
logmsg(LOG_ERR, "#%d pf rule removal failed: %s", s->id,
strerror(err));
strerror(serr));
LIST_REMOVE(s, entry);
free(s);
session_count--;
}
int
void
exit_daemon(void)
{
struct session *s, *next;
#ifdef __FreeBSD__
LIST_FOREACH_SAFE(s, &sessions, entry, next) {
#else
for (s = LIST_FIRST(&sessions); s != LIST_END(&sessions); s = next) {
next = LIST_NEXT(s, entry);
#endif
end_session(s);
}
@ -318,9 +340,6 @@ exit_daemon(void)
closelog();
exit(0);
/* NOTREACHED */
return (-1);
}
int
@ -361,7 +380,7 @@ getline(char *buf, size_t *valid)
}
void
handle_connection(const int listen_fd, short event, void *ev)
handle_connection(const int listen_fd, short event __unused, void *ev __unused)
{
struct sockaddr_storage tmp_ss;
struct sockaddr *client_sa, *server_sa, *fixed_server_sa;
@ -508,13 +527,13 @@ handle_connection(const int listen_fd, short event, void *ev)
}
void
handle_signal(int sig, short event, void *arg)
handle_signal(int sig, short event __unused, void *arg __unused)
{
/*
* Signal handler rules don't apply, libevent decouples for us.
*/
logmsg(LOG_ERR, "%s exiting on signal %d", __progname, sig);
logmsg(LOG_ERR, "exiting on signal %d", sig);
exit_daemon();
}
@ -567,10 +586,7 @@ logmsg(int pri, const char *message, ...)
/* We don't care about truncation. */
vsnprintf(buf, sizeof buf, message, ap);
#ifdef __FreeBSD__
/* XXX: strnvis might be nice to have */
strvisx(visbuf, buf,
MIN((sizeof(visbuf) / 4) - 1, strlen(buf)),
VIS_CSTYLE | VIS_NL);
strvis(visbuf, buf, VIS_CSTYLE | VIS_NL);
#else
strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL);
#endif
@ -602,6 +618,7 @@ main(int argc, char *argv[])
max_sessions = 100;
qname = NULL;
rfc_mode = 0;
tagname = NULL;
timeout = 24 * 3600;
verbose = 0;
@ -609,7 +626,7 @@ main(int argc, char *argv[])
id_count = 1;
session_count = 0;
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
switch (ch) {
case '6':
ipv6_mode = 1;
@ -654,6 +671,11 @@ main(int argc, char *argv[])
case 'r':
rfc_mode = 1;
break;
case 'T':
if (strlen(optarg) >= PF_TAG_NAME_SIZE)
errx(1, "tagname too long");
tagname = optarg;
break;
case 't':
timeout = strtonum(optarg, 0, 86400, &errstr);
if (errstr)
@ -734,7 +756,7 @@ main(int argc, char *argv[])
freeaddrinfo(res);
/* Initialize pf. */
init_filter(qname, verbose);
init_filter(qname, tagname, verbose);
if (daemonize) {
if (daemon(0, 0) == -1)
@ -830,14 +852,15 @@ u_int16_t
pick_proxy_port(void)
{
/* Random should be good enough for avoiding port collisions. */
return (IPPORT_HIFIRSTAUTO + (arc4random() %
(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO)));
return (IPPORT_HIFIRSTAUTO +
arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO));
}
void
proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port)
{
int i, r;
u_int i;
int r = 0;
switch (cmd) {
case CMD_PORT:
@ -864,7 +887,7 @@ proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port)
break;
}
if (r < 0 || r >= sizeof linebuf) {
if (r < 0 || ((u_int)r) >= sizeof linebuf) {
logmsg(LOG_ERR, "proxy_reply failed: %d", r);
linebuf[0] = '\0';
linelen = 0;
@ -881,7 +904,7 @@ proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port)
}
void
server_error(struct bufferevent *bufev, short what, void *arg)
server_error(struct bufferevent *bufev __unused, short what, void *arg)
{
struct session *s = arg;
@ -902,12 +925,26 @@ server_error(struct bufferevent *bufev, short what, void *arg)
int
server_parse(struct session *s)
{
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
int prepared = 0;
if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
goto out;
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0))
return (allow_data_connection(s));
out:
s->cmd = CMD_NONE;
s->port = 0;
return (1);
}
int
allow_data_connection(struct session *s)
{
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
int prepared = 0;
/*
* The pf rules below do quite some NAT rewriting, to keep up
* appearances. Points to keep in mind:
@ -932,8 +969,7 @@ server_parse(struct session *s)
orig_sa = sstosa(&s->server_ss);
/* Passive modes. */
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) {
if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) {
s->port = parse_port(s->cmd);
if (s->port < MIN_PORT) {
logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
@ -974,8 +1010,7 @@ server_parse(struct session *s)
}
/* Active modes. */
if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) &&
strncmp("200 ", linebuf, 4) == 0) {
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
logmsg(LOG_INFO, "#%d active: server to client port %d"
" via port %d", s->id, s->port, s->proxy_port);
@ -1025,7 +1060,6 @@ server_parse(struct session *s)
goto fail;
}
out:
s->cmd = CMD_NONE;
s->port = 0;
@ -1042,16 +1076,16 @@ void
server_read(struct bufferevent *bufev, void *arg)
{
struct session *s = arg;
size_t buf_avail, read;
size_t buf_avail, srvread;
int n;
bufferevent_settimeout(bufev, timeout, 0);
do {
buf_avail = sizeof s->sbuf - s->sbuf_valid;
read = bufferevent_read(bufev, s->sbuf + s->sbuf_valid,
srvread = bufferevent_read(bufev, s->sbuf + s->sbuf_valid,
buf_avail);
s->sbuf_valid += read;
s->sbuf_valid += srvread;
while ((n = getline(s->sbuf, &s->sbuf_valid)) > 0) {
logmsg(LOG_DEBUG, "#%d server: %s", s->id, linebuf);
@ -1068,7 +1102,7 @@ server_read(struct bufferevent *bufev, void *arg)
end_session(s);
return;
}
} while (read == buf_avail);
} while (srvread == buf_avail);
}
const char *
@ -1102,6 +1136,7 @@ usage(void)
{
fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
" [-D level] [-m maxsessions]\n [-P port]"
" [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
" [-p port] [-q queue] [-R address] [-T tag]\n"
" [-t timeout]\n", __progname);
exit(1);
}
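Review bot: Replacing the bounded `strvisx(visbuf, buf, MIN((sizeof(visbuf) / 4) - 1, strlen(buf)), ...)` with the unbounded `strvis(visbuf, buf, VIS_CSTYLE | VIS_NL);` in logmsg removes the only length guard on the destination buffer: strvis can emit up to four output bytes per input byte plus a terminator, so visbuf has to hold at least 4 * sizeof buf + 1 bytes. The declarations of buf and visbuf sit above the hunk, so this cannot be confirmed here; if visbuf is not sized that way, a long message built from client or server input (the `"#%d client: %s"` / `"#%d server: %s"` debug lines) would overrun it. Either keep the bounded strvisx form, or document the size relationship at the declaration with a comment such as `/* visbuf must hold 4 * sizeof buf + 1 bytes: strvis is unbounded */` and size it accordingly. logmsg starts outside the hunk.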


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $
.\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd February 7, 2005
.Dd September 10 2008
.Dt PF 4
.Os
.Sh NAME
@ -294,14 +294,17 @@ if another process is concurrently updating a ruleset.
Add a state entry.
.Bd -literal
struct pfioc_state {
u_int32_t nr;
struct pf_state state;
struct pfsync_state state;
};
.Ed
.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
Extract the entry with the specified number
.Va nr
from the state table.
Extract the entry identified by the
.Va id
and
.Va creatorid
fields of the
.Va state
structure from the state table.
.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
Remove matching entries from the state table.
This ioctl returns the number of killed states in
@ -1049,12 +1052,14 @@ internal interface description.
The filtering process is the same as for
.Dv DIOCIGETIFACES .
.Bd -literal
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
.Ed
.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
Works as
.Dv DIOCSETIFFLAG
above but clears the flags.
.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
Explicitly remove source tracking nodes.
.El
.Sh FILES
.Bl -tag -width /dev/pf -compact
@ -1133,6 +1138,7 @@ main(int argc, char *argv[])
.Xr altq 4 ,
.Xr if_bridge 4 ,
.Xr pflog 4 ,
.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr pfctl 8 ,
.Xr altq 9


@ -1,5 +1,5 @@
.\" $FreeBSD$
.\" $OpenBSD: pf.conf.5,v 1.393 2008/02/11 07:46:32 jmc Exp $
.\" $FreeBSD$
.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 10, 2008
.Dd January 31 2009
.Dt PF.CONF 5
.Os
.Sh NAME
@ -79,6 +79,17 @@ By default
enforces this order (see
.Ar set require-order
below).
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/pf/sub.filter.conf"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, and may contain letters, digits
@ -154,7 +165,7 @@ A table initialized with the empty list,
will be cleared on load.
.El
.Pp
Tables may be defined with the following two attributes:
Tables may be defined with the following attributes:
.Bl -tag -width persist
.It Ar persist
The
@ -173,6 +184,11 @@ can be used to add or remove addresses from the table at any time, even
when running with
.Xr securelevel 7
= 2.
.It Ar counters
The
.Ar counters
flag enables per-address packet and byte counters which can be displayed with
.Xr pfctl 8 .
.El
.Pp
For example,
@ -328,7 +344,8 @@ With 9000 state table entries, the timeout values are scaled to 50%
(tcp.first 60, tcp.established 43200).
.Pp
.It Ar set loginterface
Enable collection of packet and byte count statistics for the given interface.
Enable collection of packet and byte count statistics for the given
interface or interface group.
These statistics can be viewed using
.Bd -literal -offset indent
# pfctl -s info
@ -403,9 +420,10 @@ set limit { states 20000, frags 20000, src-nodes 2000 }
.Bl -tag -width xxxxxxxx -compact
.It Ar none
Disable the ruleset optimizer.
This is the default behaviour.
.It Ar basic
Enable basic ruleset optimization, which does four things to improve the
Enable basic ruleset optimization.
This is the default behaviour.
Basic ruleset optimization does four things to improve the
performance of ruleset evaluations:
.Pp
.Bl -enum -compact
@ -500,6 +518,16 @@ For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
.It Ar set state-defaults
The
.Ar state-defaults
option sets the state options for states created from rules
without an explicit
.Ar keep state .
For example:
.Bd -literal -offset indent
set state-defaults pflow, no-sync
.Ed
.It Ar set hostid
The 32-bit
.Ar hostid
@ -617,6 +645,19 @@ modifier to ensure unique IP identifiers.
Enforces a minimum TTL for matching IP packets.
.It Ar max-mss Aq Ar number
Enforces a maximum MSS for matching TCP packets.
.It Xo Ar set-tos Aq Ar string
.No \*(Ba Aq Ar number
.Xc
Enforces a
.Em TOS
for matching IP packets.
.Em TOS
may be
given as one of
.Ar lowdelay ,
.Ar throughput ,
.Ar reliability ,
or as either hex or decimal.
.It Ar random-id
Replaces the IP identification field with random values to compensate
for predictable values generated by many hosts.
@ -725,7 +766,7 @@ much in the same way as
works in the packet filter (see below).
This mechanism should be used when it is necessary to exclude specific packets
from broader scrub rules.
.Sh QUEUEING/ALTQ
.Sh QUEUEING
The ALTQ system is currently not available in the GENERIC kernel nor as
loadable modules.
In order to use the herein after called queueing options one has to use a
@ -816,7 +857,7 @@ assigned.
.Ar Priority
mainly controls the time packets take to get sent out, while
.Ar bandwidth
has primarily effects on throughput.
primarily affects throughput.
.Ar hfsc
supports both link-sharing and guaranteed real-time services.
It employs a service curve based QoS model,
@ -879,7 +920,7 @@ Defines a list of subqueues to create on an interface.
.El
.Pp
In the following example, the interface dc0
should queue up to 5 Mbit/s in four second-level queues using
should queue up to 5Mbps in four second-level queues using
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
@ -1171,7 +1212,7 @@ or to the firewall itself.
Note that redirecting external incoming connections to the loopback
address, as in
.Bd -literal -offset indent
rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
.Ed
.Pp
will effectively allow an external host to connect to daemons
@ -1256,7 +1297,7 @@ block all
.Ed
.It Ar pass
The packet is passed;
state is created state unless the
state is created unless the
.Ar no state
option is specified.
.El
@ -1432,7 +1473,8 @@ This rule applies only to packets with the specified source and destination
addresses and ports.
.Pp
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names or interface names, or as any of the following keywords:
symbolic host names, interface names or interface group names, or as any
of the following keywords:
.Pp
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
@ -1454,7 +1496,15 @@ the route back to the packet's source address.
Any address that matches the given table.
.El
.Pp
Interface names can have modifiers appended:
Ranges of addresses are specified by using the
.Sq -
operator.
For instance:
.Dq 10.1.1.10 - 10.1.1.12
means all addresses from 10.1.1.10 to 10.1.1.12,
hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.
.Pp
Interface names and interface group names can have modifiers appended:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar :network
@ -1462,7 +1512,7 @@ Translates to the network(s) attached to the interface.
.It Ar :broadcast
Translates to the interface's broadcast address(es).
.It Ar :peer
Translates to the point to point interface's peer address(es).
Translates to the point-to-point interface's peer address(es).
.It Ar :0
Do not include interface aliases.
.El
@ -1552,17 +1602,6 @@ This is equivalent to "from any to any".
Similar to
.Ar user ,
this rule only applies to packets of sockets owned by the specified group.
.Pp
The use of
.Ar group
or
.Ar user
in
.Va debug.mpsafenet Ns = Ns 1
environments may result in a deadlock.
Please see the
.Sx BUGS
section for details.
.It Ar user Aq Ar user
This rule only applies to packets of sockets owned by the specified user.
For outgoing connections initiated from the firewall, this is the user
@ -1628,7 +1667,7 @@ Flags not specified in
are ignored.
For stateful connections, the default is
.Ar flags S/SA .
To indicate that flags should not be checkd at all, specify
To indicate that flags should not be checked at all, specify
.Ar flags any .
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.Bl -tag -width Fl
@ -1780,7 +1819,7 @@ of
.Em lowdelay
and TCP ACKs with no data payload will be assigned to the second one.
See
.Sx QUEUEING/ALTQ
.Sx QUEUEING
for setup details.
.Pp
For example:
@ -1811,7 +1850,8 @@ or
rules in addition to filter rules.
Tags take the same macros as labels (see above).
.It Ar tagged Aq Ar string
Used with filter or translation rules to specify that packets must already
Used with filter, translation or scrub rules
to specify that packets must already
be tagged with the given tag in order to match the rule.
Inverse tag matching can also be done
by specifying the
@ -1822,6 +1862,22 @@ keyword.
.It Ar rtable Aq Ar number
Used to select an alternate routing table for the routing lookup.
Only effective before the route lookup happened, i.e. when filtering inbound.
.It Xo Ar divert-to Aq Ar host
.Ar port Aq Ar port
.Xc
Used to redirect packets to a local socket bound to
.Ar host
and
.Ar port .
The packets will not be modified, so
.Xr getsockname 2
on the socket will return the original destination address of the packet.
.It Ar divert-reply
Used to receive replies for sockets that are bound to addresses
which are not local to the machine.
See
.Xr setsockopt 2
for information on how to bind these sockets.
.It Ar probability Aq Ar number
A probability attribute can be attached to a rule, with a value set between
0 and 1, bounds not included.
@ -1940,7 +1996,7 @@ pool options.
Note that by default these associations are destroyed as soon as there are
no longer states which refer to them; in order to make the mappings last
beyond the lifetime of the states, increase the global options with
.Ar set timeout source-track
.Ar set timeout src.track .
See
.Sx STATEFUL TRACKING OPTIONS
for more ways to control the source tracking.
@ -2026,7 +2082,7 @@ Rules with
will not work if
.Xr pf 4
operates on a
.Xr if_bridge 4 .
.Xr bridge 4 .
.Pp
Example:
.Bd -literal -offset indent
@ -2046,8 +2102,8 @@ must be specified explicitly to apply options to a rule.
.Bl -tag -width xxxx -compact
.It Ar max Aq Ar number
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets matching the rule that would
create state are dropped, until existing states time out.
When this limit is reached, further packets that would create
state will not match this rule until existing states time out.
.It Ar no-sync
Prevent state changes for states created by this rule from appearing on the
.Xr pfsync 4
@ -2064,8 +2120,12 @@ Uses a sloppy TCP connection tracker that does not check sequence
numbers at all, which makes insertion and ICMP teardown attacks way
easier.
This is intended to be used in situations where one does not see all
packets of a connection, i.e. in asymmetric routing situations.
packets of a connection, e.g. in asymmetric routing situations.
Cannot be used with modulate or synproxy state.
.It Ar pflow
States created by this rule are exported on the
.Xr pflow 4
interface.
.El
.Pp
Multiple options can be specified, separated by commas:
@ -2472,10 +2532,8 @@ into the anchor.
.Pp
Optionally,
.Ar anchor
rules can specify the parameter's
direction, interface, address family, protocol and source/destination
address/port
using the same syntax as filter rules.
rules can specify packet filtering parameters using the same syntax as
filter rules.
When parameters are used, the
.Ar anchor
rule is only evaluated for matching packets.
@ -2779,10 +2837,11 @@ in BNF:
.Bd -literal
line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
antispoof-rule | altq-rule | queue-rule | trans-anchors |
anchor-rule | anchor-close | load-anchor | table-rule | )
anchor-rule | anchor-close | load-anchor | table-rule |
include )
option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
[ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
[ "optimization" [ "default" | "normal" |
"high-latency" | "satellite" |
"aggressive" | "conservative" ] ]
@ -2790,9 +2849,10 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "state-defaults" state-opts ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ( interface-name | "{" interface-list "}" ) ] |
[ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
pf-rule = action [ ( "in" | "out" ) ]
@ -2804,10 +2864,10 @@ logopts = logopt [ "," logopts ]
logopt = "all" | "user" | "to" interface-name
filteropt-list = filteropt-list filteropt | filteropt
filteropt = user | group | flags | icmp-type | icmp6-type | tos |
filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
( "no" | "keep" | "modulate" | "synproxy" ) "state"
[ "(" state-opts ")" ] |
"fragment" | "no-df" | "min-ttl" number |
"fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
"max-mss" number | "random-id" | "reassemble tcp" |
fragmentation | "allow-opts" |
"label" string | "tag" string | [ ! ] "tagged" string |
@ -2834,17 +2894,16 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ portspec ] [ pooltype ] ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" )
[ af ] [ "label" string ]
"for" ifspec [ af ] [ "label" string ]
table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
tableopts = "persist" | "const" | "file" string |
tableopts = "persist" | "const" | "counters" | "file" string |
"{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
interface-name | "self"
tableaddr = hostname | ifspec | "self" |
ipv4-dotted-quad | ipv6-coloned-hex
altq-rule = "altq on" interface-name queueopts-list
"queue" subqueue
@ -2852,7 +2911,7 @@ queue-rule = "queue" string [ "on" interface-name ] queueopts-list
subqueue
anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
[ af ] [ protospec ] [ hosts ] [ "{" ]
[ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
anchor-close = "}"
@ -2875,8 +2934,10 @@ return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
icmpcode = ( icmp-code-name | icmp-code-number )
icmp6code = ( icmp6-code-name | icmp6-code-number )
ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
interface-list = [ "!" ] ( interface-name | interface-group )
[ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" )
[ pooltype ]
@ -2896,8 +2957,9 @@ ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost = address [ "/" mask-bits ]
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
address = ( interface-name | "(" interface-name ")" | hostname |
ipv4-dotted-quad | ipv6-coloned-hex )
address = ( interface-name | interface-group |
"(" ( interface-name | interface-group ) ")" |
hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
routehost-list = routehost [ [ "," ] routehost-list ]
@ -2926,11 +2988,11 @@ icmp-type-code = ( icmp-type-name | icmp-type-number )
[ "code" ( icmp-code-name | icmp-code-number ) ]
icmp-list = icmp-type-code [ [ "," ] icmp-list ]
tos = "tos" ( "lowdelay" | "throughput" | "reliability" |
tos = ( "lowdelay" | "throughput" | "reliability" |
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
state-opt = ( "max" number | "no-sync" | timeout | sloppy |
state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
"source-track" [ ( "rule" | "global" ) ] |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
@ -2971,9 +3033,10 @@ realtime-sc = "realtime" sc-spec
upperlimit-sc = "upperlimit" sc-spec
sc-spec = ( bandwidth-spec |
"(" bandwidth-spec number bandwidth-spec ")" )
include = "include" filename
.Ed
.Sh FILES
.Bl -tag -width "/usr/share/examples/pf" -compact
.Bl -tag -width "/etc/protocols" -compact
.It Pa /etc/hosts
Host name database.
.It Pa /etc/pf.conf
@ -2984,8 +3047,6 @@ Default location of OS fingerprints.
Protocol name database.
.It Pa /etc/services
Service name database.
.It Pa /usr/share/examples/pf
Example rulesets.
.El
.Sh BUGS
Due to a lock order reversal (LOR) with the socket layer, the use of the
@ -3017,6 +3078,7 @@ Rules with a route label do not match any traffic.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr pf 4 ,
.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr route 4 ,
.Xr tcp 4 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
@ -16,7 +16,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd August 18, 2003
.Dd May 31 2007
.Dt PF.OS 5
.Os
.Sh NAME
@ -217,7 +217,7 @@ almost translates into the following fingerprint
57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8
.Xr pfctl 8 ,
.Xr tcpdump 1


@ -1,4 +1,4 @@
.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd December 10, 2001
.Dd May 31 2007
.Dt PFLOG 4
.Os
.Sh NAME
@ -36,7 +36,7 @@
.Sh DESCRIPTION
The
.Nm pflog
interface is a pseudo-device which makes visible all packets logged by
interface is a device which makes visible all packets logged by
the packet filter,
.Xr pf 4 .
Logged packets can easily be monitored in real
@ -91,13 +91,13 @@ and monitor all packets logged on it:
# tcpdump -n -e -ttt -i pflog1
.Ed
.Sh SEE ALSO
.Xr tcpdump 1
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr ifconfig 8 ,
.Xr pflogd 8
.Xr pflogd 8 ,
.Xr tcpdump 1
.Sh HISTORY
The
.Nm


@ -1,4 +1,4 @@
.\" $OpenBSD: pfsync.4,v 1.24 2006/10/23 07:05:49 jmc Exp $
.\" $OpenBSD: pfsync.4,v 1.28 2009/02/17 10:05:18 dlg Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@ -26,12 +26,12 @@
.\"
.\" $FreeBSD$
.\"
.Dd June 6, 2006
.Dd February 17 2009
.Dt PFSYNC 4
.Os
.Sh NAME
.Nm pfsync
.Nd packet filter state table logging interface
.Nd packet filter state table sychronisation interface
.Sh SYNOPSIS
.Cd "device pfsync"
.Sh DESCRIPTION
@ -40,26 +40,25 @@ The
interface is a pseudo-device which exposes certain changes to the state
table used by
.Xr pf 4 .
.\" XXX: not yet!
.\" State changes can be viewed by invoking
.\" .Xr tcpdump 1
.\" on the
.\" .Nm
.\" interface.
State changes can be viewed by invoking
.Xr tcpdump 1
on the
.Nm
interface.
If configured with a physical synchronisation interface,
.Nm
will send state changes out on that interface using IP multicast,
will also send state changes out on that interface,
and insert state changes received on that interface from other systems
into the state table.
.Pp
By default, all local changes to the state table are exposed via
.Nm .
However, state changes from packets received by
State changes from packets received by
.Nm
over the network are not rebroadcast.
States created by a rule marked with the
Updates to states created by a rule marked with the
.Ar no-sync
keyword are omitted from the
keyword are ignored by the
.Nm
interface (see
.Xr pf.conf 5
@ -67,33 +66,19 @@ for details).
.Pp
The
.Nm
interface will attempt to collapse multiple updates of the same
state into one message where possible.
The maximum number of times this can be done before the update is sent out
is controlled by the
interface will attempt to collapse multiple state updates into a single
packet where possible.
The maximum number of times a single state can be updated before a
.Nm
packet will be sent out is controlled by the
.Ar maxupd
parameter to ifconfig
(see
.Xr ifconfig 8
and the example below for more details).
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFSYNC_HDRLEN .
The header indicates the version of the protocol, address family,
action taken on the following states, and the number of state
table entries attached in this packet.
This structure is defined in
.Aq Pa net/if_pfsync.h
as:
.Bd -literal -offset indent
struct pfsync_header {
u_int8_t version;
u_int8_t af;
u_int8_t action;
u_int8_t count;
};
.Ed
The sending out of a
.Nm
packet will be delayed by a maximum of one second.
.Sh NETWORK SYNCHRONISATION
States can be synchronised between two or more firewalls using this
interface, by specifying a synchronisation interface using
@ -104,18 +89,16 @@ interface:
# ifconfig pfsync0 syncdev fxp0
.Ed
.Pp
It is important that the underlying synchronisation interface is up
and has an IP address assigned.
.Pp
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group
used is 224.0.0.240.
When a peer address is specified using the
interface using IP multicast packets to the 244.0.0.240 group address.
An alternative destination address for
.Nm
packets can be specified using the
.Ic syncpeer
keyword, the peer address is used as a destination for the pfsync traffic,
and the traffic can then be protected using
.Xr ipsec 4 .
keyword.
This can be used in combination with
.Xr ipsec 4
to protect the synchronisation traffic.
In such a configuration, the syncdev should be set to the
.Xr enc 4
interface, as this is where the traffic arrives when it is decapsulated,
@ -127,50 +110,19 @@ e.g.:
It is important that the pfsync traffic be well secured
as there is no authentication on the protocol and it would
be trivial to spoof packets which create states, bypassing the pf ruleset.
Either run the pfsync protocol on a trusted network \- ideally a network
Either run the pfsync protocol on a trusted network \- ideally a network
dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
.Xr ipsec 4 .
.Pp
For
.Nm
to start its operation automatically at the system boot time,
.Va pfsync_enable
and
.Va pfsync_syncdev
variables should be used in
.Xr rc.conf 5 .
It is not advisable to set up
.Nm
with common network interface configuration variables of
.Xr rc.conf 5
because
.Nm
must start after its
.Cm syncdev ,
which cannot be always ensured in the latter case.
.\" XXX: not yet!
.\" .Pp
.\" There is a one-to-one correspondence between packets seen by
.\" .Xr bpf 4
.\" on the
.\" .Nm
.\" interface, and packets sent out on the synchronisation interface, i.e.\&
.\" a packet with 4 state deletion messages on
.\" .Nm
.\" means that the same 4 deletions were sent out on the synchronisation
.\" interface.
.\" However, the actual packet contents may differ as the messages
.\" sent over the network are "compressed" where possible, containing
.\" only the necessary information.
.Sh EXAMPLES
.Nm
and
.Xr carp 4
can be used together to provide automatic failover of a pair of firewalls
configured in parallel.
One firewall handles all traffic \- if it dies or
is shut down, the second firewall takes over automatically.
One firewall will handle all traffic until it dies, is shut down, or is
manually demoted, at which point the second firewall will take over
automatically.
.Pp
Both firewalls in this example have three
.Xr sis 4
@ -208,12 +160,12 @@ traffic through.
The following should be added to the top of
.Pa /etc/pf.conf :
.Bd -literal -offset indent
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp
pass quick on { sis2 } proto pfsync keep state (no-sync)
pass on { sis0 sis1 } proto carp keep state (no-sync)
.Ed
.Pp
If it is preferable that one firewall handle the traffic,
the
It is preferable that one firewall handle the forwarding of all the traffic,
therefore the
.Ar advskew
on the backup firewall's
.Xr carp 4
@ -221,6 +173,7 @@ interfaces should be set to something higher than
the primary's.
For example, if firewall B is the backup, its
carp1 configuration would look like this:
would look like this:
.Bd -literal -offset indent
ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"
.Ed
@ -230,16 +183,10 @@ The following must also be added to
.Bd -literal -offset indent
net.inet.carp.preempt=1
.Ed
.Sh BUGS
Possibility to view state changes using
.Xr tcpdump 1
has not been ported from
.Ox
yet.
.Sh SEE ALSO
.Xr bpf 4 ,
.Xr carp 4 ,
.Xr ifconfig 8 ,
.Xr enc 4 ,
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr ipsec 4 ,
@ -247,16 +194,20 @@ yet.
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr protocols 5 ,
.Xr rc.conf 5
.Xr rc.conf 5 ,
.Xr ifconfig 8 ,
.Xr ifstated 8 ,
.Xr tcpdump 8
.Xr tcpdump 1
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.3 .
.Pp
The
.Nm
device was imported to
.Fx 5.3 .
protocol and kernel implementation were significantly modified between
.Ox 4.4
and
.Ox 4.5 .
The two protocols are incompatible and will not interoperate.



@ -1,4 +1,4 @@
/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */
/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -35,7 +35,10 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/socket.h>
#ifdef __FreeBSD__
#include <sys/endian.h>
#define betoh64 be64toh
#endif
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
@ -83,6 +86,19 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
else
printf("<%s>", addr->v.tblname);
return;
case PF_ADDR_RANGE: {
char buf[48];
if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
printf("?");
else
printf("%s", buf);
if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
printf(" - ?");
else
printf(" - %s", buf);
break;
}
case PF_ADDR_ADDRMASK:
if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
PF_AZERO(&addr->v.a.mask, AF_INET6))
@ -112,7 +128,8 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
}
/* mask if not _both_ address and mask are zero */
if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
if (addr->type != PF_ADDR_RANGE &&
!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
PF_AZERO(&addr->v.a.mask, AF_INET6))) {
int bits = unmask(&addr->v.a.mask, af);
@ -155,17 +172,15 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
print_host(struct pf_state_host *h, sa_family_t af, int opts)
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
u_int16_t p = ntohs(h->port);
if (opts & PF_OPT_USEDNS)
print_name(&h->addr, af);
print_name(addr, af);
else {
struct pf_addr_wrap aw;
memset(&aw, 0, sizeof(aw));
aw.v.a.addr = h->addr;
aw.v.a.addr = *addr;
if (af == AF_INET)
aw.v.a.mask.addr32[0] = 0xffffffff;
else {
@ -175,57 +190,72 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
}
if (p) {
if (port) {
if (af == AF_INET)
printf(":%u", p);
printf(":%u", ntohs(port));
else
printf("[%u]", p);
printf("[%u]", ntohs(port));
}
}
void
print_seq(struct pf_state_peer *p)
print_seq(struct pfsync_state_peer *p)
{
if (p->seqdiff)
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
p->seqdiff);
printf("[%u + %u](+%u)", ntohl(p->seqlo),
ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
else
printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
printf("[%u + %u]", ntohl(p->seqlo),
ntohl(p->seqhi) - ntohl(p->seqlo));
}
void
print_state(struct pf_state *s, int opts)
print_state(struct pfsync_state *s, int opts)
{
struct pf_state_peer *src, *dst;
struct pfsync_state_peer *src, *dst;
struct pfsync_state_key *sk, *nk;
struct protoent *p;
int min, sec;
if (s->direction == PF_OUT) {
src = &s->src;
dst = &s->dst;
sk = &s->key[PF_SK_STACK];
nk = &s->key[PF_SK_WIRE];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[0] = nk->port[0];
} else {
src = &s->dst;
dst = &s->src;
sk = &s->key[PF_SK_WIRE];
nk = &s->key[PF_SK_STACK];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[1] = nk->port[1];
}
printf("%s ", s->u.ifname);
printf("%s ", s->ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
printf("%u ", s->proto);
if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
(s->lan.port != s->gwy.port)) {
print_host(&s->lan, s->af, opts);
if (s->direction == PF_OUT)
printf(" -> ");
else
printf(" <- ");
print_host(&nk->addr[1], nk->port[1], s->af, opts);
if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
nk->port[1] != sk->port[1]) {
printf(" (");
print_host(&sk->addr[1], sk->port[1], s->af, opts);
printf(")");
}
print_host(&s->gwy, s->af, opts);
if (s->direction == PF_OUT)
printf(" -> ");
else
printf(" <- ");
print_host(&s->ext, s->af, opts);
print_host(&nk->addr[0], nk->port[0], s->af, opts);
if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
nk->port[0] != sk->port[0]) {
printf(" (");
print_host(&sk->addr[0], sk->port[0], s->af, opts);
printf(")");
}
printf(" ");
if (s->proto == IPPROTO_TCP) {
@ -271,45 +301,63 @@ print_state(struct pf_state *s, int opts)
}
if (opts & PF_OPT_VERBOSE) {
sec = s->creation % 60;
s->creation /= 60;
min = s->creation % 60;
s->creation /= 60;
printf(" age %.2u:%.2u:%.2u", s->creation, min, sec);
sec = s->expire % 60;
s->expire /= 60;
min = s->expire % 60;
s->expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
u_int64_t packets[2];
u_int64_t bytes[2];
u_int32_t creation = ntohl(s->creation);
u_int32_t expire = ntohl(s->expire);
sec = creation % 60;
creation /= 60;
min = creation % 60;
creation /= 60;
printf(" age %.2u:%.2u:%.2u", creation, min, sec);
sec = expire % 60;
expire /= 60;
min = expire % 60;
expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
printf(", %llu:%llu pkts, %llu:%llu bytes",
#ifdef __FreeBSD__
(unsigned long long)s->packets[0],
(unsigned long long)s->packets[1],
(unsigned long long)s->bytes[0],
(unsigned long long)s->bytes[1]);
(unsigned long long)betoh64(packets[0]),
(unsigned long long)betoh64(packets[1]),
(unsigned long long)betoh64(bytes[0]),
(unsigned long long)betoh64(bytes[1]));
#else
s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
betoh64(packets[0]),
betoh64(packets[1]),
betoh64(bytes[0]),
betoh64(bytes[1]));
#endif
if (s->anchor.nr != -1)
printf(", anchor %u", s->anchor.nr);
if (s->rule.nr != -1)
printf(", rule %u", s->rule.nr);
if (ntohl(s->anchor) != -1)
printf(", anchor %u", ntohl(s->anchor));
if (ntohl(s->rule) != -1)
printf(", rule %u", ntohl(s->rule));
if (s->state_flags & PFSTATE_SLOPPY)
printf(", sloppy");
if (s->src_node != NULL)
if (s->state_flags & PFSTATE_PFLOW)
printf(", pflow");
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->nat_src_node != NULL)
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
printf(", sticky-address");
printf("\n");
}
if (opts & PF_OPT_VERBOSE2) {
printf(" id: %016llx creatorid: %08x%s\n",
u_int64_t id;
bcopy(&s->id, &id, sizeof(u_int64_t));
printf(" id: %016llx creatorid: %08x",
#ifdef __FreeBSD__
(unsigned long long)be64toh(s->id), ntohl(s->creatorid),
(unsigned long long)betoh64(id), ntohl(s->creatorid));
#else
betoh64(s->id), ntohl(s->creatorid),
betoh64(id), ntohl(s->creatorid));
#endif
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
printf("\n");
}
}
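Review bot: print_state now writes into the state it was asked to print — in the ICMP branches `sk->port[0] = nk->port[0];` and `sk->port[1] = nk->port[1];` overwrite the stack-side key port in the caller's pfsync_state copy, which a reader does not expect from a print routine and which matters if the caller reuses that buffer afterwards. A comment above the first assignment would make the side effect explicit, e.g. `/* ICMP: copy the wire-side port into the stack-side key so the port comparison below only flags a real translation; note this mutates the caller's copy of the state. */`. Separately, the PF_OPT_VERBOSE2 branch at the end of this hunk no longer emits the ` (no-sync)` marker that the removed lines printed, so `-vv` output silently loses that information; if this is deliberate (it appears to match the upstream source being synced) a one-line comment saying so would save the next reader a search, otherwise `if (s->state_flags & PFSTATE_NOSYNC) printf(" (no-sync)");` before the trailing `printf("\n")` restores it, assuming PFSTATE_NOSYNC is still a state_flags bit in the new pfvar.h. print_state's body begins in the previous hunk of this section.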

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
.\" $OpenBSD: pfctl.8,v 1.138 2008/06/10 20:55:02 mcbride Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@ -26,12 +26,12 @@
.\"
.\" $FreeBSD$
.\"
.Dd June 13, 2011
.Dd June 21, 2011
.Dt PFCTL 8
.Os
.Sh NAME
.Nm pfctl
.Nd "control the packet filter (PF) and network address translation (NAT) device"
.Nd control the packet filter (PF) device
.Sh SYNOPSIS
.Nm pfctl
.Bk -words
@ -43,15 +43,18 @@
.Op Fl f Ar file
.Op Fl i Ar interface
.Op Fl K Ar host | network
.Op Fl k Ar host | network
.Op Fl o Op Ar level
.Xo
.Oo Fl k
.Ar host | network | label | id
.Oc Xc
.Op Fl o Ar level
.Op Fl p Ar device
.Op Fl s Ar modifier
.Oo
.Fl t Ar table
.Xo
.Oo Fl t Ar table
.Fl T Ar command
.Op Ar address ...
.Oc
.Op Ar address ... Oc
.Xc
.Op Fl x Ar level
.Ek
.Sh DESCRIPTION
@ -85,7 +88,7 @@ When the variable
is set to
.Dv YES
in
.Xr rc.conf.local 5 ,
.Xr rc.conf.local 8 ,
the rule file specified with the variable
.Va pf_rules
is loaded automatically by the
@ -211,7 +214,7 @@ Flush the NAT rules.
Flush the queue rules.
.It Fl F Cm rules
Flush the filter rules.
.It Fl F Cm state
.It Fl F Cm states
Flush the state table (NAT and filter).
.It Fl F Cm Sources
Flush the source tracking table.
@ -251,22 +254,28 @@ or
.Fl K Ar network
option may be specified, which will kill all the source tracking
entries from the first host/network to the second.
.It Fl k Ar host | network
Kill all of the state entries originating from the specified
.Ar host
.It Xo
.Fl k
.Ar host | network | label | id
.Xc
Kill all of the state entries matching the specified
.Ar host ,
.Ar network ,
.Ar label ,
or
.Ar network .
.Ar id .
.Pp
For example, to kill all of the state entries originating from
.Dq host :
.Pp
.Dl # pfctl -k host
.Pp
A second
.Fl k Ar host
or
.Fl k Ar network
option may be specified, which will kill all the state entries
from the first host/network to the second.
For example, to kill all of the state entries originating from
.Dq host :
.Pp
.Dl # pfctl -k host
.Pp
To kill all of the state entries from
.Dq host1
to
@ -283,6 +292,32 @@ To kill all states with the target
.Dq host2 :
.Pp
.Dl # pfctl -k 0.0.0.0/0 -k host2
.Pp
It is also possible to kill states by rule label or state ID.
In this mode the first
.Fl k
argument is used to specify the type
of the second argument.
The following command would kill all states that have been created
from rules carrying the label
.Dq foobar :
.Pp
.Dl # pfctl -k label -k foobar
.Pp
To kill one specific state by its unique state ID
(as shown by pfctl -s state -vv),
use the
.Ar id
modifier and as a second argument the state ID and optional creator ID.
To kill a state with ID 4823e84500000003 use:
.Pp
.Dl # pfctl -k id -k 4823e84500000003
.Pp
To kill a state with ID 4823e84500000018 created from a backup
firewall with hostid 00000002 use:
.Pp
.Dl # pfctl -k id -k 4823e84500000018/2
.Pp
.It Fl m
Merge in explicitly given options without resetting those
which are omitted.
@ -298,58 +333,20 @@ Do not actually load rules, just parse them.
.It Fl O
Load only the options present in the rule file.
Other rules and options are ignored.
.It Fl o Op Ar level
Control the ruleset optimizer.
The ruleset optimizer attempts to improve rulesets by removing rule
duplication and making better use of rule ordering.
.It Fl o Ar level
Control the ruleset optimizer, overriding any rule file settings.
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Fl o Cm none
Disable the ruleset optimizer.
.It Fl o Cm basic
Enable basic ruleset optimizations.
This is the default behaviour.
.It Fl o Cm profile
Enable basic ruleset optimizations with profiling.
.El
.Pp
.Cm basic
optimization does does four things:
.Pp
.Bl -enum -compact
.It
remove duplicate rules
.It
remove rules that are a subset of another rule
.It
combine multiple rules into a table when advantageous
.It
re-order the rules to improve evaluation performance
.El
.Pp
If
.Cm profile
is specified, the currently loaded ruleset will be examined as a feedback
profile to tailor the optimization of the
.Ar quick
rules to the actual network behavior.
.Pp
It is important to note that the ruleset optimizer will modify the ruleset
to improve performance.
A side effect of the ruleset modification is that per-rule accounting
statistics will have different meanings than before.
If per-rule accounting is important for billing purposes or whatnot, either
the ruleset optimizer should not be used or a
.Ar label
field should be added to all of the accounting rules to act as optimization
barriers.
.Pp
To retain compatibility with previous behaviour, a single
.Fl o
without any options will enable
.Cm basic
optimizations, and a second
.Fl o
will enable profiling.
For further information on the ruleset optimizer, see
.Xr pf.conf 5 .
.It Fl P
Do not perform service name lookup for port specific rules,
instead display the ports numerically.
@ -407,7 +404,7 @@ If
.Fl v
is specified, all anchors attached under the target anchor will be
displayed recursively.
.It Fl s Cm state
.It Fl s Cm states
Show the contents of the state table.
.It Fl s Cm Sources
Show the contents of the source tracking table.
@ -418,7 +415,7 @@ When used together with
source tracking statistics are also shown.
.It Fl s Cm labels
Show per-rule statistics (label, evaluations, packets total, bytes total,
packets in, bytes in, packets out, bytes out) of
packets in, bytes in, packets out, bytes out, state creations) of
filter rules with labels, useful for accounting.
.It Fl s Cm timeouts
Show the current global timeouts.
@ -529,7 +526,7 @@ attributes.
The address/network has been cleared (statistics).
.El
.Pp
Each table maintains a set of counters that can be retrieved using the
Each table can maintain a set of counters that can be retrieved using the
.Fl v
flag of
.Nm .
@ -540,7 +537,7 @@ FTP server.
The following commands configure the firewall and send 10 pings to the FTP
server:
.Bd -literal -offset indent
# printf "table <test> { ftp.openbsd.org }\en \e
# printf "table <test> counters { ftp.openbsd.org }\en \e
pass out to <test>\en" | pfctl -f-
# ping -qc10 ftp.openbsd.org
.Ed
@ -574,7 +571,7 @@ the number of rules which reference the table, and the global
packet statistics for the whole table:
.Bd -literal -offset indent
# pfctl -vvsTables
--a-r- test
--a-r-C test
Addresses: 1
Cleared: Thu Feb 13 18:55:18 2003
References: [ Anchors: 0 Rules: 1 ]
@ -634,6 +631,8 @@ For tables which are referenced (used) by rules.
.It h
This flag is set when a table in the main ruleset is hidden by one or more
tables of the same name from anchors attached below it.
.It C
This flag is set when per-address counters are enabled on the table.
.El
.It Fl t Ar table
Specify the name of the table.

View File

@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
/* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -39,6 +39,10 @@ __FBSDID("$FreeBSD$");
#include <sys/socket.h>
#include <sys/stat.h>
#ifdef __FreeBSD__
#include <sys/endian.h>
#endif
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
@ -59,10 +63,6 @@ __FBSDID("$FreeBSD$");
#include "pfctl_parser.h"
#include "pfctl.h"
#ifdef __FreeBSD__
#define HTONL(x) (x) = htonl((__uint32_t)(x))
#endif
void usage(void);
int pfctl_enable(int, int);
int pfctl_disable(int, int);
@ -75,7 +75,9 @@ int pfctl_clear_src_nodes(int, int);
int pfctl_clear_states(int, const char *, int);
void pfctl_addrprefix(char *, struct pf_addr *);
int pfctl_kill_src_nodes(int, const char *, int);
int pfctl_kill_states(int, const char *, int);
int pfctl_net_kill_states(int, const char *, int);
int pfctl_label_kill_states(int, const char *, int);
int pfctl_id_kill_states(int, const char *, int);
void pfctl_init_options(struct pfctl *);
int pfctl_load_options(struct pfctl *);
int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
@ -126,8 +128,6 @@ int dev = -1;
int first_title = 1;
int labels = 0;
const char *infile;
#define INDENT(d, o) do { \
if (o) { \
int i; \
@ -208,11 +208,11 @@ static const struct {
static const char *clearopt_list[] = {
"nat", "queue", "rules", "Sources",
"state", "info", "Tables", "osfp", "all", NULL
"states", "info", "Tables", "osfp", "all", NULL
};
static const char *showopt_list[] = {
"nat", "queue", "rules", "Anchors", "Sources", "state", "info",
"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
"all", NULL
};
@ -227,7 +227,7 @@ static const char *debugopt_list[] = {
};
static const char *optiopt_list[] = {
"o", "none", "basic", "profile", NULL
"none", "basic", "profile", NULL
};
void
@ -237,10 +237,11 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
fprintf(stderr, "[-k host | network ]\n");
fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
fprintf(stderr, "\t[-k host | network | label | id] ");
fprintf(stderr, "[-o level] [-p device]\n");
fprintf(stderr, "\t[-s modifier] ");
fprintf(stderr, "[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
@ -389,7 +390,7 @@ pfctl_clear_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCCLRSTATES, &psk))
err(1, "DIOCCLRSTATES");
if ((opts & PF_OPT_QUIET) == 0)
fprintf(stderr, "%d states cleared\n", psk.psk_af);
fprintf(stderr, "%d states cleared\n", psk.psk_killed);
return (0);
}
@ -528,17 +529,13 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
killed += psnk.psnk_af;
/* fixup psnk.psnk_af */
psnk.psnk_af = resp[1]->ai_family;
killed += psnk.psnk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
killed += psnk.psnk_af;
/* fixup psnk.psnk_af */
psnk.psnk_af = res[0]->ai_family;
killed += psnk.psnk_killed;
}
}
@ -551,7 +548,7 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
}
int
pfctl_kill_states(int dev, const char *iface, int opts)
pfctl_net_kill_states(int dev, const char *iface, int opts)
{
struct pfioc_state_kill psk;
struct addrinfo *res[2], *resp[2];
@ -638,17 +635,13 @@ pfctl_kill_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
killed += psk.psk_af;
/* fixup psk.psk_af */
psk.psk_af = resp[1]->ai_family;
killed += psk.psk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
killed += psk.psk_af;
/* fixup psk.psk_af */
psk.psk_af = res[0]->ai_family;
killed += psk.psk_killed;
}
}
@ -660,6 +653,68 @@ pfctl_kill_states(int dev, const char *iface, int opts)
return (0);
}
int
pfctl_label_kill_states(int dev, const char *iface, int opts)
{
struct pfioc_state_kill psk;
if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
warnx("no label specified");
usage();
}
memset(&psk, 0, sizeof(psk));
if (iface != NULL && strlcpy(psk.psk_ifname, iface,
sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
errx(1, "invalid interface: %s", iface);
if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
sizeof(psk.psk_label))
errx(1, "label too long: %s", state_kill[1]);
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
if ((opts & PF_OPT_QUIET) == 0)
fprintf(stderr, "killed %d states\n", psk.psk_killed);
return (0);
}
int
pfctl_id_kill_states(int dev, const char *iface, int opts)
{
struct pfioc_state_kill psk;
if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
warnx("no id specified");
usage();
}
memset(&psk, 0, sizeof(psk));
if ((sscanf(state_kill[1], "%jx/%x",
&psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
HTONL(psk.psk_pfcmp.creatorid);
else if ((sscanf(state_kill[1], "%jx", &psk.psk_pfcmp.id)) == 1) {
psk.psk_pfcmp.creatorid = 0;
} else {
warnx("wrong id format specified");
usage();
}
if (psk.psk_pfcmp.id == 0) {
warnx("cannot kill id 0");
usage();
}
psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
if ((opts & PF_OPT_QUIET) == 0)
fprintf(stderr, "killed %d states\n", psk.psk_killed);
return (0);
}
int
pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
u_int32_t ticket, int r_action, char *anchorname)
@ -747,10 +802,12 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)
(unsigned long long)(rule->packets[0] +
rule->packets[1]),
(unsigned long long)(rule->bytes[0] +
rule->bytes[1]), rule->states);
rule->bytes[1]), rule->states_cur);
if (!(opts & PF_OPT_DEBUG))
printf(" [ Inserted: uid %u pid %u ]\n",
(unsigned)rule->cuid, (unsigned)rule->cpid);
printf(" [ Inserted: uid %u pid %u "
"State Creations: %-6u]\n",
(unsigned)rule->cuid, (unsigned)rule->cpid,
rule->states_tot);
}
}
@ -818,19 +875,6 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
printf("%s ", pr.rule.label);
printf("%llu %llu %llu %llu %llu %llu %llu\n",
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
(unsigned long long)(pr.rule.bytes[0] +
pr.rule.bytes[1]),
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
(unsigned long long)pr.rule.bytes[1]);
}
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
@ -864,8 +908,9 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
printf("%s ", pr.rule.label);
printf("%llu %llu %llu %llu %llu %llu %llu\n",
printf("%s %llu %llu %llu %llu"
" %llu %llu %llu %llu\n",
pr.rule.label,
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
@ -874,7 +919,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
(unsigned long long)pr.rule.bytes[1]);
(unsigned long long)pr.rule.bytes[1],
(unsigned long long)pr.rule.states_tot);
}
break;
case PFCTL_SHOW_RULES:
@ -967,7 +1013,7 @@ pfctl_show_src_nodes(int dev, int opts)
struct pfioc_src_nodes psn;
struct pf_src_node *p;
char *inbuf = NULL, *newinbuf = NULL;
unsigned len = 0;
unsigned int len = 0;
int i;
memset(&psn, 0, sizeof(psn));
@ -1010,9 +1056,9 @@ int
pfctl_show_states(int dev, const char *iface, int opts)
{
struct pfioc_states ps;
struct pf_state *p;
struct pfsync_state *p;
char *inbuf = NULL, *newinbuf = NULL;
unsigned len = 0;
unsigned int len = 0;
int i, dotitle = (opts & PF_OPT_SHOWALL);
memset(&ps, 0, sizeof(ps));
@ -1041,7 +1087,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
}
p = ps.ps_states;
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
if (iface != NULL && strcmp(p->u.ifname, iface))
if (iface != NULL && strcmp(p->ifname, iface))
continue;
if (dotitle) {
pfctl_print_title("STATES:");
@ -1163,7 +1209,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
r->anchor->ruleset.anchor = r->anchor;
if (strlcpy(r->anchor->path, anchor_call,
sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
errx(1, "pfctl_add_rule: strlcpy");
errx(1, "pfctl_add_rule: strlcpy");
if ((p = strrchr(anchor_call, '/')) != NULL) {
if (!strlen(p))
err(1, "pfctl_add_rule: bad anchor name %s",
@ -1172,7 +1218,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
p = (char *)anchor_call;
if (strlcpy(r->anchor->name, p,
sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
errx(1, "pfctl_add_rule: strlcpy");
errx(1, "pfctl_add_rule: strlcpy");
}
if ((rule = calloc(1, sizeof(*rule))) == NULL)
@ -1197,7 +1243,7 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
return (1);
}
if (a == pf->astack[0] && ((altqsupport &&
(pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
(pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
return (2);
}
@ -1350,7 +1396,7 @@ pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
}
int
pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
pfctl_rules(int dev, char *filename, int opts, int optimize,
char *anchorname, struct pfr_buffer *trans)
{
#define ERR(x) do { warn(x); goto _error; } while(0)
@ -1386,7 +1432,6 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
if (strlcpy(trs.pfrt_anchor, anchorname,
sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
ERRX("pfctl_rules: strlcpy");
infile = filename;
pf.dev = dev;
pf.opts = opts;
pf.optimize = optimize;
@ -1430,7 +1475,7 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
}
if (parse_rules(fin, &pf) < 0) {
if (parse_config(filename, &pf) < 0) {
if ((opts & PF_OPT_NOACTION) == 0)
ERRX("Syntax error in config file: "
"pf rules not loaded");
@ -1456,11 +1501,6 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
if (check_commit_altq(dev, opts) != 0)
ERRX("errors in altq config");
if (fin != stdin) {
fclose(fin);
fin = NULL;
}
/* process "load anchor" directives */
if (!anchorname[0])
if (pfctl_load_anchors(dev, &pf, t) == -1)
@ -1482,8 +1522,6 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
err(1, "DIOCXROLLBACK");
exit(1);
} else { /* sub ruleset */
if (fin != NULL && fin != stdin)
fclose(fin);
return (-1);
}
@ -1515,7 +1553,8 @@ pfctl_fopen(const char *name, const char *mode)
void
pfctl_init_options(struct pfctl *pf)
{
int mib[2], mem;
int64_t mem;
int mib[2];
size_t size;
pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
@ -1546,9 +1585,14 @@ pfctl_init_options(struct pfctl *pf)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
mib[0] = CTL_HW;
#ifdef __FreeBSD__
mib[1] = HW_PHYSMEM;
#else
mib[1] = HW_PHYSMEM64;
#endif
size = sizeof(mem);
(void) sysctl(mib, 2, &mem, &size, NULL, 0);
if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1)
err(1, "sysctl");
if (mem <= 100*1024*1024)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
@ -1572,7 +1616,7 @@ pfctl_load_options(struct pfctl *pf)
}
/*
* If we've set the limit, but havn't explicitly set adaptive
* If we've set the limit, but haven't explicitly set adaptive
* timeouts, do it now with a start of 60% and end of 120%.
*/
if (pf->limit_set[PF_LIMIT_STATES] &&
@ -1897,9 +1941,6 @@ pfctl_debug(int dev, u_int32_t level, int opts)
int
pfctl_test_altqsupport(int dev, int opts)
{
#if defined(__FreeBSD__) && !defined(ENABLE_ALTQ)
return (0);
#else
struct pfioc_altq pa;
if (ioctl(dev, DIOCGETALTQS, &pa)) {
@ -1912,7 +1953,6 @@ pfctl_test_altqsupport(int dev, int opts)
err(1, "DIOCGETALTQS");
}
return (1);
#endif
}
int
@ -1971,16 +2011,15 @@ main(int argc, char *argv[])
int ch;
int mode = O_RDONLY;
int opts = 0;
int optimize = 0;
int optimize = PF_OPTIMIZE_BASIC;
char anchorname[MAXPATHLEN];
char *path;
FILE *fin = NULL;
if (argc < 2)
usage();
while ((ch = getopt(argc, argv,
"a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
"a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@ -2056,24 +2095,11 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_FILTER;
break;
case 'o':
if (optarg) {
optiopt = pfctl_lookup_option(optarg,
optiopt_list);
if (optiopt == NULL) {
warnx("Unknown optimization '%s'",
optarg);
usage();
}
optiopt = pfctl_lookup_option(optarg, optiopt_list);
if (optiopt == NULL) {
warnx("Unknown optimization '%s'", optarg);
usage();
}
if (opts & PF_OPT_OPTIMIZE) {
if (optiopt != NULL) {
warnx("Cannot specify -o multiple times"
"with optimizer level");
usage();
}
optimize |= PF_OPTIMIZE_PROFILE;
}
optimize |= PF_OPTIMIZE_BASIC;
opts |= PF_OPT_OPTIMIZE;
break;
case 'O':
@ -2303,8 +2329,14 @@ main(int argc, char *argv[])
break;
}
}
if (state_killers)
pfctl_kill_states(dev, ifaceopt, opts);
if (state_killers) {
if (!strcmp(state_kill[0], "label"))
pfctl_label_kill_states(dev, ifaceopt, opts);
else if (!strcmp(state_kill[0], "id"))
pfctl_id_kill_states(dev, ifaceopt, opts);
else
pfctl_net_kill_states(dev, ifaceopt, opts);
}
if (src_node_killers)
pfctl_kill_src_nodes(dev, ifaceopt, opts);
@ -2329,15 +2361,6 @@ main(int argc, char *argv[])
}
}
if (rulesopt != NULL) {
if (strcmp(rulesopt, "-") == 0) {
fin = stdin;
rulesopt = "stdin";
} else {
if ((fin = pfctl_fopen(rulesopt, "r")) == NULL)
err(1, "%s", rulesopt);
}
}
if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
!anchorname[0])
if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET))
@ -2352,7 +2375,7 @@ main(int argc, char *argv[])
if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
errx(1, "anchor names beginning with '_' cannot "
"be modified from the command line");
if (pfctl_rules(dev, rulesopt, fin, opts, optimize,
if (pfctl_rules(dev, rulesopt, opts, optimize,
anchorname, NULL))
error = 1;
else if (!(opts & PF_OPT_NOACTION) &&


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */
/* $OpenBSD: pfctl.h,v 1.42 2007/12/05 12:01:47 chl Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -49,7 +49,6 @@ struct pfr_buffer {
(var) != NULL; \
(var) = pfr_buf_next((buf), (var)))
void pfr_set_fd(int);
int pfr_get_fd(void);
int pfr_clr_tables(struct pfr_table *, int *, int);
int pfr_add_tables(struct pfr_table *, int, int *, int);
@ -64,9 +63,7 @@ int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
int *, int *, int *, int);
int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, int);
int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int);
int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
int *, int, int);
void pfr_buf_clear(struct pfr_buffer *);
@ -91,6 +88,8 @@ FILE *pfctl_fopen(const char *, const char *);
#ifdef __FreeBSD__
extern int altqsupport;
extern int dummynetsupport;
#define HTONL(x) (x) = htonl((__uint32_t)(x))
#endif
#ifndef DEFAULT_PRIORITY
@ -117,9 +116,9 @@ struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
void print_host(struct pf_state_host *, sa_family_t, int);
void print_seq(struct pf_state_peer *);
void print_state(struct pf_state *, int);
void print_host(struct pf_addr *, u_int16_t p, sa_family_t, int);
void print_seq(struct pfsync_state_peer *);
void print_state(struct pfsync_state *, int);
int unmask(struct pf_addr *, sa_family_t);
int pfctl_cmdline_symset(char *);
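Review bot: The new `HTONL` macro, `#define HTONL(x) (x) = htonl((__uint32_t)(x))`, expands to an unparenthesized assignment and evaluates its argument twice, so an argument with side effects is applied twice and the macro cannot safely appear inside a larger expression. Wrapping the expansion, `#define HTONL(x) ((x) = htonl((__uint32_t)(x)))`, fixes the precedence problem, and a one-line comment stating that `x` must be a side-effect-free lvalue would document the remaining hazard for callers like the `psk_pfcmp.creatorid` use in pfctl.c. The definition is only under `__FreeBSD__`, so the other platforms presumably get an equivalent from a system header; that is worth confirming rather than assuming.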


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */
/* $OpenBSD: pfctl_altq.c,v 1.93 2007/10/15 02:16:35 deraadt Exp $ */
/*
* Copyright (c) 2002
@ -21,7 +21,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
@ -78,7 +78,7 @@ static int gsc_add_seg(struct gen_sc *, double, double, double,
static double sc_x2y(struct service_curve *, double);
#ifdef __FreeBSD__
u_int32_t getifspeed(int, char *);
u_int32_t getifspeed(int, char *);
#else
u_int32_t getifspeed(char *);
#endif
@ -145,8 +145,8 @@ qname_to_qid(const char *qname)
}
void
print_altq(const struct pf_altq *a, unsigned level, struct node_queue_bw *bw,
struct node_queue_opt *qopts)
print_altq(const struct pf_altq *a, unsigned int level,
struct node_queue_bw *bw, struct node_queue_opt *qopts)
{
if (a->qname[0] != 0) {
print_queue(a, level, bw, 1, qopts);
@ -157,6 +157,7 @@ print_altq(const struct pf_altq *a, unsigned level, struct node_queue_bw *bw,
if (a->local_flags & PFALTQ_FLAG_IF_REMOVED)
printf("INACTIVE ");
#endif
printf("altq on %s ", a->ifname);
switch (a->scheduler) {
@ -186,10 +187,11 @@ print_altq(const struct pf_altq *a, unsigned level, struct node_queue_bw *bw,
}
void
print_queue(const struct pf_altq *a, unsigned level, struct node_queue_bw *bw,
int print_interface, struct node_queue_opt *qopts)
print_queue(const struct pf_altq *a, unsigned int level,
struct node_queue_bw *bw, int print_interface,
struct node_queue_opt *qopts)
{
unsigned i;
unsigned int i;
#ifdef __FreeBSD__
if (a->local_flags & PFALTQ_FLAG_IF_REMOVED)
@ -893,9 +895,6 @@ print_hfsc_opts(const struct pf_altq *a, const struct node_queue_opt *qopts)
/*
* admission control using generalized service curve
*/
#ifndef INFINITY
#define INFINITY HUGE_VAL /* positive infinity defined in <math.h> */
#endif
/* add a new service curve to a generalized service curve */
static void
@ -1132,8 +1131,6 @@ getifspeed(char *ifname)
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFDATA");
if (shutdown(s, SHUT_RDWR) == -1)
err(1, "shutdown");
if (close(s))
err(1, "close");
return ((u_int32_t)ifrdat.ifi_baudrate);
@ -1158,8 +1155,6 @@ getifmtu(char *ifname)
#else
err(1, "SIOCGIFMTU");
#endif
if (shutdown(s, SHUT_RDWR) == -1)
err(1, "shutdown");
if (close(s))
err(1, "close");
if (ifr.ifr_mtu > 0)
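Review bot: Dropping the `#ifndef INFINITY` / `#define INFINITY HUGE_VAL` fallback makes the generalized-service-curve code depend on `<math.h>` supplying the C99 `INFINITY` macro; the include list is outside these hunks, so confirm `<math.h>` is included and that the build's C mode exposes the macro, otherwise `INFINITY` becomes an undeclared identifier. Removing `shutdown(s, SHUT_RDWR)` before `close(s)` in getifspeed and getifmtu looks fine, since the surviving lines show the socket is used only as an ioctl handle (`SIOCGIFDATA`, `SIOCGIFMTU`) and nothing is ever sent on it; both enclosing functions start outside the hunks.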


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_optimize.c,v 1.13 2006/10/31 14:17:45 mcbride Exp $ */
/* $OpenBSD: pfctl_optimize.c,v 1.17 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
@ -185,7 +185,8 @@ struct pf_rule_field {
PF_RULE_FIELD(packets, DC),
PF_RULE_FIELD(bytes, DC),
PF_RULE_FIELD(kif, DC),
PF_RULE_FIELD(states, DC),
PF_RULE_FIELD(states_cur, DC),
PF_RULE_FIELD(states_tot, DC),
PF_RULE_FIELD(src_nodes, DC),
PF_RULE_FIELD(nr, DC),
PF_RULE_FIELD(entries, DC),
@ -201,6 +202,7 @@ struct pf_rule_field {
PF_RULE_FIELD(natpass, NEVER),
PF_RULE_FIELD(max_mss, NEVER),
PF_RULE_FIELD(min_ttl, NEVER),
PF_RULE_FIELD(set_tos, NEVER),
};
@ -398,7 +400,7 @@ optimize_superblock(struct pfctl *pf, struct superblock *block)
* out rules.
*/
/* shortcut. there will be alot of 1-rule superblocks */
/* shortcut. there will be a lot of 1-rule superblocks */
if (!TAILQ_NEXT(TAILQ_FIRST(&block->sb_rules), por_entry))
return (0);
@ -1320,8 +1322,9 @@ pf_opt_create_table(struct pfctl *pf, struct pf_opt_tbl *tbl)
if (pfctl_define_table(tbl->pt_name, PFR_TFLAG_CONST, 1,
pf->anchor->name, tbl->pt_buf, pf->anchor->ruleset.tticket)) {
warn("failed to create table %s", tbl->pt_name);
pf->astack[0]->name, tbl->pt_buf, pf->astack[0]->ruleset.tticket)) {
warn("failed to create table %s in %s",
tbl->pt_name, pf->astack[0]->name);
return (1);
}
return (0);
@ -1424,7 +1427,7 @@ superblock_inclusive(struct superblock *block, struct pf_opt_rule *por)
return (0);
/*
* Have to handle interface groups seperately. Consider the following
* Have to handle interface groups separately. Consider the following
* rules:
* block on EXTIFS to any port 22
* pass on em0 to any port 22
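Review bot: pf_opt_create_table now defines the optimizer's table with `pf->astack[0]->name` and `pf->astack[0]->ruleset.tticket` instead of `pf->anchor`, but nothing in the hunk records why the root of the anchor stack is the right owner; a comment above the pfctl_define_table call such as `/* optimizer-generated tables are defined in the root anchor (astack[0]), not in the anchor currently being loaded */` would save the next reader a trip through the anchor-stack code. The call line `pf->astack[0]->name, tbl->pt_buf, pf->astack[0]->ruleset.tticket)) {` also runs past 80 columns, which style(9) asks to avoid; wrapping after `tbl->pt_buf,` keeps it within the limit. The enclosing function starts outside the hunk.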


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_osfp.c,v 1.15 2006/12/13 05:10:15 itojun Exp $ */
/* $OpenBSD: pfctl_osfp.c,v 1.14 2006/04/08 02:13:14 ray Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_parser.c,v 1.234 2006/10/31 23:46:24 mcbride Exp $ */
/* $OpenBSD: pfctl_parser.c,v 1.240 2008/06/10 20:55:02 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -52,7 +52,6 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>
#include <netdb.h>
#include <stdarg.h>
#include <errno.h>
@ -500,7 +499,7 @@ print_status(struct pf_status *s, int opts)
running = s->running ? "Enabled" : "Disabled";
if (s->since) {
unsigned sec, min, hrs, day = runtime;
unsigned int sec, min, hrs, day = runtime;
sec = day % 60;
day /= 60;
@ -581,7 +580,11 @@ print_status(struct pf_status *s, int opts)
s->src_nodes, "");
for (i = 0; i < SCNT_MAX; i++) {
printf(" %-25s %14lld ", pf_scounters[i],
(unsigned long long)s->scounters[i]);
#ifdef __FreeBSD__
(long long)s->scounters[i]);
#else
s->scounters[i]);
#endif
if (runtime > 0)
printf("%14.1f/s\n",
(double)s->scounters[i] / (double)runtime);
@ -952,6 +955,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
printf("sloppy");
opts = 0;
}
if (r->rule_flag & PFRULE_PFLOW) {
if (!opts)
printf(", ");
printf("pflow");
opts = 0;
}
for (i = 0; i < PFTM_MAX; ++i)
if (r->timeout[i]) {
int j;
@ -979,6 +988,8 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
printf(" min-ttl %d", r->min_ttl);
if (r->max_mss)
printf(" max-mss %d", r->max_mss);
if (r->rule_flag & PFRULE_SET_TOS)
printf(" set-tos 0x%2.2x", r->set_tos);
if (r->allow_opts)
printf(" allow-opts");
if (r->action == PF_SCRUB) {
@ -1007,6 +1018,26 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
}
if (r->rtableid != -1)
printf(" rtable %u", r->rtableid);
if (r->divert.port) {
#ifdef __FreeBSD__
printf(" divert-to %u", ntohs(r->divert.port));
#else
if (PF_AZERO(&r->divert.addr, r->af)) {
printf(" divert-reply");
} else {
/* XXX cut&paste from print_addr */
char buf[48];
printf(" divert-to ");
if (inet_ntop(r->af, &r->divert.addr, buf,
sizeof(buf)) == NULL)
printf("?");
else
printf("%s", buf);
printf(" port %u", ntohs(r->divert.port));
}
#endif
}
if (!anchor_call[0] && (r->action == PF_NAT ||
r->action == PF_BINAT || r->action == PF_RDR)) {
printf(" -> ");
@ -1027,6 +1058,8 @@ print_tabledef(const char *name, int flags, int addrs,
printf(" const");
if (flags & PFR_TFLAG_PERSIST)
printf(" persist");
if (flags & PFR_TFLAG_COUNTERS)
printf(" counters");
SIMPLEQ_FOREACH(ti, nodes, entries) {
if (ti->file) {
printf(" file \"%s\"", ti->file);
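Review bot: The new `#ifdef __FreeBSD__` split in print_status exists only to cast `s->scounters[i]` to `long long` for the `%14lld` conversion; printing it with `%14ju` and `(uintmax_t)s->scounters[i]` works on both platforms, keeps the counter unsigned, and removes the conditional entirely: `printf(" %-25s %14ju ", pf_scounters[i], (uintmax_t)s->scounters[i]);`. In print_rule, `" divert-to %u"` receives the `ntohs()` result, which is promoted to `int` before reaching a `%u` conversion; that is harmless in practice, but `(unsigned)ntohs(r->divert.port)` states the intent and satisfies `-Wformat`. Both enclosing functions start outside the hunks.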


@ -172,10 +172,10 @@ struct node_queue_opt {
#define SIMPLEQ_END(head) NULL
#define SIMPLEQ_EMPTY STAILQ_EMPTY
#define SIMPLEQ_NEXT STAILQ_NEXT
/*#define SIMPLEQ_FOREACH STAILQ_FOREACH*/
#define SIMPLEQ_FOREACH(var, head, field) \
for((var) = SIMPLEQ_FIRST(head); \
(var) != SIMPLEQ_END(head); \
/*#define SIMPLEQ_FOREACH STAILQ_FOREACH*/
#define SIMPLEQ_FOREACH(var, head, field) \
for((var) = SIMPLEQ_FIRST(head); \
(var) != SIMPLEQ_END(head); \
(var) = SIMPLEQ_NEXT(var, field))
#define SIMPLEQ_INIT STAILQ_INIT
#define SIMPLEQ_INSERT_HEAD STAILQ_INSERT_HEAD
@ -213,7 +213,7 @@ struct pf_opt_rule {
TAILQ_HEAD(pf_opt_queue, pf_opt_rule);
int pfctl_rules(int, char *, FILE *, int, int, char *, struct pfr_buffer *);
int pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
@ -230,7 +230,7 @@ int pfctl_set_hostid(struct pfctl *, u_int32_t);
int pfctl_set_debug(struct pfctl *, char *);
int pfctl_set_interface_flags(struct pfctl *, char *, int, int);
int parse_rules(FILE *, struct pfctl *);
int parse_config(char *, struct pfctl *);
int parse_flags(char *);
int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);


@ -73,7 +73,7 @@ void pfctl_insert_altq_node(struct pf_altq_node **,
struct pf_altq_node *pfctl_find_altq_node(struct pf_altq_node *,
const char *, const char *);
void pfctl_print_altq_node(int, const struct pf_altq_node *,
unsigned, int);
unsigned, int);
void print_cbqstats(struct queue_stats);
void print_priqstats(struct queue_stats);
void print_hfscstats(struct queue_stats);
@ -185,8 +185,8 @@ pfctl_update_qstats(int dev, struct pf_altq_node **root)
}
}
#ifdef __FreeBSD__
else if (pa.altq.local_flags & PFALTQ_FLAG_IF_REMOVED) {
memset(&qstats.data, 0, sizeof(qstats.data));
else if (pa.altq.local_flags & PFALTQ_FLAG_IF_REMOVED) {
memset(&qstats.data, 0, sizeof(qstats.data));
if ((node = pfctl_find_altq_node(*root, pa.altq.qname,
pa.altq.ifname)) != NULL) {
memcpy(&node->qstats.data, &qstats.data,
@ -194,7 +194,7 @@ pfctl_update_qstats(int dev, struct pf_altq_node **root)
update_avg(node);
} else {
pfctl_insert_altq_node(root, pa.altq, qstats);
}
}
}
#endif
}
@ -262,8 +262,8 @@ pfctl_find_altq_node(struct pf_altq_node *root, const char *qname,
}
void
pfctl_print_altq_node(int dev, const struct pf_altq_node *node, unsigned level,
int opts)
pfctl_print_altq_node(int dev, const struct pf_altq_node *node,
unsigned int level, int opts)
{
const struct pf_altq_node *child;
@ -302,11 +302,11 @@ pfctl_print_altq_nodestat(int dev, const struct pf_altq_node *a)
{
if (a->altq.qid == 0)
return;
#ifdef __FreeBSD__
if (a->altq.local_flags & PFALTQ_FLAG_IF_REMOVED)
return;
#endif
switch (a->altq.scheduler) {
case ALTQT_CBQ:
print_cbqstats(a->qstats);


@ -30,6 +30,9 @@
*
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
@ -299,29 +302,6 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
return (0);
}
int
pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size,
int *nzero, int flags)
{
struct pfioc_table io;
if (tbl == NULL || size < 0 || (size && addr == NULL)) {
errno = EINVAL;
return (-1);
}
bzero(&io, sizeof io);
io.pfrio_flags = flags;
io.pfrio_table = *tbl;
io.pfrio_buffer = addr;
io.pfrio_esize = sizeof(*addr);
io.pfrio_size = size;
if (ioctl(dev, DIOCRCLRASTATS, &io))
return (-1);
if (nzero != NULL)
*nzero = io.pfrio_nzero;
return (0);
}
int
pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
{
@ -343,32 +323,6 @@ pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
return (0);
}
int
pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag,
int *nchange, int *ndel, int flags)
{
struct pfioc_table io;
if (size < 0 || (size && !tbl)) {
errno = EINVAL;
return (-1);
}
bzero(&io, sizeof io);
io.pfrio_flags = flags;
io.pfrio_buffer = tbl;
io.pfrio_esize = sizeof(*tbl);
io.pfrio_size = size;
io.pfrio_setflag = setflag;
io.pfrio_clrflag = clrflag;
if (ioctl(dev, DIOCRSETTFLAGS, &io))
return (-1);
if (nchange)
*nchange = io.pfrio_nchange;
if (ndel)
*ndel = io.pfrio_ndel;
return (0);
}
int
pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
int *nmatch, int flags)


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_table.c,v 1.66 2007/03/01 17:20:54 deraadt Exp $ */
/* $OpenBSD: pfctl_table.c,v 1.67 2008/06/10 20:55:02 mcbride Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@ -275,12 +275,14 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
if (b.pfrb_size <= b.pfrb_msize)
break;
}
PFRB_FOREACH(p, &b)
PFRB_FOREACH(p, &b) {
((struct pfr_astats *)p)->pfras_a.pfra_fback = 0;
if (time(NULL) - ((struct pfr_astats *)p)->pfras_tzero >
lifetime)
lifetime)
if (pfr_buf_add(&b2,
&((struct pfr_astats *)p)->pfras_a))
err(1, "duplicate buffer");
}
if (opts & PF_OPT_VERBOSE)
flags |= PFR_FLAG_FEEDBACK;
@ -367,13 +369,14 @@ print_table(struct pfr_table *ta, int verbose, int debug)
if (!debug && !(ta->pfrt_flags & PFR_TFLAG_ACTIVE))
return;
if (verbose) {
printf("%c%c%c%c%c%c\t%s",
printf("%c%c%c%c%c%c%c\t%s",
(ta->pfrt_flags & PFR_TFLAG_CONST) ? 'c' : '-',
(ta->pfrt_flags & PFR_TFLAG_PERSIST) ? 'p' : '-',
(ta->pfrt_flags & PFR_TFLAG_ACTIVE) ? 'a' : '-',
(ta->pfrt_flags & PFR_TFLAG_INACTIVE) ? 'i' : '-',
(ta->pfrt_flags & PFR_TFLAG_REFERENCED) ? 'r' : '-',
(ta->pfrt_flags & PFR_TFLAG_REFDANCHOR) ? 'h' : '-',
(ta->pfrt_flags & PFR_TFLAG_COUNTERS) ? 'C' : '-',
ta->pfrt_name);
if (ta->pfrt_anchor[0])
printf("\t%s", ta->pfrt_anchor);
@ -428,7 +431,7 @@ void
print_addrx(struct pfr_addr *ad, struct pfr_addr *rad, int dns)
{
char ch, buf[256] = "{error}";
char fb[] = { ' ', 'M', 'A', 'D', 'C', 'Z', 'X', ' ', 'Y' };
char fb[] = { ' ', 'M', 'A', 'D', 'C', 'Z', 'X', ' ', 'Y', ' ' };
unsigned int fback, hostnet;
fback = (rad != NULL) ? rad->pfra_fback : ad->pfra_fback;
@ -477,6 +480,8 @@ print_astats(struct pfr_astats *as, int dns)
print_addrx(&as->pfras_a, NULL, dns);
printf("\tCleared: %s", ctime(&time));
if (as->pfras_a.pfra_fback == PFR_FB_NOCOUNT)
return;
for (dir = 0; dir < PFR_DIR_MAX; dir++)
for (op = 0; op < PFR_OP_ADDR_MAX; op++)
printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
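Review bot: The braced PFRB_FOREACH loop in pfctl_table calls `time(NULL)` once per table entry; the value is loop-invariant and a table can hold many addresses, so take it once before the loop, `time_t now = time(NULL);`, and compare `now - ((struct pfr_astats *)p)->pfras_tzero > lifetime`. Separately, extending `fb[]` in print_addrx to ten entries only helps if the index `fback` is range-checked against the array size before use; that check is outside this hunk, so confirm it exists rather than relying on the feedback enum and the array staying in step by hand. pfctl_table starts outside the hunk.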


@ -1,4 +1,4 @@
.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
.\" $OpenBSD: pflogd.8,v 1.37 2008/10/22 08:16:49 henning Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd July 9, 2001
.Dd October 22 2008
.Dt PFLOGD 8
.Os
.Sh NAME
@ -34,12 +34,14 @@
.Nd packet filter logging daemon
.Sh SYNOPSIS
.Nm pflogd
.Bk -words
.Op Fl Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl i Ar interface
.Op Fl s Ar snaplen
.Op Ar expression
.Ek
.Sh DESCRIPTION
.Nm
is a background daemon which reads packets logged by
@ -94,6 +96,13 @@ or a
.Dv SIGALRM
is received.
.Pp
.Nm
will also log the pcap statistics for the
.Xr pflog 4
interface to syslog when a
.Dv SIGUSR1
is received.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D
@ -116,6 +125,11 @@ By default,
.Nm
will use
.Ar pflog0 .
Writes a file containing the process ID of the program to
.Pa /var/run .
The file name has the form
The default is
.Ar pflogd .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen
@ -204,12 +218,12 @@ the wi0 interface:
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pcap 3 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pf.conf 5 ,
.Xr newsyslog 8
.Xr newsyslog 8 ,
.Xr tcpdump 1
.Sh HISTORY
The
.Nm


@ -1,4 +1,4 @@
/* $OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $ */
/* $OpenBSD: pflogd.c,v 1.46 2008/10/22 08:16:49 henning Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@ -37,9 +37,8 @@ __FBSDID("$FreeBSD$");
#include <sys/ioctl.h>
#include <sys/file.h>
#include <sys/stat.h>
#ifdef __FreeBSD__
#include <net/bpf.h> /* BIOCLOCK */
#endif
#include <sys/socket.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -48,15 +47,16 @@ __FBSDID("$FreeBSD$");
#include <pcap.h>
#include <syslog.h>
#include <signal.h>
#include <err.h>
#include <errno.h>
#include <stdarg.h>
#include <fcntl.h>
#ifdef __FreeBSD__
#include <ifaddrs.h>
#include "pidfile.h"
#else
#include <util.h>
#endif
#include "pflogd.h"
pcap_t *hpcap;
@ -66,7 +66,7 @@ int Debug = 0;
static int snaplen = DEF_SNAPLEN;
static int cur_snaplen = DEF_SNAPLEN;
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
char *filename = PFLOGD_LOG_FILE;
char *interface = PFLOGD_DEFAULT_IF;
@ -80,7 +80,9 @@ unsigned int delay = FLUSH_DELAY;
char *copy_argv(char * const *);
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
void log_pcap_stats(void);
int flush_buffer(FILE *);
int if_exists(char *);
int init_pcap(void);
void logmsg(int, const char *, ...);
void purge_buffer(void);
@ -89,6 +91,7 @@ int scan_dump(FILE *, off_t);
int set_snaplen(int);
void set_suspended(int);
void sig_alrm(int);
void sig_usr1(int);
void sig_close(int);
void sig_hup(int);
void usage(void);
@ -166,8 +169,8 @@ __dead void
usage(void)
{
fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
fprintf(stderr, " [-i interface] [-s snaplen]\n");
fprintf(stderr, " [expression]\n");
fprintf(stderr, " [-i interface] [-p pidfile]\n");
fprintf(stderr, " [-s snaplen] [expression]\n");
exit(1);
}
@ -189,6 +192,12 @@ sig_alrm(int sig)
gotsig_alrm = 1;
}
void
sig_usr1(int sig)
{
gotsig_usr1 = 1;
}
void
set_pcap_filter(void)
{
@ -203,6 +212,51 @@ set_pcap_filter(void)
}
}
int
if_exists(char *ifname)
{
#ifdef __FreeBSD__
struct ifaddrs *ifdata, *mb;
int exists = 0;
getifaddrs(&ifdata);
if (ifdata == NULL)
return (0);
for (mb = ifdata; mb != NULL; mb = mb->ifa_next) {
if (mb == NULL)
continue;
if (strlen(ifname) != strlen(mb->ifa_name))
continue;
if (strncmp(ifname, mb->ifa_name, strlen(ifname)) != 0)
continue;
exists = 1;
break;
}
freeifaddrs(ifdata);
return (exists);
#else
int s;
struct ifreq ifr;
struct if_data ifrdat;
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
err(1, "socket");
bzero(&ifr, sizeof(ifr));
if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
sizeof(ifr.ifr_name))
errx(1, "main ifr_name: strlcpy");
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
return (0);
if (close(s))
err(1, "close");
return (1);
#endif
}
int
init_pcap(void)
{
@ -554,10 +608,10 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
append:
append:
#ifdef __FreeBSD__
sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
sh.caplen = h->caplen;
sh.len = h->len;
@ -575,17 +629,31 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
void
log_pcap_stats(void)
{
struct pcap_stat pstat;
if (pcap_stats(hpcap, &pstat) < 0)
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
else
logmsg(LOG_NOTICE,
"%u packets received, %u/%u dropped (kernel/pflogd)",
pstat.ps_recv, pstat.ps_drop, packets_dropped);
}
int
main(int argc, char **argv)
{
struct pcap_stat pstat;
int ch, np, Xflag = 0;
int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
char *pidf = NULL;
ret = 0;
closefrom(STDERR_FILENO + 1);
while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
while ((ch = getopt(argc, argv, "Dxd:f:i:p:s:")) != -1) {
switch (ch) {
case 'D':
Debug = 1;
@ -601,6 +669,9 @@ main(int argc, char **argv)
case 'i':
interface = optarg;
break;
case 'p':
pidf = optarg;
break;
case 's':
snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
&errstr);
@ -622,13 +693,21 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
/* does interface exist */
if (!if_exists(interface)) {
warn("Failed to initialize: %s", interface);
logmsg(LOG_ERR, "Failed to initialize: %s", interface);
logmsg(LOG_ERR, "Exiting, init failure");
exit(1);
}
if (!Debug) {
openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
if (daemon(0, 0)) {
logmsg(LOG_WARNING, "Failed to become daemon: %s",
strerror(errno));
}
pidfile(NULL);
pidfile(pidf);
}
tzset();
@ -659,6 +738,7 @@ main(int argc, char **argv)
signal(SIGINT, sig_close);
signal(SIGQUIT, sig_close);
signal(SIGALRM, sig_alrm);
signal(SIGUSR1, sig_usr1);
signal(SIGHUP, sig_hup);
alarm(delay);
@ -686,13 +766,12 @@ main(int argc, char **argv)
np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
phandler, (u_char *)dpcap);
if (np < 0) {
#ifdef __FreeBSD__
if (errno == ENXIO) {
logmsg(LOG_ERR,
"Device not/no longer configured");
if (!if_exists(interface) == -1) {
logmsg(LOG_NOTICE, "interface %s went away",
interface);
ret = -1;
break;
}
#endif
logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
}
@ -715,6 +794,11 @@ main(int argc, char **argv)
gotsig_alrm = 0;
alarm(delay);
}
if (gotsig_usr1) {
log_pcap_stats();
gotsig_usr1 = 0;
}
}
logmsg(LOG_NOTICE, "Exiting");
@ -724,15 +808,9 @@ main(int argc, char **argv)
}
purge_buffer();
if (pcap_stats(hpcap, &pstat) < 0)
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
else
logmsg(LOG_NOTICE,
"%u packets received, %u/%u dropped (kernel/pflogd)",
pstat.ps_recv, pstat.ps_drop, packets_dropped);
log_pcap_stats();
pcap_close(hpcap);
if (!Debug)
closelog();
return (0);
return (ret);
}
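Review bot: `if (!if_exists(interface) == -1)` in the pcap_dispatch error path of main can never be true, because `!if_exists(...)` yields 0 or 1, so the new "interface went away" exit is dead code and the daemon keeps looping on a vanished interface; it should read `if (!if_exists(interface)) {`. In the `__FreeBSD__` branch of if_exists the return value of `getifaddrs(&ifdata)` is discarded and `ifdata`, which is never initialized, is then tested; `if (getifaddrs(&ifdata) == -1) return (0);` handles the failure without reading an indeterminate pointer, and the `if (mb == NULL) continue;` inside the loop is unreachable given the loop condition. The `#else` branch returns 0 on ioctl failure without closing `s`, leaking the descriptor on the non-FreeBSD build. The startup check reports failure with `warn(...)`, which appends `strerror(errno)` even though if_exists's not-found path does not set errno, so the message may carry an unrelated error string; `warnx` avoids that. main starts outside the hunks.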


@ -23,6 +23,7 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/bpf.h>
@ -31,20 +32,13 @@ __FBSDID("$FreeBSD$");
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#ifndef __FreeBSD__
#include <pcap.h>
#include <pcap-int.h>
#endif
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __FreeBSD__
/* XXX: pcap pollutes namespace with strlcpy if not present previously */
#include <pcap.h>
#include <pcap-int.h>
#endif
#include <syslog.h>
#include <unistd.h>
#include "pflogd.h"


@ -1,4 +1,4 @@
/* $OpenBSD: privsep_fdpass.c,v 1.2 2004/08/13 02:51:48 djm Exp $ */
/* $OpenBSD: privsep_fdpass.c,v 1.5 2008/03/24 16:11:08 deraadt Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@ -50,7 +50,10 @@ void
send_fd(int sock, int fd)
{
struct msghdr msg;
char tmp[CMSG_SPACE(sizeof(int))];
union {
struct cmsghdr hdr;
char buf[CMSG_SPACE(sizeof(int))];
} cmsgbuf;
struct cmsghdr *cmsg;
struct iovec vec;
int result = 0;
@ -59,8 +62,8 @@ send_fd(int sock, int fd)
memset(&msg, 0, sizeof(msg));
if (fd >= 0) {
msg.msg_control = (caddr_t)tmp;
msg.msg_controllen = CMSG_LEN(sizeof(int));
msg.msg_control = (caddr_t)&cmsgbuf.buf;
msg.msg_controllen = sizeof(cmsgbuf.buf);
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
cmsg->cmsg_level = SOL_SOCKET;
@ -86,7 +89,10 @@ int
receive_fd(int sock)
{
struct msghdr msg;
char tmp[CMSG_SPACE(sizeof(int))];
union {
struct cmsghdr hdr;
char buf[CMSG_SPACE(sizeof(int))];
} cmsgbuf;
struct cmsghdr *cmsg;
struct iovec vec;
ssize_t n;
@ -98,8 +104,8 @@ receive_fd(int sock)
vec.iov_len = sizeof(int);
msg.msg_iov = &vec;
msg.msg_iovlen = 1;
msg.msg_control = tmp;
msg.msg_controllen = sizeof(tmp);
msg.msg_control = &cmsgbuf.buf;
msg.msg_controllen = sizeof(cmsgbuf.buf);
if ((n = recvmsg(sock, &msg, 0)) == -1)
warn("%s: recvmsg", __func__);
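Review bot: The union that replaces `char tmp[CMSG_SPACE(sizeof(int))]` in both `send_fd` and `receive_fd` is there to give the control buffer `struct cmsghdr` alignment, which a bare char array does not guarantee, but neither declaration says so. A comment on each union, `/* union aligns the control buffer for struct cmsghdr */`, would keep a later cleanup from turning it back into a plain array. In `receive_fd` the code after `recvmsg` that is expected to check `cmsg_len` and `cmsg_type` before extracting the descriptor lies outside the hunk, so I cannot tell from here whether that validation is present; both functions continue past the visible lines.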


@ -1618,7 +1618,7 @@ gethostinfo(register char *hostname)
register char **p;
register u_int32_t addr, *ap;
if (strlen(hostname) > 64) {
if (strlen(hostname) >= MAXHOSTNAMELEN) {
Fprintf(stderr, "%s: hostname \"%.32s...\" is too long\n",
prog, hostname);
exit(1);


@ -1,5 +1,5 @@
# <pre>
# @(#)antarctica 8.8
# @(#)antarctica 8.9
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
@ -19,18 +19,6 @@
# I made up all time zone abbreviations mentioned here; corrections welcome!
# FORMAT is `zzz' and GMTOFF is 0 for locations while uninhabited.
# These rules are stolen from the `europe' file.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule RussAQ 1981 1984 - Apr 1 0:00 1:00 S
Rule RussAQ 1981 1983 - Oct 1 0:00 0 -
Rule RussAQ 1984 1991 - Sep lastSun 2:00s 0 -
Rule RussAQ 1985 1991 - Mar lastSun 2:00s 1:00 S
Rule RussAQ 1992 only - Mar lastSat 23:00 1:00 S
Rule RussAQ 1992 only - Sep lastSat 23:00 0 -
Rule RussAQ 1993 max - Mar lastSun 2:00s 1:00 S
Rule RussAQ 1993 1995 - Sep lastSun 2:00s 0 -
Rule RussAQ 1996 max - Oct lastSun 2:00s 0 -
# These rules are stolen from the `southamerica' file.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule ArgAQ 1964 1966 - Mar 1 0:00 0 -


@ -1,4 +1,4 @@
# @(#)asia 8.64
# @(#)asia 8.65
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
@ -77,6 +77,10 @@ Rule RussiaAsia 1993 max - Mar lastSun 2:00s 1:00 S
Rule RussiaAsia 1993 1995 - Sep lastSun 2:00s 0 -
Rule RussiaAsia 1996 max - Oct lastSun 2:00s 0 -
# From Arthur David Olson (2011-06-15):
# While Russia abandoned DST in 2011, Armenia may choose to
# follow Russia's "old" rules.
# Afghanistan
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Asia/Kabul 4:36:48 - LMT 1890


@ -1,5 +1,5 @@
# <pre>
# @(#)europe 8.32
# @(#)europe 8.33
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
@ -565,6 +565,26 @@ Rule Russia 1993 max - Mar lastSun 2:00s 1:00 S
Rule Russia 1993 1995 - Sep lastSun 2:00s 0 -
Rule Russia 1996 max - Oct lastSun 2:00s 0 -
# From Alexander Krivenyshev (2011-06-14):
# According to Kremlin press service, Russian President Dmitry Medvedev
# signed a federal law "On calculation of time" on June 9, 2011.
# According to the law Russia is abolishing daylight saving time.
#
# Medvedev signed a law "On the Calculation of Time" (in russian):
# <a href="http://bmockbe.ru/events/?ID=7583">
# http://bmockbe.ru/events/?ID=7583
# </a>
#
# Medvedev signed a law on the calculation of the time (in russian):
# <a href="http://www.regnum.ru/news/polit/1413906.html">
# http://www.regnum.ru/news/polit/1413906.html
# </a>
# From Arthur David Olson (2011-06-15):
# Take "abolishing daylight saving time" to mean that time is now considered
# to be standard.
# At least for now, keep the "old" Russia rules for the benefit of Belarus.
# These are for backward compatibility with older versions.
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@ -2013,7 +2033,8 @@ Zone Europe/Kaliningrad 1:22:00 - LMT 1893 Apr
1:00 C-Eur CE%sT 1945
2:00 Poland CE%sT 1946
3:00 Russia MSK/MSD 1991 Mar 31 2:00s
2:00 Russia EE%sT
2:00 Russia EE%sT 2011 Mar 27 2:00s
3:00 - EET
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
# Respublika Adygeya, Arkhangel'skaya oblast',
@ -2042,7 +2063,8 @@ Zone Europe/Moscow 2:30:20 - LMT 1880
2:00 - EET 1930 Jun 21
3:00 Russia MSK/MSD 1991 Mar 31 2:00s
2:00 Russia EE%sT 1992 Jan 19 2:00s
3:00 Russia MSK/MSD
3:00 Russia MSK/MSD 2011 Mar 27 2:00s
4:00 - MSK
#
# Astrakhanskaya oblast', Kirovskaya oblast', Saratovskaya oblast',
# Volgogradskaya oblast'. Shanks & Pottenger say Kirov is still at +0400
@ -2055,7 +2077,8 @@ Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3
4:00 Russia VOL%sT 1989 Mar 26 2:00s # Volgograd T
3:00 Russia VOL%sT 1991 Mar 31 2:00s
4:00 - VOLT 1992 Mar 29 2:00s
3:00 Russia VOL%sT
3:00 Russia VOL%sT 2011 Mar 27 2:00s
4:00 - VOLT
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
# Samarskaya oblast', Udmyrtskaya respublika
@ -2067,7 +2090,8 @@ Zone Europe/Samara 3:20:36 - LMT 1919 Jul 1 2:00
2:00 Russia KUY%sT 1991 Sep 29 2:00s
3:00 - KUYT 1991 Oct 20 3:00
4:00 Russia SAM%sT 2010 Mar 28 2:00s # Samara Time
3:00 Russia SAM%sT
3:00 Russia SAM%sT 2011 Mar 27 2:00s
4:00 - SAMT
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
@ -2080,7 +2104,8 @@ Zone Asia/Yekaterinburg 4:02:24 - LMT 1919 Jul 15 4:00
4:00 - SVET 1930 Jun 21 # Sverdlovsk Time
5:00 Russia SVE%sT 1991 Mar 31 2:00s
4:00 Russia SVE%sT 1992 Jan 19 2:00s
5:00 Russia YEK%sT # Yekaterinburg Time
5:00 Russia YEK%sT 2011 Mar 27 2:00s
6:00 - YEKT # Yekaterinburg Time
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
# Respublika Altaj, Altajskij kraj, Omskaya oblast'.
@ -2088,7 +2113,8 @@ Zone Asia/Omsk 4:53:36 - LMT 1919 Nov 14
5:00 - OMST 1930 Jun 21 # Omsk TIme
6:00 Russia OMS%sT 1991 Mar 31 2:00s
5:00 Russia OMS%sT 1992 Jan 19 2:00s
6:00 Russia OMS%sT
6:00 Russia OMS%sT 2011 Mar 27 2:00s
7:00 - OMST
#
# From Paul Eggert (2006-08-19): I'm guessing about Tomsk here; it's
# not clear when it switched from +7 to +6.
@ -2098,7 +2124,8 @@ Zone Asia/Novosibirsk 5:31:40 - LMT 1919 Dec 14 6:00
7:00 Russia NOV%sT 1991 Mar 31 2:00s
6:00 Russia NOV%sT 1992 Jan 19 2:00s
7:00 Russia NOV%sT 1993 May 23 # say Shanks & P.
6:00 Russia NOV%sT
6:00 Russia NOV%sT 2011 Mar 27 2:00s
7:00 - NOVT
# From Alexander Krivenyshev (2009-10-13):
# Kemerovo oblast' (Kemerovo region) in Russia will change current time zone on
@ -2131,7 +2158,8 @@ Zone Asia/Novokuznetsk 5:48:48 - NMT 1920 Jan 6
7:00 Russia KRA%sT 1991 Mar 31 2:00s
6:00 Russia KRA%sT 1992 Jan 19 2:00s
7:00 Russia KRA%sT 2010 Mar 28 2:00s
6:00 Russia NOV%sT # Novosibirsk/Novokuznetsk Time
6:00 Russia NOV%sT 2011 Mar 27 2:00s
7:00 - NOVT # Novosibirsk/Novokuznetsk Time
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
@ -2142,7 +2170,8 @@ Zone Asia/Krasnoyarsk 6:11:20 - LMT 1920 Jan 6
6:00 - KRAT 1930 Jun 21 # Krasnoyarsk Time
7:00 Russia KRA%sT 1991 Mar 31 2:00s
6:00 Russia KRA%sT 1992 Jan 19 2:00s
7:00 Russia KRA%sT
7:00 Russia KRA%sT 2011 Mar 27 2:00s
8:00 - KRAT
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
# Respublika Buryatiya, Irkutskaya oblast',
@ -2152,7 +2181,8 @@ Zone Asia/Irkutsk 6:57:20 - LMT 1880
7:00 - IRKT 1930 Jun 21 # Irkutsk Time
8:00 Russia IRK%sT 1991 Mar 31 2:00s
7:00 Russia IRK%sT 1992 Jan 19 2:00s
8:00 Russia IRK%sT
8:00 Russia IRK%sT 2011 Mar 27 2:00s
9:00 - IRKT
#
# From Oscar van Vlijmen (2003-10-18): [This region consists of]
# Aginskij Buryatskij avtonomnyj okrug, Amurskaya oblast',
@ -2175,7 +2205,8 @@ Zone Asia/Yakutsk 8:38:40 - LMT 1919 Dec 15
8:00 - YAKT 1930 Jun 21 # Yakutsk Time
9:00 Russia YAK%sT 1991 Mar 31 2:00s
8:00 Russia YAK%sT 1992 Jan 19 2:00s
9:00 Russia YAK%sT
9:00 Russia YAK%sT 2011 Mar 27 2:00s
10:00 - YAKT
#
# From Oscar van Vlijmen (2003-10-18): [This region consists of]
# Evrejskaya avtonomnaya oblast', Khabarovskij kraj, Primorskij kraj,
@ -2188,7 +2219,8 @@ Zone Asia/Vladivostok 8:47:44 - LMT 1922 Nov 15
9:00 - VLAT 1930 Jun 21 # Vladivostok Time
10:00 Russia VLA%sT 1991 Mar 31 2:00s
9:00 Russia VLA%sST 1992 Jan 19 2:00s
10:00 Russia VLA%sT
10:00 Russia VLA%sT 2011 Mar 27 2:00s
11:00 - VLAT
#
# Sakhalinskaya oblast'.
# The Zone name should be Yuzhno-Sakhalinsk, but that's too long.
@ -2198,7 +2230,8 @@ Zone Asia/Sakhalin 9:30:48 - LMT 1905 Aug 23
11:00 Russia SAK%sT 1991 Mar 31 2:00s # Sakhalin T.
10:00 Russia SAK%sT 1992 Jan 19 2:00s
11:00 Russia SAK%sT 1997 Mar lastSun 2:00s
10:00 Russia SAK%sT
10:00 Russia SAK%sT 2011 Mar 27 2:00s
11:00 - SAKT
#
# From Oscar van Vlijmen (2003-10-18): [This region consists of]
# Magadanskaya oblast', Respublika Sakha (Yakutiya).
@ -2211,7 +2244,8 @@ Zone Asia/Magadan 10:03:12 - LMT 1924 May 2
10:00 - MAGT 1930 Jun 21 # Magadan Time
11:00 Russia MAG%sT 1991 Mar 31 2:00s
10:00 Russia MAG%sT 1992 Jan 19 2:00s
11:00 Russia MAG%sT
11:00 Russia MAG%sT 2011 Mar 27 2:00s
12:00 - MAGT
#
# From Oscar van Vlijmen (2001-08-25): [This region consists of]
# Kamchatskaya oblast', Koryakskij avtonomnyj okrug.
@ -2222,7 +2256,8 @@ Zone Asia/Kamchatka 10:34:36 - LMT 1922 Nov 10
12:00 Russia PET%sT 1991 Mar 31 2:00s
11:00 Russia PET%sT 1992 Jan 19 2:00s
12:00 Russia PET%sT 2010 Mar 28 2:00s
11:00 Russia PET%sT
11:00 Russia PET%sT 2011 Mar 27 2:00s
12:00 - PETT
#
# Chukotskij avtonomnyj okrug
Zone Asia/Anadyr 11:49:56 - LMT 1924 May 2
@ -2231,7 +2266,8 @@ Zone Asia/Anadyr 11:49:56 - LMT 1924 May 2
12:00 Russia ANA%sT 1991 Mar 31 2:00s
11:00 Russia ANA%sT 1992 Jan 19 2:00s
12:00 Russia ANA%sT 2010 Mar 28 2:00s
11:00 Russia ANA%sT
11:00 Russia ANA%sT 2011 Mar 27 2:00s
12:00 - ANAT
# Serbia
# Zone NAME GMTOFF RULES FORMAT [UNTIL]


@ -1,5 +1,5 @@
# <pre>
# @(#)southamerica 8.49
# @(#)southamerica 8.50
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
@ -1276,6 +1276,14 @@ Zone America/Curacao -4:35:44 - LMT 1912 Feb 12 # Willemstad
-4:30 - ANT 1965 # Netherlands Antilles Time
-4:00 - AST
# From Arthur David Olson (2011-06-15):
# At least for now, use links for places with new iso3166 codes.
# The name "Lower Prince's Quarter" is both longer than fourteen charaters
# and contains an apostrophe; use "Lower_Princes" below.
Link America/Curacao America/Lower_Princes # Sint Maarten
Link America/Curacao America/Kralendijk # Bonaire, Sint Estatius and Saba
# Ecuador
#
# From Paul Eggert (2007-03-04):


@ -1,5 +1,5 @@
# <pre>
# @(#)zone.tab 8.43
# @(#)zone.tab 8.45
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
#
@ -32,7 +32,6 @@ AG +1703-06148 America/Antigua
AI +1812-06304 America/Anguilla
AL +4120+01950 Europe/Tirane
AM +4011+04430 Asia/Yerevan
AN +1211-06900 America/Curacao
AO -0848+01314 Africa/Luanda
AQ -7750+16636 Antarctica/McMurdo McMurdo Station, Ross Island
AQ -9000+00000 Antarctica/South_Pole Amundsen-Scott Station, South Pole
@ -87,6 +86,7 @@ BL +1753-06251 America/St_Barthelemy
BM +3217-06446 Atlantic/Bermuda
BN +0456+11455 Asia/Brunei
BO -1630-06809 America/La_Paz
BQ +120903-0681636 America/Kralendijk
BR -0351-03225 America/Noronha Atlantic islands
BR -0127-04829 America/Belem Amapa, E Para
BR -0343-03830 America/Fortaleza NE Brazil (MA, PI, CE, RN, PB)
@ -155,6 +155,7 @@ CO +0436-07405 America/Bogota
CR +0956-08405 America/Costa_Rica
CU +2308-08222 America/Havana
CV +1455-02331 Atlantic/Cape_Verde
CW +1211-06900 America/Curacao
CX -1025+10543 Indian/Christmas
CY +3510+03322 Asia/Nicosia
CZ +5005+01426 Europe/Prague
@ -362,6 +363,7 @@ SO +0204+04522 Africa/Mogadishu
SR +0550-05510 America/Paramaribo
ST +0020+00644 Africa/Sao_Tome
SV +1342-08912 America/El_Salvador
SX +180305-0630250 America/Lower_Princes
SY +3330+03618 Asia/Damascus
SZ -2618+03106 Africa/Mbabane
TC +2128-07108 America/Grand_Turk


@ -1,6 +1,6 @@
# $FreeBSD$
FILES= asus.conf uath.conf
FILES= asus.conf uath.conf usb.conf
NO_OBJ=
FILESDIR= /etc/devd


@ -3,13 +3,13 @@
# Atheros USB wireless network device specific devd events
# Accton
# SMCWUSB-G and SMCWUSBT-G2
# SMCWUSBT-G2
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "ATTACH";
match "vendor" "0x083a";
match "product" "(0x4505|0x4507)";
match "product" "0x4507";
action "/usr/sbin/uathload -d /dev/$cdev";
};

4267
etc/devd/usb.conf Normal file



@ -94,7 +94,7 @@ ifconfig_up()
# ifconfig_IF
ifconfig_args=`ifconfig_getargs $1`
if [ -n "${ifconfig_args}" ]; then
ifconfig $1 ${ifconfig_args}
eval ifconfig $1 ${ifconfig_args}
_cfg=0
fi
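Review bot: The new `eval` on the `ifconfig` line re-parses `${ifconfig_args}` through the shell, so quotes, `;`, backticks and `$(...)` inside an `ifconfig_IF` value are now interpreted rather than passed to `ifconfig` as literal words. The value comes from rc.conf, which is root-owned, so the exposure is to mis-quoted configuration rather than untrusted input, but the reason for the `eval` (presumably to let quoted multi-word arguments returned by `ifconfig_getargs` survive as single arguments) is not recorded. A comment above the line, `# eval so that quoted words in ifconfig_IF are kept as single arguments`, would explain the intent and the new quoting rules to the next editor. `ifconfig_up()` begins outside the hunk.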


@ -14,7 +14,8 @@
. /etc/rc.subr
name="netwait"
rc_var=`set_rcvar`
rcvar=`set_rcvar`
start_cmd="${name}_start"
stop_cmd=":"


@ -14,6 +14,7 @@
name="quota"
rcvar=`set_rcvar`
load_rc_config $name
start_cmd="quota_start"
stop_cmd="/usr/sbin/quotaoff ${quotaoff_flags}"
@ -30,5 +31,4 @@ quota_start()
echo ' done.'
}
load_rc_config $name
run_rc_command "$1"
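Review bot: Moving `load_rc_config $name` above the `stop_cmd` assignment is what makes `${quotaoff_flags}` expand to the configured value, because the assignment expands at definition time, yet that ordering dependency is stated nowhere in the script. Add `# load_rc_config must run before stop_cmd so that ${quotaoff_flags} is set` above the moved line so a later tidy-up does not put the call back at the bottom.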


@ -83,7 +83,7 @@
<flags>IEEE80211_CHAN_HT20</flags>
</band>
<band>
<freqband ref="F1_2412_2462"/>
<freqband ref="H4_2412_2462"/>
<maxpower>30</maxpower>
<flags>IEEE80211_CHAN_G</flags>
<flags>IEEE80211_CHAN_HT40</flags>
@ -96,7 +96,7 @@
<flags>IEEE80211_CHAN_HT20</flags>
</band>
<band>
<freqband ref="F1_5180_5240"/>
<freqband ref="H4_5180_5240"/>
<maxpower>17</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
</band>
@ -106,7 +106,7 @@
<flags>IEEE80211_CHAN_HT20</flags>
</band>
<band>
<freqband ref="F1_5745_5805"/>
<freqband ref="H4_5745_5805"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
</band>
@ -137,6 +137,24 @@
<freqband ref="F1_5180_5240"/>
<maxpower>17</maxpower>
</band>
<band>
<freqband ref="F1_5260_5320"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5500_5580"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5660_5700"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5745_5805"/>
<maxpower>23</maxpower>
@ -175,6 +193,48 @@
<maxpower>17</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
</band>
<band>
<freqband ref="F1_5260_5320"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT20</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="H4_5260_5320"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5500_5580"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT20</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="H4_5500_5580"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5660_5700"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT20</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="H4_5660_5700"/>
<maxpower>23</maxpower>
<flags>IEEE80211_CHAN_HT40</flags>
<flags>IEEE80211_CHAN_PASSIVE</flags>
<flags>IEEE80211_CHAN_DFS</flags>
</band>
<band>
<freqband ref="F1_5745_5805"/>
<maxpower>23</maxpower>
@ -231,7 +291,7 @@
<flags>IEEE80211_CHAN_HT20</flags>
</band>
<band>
<freqband ref="F1_2412_2462"/>
<freqband ref="H4_2412_2462"/>
<maxpower>30</maxpower>
<flags>IEEE80211_CHAN_G</flags>
<flags>IEEE80211_CHAN_HT40</flags>
@ -321,9 +381,9 @@
<sku>0x30</sku>
<netband mode="11b">
<band>
<freqband ref="F1_2412_2472"/>
<maxpower>30</maxpower>
<flags>IEEE80211_CHAN_B</flags>
<freqband ref="F1_2412_2472"/>
<maxpower>30</maxpower>
<flags>IEEE80211_CHAN_B</flags>
</band>
</netband>
<netband mode="11g">
@ -1624,6 +1684,16 @@
<chanwidth>40</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="F1_5500_5580">
<freqstart>5500</freqstart> <freqend>5580</freqend>
<chanwidth>20</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="H4_5500_5580">
<freqstart>5500</freqstart> <freqend>5580</freqend>
<chanwidth>40</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="F1_5500_5620">
<freqstart>5500</freqstart> <freqend>5620</freqend>
<chanwidth>20</chanwidth> <chansep>20</chansep>
@ -1644,6 +1714,16 @@
<chanwidth>20</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="F1_5660_5700">
<freqstart>5660</freqstart> <freqend>5700</freqend>
<chanwidth>20</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="H4_5660_5700">
<freqstart>5660</freqstart> <freqend>5700</freqend>
<chanwidth>40</chanwidth> <chansep>20</chansep>
<flags>IEEE80211_CHAN_A</flags>
</freqband>
<freqband id="H4_5725_5825">
<freqstart>5725</freqstart> <freqend>5825</freqend>
<chanwidth>40</chanwidth> <chansep>20</chansep>


@ -1,6 +1,6 @@
# $FreeBSD$
SUBDIR= doc tools lib libexec usr.bin usr.sbin
SUBDIR= doc lib libexec usr.bin usr.sbin
# These are the programs which depend on Kerberos.
KPROGS= lib/libpam \


@ -4,15 +4,14 @@
SRCS= crt1.c crti.S crtn.S
OBJS= ${SRCS:N*.h:R:S/$/.o/g}
OBJS+= gcrt1.o
CFLAGS+= -Wall -Wno-unused \
-I${.CURDIR}/../common \
OBJS+= Scrt1.o gcrt1.o
CFLAGS+= -I${.CURDIR}/../common \
-I${.CURDIR}/../../libc/include
all: ${OBJS}
CLEANFILES= ${OBJS}
CLEANFILES+= crt1.s gcrt1.s
CLEANFILES+= crt1.s gcrt1.s Scrt1.s
# See the comment in lib/csu/common/crtbrand.c for the reason crt1.c is not
# directly compiled to .o files.
@ -31,6 +30,13 @@ gcrt1.s: crt1.c
gcrt1.o: gcrt1.s
${CC} ${CFLAGS} -c -o ${.TARGET} gcrt1.s
Scrt1.s: crt1.c
${CC} ${CFLAGS} -fPIC -DPIC -S -o ${.TARGET} ${.CURDIR}/crt1.c
sed -i "" -e '/\.note\.ABI-tag/s/progbits/note/' ${.TARGET}
Scrt1.o: Scrt1.s
${CC} ${CFLAGS} -c -o ${.TARGET} Scrt1.s
realinstall:
${INSTALL} -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \
${OBJS} ${DESTDIR}${LIBDIR}


@ -175,7 +175,7 @@ prefix, corresponding with the device used to facilitate the user login
session.
If no TTY character device is used, this field is left blank.
This field is only applicable to entries of type
.Dv USER_PROCESS
.Dv USER_PROCESS
and
.Dv LOGIN_PROCESS .
.It Fa ut_host
@ -473,7 +473,7 @@ are extensions.
.Sh HISTORY
These functions appeared in
.Fx 9.0 .
They replaced the
They replaced the
.In utmp.h
interface.
.Sh AUTHORS


@ -167,7 +167,7 @@ group IDs for the child process are changed as specified in the
attributes object referenced by
.Fa attrp .
.It
The file actions specified by the spawn file actions object are
The file actions specified by the spawn file actions object are
performed in the order in which they were added to the spawn file
actions object.
.It


@ -182,7 +182,7 @@ process_file_actions(const posix_spawn_file_actions_t fa)
if (error)
return (error);
}
return (0);
return (0);
}
static int
@ -193,7 +193,7 @@ do_posix_spawn(pid_t *pid, const char *path,
{
pid_t p;
volatile int error = 0;
p = vfork();
switch (p) {
case -1:


@ -57,7 +57,7 @@ futx_open(const char *file)
errno = EFTYPE;
return (NULL);
}
fp = fdopen(fd, "r+");
if (fp == NULL) {
_close(fd);
@ -103,7 +103,7 @@ utx_active_add(const struct futx *fu)
/* Allow us to overwrite unused records. */
if (partial == -1) {
partial = ftello(fp);
/*
/*
* Distinguish errors from valid values so we
* don't overwrite good data by accident.
*/


@ -234,7 +234,7 @@ __FBSDID("$FreeBSD$");
#ifdef __sparc64__
# define LG_QUANTUM 4
# define LG_SIZEOF_PTR 3
# define TLS_MODEL /* default */
# define TLS_MODEL __attribute__((tls_model("initial-exec")))
#endif
#ifdef __amd64__
# define LG_QUANTUM 4


@ -82,7 +82,7 @@ ptsname(int fildes)
/* Make sure fildes points to a master device. */
if (__isptmaster(fildes) != 0)
goto done;
if (fdevname_r(fildes, pt_slave + (sizeof _PATH_DEV - 1),
sizeof pt_slave - (sizeof _PATH_DEV - 1)) != NULL)
ret = pt_slave;


@ -127,7 +127,7 @@ argument is non-null it must point to at least 65 characters of buffer space.
.Xr sha 3
.Sh HISTORY
These functions appeared in
.Fx 4.0 .
.Fx 6.0 .
.Sh AUTHORS
The core hash routines were implemented by Colin Percival based on
the published


@ -127,7 +127,7 @@ argument is non-null it must point to at least 65 characters of buffer space.
.Xr sha 3
.Sh HISTORY
These functions appeared in
.Fx 4.0 .
.Fx 9.0 .
.Sh AUTHORS
The core hash routines were implemented by Colin Percival based on
the published


@ -19,6 +19,8 @@ INCS= libprocstat.h
CFLAGS+= -I. -I${.CURDIR} -D_KVM_VNODE
SHLIB_MAJOR= 1
WITHOUT_MAN= yes
DPADD= ${LIBKVM} ${LIBUTIL}
LDADD= -lkvm -lutil
.if ${MK_NCP} != "no"
CFLAGS+= -DLIBPROCSTAT_NWFS


@ -64,13 +64,13 @@ struct tftp_handle;
static int tftp_open(const char *path, struct open_file *f);
static int tftp_close(struct open_file *f);
static void tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len);
static int tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len);
static int tftp_read(struct open_file *f, void *buf, size_t size, size_t *resid);
static int tftp_write(struct open_file *f, void *buf, size_t size, size_t *resid);
static off_t tftp_seek(struct open_file *f, off_t offset, int where);
static int tftp_set_blksize(struct tftp_handle *h, const char *str);
static int tftp_stat(struct open_file *f, struct stat *sb);
static ssize_t sendrecv_tftp(struct tftp_handle *h,
static ssize_t sendrecv_tftp(struct tftp_handle *h,
ssize_t (*sproc)(struct iodesc *, void *, size_t),
void *sbuf, size_t ssize,
ssize_t (*rproc)(struct tftp_handle *h, void *, ssize_t, time_t, unsigned short *),
@ -93,7 +93,7 @@ static int tftpport = 2000;
static int is_open = 0;
/*
* The legacy TFTP_BLKSIZE value was 512.
* The legacy TFTP_BLKSIZE value was SEGSIZE(512).
* TFTP_REQUESTED_BLKSIZE of 1428 is (Ethernet MTU, less the TFTP, UDP and
* IP header lengths).
*/
@ -102,7 +102,7 @@ static int is_open = 0;
/*
* Choose a blksize big enough so we can test with Ethernet
* Jumbo frames in the future.
*/
*/
#define TFTP_MAX_BLKSIZE 9008
struct tftp_handle {
@ -113,7 +113,7 @@ struct tftp_handle {
int off;
char *path; /* saved for re-requests */
unsigned int tftp_blksize;
unsigned long tftp_tsize;
unsigned long tftp_tsize;
struct {
u_char header[HEADER_SIZE];
struct tftphdr t;
@ -121,7 +121,8 @@ struct tftp_handle {
} __packed __aligned(4) lastdata;
};
static const int tftperrors[8] = {
#define TFTP_MAX_ERRCODE EOPTNEG
static const int tftperrors[TFTP_MAX_ERRCODE + 1] = {
0, /* ??? */
ENOENT,
EPERM,
@ -129,10 +130,57 @@ static const int tftperrors[8] = {
EINVAL, /* ??? */
EINVAL, /* ??? */
EEXIST,
EINVAL /* ??? */
EINVAL, /* ??? */
EINVAL, /* Option negotiation failed. */
};
static ssize_t
static int tftp_getnextblock(struct tftp_handle *h);
/* send error message back. */
static void
tftp_senderr(struct tftp_handle *h, u_short errcode, const char *msg)
{
struct {
u_char header[HEADER_SIZE];
struct tftphdr t;
u_char space[63]; /* +1 from t */
} __packed __aligned(4) wbuf;
char *wtail;
int len;
len = strlen(msg);
if (len > sizeof(wbuf.space))
len = sizeof(wbuf.space);
wbuf.t.th_opcode = htons((u_short) ERROR);
wbuf.t.th_code = htons(errcode);
wtail = wbuf.t.th_msg;
bcopy(msg, wtail, len);
wtail[len] = '\0';
wtail += len + 1;
sendudp(h->iodesc, &wbuf.t, wtail - (char *) &wbuf.t);
}
static void
tftp_sendack(struct tftp_handle *h)
{
struct {
u_char header[HEADER_SIZE];
struct tftphdr t;
} __packed __aligned(4) wbuf;
char *wtail;
wbuf.t.th_opcode = htons((u_short) ACK);
wtail = (char *) &wbuf.t.th_block;
wbuf.t.th_block = htons((u_short) h->currblock);
wtail += 2;
sendudp(h->iodesc, &wbuf.t, wtail - (char *) &wbuf.t);
}
static ssize_t
recvtftp(struct tftp_handle *h, void *pkt, ssize_t len, time_t tleft,
unsigned short *rtype)
{
@ -170,7 +218,7 @@ recvtftp(struct tftp_handle *h, void *pkt, ssize_t len, time_t tleft,
return got;
}
case ERROR:
if ((unsigned) ntohs(t->th_code) >= 8) {
if ((unsigned) ntohs(t->th_code) > TFTP_MAX_ERRCODE) {
printf("illegal tftp error %d\n", ntohs(t->th_code));
errno = EIO;
} else {
@ -182,14 +230,30 @@ recvtftp(struct tftp_handle *h, void *pkt, ssize_t len, time_t tleft,
return (-1);
case OACK: {
struct udphdr *uh;
int tftp_oack_len = len - sizeof(t->th_opcode);
tftp_parse_oack(h, t->th_u.tu_stuff, tftp_oack_len);
int tftp_oack_len;
/*
* Unexpected OACK. TFTP transfer already in progress.
* Drop the pkt.
*/
if (d->xid != 1) {
return (-1);
}
/*
* Remember which port this OACK came from,
* because we need to send the ACK back to it.
* Remember which port this OACK came from, because we need
* to send the ACK or errors back to it.
*/
uh = (struct udphdr *) pkt - 1;
d->destport = uh->uh_sport;
/* Parse options ACK-ed by the server. */
tftp_oack_len = len - sizeof(t->th_opcode);
if (tftp_parse_oack(h, t->th_u.tu_stuff, tftp_oack_len) != 0) {
tftp_senderr(h, EOPTNEG, "Malformed OACK");
errno = EIO;
return (-1);
}
return (0);
}
default:
@ -201,7 +265,7 @@ recvtftp(struct tftp_handle *h, void *pkt, ssize_t len, time_t tleft,
}
/* send request, expect first block (or error) */
static int
static int
tftp_makereq(struct tftp_handle *h)
{
struct {
@ -250,26 +314,28 @@ tftp_makereq(struct tftp_handle *h)
h->iodesc->destport = htons(IPPORT_TFTP);
h->iodesc->xid = 1; /* expected block */
h->currblock = 0;
h->islastblock = 0;
h->validsize = 0;
res = sendrecv_tftp(h, &sendudp, &wbuf.t, wtail - (char *) &wbuf.t,
&recvtftp, t, sizeof(*t) + h->tftp_blksize, &rtype);
if (rtype == OACK) {
wbuf.t.th_opcode = htons((u_short)ACK);
wtail = (char *) &wbuf.t.th_block;
wbuf.t.th_block = htons(0);
wtail += 2;
rtype = 0;
res = sendrecv_tftp(h, &sendudp, &wbuf.t, wtail - (char *) &wbuf.t,
&recvtftp, t, sizeof(*t) + h->tftp_blksize, &rtype);
}
if (rtype == OACK)
return (tftp_getnextblock(h));
/* Server ignored our blksize request, revert to TFTP default. */
h->tftp_blksize = SEGSIZE;
switch (rtype) {
case DATA: {
h->currblock = 1;
h->validsize = res;
h->islastblock = 0;
if (res < h->tftp_blksize)
if (res < h->tftp_blksize) {
h->islastblock = 1; /* very short file */
tftp_sendack(h);
}
return (0);
}
case ERROR:
@ -320,7 +386,7 @@ tftp_getnextblock(struct tftp_handle *h)
return (0);
}
static int
static int
tftp_open(const char *path, struct open_file *f)
{
struct tftp_handle *tftpfile;
@ -365,7 +431,7 @@ tftp_open(const char *path, struct open_file *f)
return (0);
}
static int
static int
tftp_read(struct open_file *f, void *addr, size_t size,
size_t *resid /* out */)
{
@ -381,9 +447,11 @@ tftp_read(struct open_file *f, void *addr, size_t size,
needblock = tftpfile->off / tftpfile->tftp_blksize + 1;
if (tftpfile->currblock > needblock) /* seek backwards */
if (tftpfile->currblock > needblock) { /* seek backwards */
tftp_senderr(tftpfile, 0, "No error: read aborted");
tftp_makereq(tftpfile); /* no error check, it worked
* for open */
}
while (tftpfile->currblock < needblock) {
int res;
@ -452,7 +520,7 @@ tftp_close(struct open_file *f)
return (0);
}
static int
static int
tftp_write(struct open_file *f __unused, void *start __unused, size_t size __unused,
size_t *resid __unused /* out */)
{
@ -473,7 +541,7 @@ tftp_stat(struct open_file *f, struct stat *sb)
return (0);
}
static off_t
static off_t
tftp_seek(struct open_file *f, off_t offset, int where)
{
struct tftp_handle *tftpfile;
@ -494,7 +562,7 @@ tftp_seek(struct open_file *f, off_t offset, int where)
}
static ssize_t
sendrecv_tftp(struct tftp_handle *h,
sendrecv_tftp(struct tftp_handle *h,
ssize_t (*sproc)(struct iodesc *, void *, size_t),
void *sbuf, size_t ssize,
ssize_t (*rproc)(struct tftp_handle *, void *, ssize_t, time_t, unsigned short *),
@ -562,9 +630,9 @@ tftp_set_blksize(struct tftp_handle *h, const char *str)
/*
* Only accept blksize value if it is numeric.
* RFC2348 specifies that acceptable valuesare 8-65464
* 8-65464 . Let's choose a limit less than MAXRSPACE
*/
* RFC2348 specifies that acceptable values are 8-65464.
* Let's choose a limit less than MAXRSPACE.
*/
if (*endptr == '\0' && new_blksize >= 8
&& new_blksize <= TFTP_MAX_BLKSIZE) {
h->tftp_blksize = new_blksize;
@ -597,13 +665,12 @@ tftp_set_blksize(struct tftp_handle *h, const char *str)
* optN, valueN
* The final option/value acknowledgment pair.
*/
static void
static int
tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len)
{
/*
* We parse the OACK strings into an array
* of name-value pairs.
*
*/
char *tftp_options[128] = { 0 };
char *val = buf;
@ -612,18 +679,22 @@ tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len)
int blksize_is_set = 0;
int tsize = 0;
while ( option_idx < 128 && i < len ) {
if (buf[i] == '\0') {
if (&buf[i] > val) {
tftp_options[option_idx] = val;
val = &buf[i] + 1;
++option_idx;
}
}
++i;
unsigned int orig_blksize;
while (option_idx < 128 && i < len) {
if (buf[i] == '\0') {
if (&buf[i] > val) {
tftp_options[option_idx] = val;
val = &buf[i] + 1;
++option_idx;
}
}
++i;
}
/* Save the block size we requested for sanity check later. */
orig_blksize = h->tftp_blksize;
/*
* Parse individual TFTP options.
* * "blksize" is specified in RFC2348.
@ -631,27 +702,37 @@ tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len)
*/
for (i = 0; i < option_idx; i += 2) {
if (strcasecmp(tftp_options[i], "blksize") == 0) {
if (i + 1 < option_idx) {
if (i + 1 < option_idx)
blksize_is_set =
tftp_set_blksize(h, tftp_options[i + 1]);
}
} else if (strcasecmp(tftp_options[i], "tsize") == 0) {
if (i + 1 < option_idx) {
if (i + 1 < option_idx)
tsize = strtol(tftp_options[i + 1], (char **)NULL, 10);
}
} else {
/* Do not allow any options we did not expect to be ACKed. */
printf("unexpected tftp option '%s'\n", tftp_options[i]);
return (-1);
}
}
if (!blksize_is_set) {
/*
* If TFTP blksize was not set, try defaulting
* to the legacy TFTP blksize of 512
* to the legacy TFTP blksize of SEGSIZE(512)
*/
h->tftp_blksize = 512;
h->tftp_blksize = SEGSIZE;
} else if (h->tftp_blksize > orig_blksize) {
/*
* Server should not be proposing block sizes that
* exceed what we said we can handle.
*/
printf("unexpected blksize %u\n", h->tftp_blksize);
return (-1);
}
#ifdef TFTP_DEBUG
printf("tftp_blksize: %u\n", h->tftp_blksize);
printf("tftp_tsize: %lu\n", h->tftp_tsize);
#endif
return 0;
}
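Review bot: In `tftp_parse_oack`, the new `else if (h->tftp_blksize > orig_blksize)` branch correctly rejects a server that answers with a larger block size than we offered, but it returns with `h->tftp_blksize` still holding the rejected value; `recvtftp` then sends an error and fails, yet the handle keeps the oversized block size for any later re-request (`tftp_read` re-issues `tftp_makereq` on a backward seek without checking its result). Restore it before leaving: `h->tftp_blksize = orig_blksize;` just ahead of that `return (-1);`. In the same function `tsize` is parsed with `strtol` but, in the visible lines, never stored into `h->tftp_tsize`, which the debug block prints — if the assignment is not in the one line elided between the two hunks, the option is silently dropped. In `tftp_senderr`, `int len` is clamped against `sizeof(wbuf.space)`, a signed/unsigned comparison; declaring it `size_t len` matches `strlen` and avoids the warning under `-Wsign-compare`.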


@ -22,7 +22,7 @@ MLINKS+= libusb.3 usb.3
# libusb 0.1 compat
INCS+= usb.h
SRCS+= libusb20_compat01.c
SRCS+= libusb01.c
# libusb 1.0 compat
INCS+= libusb.h
@ -184,6 +184,8 @@ MLINKS += libusb20.3 libusb20_dev_get_device_desc.3
MLINKS += libusb20.3 libusb20_dev_alloc_config.3
MLINKS += libusb20.3 libusb20_dev_alloc.3
MLINKS += libusb20.3 libusb20_dev_get_address.3
MLINKS += libusb20.3 libusb20_dev_get_parent_address.3
MLINKS += libusb20.3 libusb20_dev_get_parent_port.3
MLINKS += libusb20.3 libusb20_dev_get_bus_number.3
MLINKS += libusb20.3 libusb20_dev_get_mode.3
MLINKS += libusb20.3 libusb20_dev_get_speed.3


@ -636,7 +636,7 @@ libusb_clear_halt(struct libusb20_device *pdev, uint8_t endpoint)
return (LIBUSB_ERROR_INVALID_PARAM);
CTX_LOCK(dev->ctx);
err = libusb20_tr_open(xfer, 0, 0, endpoint);
err = libusb20_tr_open(xfer, 0, 1, endpoint);
CTX_UNLOCK(dev->ctx);
if (err != 0 && err != LIBUSB20_ERROR_BUSY)


@ -159,6 +159,10 @@ USB access library (libusb -lusb)
.Ft uint8_t
.Fn libusb20_dev_get_address "struct libusb20_device *pdev"
.Ft uint8_t
.Fn libusb20_dev_get_parent_address "struct libusb20_device *pdev"
.Ft uint8_t
.Fn libusb20_dev_get_parent_port "struct libusb20_device *pdev"
.Ft uint8_t
.Fn libusb20_dev_get_bus_number "struct libusb20_device *pdev"
.Ft uint8_t
.Fn libusb20_dev_get_mode "struct libusb20_device *pdev"
@ -756,12 +760,31 @@ is an internal function to allocate a new USB device.
.Fn libusb20_dev_get_address
returns the internal and not necessarily the real
hardware address of the given USB device.
Valid addresses start at one.
.
.Pp
.
.Fn libusb20_dev_get_parent_address
returns the internal and not necessarily the real hardware address of
the given parent USB HUB device.
This value is zero for the root HUB which usually has a device address
equal to one.
Valid addresses start at one.
.
.Pp
.
.Fn libusb20_dev_get_parent_port
returns the port number on the parent USB HUB device.
This value is zero for the root HUB which usually has a device address
equal to one.
Valid port numbers start at one.
.
.Pp
.
.Fn libusb20_dev_get_bus_number
returns the internal bus number which the given USB
device belongs to.
Valid bus numbers start at zero.
.
.Pp
.


@ -1056,6 +1056,18 @@ libusb20_dev_get_address(struct libusb20_device *pdev)
return (pdev->device_address);
}
uint8_t
libusb20_dev_get_parent_address(struct libusb20_device *pdev)
{
return (pdev->parent_address);
}
uint8_t
libusb20_dev_get_parent_port(struct libusb20_device *pdev)
{
return (pdev->parent_port);
}
uint8_t
libusb20_dev_get_bus_number(struct libusb20_device *pdev)
{


@ -262,6 +262,8 @@ struct LIBUSB20_DEVICE_DESC_DECODED *libusb20_dev_get_device_desc(struct libusb2
struct libusb20_config *libusb20_dev_alloc_config(struct libusb20_device *pdev, uint8_t config_index);
struct libusb20_device *libusb20_dev_alloc(void);
uint8_t libusb20_dev_get_address(struct libusb20_device *pdev);
uint8_t libusb20_dev_get_parent_address(struct libusb20_device *pdev);
uint8_t libusb20_dev_get_parent_port(struct libusb20_device *pdev);
uint8_t libusb20_dev_get_bus_number(struct libusb20_device *pdev);
uint8_t libusb20_dev_get_mode(struct libusb20_device *pdev);
uint8_t libusb20_dev_get_speed(struct libusb20_device *pdev);


@ -226,6 +226,8 @@ struct libusb20_device {
uint8_t usb_mode;
uint8_t usb_speed;
uint8_t is_opened;
uint8_t parent_address;
uint8_t parent_port;
char usb_desc[96];
};


@ -195,6 +195,11 @@ ugen20_enumerate(struct libusb20_device *pdev, const char *id)
break;
}
/* get parent HUB index and port */
pdev->parent_address = devinfo.udi_hubindex;
pdev->parent_port = devinfo.udi_hubport;
/* generate a nice description for printout */
snprintf(pdev->usb_desc, sizeof(pdev->usb_desc),


@ -1191,9 +1191,9 @@ end_login(void)
ftpd_logwtmp(wtmpid, NULL, NULL);
pw = NULL;
#ifdef LOGIN_CAP
setusercontext(NULL, getpwuid(0), 0,
LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK|
LOGIN_SETMAC);
setusercontext(NULL, getpwuid(0), 0, LOGIN_SETALL & ~(LOGIN_SETLOGIN |
LOGIN_SETUSER | LOGIN_SETGROUP | LOGIN_SETPATH |
LOGIN_SETENV));
#endif
#ifdef USE_PAM
if (pamh) {
@ -1465,9 +1465,8 @@ pass(char *passwd)
return;
}
}
setusercontext(lc, pw, 0,
LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY|
LOGIN_SETRESOURCES|LOGIN_SETUMASK|LOGIN_SETMAC);
setusercontext(lc, pw, 0, LOGIN_SETALL &
~(LOGIN_SETUSER | LOGIN_SETPATH | LOGIN_SETENV));
#else
setlogin(pw->pw_name);
(void) initgroups(pw->pw_name, pw->pw_gid);
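Review bot: Both new setusercontext() calls now derive their flag set from LOGIN_SETALL, which means every LOGIN_SET* capability added to login.conf in the future is applied here automatically unless it is also added to the exclusion mask; that is presumably the intent, but it deserves a comment at both call sites, e.g. `/* Apply every login-class setting except the ones ftpd handles itself (user/group switch, PATH, environment). */`. In end_login() the result of `getpwuid(0)` is still passed unchecked, and how setusercontext() treats a NULL pwd together with a NULL lc is not visible here, so a NULL check with a syslog message before the call would make the failure mode explicit. end_login() and pass() both extend beyond their hunks.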


@ -27,6 +27,8 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
@ -249,9 +251,34 @@ read_close(void)
}
int
synchnet(int peer __unused)
{
/* When an error has occurred, it is possible that the two sides
* are out of synch. Ie: that what I think is the other side's
* response to packet N is really their response to packet N-1.
*
* So, to try to prevent that, we flush all the input queued up
* for us on the network connection on our host.
*
* We return the number of packets we flushed (mostly for reporting
* when trace is active).
*/
return 0;
int
synchnet(int peer) /* socket to flush */
{
int i, j = 0;
char rbuf[MAXPKTSIZE];
struct sockaddr_storage from;
socklen_t fromlen;
while (1) {
(void) ioctl(peer, FIONREAD, &i);
if (i) {
j++;
fromlen = sizeof from;
(void) recvfrom(peer, rbuf, sizeof (rbuf), 0,
(struct sockaddr *)&from, &fromlen);
} else {
return(j);
}
}
}
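Review bot: In the new synchnet(), `i` is never initialized and the return value of ioctl(FIONREAD) is ignored, so a failing ioctl leaves `i` holding stack garbage and the loop can block in recvfrom() on a socket that has nothing queued; the recvfrom() result is dropped as well. Initialize and check both: `int i = 0, j = 0;`, `if (ioctl(peer, FIONREAD, &i) < 0 || i <= 0) return (j);` and `if (recvfrom(peer, rbuf, sizeof(rbuf), 0, (struct sockaddr *)&from, &fromlen) < 0) return (j);`. The loop also has no upper bound, so as long as datagrams keep arriving the server stays in this drain loop; a cap on `j` would bound the time spent here and is cheap to add.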


@ -32,7 +32,7 @@
.\" @(#)tftpd.8 8.1 (Berkeley) 6/4/93
.\" $FreeBSD$
.\"
.Dd September 14, 2000
.Dd June 22, 2011
.Dt TFTPD 8
.Os
.Sh NAME
@ -150,9 +150,27 @@ compatible format string for the creation of the suffix if
.Fl W
is specified.
By default the string "%Y%m%d" is used.
.It Fl d
.It Fl d, d Ar [value]
Enables debug output.
If specified twice, it will log DATA and ACK packets too.
If
.Ar value
is not specified, then the debug level is increased by one
for each instance of
.Fl d
which is specified.
.Pp
If
.Ar value
is specified, then the debug level is set to
.Ar value .
The debug level is a bitmask implemented in
.Pa src/libexec/tftpd/tftp-utils.h .
Valid values are 0 (DEBUG_NONE), 1 (DEBUG_PACKETS), 2, (DEBUG_SIMPLE),
4 (DEBUG_OPTIONS), and 8 (DEBUG_ACCESS). Multiple debug values can be combined
in the bitmask by logically OR'ing the values. For example, specifying
.Fl d
.Ar 15
will enable all the debug values.
.It Fl l
Log all requests using
.Xr syslog 3
@ -217,12 +235,34 @@ option.
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr inetd 8
.Pp
The following RFC's are supported:
.Rs
.%A K. R. Sollins
RFC 1350
.%T The TFTP Protocol (Revision 2)
.%D July 1992
.%O RFC 1350, STD 33
.Re
.Rs
RFC 2347
.%T TFTP Option Extension
.Re
.Rs
RFC 2348
.%T TFTP Blocksize Option
.Re
.Rs
RFC 2349
.%T TFTP Timeout Interval and Transfer Size Options
.Re
.Pp
The non-standard
.Cm rollover
and
.Cm blksize2
TFTP options are mentioned here:
.Rs
.%T Extending TFTP
.%U http://www.compuphase.com/tftp.htm
.Re
.Sh HISTORY
The
.Nm
@ -253,9 +293,15 @@ was introduced in
support for the TFTP Blocksize Option (RFC2348) and the blksize2 option
was introduced in
.Fx 7.4 .
.Pp
Edwin Groothuis <edwin@FreeBSD.org> performed a major rewrite of the
.Nm
and
.Xr tftp 1
code to support RFC2348.
.Sh NOTES
Files larger than 33488896 octets (65535 blocks) cannot be transferred
without client and server supporting the the TFTP blocksize option (RFC2348),
without client and server supporting the TFTP blocksize option (RFC2348),
or the non-standard TFTP rollover option.
.Pp
Many tftp clients will not transfer files over 16744448 octets (32767 blocks).


@ -5,7 +5,7 @@ BINOWN= root
BINMODE=4555
NO_MAN=
DPADD= ${LIBULOG} ${LIBMD}
LDADD= -lulog -lmd
DPADD= ${LIBULOG}
LDADD= -lulog
.include <bsd.prog.mk>


@ -36,11 +36,11 @@ __FBSDID("$FreeBSD$");
/*
* This setuid helper utility writes user login records to disk.
* Unprivileged processes are not capable of writing records to utmp,
* wtmp and lastlog, but we do want to allow this for pseudo-terminals.
* Because a file descriptor to a pseudo-terminal master device can only
* be obtained by processes using the pseudo-terminal, we expect such a
* descriptor on stdin.
* Unprivileged processes are not capable of writing records to utmpx,
* but we do want to allow this for pseudo-terminals. Because a file
* descriptor to a pseudo-terminal master device can only be obtained by
* processes using the pseudo-terminal, we expect such a descriptor on
* stdin.
*
* It uses the real user ID of the calling process to determine the
* username. It does allow users to log arbitrary hostnames.
@ -49,26 +49,22 @@ __FBSDID("$FreeBSD$");
int
main(int argc, char *argv[])
{
const char *line;
const char *line, *user, *host;
/* Device line name. */
if ((line = ptsname(STDIN_FILENO)) == NULL)
return (EX_USAGE);
if ((argc == 2 || argc == 3) && strcmp(argv[1], "login") == 0) {
struct passwd *pwd;
const char *host = NULL;
/* Username. */
pwd = getpwuid(getuid());
if (pwd == NULL)
user = user_from_uid(getuid(), 1);
if (user == NULL)
return (EX_OSERR);
/* Hostname. */
if (argc == 3)
host = argv[2];
host = argc == 3 ? argv[2] : NULL;
ulog_login(line, pwd->pw_name, host);
ulog_login(line, user, host);
return (EX_OK);
} else if (argc == 2 && strcmp(argv[1], "logout") == 0) {
ulog_logout(line);
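Review bot: `user_from_uid(getuid(), 1)` hides the meaning of its second argument, and in a setuid helper the difference matters: with the nouser flag set, an unresolvable UID is refused rather than recorded as a bare number. A comment on that line, `/* nouser=1: refuse, rather than record a numeric uid, when the caller's uid has no passwd entry */`, would document the choice. The string returned by user_from_uid() points into the library's cache, which is fine here because it goes straight to ulog_login(); worth saying in the same comment in case the code is later reordered.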


@ -184,8 +184,7 @@
<para>Lists of locations that mirror &os; can be found in the
<ulink
url="&url.books.handbook;/mirrors-ftp.html">FTP
Sites</ulink> section of the Handbook, or on the <ulink
url="http://mirrorlist.FreeBSD.org/"></ulink> Web pages.
Sites</ulink> section of the Handbook.
Finding a close (in networking terms) mirror from which to
download the distribution is highly recommended.</para>


@ -36,8 +36,8 @@
<!-- The manpaths for man page references -->
<!ENTITY release.man.url "http://www.FreeBSD.org/cgi/man.cgi">
<!ENTITY release.manpath.xorg "7.4">
<!ENTITY release.manpath.netbsd "5.0.1">
<!ENTITY release.manpath.xorg "7.5.1">
<!ENTITY release.manpath.netbsd "5.1">
<!ENTITY release.manpath.freebsd-ports "Ports">
<!ENTITY release.manpath.freebsd "9-current">


@ -2261,6 +2261,7 @@ suj_build(void)
blk_build((struct jblkrec *)rec);
break;
case JOP_TRUNC:
case JOP_SYNC:
ino_build_trunc((struct jtrncrec *)rec);
break;
default:


@ -362,7 +362,7 @@ gpart_autofill_resize(struct gctl_req *req)
goto done;
}
offset = pp->lg_stripeoffset / pp->lg_sectorsize;
offset = (pp->lg_stripeoffset / pp->lg_sectorsize) % alignment;
last = (off_t)strtoimax(find_geomcfg(gp, "last"), NULL, 0);
LIST_FOREACH(pp, &gp->lg_provider, lg_provider) {
s = find_provcfg(pp, "index");
@ -497,10 +497,10 @@ gpart_autofill(struct gctl_req *req)
alignment = len;
/* Adjust parameters to stripeoffset */
offset = pp->lg_stripeoffset / pp->lg_sectorsize;
offset = (pp->lg_stripeoffset / pp->lg_sectorsize) % alignment;
start = ALIGNUP(start + offset, alignment);
if (size + offset > alignment)
size = ALIGNDOWN(size + offset, alignment);
if (size > alignment)
size = ALIGNDOWN(size, alignment);
first = (off_t)strtoimax(find_geomcfg(gp, "first"), NULL, 0);
last = (off_t)strtoimax(find_geomcfg(gp, "last"), NULL, 0);
@ -1208,8 +1208,11 @@ gpart_bootcode(struct gctl_req *req, unsigned int fl)
if (idx == 0)
errx(EXIT_FAILURE, "missing -i option");
gpart_write_partcode(gp, idx, partcode, partsize);
} else
} else {
if (partsize != VTOC_BOOTSIZE)
errx(EXIT_FAILURE, "invalid bootcode");
gpart_write_partcode_vtoc8(gp, idx, partcode);
}
} else
if (bootcode == NULL)
errx(EXIT_FAILURE, "no -b nor -p");
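Review bot: The two new `offset = (pp->lg_stripeoffset / pp->lg_sectorsize) % alignment;` lines (in gpart_autofill_resize and gpart_autofill) take a modulus by `alignment` with nothing in either hunk establishing that it is non-zero; in gpart_autofill the visible `alignment = len;` suggests it is derived from request parameters. If the earlier code already guarantees alignment > 0, a comment at these lines saying so would help; if not, an explicit check before the modulus avoids a divide-by-zero fault on a degenerate request. The new `partsize != VTOC_BOOTSIZE` check in gpart_bootcode is a good addition. Both autofill functions start outside their hunks.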


@ -37,12 +37,12 @@
.\" $TSHeader: src/sbin/growfs/growfs.8,v 1.3 2000/12/12 19:31:00 tomsoft Exp $
.\" $FreeBSD$
.\"
.Dd May 8, 2011
.Dd June 29, 2011
.Dt GROWFS 8
.Os
.Sh NAME
.Nm growfs
.Nd grow size of an existing UFS file system
.Nd expand an existing UFS file system
.Sh SYNOPSIS
.Nm
.Op Fl Ny
@ -60,11 +60,11 @@ the disk must be labeled to a bigger size using
.Xr bsdlabel 8 .
If you wish to grow a file system beyond the boundary of
the slice it resides in, you must re-size the slice using
.Xr fdisk 8
.Xr gpart 8
before running
.Nm .
If you are using volumes you must enlarge them by using
.Xr vinum 8 .
.Xr gvinum 8 .
The
.Nm
utility extends the size of the file system on the specified special file.
@ -119,12 +119,12 @@ up to 2GB if there is enough space in
.Sh SEE ALSO
.Xr bsdlabel 8 ,
.Xr dumpfs 8 ,
.Xr fdisk 8 ,
.Xr ffsinfo 8 ,
.Xr fsck 8 ,
.Xr gpart 8 ,
.Xr gvinum 8 ,
.Xr newfs 8 ,
.Xr tunefs 8 ,
.Xr vinum 8
.Xr tunefs 8
.Sh HISTORY
The
.Nm


@ -2146,8 +2146,8 @@ main(int argc, char **argv)
if(ExpertFlag == 0) {
for(j=0; j<FSMAXSNAP; j++) {
if(sblock.fs_snapinum[j]) {
errx(1, "active snapshot found in file system\n"
" please remove all snapshots before "
errx(1, "active snapshot found in file system; "
"please remove all snapshots before "
"using growfs");
}
if(!sblock.fs_snapinum[j]) { /* list is dense */
@ -2159,16 +2159,16 @@ main(int argc, char **argv)
if (ExpertFlag == 0 && Nflag == 0) {
printf("We strongly recommend you to make a backup "
"before growing the Filesystem\n\n"
" Did you backup your data (Yes/No) ? ");
"before growing the file system.\n"
"Did you backup your data (Yes/No)? ");
fgets(reply, (int)sizeof(reply), stdin);
if (strcmp(reply, "Yes\n")){
printf("\n Nothing done \n");
printf("\nNothing done\n");
exit (0);
}
}
printf("new file systemsize is: %jd frags\n", (intmax_t)sblock.fs_size);
printf("New file system size is %jd frags\n", (intmax_t)sblock.fs_size);
/*
* Try to access our new last block in the file system. Even if we
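Review bot: The result of `fgets(reply, ...)` on the line after the reworded prompt is still unchecked; on EOF or a read error `reply` may hold whatever it held before (whether it is initialized earlier is not visible here), and strcmp() then compares an unwritten buffer. `if (fgets(reply, (int)sizeof(reply), stdin) == NULL || strcmp(reply, "Yes\n") != 0) {` makes EOF fall into the existing "Nothing done" path, which is the safe default for a confirmation prompt. main() continues beyond the hunk.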


@ -21,6 +21,7 @@ MAN= hastctl.8
NO_WFORMAT=
CFLAGS+=-I${.CURDIR}/../hastd
CFLAGS+=-DHAVE_CAPSICUM
CFLAGS+=-DINET
.if ${MK_INET6_SUPPORT} != "no"
CFLAGS+=-DINET6


@ -20,8 +20,9 @@ SRCS+= y.tab.h
MAN= hastd.8 hast.conf.5
NO_WFORMAT=
CFLAGS+=-DPROTO_TCP_DEFAULT_PORT=8457
CFLAGS+=-I${.CURDIR}
CFLAGS+=-DHAVE_CAPSICUM
CFLAGS+=-DPROTO_TCP_DEFAULT_PORT=8457
CFLAGS+=-DINET
.if ${MK_INET6_SUPPORT} != "no"
CFLAGS+=-DINET6


@ -205,7 +205,7 @@ keepdirty_find(struct activemap *amp, int extent)
return (kd);
}
static void
static bool
keepdirty_add(struct activemap *amp, int extent)
{
struct keepdirty *kd;
@ -217,7 +217,7 @@ keepdirty_add(struct activemap *amp, int extent)
*/
TAILQ_REMOVE(&amp->am_keepdirty, kd, kd_next);
TAILQ_INSERT_HEAD(&amp->am_keepdirty, kd, kd_next);
return;
return (false);
}
/*
* Add new element, but first remove the most unused one if
@ -238,6 +238,8 @@ keepdirty_add(struct activemap *amp, int extent)
amp->am_nkeepdirty++;
TAILQ_INSERT_HEAD(&amp->am_keepdirty, kd, kd_next);
}
return (true);
}
static void
@ -308,9 +310,9 @@ activemap_write_start(struct activemap *amp, off_t offset, off_t length)
assert(!bit_test(amp->am_memmap, ext));
bit_set(amp->am_memmap, ext);
amp->am_ndirty++;
modified = true;
}
keepdirty_add(amp, ext);
if (keepdirty_add(amp, ext))
modified = true;
}
return (modified);
@ -345,7 +347,8 @@ activemap_write_complete(struct activemap *amp, off_t offset, off_t length)
if (--amp->am_memtab[ext] == 0) {
bit_clear(amp->am_memmap, ext);
amp->am_ndirty--;
modified = true;
if (keepdirty_find(amp, ext) == NULL)
modified = true;
}
}
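Review bot: keepdirty_add() now returns a bool that callers use to decide whether the on-disk map changed, but the hunk documents neither return value; from the visible lines it returns false when the extent was already on the keepdirty list and true at the end, and whether the allocation path in the middle of the function (outside the hunk) can return anything else is not visible. A short comment above the signature would pin the contract: `/* Return true if the extent was newly added to the keepdirty list (on-disk map needs an update), false if it was only refreshed. */` The matching change in activemap_write_complete(), which reports a modification only when keepdirty_find() finds nothing, deserves a one-line why-comment too, since the reason (extents still on the keepdirty list stay dirty on disk) is only implicit.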


@ -1687,8 +1687,11 @@ ggate_send_thread(void *arg)
}
if (ggio->gctl_error == 0 && ggio->gctl_cmd == BIO_WRITE) {
mtx_lock(&res->hr_amp_lock);
activemap_write_complete(res->hr_amp,
ggio->gctl_offset, ggio->gctl_length);
if (activemap_write_complete(res->hr_amp,
ggio->gctl_offset, ggio->gctl_length)) {
res->hr_stat_activemap_update++;
(void)hast_activemap_flush(res);
}
mtx_unlock(&res->hr_amp_lock);
}
if (ggio->gctl_cmd == BIO_WRITE) {
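Review bot: The new `(void)hast_activemap_flush(res);` discards the flush result while hr_amp_lock is held; if the flush fails the in-memory map now disagrees with the on-disk one, and unless hast_activemap_flush() logs internally (not visible here) the failure is silent. Either a comment stating that the helper logs and that a failed flush presumably only leaves extents conservatively dirty on disk, or an explicit log on a non-zero return, would make the (void) cast deliberate rather than accidental. The flush also performs disk I/O under the lock, which is worth a comment if intended. ggate_send_thread() continues outside the hunk.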


@ -31,7 +31,9 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#ifdef HAVE_CAPSICUM
#include <sys/capability.h>
#endif
#include <sys/param.h>
#include <sys/disk.h>
#include <sys/ioctl.h>
@ -230,9 +232,15 @@ drop_privs(struct hast_resource *res)
* ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH.
* For now capsicum is only used to sandbox hastctl.
*/
if (res == NULL)
#ifdef HAVE_CAPSICUM
if (res == NULL) {
capsicum = (cap_enter() == 0);
else
if (!capsicum) {
pjdlog_common(LOG_DEBUG, 1, errno,
"Unable to sandbox using capsicum");
}
} else
#endif
capsicum = false;
/*
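Review bot: The new sandbox setup splits one if/else across the `#ifdef HAVE_CAPSICUM` block so that, with capsicum disabled, the bare `capsicum = false;` becomes the orphaned else branch — legal, but easy to break on the next edit — and a failed cap_enter() is reported only at LOG_DEBUG, so a hastctl running unsandboxed leaves no trace in the normal log. Keeping the two configurations as separate complete statements and raising the message to a warning would make both the structure and the security-relevant failure visible. drop_privs() begins and continues outside the hunk.
```c
#ifdef HAVE_CAPSICUM
	if (res == NULL) {
		capsicum = (cap_enter() == 0);
		if (!capsicum) {
			pjdlog_common(LOG_WARNING, 0, errno,
			    "Unable to sandbox using capsicum");
		}
	} else {
		capsicum = false;
	}
#else
	capsicum = false;
#endif
	/* … unchanged: remainder of drop_privs() … */
```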


@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd June 14, 2011
.Dd June 29, 2011
.Dt IPFW 8
.Os
.Sh NAME
@ -822,6 +822,78 @@ skipto, but care should be used, as no destination caching
is possible in this case so the rules are always walked to find it,
starting from the
.Cm skipto .
.It Cm call Ar number | tablearg
The current rule number is saved in the internal stack and
ruleset processing continues with the first rule numbered
.Ar number
or higher.
If later a rule with the
.Cm return
action is encountered, the processing returns to the first rule
with number of this
.Cm call
rule plus one or higher
(the same behaviour as with packets returning from
.Xr divert 4
socket after a
.Cm divert
action).
This could be used to make somewhat like an assembly language
.Dq subroutine
calls to rules with common checks for different interfaces, etc.
.Pp
Rule with any number could be called, not just forward jumps as with
.Cm skipto .
So, to prevent endless loops in case of mistakes, both
.Cm call
and
.Cm return
actions don't do any jumps and simply go to the next rule if memory
can't be allocated or stack overflowed/undeflowed.
.Pp
Internally stack for rule numbers is implemented using
.Xr mbuf_tags 9
facility and currently has size of 16 entries.
As mbuf tags are lost when packet leaves the kernel,
.Cm divert
should not be used in subroutines to avoid endless loops
and other undesired effects.
.It Cm return
Takes rule number saved to internal stack by the last
.Cm call
action and returns ruleset processing to the first rule
with number greater than number of corresponding
.Cm call
rule. See description of the
.Cm call
action for more details.
.Pp
Note that
.Cm return
rules usually end a
.Dq subroutine
and thus are unconditional, but
.Nm
command-line utility currently requires every action except
.Cm check-state
to have body.
While it is sometimes useful to return only on some packets,
usually you want to print just
.Dq return
for readability.
A workaround for this is to use new syntax and
.Fl c
switch:
.Pp
.Bd -literal -offset indent
# Add a rule without actual body
ipfw add 2999 return via any
# List rules without "from any to any" part
ipfw -c list
.Ed
.Pp
This cosmetic annoyance may be fixed in future releases.
.It Cm tee Ar port
Send a copy of packets matching this rule to the
.Xr divert 4
@ -3253,3 +3325,18 @@ for the respective conversations.
To avoid failures of network error detection and path MTU discovery,
ICMP error messages may need to be allowed explicitly through static
rules.
.Pp
Rules using
.Cm call
and
.Cm return
actions may lead to confusing behaviour if ruleset has mistakes,
and/or interaction with other subsystems (netgraph, dummynet, etc.) is used.
One possible case for this is packet leaving
.Nm
in subroutine on the input pass, while later on output encountering unpaired
.Cm return
first.
As the call stack is kept intact after input pass, packet will suddenly
return to the rule number used on input pass, not on output one.
Order of processing should be checked carefully to avoid such mistakes.


@ -214,6 +214,8 @@ static struct _s_x rule_actions[] = {
{ "nat", TOK_NAT },
{ "reass", TOK_REASS },
{ "setfib", TOK_SETFIB },
{ "call", TOK_CALL },
{ "return", TOK_RETURN },
{ NULL, 0 } /* terminator */
};
@ -1136,6 +1138,13 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
printf("reass");
break;
case O_CALLRETURN:
if (cmd->len & F_NOT)
printf("return");
else
PRINT_UINT_ARG("call ", cmd->arg1);
break;
default:
printf("** unrecognized action %d len %d ",
cmd->opcode, cmd->len);
@ -2771,6 +2780,9 @@ ipfw_add(char *av[])
goto chkarg;
case TOK_TEE:
action->opcode = O_TEE;
goto chkarg;
case TOK_CALL:
action->opcode = O_CALLRETURN;
chkarg:
if (!av[0])
errx(EX_USAGE, "missing argument for %s", *(av - 1));
@ -2863,6 +2875,10 @@ ipfw_add(char *av[])
action->opcode = O_REASS;
break;
case TOK_RETURN:
fill_cmd(action, O_CALLRETURN, F_NOT, 0);
break;
default:
errx(EX_DATAERR, "invalid action %s\n", av[-1]);
}
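Review bot: The encoding that lets one opcode serve two actions is never stated in the code: in show_ipfw() `cmd->len & F_NOT` selects "return", and in ipfw_add() `fill_cmd(action, O_CALLRETURN, F_NOT, 0)` sets it, while plain "call" carries its target in arg1. A comment at the `case O_CALLRETURN:` in show_ipfw(), `/* O_CALLRETURN with F_NOT set is 'return'; otherwise arg1 is the call target. */`, and the same sentence at the TOK_RETURN case, would keep the two sites in step. The TOK_CALL case relies on falling into the chkarg label for its argument parsing, which a `/* FALLTHROUGH to chkarg */` comment should mark.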


@ -99,6 +99,8 @@ enum tokens {
TOK_CHECKSTATE,
TOK_NAT,
TOK_REASS,
TOK_CALL,
TOK_RETURN,
TOK_ALTQ,
TOK_LOG,


@ -262,7 +262,7 @@ ipfw_main(int oldac, char **oldav)
save_av = av;
optind = optreset = 1; /* restart getopt() */
while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1)
while ((ch = getopt(ac, av, "abcdefhinNp:qs:STtv")) != -1)
switch (ch) {
case 'a':
do_acct = 1;
@ -306,6 +306,10 @@ ipfw_main(int oldac, char **oldav)
co.do_resolv = 1;
break;
case 'p':
errx(EX_USAGE, "An absolute pathname must be used "
"with -p option.");
case 'q':
co.do_quiet = 1;
break;
@ -603,9 +607,12 @@ main(int ac, char *av[])
* as a file to be preprocessed.
*/
if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
ipfw_readfile(ac, av);
else {
if (ac > 1 && av[ac - 1][0] == '/') {
if (access(av[ac - 1], R_OK) == 0)
ipfw_readfile(ac, av);
else
err(EX_USAGE, "pathname: %s", av[ac - 1]);
} else {
if (ipfw_main(ac, av)) {
errx(EX_USAGE,
"usage: ipfw [options]\n"
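Review bot: The new `case 'p':` calls errx() unconditionally, so the `p:` added to the getopt string exists only to produce this diagnostic and the option's argument is never examined; if I read the main() change correctly, -p is meant to be consumed before ipfw_main() runs, which is worth stating at the case: `/* -p is honoured only when the last argument is an absolute path (see main()); reaching it here means the path was missing or relative. */`. In main(), the access(R_OK) probe followed by err() only sharpens the message; whatever ipfw_readfile() does when it opens the file still decides, so the two checks can disagree and the comment should say the probe is advisory. main() continues outside the hunk.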


@ -738,7 +738,8 @@ ipfw_config_nat(int ac, char **av)
char *id, *buf, **av1, *end;
size_t len;
av++; ac--;
av++;
ac--;
/* Nat id. */
if (ac == 0)
errx(EX_DATAERR, "missing nat id");
@ -746,7 +747,8 @@ ipfw_config_nat(int ac, char **av)
i = (int)strtol(id, &end, 0);
if (i <= 0 || *end != '\0')
errx(EX_DATAERR, "illegal nat id: %s", id);
av++; ac--;
av++;
ac--;
if (ac == 0)
errx(EX_DATAERR, "missing option");
@ -755,11 +757,13 @@ ipfw_config_nat(int ac, char **av)
av1 = av;
while (ac1 > 0) {
tok = match_token(nat_params, *av1);
ac1--; av1++;
ac1--;
av1++;
switch (tok) {
case TOK_IP:
case TOK_IF:
ac1--; av1++;
ac1--;
av1++;
break;
case TOK_ALOG:
case TOK_DENY_INC:
@ -775,30 +779,40 @@ ipfw_config_nat(int ac, char **av)
errx(EX_DATAERR, "redirect_addr: "
"not enough arguments");
len += estimate_redir_addr(&ac1, &av1);
av1 += 2; ac1 -= 2;
av1 += 2;
ac1 -= 2;
break;
case TOK_REDIR_PORT:
if (ac1 < 3)
errx(EX_DATAERR, "redirect_port: "
"not enough arguments");
av1++; ac1--;
av1++;
ac1--;
len += estimate_redir_port(&ac1, &av1);
av1 += 2; ac1 -= 2;
av1 += 2;
ac1 -= 2;
/* Skip optional remoteIP/port */
if (ac1 != 0 && isdigit(**av1))
av1++; ac1--;
if (ac1 != 0 && isdigit(**av1)) {
av1++;
ac1--;
}
break;
case TOK_REDIR_PROTO:
if (ac1 < 2)
errx(EX_DATAERR, "redirect_proto: "
"not enough arguments");
len += sizeof(struct cfg_redir);
av1 += 2; ac1 -= 2;
av1 += 2;
ac1 -= 2;
/* Skip optional remoteIP/port */
if (ac1 != 0 && isdigit(**av1))
av1++; ac1--;
if (ac1 != 0 && isdigit(**av1))
av1++; ac1--;
if (ac1 != 0 && isdigit(**av1)) {
av1++;
ac1--;
}
if (ac1 != 0 && isdigit(**av1)) {
av1++;
ac1--;
}
break;
default:
errx(EX_DATAERR, "unrecognised option ``%s''", av1[-1]);
@ -816,7 +830,8 @@ ipfw_config_nat(int ac, char **av)
while (ac > 0) {
tok = match_token(nat_params, *av);
ac--; av++;
ac--;
av++;
switch (tok) {
case TOK_IP:
if (ac == 0)
@ -824,13 +839,15 @@ ipfw_config_nat(int ac, char **av)
if (!inet_aton(av[0], &(n->ip)))
errx(EX_DATAERR, "bad ip address ``%s''",
av[0]);
ac--; av++;
ac--;
av++;
break;
case TOK_IF:
if (ac == 0)
errx(EX_DATAERR, "missing option");
set_addr_dynamic(av[0], n);
ac--; av++;
ac--;
av++;
break;
case TOK_ALOG:
n->mode |= PKT_ALIAS_LOG;
@ -909,7 +926,8 @@ ipfw_show_nat(int ac, char **av)
data = NULL;
frule = 0;
lrule = IPFW_DEFAULT_RULE; /* max ipfw rule number */
ac--; av++;
ac--;
av++;
if (co.test_only)
return;


@ -28,7 +28,7 @@
.\" @(#)newfs.8 8.6 (Berkeley) 5/3/95
.\" $FreeBSD$
.\"
.Dd May 25, 2011
.Dd June 22, 2011
.Dt NEWFS 8
.Os
.Sh NAME
@ -297,6 +297,7 @@ on file systems that contain many small files.
.Xr dumpfs 8 ,
.Xr fsck 8 ,
.Xr gjournal 8 ,
.Xr growfs 8 ,
.Xr makefs 8 ,
.Xr mount 8 ,
.Xr tunefs 8 ,


@ -8,7 +8,7 @@ MAN= pflogd.8
CFLAGS+=-include ${.CURDIR}/../../lib/libpcap/config.h
LDADD= -lpcap -lutil
LDADD= -lpcap
DPADD= ${LIBPCAP} ${LIBUTIL}
WARNS?= 2
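Review bot: `LDADD` drops -lutil, but the `DPADD= ${LIBPCAP} ${LIBUTIL}` line immediately below still lists the library, so the dependency list and the link line no longer agree. Unless libutil is still needed at link time (in which case LDADD is the wrong line to change), DPADD should become `DPADD= ${LIBPCAP}` in the same commit.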
