This commit was generated by cvs2svn to compensate for changes in r145837,

which included commits to RCS files with non-trunk default branches.

contrib/pf/authpf/authpf.8

@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>.  All rights reserved.
 .\"
@@ -60,6 +60,10 @@ can add filter and translation rules using the syntax described in
 requires that the
 .Xr pf 4
 system be enabled before use.
+.Nm
+can also maintain the list of IP address of connected users
+in the "authpf_users"
+.Pa table .
 .Pp
 .Nm
 is meant to be used with users who can connect via
@@ -93,11 +97,16 @@ in order to cause evaluation of any
 .Nm
 rules:
 .Bd -literal -offset indent
-nat-anchor authpf
-rdr-anchor authpf
-binat-anchor authpf
-anchor authpf
+nat-anchor "authpf/*"
+rdr-anchor "authpf/*"
+binat-anchor "authpf/*"
+anchor "authpf/*"
 .Ed
+.Pp
+The "/*" at the end of the anchor name is required for
+.Xr pf 4
+to process the rulesets attached to the anchor by
+.Nm authpf .
 .Sh FILTER AND TRANSLATION RULES
 Filter and translation rules for
 .Nm
@@ -113,10 +122,14 @@ Additionally, the macro
 .Em user_id
 is assigned the user name.
 .Pp
-Filter and nat rules will first be searched for in
+Filter and translation rules are stored in a file called
+.Pa authpf.rules .
+This file will first be searched for in
 .Pa /etc/authpf/users/$USER/
 and then in
 .Pa /etc/authpf/ .
+Only one of these files will be used if both are present.
+.Pp
 Per-user rules from the
 .Pa /etc/authpf/users/$USER/
 directory are intended to be used when non-default rules
@@ -124,21 +137,11 @@ are needed on an individual user basis.
 It is important to ensure that a user can not write or change
 these configuration files.
 .Pp
-Filter and translation rules are loaded from the file
-.Pa /etc/authpf/users/$USER/authpf.rules .
-If this file does not exist the file
-.Pa /etc/authpf/authpf.rules
-is used.
 The
 .Pa authpf.rules
 file must exist in one of the above locations for
 .Nm
 to run.
-.Pp
-Translation rules are also loaded from this file.
-The use of translation rules in an
-.Pa authpf.rules
-file is optional.
 .Sh CONFIGURATION
 Options are controlled by the
 .Pa /etc/authpf/authpf.conf
@@ -154,6 +157,10 @@ Currently, the allowed values are as follows:
 Use the specified
 .Pa anchor
 name instead of "authpf".
+.It table=name
+Use the specified
+.Pa table
+name instead of "authpf_users".
 .El
 .Sh USER MESSAGES
 On successful invocation,
@@ -218,9 +225,15 @@ it becomes unresponsive, or if arp or address spoofing is used to
 hijack the session.
 Note that TCP keepalives are not sufficient for
 this, since they are not secure.
+Also note that
+.Ar AllowTcpForwarding
+should be disabled for
+.Nm
+users to prevent them from circumventing restrictions imposed by the
+packet filter ruleset.
 .Pp
 .Nm
-will remove statetable entries that were created during a user's
+will remove state table entries that were created during a user's
 session.
 This ensures that there will be no unauthenticated traffic
 allowed to pass after the controlling
@@ -391,15 +404,15 @@ Example
 # ssh and use us as a dns server.
 internal_if="fxp1"
 gateway_addr="10.0.1.1"
-nat-anchor authpf
-rdr-anchor authpf
-binat-anchor authpf
+nat-anchor "authpf/*"
+rdr-anchor "authpf/*"
+binat-anchor "authpf/*"
 block in on $internal_if from any to any
 pass in quick on $internal_if proto tcp from any to $gateway_addr \e
       port = ssh
 pass in quick on $internal_if proto udp from any to $gateway_addr \e
       port = domain
-anchor authpf
+anchor "authpf/*"
 .Ed
 .Pp
 .Sy For a switched, wired net
@@ -465,6 +478,33 @@ Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
 129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
 16384 <mss 1460,nop,nop,sackOK> (DF)
 .Ed
+.Pp
+.Sy Using the authpf_users table
+\- Simple
+.Nm
+settings can be implemented without an anchor by just using the "authpf_users"
+.Pa table .
+For example, the following
+.Xr pf.conf 5
+lines will give SMTP and IMAP access to logged in users:
+.Bd -literal
+table <authpf_users> persist
+pass in on $ext_if proto tcp from <authpf_users> \e
+        to port { smtp imap } keep state
+.Ed
+.Pp
+It is also possible to use the "authpf_users"
+.Pa table
+in combination with anchors.
+For example,
+.Xr pf 4
+processing can be sped up by looking up the anchor
+only for packets coming from logged in users:
+.Bd -literal
+table <authpf_users> persist
+anchor "authpf/*" from <authpf_users>
+rdr-anchor "authpf/*" from <authpf_users>
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
 .It Pa /etc/authpf/authpf.conf

contrib/pf/authpf/pathnames.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pathnames.h,v 1.6 2003/06/03 20:38:59 beck Exp $	*/
+/*	$OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $	*/
 
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -35,3 +35,4 @@
 #define PATH_DEVFILE		"/dev/pf"
 #define PATH_PIDFILE		"/var/authpf"
 #define PATH_AUTHPF_SHELL	"/usr/sbin/authpf"
+#define PATH_PFCTL		"/sbin/pfctl"

contrib/pf/ftp-proxy/getline.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: getline.c,v 1.15 2003/06/28 01:04:57 deraadt Exp $ */
+/*	$OpenBSD: getline.c,v 1.16 2004/09/16 04:50:51 deraadt Exp $ */
 
 /*
  * Copyright (c) 1985, 1988 Regents of the University of California.
@@ -96,7 +96,7 @@ refill_buffer(struct csiob *iobp)
 	/* don't do tiny reads, grow first if we need to */
 	rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
 	if (rqlen <= 128) {
-		char *tmp;
+		unsigned char *tmp;
 
 		iobp->io_buffer_size += 128;
 		tmp = realloc(iobp->io_buffer, iobp->io_buffer_size);
@@ -152,7 +152,7 @@ telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough)
 {
 	unsigned char ch;
 	int ix;
-	char tbuf[100];
+	unsigned char tbuf[100];
 
 	iobp->line_buffer[0] = '\0';
 
@@ -236,7 +236,7 @@ telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough)
 		 * nasty.
 		 */
 		if (ix - iobp->next_byte > iobp->line_buffer_size - 5) {
-			char *tmp;
+			unsigned char *tmp;
 
 			iobp->line_buffer_size = 256 + ix - iobp->next_byte;
 			tmp = realloc(iobp->line_buffer,

contrib/pf/ftp-proxy/util.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */
+/*	$OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
 
 /*
  * Copyright (c) 1996-2001
@@ -56,6 +56,8 @@
 
 #include "util.h"
 
+extern int ReverseMode;
+
 int Debug_Level;
 int Use_Rdns;
 in_addr_t Bind_Addr = INADDR_NONE;
@@ -75,14 +77,14 @@ debuglog(int debug_level, const char *fmt, ...)
 
 int
 get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
-    struct sockaddr_in *client_sa_ptr)
+    struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr)
 {
 	struct pfioc_natlook natlook;
 	socklen_t slen;
 	int fd;
 
-	slen = sizeof(*real_server_sa_ptr);
-	if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr,
+	slen = sizeof(*proxy_sa_ptr);
+	if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
 	    &slen) != 0) {
 		syslog(LOG_ERR, "getsockname() failed (%m)");
 		return(-1);
@@ -94,6 +96,9 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
 		return(-1);
 	}
 
+	if (ReverseMode)
+		return(0);
+
 	/*
 	 * Build up the pf natlook structure.
 	 * Just for IPv4 right now
@@ -101,10 +106,10 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
 	memset((void *)&natlook, 0, sizeof(natlook));
 	natlook.af = AF_INET;
 	natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr;
-	natlook.daddr.addr32[0] = real_server_sa_ptr->sin_addr.s_addr;
+	natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr;
 	natlook.proto = IPPROTO_TCP;
 	natlook.sport = client_sa_ptr->sin_port;
-	natlook.dport = real_server_sa_ptr->sin_port;
+	natlook.dport = proxy_sa_ptr->sin_port;
 	natlook.direction = PF_OUT;
 
 	/*

contrib/pf/ftp-proxy/util.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: util.h,v 1.3 2002/05/23 10:22:14 deraadt Exp $ */
+/*	$OpenBSD: util.h,v 1.5 2005/02/24 15:49:08 dhartmei Exp $ */
 
 /*
  * Copyright (c) 1996-2001
@@ -46,7 +46,7 @@ struct csiob {
 	int line_buffer_size, io_buffer_size, io_buffer_len, next_byte;
 	unsigned char *io_buffer, *line_buffer;
 	struct sockaddr_in sa, real_sa;
-	char *who;
+	const char *who;
 	char alive, got_eof, data_available;
 	int send_oob_flags;
 };
@@ -55,7 +55,7 @@ extern int telnet_getline(struct csiob *iobp,
     struct csiob *telnet_passthrough);
 
 extern int get_proxy_env(int fd, struct sockaddr_in *server_sa_ptr,
-    struct sockaddr_in *client_sa_ptr);
+    struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr);
 
 extern int get_backchannel_socket(int type, int min_port, int max_port,
     int start_port, int direction, struct sockaddr_in *sap);

contrib/pf/man/pf.os.5

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.os.5,v 1.5 2003/10/25 07:55:27 jmc Exp $
+.\"	$OpenBSD: pf.os.5,v 1.6 2004/03/31 11:13:03 dhartmei Exp $
 .\"
 .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
 .\"
@@ -160,7 +160,7 @@ exact same TCP options in the same order.
 .Pp
 The
 .Ar class
-field is the class, genre or vender of the operating system.
+field is the class, genre or vendor of the operating system.
 .Pp
 The
 .Ar version

contrib/pf/pfctl/pfctl.8

@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.110 2004/03/20 09:31:42 david Exp $
+.\" $OpenBSD: pfctl.8,v 1.118 2005/01/05 23:41:45 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding.  All rights reserved.
 .\"
@@ -33,17 +33,23 @@
 .Sh SYNOPSIS
 .Nm pfctl
 .Bk -words
-.Op Fl AdeghNnOqRrvz
-.Op Fl a Ar anchor Ns Op Ar :ruleset
-.Op Fl D Ar macro=value
+.Op Fl AdeghmNnOoqRrvz
+.Op Fl a Ar anchor
+.Xo
+.Oo Fl D
+.Ar macro Ns = Ns Ar value Oc
+.Xc
 .Op Fl F Ar modifier
 .Op Fl f Ar file
 .Op Fl i Ar interface
 .Op Fl k Ar host
 .Op Fl p Ar device
 .Op Fl s Ar modifier
-.Op Fl T Ar command Op Ar address ...
-.Op Fl t Ar table
+.Oo Xo
+.Fl t Ar table
+.Fl T Ar command
+.Op Ar address ... Oc
+.Xc
 .Op Fl x Ar level
 .Ek
 .Sh DESCRIPTION
@@ -72,9 +78,14 @@ supported.
 Translation rules are described in
 .Xr pf.conf 5 .
 .Pp
-When the variable pf is set to YES in
-.Xr rc.conf 8 ,
-the rule file specified with the variable pf_rules
+When the variable
+.Va pf
+is set to
+.Dv YES
+in
+.Xr rc.conf.local 8 ,
+the rule file specified with the variable
+.Va pf_rules
 is loaded automatically by the
 .Xr rc 8
 scripts and the packet filter is enabled.
@@ -85,7 +96,7 @@ Forwarding can be enabled by setting the
 variables
 .Em net.inet.ip.forwarding
 and/or
-.Em net.inet6.ip6.forwarding ,
+.Em net.inet6.ip6.forwarding
 to 1.
 Set them permanently in
 .Xr sysctl.conf 5 .
@@ -98,48 +109,59 @@ The options are as follows:
 .It Fl A
 Load only the queue rules present in the rule file.
 Other rules and options are ignored.
-.It Fl a Ar anchor Ns Op Ar :ruleset
+.It Fl a Ar anchor
 Apply flags
 .Fl f ,
-.Fl F
+.Fl F ,
 and
 .Fl s
 only to the rules in the specified
-.Ar anchor
-and optional named ruleset
-.Ar ruleset .
+.Ar anchor .
 In addition to the main ruleset,
 .Nm
-can load and manipulate additional rulesets by name.
-Named rulesets are attached at
-.Ar anchor
-points, which are also referenced by name.
+can load and manipulate additional rulesets by name,
+called anchors.
+The main ruleset is the default anchor.
+.Pp
+Anchors are referenced by name and may be nested,
+with the various components of the anchor path separated by
+.Sq /
+characters, similar to how file system hierarchies are laid out.
+The last component of the anchor path is where ruleset operations are
+performed.
+.Pp
 Evaluation of
 .Ar anchor
 rules from the main ruleset is described in
 .Xr pf.conf 5 .
-For example, to show all filter rules inside anchor
-.Li foo :
+.Pp
+For example, the following will show all filter rules (see the
+.Fl s
+flag below) inside the anchor
+.Li authpf/smith(1234) ,
+which would have been created for user smith by
+.Xr authpf 8 ,
+PID 1234:
 .Bd -literal -offset indent
-# pfctl -a foo -s rules
+# pfctl -a "authpf/smith(1234)" -s rules
 .Ed
 .Pp
-Private tables can also be put inside subrulesets, either by having table
+Private tables can also be put inside anchors, either by having table
 statements in the
 .Xr pf.conf 5
-file that is loaded in the anchor, or by using regular table commands as in:
+file that is loaded in the anchor, or by using regular table commands, as in:
 .Bd -literal -offset indent
-# pfctl -a foo:bar -t mytable -T add 1.2.3.4 5.6.7.8
+# pfctl -a foo/bar -t mytable -T add 1.2.3.4 5.6.7.8
 .Ed
 .Pp
 When a rule referring to a table is loaded in an anchor, the rule will use the
-private table if one is defined, and then fallback to the table defined in the
+private table if one is defined, and then fall back to the table defined in the
 main ruleset, if there is one.
-This is similar to C rules for variables.
+This is similar to C rules for variable scope.
 It is possible to create distinct tables with the same name in the global
 ruleset and in an anchor, but this is often bad design and a warning will be
 issued in that case.
-.It Fl D Ar macro=value
+.It Fl D Ar macro Ns = Ns Ar value
 Define
 .Ar macro
 to be set to
@@ -158,23 +180,23 @@ Flush the filter parameters specified by
 (may be abbreviated):
 .Pp
 .Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl F Ar nat
+.It Fl F Cm nat
 Flush the NAT rules.
-.It Fl F Ar queue
+.It Fl F Cm queue
 Flush the queue rules.
-.It Fl F Ar rules
+.It Fl F Cm rules
 Flush the filter rules.
-.It Fl F Ar state
+.It Fl F Cm state
 Flush the state table (NAT and filter).
-.It Fl F Ar Sources
+.It Fl F Cm Sources
 Flush the source tracking table.
-.It Fl F Ar info
+.It Fl F Cm info
 Flush the filter information (statistics that are not bound to rules).
-.It Fl F Ar Tables
+.It Fl F Cm Tables
 Flush the tables.
-.It Fl F Ar osfp
+.It Fl F Cm osfp
 Flush the passive operating system fingerprints.
-.It Fl F Ar all
+.It Fl F Cm all
 Flush all of the above.
 .El
 .It Fl f Ar file
@@ -216,6 +238,13 @@ to
 .Bd -literal -offset indent
 # pfctl -k host1 -k host2
 .Ed
+.It Fl m
+Merge in explicitly given options without resetting those
+which are omitted.
+Allows single options to be modified without disturbing the others:
+.Bd -literal -offset indent
+# echo "set loginterface fxp0" | pfctl -mf -
+.Ed
 .It Fl N
 Load only the NAT rules present in the rule file.
 Other rules and options are ignored.
@@ -224,6 +253,39 @@ Do not actually load rules, just parse them.
 .It Fl O
 Load only the options present in the rule file.
 Other rules and options are ignored.
+.It Fl o
+Enable the ruleset optimizer.
+The ruleset optimizer attempts to improve rulesets by removing rule
+duplication and making better use of rule ordering.
+Specifically, it does four things:
+.Pp
+.Bl -enum -compact
+.It
+remove duplicate rules
+.It
+remove rules that are a subset of another rule
+.It
+combine multiple rules into a table when advantageous
+.It
+re-order the rules to improve evaluation performance
+.El
+.Pp
+A second
+.Fl o
+may be specified to use the currently loaded ruleset as a feedback profile
+to tailor the optimization of the
+.Ar quick
+rules to the actual network behavior.
+.Pp
+It is important to note that the ruleset optimizer will modify the ruleset
+to improve performance.
+A side effect of the ruleset modification is that per-rule accounting
+statistics will have different meanings than before.
+If per-rule accounting is important for billing purposes or whatnot, either
+the ruleset optimizer should not be used or a
+.Ar label
+field should be added to all of the accounting rules to act as optimization
+barriers.
 .It Fl p Ar device
 Use the device file
 .Ar device
@@ -242,9 +304,9 @@ Show the filter parameters specified by
 (may be abbreviated):
 .Pp
 .Bl -tag -width xxxxxxxxxxxxx -compact
-.It Fl s Ar nat
+.It Fl s Cm nat
 Show the currently loaded NAT rules.
-.It Fl s Ar queue
+.It Fl s Cm queue
 Show the currently loaded queue rules.
 When used together with
 .Fl v ,
@@ -254,51 +316,58 @@ When used together with
 .Nm
 will loop and show updated queue statistics every five seconds, including
 measured bandwidth and packets per second.
-.It Fl s Ar rules
+.It Fl s Cm rules
 Show the currently loaded filter rules.
 When used together with
 .Fl v ,
 the per-rule statistics (number of evaluations,
 packets and bytes) are also shown.
-Note that the 'skip step' optimization done automatically by the kernel
+Note that the
+.Dq skip step
+optimization done automatically by the kernel
 will skip evaluation of rules where possible.
 Packets passed statefully are counted in the rule that created the state
 (even though the rule isn't evaluated more than once for the entire
 connection).
-.It Fl s Ar Anchors
-Show the currently loaded anchors.
+.It Fl s Cm Anchors
+Show the currently loaded anchors directly attached to the main ruleset.
 If
 .Fl a Ar anchor
-is specified as well, the named rulesets currently loaded in the specified
-anchor are shown instead.
-.It Fl s Ar state
+is specified as well, the anchors loaded directly below the given
+.Ar anchor
+are shown instead.
+If
+.Fl v
+is specified, all anchors attached under the target anchor will be
+displayed recursively.
+.It Fl s Cm state
 Show the contents of the state table.
-.It Fl s Ar Sources
+.It Fl s Cm Sources
 Show the contents of the source tracking table.
-.It Fl s Ar info
+.It Fl s Cm info
 Show filter information (statistics and counters).
 When used together with
 .Fl v ,
 source tracking statistics are also shown.
-.It Fl s Ar labels
+.It Fl s Cm labels
 Show per-rule statistics (label, evaluations, packets, bytes) of
 filter rules with labels, useful for accounting.
-.It Fl s Ar timeouts
+.It Fl s Cm timeouts
 Show the current global timeouts.
-.It Fl s Ar memory
+.It Fl s Cm memory
 Show the current pool memory hard limits.
-.It Fl s Ar Tables
+.It Fl s Cm Tables
 Show the list of tables.
-.It Fl s Ar osfp
+.It Fl s Cm osfp
 Show the list of operating system fingerprints.
-.It Fl s Ar Interfaces
+.It Fl s Cm Interfaces
 Show the list of interfaces and interface drivers available to PF.
 When used together with a double
 .Fl v ,
 interface statistics are also shown.
 .Fl i
 can be used to select an interface or a group of interfaces.
-.It Fl s Ar all
+.It Fl s Cm all
 Show all of the above, except for the lists of interfaces and operating
 system fingerprints.
 .El
@@ -309,25 +378,25 @@ Specify the
 Commands include:
 .Pp
 .Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl T Ar kill
+.It Fl T Cm kill
 Kill a table.
-.It Fl T Ar flush
+.It Fl T Cm flush
 Flush all addresses of a table.
-.It Fl T Ar add
+.It Fl T Cm add
 Add one or more addresses in a table.
 Automatically create a nonexisting table.
-.It Fl T Ar delete
+.It Fl T Cm delete
 Delete one or more addresses from a table.
-.It Fl T Ar replace
+.It Fl T Cm replace
 Replace the addresses of the table.
 Automatically create a nonexisting table.
-.It Fl T Ar show
+.It Fl T Cm show
 Show the content (addresses) of a table.
-.It Fl T Ar test
+.It Fl T Cm test
 Test if the given addresses match a table.
-.It Fl T Ar zero
+.It Fl T Cm zero
 Clear all the statistics of a table.
-.It Fl T Ar load
+.It Fl T Cm load
 Load only the table definitions from
 .Xr pf.conf 5 .
 This is used in conjunction with the
@@ -339,16 +408,18 @@ flag, as in:
 .El
 .Pp
 For the
-.Ar add ,
-.Ar delete ,
-.Ar replace
+.Cm add ,
+.Cm delete ,
+.Cm replace ,
 and
-.Ar test
+.Cm test
 commands, the list of addresses can be specified either directly on the command
 line and/or in an unformatted text file, using the
 .Fl f
 flag.
-Comments starting with a "#" are allowed in the text file.
+Comments starting with a
+.Sq #
+are allowed in the text file.
 With these commands, the
 .Fl v
 flag can also be used once or twice, in which case
@@ -365,11 +436,17 @@ The address/network has been changed (negated).
 .It D
 The address/network has been deleted.
 .It M
-The address matches (test operation only).
+The address matches
+.Po
+.Cm test
+operation only
+.Pc .
 .It X
 The address/network is duplicated and therefore ignored.
 .It Y
-The address/network cannot be added/deleted due to conflicting "!" attribute.
+The address/network cannot be added/deleted due to conflicting
+.Sq \&!
+attributes.
 .It Z
 The address/network has been cleared (statistics).
 .El
@@ -381,8 +458,8 @@ flag of
 For example, the following commands define a wide open firewall which will keep
 track of packets going to or coming from the
 .Ox
-ftp server.
-The following commands configure the firewall and send 10 pings to the ftp
+FTP server.
+The following commands configure the firewall and send 10 pings to the FTP
 server:
 .Bd -literal -offset indent
 # printf "table <test> { ftp.openbsd.org }\en \e
@@ -391,11 +468,11 @@ server:
 .Ed
 .Pp
 We can now use the table
-.Ar show
+.Cm show
 command to output, for each address and packet direction, the number of packets
 and bytes that are being passed or blocked by rules referencing the table.
 The time at which the current accounting started is also shown with the
-.Ar Cleared
+.Dq Cleared
 line.
 .Bd -literal -offset indent
 # pfctl -t test -vTshow
@@ -411,7 +488,8 @@ Similarly, it is possible to view global information about the tables
 by using the
 .Fl v
 modifier twice and the
-.Ar show Tables
+.Fl s
+.Cm Tables
 command.
 This will display the number of addresses on each table,
 the number of rules which reference the table, and the global
@@ -432,16 +510,18 @@ packet statistics for the whole table:
 .Ed
 .Pp
 As we can see here, only one packet \- the initial ping request \- matched the
-table; but all packets passing as the result of the state are correctly
+table, but all packets passing as the result of the state are correctly
 accounted for.
 Reloading the table(s) or ruleset will not affect packet accounting in any way.
 The two
-.Ar XPass
+.Dq XPass
 counters are incremented instead of the
-.Ar Pass
-counters when a "stateful" packet is passed but doesn't match the table
-anymore.
-This will happen in our example if someone flushes the table while the ping
+.Dq Pass
+counters when a
+.Dq stateful
+packet is passed but doesn't match the table anymore.
+This will happen in our example if someone flushes the table while the
+.Xr ping 8
 command is running.
 .Pp
 When used with a single
@@ -455,11 +535,11 @@ The flags are defined as follows:
 For constant tables, which cannot be altered outside
 .Xr pf.conf 5 .
 .It p
-For persistent tables, which don't get automatically flushed when no rules
+For persistent tables, which don't get automatically killed when no rules
 refer to them.
 .It a
 For tables which are part of the
-.Ar active
+.Em active
 tableset.
 Tables without this flag do not really exist, cannot contain addresses, and are
 only listed if the
@@ -467,7 +547,7 @@ only listed if the
 flag is given.
 .It i
 For tables which are part of the
-.Ar inactive
+.Em inactive
 tableset.
 This flag can only be witnessed briefly during the loading of
 .Xr pf.conf 5 .
@@ -475,7 +555,7 @@ This flag can only be witnessed briefly during the loading of
 For tables which are referenced (used) by rules.
 .It h
 This flag is set when a table in the main ruleset is hidden by one or more
-tables of the same name in sub-rulesets (anchors).
+tables of the same name from anchors attached below it.
 .El
 .It Fl t Ar table
 Specify the name of the table.
@@ -484,20 +564,20 @@ Produce more verbose output.
 A second use of
 .Fl v
 will produce even more verbose output including ruleset warnings.
-See previous section for its effect on table commands.
+See the previous section for its effect on table commands.
 .It Fl x Ar level
 Set the debug
 .Ar level
 (may be abbreviated) to one of the following:
 .Pp
 .Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl x Ar none
+.It Fl x Cm none
 Don't generate debug messages.
-.It Fl x Ar urgent
+.It Fl x Cm urgent
 Generate debug messages only for serious errors.
-.It Fl x Ar misc
+.It Fl x Cm misc
 Generate debug messages for various errors.
-.It Fl x Ar loud
+.It Fl x Cm loud
 Generate debug messages for common conditions.
 .El
 .It Fl z
@@ -507,12 +587,15 @@ Clear per-rule statistics.
 .Bl -tag -width "/etc/pf.conf" -compact
 .It Pa /etc/pf.conf
 Packet filter rules file.
+.It Pa /etc/pf.os
+Passive operating system fingerprint database.
 .El
 .Sh SEE ALSO
 .Xr pf 4 ,
 .Xr pf.conf 5 ,
 .Xr pf.os 5 ,
 .Xr sysctl.conf 5 ,
+.Xr authpf 8 ,
 .Xr ftp-proxy 8 ,
 .Xr rc 8 ,
 .Xr rc.conf 8 ,

contrib/pf/pfctl/pfctl_osfp.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl_osfp.c,v 1.8 2004/02/27 10:42:00 henning Exp $ */
+/*	$OpenBSD: pfctl_osfp.c,v 1.12 2005/02/17 13:18:00 aaron Exp $ */
 
 /*
  * Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>
@@ -97,8 +97,8 @@ pfctl_file_fingerprints(int dev, int opts, const char *fp_filename)
 
 	pfctl_flush_my_fingerprints(&classes);
 
-	if ((in = fopen(fp_filename, "r")) == NULL) {
-		warn("fopen(%s)", fp_filename);
+	if ((in = pfctl_fopen(fp_filename, "r")) == NULL) {
+		warn("%s", fp_filename);
 		return (1);
 	}
 	class = version = subtype = desc = tcpopts = NULL;
@@ -276,9 +276,9 @@ pfctl_flush_my_fingerprints(struct name_list *list)
 	while ((nm = LIST_FIRST(list)) != NULL) {
 		LIST_REMOVE(nm, nm_entry);
 		pfctl_flush_my_fingerprints(&nm->nm_sublist);
-		fingerprint_count--;
 		free(nm);
 	}
+	fingerprint_count = 0;
 	class_count = 0;
 }
 
@@ -348,7 +348,7 @@ pfctl_get_fingerprint(const char *name)
 
 		if ((wr_name = strdup(name)) == NULL)
 			err(1, "malloc");
-		if ((ptr = index(wr_name, ' ')) == NULL) {
+		if ((ptr = strchr(wr_name, ' ')) == NULL) {
 			free(wr_name);
 			return (PF_OSFP_NOMATCH);
 		}
@@ -508,9 +508,9 @@ found:
 		strlcat(buf, " ", len);
 		strlcat(buf, version_name, len);
 		if (subtype_name) {
-			if (index(version_name, ' '))
+			if (strchr(version_name, ' '))
 				strlcat(buf, " ", len);
-			else if (index(version_name, '.') &&
+			else if (strchr(version_name, '.') &&
 			    isdigit(*subtype_name))
 				strlcat(buf, ".", len);
 			else
@@ -702,9 +702,8 @@ fingerprint_name_entry(struct name_list *list, char *name)
 		nm_entry = calloc(1, sizeof(*nm_entry));
 		if (nm_entry == NULL)
 			err(1, "calloc");
-			LIST_INIT(&nm_entry->nm_sublist);
-			strlcpy(nm_entry->nm_name, name,
-			    sizeof(nm_entry->nm_name));
+		LIST_INIT(&nm_entry->nm_sublist);
+		strlcpy(nm_entry->nm_name, name, sizeof(nm_entry->nm_name));
 	}
 	LIST_INSERT_HEAD(list, nm_entry, nm_entry);
 	return (nm_entry);

contrib/pf/pfctl/pfctl_radix.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl_radix.c,v 1.24 2004/02/10 18:29:30 henning Exp $ */
+/*	$OpenBSD: pfctl_radix.c,v 1.26 2004/06/14 20:44:22 cedric Exp $ */
 
 /*
  * Copyright (c) 2002 Cedric Berger
@@ -392,44 +392,6 @@ pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	return (0);
 }
 
-int
-pfr_ina_begin(struct pfr_table *trs, int *ticket, int *ndel, int flags)
-{
-	struct pfioc_table io;
-
-	bzero(&io, sizeof io);
-	if (trs != NULL)
-		io.pfrio_table = *trs;
-	io.pfrio_flags = flags;
-	if (ioctl(dev, DIOCRINABEGIN, &io))
-		return (-1);
-	if (ndel != NULL)
-		*ndel = io.pfrio_ndel;
-	if (ticket != NULL)
-		*ticket = io.pfrio_ticket;
-	return (0);
-}
-
-int
-pfr_ina_commit(struct pfr_table *trs, int ticket, int *nadd, int *nchange,
-    int flags)
-{
-	struct pfioc_table io;
-
-	bzero(&io, sizeof io);
-	if (trs != NULL)
-		io.pfrio_table = *trs;
-	io.pfrio_flags = flags;
-	io.pfrio_ticket = ticket;
-	if (ioctl(dev, DIOCRINACOMMIT, &io))
-		return (-1);
-	if (nadd != NULL)
-		*nadd = io.pfrio_nadd;
-	if (nchange != NULL)
-		*nchange = io.pfrio_nchange;
-	return (0);
-}
-
 int
 pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
     int *nadd, int *naddr, int ticket, int flags)
@@ -605,7 +567,7 @@ pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
 	if (!strcmp(file, "-"))
 		fp = stdin;
 	else {
-		fp = fopen(file, "r");
+		fp = pfctl_fopen(file, "r");
 		if (fp == NULL)
 			return (-1);
 	}

contrib/pf/pflogd/pflogd.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pflogd.8,v 1.24 2004/01/16 10:45:49 jmc Exp $
+.\"	$OpenBSD: pflogd.8,v 1.25 2005/01/02 18:15:02 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Can Erkin Acar.  All rights reserved.
 .\"
@@ -161,7 +161,8 @@ Interface name equals "kue0".
 Rule number equals 10.
 .It reason match
 Reason equals match.
-Also accepts "bad-offset", "fragment", "short", "normalize" and "memory".
+Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
+"normalize" and "memory".
 .It action pass
 Action equals pass.
 Also accepts "block".

contrib/pf/pflogd/privsep_fdpass.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: privsep_fdpass.c,v 1.1 2003/10/22 18:51:55 canacar Exp $	*/
+/*	$OpenBSD: privsep_fdpass.c,v 1.2 2004/08/13 02:51:48 djm Exp $	*/
 
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -108,6 +108,10 @@ receive_fd(int sock)
 		    __func__, (long)n);
 	if (result == 0) {
 		cmsg = CMSG_FIRSTHDR(&msg);
+		if (cmsg == NULL) {
+			warnx("%s: no message header", __func__);
+			return -1;
+		}
 		if (cmsg->cmsg_type != SCM_RIGHTS)
 			warnx("%s: expected type %d got %d", __func__,
 			    SCM_RIGHTS, cmsg->cmsg_type);