Import OPENBSD_4_2_BASE
parent
d46fa87826
commit
b39deb12b6
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/pf/dist/; revision=185876 svn path=/vendor/pf/4.2/; revision=185877; tag=vendor/pf/4.2
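--- /dev/null
+++ b/authpf/Makefile
@@ -0,0 +1,11 @@
+# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
+
+PROG= authpf
+MAN= authpf.8
+BINOWN= root
+BINGRP= authpf
+BINMODE= 6555
+SRCS= authpf.c
+CFLAGS+= -Wall
+
+.include <bsd.prog.mk>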
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
|
||||
.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd January 10, 2002
|
||||
.Dd $Mdocdate$
|
||||
.Dt AUTHPF 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
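--- /dev/null
+++ b/ftp-proxy/Makefile
@@ -0,0 +1,13 @@
+# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+
+PROG= ftp-proxy
+SRCS= ftp-proxy.c filter.c
+MAN= ftp-proxy.8
+
+CFLAGS+= -I${.CURDIR}
+CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \
+-Wno-uninitialized
+LDADD+= -levent
+DPADD+= ${LIBEVENT}
+
+.include <bsd.prog.mk>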
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.c,v 1.5 2006/12/01 07:31:21 camield Exp $ */
|
||||
/* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
@ -53,7 +53,7 @@ static struct pfioc_rule pfr;
|
||||
static struct pfioc_trans pft;
|
||||
static struct pfioc_trans_e pfte[TRANS_SIZE];
|
||||
static int dev, rule_log;
|
||||
static char *qname;
|
||||
static char *qname, *tagname;
|
||||
|
||||
int
|
||||
add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
|
||||
@ -159,11 +159,12 @@ do_rollback(void)
|
||||
}
|
||||
|
||||
void
|
||||
init_filter(char *opt_qname, int opt_verbose)
|
||||
init_filter(char *opt_qname, char *opt_tagname, int opt_verbose)
|
||||
{
|
||||
struct pf_status status;
|
||||
|
||||
qname = opt_qname;
|
||||
tagname = opt_tagname;
|
||||
|
||||
if (opt_verbose == 1)
|
||||
rule_log = PF_LOG;
|
||||
@ -276,6 +277,8 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
|
||||
}
|
||||
pfr.rule.dst.port_op = PF_OP_EQ;
|
||||
pfr.rule.dst.port[0] = htons(d_port);
|
||||
if (tagname != NULL)
|
||||
strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
|
||||
|
||||
switch (rs_num) {
|
||||
case PF_RULESET_FILTER:
|
||||
|
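Review bot: The new `strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname)` in prepare_rule discards its return value, so a tag longer than the field would be silently truncated and the rule tagged with a name other than the one the operator configured. That cannot happen today only because main() in ftp-proxy.c rejects tags of PF_TAG_NAME_SIZE or more with `errx(1, "tagname too long")`, and only if pfr.rule.tagname is PF_TAG_NAME_SIZE bytes wide (not visible here); filter.c should not rely on its caller for that invariant. I would test the result, `if (strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname) >= sizeof pfr.rule.tagname)`, and fail the rule the same way prepare_rule's other error paths do. prepare_rule starts and ends outside the hunk, so I cannot see which return convention it uses.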
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
|
||||
/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
@ -26,6 +26,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
|
||||
struct sockaddr *, u_int16_t);
|
||||
int do_commit(void);
|
||||
int do_rollback(void);
|
||||
void init_filter(char *, int);
|
||||
void init_filter(char *, char *, int);
|
||||
int prepare_commit(u_int32_t);
|
||||
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $
|
||||
.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd November 28, 2004
|
||||
.Dd $Mdocdate$
|
||||
.Dt FTP-PROXY 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -22,6 +22,7 @@
|
||||
.Nd Internet File Transfer Protocol proxy daemon
|
||||
.Sh SYNOPSIS
|
||||
.Nm ftp-proxy
|
||||
.Bk -words
|
||||
.Op Fl 6Adrv
|
||||
.Op Fl a Ar address
|
||||
.Op Fl b Ar address
|
||||
@ -31,7 +32,9 @@
|
||||
.Op Fl p Ar port
|
||||
.Op Fl q Ar queue
|
||||
.Op Fl R Ar address
|
||||
.Op Fl T Ar tag
|
||||
.Op Fl t Ar timeout
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a proxy for the Internet File Transfer Protocol.
|
||||
@ -128,6 +131,10 @@ connections to another proxy.
|
||||
.It Fl r
|
||||
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
|
||||
on this RFC property.
|
||||
.It Fl T Ar tag
|
||||
Automatically tag packets passing through the
|
||||
.Xr pf 4
|
||||
rule with the name supplied.
|
||||
.It Fl t Ar timeout
|
||||
Number of seconds that the control connection can be idle, before the
|
||||
proxy will disconnect.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */
|
||||
/* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
@ -102,6 +102,7 @@ u_int16_t pick_proxy_port(void);
|
||||
void proxy_reply(int, struct sockaddr *, u_int16_t);
|
||||
void server_error(struct bufferevent *, short, void *);
|
||||
int server_parse(struct session *s);
|
||||
int allow_data_connection(struct session *s);
|
||||
void server_read(struct bufferevent *, void *);
|
||||
const char *sock_ntop(struct sockaddr *);
|
||||
void usage(void);
|
||||
@ -113,7 +114,7 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
|
||||
|
||||
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
|
||||
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
|
||||
*qname;
|
||||
*qname, *tagname;
|
||||
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
|
||||
rfc_mode, session_count, timeout, verbose;
|
||||
extern char *__progname;
|
||||
@ -149,8 +150,19 @@ client_parse(struct session *s)
|
||||
return (1);
|
||||
|
||||
if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
|
||||
linebuf[0] == 'E' || linebuf[0] == 'e')
|
||||
return (client_parse_cmd(s));
|
||||
linebuf[0] == 'E' || linebuf[0] == 'e') {
|
||||
if (!client_parse_cmd(s))
|
||||
return (0);
|
||||
|
||||
/*
|
||||
* Allow active mode connections immediately, instead of
|
||||
* waiting for a positive reply from the server. Some
|
||||
* rare servers/proxies try to probe or setup the data
|
||||
* connection before an actual transfer request.
|
||||
*/
|
||||
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT)
|
||||
return (allow_data_connection(s));
|
||||
}
|
||||
|
||||
if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
|
||||
return (client_parse_anon(s));
|
||||
@ -588,6 +600,7 @@ main(int argc, char *argv[])
|
||||
max_sessions = 100;
|
||||
qname = NULL;
|
||||
rfc_mode = 0;
|
||||
tagname = NULL;
|
||||
timeout = 24 * 3600;
|
||||
verbose = 0;
|
||||
|
||||
@ -595,7 +608,7 @@ main(int argc, char *argv[])
|
||||
id_count = 1;
|
||||
session_count = 0;
|
||||
|
||||
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
|
||||
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
|
||||
switch (ch) {
|
||||
case '6':
|
||||
ipv6_mode = 1;
|
||||
@ -640,6 +653,11 @@ main(int argc, char *argv[])
|
||||
case 'r':
|
||||
rfc_mode = 1;
|
||||
break;
|
||||
case 'T':
|
||||
if (strlen(optarg) >= PF_TAG_NAME_SIZE)
|
||||
errx(1, "tagname too long");
|
||||
tagname = optarg;
|
||||
break;
|
||||
case 't':
|
||||
timeout = strtonum(optarg, 0, 86400, &errstr);
|
||||
if (errstr)
|
||||
@ -720,7 +738,7 @@ main(int argc, char *argv[])
|
||||
freeaddrinfo(res);
|
||||
|
||||
/* Initialize pf. */
|
||||
init_filter(qname, verbose);
|
||||
init_filter(qname, tagname, verbose);
|
||||
|
||||
if (daemonize) {
|
||||
if (daemon(0, 0) == -1)
|
||||
@ -888,12 +906,26 @@ server_error(struct bufferevent *bufev, short what, void *arg)
|
||||
int
|
||||
server_parse(struct session *s)
|
||||
{
|
||||
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
|
||||
int prepared = 0;
|
||||
|
||||
if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
|
||||
goto out;
|
||||
|
||||
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
|
||||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0))
|
||||
return (allow_data_connection(s));
|
||||
|
||||
out:
|
||||
s->cmd = CMD_NONE;
|
||||
s->port = 0;
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
||||
int
|
||||
allow_data_connection(struct session *s)
|
||||
{
|
||||
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
|
||||
int prepared = 0;
|
||||
|
||||
/*
|
||||
* The pf rules below do quite some NAT rewriting, to keep up
|
||||
* appearances. Points to keep in mind:
|
||||
@ -918,8 +950,7 @@ server_parse(struct session *s)
|
||||
orig_sa = sstosa(&s->server_ss);
|
||||
|
||||
/* Passive modes. */
|
||||
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
|
||||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) {
|
||||
if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) {
|
||||
s->port = parse_port(s->cmd);
|
||||
if (s->port < MIN_PORT) {
|
||||
logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
|
||||
@ -960,8 +991,7 @@ server_parse(struct session *s)
|
||||
}
|
||||
|
||||
/* Active modes. */
|
||||
if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) &&
|
||||
strncmp("200 ", linebuf, 4) == 0) {
|
||||
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
|
||||
logmsg(LOG_INFO, "#%d active: server to client port %d"
|
||||
" via port %d", s->id, s->port, s->proxy_port);
|
||||
|
||||
@ -1011,7 +1041,6 @@ server_parse(struct session *s)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
out:
|
||||
s->cmd = CMD_NONE;
|
||||
s->port = 0;
|
||||
|
||||
@ -1088,6 +1117,6 @@ usage(void)
|
||||
{
|
||||
fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
|
||||
" [-D level] [-m maxsessions]\n [-P port]"
|
||||
" [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
|
||||
" [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname);
|
||||
exit(1);
|
||||
}
|
||||
|
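Review bot: server_parse still declares `struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;` and `int prepared = 0;` although its body now only matches the reply prefix and dispatches to allow_data_connection, so all five locals are dead and the `-Wall` build configured in ftp-proxy/Makefile will warn about them; both declaration lines should be dropped, since allow_data_connection carries its own copies. allow_data_connection's passive and active branches are now keyed on s->cmd alone, which is correct only because server_parse has already checked the "227 "/"229 " reply and client_parse the PORT/EPRT command before calling it; a one-line comment above the function stating that callers have validated the reply or command would make that contract explicit for the next maintainer. The new client_parse comment explains that active-mode rules are now inserted on the client's PORT/EPRT rather than after the server's 200 reply, so a pf rule now exists for a data connection the server may never accept until the session's timeout reclaims it; that is a deliberate behaviour change and deserves a sentence in ftp-proxy.8. The usage() string at `" [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname);` also runs past 80 columns, which style(9) asks to wrap.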
@ -1,259 +0,0 @@
|
||||
/* $OpenBSD: getline.c,v 1.16 2004/09/16 04:50:51 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1985, 1988 Regents of the University of California.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the University nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ftpcmd.y 5.24 (Berkeley) 2/25/91
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/telnet.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sysexits.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "util.h"
|
||||
|
||||
int refill_buffer(struct csiob *iobp);
|
||||
|
||||
/*
|
||||
* Refill the io buffer if we KNOW that data is available
|
||||
*
|
||||
* Returns 1 if any new data was obtained, 0 otherwise.
|
||||
*/
|
||||
|
||||
int
|
||||
refill_buffer(struct csiob *iobp)
|
||||
{
|
||||
int rqlen, rlen;
|
||||
|
||||
if (!(iobp->data_available))
|
||||
return(0);
|
||||
|
||||
if (iobp->got_eof)
|
||||
return(0);
|
||||
|
||||
/*
|
||||
* The buffer has been entirely consumed if next_byte == io_buffer_len.
|
||||
* Otherwise, there is some still-to-be-used data in io_buffer.
|
||||
* Shuffle it to the start of the buffer.
|
||||
* Note that next_byte will never exceed io_buffer_len.
|
||||
* Also, note that we MUST use bcopy because the two regions could
|
||||
* overlap (memcpy isn't defined to work properly with overlapping
|
||||
* regions).
|
||||
*/
|
||||
if (iobp->next_byte < iobp->io_buffer_len) {
|
||||
int dst_ix = 0;
|
||||
int src_ix = iobp->next_byte;
|
||||
int amount = iobp->io_buffer_len - iobp->next_byte;
|
||||
|
||||
bcopy(&iobp->io_buffer[src_ix], &iobp->io_buffer[dst_ix],
|
||||
amount);
|
||||
iobp->io_buffer_len = amount;
|
||||
} else if (iobp->next_byte == iobp->io_buffer_len)
|
||||
iobp->io_buffer_len = 0;
|
||||
else {
|
||||
syslog(LOG_ERR, "next_byte(%d) > io_buffer_len(%d)",
|
||||
iobp->next_byte, iobp->io_buffer_len);
|
||||
exit(EX_OSERR);
|
||||
}
|
||||
|
||||
iobp->next_byte = 0;
|
||||
|
||||
/* don't do tiny reads, grow first if we need to */
|
||||
rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
|
||||
if (rqlen <= 128) {
|
||||
unsigned char *tmp;
|
||||
|
||||
iobp->io_buffer_size += 128;
|
||||
tmp = realloc(iobp->io_buffer, iobp->io_buffer_size);
|
||||
if (tmp == NULL) {
|
||||
syslog(LOG_INFO, "Insufficient memory");
|
||||
exit(EX_UNAVAILABLE);
|
||||
}
|
||||
iobp->io_buffer = tmp;
|
||||
rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
|
||||
}
|
||||
|
||||
/*
|
||||
* Always leave an unused byte at the end of the buffer
|
||||
* because the debug output uses that byte from time to time
|
||||
* to ensure that something that is being printed is \0 terminated.
|
||||
*/
|
||||
rqlen -= 1;
|
||||
|
||||
doread:
|
||||
rlen = read(iobp->fd, &iobp->io_buffer[iobp->io_buffer_len], rqlen);
|
||||
iobp->data_available = 0;
|
||||
switch (rlen) {
|
||||
case -1:
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
goto doread;
|
||||
if (errno != ECONNRESET) {
|
||||
syslog(LOG_INFO, "read() failed on socket from %s (%m)",
|
||||
iobp->who);
|
||||
exit(EX_DATAERR);
|
||||
}
|
||||
/* fall through to EOF case */
|
||||
case 0:
|
||||
iobp->got_eof = 1;
|
||||
return(0);
|
||||
break;
|
||||
default:
|
||||
iobp->io_buffer_len += rlen;
|
||||
break;
|
||||
}
|
||||
return(1);
|
||||
}
|
||||
|
||||
/*
|
||||
* telnet_getline - a hacked up version of fgets to ignore TELNET escape codes.
|
||||
*
|
||||
* This code is derived from the getline routine found in the UC Berkeley
|
||||
* ftpd code.
|
||||
*
|
||||
*/
|
||||
|
||||
int
|
||||
telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough)
|
||||
{
|
||||
unsigned char ch;
|
||||
int ix;
|
||||
unsigned char tbuf[100];
|
||||
|
||||
iobp->line_buffer[0] = '\0';
|
||||
|
||||
/*
|
||||
* If the buffer is empty then refill it right away.
|
||||
*/
|
||||
if (iobp->next_byte == iobp->io_buffer_len)
|
||||
if (!refill_buffer(iobp))
|
||||
return(0);
|
||||
|
||||
/*
|
||||
* Is there a telnet command in the buffer?
|
||||
*/
|
||||
ch = iobp->io_buffer[iobp->next_byte];
|
||||
if (ch == IAC) {
|
||||
/*
|
||||
* Yes - buffer must have at least three bytes in it
|
||||
*/
|
||||
if (iobp->io_buffer_len - iobp->next_byte < 3) {
|
||||
if (!refill_buffer(iobp))
|
||||
return(0);
|
||||
if (iobp->io_buffer_len - iobp->next_byte < 3)
|
||||
return(0);
|
||||
}
|
||||
|
||||
iobp->next_byte++;
|
||||
ch = iobp->io_buffer[iobp->next_byte++];
|
||||
|
||||
switch (ch) {
|
||||
case WILL:
|
||||
case WONT:
|
||||
case DO:
|
||||
case DONT:
|
||||
tbuf[0] = IAC;
|
||||
tbuf[1] = ch;
|
||||
tbuf[2] = iobp->io_buffer[iobp->next_byte++];
|
||||
(void)send(telnet_passthrough->fd, tbuf, 3,
|
||||
telnet_passthrough->send_oob_flags);
|
||||
break;
|
||||
case IAC:
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return(1);
|
||||
} else {
|
||||
int clen;
|
||||
|
||||
/*
|
||||
* Is there a newline in the buffer?
|
||||
*/
|
||||
for (ix = iobp->next_byte; ix < iobp->io_buffer_len;
|
||||
ix += 1) {
|
||||
if (iobp->io_buffer[ix] == '\n')
|
||||
break;
|
||||
if (iobp->io_buffer[ix] == '\0') {
|
||||
syslog(LOG_INFO,
|
||||
"got NUL byte from %s - bye!",
|
||||
iobp->who);
|
||||
exit(EX_DATAERR);
|
||||
}
|
||||
}
|
||||
|
||||
if (ix == iobp->io_buffer_len) {
|
||||
if (!refill_buffer(iobp))
|
||||
return(0);
|
||||
/*
|
||||
* Empty line returned
|
||||
* will try again soon!
|
||||
*/
|
||||
return(1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Expand the line buffer if it isn't big enough. We
|
||||
* use a fudge factor of 5 rather than trying to
|
||||
* figure out exactly how to account for the '\0 \r\n' and
|
||||
* such. The correct fudge factor is 0, 1 or 2 but
|
||||
* anything higher also works. We also grow it by a
|
||||
* bunch to avoid having to do this often. Yes this is
|
||||
* nasty.
|
||||
*/
|
||||
if (ix - iobp->next_byte > iobp->line_buffer_size - 5) {
|
||||
unsigned char *tmp;
|
||||
|
||||
iobp->line_buffer_size = 256 + ix - iobp->next_byte;
|
||||
tmp = realloc(iobp->line_buffer,
|
||||
iobp->line_buffer_size);
|
||||
if (tmp == NULL) {
|
||||
syslog(LOG_INFO, "Insufficient memory");
|
||||
exit(EX_UNAVAILABLE);
|
||||
}
|
||||
iobp->line_buffer = tmp;
|
||||
}
|
||||
|
||||
/* +1 is for the newline */
|
||||
clen = (ix+1) - iobp->next_byte;
|
||||
memcpy(iobp->line_buffer, &iobp->io_buffer[iobp->next_byte],
|
||||
clen);
|
||||
iobp->next_byte += clen;
|
||||
iobp->line_buffer[clen] = '\0';
|
||||
return(1);
|
||||
}
|
||||
}
|
306
ftp-proxy/util.c
306
ftp-proxy/util.c
@ -1,306 +0,0 @@
|
||||
/* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1996-2001
|
||||
* Obtuse Systems Corporation. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the Obtuse Systems nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OBTUSE SYSTEMS AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE
|
||||
* SYSTEMS CORPORATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/file.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <net/if.h>
|
||||
#include <net/pfvar.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <sysexits.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "util.h"
|
||||
|
||||
extern int ReverseMode;
|
||||
|
||||
int Debug_Level;
|
||||
int Use_Rdns;
|
||||
in_addr_t Bind_Addr = INADDR_NONE;
|
||||
|
||||
void debuglog(int debug_level, const char *fmt, ...);
|
||||
|
||||
void
|
||||
debuglog(int debug_level, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
va_start(ap, fmt);
|
||||
|
||||
if (Debug_Level >= debug_level)
|
||||
vsyslog(LOG_DEBUG, fmt, ap);
|
||||
va_end(ap);
|
||||
}
|
||||
|
||||
int
|
||||
get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
|
||||
struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr)
|
||||
{
|
||||
struct pfioc_natlook natlook;
|
||||
socklen_t slen;
|
||||
int fd;
|
||||
|
||||
slen = sizeof(*proxy_sa_ptr);
|
||||
if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
|
||||
&slen) != 0) {
|
||||
syslog(LOG_ERR, "getsockname() failed (%m)");
|
||||
return(-1);
|
||||
}
|
||||
slen = sizeof(*client_sa_ptr);
|
||||
if (getpeername(connected_fd, (struct sockaddr *)client_sa_ptr,
|
||||
&slen) != 0) {
|
||||
syslog(LOG_ERR, "getpeername() failed (%m)");
|
||||
return(-1);
|
||||
}
|
||||
|
||||
if (ReverseMode)
|
||||
return(0);
|
||||
|
||||
/*
|
||||
* Build up the pf natlook structure.
|
||||
* Just for IPv4 right now
|
||||
*/
|
||||
memset((void *)&natlook, 0, sizeof(natlook));
|
||||
natlook.af = AF_INET;
|
||||
natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr;
|
||||
natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr;
|
||||
natlook.proto = IPPROTO_TCP;
|
||||
natlook.sport = client_sa_ptr->sin_port;
|
||||
natlook.dport = proxy_sa_ptr->sin_port;
|
||||
natlook.direction = PF_OUT;
|
||||
|
||||
/*
|
||||
* Open the pf device and lookup the mapping pair to find
|
||||
* the original address we were supposed to connect to.
|
||||
*/
|
||||
fd = open("/dev/pf", O_RDWR);
|
||||
if (fd == -1) {
|
||||
syslog(LOG_ERR, "cannot open /dev/pf (%m)");
|
||||
exit(EX_UNAVAILABLE);
|
||||
}
|
||||
|
||||
if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
|
||||
syslog(LOG_INFO,
|
||||
"pf nat lookup failed %s:%hu (%m)",
|
||||
inet_ntoa(client_sa_ptr->sin_addr),
|
||||
ntohs(client_sa_ptr->sin_port));
|
||||
close(fd);
|
||||
return(-1);
|
||||
}
|
||||
close(fd);
|
||||
|
||||
/*
|
||||
* Now jam the original address and port back into the into
|
||||
* destination sockaddr_in for the proxy to deal with.
|
||||
*/
|
||||
memset((void *)real_server_sa_ptr, 0, sizeof(struct sockaddr_in));
|
||||
real_server_sa_ptr->sin_port = natlook.rdport;
|
||||
real_server_sa_ptr->sin_addr.s_addr = natlook.rdaddr.addr32[0];
|
||||
real_server_sa_ptr->sin_len = sizeof(struct sockaddr_in);
|
||||
real_server_sa_ptr->sin_family = AF_INET;
|
||||
return(0);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Transfer one unit of data across a pair of sockets
|
||||
*
|
||||
* A unit of data is as much as we get with a single read(2) call.
|
||||
*/
|
||||
int
|
||||
xfer_data(const char *what_read,int from_fd, int to_fd, struct in_addr from,
|
||||
struct in_addr to)
|
||||
{
|
||||
int rlen, offset, xerrno, mark, flags = 0;
|
||||
char tbuf[4096];
|
||||
|
||||
/*
|
||||
* Are we at the OOB mark?
|
||||
*/
|
||||
if (ioctl(from_fd, SIOCATMARK, &mark) < 0) {
|
||||
xerrno = errno;
|
||||
syslog(LOG_ERR, "cannot ioctl(SIOCATMARK) socket from %s (%m)",
|
||||
what_read);
|
||||
errno = xerrno;
|
||||
return(-1);
|
||||
}
|
||||
if (mark)
|
||||
flags = MSG_OOB; /* Yes - at the OOB mark */
|
||||
|
||||
snarf:
|
||||
rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
|
||||
if (rlen == -1 && flags == MSG_OOB && errno == EINVAL) {
|
||||
/* OOB didn't work */
|
||||
flags = 0;
|
||||
rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
|
||||
}
|
||||
if (rlen == 0) {
|
||||
debuglog(3, "EOF on read socket");
|
||||
return(0);
|
||||
} else if (rlen == -1) {
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
goto snarf;
|
||||
xerrno = errno;
|
||||
syslog(LOG_ERR, "xfer_data (%s): failed (%m) with flags 0%o",
|
||||
what_read, flags);
|
||||
errno = xerrno;
|
||||
return(-1);
|
||||
} else {
|
||||
offset = 0;
|
||||
debuglog(3, "got %d bytes from socket", rlen);
|
||||
|
||||
while (offset < rlen) {
|
||||
int wlen;
|
||||
fling:
|
||||
wlen = send(to_fd, &tbuf[offset], rlen - offset,
|
||||
flags);
|
||||
if (wlen == 0) {
|
||||
debuglog(3, "zero-length write");
|
||||
goto fling;
|
||||
} else if (wlen == -1) {
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
goto fling;
|
||||
xerrno = errno;
|
||||
syslog(LOG_INFO, "write failed (%m)");
|
||||
errno = xerrno;
|
||||
return(-1);
|
||||
} else {
|
||||
debuglog(3, "wrote %d bytes to socket",wlen);
|
||||
offset += wlen;
|
||||
}
|
||||
}
|
||||
return(offset);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* get_backchannel_socket gets us a socket bound somewhere in a
|
||||
* particular range of ports
|
||||
*/
|
||||
int
|
||||
get_backchannel_socket(int type, int min_port, int max_port, int start_port,
|
||||
int direction, struct sockaddr_in *sap)
|
||||
{
|
||||
int count;
|
||||
|
||||
/*
|
||||
* Make sure that direction is 'defined' and that min_port is not
|
||||
* greater than max_port.
|
||||
*/
|
||||
if (direction != -1)
|
||||
direction = 1;
|
||||
|
||||
/* by default we go up by one port until we find one */
|
||||
if (min_port > max_port) {
|
||||
errno = EINVAL;
|
||||
return(-1);
|
||||
}
|
||||
|
||||
count = 1 + max_port - min_port;
|
||||
|
||||
/*
|
||||
* Pick a port we can bind to from within the range we want.
|
||||
* If the caller specifies -1 as the starting port number then
|
||||
* we pick one somewhere in the range to try.
|
||||
* This is an optimization intended to speedup port selection and
|
||||
* has NOTHING to do with security.
|
||||
*/
|
||||
if (start_port == -1)
|
||||
start_port = (arc4random() % count) + min_port;
|
||||
|
||||
if (start_port < min_port || start_port > max_port) {
|
||||
errno = EINVAL;
|
||||
return(-1);
|
||||
}
|
||||
|
||||
while (count-- > 0) {
|
||||
struct sockaddr_in sa;
|
||||
int one, fd;
|
||||
|
||||
fd = socket(AF_INET, type, 0);
|
||||
|
||||
bzero(&sa, sizeof sa);
|
||||
sa.sin_family = AF_INET;
|
||||
if (Bind_Addr == INADDR_NONE)
|
||||
if (sap == NULL)
|
||||
sa.sin_addr.s_addr = INADDR_ANY;
|
||||
else
|
||||
sa.sin_addr.s_addr = sap->sin_addr.s_addr;
|
||||
else
|
||||
sa.sin_addr.s_addr = Bind_Addr;
|
||||
|
||||
/*
|
||||
* Indicate that we want to reuse a port if it happens that the
|
||||
* port in question was a listen port recently.
|
||||
*/
|
||||
one = 1;
|
||||
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one,
|
||||
sizeof(one)) == -1)
|
||||
return(-1);
|
||||
|
||||
sa.sin_port = htons(start_port);
|
||||
|
||||
if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
|
||||
if (sap != NULL)
|
||||
*sap = sa;
|
||||
return(fd);
|
||||
}
|
||||
|
||||
if (errno != EADDRINUSE)
|
||||
return(-1);
|
||||
|
||||
/* if it's in use, try the next port */
|
||||
close(fd);
|
||||
|
||||
start_port += direction;
|
||||
if (start_port < min_port)
|
||||
start_port = max_port;
|
||||
else if (start_port > max_port)
|
||||
start_port = min_port;
|
||||
}
|
||||
errno = EAGAIN;
|
||||
return(-1);
|
||||
}
|
@ -1,68 +0,0 @@
|
||||
/* $OpenBSD: util.h,v 1.5 2005/02/24 15:49:08 dhartmei Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1996-2001
|
||||
* Obtuse Systems Corporation. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 4. Neither the name of the Obtuse Systems nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE SYSTEMS CORPORATION OR
|
||||
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
||||
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
||||
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
struct proxy_channel {
|
||||
int pc_to_fd, pc_from_fd;
|
||||
int pc_alive;
|
||||
int pc_nextbyte;
|
||||
int pc_flags;
|
||||
int pc_length;
|
||||
int pc_size;
|
||||
struct sockaddr_in pc_from_sa, pc_to_sa;
|
||||
int (*pc_filter)( void ** databuf, int datalen);
|
||||
char *pc_buffer;
|
||||
};
|
||||
|
||||
struct csiob {
|
||||
int fd;
|
||||
int line_buffer_size, io_buffer_size, io_buffer_len, next_byte;
|
||||
unsigned char *io_buffer, *line_buffer;
|
||||
struct sockaddr_in sa, real_sa;
|
||||
const char *who;
|
||||
char alive, got_eof, data_available;
|
||||
int send_oob_flags;
|
||||
};
|
||||
|
||||
extern int telnet_getline(struct csiob *iobp,
|
||||
struct csiob *telnet_passthrough);
|
||||
|
||||
extern int get_proxy_env(int fd, struct sockaddr_in *server_sa_ptr,
|
||||
struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr);
|
||||
|
||||
extern int get_backchannel_socket(int type, int min_port, int max_port,
|
||||
int start_port, int direction, struct sockaddr_in *sap);
|
||||
|
||||
extern int xfer_data(const char *what_read, int from_fd, int to_fd,
|
||||
struct in_addr from, struct in_addr to);
|
||||
|
||||
extern char *ProgName;
|
||||
|
||||
|
4
man/pf.4
4
man/pf.4
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $
|
||||
.\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
|
||||
.\"
|
||||
@ -26,7 +26,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd June 24, 2001
|
||||
.Dd $Mdocdate$
|
||||
.Dt PF 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.conf.5,v 1.376 2006/12/01 07:23:26 camield Exp $
|
||||
.\" $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002, Daniel Hartmeier
|
||||
.\" All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 19, 2002
|
||||
.Dd $Mdocdate: June 26 2007 $
|
||||
.Dt PF.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -402,9 +402,10 @@ set limit { states 20000, frags 20000, src-nodes 2000 }
|
||||
.Bl -tag -width xxxxxxxx -compact
|
||||
.It Ar none
|
||||
Disable the ruleset optimizer.
|
||||
This is the default behaviour.
|
||||
.It Ar basic
|
||||
Enable basic ruleset optimization, which does four things to improve the
|
||||
Enable basic ruleset optimization.
|
||||
This is the default behaviour.
|
||||
Basic ruleset optimization does four things to improve the
|
||||
performance of ruleset evaluations:
|
||||
.Pp
|
||||
.Bl -enum -compact
|
||||
@ -1247,7 +1248,7 @@ block all
|
||||
.Ed
|
||||
.It Ar pass
|
||||
The packet is passed;
|
||||
state is created state unless the
|
||||
state is created unless the
|
||||
.Ar no state
|
||||
option is specified.
|
||||
.El
|
||||
@ -1418,7 +1419,8 @@ This rule applies only to packets with the specified source and destination
|
||||
addresses and ports.
|
||||
.Pp
|
||||
Addresses can be specified in CIDR notation (matching netblocks), as
|
||||
symbolic host names or interface names, or as any of the following keywords:
|
||||
symbolic host names, interface names or interface group names, or as any
|
||||
of the following keywords:
|
||||
.Pp
|
||||
.Bl -tag -width xxxxxxxxxxxxxx -compact
|
||||
.It Ar any
|
||||
@ -1440,7 +1442,7 @@ the route back to the packet's source address.
|
||||
Any address that matches the given table.
|
||||
.El
|
||||
.Pp
|
||||
Interface names can have modifiers appended:
|
||||
Interface names and interface group names can have modifiers appended:
|
||||
.Pp
|
||||
.Bl -tag -width xxxxxxxxxxxx -compact
|
||||
.It Ar :network
|
||||
@ -1603,7 +1605,7 @@ Flags not specified in
|
||||
are ignored.
|
||||
For stateful connections, the default is
|
||||
.Ar flags S/SA .
|
||||
To indicate that flags should not be checkd at all, specify
|
||||
To indicate that flags should not be checked at all, specify
|
||||
.Ar flags any .
|
||||
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
|
||||
.Bl -tag -width Fl
|
||||
@ -1687,13 +1689,14 @@ pass all tos 0x10
|
||||
pass all tos 16
|
||||
.Ed
|
||||
.It Ar allow-opts
|
||||
By default, packets which contain IP options are blocked.
|
||||
By default, IPv4 packets with IP options or IPv6 packets with routing
|
||||
extension headers are blocked.
|
||||
When
|
||||
.Ar allow-opts
|
||||
is specified for a
|
||||
.Ar pass
|
||||
rule, packets that pass the filter based on that rule (last matching)
|
||||
do so even if they contain IP options.
|
||||
do so even if they contain IP options or routing extension headers.
|
||||
For packets that match state, the rule that initially created the
|
||||
state is used.
|
||||
The implicit
|
||||
@ -1914,7 +1917,7 @@ pool options.
|
||||
Note that by default these associations are destroyed as soon as there are
|
||||
no longer states which refer to them; in order to make the mappings last
|
||||
beyond the lifetime of the states, increase the global options with
|
||||
.Ar set timeout source-track
|
||||
.Ar set timeout src.track .
|
||||
See
|
||||
.Sx STATEFUL TRACKING OPTIONS
|
||||
for more ways to control the source tracking.
|
||||
@ -2759,7 +2762,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
|
||||
[ "state-policy" ( "if-bound" | "floating" ) ]
|
||||
[ "require-order" ( "yes" | "no" ) ]
|
||||
[ "fingerprints" filename ] |
|
||||
[ "skip on" ( interface-name | "{" interface-list "}" ) ] |
|
||||
[ "skip on" ifspec ] |
|
||||
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
|
||||
|
||||
pf-rule = action [ ( "in" | "out" ) ]
|
||||
@ -2801,8 +2804,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
|
||||
[ portspec ] [ pooltype ] ]
|
||||
|
||||
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
|
||||
"for" ( interface-name | "{" interface-list "}" )
|
||||
[ af ] [ "label" string ]
|
||||
"for" ifspec [ af ] [ "label" string ]
|
||||
|
||||
table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
|
||||
tableopts-list = tableopts-list tableopts | tableopts
|
||||
@ -2810,8 +2812,8 @@ tableopts = "persist" | "const" | "file" string |
|
||||
"{" [ tableaddr-list ] "}"
|
||||
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
|
||||
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
|
||||
tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
|
||||
interface-name | "self"
|
||||
tableaddr = hostname | ifspec | "self" |
|
||||
ipv4-dotted-quad | ipv6-coloned-hex
|
||||
|
||||
altq-rule = "altq on" interface-name queueopts-list
|
||||
"queue" subqueue
|
||||
@ -2842,8 +2844,10 @@ return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
|
||||
icmpcode = ( icmp-code-name | icmp-code-number )
|
||||
icmp6code = ( icmp6-code-name | icmp6-code-number )
|
||||
|
||||
ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
|
||||
interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
|
||||
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
|
||||
"{" interface-list "}"
|
||||
interface-list = [ "!" ] ( interface-name | interface-group )
|
||||
[ [ "," ] interface-list ]
|
||||
route = ( "route-to" | "reply-to" | "dup-to" )
|
||||
( routehost | "{" routehost-list "}" )
|
||||
[ pooltype ]
|
||||
@ -2863,8 +2867,9 @@ ipspec = "any" | host | "{" host-list "}"
|
||||
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
|
||||
redirhost = address [ "/" mask-bits ]
|
||||
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
|
||||
address = ( interface-name | "(" interface-name ")" | hostname |
|
||||
ipv4-dotted-quad | ipv6-coloned-hex )
|
||||
address = ( interface-name | interface-group |
|
||||
"(" ( interface-name | interface-group ) ")" |
|
||||
hostname | ipv4-dotted-quad | ipv6-coloned-hex )
|
||||
host-list = host [ [ "," ] host-list ]
|
||||
redirhost-list = redirhost [ [ "," ] redirhost-list ]
|
||||
routehost-list = routehost [ [ "," ] routehost-list ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
|
||||
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
|
||||
.\"
|
||||
@ -13,7 +13,7 @@
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.Dd August 18, 2003
|
||||
.Dd $Mdocdate$
|
||||
.Dt PF.OS 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
|
||||
.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Tobias Weingartner
|
||||
.\" All rights reserved.
|
||||
@ -23,7 +23,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd December 10, 2001
|
||||
.Dd $Mdocdate$
|
||||
.Dt PFLOG 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pfsync.4,v 1.24 2006/10/23 07:05:49 jmc Exp $
|
||||
.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Michael Shalayeff
|
||||
.\" Copyright (c) 2003-2004 Ryan McBride
|
||||
@ -24,7 +24,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 29, 2002
|
||||
.Dd $Mdocdate$
|
||||
.Dt PFSYNC 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
pfctl/Makefile
@ -0,0 +1,18 @@
|
||||
# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
|
||||
|
||||
PROG= pfctl
|
||||
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
|
||||
SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
|
||||
SRCS+= pfctl_optimize.c pf_ruleset.c
|
||||
CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
|
||||
CFLAGS+= -Wstrict-prototypes -I${.CURDIR}
|
||||
YFLAGS=
|
||||
MAN= pfctl.8
|
||||
|
||||
# Ruleset and Anchor handling
|
||||
.PATH: ${.CURDIR}/../../sys/net
|
||||
|
||||
LDADD+= -lm
|
||||
DPADD+= ${LIBM}
|
||||
|
||||
.include <bsd.prog.mk>
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */
|
||||
/* $OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
@ -425,7 +425,7 @@ typedef struct {
|
||||
%type <v.number> tos not yesno
|
||||
%type <v.i> no dir af fragcache optimizer
|
||||
%type <v.i> sourcetrack flush unaryop statelock
|
||||
%type <v.b> action nataction natpass scrubaction
|
||||
%type <v.b> action nataction natpasslog scrubaction
|
||||
%type <v.b> flags flag blockspec
|
||||
%type <v.range> port rport
|
||||
%type <v.hashkey> hashkey
|
||||
@ -3439,12 +3439,13 @@ redirection : /* empty */ { $$ = NULL; }
|
||||
}
|
||||
;
|
||||
|
||||
natpass : /* empty */ { $$.b1 = $$.b2 = 0; }
|
||||
| PASS { $$.b1 = 1; $$.b2 = 0; }
|
||||
natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
|
||||
| PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
|
||||
| PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
|
||||
| log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; }
|
||||
;
|
||||
|
||||
nataction : no NAT natpass {
|
||||
nataction : no NAT natpasslog {
|
||||
if ($1 && $3.b1) {
|
||||
yyerror("\"pass\" not valid with \"no\"");
|
||||
YYERROR;
|
||||
@ -3457,7 +3458,7 @@ nataction : no NAT natpass {
|
||||
$$.w = $3.b2;
|
||||
$$.w2 = $3.w2;
|
||||
}
|
||||
| no RDR natpass {
|
||||
| no RDR natpasslog {
|
||||
if ($1 && $3.b1) {
|
||||
yyerror("\"pass\" not valid with \"no\"");
|
||||
YYERROR;
|
||||
@ -3631,7 +3632,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
|
||||
}
|
||||
;
|
||||
|
||||
binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
|
||||
binatrule : no BINAT natpasslog interface af proto FROM host TO ipspec tag
|
||||
tagged rtable redirection
|
||||
{
|
||||
struct pf_rule binat;
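Review bot: The new `log` alternative of `natpasslog` can now be combined with `no` (e.g. `no nat log`), but the `nataction` actions still only reject `pass` with `no`, so a log flag on a `no nat` / `no rdr` rule is accepted and copied into `$$.w` without any diagnostic. If logging has no meaning for negated translation rules, add a parallel check right after the existing one: `if ($1 && $3.b2) { yyerror("\"log\" not valid with \"no\""); YYERROR; }`; if it does have meaning, a one-line comment saying so would stop the next reader from asking the same question. The same applies to the `binatrule` hunk, whose action body continues past the end of the hunk. I cannot see from here how the kernel treats a log flag on PF_NONAT rules, so treat this as a question rather than a confirmed bug.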
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */
|
||||
/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
@ -151,7 +151,7 @@ print_name(struct pf_addr *addr, sa_family_t af)
|
||||
}
|
||||
|
||||
void
|
||||
print_host(struct pf_state_host *h, sa_family_t af, int opts)
|
||||
print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
|
||||
{
|
||||
u_int16_t p = ntohs(h->port);
|
||||
|
||||
@ -180,7 +180,7 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
|
||||
}
|
||||
|
||||
void
|
||||
print_seq(struct pf_state_peer *p)
|
||||
print_seq(struct pfsync_state_peer *p)
|
||||
{
|
||||
if (p->seqdiff)
|
||||
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
|
||||
@ -190,9 +190,9 @@ print_seq(struct pf_state_peer *p)
|
||||
}
|
||||
|
||||
void
|
||||
print_state(struct pf_state *s, int opts)
|
||||
print_state(struct pfsync_state *s, int opts)
|
||||
{
|
||||
struct pf_state_peer *src, *dst;
|
||||
struct pfsync_state_peer *src, *dst;
|
||||
struct protoent *p;
|
||||
int min, sec;
|
||||
|
||||
@ -203,7 +203,7 @@ print_state(struct pf_state *s, int opts)
|
||||
src = &s->dst;
|
||||
dst = &s->src;
|
||||
}
|
||||
printf("%s ", s->u.ifname);
|
||||
printf("%s ", s->ifname);
|
||||
if ((p = getprotobynumber(s->proto)) != NULL)
|
||||
printf("%s ", p->p_name);
|
||||
else
|
||||
@ -278,20 +278,23 @@ print_state(struct pf_state *s, int opts)
|
||||
s->expire /= 60;
|
||||
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
|
||||
printf(", %llu:%llu pkts, %llu:%llu bytes",
|
||||
s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
|
||||
if (s->anchor.nr != -1)
|
||||
printf(", anchor %u", s->anchor.nr);
|
||||
if (s->rule.nr != -1)
|
||||
printf(", rule %u", s->rule.nr);
|
||||
if (s->src_node != NULL)
|
||||
pf_state_counter_from_pfsync(s->packets[0]),
|
||||
pf_state_counter_from_pfsync(s->packets[1]),
|
||||
pf_state_counter_from_pfsync(s->bytes[0]),
|
||||
pf_state_counter_from_pfsync(s->bytes[1]));
|
||||
if (s->anchor != -1)
|
||||
printf(", anchor %u", s->anchor);
|
||||
if (s->rule != -1)
|
||||
printf(", rule %u", s->rule);
|
||||
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
|
||||
printf(", source-track");
|
||||
if (s->nat_src_node != NULL)
|
||||
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
|
||||
printf(", sticky-address");
|
||||
printf("\n");
|
||||
}
|
||||
if (opts & PF_OPT_VERBOSE2) {
|
||||
printf(" id: %016llx creatorid: %08x%s\n",
|
||||
betoh64(s->id), ntohl(s->creatorid),
|
||||
pf_state_counter_from_pfsync(s->id), ntohl(s->creatorid),
|
||||
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
|
||||
}
|
||||
}
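Review bot: `s->anchor` and `s->rule` are compared with -1 and printed with `%u` as raw values, while `s->creatorid` two lines further down goes through `ntohl()`; if `pfsync_state` carries `rule` and `anchor` in network byte order like `creatorid` (the struct definition is not visible here), both the sentinel test and the printed rule numbers are wrong on little-endian hosts. I would convert once and use the converted value: `if (ntohl(s->anchor) != -1) printf(", anchor %u", ntohl(s->anchor));` and likewise for `rule`. Separately, the return value of `pf_state_counter_from_pfsync()` is passed to `%llu` / `%016llx` with no cast, which is only well-defined if it returns an `unsigned long long`-compatible 64-bit type; an explicit cast or a comment on the helper would make that contract visible. print_state's body starts and ends outside these hunks.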
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
|
||||
.\" $OpenBSD: pfctl.8,v 1.133 2007/07/01 11:38:51 henning Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
|
||||
.\"
|
||||
@ -24,7 +24,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 20, 2002
|
||||
.Dd $Mdocdate: May 31 2007 $
|
||||
.Dt PFCTL 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -42,14 +42,14 @@
|
||||
.Op Fl i Ar interface
|
||||
.Op Fl K Ar host | network
|
||||
.Op Fl k Ar host | network
|
||||
.Op Fl o Op Ar level
|
||||
.Op Fl o Ar level
|
||||
.Op Fl p Ar device
|
||||
.Op Fl s Ar modifier
|
||||
.Oo
|
||||
.Fl t Ar table
|
||||
.Xo
|
||||
.Oo Fl t Ar table
|
||||
.Fl T Ar command
|
||||
.Op Ar address ...
|
||||
.Oc
|
||||
.Op Ar address ... Oc
|
||||
.Xc
|
||||
.Op Fl x Ar level
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
@ -209,7 +209,7 @@ Flush the NAT rules.
|
||||
Flush the queue rules.
|
||||
.It Fl F Cm rules
|
||||
Flush the filter rules.
|
||||
.It Fl F Cm state
|
||||
.It Fl F Cm states
|
||||
Flush the state table (NAT and filter).
|
||||
.It Fl F Cm Sources
|
||||
Flush the source tracking table.
|
||||
@ -296,58 +296,20 @@ Do not actually load rules, just parse them.
|
||||
.It Fl O
|
||||
Load only the options present in the rule file.
|
||||
Other rules and options are ignored.
|
||||
.It Fl o Op Ar level
|
||||
Control the ruleset optimizer.
|
||||
The ruleset optimizer attempts to improve rulesets by removing rule
|
||||
duplication and making better use of rule ordering.
|
||||
.It Fl o Ar level
|
||||
Control the ruleset optimizer, overriding any rule file settings.
|
||||
.Pp
|
||||
.Bl -tag -width xxxxxxxxxxxx -compact
|
||||
.It Fl o Cm none
|
||||
Disable the ruleset optimizer.
|
||||
.It Fl o Cm basic
|
||||
Enable basic ruleset optimizations.
|
||||
This is the default behaviour.
|
||||
.It Fl o Cm profile
|
||||
Enable basic ruleset optimizations with profiling.
|
||||
.El
|
||||
.Pp
|
||||
.Cm basic
|
||||
optimization does does four things:
|
||||
.Pp
|
||||
.Bl -enum -compact
|
||||
.It
|
||||
remove duplicate rules
|
||||
.It
|
||||
remove rules that are a subset of another rule
|
||||
.It
|
||||
combine multiple rules into a table when advantageous
|
||||
.It
|
||||
re-order the rules to improve evaluation performance
|
||||
.El
|
||||
.Pp
|
||||
If
|
||||
.Cm profile
|
||||
is specified, the currently loaded ruleset will be examined as a feedback
|
||||
profile to tailor the optimization of the
|
||||
.Ar quick
|
||||
rules to the actual network behavior.
|
||||
.Pp
|
||||
It is important to note that the ruleset optimizer will modify the ruleset
|
||||
to improve performance.
|
||||
A side effect of the ruleset modification is that per-rule accounting
|
||||
statistics will have different meanings than before.
|
||||
If per-rule accounting is important for billing purposes or whatnot, either
|
||||
the ruleset optimizer should not be used or a
|
||||
.Ar label
|
||||
field should be added to all of the accounting rules to act as optimization
|
||||
barriers.
|
||||
.Pp
|
||||
To retain compatibility with previous behaviour, a single
|
||||
.Fl o
|
||||
without any options will enable
|
||||
.Cm basic
|
||||
optimizations, and a second
|
||||
.Fl o
|
||||
will enable profiling.
|
||||
For further information on the ruleset optimizer, see
|
||||
.Xr pf.conf 5 .
|
||||
.It Fl p Ar device
|
||||
Use the device file
|
||||
.Ar device
|
||||
@ -402,7 +364,7 @@ If
|
||||
.Fl v
|
||||
is specified, all anchors attached under the target anchor will be
|
||||
displayed recursively.
|
||||
.It Fl s Cm state
|
||||
.It Fl s Cm states
|
||||
Show the contents of the state table.
|
||||
.It Fl s Cm Sources
|
||||
Show the contents of the source tracking table.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
|
||||
/* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
@ -201,11 +201,11 @@ static const struct {
|
||||
|
||||
static const char *clearopt_list[] = {
|
||||
"nat", "queue", "rules", "Sources",
|
||||
"state", "info", "Tables", "osfp", "all", NULL
|
||||
"states", "info", "Tables", "osfp", "all", NULL
|
||||
};
|
||||
|
||||
static const char *showopt_list[] = {
|
||||
"nat", "queue", "rules", "Anchors", "Sources", "state", "info",
|
||||
"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
|
||||
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
|
||||
"all", NULL
|
||||
};
|
||||
@ -220,7 +220,7 @@ static const char *debugopt_list[] = {
|
||||
};
|
||||
|
||||
static const char *optiopt_list[] = {
|
||||
"o", "none", "basic", "profile", NULL
|
||||
"none", "basic", "profile", NULL
|
||||
};
|
||||
|
||||
void
|
||||
@ -231,8 +231,8 @@ usage(void)
|
||||
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
|
||||
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
|
||||
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
|
||||
fprintf(stderr, "[-k host | network ]\n");
|
||||
fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
|
||||
fprintf(stderr, "[-k host | network]\n");
|
||||
fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
|
||||
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
|
||||
exit(1);
|
||||
}
|
||||
@ -998,7 +998,7 @@ int
|
||||
pfctl_show_states(int dev, const char *iface, int opts)
|
||||
{
|
||||
struct pfioc_states ps;
|
||||
struct pf_state *p;
|
||||
struct pfsync_state *p;
|
||||
char *inbuf = NULL, *newinbuf = NULL;
|
||||
unsigned len = 0;
|
||||
int i, dotitle = (opts & PF_OPT_SHOWALL);
|
||||
@ -1029,7 +1029,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
|
||||
}
|
||||
p = ps.ps_states;
|
||||
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
|
||||
if (iface != NULL && strcmp(p->u.ifname, iface))
|
||||
if (iface != NULL && strcmp(p->ifname, iface))
|
||||
continue;
|
||||
if (dotitle) {
|
||||
pfctl_print_title("STATES:");
|
||||
@ -1954,7 +1954,7 @@ main(int argc, char *argv[])
|
||||
int ch;
|
||||
int mode = O_RDONLY;
|
||||
int opts = 0;
|
||||
int optimize = 0;
|
||||
int optimize = PF_OPTIMIZE_BASIC;
|
||||
char anchorname[MAXPATHLEN];
|
||||
char *path;
|
||||
FILE *fin = NULL;
|
||||
@ -1963,7 +1963,7 @@ main(int argc, char *argv[])
|
||||
usage();
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
"a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
|
||||
"a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) {
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
anchoropt = optarg;
|
||||
@ -2039,24 +2039,11 @@ main(int argc, char *argv[])
|
||||
loadopt |= PFCTL_FLAG_FILTER;
|
||||
break;
|
||||
case 'o':
|
||||
if (optarg) {
|
||||
optiopt = pfctl_lookup_option(optarg,
|
||||
optiopt_list);
|
||||
if (optiopt == NULL) {
|
||||
warnx("Unknown optimization '%s'",
|
||||
optarg);
|
||||
usage();
|
||||
}
|
||||
optiopt = pfctl_lookup_option(optarg, optiopt_list);
|
||||
if (optiopt == NULL) {
|
||||
warnx("Unknown optimization '%s'", optarg);
|
||||
usage();
|
||||
}
|
||||
if (opts & PF_OPT_OPTIMIZE) {
|
||||
if (optiopt != NULL) {
|
||||
warnx("Cannot specify -o multiple times"
|
||||
"with optimizer level");
|
||||
usage();
|
||||
}
|
||||
optimize |= PF_OPTIMIZE_PROFILE;
|
||||
}
|
||||
optimize |= PF_OPTIMIZE_BASIC;
|
||||
opts |= PF_OPT_OPTIMIZE;
|
||||
break;
|
||||
case 'O':
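Review bot: The `-o` case no longer rejects a repeated option, so `pfctl -o profile -o none` silently keeps the last level, and nothing in the hunk or the usage string says that is intended. If last-wins is the design, a comment such as `/* a later -o overrides an earlier one */` next to the lookup documents it; otherwise restore a guard before the assignment, `if (optiopt != NULL) { warnx("-o specified more than once"); usage(); }`. Note also that `optimize` now defaults to `PF_OPTIMIZE_BASIC` and the option parser no longer touches it, so the mapping from `optiopt` to `optimize` must happen in code outside this hunk — presumably after getopt — which I cannot verify from here. main() continues past the end of the hunk.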
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */
|
||||
/* $OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
@ -112,9 +112,9 @@ struct pf_altq *pfaltq_lookup(const char *);
|
||||
char *rate2str(double);
|
||||
|
||||
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
|
||||
void print_host(struct pf_state_host *, sa_family_t, int);
|
||||
void print_seq(struct pf_state_peer *);
|
||||
void print_state(struct pf_state *, int);
|
||||
void print_host(struct pfsync_state_host *, sa_family_t, int);
|
||||
void print_seq(struct pfsync_state_peer *);
|
||||
void print_state(struct pfsync_state *, int);
|
||||
int unmask(struct pf_addr *, sa_family_t);
|
||||
|
||||
int pfctl_cmdline_symset(char *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */
|
||||
/* $OpenBSD: pfctl_altq.c,v 1.92 2007/05/27 05:15:17 claudio Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002
|
||||
@ -1091,8 +1091,6 @@ getifspeed(char *ifname)
|
||||
ifr.ifr_data = (caddr_t)&ifrdat;
|
||||
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
|
||||
err(1, "SIOCGIFDATA");
|
||||
if (shutdown(s, SHUT_RDWR) == -1)
|
||||
err(1, "shutdown");
|
||||
if (close(s))
|
||||
err(1, "close");
|
||||
return ((u_int32_t)ifrdat.ifi_baudrate);
|
||||
@ -1112,8 +1110,6 @@ getifmtu(char *ifname)
|
||||
errx(1, "getifmtu: strlcpy");
|
||||
if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == -1)
|
||||
err(1, "SIOCGIFMTU");
|
||||
if (shutdown(s, SHUT_RDWR) == -1)
|
||||
err(1, "shutdown");
|
||||
if (close(s))
|
||||
err(1, "close");
|
||||
if (ifr.ifr_mtu > 0)
|
||||
|
pflogd/Makefile
@ -0,0 +1,11 @@
|
||||
# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
|
||||
|
||||
CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
|
||||
LDADD+= -lpcap -lutil
|
||||
DPADD+= ${LIBPCAP} ${LIBUTIL}
|
||||
|
||||
PROG= pflogd
|
||||
SRCS= pflogd.c privsep.c privsep_fdpass.c
|
||||
MAN= pflogd.8
|
||||
|
||||
.include <bsd.prog.mk>
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
|
||||
.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
|
||||
.\"
|
||||
@ -24,7 +24,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd July 9, 2001
|
||||
.Dd $Mdocdate$
|
||||
.Dt PFLOGD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -32,12 +32,15 @@
|
||||
.Nd packet filter logging daemon
|
||||
.Sh SYNOPSIS
|
||||
.Nm pflogd
|
||||
.Bk -words
|
||||
.Op Fl Dx
|
||||
.Op Fl d Ar delay
|
||||
.Op Fl f Ar filename
|
||||
.Op Fl i Ar interface
|
||||
.Op Fl p Ar pidfile
|
||||
.Op Fl s Ar snaplen
|
||||
.Op Ar expression
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a background daemon which reads packets logged by
|
||||
@ -114,6 +117,14 @@ By default,
|
||||
.Nm
|
||||
will use
|
||||
.Ar pflog0 .
|
||||
.It Fl p Ar pidfile
|
||||
Writes a file containing the process ID of the program.
|
||||
The file name has the form
|
||||
.Pa /var/run/pidname.pid .
|
||||
If the option is not given,
|
||||
.Ar pidfile
|
||||
defaults to
|
||||
.Pa pflogd .
|
||||
.It Fl s Ar snaplen
|
||||
Analyze at most the first
|
||||
.Ar snaplen
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $ */
|
||||
/* $OpenBSD: pflogd.c,v 1.45 2007/06/06 14:11:26 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Theo de Raadt
|
||||
@ -34,6 +34,8 @@
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@ -42,6 +44,7 @@
|
||||
#include <pcap.h>
|
||||
#include <syslog.h>
|
||||
#include <signal.h>
|
||||
#include <err.h>
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
#include <fcntl.h>
|
||||
@ -70,6 +73,7 @@ char *copy_argv(char * const *);
|
||||
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
|
||||
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
|
||||
int flush_buffer(FILE *);
|
||||
int if_exists(char *);
|
||||
int init_pcap(void);
|
||||
void logmsg(int, const char *, ...);
|
||||
void purge_buffer(void);
|
||||
@ -151,8 +155,8 @@ __dead void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
|
||||
fprintf(stderr, " [-i interface] [-s snaplen]\n");
|
||||
fprintf(stderr, " [expression]\n");
|
||||
fprintf(stderr, " [-i interface] [-p pidfile]\n");
|
||||
fprintf(stderr, " [-s snaplen] [expression]\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -188,6 +192,28 @@ set_pcap_filter(void)
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
if_exists(char *ifname)
|
||||
{
|
||||
int s;
|
||||
struct ifreq ifr;
|
||||
struct if_data ifrdat;
|
||||
|
||||
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
|
||||
err(1, "socket");
|
||||
bzero(&ifr, sizeof(ifr));
|
||||
if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
|
||||
sizeof(ifr.ifr_name))
|
||||
errx(1, "main ifr_name: strlcpy");
|
||||
ifr.ifr_data = (caddr_t)&ifrdat;
|
||||
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
|
||||
return (0);
|
||||
if (close(s))
|
||||
err(1, "close");
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
||||
int
|
||||
init_pcap(void)
|
||||
{
|
||||
@ -528,13 +554,16 @@ int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
struct pcap_stat pstat;
|
||||
int ch, np, Xflag = 0;
|
||||
int ch, np, ret, Xflag = 0;
|
||||
pcap_handler phandler = dump_packet;
|
||||
const char *errstr = NULL;
|
||||
char *pidf = NULL;
|
||||
|
||||
ret = 0;
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
|
||||
while ((ch = getopt(argc, argv, "Dxd:f:i:p:s:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'D':
|
||||
Debug = 1;
|
||||
@ -550,6 +579,9 @@ main(int argc, char **argv)
|
||||
case 'i':
|
||||
interface = optarg;
|
||||
break;
|
||||
case 'p':
|
||||
pidf = optarg;
|
||||
break;
|
||||
case 's':
|
||||
snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
|
||||
&errstr);
|
||||
@ -571,13 +603,21 @@ main(int argc, char **argv)
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
|
||||
/* does interface exist */
|
||||
if (!if_exists(interface)) {
|
||||
warn("Failed to initialize: %s", interface);
|
||||
logmsg(LOG_ERR, "Failed to initialize: %s", interface);
|
||||
logmsg(LOG_ERR, "Exiting, init failure");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!Debug) {
|
||||
openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
|
||||
if (daemon(0, 0)) {
|
||||
logmsg(LOG_WARNING, "Failed to become daemon: %s",
|
||||
strerror(errno));
|
||||
}
|
||||
pidfile(NULL);
|
||||
pidfile(pidf);
|
||||
}
|
||||
|
||||
tzset();
|
||||
@ -634,8 +674,15 @@ main(int argc, char **argv)
|
||||
while (1) {
|
||||
np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
|
||||
phandler, (u_char *)dpcap);
|
||||
if (np < 0)
|
||||
if (np < 0) {
|
||||
if (!if_exists(interface) == -1) {
|
||||
logmsg(LOG_NOTICE, "interface %s went away",
|
||||
interface);
|
||||
ret = -1;
|
||||
break;
|
||||
}
|
||||
logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
|
||||
}
|
||||
|
||||
if (gotsig_close)
|
||||
break;
|
||||
@ -675,5 +722,5 @@ main(int argc, char **argv)
|
||||
pcap_close(hpcap);
|
||||
if (!Debug)
|
||||
closelog();
|
||||
return (0);
|
||||
return (ret);
|
||||
}
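Review bot: In the dispatch loop, `if (!if_exists(interface) == -1)` can never be true: `!` binds tighter than `==`, so the left side is 0 or 1, and the "interface went away" message, `ret = -1` and the `break` are dead code; every `pcap_dispatch()` error is just logged and the `while (1)` loop goes round again. The intended test is `if (!if_exists(interface)) {`. In the new `if_exists()` above, the `ioctl(SIOCGIFDATA)` failure path returns 0 without closing `s`, so a persistently failing dispatch presumably leaks one descriptor per iteration until `socket()` fails and `err()` takes the daemon down; change it to `if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1) { close(s); return (0); }`. It is also worth a comment on `if_exists()` that it calls `err()`/`errx()` and so may exit the process rather than report failure, since it is now called from the long-running loop; main() continues past the last hunk.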
|
||||
|
pflogd/pidfile.c
@ -1,121 +0,0 @@
|
||||
/* $OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $ */
|
||||
/* $NetBSD: pidfile.c,v 1.4 2001/02/19 22:43:42 cgd Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1999 The NetBSD Foundation, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This code is derived from software contributed to The NetBSD Foundation
|
||||
* by Jason R. Thorpe.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the NetBSD
|
||||
* Foundation, Inc. and its contributors.
|
||||
* 4. Neither the name of The NetBSD Foundation nor the names of its
|
||||
* contributors may be used to endorse or promote products derived
|
||||
* from this software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#if defined(LIBC_SCCS) && !defined(lint)
|
||||
static const char rcsid[] = "$OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $";
|
||||
#endif /* LIBC_SCCS and not lint */
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <errno.h>
|
||||
#include <paths.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#if defined(__FreeBSD__)
|
||||
#include "pidfile.h"
|
||||
#else
|
||||
#include <util.h>
|
||||
#endif
|
||||
|
||||
static char *pidfile_path;
|
||||
static pid_t pidfile_pid;
|
||||
|
||||
static void pidfile_cleanup(void);
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
int
|
||||
pidfile(const char *basename)
|
||||
{
|
||||
FILE *f;
|
||||
int save_errno;
|
||||
pid_t pid;
|
||||
|
||||
if (basename == NULL)
|
||||
basename = __progname;
|
||||
|
||||
if (pidfile_path != NULL) {
|
||||
free(pidfile_path);
|
||||
pidfile_path = NULL;
|
||||
}
|
||||
|
||||
/* _PATH_VARRUN includes trailing / */
|
||||
(void) asprintf(&pidfile_path, "%s%s.pid", _PATH_VARRUN, basename);
|
||||
if (pidfile_path == NULL)
|
||||
return (-1);
|
||||
|
||||
if ((f = fopen(pidfile_path, "w")) == NULL) {
|
||||
save_errno = errno;
|
||||
free(pidfile_path);
|
||||
pidfile_path = NULL;
|
||||
errno = save_errno;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
pid = getpid();
|
||||
if (fprintf(f, "%ld\n", (long)pid) <= 0 || fclose(f) != 0) {
|
||||
save_errno = errno;
|
||||
(void) unlink(pidfile_path);
|
||||
free(pidfile_path);
|
||||
pidfile_path = NULL;
|
||||
errno = save_errno;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
pidfile_pid = pid;
|
||||
if (atexit(pidfile_cleanup) < 0) {
|
||||
save_errno = errno;
|
||||
(void) unlink(pidfile_path);
|
||||
free(pidfile_path);
|
||||
pidfile_path = NULL;
|
||||
pidfile_pid = 0;
|
||||
errno = save_errno;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
pidfile_cleanup(void)
|
||||
{
|
||||
|
||||
if (pidfile_path != NULL && pidfile_pid == getpid())
|
||||
(void) unlink(pidfile_path);
|
||||
}
|
@ -1 +0,0 @@
|
||||
int pidfile(const char *);
|
7
tftp-proxy/Makefile
Normal file
@ -0,0 +1,7 @@
|
||||
# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
|
||||
|
||||
PROG= tftp-proxy
|
||||
SRCS= tftp-proxy.c filter.c
|
||||
MAN= tftp-proxy.8
|
||||
|
||||
.include <bsd.prog.mk>
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
|
||||
/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
@ -297,9 +297,9 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
|
||||
pfr.rule.quick = 1;
|
||||
pfr.rule.log = rule_log;
|
||||
pfr.rule.keep_state = 1;
|
||||
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
|
||||
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
|
||||
pfr.rule.flagset = (proto == IPPROTO_TCP ?
|
||||
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
|
||||
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
|
||||
pfr.rule.max_states = 1;
|
||||
if (qname != NULL)
|
||||
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
|
||||
|
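Review bot: The new `pfr.rule.flags` / `pfr.rule.flagset` values for TCP appear to encode pf's `flags S/SAFR` idiom, which is what restricts the generated rule to a connection's initial SYN, but nothing in the code says so; replacing `NULL` with `0` is the right fix, since these fields hold integer flag bits and a null-pointer constant only happened to compile. I would add `/* TCP: match only the initial SYN (flags S/SAFR) so the state is created by the handshake, not by a mid-stream packet; 0/0 disables the flag check for non-TCP */` above the `pfr.rule.flags` line. The non-TCP branch setting both fields to 0 looks intended for the UDP traffic this proxy handles, but that reading should be confirmed and stated, because anyone copying prepare_rule into a TCP-only proxy would otherwise lose the SYN restriction silently. prepare_rule starts and ends outside the hunk, so whether `proto` is validated before this point is not visible here.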
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
|
||||
.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
|
||||
.\"
|
||||
@ -25,7 +25,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 28, 2005
|
||||
.Dd $Mdocdate$
|
||||
.Dt TFTP-PROXY 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|