eri@ wants to start on porting the latest pf in his user space so we can

finally have a new version in 9.0.  Import pf as of OPENBSD_4_5_BASE to help
with that.
This commit is contained in:
Max Laier 2009-08-18 16:13:59 +00:00
parent 89a3159080
commit 739de636d7
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/pf/dist/; revision=196360
svn path=/vendor/pf/4.5/; revision=196361; tag=vendor/pf/4.5
52 changed files with 447 additions and 200 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
PROG= authpf
MAN= authpf.8


@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: February 14 2008 $
.Dd $Mdocdate: March 18 2008 $
.Dt AUTHPF 8
.Os
.Sh NAME
@ -202,6 +202,9 @@ It is also possible to configure
to only allow specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
A group of users can also be indicated by prepending "%" to the group name,
and all members of a login class can be indicated by prepending "@" to the
login class name.
If "*" is found on a line, then all usernames match.
If
.Nm
@ -314,7 +317,8 @@ They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
which lists their login ids, one per line.
which lists their login ids, group prepended with "%", or login class
prepended with "@", one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.


@ -1,4 +1,4 @@
/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@ -32,6 +32,7 @@
#include <errno.h>
#include <login_cap.h>
#include <pwd.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@ -43,7 +44,7 @@
static int read_config(FILE *);
static void print_message(char *);
static int allowed_luser(char *);
static int allowed_luser(struct passwd *);
static int check_luser(char *, char *);
static int remove_stale_rulesets(void);
static int recursive_ruleset_purge(char *, char *);
@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
int pidfd = -1;
char luser[MAXLOGNAME]; /* username */
char ipsrc[256]; /* ip as a string */
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@ -78,7 +80,7 @@ extern char *__progname; /* program name */
int
main(int argc, char *argv[])
{
int lockcnt = 0, n, pidfd;
int lockcnt = 0, n;
FILE *config;
struct in6_addr ina;
struct passwd *pw;
@ -93,7 +95,7 @@ main(int argc, char *argv[])
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
exit(1);
}
@ -186,6 +188,14 @@ main(int argc, char *argv[])
goto die;
}
signal(SIGTERM, need_death);
signal(SIGINT, need_death);
signal(SIGALRM, need_death);
signal(SIGPIPE, need_death);
signal(SIGHUP, need_death);
signal(SIGQUIT, need_death);
signal(SIGTSTP, need_death);
/*
* If someone else is already using this ip, then this person
* wants to switch users - so kill the old process and exit
@ -239,15 +249,17 @@ main(int argc, char *argv[])
}
/*
* we try to kill the previous process and acquire the lock
* We try to kill the previous process and acquire the lock
* for 10 seconds, trying once a second. if we can't after
* 10 attempts we log an error and give up
* 10 attempts we log an error and give up.
*/
if (++lockcnt > 10) {
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
otherpid);
if (want_death || ++lockcnt > 10) {
if (!want_death)
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
otherpid);
fclose(pidfp);
pidfp = NULL;
pidfd = -1;
goto dogdeath;
}
sleep(1);
@ -258,6 +270,7 @@ main(int argc, char *argv[])
*/
fclose(pidfp);
pidfp = NULL;
pidfd = -1;
} while (1);
/* whack the group list */
@ -275,7 +288,7 @@ main(int argc, char *argv[])
}
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
}
@ -306,13 +319,6 @@ main(int argc, char *argv[])
do_death(0);
}
signal(SIGTERM, need_death);
signal(SIGINT, need_death);
signal(SIGALRM, need_death);
signal(SIGPIPE, need_death);
signal(SIGHUP, need_death);
signal(SIGQUIT, need_death);
signal(SIGTSTP, need_death);
while (1) {
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@ -434,6 +440,7 @@ print_message(char *filename)
* allowed_luser checks to see if user "luser" is allowed to
* use this gateway by virtue of being listed in an allowed
* users file, namely /etc/authpf/authpf.allow .
* Users may be listed by <username>, %<group>, or @<login_class>.
*
* If /etc/authpf/authpf.allow does not exist, then we assume that
* all users who are allowed in by sshd(8) are permitted to
@ -442,7 +449,7 @@ print_message(char *filename)
* the session terminates in the same manner as being banned.
*/
static int
allowed_luser(char *luser)
allowed_luser(struct passwd *pw)
{
char *buf, *lbuf;
int matched;
@ -474,8 +481,14 @@ allowed_luser(char *luser)
* "public" gateway, such as it is, so let
* everyone use it.
*/
int gl_init = 0, ngroups = NGROUPS + 1;
gid_t groups[NGROUPS + 1];
lbuf = NULL;
matched = 0;
while ((buf = fgetln(f, &len))) {
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
else {
@ -486,7 +499,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
if (buf[0] == '@') {
/* check login class */
if (strcmp(pw->pw_class, buf + 1) == 0)
matched++;
} else if (buf[0] == '%') {
/* check group membership */
int cnt;
struct group *group;
if ((group = getgrnam(buf + 1)) == NULL) {
syslog(LOG_ERR,
"invalid group '%s' in %s (%s)",
buf + 1, PATH_ALLOWFILE,
strerror(errno));
return (0);
}
if (!gl_init) {
(void) getgrouplist(pw->pw_name,
pw->pw_gid, groups, &ngroups);
gl_init++;
}
for ( cnt = 0; cnt < ngroups; cnt++) {
if (group->gr_gid == groups[cnt]) {
matched++;
break;
}
}
} else {
/* check username and wildcard */
matched = strcmp(pw->pw_name, buf) == 0 ||
strcmp("*", buf) == 0;
}
if (lbuf != NULL) {
free(lbuf);
@ -494,10 +540,10 @@ allowed_luser(char *luser)
}
if (matched)
return (1); /* matched an allowed username */
return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
luser, PATH_ALLOWFILE);
pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
buf = "\n\nSorry, you are not allowed to use this facility!\n";
@ -878,7 +924,7 @@ do_death(int active)
authpf_kill_states();
}
}
if (pidfile[0] && (pidfp != NULL))
if (pidfile[0] && pidfd != -1)
if (unlink(pidfile) == -1)
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
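Review bot: In allowed_luser's new `%group` branch the return value of getgrouplist() is discarded with `(void)`, so a user who belongs to more than NGROUPS + 1 groups gets a silently truncated list and a group that appears later in their membership is treated as a non-match; checking it, `if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1) syslog(LOG_WARNING, "group list for %s truncated", pw->pw_name);`, keeps that denial diagnosable. The same branch returns 0 on an unknown group without releasing `lbuf`, which the path for a final line lacking a newline allocates just above, so `free(lbuf);` belongs before that `return (0);`. getgrnam(3) is not required to set errno when the group merely does not exist, so the `strerror(errno)` in that syslog may report a stale value unless errno is cleared before the call. The enclosing function starts before the hunk at @ -486,7 +499,40 and its cleanup path continues after it.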


@ -1,4 +1,4 @@
/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
# $OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $
PROG= ftp-proxy
SRCS= ftp-proxy.c filter.c


@ -1,4 +1,4 @@
/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
/* $OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>


@ -1,4 +1,4 @@
/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>


@ -1,4 +1,4 @@
.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"


@ -1,4 +1,4 @@
/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
/* $OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>


@ -1,3 +1,5 @@
/* $OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright (c) 2002, 2003 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -62,7 +64,7 @@ struct evbuffer *
evbuffer_new(void)
{
struct evbuffer *buffer;
buffer = calloc(1, sizeof(struct evbuffer));
return (buffer);
@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer)
free(buffer);
}
/*
/*
* This is a destructive add. The data from one buffer moves into
* the other buffer.
*/
@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *outbuf, struct evbuffer *inbuf)
SWAP(outbuf, inbuf);
SWAP(inbuf, &tmp);
/*
/*
* Optimization comes with a price; we need to notify the
* buffer if necessary of the changes. oldoff is the amount
* of data that we transfered from inbuf to outbuf
* of data that we transferred from inbuf to outbuf
*/
if (inbuf->off != oldoff && inbuf->cb != NULL)
(*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg);
if (oldoff && outbuf->cb != NULL)
(*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg);
return (0);
}
@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, void *data, size_t datlen)
memcpy(data, buf->buffer, nread);
evbuffer_drain(buf, nread);
return (nread);
}
@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int fd, int howmuch)
if (n < EVBUFFER_MAX_READ)
n = EVBUFFER_MAX_READ;
}
#endif
#endif
if (howmuch < 0 || howmuch > n)
howmuch = n;


@ -1,3 +1,5 @@
/* $OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright (c) 2002-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int timeout)
return (event_add(ev, ptv));
}
/*
/*
* This callback is executed when the size of the input buffer changes.
* We use it to apply back pressure on the reading side.
*/
@ -73,7 +75,7 @@ void
bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now,
void *arg) {
struct bufferevent *bufev = arg;
/*
/*
* If we are below the watermark then reschedule reading if it's
* still enabled.
*/
@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *bufev)
*/
int
bufferevent_write(struct bufferevent *bufev, void *data, size_t size)
bufferevent_write(struct bufferevent *bufev, const void *data, size_t size)
{
int res;


@ -1,3 +1,5 @@
/* $OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.


@ -1,3 +1,5 @@
/* $OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $ */
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -38,7 +40,7 @@
#include <sys/tree.h>
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#else
#else
#include <sys/_time.h>
#endif
#include <sys/queue.h>
@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeout_node, compare);
RB_GENERATE(event_tree, event, ev_timeout_node, compare);
void *
struct event_base *
event_init(void)
{
int i;
@ -194,13 +196,13 @@ event_init(void)
detect_monotonic();
gettime(&base->event_tv);
RB_INIT(&base->timetree);
TAILQ_INIT(&base->eventqueue);
TAILQ_INIT(&base->sig.signalqueue);
base->sig.ev_signal_pair[0] = -1;
base->sig.ev_signal_pair[1] = -1;
base->evbase = NULL;
for (i = 0; eventops[i] && !base->evbase; i++) {
base->evsel = eventops[i];
@ -321,7 +323,7 @@ event_process_active(struct event_base *base)
for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) {
event_queue_remove(base, ev, EVLIST_ACTIVE);
/* Allows deletes to work */
ncalls = ev->ev_ncalls;
ev->ev_pncalls = &ncalls;
@ -430,7 +432,7 @@ event_base_loop(struct event_base *base, int flags)
*/
timerclear(&tv);
}
/* If we have no events, we just exit */
if (!event_haveevents(base)) {
event_debug(("%s: no events registered.", __func__));
@ -439,7 +441,6 @@ event_base_loop(struct event_base *base, int flags)
res = evsel->dispatch(base, evbase, tv_p);
if (res == -1)
return (-1);
@ -652,7 +653,7 @@ event_add(struct event *ev, struct timeval *tv)
/* Abort loop */
*ev->ev_pncalls = 0;
}
event_queue_remove(base, ev, EVLIST_ACTIVE);
}
@ -913,10 +914,10 @@ event_queue_insert(struct event_base *base, struct event *ev, int queue)
const char *
event_get_version(void)
{
return (VERSION);
return (LIBEVENT_VERSION);
}
/*
/*
* No thread-safe interface needed - the information should be the same
* for all threads.
*/


@ -1,3 +1,5 @@
/* $OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $ */
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -43,6 +45,8 @@ typedef unsigned char u_char;
typedef unsigned short u_short;
#endif
#define LIBEVENT_VERSION "1.3e"
#define EVLIST_TIMEOUT 0x01
#define EVLIST_INSERTED 0x02
#define EVLIST_SIGNAL 0x04
@ -141,7 +145,7 @@ struct eventop {
void (*dealloc)(struct event_base *, void *);
};
void *event_init(void);
struct event_base *event_init(void);
int event_dispatch(void);
int event_base_dispatch(struct event_base *);
void event_base_free(struct event_base *);
@ -169,12 +173,6 @@ int event_base_loopexit(struct event_base *, struct timeval *);
#define evtimer_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
#define evtimer_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
#define timeout_add(ev, tv) event_add(ev, tv)
#define timeout_set(ev, cb, arg) event_set(ev, -1, 0, cb, arg)
#define timeout_del(ev) event_del(ev)
#define timeout_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
#define timeout_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
#define signal_add(ev, tv) event_add(ev, tv)
#define signal_set(ev, x, cb, arg) \
event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg)
@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int fd,
int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev);
int bufferevent_priority_set(struct bufferevent *bufev, int pri);
void bufferevent_free(struct bufferevent *bufev);
int bufferevent_write(struct bufferevent *bufev, void *data, size_t size);
int bufferevent_write(struct bufferevent *bufev,
const void *data, size_t size);
int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf);
size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size);
int bufferevent_enable(struct bufferevent *bufev, short event);
@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int, int);
u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t);
void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t, size_t, void *), void *);
/*
/*
* Marshaling tagged data - We assume that all tags are inserted in their
* numeric order - so that unknown tags will always be higher than the
* known ones - and we can just ignore the end of an event buffer.


@ -1,3 +1,5 @@
/* $OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.


@ -1,4 +1,4 @@
/* $OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $ */
/* $OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@ -97,14 +97,14 @@ kq_init(struct event_base *base)
struct kqop *kqueueop;
/* Disable kqueue when this environment variable is set */
if (getenv("EVENT_NOKQUEUE"))
if (!issetugid() && getenv("EVENT_NOKQUEUE"))
return (NULL);
if (!(kqueueop = calloc(1, sizeof(struct kqop))))
return (NULL);
/* Initalize the kernel queue */
if ((kq = kqueue()) == -1) {
event_warn("kqueue");
free (kqueueop);
@ -114,12 +114,12 @@ kq_init(struct event_base *base)
kqueueop->kq = kq;
/* Initalize fields */
kqueueop->changes = malloc(NEVENT * sizeof(struct kevent));
kqueueop->changes = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->changes == NULL) {
free (kqueueop);
return (NULL);
}
kqueueop->events = malloc(NEVENT * sizeof(struct kevent));
kqueueop->events = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->events == NULL) {
free (kqueueop->changes);
free (kqueueop);
@ -131,7 +131,7 @@ kq_init(struct event_base *base)
kqueueop->changes[0].ident = -1;
kqueueop->changes[0].filter = EVFILT_READ;
kqueueop->changes[0].flags = EV_ADD;
/*
/*
* If kqueue works, then kevent will succeed, and it will
* stick an error in events[0]. If kqueue is broken, then
* kevent will fail.
@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct kevent *kev)
memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent));
event_debug(("%s: fd %d %s%s",
__func__, kev->ident,
__func__, kev->ident,
kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE",
kev->flags == EV_DELETE ? " (del)" : ""));
@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, void *arg, struct timeval *tv)
int which = 0;
if (events[i].flags & EV_ERROR) {
/*
/*
* Error messages that can happen, when a delete fails.
* EBADF happens when the file discriptor has been
* closed,
@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
if (kq_insert(kqop, &kev) == -1)
return (-1);
@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
if (kq_insert(kqop, &kev) == -1)
return (-1);
@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
if (kq_insert(kqop, &kev) == -1)
return (-1);
@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = nsignal;
kev.filter = EVFILT_SIGNAL;
kev.flags = EV_DELETE;
if (kq_insert(kqop, &kev) == -1)
return (-1);
@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_READ;
kev.flags = EV_DELETE;
if (kq_insert(kqop, &kev) == -1)
return (-1);
@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_WRITE;
kev.flags = EV_DELETE;
if (kq_insert(kqop, &kev) == -1)
return (-1);


@ -1,4 +1,4 @@
/* $OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
/* $OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $ */
/*
* log.c
@ -102,7 +102,7 @@ void
event_err(int eval, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, errno, fmt, ap);
va_end(ap);
@ -113,7 +113,7 @@ void
event_warn(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, errno, fmt, ap);
va_end(ap);
@ -123,7 +123,7 @@ void
event_errx(int eval, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, -1, fmt, ap);
va_end(ap);
@ -134,7 +134,7 @@ void
event_warnx(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, -1, fmt, ap);
va_end(ap);
@ -144,7 +144,7 @@ void
event_msgx(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_MSG, -1, fmt, ap);
va_end(ap);
@ -154,7 +154,7 @@ void
_event_debugx(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap);
va_end(ap);


@ -1,3 +1,5 @@
/* $OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.


@ -1,4 +1,4 @@
/* $OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
/* $OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $ */
/*
* Copyright 2000-2003 Niels Provos <provos@citi.umich.edu>
@ -89,7 +89,7 @@ poll_init(struct event_base *base)
struct pollop *pollop;
/* Disable poll when this environment variable is set */
if (getenv("EVENT_NOPOLL"))
if (!issetugid() && getenv("EVENT_NOPOLL"))
return (NULL);
if (!(pollop = calloc(1, sizeof(struct pollop))))
@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, void *arg, struct timeval *tv)
for (i = 0; i < nfds; i++) {
int what = pop->event_set[i].revents;
struct event *r_ev = NULL, *w_ev = NULL;
if (!what)
continue;
@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev)
--pop->nfds;
if (i != pop->nfds) {
/*
/*
* Shift the last pollfd down into the now-unoccupied
* position.
*/


@ -1,4 +1,4 @@
/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
/* $OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@ -96,7 +96,7 @@ select_init(struct event_base *base)
struct selectop *sop;
/* Disable select when this environment variable is set */
if (getenv("EVENT_NOSELECT"))
if (!issetugid() && getenv("EVENT_NOSELECT"))
return (NULL);
if (!(sop = calloc(1, sizeof(struct selectop))))


@ -1,4 +1,4 @@
/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
/* $OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *arg)
void
evsignal_init(struct event_base *base)
{
/*
/*
* Our signal handler is going to write to one end of the socket
* pair to wake up our event loop. The event loop then scans for
* signals that got delivered.


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
.\" $OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 31 2007 $
.Dd $Mdocdate: September 4 2008 $
.Dt PF 4
.Os
.Sh NAME
@ -1050,12 +1050,14 @@ internal interface description.
The filtering process is the same as for
.Dv DIOCIGETIFACES .
.Bd -literal
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
.Ed
.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
Works as
.Dv DIOCSETIFFLAG
above but clears the flags.
.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
Explicitly remove source tracking nodes.
.El
.Sh FILES
.Bl -tag -width /dev/pf -compact
@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
.Xr ioctl 2 ,
.Xr bridge 4 ,
.Xr pflog 4 ,
.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr pfctl 8 ,
.Xr altq 9


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
.\" $OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 10 2008 $
.Dd $Mdocdate: October 2 2008 $
.Dt PF.CONF 5
.Os
.Sh NAME
@ -517,6 +517,16 @@ For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
.It Ar set state-defaults
The
.Ar state-defaults
option sets the state options for states created from rules
without an explicit
.Ar keep state .
For example:
.Bd -literal -offset indent
set state-defaults pflow, no-sync
.Ed
.It Ar set hostid
The 32-bit
.Ar hostid
@ -901,7 +911,7 @@ Defines a list of subqueues to create on an interface.
.El
.Pp
In the following example, the interface dc0
should queue up to 5 Mbit/s in four second-level queues using
should queue up to 5Mbps in four second-level queues using
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
@ -1488,7 +1498,7 @@ Translates to the network(s) attached to the interface.
.It Ar :broadcast
Translates to the interface's broadcast address(es).
.It Ar :peer
Translates to the point to point interface's peer address(es).
Translates to the point-to-point interface's peer address(es).
.It Ar :0
Do not include interface aliases.
.El
@ -2098,6 +2108,10 @@ easier.
This is intended to be used in situations where one does not see all
packets of a connection, e.g. in asymmetric routing situations.
Cannot be used with modulate or synproxy state.
.It Ar pflow
States created by this rule are exported on the
.Xr pflow 4
interface.
.El
.Pp
Multiple options can be specified, separated by commas:
@ -2821,6 +2835,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "state-defaults" state-opts ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ifspec ] |
@ -2963,7 +2978,7 @@ tos = ( "lowdelay" | "throughput" | "reliability" |
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
state-opt = ( "max" number | "no-sync" | timeout | sloppy |
state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
"source-track" [ ( "rule" | "global" ) ] |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
@ -3026,6 +3041,7 @@ Service name database.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr pf 4 ,
.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr route 4 ,
.Xr tcp 4 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"


@ -1,4 +1,4 @@
.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.

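--- /dev/null
+++ b/man/pflow.4
@@ -0,0 +1,113 @@
+.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
+.\"
+.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
+.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 28 2008 $
+.Dt PFLOW 4
+.Os
+.Sh NAME
+.Nm pflow
+.Nd kernel interface for pflow data export
+.Sh SYNOPSIS
+.Cd "pseudo-device pflow"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device which exports
+.Nm
+accounting data from the kernel using
+.Xr udp 4
+packets.
+.Nm
+is compatible with netflow v5.
+The data is extracted from the
+.Xr pf 4
+state table.
+.Pp
+Multiple
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig pflow Ns Ar N Ic create
+command.
+Each interface must be configured with a flow receiver IP address and
+port number.
+.Pp
+Only states created by a rule marked with the
+.Ar pflow
+keyword are exported by the
+.Nm
+interface.
+.Pp
+The
+.Nm
+interface will attempt to export multiple
+.Nm
+records in one
+UDP packet, but will not hold a record for longer than 30 seconds.
+The packet size and thus the maximum number of flows is controlled by the
+.Cm mtu
+parameter of
+.Xr ifconfig 8 .
+.Pp
+Each packet seen on this interface has one header and a variable number of
+flows.
+The header indicates the version of the protocol, number of
+flows in the packet, a unique sequence number, system time, and an engine
+ID and type.
+Header and flow structs are defined in
+.Aq Pa net/if_pflow.h .
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface and packets sent out to the flow receiver.
+That is, a packet with 30 flows on
+.Nm
+means that the same 30 flows were sent out to the receiver.
+.Pp
+The
+.Nm
+source and destination addresses are controlled by
+.Xr ifconfig 8 .
+.Cm flowsrc
+is the sender IP address of the UDP packet which can be used
+to identify the source of the data on the
+.Nm
+collector.
+.Cm flowdst
+defines the collector IP address and the port.
+The
+.Cm flowdst
+IP address and port must be defined to enable the export of flows.
+.Pp
+For example, the following command sets 10.0.0.1 as the source
+and 10.0.0.2:1234 as destination:
+.Bd -literal -offset indent
+# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
+.Ed
+.Sh SEE ALSO
+.Xr netintro 4 ,
+.Xr pf 4 ,
+.Xr udp 4 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Ox 4.5 .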


@ -1,4 +1,4 @@
.\" $OpenBSD: pfsync.4,v 1.27 2008/06/03 19:51:02 jmc Exp $
.\" $OpenBSD: pfsync.4,v 1.26 2007/09/20 20:50:07 mpf Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@ -29,7 +29,7 @@
.Os
.Sh NAME
.Nm pfsync
.Nd packet filter state table logging interface
.Nd packet filter state table sychronisation interface
.Sh SYNOPSIS
.Cd "pseudo-device pfsync"
.Sh DESCRIPTION
@ -45,18 +45,18 @@ on the
interface.
If configured with a physical synchronisation interface,
.Nm
will also send state changes out on that interface using IP multicast,
will also send state changes out on that interface,
and insert state changes received on that interface from other systems
into the state table.
.Pp
By default, all local changes to the state table are exposed via
.Nm .
However, state changes from packets received by
State changes from packets received by
.Nm
over the network are not rebroadcast.
States created by a rule marked with the
Updates to states created by a rule marked with the
.Ar no-sync
keyword are omitted from the
keyword are ignored by the
.Nm
interface (see
.Xr pf.conf 5
@ -64,33 +64,19 @@ for details).
.Pp
The
.Nm
interface will attempt to collapse multiple updates of the same
state into one message where possible.
The maximum number of times this can be done before the update is sent out
is controlled by the
interface will attempt to collapse multiple state updates into a single
packet where possible.
The maximum number of times a single state can be updated before a
.Nm
packet will be sent out is controlled by the
.Ar maxupd
parameter to ifconfig
(see
.Xr ifconfig 8
and the example below for more details).
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFSYNC_HDRLEN .
The header indicates the version of the protocol, address family,
action taken on the following states, and the number of state
table entries attached in this packet.
This structure is defined in
.Aq Pa net/if_pfsync.h
as:
.Bd -literal -offset indent
struct pfsync_header {
u_int8_t version;
u_int8_t af;
u_int8_t action;
u_int8_t count;
};
.Ed
The sending out of a
.Nm
packet will be delayed by a maximum of one second.
.Sh NETWORK SYNCHRONISATION
States can be synchronised between two or more firewalls using this
interface, by specifying a synchronisation interface using
@ -102,14 +88,15 @@ interface:
.Ed
.Pp
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group
used is 224.0.0.240.
When a peer address is specified using the
interface using IP multicast packets to the 244.0.0.240 group address.
An alternative destination address for
.Nm
packets can be specified using the
.Ic syncpeer
keyword, the peer address is used as a destination for the pfsync traffic,
and the traffic can then be protected using
.Xr ipsec 4 .
keyword.
This can be used in combination with
.Xr ipsec 4
to protect the synchronisation traffic.
In such a configuration, the syncdev should be set to the
.Xr enc 4
interface, as this is where the traffic arrives when it is decapsulated,
@ -125,27 +112,15 @@ Either run the pfsync protocol on a trusted network \- ideally a network
dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
.Xr ipsec 4 .
.Pp
There is a one-to-one correspondence between packets seen by
.Xr bpf 4
on the
.Nm
interface, and packets sent out on the synchronisation interface, i.e.\&
a packet with 4 state deletion messages on
.Nm
means that the same 4 deletions were sent out on the synchronisation
interface.
However, the actual packet contents may differ as the messages
sent over the network are "compressed" where possible, containing
only the necessary information.
.Sh EXAMPLES
.Nm
and
.Xr carp 4
can be used together to provide automatic failover of a pair of firewalls
configured in parallel.
One firewall handles all traffic \- if it dies or
is shut down, the second firewall takes over automatically.
One firewall will handle all traffic until it dies, is shut down, or is
manually demoted, at which point the second firewall will take over
automatically.
.Pp
Both firewalls in this example have three
.Xr sis 4
@ -203,8 +178,8 @@ pass quick on { sis2 } proto pfsync keep state (no-sync)
pass on { sis0 sis1 } proto carp keep state (no-sync)
.Ed
.Pp
If it is preferable that one firewall handle the traffic,
the
It is preferable that one firewall handle the forwarding of all the traffic,
therefore the
.Ar advskew
on the backup firewall's
.Xr carp 4
@ -243,3 +218,11 @@ The
.Nm
device first appeared in
.Ox 3.3 .
.Pp
The
.Nm
protocol and kernel implementation were significantly modified between
.Ox 4.4
and
.Ox 4.5 .
The two protocols are incompatible and will not interoperate.


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
# $OpenBSD: Makefile,v 1.18 2006/10/28 14:29:05 mcbride Exp $
PROG= pfctl
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c


@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.549 2008/07/03 16:09:34 deraadt Exp $ */
/* $OpenBSD: parse.y,v 1.554 2008/10/17 12:59:53 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -153,7 +153,8 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };
PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY,
PF_STATE_OPT_PFLOW };
enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
@ -293,7 +294,8 @@ struct pool_opts {
} pool_opts;
struct node_hfsc_opts hfsc_opts;
struct node_hfsc_opts hfsc_opts;
struct node_state_opt *keep_state_defaults = NULL;
int disallow_table(struct node_host *, const char *);
int disallow_urpf_failed(struct node_host *, const char *);
@ -442,8 +444,8 @@ int parseport(char *, struct range *r, int);
%token QUEUE PRIORITY QLIMIT RTABLE
%token LOAD RULESET_OPTIMIZATION
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY ROUTE SETTOS
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
%token DIVERTTO DIVERTREPLY
%token <v.string> STRING
%token <v.number> NUMBER
@ -552,7 +554,7 @@ optimizer : string {
else if (!strcmp($1, "profile"))
$$ = PF_OPTIMIZE_BASIC | PF_OPTIMIZE_PROFILE;
else {
yyerror("unknown ruleset-optimization %s", $$);
yyerror("unknown ruleset-optimization %s", $1);
YYERROR;
}
}
@ -670,6 +672,13 @@ option : SET OPTIMIZATION STRING {
YYERROR;
}
}
| SET STATEDEFAULTS state_opt_list {
if (keep_state_defaults != NULL) {
yyerror("cannot redefine state-defaults");
YYERROR;
}
keep_state_defaults = $3;
}
;
stringall : STRING { $$ = $1; }
@ -1245,6 +1254,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
r.action = PF_DROP;
r.direction = PF_IN;
r.log = $2.log;
r.logif = $2.logif;
r.quick = $2.quick;
r.af = $4;
if (rule_label(&r, $5.label))
@ -1265,7 +1275,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
}
;
antispoof_ifspc : FOR antispoof_if { $$ = $2; }
antispoof_ifspc : FOR antispoof_if { $$ = $2; }
| FOR '{' optnl antispoof_iflst '}' { $$ = $4; }
;
@ -1277,8 +1287,8 @@ antispoof_iflst : antispoof_if optnl { $$ = $1; }
}
;
antispoof_if : if_item { $$ = $1; }
| '(' if_item ')' {
antispoof_if : if_item { $$ = $1; }
| '(' if_item ')' {
$2->dynamic = 1;
$$ = $2;
}
@ -1831,6 +1841,7 @@ pfrule : action dir logquick interface route af proto fromto
int srctrack = 0;
int statelock = 0;
int adaptive = 0;
int defaults = 0;
if (check_rulestate(PFCTL_STATE_FILTER))
YYERROR;
@ -1913,13 +1924,16 @@ pfrule : action dir logquick interface route af proto fromto
r.tos = $9.tos;
r.keep_state = $9.keep.action;
o = $9.keep.options;
/* 'keep state' by default on pass rules. */
if (!r.keep_state && !r.action &&
!($9.marker & FOM_KEEP))
!($9.marker & FOM_KEEP)) {
r.keep_state = PF_STATE_NORMAL;
o = keep_state_defaults;
defaults = 1;
}
o = $9.keep.options;
while (o) {
struct node_state_opt *p = o;
@ -2060,6 +2074,15 @@ pfrule : action dir logquick interface route af proto fromto
}
r.rule_flag |= PFRULE_STATESLOPPY;
break;
case PF_STATE_OPT_PFLOW:
if (r.rule_flag & PFRULE_PFLOW) {
yyerror("state pflow "
"option: multiple "
"definitions");
YYERROR;
}
r.rule_flag |= PFRULE_PFLOW;
break;
case PF_STATE_OPT_TIMEOUT:
if (o->data.timeout.number ==
PFTM_ADAPTIVE_START ||
@ -2077,7 +2100,8 @@ pfrule : action dir logquick interface route af proto fromto
o->data.timeout.seconds;
}
o = o->next;
free(p);
if (!defaults)
free(p);
}
/* 'flags S/SA' by default on stateful rules */
@ -3540,6 +3564,14 @@ state_opt_item : MAXIMUM NUMBER {
$$->next = NULL;
$$->tail = $$;
}
| PFLOW {
$$ = calloc(1, sizeof(struct node_state_opt));
if ($$ == NULL)
err(1, "state_opt_item: calloc");
$$->type = PF_STATE_OPT_PFLOW;
$$->next = NULL;
$$->tail = $$;
}
| STRING NUMBER {
int i;
@ -5255,6 +5287,7 @@ lookup(char *s)
{ "out", OUT},
{ "overload", OVERLOAD},
{ "pass", PASS},
{ "pflow", PFLOW},
{ "port", PORT},
{ "priority", PRIORITY},
{ "priq", PRIQ},
@ -5289,6 +5322,7 @@ lookup(char *s)
{ "source-hash", SOURCEHASH},
{ "source-track", SOURCETRACK},
{ "state", STATE},
{ "state-defaults", STATEDEFAULTS},
{ "state-policy", STATEPOLICY},
{ "static-port", STATICPORT},
{ "sticky-address", STICKYADDRESS},
@ -5397,11 +5431,13 @@ findeol(void)
int c;
parsebuf = NULL;
pushback_index = 0;
/* skip to either EOF or the first real EOL */
while (1) {
c = lgetc(0);
if (pushback_index)
c = pushback_buffer[--pushback_index];
else
c = lgetc(0);
if (c == '\n') {
file->lineno++;
break;
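Review bot: The new `SET STATEDEFAULTS state_opt_list` action (hunk at @ -670,6 +672,13) only rejects a second definition; it does not appear to call `check_rulestate(PFCTL_STATE_OPTION)` the way the other `SET` options in this grammar are expected to, so a `set state-defaults` written after filter rules would be accepted yet, per the `o = keep_state_defaults;` path in pfrule, would affect only the rules parsed after it. If the option is meant to be a ruleset-wide default, start the action with `if (check_rulestate(PFCTL_STATE_OPTION)) YYERROR;` so the misplacement is reported instead of silently narrowing the effect. The list stored in `keep_state_defaults` is shared by every rule that takes the defaults and is deliberately skipped by `if (!defaults) free(p);`, so a one-line comment at `keep_state_defaults = $3;`, e.g. `/* shared by every defaulted rule; never freed */`, would make that ownership explicit. The enclosing `option` production begins outside the hunk.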


@ -1,4 +1,4 @@
/* $OpenBSD: pf_print_state.c,v 1.51 2008/06/29 08:42:15 mcbride Exp $ */
/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -306,7 +306,7 @@ print_state(struct pfsync_state *s, int opts)
printf(" age %.2u:%.2u:%.2u", creation, min, sec);
sec = expire % 60;
expire /= 60;
min = s->expire % 60;
min = expire % 60;
expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
@ -325,6 +325,8 @@ print_state(struct pfsync_state *s, int opts)
printf(", rule %u", ntohl(s->rule));
if (s->state_flags & PFSTATE_SLOPPY)
printf(", sloppy");
if (s->state_flags & PFSTATE_PFLOW)
printf(", pflow");
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)


@ -1,4 +1,4 @@
.\" $OpenBSD: pfctl.8,v 1.139 2008/06/11 07:23:36 jmc Exp $
.\" $OpenBSD: pfctl.8,v 1.138 2008/06/10 20:55:02 mcbride Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.c,v 1.277 2008/07/24 10:52:43 henning Exp $ */
/* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -230,10 +230,11 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
fprintf(stderr, "[-k host | network | label | id]\n");
fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
fprintf(stderr, "\t[-k host | network | label | id] ");
fprintf(stderr, "[-o level] [-p device]\n");
fprintf(stderr, "\t[-s modifier] ");
fprintf(stderr, "[-t table -T command [address ...]] [-x level]\n");
exit(1);
}


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.h,v 1.43 2008/05/29 01:00:53 mcbride Exp $ */
/* $OpenBSD: pfctl.h,v 1.42 2007/12/05 12:01:47 chl Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_altq.c,v 1.94 2008/07/25 17:43:44 martynas Exp $ */
/* $OpenBSD: pfctl_altq.c,v 1.93 2007/10/15 02:16:35 deraadt Exp $ */
/*
* Copyright (c) 2002


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_optimize.c,v 1.18 2008/05/07 06:23:30 markus Exp $ */
/* $OpenBSD: pfctl_optimize.c,v 1.17 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_osfp.c,v 1.15 2006/12/13 05:10:15 itojun Exp $ */
/* $OpenBSD: pfctl_osfp.c,v 1.14 2006/04/08 02:13:14 ray Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>


@ -934,6 +934,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
printf("sloppy");
opts = 0;
}
if (r->rule_flag & PFRULE_PFLOW) {
if (!opts)
printf(", ");
printf("pflow");
opts = 0;
}
for (i = 0; i < PFTM_MAX; ++i)
if (r->timeout[i]) {
int j;


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_parser.h,v 1.87 2007/10/13 16:35:18 deraadt Exp $ */
/* $OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_qstats.c,v 1.31 2007/10/15 02:16:35 deraadt Exp $ */
/* $OpenBSD: pfctl_qstats.c,v 1.30 2004/04/27 21:47:32 kjc Exp $ */
/*
* Copyright (c) Henning Brauer <henning@openbsd.org>


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_radix.c,v 1.28 2007/12/05 12:01:47 chl Exp $ */
/* $OpenBSD: pfctl_radix.c,v 1.27 2005/05/21 21:03:58 henning Exp $ */
/*
* Copyright (c) 2002 Cedric Berger


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_table.c,v 1.68 2008/06/21 10:34:08 mcbride Exp $ */
/* $OpenBSD: pfctl_table.c,v 1.67 2008/06/10 20:55:02 mcbride Exp $ */
/*
* Copyright (c) 2002 Cedric Berger


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
# $OpenBSD: Makefile,v 1.6 2003/11/20 23:23:09 avsm Exp $
CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
LDADD+= -lpcap -lutil


@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 31 2007 $
.Dd $Mdocdate: January 14 2008 $
.Dt PFLOGD 8
.Os
.Sh NAME
@ -95,6 +95,13 @@ or a
.Dv SIGALRM
is received.
.Pp
.Nm
will also log the pcap statistics for the
.Xr pflog 4
interface to syslog when a
.Dv SIGUSR1
is received.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D


@ -58,7 +58,7 @@ int Debug = 0;
static int snaplen = DEF_SNAPLEN;
static int cur_snaplen = DEF_SNAPLEN;
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
char *filename = PFLOGD_LOG_FILE;
char *interface = PFLOGD_DEFAULT_IF;
@ -72,6 +72,7 @@ unsigned int delay = FLUSH_DELAY;
char *copy_argv(char * const *);
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
void log_pcap_stats(void);
int flush_buffer(FILE *);
int if_exists(char *);
int init_pcap(void);
@ -82,6 +83,7 @@ int scan_dump(FILE *, off_t);
int set_snaplen(int);
void set_suspended(int);
void sig_alrm(int);
void sig_usr1(int);
void sig_close(int);
void sig_hup(int);
void usage(void);
@ -178,6 +180,12 @@ sig_alrm(int sig)
gotsig_alrm = 1;
}
void
sig_usr1(int sig)
{
gotsig_usr1 = 1;
}
void
set_pcap_filter(void)
{
@ -550,10 +558,21 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
void
log_pcap_stats(void)
{
struct pcap_stat pstat;
if (pcap_stats(hpcap, &pstat) < 0)
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
else
logmsg(LOG_NOTICE,
"%u packets received, %u/%u dropped (kernel/pflogd)",
pstat.ps_recv, pstat.ps_drop, packets_dropped);
}
int
main(int argc, char **argv)
{
struct pcap_stat pstat;
int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
@ -648,6 +667,7 @@ main(int argc, char **argv)
signal(SIGINT, sig_close);
signal(SIGQUIT, sig_close);
signal(SIGALRM, sig_alrm);
signal(SIGUSR1, sig_usr1);
signal(SIGHUP, sig_hup);
alarm(delay);
@ -703,6 +723,11 @@ main(int argc, char **argv)
gotsig_alrm = 0;
alarm(delay);
}
if (gotsig_usr1) {
log_pcap_stats();
gotsig_usr1 = 0;
}
}
logmsg(LOG_NOTICE, "Exiting");
@ -712,13 +737,7 @@ main(int argc, char **argv)
}
purge_buffer();
if (pcap_stats(hpcap, &pstat) < 0)
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
else
logmsg(LOG_NOTICE,
"%u packets received, %u/%u dropped (kernel/pflogd)",
pstat.ps_recv, pstat.ps_drop, packets_dropped);
log_pcap_stats();
pcap_close(hpcap);
if (!Debug)
closelog();
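Review bot: `log_pcap_stats()` (hunk at @ -550,10 +558,21) carries no comment although it is now reached from two places, the SIGUSR1 branch of the main loop and the exit path; a header such as `/* Log pcap receive/drop counters to syslog; called from the main loop on SIGUSR1 and once at exit. */` would tie those call sites together for the next reader. In the main loop the flag is cleared only after the call returns, so a SIGUSR1 delivered while the stats are being written is dropped; swapping the two lines to `gotsig_usr1 = 0; log_pcap_stats();` keeps every request, though the adjacent `gotsig_alrm` block uses the same order and the loss here is harmless. `sig_usr1` mirrors `sig_alrm` and only sets a `volatile sig_atomic_t` flag, which keeps the handler async-signal-safe and leaves the syslog call to the main loop. main() continues outside the hunks.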


@ -1,4 +1,4 @@
/* $OpenBSD: pflogd.h,v 1.3 2006/01/15 16:38:04 canacar Exp $ */
/* $OpenBSD: pflogd.h,v 1.2 2004/01/15 20:15:14 canacar Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar


@ -1,4 +1,4 @@
/* $OpenBSD: privsep.c,v 1.16 2006/10/25 20:55:04 moritz Exp $ */
/* $OpenBSD: privsep.c,v 1.15 2006/03/06 10:45:56 djm Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar


@ -1,4 +1,4 @@
/* $OpenBSD: privsep_fdpass.c,v 1.5 2008/03/24 16:11:08 deraadt Exp $ */
/* $OpenBSD: privsep_fdpass.c,v 1.4 2008/03/15 16:19:02 deraadt Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
# $OpenBSD$
PROG= tftp-proxy
SRCS= tftp-proxy.c filter.c


@ -1,4 +1,4 @@
/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>


@ -1,4 +1,4 @@
/* $OpenBSD: filter.h,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>


@ -1,4 +1,4 @@
.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"


@ -1,4 +1,4 @@
/* $OpenBSD: tftp-proxy.c,v 1.6 2008/04/13 00:22:17 djm Exp $
/* $OpenBSD: tftp-proxy.c,v 1.5 2008/03/24 16:11:00 deraadt Exp $
*
* Copyright (c) 2005 DLS Internet Services
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>