authorMax Laier <mlaier@FreeBSD.org>2008-12-10 20:54:37 +0000
committerMax Laier <mlaier@FreeBSD.org>2008-12-10 20:54:37 +0000
commitb39deb12b639171038aee6f8770d9bbd44c34fd1 (patch)
tree37d43f190cb4a8b1aa5c8cf2b4c9039df5e702d4
parentd46fa87826758f8723e0b266bbfc4e286fababdb (diff)
-rw-r--r--authpf/Makefile11
-rw-r--r--authpf/authpf.84
-rw-r--r--ftp-proxy/Makefile13
-rw-r--r--ftp-proxy/filter.c9
-rw-r--r--ftp-proxy/filter.h4
-rw-r--r--ftp-proxy/ftp-proxy.811
-rw-r--r--ftp-proxy/ftp-proxy.c59
-rw-r--r--ftp-proxy/getline.c259
-rw-r--r--ftp-proxy/util.c306
-rw-r--r--ftp-proxy/util.h68
-rw-r--r--man/pf.44
-rw-r--r--man/pf.conf.545
-rw-r--r--man/pf.os.54
-rw-r--r--man/pflog.44
-rw-r--r--man/pfsync.44
-rw-r--r--pfctl/Makefile18
-rw-r--r--pfctl/parse.y15
-rw-r--r--pfctl/pf_print_state.c31
-rw-r--r--pfctl/pfctl.866
-rw-r--r--pfctl/pfctl.c41
-rw-r--r--pfctl/pfctl.h8
-rw-r--r--pfctl/pfctl_altq.c6
-rw-r--r--pflogd/Makefile11
-rw-r--r--pflogd/pflogd.815
-rw-r--r--pflogd/pflogd.c63
-rw-r--r--pflogd/pidfile.c121
-rw-r--r--pflogd/pidfile.h1
-rw-r--r--tftp-proxy/Makefile7
-rw-r--r--tftp-proxy/filter.c6
-rw-r--r--tftp-proxy/tftp-proxy.84
30 files changed, 287 insertions, 931 deletions
diff --git a/authpf/Makefile b/authpf/Makefile
new file mode 100644
index 0000000000000..3e0538a8d2334
--- /dev/null
+++ b/authpf/Makefile
@@ -0,0 +1,11 @@
+# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
+
+PROG= authpf
+MAN= authpf.8
+BINOWN= root
+BINGRP= authpf
+BINMODE= 6555
+SRCS= authpf.c
+CFLAGS+= -Wall
+
+.include <bsd.prog.mk>
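Review bot: `BINMODE= 6555` installs authpf setuid root and setgid authpf, which is the most security-sensitive line in this new Makefile, and nothing in the file says why that privilege is needed. A one-line comment above it, `# setuid root/setgid authpf: presumably needed to load pf rules for the logged-in user -- confirm against authpf(8)`, would let anyone auditing installed permissions see the intent without reading the daemon. The `$OpenBSD$` tag suggests the file was imported as-is from upstream, so this is a documentation point only.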
diff --git a/authpf/authpf.8 b/authpf/authpf.8
index ee0dcaa423b36..566d3a9627c68 100644
--- a/authpf/authpf.8
+++ b/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd January 10, 2002
+.Dd $Mdocdate$
.Dt AUTHPF 8
.Os
.Sh NAME
diff --git a/ftp-proxy/Makefile b/ftp-proxy/Makefile
new file mode 100644
index 0000000000000..9541b955e7f85
--- /dev/null
+++ b/ftp-proxy/Makefile
@@ -0,0 +1,13 @@
+# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+
+PROG= ftp-proxy
+SRCS= ftp-proxy.c filter.c
+MAN= ftp-proxy.8
+
+CFLAGS+= -I${.CURDIR}
+CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \
+ -Wno-uninitialized
+LDADD+= -levent
+DPADD+= ${LIBEVENT}
+
+.include <bsd.prog.mk>
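Review bot: `-Wno-uninitialized` on the second CFLAGS line switches off a warning class that catches real bugs, which sits oddly next to the otherwise strict `-Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith`. If it is there to silence a known false positive, a comment naming the construct, `# -Wno-uninitialized: silences a false positive in <file/function> -- re-check with newer compilers`, keeps it from being cargo-culted; otherwise it is worth dropping it once to see whether the current compiler still warns.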
diff --git a/ftp-proxy/filter.c b/ftp-proxy/filter.c
index f86429db51d37..b33c541457aab 100644
--- a/ftp-proxy/filter.c
+++ b/ftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.5 2006/12/01 07:31:21 camield Exp $ */
+/* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -53,7 +53,7 @@ static struct pfioc_rule pfr;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
-static char *qname;
+static char *qname, *tagname;
int
add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
@@ -159,11 +159,12 @@ do_rollback(void)
}
void
-init_filter(char *opt_qname, int opt_verbose)
+init_filter(char *opt_qname, char *opt_tagname, int opt_verbose)
{
struct pf_status status;
qname = opt_qname;
+ tagname = opt_tagname;
if (opt_verbose == 1)
rule_log = PF_LOG;
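Review bot: init_filter keeps `opt_tagname` (and already `opt_qname`) by pointer rather than copying it, so the caller must keep the string alive for as long as rules are built; main() passes optarg, which is fine, but the contract is not written down anywhere. A comment on the function, `/* opt_qname and opt_tagname are stored by reference; the caller owns the storage. */`, makes that explicit for the next caller. The body of init_filter continues past the hunk.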
@@ -276,6 +277,8 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
+ if (tagname != NULL)
+ strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
switch (rs_num) {
case PF_RULESET_FILTER:
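Review bot: The new strlcpy into `pfr.rule.tagname` discards its return value, so if tagname is ever longer than the field the rule is installed with a silently truncated, different tag. The only guard is the `strlen(optarg) >= PF_TAG_NAME_SIZE` check in main(), far away from the copy, and init_filter itself accepts any string; checking truncation at the copy, `if (strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname) >= sizeof pfr.rule.tagname)` followed by whatever error path prepare_rule already uses (not visible in the hunk), keeps the invariant local to the code that depends on it. prepare_rule begins and ends outside the hunk.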
diff --git a/ftp-proxy/filter.h b/ftp-proxy/filter.h
index 6779c5974467e..150bc49d3ce63 100644
--- a/ftp-proxy/filter.h
+++ b/ftp-proxy/filter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
+/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -26,6 +26,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
struct sockaddr *, u_int16_t);
int do_commit(void);
int do_rollback(void);
-void init_filter(char *, int);
+void init_filter(char *, char *, int);
int prepare_commit(u_int32_t);
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
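Review bot: `void init_filter(char *, char *, int);` now has two adjacent unnamed `char *` parameters, so the header no longer tells a reader which one is the queue and which the tag, and swapping them at a call site compiles cleanly. The rest of filter.h omits parameter names too, but this is the one prototype where the ambiguity costs something; `void init_filter(char *qname, char *tagname, int verbose);` fixes it at no cost. Both pointers could also be `const char *`, since filter.c only stores and strlcpy's them, though that needs matching changes in the definition and in ftp-proxy.c.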
diff --git a/ftp-proxy/ftp-proxy.8 b/ftp-proxy/ftp-proxy.8
index 44e6e59d22f5e..d48997b05a65f 100644
--- a/ftp-proxy/ftp-proxy.8
+++ b/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd November 28, 2004
+.Dd $Mdocdate$
.Dt FTP-PROXY 8
.Os
.Sh NAME
@@ -22,6 +22,7 @@
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm ftp-proxy
+.Bk -words
.Op Fl 6Adrv
.Op Fl a Ar address
.Op Fl b Ar address
@@ -31,7 +32,9 @@
.Op Fl p Ar port
.Op Fl q Ar queue
.Op Fl R Ar address
+.Op Fl T Ar tag
.Op Fl t Ar timeout
+.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
@@ -128,6 +131,10 @@ connections to another proxy.
.It Fl r
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
on this RFC property.
+.It Fl T Ar tag
+Automatically tag packets passing through the
+.Xr pf 4
+rule with the name supplied.
.It Fl t Ar timeout
Number of seconds that the control connection can be idle, before the
proxy will disconnect.
diff --git a/ftp-proxy/ftp-proxy.c b/ftp-proxy/ftp-proxy.c
index 99e417472fb27..3a691859c3296 100644
--- a/ftp-proxy/ftp-proxy.c
+++ b/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -102,6 +102,7 @@ u_int16_t pick_proxy_port(void);
void proxy_reply(int, struct sockaddr *, u_int16_t);
void server_error(struct bufferevent *, short, void *);
int server_parse(struct session *s);
+int allow_data_connection(struct session *s);
void server_read(struct bufferevent *, void *);
const char *sock_ntop(struct sockaddr *);
void usage(void);
@@ -113,7 +114,7 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
- *qname;
+ *qname, *tagname;
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
rfc_mode, session_count, timeout, verbose;
extern char *__progname;
@@ -149,8 +150,19 @@ client_parse(struct session *s)
return (1);
if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
- linebuf[0] == 'E' || linebuf[0] == 'e')
- return (client_parse_cmd(s));
+ linebuf[0] == 'E' || linebuf[0] == 'e') {
+ if (!client_parse_cmd(s))
+ return (0);
+
+ /*
+ * Allow active mode connections immediately, instead of
+ * waiting for a positive reply from the server. Some
+ * rare servers/proxies try to probe or setup the data
+ * connection before an actual transfer request.
+ */
+ if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT)
+ return (allow_data_connection(s));
+ }
if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
return (client_parse_anon(s));
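Review bot: After this change the pf rules for an active-mode data connection are committed as soon as the client sends PORT/EPRT, before the server has accepted the command, and the server's answer is no longer consulted at all: server_parse now reaches allow_data_connection only for PASV/EPSV, and the later hunk in the active-mode branch of allow_data_connection drops the old `strncmp("200 ", linebuf, 4) == 0` test. So a server that rejects the PORT leaves the rules installed, and whether they are torn down on the next command or only at session end is not visible here. The new comment block explains the motivation but not this consequence; adding `* Note: the rules are now installed on client input alone, and stay until the next data-connection command or session teardown.` (confirm the lifetime against prepare_commit/do_commit in filter.c) would document that client_parse_cmd's validation is the only check applied before pf is touched. client_parse starts before the hunk.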
@@ -588,6 +600,7 @@ main(int argc, char *argv[])
max_sessions = 100;
qname = NULL;
rfc_mode = 0;
+ tagname = NULL;
timeout = 24 * 3600;
verbose = 0;
@@ -595,7 +608,7 @@ main(int argc, char *argv[])
id_count = 1;
session_count = 0;
- while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
+ while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
switch (ch) {
case '6':
ipv6_mode = 1;
@@ -640,6 +653,11 @@ main(int argc, char *argv[])
case 'r':
rfc_mode = 1;
break;
+ case 'T':
+ if (strlen(optarg) >= PF_TAG_NAME_SIZE)
+ errx(1, "tagname too long");
+ tagname = optarg;
+ break;
case 't':
timeout = strtonum(optarg, 0, 86400, &errstr);
if (errstr)
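Review bot: The `-T` length check correctly rejects names that would not fit in `pf_rule.tagname`, but `-T ""` passes it and sets tagname to an empty string, which then reaches the `tagname != NULL` test in filter.c and copies nothing, silently behaving like no `-T` at all. Rejecting the empty case as well, `if (*optarg == '\0' || strlen(optarg) >= PF_TAG_NAME_SIZE) errx(1, "invalid tagname");`, makes a mistyped command line visible instead of quietly untagged. main() continues outside the hunk.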
@@ -720,7 +738,7 @@ main(int argc, char *argv[])
freeaddrinfo(res);
/* Initialize pf. */
- init_filter(qname, verbose);
+ init_filter(qname, tagname, verbose);
if (daemonize) {
if (daemon(0, 0) == -1)
@@ -888,12 +906,26 @@ server_error(struct bufferevent *bufev, short what, void *arg)
int
server_parse(struct session *s)
{
- struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
- int prepared = 0;
-
if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
goto out;
+ if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
+ (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0))
+ return (allow_data_connection(s));
+
+ out:
+ s->cmd = CMD_NONE;
+ s->port = 0;
+
+ return (1);
+}
+
+int
+allow_data_connection(struct session *s)
+{
+ struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
+ int prepared = 0;
+
/*
* The pf rules below do quite some NAT rewriting, to keep up
* appearances. Points to keep in mind:
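Review bot: allow_data_connection is a new non-static function with a prototype at the top of the file but no header comment of its own; the "The pf rules below do quite some NAT rewriting" block it inherited describes the rule mechanics, not the function's contract. A comment above the definition should say that it expects `s->cmd` to be one of CMD_PASV/CMD_EPSV/CMD_PORT/CMD_EPRT, that it installs the pf rules for the pending data connection, that it resets `s->cmd` and `s->port` when done, and what the return value means (callers here treat 0 as failure; confirm against the `fail:` path, which lies outside the hunk). It is also worth noting that the `out:` label left in server_parse and the reset at the end of allow_data_connection now duplicate the same two assignments. The body of allow_data_connection continues well past this hunk.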
@@ -918,8 +950,7 @@ server_parse(struct session *s)
orig_sa = sstosa(&s->server_ss);
/* Passive modes. */
- if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
- (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) {
+ if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) {
s->port = parse_port(s->cmd);
if (s->port < MIN_PORT) {
logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
@@ -960,8 +991,7 @@ server_parse(struct session *s)
}
/* Active modes. */
- if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) &&
- strncmp("200 ", linebuf, 4) == 0) {
+ if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
logmsg(LOG_INFO, "#%d active: server to client port %d"
" via port %d", s->id, s->port, s->proxy_port);
@@ -1011,7 +1041,6 @@ server_parse(struct session *s)
goto fail;
}
- out:
s->cmd = CMD_NONE;
s->port = 0;
@@ -1088,6 +1117,6 @@ usage(void)
{
fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
" [-D level] [-m maxsessions]\n [-P port]"
- " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
+ " [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname);
exit(1);
}
diff --git a/ftp-proxy/getline.c b/ftp-proxy/getline.c
deleted file mode 100644
index 97ffd48c6e301..0000000000000
--- a/ftp-proxy/getline.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/* $OpenBSD: getline.c,v 1.16 2004/09/16 04:50:51 deraadt Exp $ */
-
-/*
- * Copyright (c) 1985, 1988 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)ftpcmd.y 5.24 (Berkeley) 2/25/91
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/telnet.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <sysexits.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include "util.h"
-
-int refill_buffer(struct csiob *iobp);
-
-/*
- * Refill the io buffer if we KNOW that data is available
- *
- * Returns 1 if any new data was obtained, 0 otherwise.
- */
-
-int
-refill_buffer(struct csiob *iobp)
-{
- int rqlen, rlen;
-
- if (!(iobp->data_available))
- return(0);
-
- if (iobp->got_eof)
- return(0);
-
- /*
- * The buffer has been entirely consumed if next_byte == io_buffer_len.
- * Otherwise, there is some still-to-be-used data in io_buffer.
- * Shuffle it to the start of the buffer.
- * Note that next_byte will never exceed io_buffer_len.
- * Also, note that we MUST use bcopy because the two regions could
- * overlap (memcpy isn't defined to work properly with overlapping
- * regions).
- */
- if (iobp->next_byte < iobp->io_buffer_len) {
- int dst_ix = 0;
- int src_ix = iobp->next_byte;
- int amount = iobp->io_buffer_len - iobp->next_byte;
-
- bcopy(&iobp->io_buffer[src_ix], &iobp->io_buffer[dst_ix],
- amount);
- iobp->io_buffer_len = amount;
- } else if (iobp->next_byte == iobp->io_buffer_len)
- iobp->io_buffer_len = 0;
- else {
- syslog(LOG_ERR, "next_byte(%d) > io_buffer_len(%d)",
- iobp->next_byte, iobp->io_buffer_len);
- exit(EX_OSERR);
- }
-
- iobp->next_byte = 0;
-
- /* don't do tiny reads, grow first if we need to */
- rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
- if (rqlen <= 128) {
- unsigned char *tmp;
-
- iobp->io_buffer_size += 128;
- tmp = realloc(iobp->io_buffer, iobp->io_buffer_size);
- if (tmp == NULL) {
- syslog(LOG_INFO, "Insufficient memory");
- exit(EX_UNAVAILABLE);
- }
- iobp->io_buffer = tmp;
- rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
- }
-
- /*
- * Always leave an unused byte at the end of the buffer
- * because the debug output uses that byte from time to time
- * to ensure that something that is being printed is \0 terminated.
- */
- rqlen -= 1;
-
- doread:
- rlen = read(iobp->fd, &iobp->io_buffer[iobp->io_buffer_len], rqlen);
- iobp->data_available = 0;
- switch (rlen) {
- case -1:
- if (errno == EAGAIN || errno == EINTR)
- goto doread;
- if (errno != ECONNRESET) {
- syslog(LOG_INFO, "read() failed on socket from %s (%m)",
- iobp->who);
- exit(EX_DATAERR);
- }
- /* fall through to EOF case */
- case 0:
- iobp->got_eof = 1;
- return(0);
- break;
- default:
- iobp->io_buffer_len += rlen;
- break;
- }
- return(1);
-}
-
-/*
- * telnet_getline - a hacked up version of fgets to ignore TELNET escape codes.
- *
- * This code is derived from the getline routine found in the UC Berkeley
- * ftpd code.
- *
- */
-
-int
-telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough)
-{
- unsigned char ch;
- int ix;
- unsigned char tbuf[100];
-
- iobp->line_buffer[0] = '\0';
-
- /*
- * If the buffer is empty then refill it right away.
- */
- if (iobp->next_byte == iobp->io_buffer_len)
- if (!refill_buffer(iobp))
- return(0);
-
- /*
- * Is there a telnet command in the buffer?
- */
- ch = iobp->io_buffer[iobp->next_byte];
- if (ch == IAC) {
- /*
- * Yes - buffer must have at least three bytes in it
- */
- if (iobp->io_buffer_len - iobp->next_byte < 3) {
- if (!refill_buffer(iobp))
- return(0);
- if (iobp->io_buffer_len - iobp->next_byte < 3)
- return(0);
- }
-
- iobp->next_byte++;
- ch = iobp->io_buffer[iobp->next_byte++];
-
- switch (ch) {
- case WILL:
- case WONT:
- case DO:
- case DONT:
- tbuf[0] = IAC;
- tbuf[1] = ch;
- tbuf[2] = iobp->io_buffer[iobp->next_byte++];
- (void)send(telnet_passthrough->fd, tbuf, 3,
- telnet_passthrough->send_oob_flags);
- break;
- case IAC:
- break;
- default:
- break;
- }
- return(1);
- } else {
- int clen;
-
- /*
- * Is there a newline in the buffer?
- */
- for (ix = iobp->next_byte; ix < iobp->io_buffer_len;
- ix += 1) {
- if (iobp->io_buffer[ix] == '\n')
- break;
- if (iobp->io_buffer[ix] == '\0') {
- syslog(LOG_INFO,
- "got NUL byte from %s - bye!",
- iobp->who);
- exit(EX_DATAERR);
- }
- }
-
- if (ix == iobp->io_buffer_len) {
- if (!refill_buffer(iobp))
- return(0);
- /*
- * Empty line returned
- * will try again soon!
- */
- return(1);
- }
-
- /*
- * Expand the line buffer if it isn't big enough. We
- * use a fudge factor of 5 rather than trying to
- * figure out exactly how to account for the '\0 \r\n' and
- * such. The correct fudge factor is 0, 1 or 2 but
- * anything higher also works. We also grow it by a
- * bunch to avoid having to do this often. Yes this is
- * nasty.
- */
- if (ix - iobp->next_byte > iobp->line_buffer_size - 5) {
- unsigned char *tmp;
-
- iobp->line_buffer_size = 256 + ix - iobp->next_byte;
- tmp = realloc(iobp->line_buffer,
- iobp->line_buffer_size);
- if (tmp == NULL) {
- syslog(LOG_INFO, "Insufficient memory");
- exit(EX_UNAVAILABLE);
- }
- iobp->line_buffer = tmp;
- }
-
- /* +1 is for the newline */
- clen = (ix+1) - iobp->next_byte;
- memcpy(iobp->line_buffer, &iobp->io_buffer[iobp->next_byte],
- clen);
- iobp->next_byte += clen;
- iobp->line_buffer[clen] = '\0';
- return(1);
- }
-}
diff --git a/ftp-proxy/util.c b/ftp-proxy/util.c
deleted file mode 100644
index 61c9f1f1bc8ad..0000000000000
--- a/ftp-proxy/util.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
-
-/*
- * Copyright (c) 1996-2001
- * Obtuse Systems Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the Obtuse Systems nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE OBTUSE SYSTEMS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE
- * SYSTEMS CORPORATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/file.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <net/pfvar.h>
-
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <sysexits.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include "util.h"
-
-extern int ReverseMode;
-
-int Debug_Level;
-int Use_Rdns;
-in_addr_t Bind_Addr = INADDR_NONE;
-
-void debuglog(int debug_level, const char *fmt, ...);
-
-void
-debuglog(int debug_level, const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
-
- if (Debug_Level >= debug_level)
- vsyslog(LOG_DEBUG, fmt, ap);
- va_end(ap);
-}
-
-int
-get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
- struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr)
-{
- struct pfioc_natlook natlook;
- socklen_t slen;
- int fd;
-
- slen = sizeof(*proxy_sa_ptr);
- if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
- &slen) != 0) {
- syslog(LOG_ERR, "getsockname() failed (%m)");
- return(-1);
- }
- slen = sizeof(*client_sa_ptr);
- if (getpeername(connected_fd, (struct sockaddr *)client_sa_ptr,
- &slen) != 0) {
- syslog(LOG_ERR, "getpeername() failed (%m)");
- return(-1);
- }
-
- if (ReverseMode)
- return(0);
-
- /*
- * Build up the pf natlook structure.
- * Just for IPv4 right now
- */
- memset((void *)&natlook, 0, sizeof(natlook));
- natlook.af = AF_INET;
- natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr;
- natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr;
- natlook.proto = IPPROTO_TCP;
- natlook.sport = client_sa_ptr->sin_port;
- natlook.dport = proxy_sa_ptr->sin_port;
- natlook.direction = PF_OUT;
-
- /*
- * Open the pf device and lookup the mapping pair to find
- * the original address we were supposed to connect to.
- */
- fd = open("/dev/pf", O_RDWR);
- if (fd == -1) {
- syslog(LOG_ERR, "cannot open /dev/pf (%m)");
- exit(EX_UNAVAILABLE);
- }
-
- if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
- syslog(LOG_INFO,
- "pf nat lookup failed %s:%hu (%m)",
- inet_ntoa(client_sa_ptr->sin_addr),
- ntohs(client_sa_ptr->sin_port));
- close(fd);
- return(-1);
- }
- close(fd);
-
- /*
- * Now jam the original address and port back into the into
- * destination sockaddr_in for the proxy to deal with.
- */
- memset((void *)real_server_sa_ptr, 0, sizeof(struct sockaddr_in));
- real_server_sa_ptr->sin_port = natlook.rdport;
- real_server_sa_ptr->sin_addr.s_addr = natlook.rdaddr.addr32[0];
- real_server_sa_ptr->sin_len = sizeof(struct sockaddr_in);
- real_server_sa_ptr->sin_family = AF_INET;
- return(0);
-}
-
-
-/*
- * Transfer one unit of data across a pair of sockets
- *
- * A unit of data is as much as we get with a single read(2) call.
- */
-int
-xfer_data(const char *what_read,int from_fd, int to_fd, struct in_addr from,
- struct in_addr to)
-{
- int rlen, offset, xerrno, mark, flags = 0;
- char tbuf[4096];
-
- /*
- * Are we at the OOB mark?
- */
- if (ioctl(from_fd, SIOCATMARK, &mark) < 0) {
- xerrno = errno;
- syslog(LOG_ERR, "cannot ioctl(SIOCATMARK) socket from %s (%m)",
- what_read);
- errno = xerrno;
- return(-1);
- }
- if (mark)
- flags = MSG_OOB; /* Yes - at the OOB mark */
-
-snarf:
- rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
- if (rlen == -1 && flags == MSG_OOB && errno == EINVAL) {
- /* OOB didn't work */
- flags = 0;
- rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
- }
- if (rlen == 0) {
- debuglog(3, "EOF on read socket");
- return(0);
- } else if (rlen == -1) {
- if (errno == EAGAIN || errno == EINTR)
- goto snarf;
- xerrno = errno;
- syslog(LOG_ERR, "xfer_data (%s): failed (%m) with flags 0%o",
- what_read, flags);
- errno = xerrno;
- return(-1);
- } else {
- offset = 0;
- debuglog(3, "got %d bytes from socket", rlen);
-
- while (offset < rlen) {
- int wlen;
- fling:
- wlen = send(to_fd, &tbuf[offset], rlen - offset,
- flags);
- if (wlen == 0) {
- debuglog(3, "zero-length write");
- goto fling;
- } else if (wlen == -1) {
- if (errno == EAGAIN || errno == EINTR)
- goto fling;
- xerrno = errno;
- syslog(LOG_INFO, "write failed (%m)");
- errno = xerrno;
- return(-1);
- } else {
- debuglog(3, "wrote %d bytes to socket",wlen);
- offset += wlen;
- }
- }
- return(offset);
- }
-}
-
-/*
- * get_backchannel_socket gets us a socket bound somewhere in a
- * particular range of ports
- */
-int
-get_backchannel_socket(int type, int min_port, int max_port, int start_port,
- int direction, struct sockaddr_in *sap)
-{
- int count;
-
- /*
- * Make sure that direction is 'defined' and that min_port is not
- * greater than max_port.
- */
- if (direction != -1)
- direction = 1;
-
- /* by default we go up by one port until we find one */
- if (min_port > max_port) {
- errno = EINVAL;
- return(-1);
- }
-
- count = 1 + max_port - min_port;
-
- /*
- * Pick a port we can bind to from within the range we want.
- * If the caller specifies -1 as the starting port number then
- * we pick one somewhere in the range to try.
- * This is an optimization intended to speedup port selection and
- * has NOTHING to do with security.
- */
- if (start_port == -1)
- start_port = (arc4random() % count) + min_port;
-
- if (start_port < min_port || start_port > max_port) {
- errno = EINVAL;
- return(-1);
- }
-
- while (count-- > 0) {
- struct sockaddr_in sa;
- int one, fd;
-
- fd = socket(AF_INET, type, 0);
-
- bzero(&sa, sizeof sa);
- sa.sin_family = AF_INET;
- if (Bind_Addr == INADDR_NONE)
- if (sap == NULL)
- sa.sin_addr.s_addr = INADDR_ANY;
- else
- sa.sin_addr.s_addr = sap->sin_addr.s_addr;
- else
- sa.sin_addr.s_addr = Bind_Addr;
-
- /*
- * Indicate that we want to reuse a port if it happens that the
- * port in question was a listen port recently.
- */
- one = 1;
- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one,
- sizeof(one)) == -1)
- return(-1);
-
- sa.sin_port = htons(start_port);
-
- if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
- if (sap != NULL)
- *sap = sa;
- return(fd);
- }
-
- if (errno != EADDRINUSE)
- return(-1);
-
- /* if it's in use, try the next port */
- close(fd);
-
- start_port += direction;
- if (start_port < min_port)
- start_port = max_port;
- else if (start_port > max_port)
- start_port = min_port;
- }
- errno = EAGAIN;
- return(-1);
-}
diff --git a/ftp-proxy/util.h b/ftp-proxy/util.h
deleted file mode 100644
index ce1e9159393c7..0000000000000
--- a/ftp-proxy/util.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/* $OpenBSD: util.h,v 1.5 2005/02/24 15:49:08 dhartmei Exp $ */
-
-/*
- * Copyright (c) 1996-2001
- * Obtuse Systems Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the Obtuse Systems nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE SYSTEMS CORPORATION OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-struct proxy_channel {
- int pc_to_fd, pc_from_fd;
- int pc_alive;
- int pc_nextbyte;
- int pc_flags;
- int pc_length;
- int pc_size;
- struct sockaddr_in pc_from_sa, pc_to_sa;
- int (*pc_filter)( void ** databuf, int datalen);
- char *pc_buffer;
-};
-
-struct csiob {
- int fd;
- int line_buffer_size, io_buffer_size, io_buffer_len, next_byte;
- unsigned char *io_buffer, *line_buffer;
- struct sockaddr_in sa, real_sa;
- const char *who;
- char alive, got_eof, data_available;
- int send_oob_flags;
-};
-
-extern int telnet_getline(struct csiob *iobp,
- struct csiob *telnet_passthrough);
-
-extern int get_proxy_env(int fd, struct sockaddr_in *server_sa_ptr,
- struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr);
-
-extern int get_backchannel_socket(int type, int min_port, int max_port,
- int start_port, int direction, struct sockaddr_in *sap);
-
-extern int xfer_data(const char *what_read, int from_fd, int to_fd,
- struct in_addr from, struct in_addr to);
-
-extern char *ProgName;
-
-
diff --git a/man/pf.4 b/man/pf.4
index 1164202d234bd..3b6cec93ad4ae 100644
--- a/man/pf.4
+++ b/man/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $
+.\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd June 24, 2001
+.Dd $Mdocdate$
.Dt PF 4
.Os
.Sh NAME
diff --git a/man/pf.conf.5 b/man/pf.conf.5
index bb210fc7fc093..b6b609e733cb2 100644
--- a/man/pf.conf.5
+++ b/man/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.376 2006/12/01 07:23:26 camield Exp $
+.\" $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 19, 2002
+.Dd $Mdocdate: June 26 2007 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -402,9 +402,10 @@ set limit { states 20000, frags 20000, src-nodes 2000 }
.Bl -tag -width xxxxxxxx -compact
.It Ar none
Disable the ruleset optimizer.
-This is the default behaviour.
.It Ar basic
-Enable basic ruleset optimization, which does four things to improve the
+Enable basic ruleset optimization.
+This is the default behaviour.
+Basic ruleset optimization does four things to improve the
performance of ruleset evaluations:
.Pp
.Bl -enum -compact
@@ -1247,7 +1248,7 @@ block all
.Ed
.It Ar pass
The packet is passed;
-state is created state unless the
+state is created unless the
.Ar no state
option is specified.
.El
@@ -1418,7 +1419,8 @@ This rule applies only to packets with the specified source and destination
addresses and ports.
.Pp
Addresses can be specified in CIDR notation (matching netblocks), as
-symbolic host names or interface names, or as any of the following keywords:
+symbolic host names, interface names or interface group names, or as any
+of the following keywords:
.Pp
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
@@ -1440,7 +1442,7 @@ the route back to the packet's source address.
Any address that matches the given table.
.El
.Pp
-Interface names can have modifiers appended:
+Interface names and interface group names can have modifiers appended:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar :network
@@ -1603,7 +1605,7 @@ Flags not specified in
are ignored.
For stateful connections, the default is
.Ar flags S/SA .
-To indicate that flags should not be checkd at all, specify
+To indicate that flags should not be checked at all, specify
.Ar flags any .
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.Bl -tag -width Fl
@@ -1687,13 +1689,14 @@ pass all tos 0x10
pass all tos 16
.Ed
.It Ar allow-opts
-By default, packets which contain IP options are blocked.
+By default, IPv4 packets with IP options or IPv6 packets with routing
+extension headers are blocked.
When
.Ar allow-opts
is specified for a
.Ar pass
rule, packets that pass the filter based on that rule (last matching)
-do so even if they contain IP options.
+do so even if they contain IP options or routing extension headers.
For packets that match state, the rule that initially created the
state is used.
The implicit
@@ -1914,7 +1917,7 @@ pool options.
Note that by default these associations are destroyed as soon as there are
no longer states which refer to them; in order to make the mappings last
beyond the lifetime of the states, increase the global options with
-.Ar set timeout source-track
+.Ar set timeout src.track .
See
.Sx STATEFUL TRACKING OPTIONS
for more ways to control the source tracking.
@@ -2759,7 +2762,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
- [ "skip on" ( interface-name | "{" interface-list "}" ) ] |
+ [ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
pf-rule = action [ ( "in" | "out" ) ]
@@ -2801,8 +2804,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ portspec ] [ pooltype ] ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
- "for" ( interface-name | "{" interface-list "}" )
- [ af ] [ "label" string ]
+ "for" ifspec [ af ] [ "label" string ]
table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
@@ -2810,8 +2812,8 @@ tableopts = "persist" | "const" | "file" string |
"{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
-tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
- interface-name | "self"
+tableaddr = hostname | ifspec | "self" |
+ ipv4-dotted-quad | ipv6-coloned-hex
altq-rule = "altq on" interface-name queueopts-list
"queue" subqueue
@@ -2842,8 +2844,10 @@ return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
icmpcode = ( icmp-code-name | icmp-code-number )
icmp6code = ( icmp6-code-name | icmp6-code-number )
-ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
-interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
+ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
+ "{" interface-list "}"
+interface-list = [ "!" ] ( interface-name | interface-group )
+ [ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" )
[ pooltype ]
@@ -2863,8 +2867,9 @@ ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost = address [ "/" mask-bits ]
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
-address = ( interface-name | "(" interface-name ")" | hostname |
- ipv4-dotted-quad | ipv6-coloned-hex )
+address = ( interface-name | interface-group |
+ "(" ( interface-name | interface-group ) ")" |
+ hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
routehost-list = routehost [ [ "," ] routehost-list ]
diff --git a/man/pf.os.5 b/man/pf.os.5
index 69e8344885ea9..7ee63ce52f482 100644
--- a/man/pf.os.5
+++ b/man/pf.os.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
+.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
@@ -13,7 +13,7 @@
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd August 18, 2003
+.Dd $Mdocdate$
.Dt PF.OS 5
.Os
.Sh NAME
diff --git a/man/pflog.4 b/man/pflog.4
index 2b2e22b887718..1b42a83f437f3 100644
--- a/man/pflog.4
+++ b/man/pflog.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
+.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
@@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 10, 2001
+.Dd $Mdocdate$
.Dt PFLOG 4
.Os
.Sh NAME
diff --git a/man/pfsync.4 b/man/pfsync.4
index 43f13b2f30cd8..07f61874b6d1a 100644
--- a/man/pfsync.4
+++ b/man/pfsync.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfsync.4,v 1.24 2006/10/23 07:05:49 jmc Exp $
+.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 29, 2002
+.Dd $Mdocdate$
.Dt PFSYNC 4
.Os
.Sh NAME
diff --git a/pfctl/Makefile b/pfctl/Makefile
new file mode 100644
index 0000000000000..df74f88c63f26
--- /dev/null
+++ b/pfctl/Makefile
@@ -0,0 +1,18 @@
+# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
+
+PROG= pfctl
+SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
+SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
+SRCS+= pfctl_optimize.c pf_ruleset.c
+CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
+CFLAGS+= -Wstrict-prototypes -I${.CURDIR}
+YFLAGS=
+MAN= pfctl.8
+
+# Ruleset and Anchor handling
+.PATH: ${.CURDIR}/../../sys/net
+
+LDADD+= -lm
+DPADD+= ${LIBM}
+
+.include <bsd.prog.mk>
diff --git a/pfctl/parse.y b/pfctl/parse.y
index ef5d77b6ec4ca..a491f3ead7da7 100644
--- a/pfctl/parse.y
+++ b/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -425,7 +425,7 @@ typedef struct {
%type <v.number> tos not yesno
%type <v.i> no dir af fragcache optimizer
%type <v.i> sourcetrack flush unaryop statelock
-%type <v.b> action nataction natpass scrubaction
+%type <v.b> action nataction natpasslog scrubaction
%type <v.b> flags flag blockspec
%type <v.range> port rport
%type <v.hashkey> hashkey
@@ -3439,12 +3439,13 @@ redirection : /* empty */ { $$ = NULL; }
}
;
-natpass : /* empty */ { $$.b1 = $$.b2 = 0; }
- | PASS { $$.b1 = 1; $$.b2 = 0; }
+natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
+ | PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
| PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
+ | log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; }
;
-nataction : no NAT natpass {
+nataction : no NAT natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
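Review bot: The new `log`-only alternative of natpasslog is accepted after `no` as well, because the check on the following lines rejects only `pass` with `no`; `no nat log` and `no rdr log` therefore parse cleanly. If the kernel only logs on a translation rule it actually applies (a `no` rule suppresses translation, so presumably nothing is logged), the option is silently a no-op, and a parallel check would make that explicit: `if ($1 && $3.b2) { yyerror("\"log\" not valid with \"no\""); YYERROR; }`. Whether logging is meaningful for `no` rules should be confirmed against pf_test_rule() before adding the error. The nataction rule continues outside the hunk.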
@@ -3457,7 +3458,7 @@ nataction : no NAT natpass {
$$.w = $3.b2;
$$.w2 = $3.w2;
}
- | no RDR natpass {
+ | no RDR natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
@@ -3631,7 +3632,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
}
;
-binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
+binatrule : no BINAT natpasslog interface af proto FROM host TO ipspec tag
tagged rtable redirection
{
struct pf_rule binat;
diff --git a/pfctl/pf_print_state.c b/pfctl/pf_print_state.c
index e36b1fd94bff1..e4830a1268f67 100644
--- a/pfctl/pf_print_state.c
+++ b/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -151,7 +151,7 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
-print_host(struct pf_state_host *h, sa_family_t af, int opts)
+print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
{
u_int16_t p = ntohs(h->port);
@@ -180,7 +180,7 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
}
void
-print_seq(struct pf_state_peer *p)
+print_seq(struct pfsync_state_peer *p)
{
if (p->seqdiff)
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
@@ -190,9 +190,9 @@ print_seq(struct pf_state_peer *p)
}
void
-print_state(struct pf_state *s, int opts)
+print_state(struct pfsync_state *s, int opts)
{
- struct pf_state_peer *src, *dst;
+ struct pfsync_state_peer *src, *dst;
struct protoent *p;
int min, sec;
@@ -203,7 +203,7 @@ print_state(struct pf_state *s, int opts)
src = &s->dst;
dst = &s->src;
}
- printf("%s ", s->u.ifname);
+ printf("%s ", s->ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
@@ -278,20 +278,23 @@ print_state(struct pf_state *s, int opts)
s->expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
printf(", %llu:%llu pkts, %llu:%llu bytes",
- s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
- if (s->anchor.nr != -1)
- printf(", anchor %u", s->anchor.nr);
- if (s->rule.nr != -1)
- printf(", rule %u", s->rule.nr);
- if (s->src_node != NULL)
+ pf_state_counter_from_pfsync(s->packets[0]),
+ pf_state_counter_from_pfsync(s->packets[1]),
+ pf_state_counter_from_pfsync(s->bytes[0]),
+ pf_state_counter_from_pfsync(s->bytes[1]));
+ if (s->anchor != -1)
+ printf(", anchor %u", s->anchor);
+ if (s->rule != -1)
+ printf(", rule %u", s->rule);
+ if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
- if (s->nat_src_node != NULL)
+ if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
printf(", sticky-address");
printf("\n");
}
if (opts & PF_OPT_VERBOSE2) {
printf(" id: %016llx creatorid: %08x%s\n",
- betoh64(s->id), ntohl(s->creatorid),
+ pf_state_counter_from_pfsync(s->id), ntohl(s->creatorid),
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
}
}
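Review bot: `s->anchor` and `s->rule` are compared and printed raw, while `s->creatorid` a few lines below goes through ntohl() and the counters and id through pf_state_counter_from_pfsync(); if struct pfsync_state also carries the rule and anchor numbers in network byte order, the `!= -1` tests still work (all-ones is byte-order neutral) but the printed numbers are byte-swapped on little-endian hosts. Confirm against the kernel exporter; if they are network order, use `if (ntohl(s->anchor) != -1) printf(", anchor %u", ntohl(s->anchor));` and the same for rule. Comparing what the `%u` format suggests is an unsigned field against the literal -1 relies on the usual arithmetic conversions; a named constant or an explicit `(u_int32_t)-1` would say what is meant. print_state() starts outside this hunk.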
diff --git a/pfctl/pfctl.8 b/pfctl/pfctl.8
index b5be8a1f624a3..4dfbc407aaeaf 100644
--- a/pfctl/pfctl.8
+++ b/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
+.\" $OpenBSD: pfctl.8,v 1.133 2007/07/01 11:38:51 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 20, 2002
+.Dd $Mdocdate: May 31 2007 $
.Dt PFCTL 8
.Os
.Sh NAME
@@ -42,14 +42,14 @@
.Op Fl i Ar interface
.Op Fl K Ar host | network
.Op Fl k Ar host | network
-.Op Fl o Op Ar level
+.Op Fl o Ar level
.Op Fl p Ar device
.Op Fl s Ar modifier
-.Oo
-.Fl t Ar table
+.Xo
+.Oo Fl t Ar table
.Fl T Ar command
-.Op Ar address ...
-.Oc
+.Op Ar address ... Oc
+.Xc
.Op Fl x Ar level
.Ek
.Sh DESCRIPTION
@@ -209,7 +209,7 @@ Flush the NAT rules.
Flush the queue rules.
.It Fl F Cm rules
Flush the filter rules.
-.It Fl F Cm state
+.It Fl F Cm states
Flush the state table (NAT and filter).
.It Fl F Cm Sources
Flush the source tracking table.
@@ -296,58 +296,20 @@ Do not actually load rules, just parse them.
.It Fl O
Load only the options present in the rule file.
Other rules and options are ignored.
-.It Fl o Op Ar level
-Control the ruleset optimizer.
-The ruleset optimizer attempts to improve rulesets by removing rule
-duplication and making better use of rule ordering.
+.It Fl o Ar level
+Control the ruleset optimizer, overriding any rule file settings.
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Fl o Cm none
Disable the ruleset optimizer.
.It Fl o Cm basic
Enable basic ruleset optimizations.
+This is the default behaviour.
.It Fl o Cm profile
Enable basic ruleset optimizations with profiling.
.El
-.Pp
-.Cm basic
-optimization does does four things:
-.Pp
-.Bl -enum -compact
-.It
-remove duplicate rules
-.It
-remove rules that are a subset of another rule
-.It
-combine multiple rules into a table when advantageous
-.It
-re-order the rules to improve evaluation performance
-.El
-.Pp
-If
-.Cm profile
-is specified, the currently loaded ruleset will be examined as a feedback
-profile to tailor the optimization of the
-.Ar quick
-rules to the actual network behavior.
-.Pp
-It is important to note that the ruleset optimizer will modify the ruleset
-to improve performance.
-A side effect of the ruleset modification is that per-rule accounting
-statistics will have different meanings than before.
-If per-rule accounting is important for billing purposes or whatnot, either
-the ruleset optimizer should not be used or a
-.Ar label
-field should be added to all of the accounting rules to act as optimization
-barriers.
-.Pp
-To retain compatibility with previous behaviour, a single
-.Fl o
-without any options will enable
-.Cm basic
-optimizations, and a second
-.Fl o
-will enable profiling.
+For further information on the ruleset optimizer, see
+.Xr pf.conf 5 .
.It Fl p Ar device
Use the device file
.Ar device
@@ -402,7 +364,7 @@ If
.Fl v
is specified, all anchors attached under the target anchor will be
displayed recursively.
-.It Fl s Cm state
+.It Fl s Cm states
Show the contents of the state table.
.It Fl s Cm Sources
Show the contents of the source tracking table.
diff --git a/pfctl/pfctl.c b/pfctl/pfctl.c
index cf338c7d40bce..0aeb0fc780713 100644
--- a/pfctl/pfctl.c
+++ b/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
+/* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -201,11 +201,11 @@ static const struct {
static const char *clearopt_list[] = {
"nat", "queue", "rules", "Sources",
- "state", "info", "Tables", "osfp", "all", NULL
+ "states", "info", "Tables", "osfp", "all", NULL
};
static const char *showopt_list[] = {
- "nat", "queue", "rules", "Anchors", "Sources", "state", "info",
+ "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
"all", NULL
};
@@ -220,7 +220,7 @@ static const char *debugopt_list[] = {
};
static const char *optiopt_list[] = {
- "o", "none", "basic", "profile", NULL
+ "none", "basic", "profile", NULL
};
void
@@ -231,8 +231,8 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
- fprintf(stderr, "[-k host | network ]\n");
- fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
+ fprintf(stderr, "[-k host | network]\n");
+ fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
@@ -998,7 +998,7 @@ int
pfctl_show_states(int dev, const char *iface, int opts)
{
struct pfioc_states ps;
- struct pf_state *p;
+ struct pfsync_state *p;
char *inbuf = NULL, *newinbuf = NULL;
unsigned len = 0;
int i, dotitle = (opts & PF_OPT_SHOWALL);
@@ -1029,7 +1029,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
}
p = ps.ps_states;
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
- if (iface != NULL && strcmp(p->u.ifname, iface))
+ if (iface != NULL && strcmp(p->ifname, iface))
continue;
if (dotitle) {
pfctl_print_title("STATES:");
@@ -1954,7 +1954,7 @@ main(int argc, char *argv[])
int ch;
int mode = O_RDONLY;
int opts = 0;
- int optimize = 0;
+ int optimize = PF_OPTIMIZE_BASIC;
char anchorname[MAXPATHLEN];
char *path;
FILE *fin = NULL;
@@ -1963,7 +1963,7 @@ main(int argc, char *argv[])
usage();
while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -2039,24 +2039,11 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_FILTER;
break;
case 'o':
- if (optarg) {
- optiopt = pfctl_lookup_option(optarg,
- optiopt_list);
- if (optiopt == NULL) {
- warnx("Unknown optimization '%s'",
- optarg);
- usage();
- }
- }
- if (opts & PF_OPT_OPTIMIZE) {
- if (optiopt != NULL) {
- warnx("Cannot specify -o multiple times"
- "with optimizer level");
- usage();
- }
- optimize |= PF_OPTIMIZE_PROFILE;
+ optiopt = pfctl_lookup_option(optarg, optiopt_list);
+ if (optiopt == NULL) {
+ warnx("Unknown optimization '%s'", optarg);
+ usage();
}
- optimize |= PF_OPTIMIZE_BASIC;
opts |= PF_OPT_OPTIMIZE;
break;
case 'O':
diff --git a/pfctl/pfctl.h b/pfctl/pfctl.h
index 9450a5586a04b..49cf6e75ec751 100644
--- a/pfctl/pfctl.h
+++ b/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */
+/* $OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -112,9 +112,9 @@ struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
-void print_host(struct pf_state_host *, sa_family_t, int);
-void print_seq(struct pf_state_peer *);
-void print_state(struct pf_state *, int);
+void print_host(struct pfsync_state_host *, sa_family_t, int);
+void print_seq(struct pfsync_state_peer *);
+void print_state(struct pfsync_state *, int);
int unmask(struct pf_addr *, sa_family_t);
int pfctl_cmdline_symset(char *);
diff --git a/pfctl/pfctl_altq.c b/pfctl/pfctl_altq.c
index b4faaa0446452..b2397fcd07853 100644
--- a/pfctl/pfctl_altq.c
+++ b/pfctl/pfctl_altq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */
+/* $OpenBSD: pfctl_altq.c,v 1.92 2007/05/27 05:15:17 claudio Exp $ */
/*
* Copyright (c) 2002
@@ -1091,8 +1091,6 @@ getifspeed(char *ifname)
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFDATA");
- if (shutdown(s, SHUT_RDWR) == -1)
- err(1, "shutdown");
if (close(s))
err(1, "close");
return ((u_int32_t)ifrdat.ifi_baudrate);
@@ -1112,8 +1110,6 @@ getifmtu(char *ifname)
errx(1, "getifmtu: strlcpy");
if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFMTU");
- if (shutdown(s, SHUT_RDWR) == -1)
- err(1, "shutdown");
if (close(s))
err(1, "close");
if (ifr.ifr_mtu > 0)
diff --git a/pflogd/Makefile b/pflogd/Makefile
new file mode 100644
index 0000000000000..377cad99635b8
--- /dev/null
+++ b/pflogd/Makefile
@@ -0,0 +1,11 @@
+# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
+
+CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
+LDADD+= -lpcap -lutil
+DPADD+= ${LIBPCAP} ${LIBUTIL}
+
+PROG= pflogd
+SRCS= pflogd.c privsep.c privsep_fdpass.c
+MAN= pflogd.8
+
+.include <bsd.prog.mk>
diff --git a/pflogd/pflogd.8 b/pflogd/pflogd.8
index cbb7802419e6c..4c5762b380b95 100644
--- a/pflogd/pflogd.8
+++ b/pflogd/pflogd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
+.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd July 9, 2001
+.Dd $Mdocdate$
.Dt PFLOGD 8
.Os
.Sh NAME
@@ -32,12 +32,15 @@
.Nd packet filter logging daemon
.Sh SYNOPSIS
.Nm pflogd
+.Bk -words
.Op Fl Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl i Ar interface
+.Op Fl p Ar pidfile
.Op Fl s Ar snaplen
.Op Ar expression
+.Ek
.Sh DESCRIPTION
.Nm
is a background daemon which reads packets logged by
@@ -114,6 +117,14 @@ By default,
.Nm
will use
.Ar pflog0 .
+.It Fl p Ar pidfile
+Writes a file containing the process ID of the program.
+The file name has the form
+.Pa /var/run/pidname.pid .
+If the option is not given,
+.Ar pidfile
+defaults to
+.Pa pflogd .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen
diff --git a/pflogd/pflogd.c b/pflogd/pflogd.c
index 168deb12edd0e..cd7a273924aec 100644
--- a/pflogd/pflogd.c
+++ b/pflogd/pflogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $ */
+/* $OpenBSD: pflogd.c,v 1.45 2007/06/06 14:11:26 henning Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@@ -34,6 +34,8 @@
#include <sys/ioctl.h>
#include <sys/file.h>
#include <sys/stat.h>
+#include <sys/socket.h>
+#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -42,6 +44,7 @@
#include <pcap.h>
#include <syslog.h>
#include <signal.h>
+#include <err.h>
#include <errno.h>
#include <stdarg.h>
#include <fcntl.h>
@@ -70,6 +73,7 @@ char *copy_argv(char * const *);
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
int flush_buffer(FILE *);
+int if_exists(char *);
int init_pcap(void);
void logmsg(int, const char *, ...);
void purge_buffer(void);
@@ -151,8 +155,8 @@ __dead void
usage(void)
{
fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
- fprintf(stderr, " [-i interface] [-s snaplen]\n");
- fprintf(stderr, " [expression]\n");
+ fprintf(stderr, " [-i interface] [-p pidfile]\n");
+ fprintf(stderr, " [-s snaplen] [expression]\n");
exit(1);
}
@@ -189,6 +193,28 @@ set_pcap_filter(void)
}
int
+if_exists(char *ifname)
+{
+ int s;
+ struct ifreq ifr;
+ struct if_data ifrdat;
+
+ if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+ err(1, "socket");
+ bzero(&ifr, sizeof(ifr));
+ if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
+ sizeof(ifr.ifr_name))
+ errx(1, "main ifr_name: strlcpy");
+ ifr.ifr_data = (caddr_t)&ifrdat;
+ if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
+ return (0);
+ if (close(s))
+ err(1, "close");
+
+ return (1);
+}
+
+int
init_pcap(void)
{
hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
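Review bot: The socket opened at the top of if_exists() is leaked on the SIOCGIFDATA failure path, because `return (0)` is reached before `close(s)`; since a later hunk calls this function every time pcap_dispatch() fails, a missing interface leaks one descriptor per loop iteration until the daemon runs out of them. Close the socket before returning: `if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1) { close(s); return (0); }`. The `err(1, "socket")` and `errx(1, "main ifr_name: strlcpy")` calls terminate the daemon directly, which is fine at startup but worth keeping in mind for the runtime call site, and the "main ifr_name" text no longer names the function it lives in; `"if_exists: strlcpy"` would be clearer.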
@@ -528,13 +554,16 @@ int
main(int argc, char **argv)
{
struct pcap_stat pstat;
- int ch, np, Xflag = 0;
+ int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
+ char *pidf = NULL;
+
+ ret = 0;
closefrom(STDERR_FILENO + 1);
- while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "Dxd:f:i:p:s:")) != -1) {
switch (ch) {
case 'D':
Debug = 1;
@@ -550,6 +579,9 @@ main(int argc, char **argv)
case 'i':
interface = optarg;
break;
+ case 'p':
+ pidf = optarg;
+ break;
case 's':
snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
&errstr);
@@ -571,13 +603,21 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
+ /* does interface exist */
+ if (!if_exists(interface)) {
+ warn("Failed to initialize: %s", interface);
+ logmsg(LOG_ERR, "Failed to initialize: %s", interface);
+ logmsg(LOG_ERR, "Exiting, init failure");
+ exit(1);
+ }
+
if (!Debug) {
openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
if (daemon(0, 0)) {
logmsg(LOG_WARNING, "Failed to become daemon: %s",
strerror(errno));
}
- pidfile(NULL);
+ pidfile(pidf);
}
tzset();
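Review bot: The return value of `pidfile(pidf)` is still ignored, so a failure to create the pid file (unwritable /var/run, an over-long -p value) is silent, unlike the daemon() failure just above which is logged; `if (pidfile(pidf) == -1) logmsg(LOG_WARNING, "Failed to write pidfile: %s", strerror(errno));` would match that style. The -p argument is passed to pidfile(3) verbatim, and the removed local pidfile.c shows the path built by concatenating _PATH_VARRUN, the name and ".pid" with no validation, so if the libutil version behaves the same a name containing `/` lands outside /var/run; this is not a privilege boundary since pflogd is started by root, but pflogd.8 describes the result as /var/run/pidname.pid and assumes a plain name. The duplicated warn()/logmsg() pair for the missing interface is harmless but could be folded into one message. main() continues outside this hunk.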
@@ -634,8 +674,15 @@ main(int argc, char **argv)
while (1) {
np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
phandler, (u_char *)dpcap);
- if (np < 0)
+ if (np < 0) {
+ if (!if_exists(interface) == -1) {
+ logmsg(LOG_NOTICE, "interface %s went away",
+ interface);
+ ret = -1;
+ break;
+ }
logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
+ }
if (gotsig_close)
break;
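Review bot: The condition `if (!if_exists(interface) == -1)` can never be true: `!if_exists(interface)` evaluates to 0 or 1, which is then compared against -1, so the "interface went away" branch is dead code and a removed interface leaves the loop spinning, logging pcap_geterr() output on every iteration. It should read `if (!if_exists(interface)) {`. Once that branch is reachable, note that if_exists() (added in an earlier hunk) is called on every failed dispatch and currently does not close its socket on the ioctl failure path, so the fix should go in together with that close. The enclosing while loop and main() continue outside the hunk.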
@@ -675,5 +722,5 @@ main(int argc, char **argv)
pcap_close(hpcap);
if (!Debug)
closelog();
- return (0);
+ return (ret);
}
diff --git a/pflogd/pidfile.c b/pflogd/pidfile.c
deleted file mode 100644
index 61eca262efe2c..0000000000000
--- a/pflogd/pidfile.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* $OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $ */
-/* $NetBSD: pidfile.c,v 1.4 2001/02/19 22:43:42 cgd Exp $ */
-
-/*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Jason R. Thorpe.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the NetBSD
- * Foundation, Inc. and its contributors.
- * 4. Neither the name of The NetBSD Foundation nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/param.h>
-#include <errno.h>
-#include <paths.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#if defined(__FreeBSD__)
-#include "pidfile.h"
-#else
-#include <util.h>
-#endif
-
-static char *pidfile_path;
-static pid_t pidfile_pid;
-
-static void pidfile_cleanup(void);
-
-extern char *__progname;
-
-int
-pidfile(const char *basename)
-{
- FILE *f;
- int save_errno;
- pid_t pid;
-
- if (basename == NULL)
- basename = __progname;
-
- if (pidfile_path != NULL) {
- free(pidfile_path);
- pidfile_path = NULL;
- }
-
- /* _PATH_VARRUN includes trailing / */
- (void) asprintf(&pidfile_path, "%s%s.pid", _PATH_VARRUN, basename);
- if (pidfile_path == NULL)
- return (-1);
-
- if ((f = fopen(pidfile_path, "w")) == NULL) {
- save_errno = errno;
- free(pidfile_path);
- pidfile_path = NULL;
- errno = save_errno;
- return (-1);
- }
-
- pid = getpid();
- if (fprintf(f, "%ld\n", (long)pid) <= 0 || fclose(f) != 0) {
- save_errno = errno;
- (void) unlink(pidfile_path);
- free(pidfile_path);
- pidfile_path = NULL;
- errno = save_errno;
- return (-1);
- }
-
- pidfile_pid = pid;
- if (atexit(pidfile_cleanup) < 0) {
- save_errno = errno;
- (void) unlink(pidfile_path);
- free(pidfile_path);
- pidfile_path = NULL;
- pidfile_pid = 0;
- errno = save_errno;
- return (-1);
- }
-
- return (0);
-}
-
-static void
-pidfile_cleanup(void)
-{
-
- if (pidfile_path != NULL && pidfile_pid == getpid())
- (void) unlink(pidfile_path);
-}
diff --git a/pflogd/pidfile.h b/pflogd/pidfile.h
deleted file mode 100644
index 542325fdcdad0..0000000000000
--- a/pflogd/pidfile.h
+++ /dev/null
@@ -1 +0,0 @@
-int pidfile(const char *);
diff --git a/tftp-proxy/Makefile b/tftp-proxy/Makefile
new file mode 100644
index 0000000000000..b5f4eefc0899c
--- /dev/null
+++ b/tftp-proxy/Makefile
@@ -0,0 +1,7 @@
+# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
+
+PROG= tftp-proxy
+SRCS= tftp-proxy.c filter.c
+MAN= tftp-proxy.8
+
+.include <bsd.prog.mk>
diff --git a/tftp-proxy/filter.c b/tftp-proxy/filter.c
index cd6ce3cd1e7a6..61b3a1756bb1c 100644
--- a/tftp-proxy/filter.c
+++ b/tftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
+/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -297,9 +297,9 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
+ pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
- (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
+ (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
pfr.rule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
diff --git a/tftp-proxy/tftp-proxy.8 b/tftp-proxy/tftp-proxy.8
index b9098ef4d17d0..511b641bce38e 100644
--- a/tftp-proxy/tftp-proxy.8
+++ b/tftp-proxy/tftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
+.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 28, 2005
+.Dd $Mdocdate$
.Dt TFTP-PROXY 8
.Os
.Sh NAME