PERFORCE change 55202 for review
Marcel Moolenaar
marcel at FreeBSD.org
Fri Jun 18 01:16:49 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=55202
Change 55202 by marcel at marcel_nfs on 2004/06/18 01:15:41
IFC @55196
Affected files ...
.. //depot/projects/gdb/Makefile.inc1#11 integrate
.. //depot/projects/gdb/contrib/pf/authpf/authpf.8#2 integrate
.. //depot/projects/gdb/contrib/pf/authpf/authpf.c#3 integrate
.. //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.8#3 integrate
.. //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.c#3 integrate
.. //depot/projects/gdb/contrib/pf/ftp-proxy/util.c#2 integrate
.. //depot/projects/gdb/contrib/pf/man/pf.4#3 integrate
.. //depot/projects/gdb/contrib/pf/man/pf.conf.5#2 integrate
.. //depot/projects/gdb/contrib/pf/man/pf.os.5#2 integrate
.. //depot/projects/gdb/contrib/pf/man/pflog.4#3 integrate
.. //depot/projects/gdb/contrib/pf/man/pfsync.4#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/parse.y#4 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pf_print_state.c#2 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl.8#2 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl.h#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_altq.c#4 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_osfp.c#2 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_parser.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_parser.h#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_qstats.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_radix.c#2 integrate
.. //depot/projects/gdb/contrib/pf/pfctl/pfctl_table.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pflogd/pflogd.8#2 integrate
.. //depot/projects/gdb/contrib/pf/pflogd/pflogd.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pflogd/pflogd.h#1 branch
.. //depot/projects/gdb/contrib/pf/pflogd/pidfile.c#3 integrate
.. //depot/projects/gdb/contrib/pf/pflogd/privsep.c#1 branch
.. //depot/projects/gdb/contrib/pf/pflogd/privsep_fdpass.c#1 branch
.. //depot/projects/gdb/gnu/usr.bin/binutils/libbfd/Makefile.sparc64#2 integrate
.. //depot/projects/gdb/gnu/usr.bin/binutils/libbfd/sparc64/elf64-sparc.c-bad-rtld.diff#1 branch
.. //depot/projects/gdb/lib/libarchive/archive_read_extract.c#16 integrate
.. //depot/projects/gdb/lib/libc/posix1e/Makefile.inc#2 integrate
.. //depot/projects/gdb/lib/libc/posix1e/mac_get.3#2 integrate
.. //depot/projects/gdb/lib/libc/sys/clock_gettime.2#2 integrate
.. //depot/projects/gdb/lib/libkvm/kvm_proc.c#5 integrate
.. //depot/projects/gdb/libexec/Makefile#4 integrate
.. //depot/projects/gdb/libexec/rtld-elf/Makefile#4 integrate
.. //depot/projects/gdb/libexec/rtld-elf/arm/Makefile.inc#2 integrate
.. //depot/projects/gdb/sbin/geom/class/concat/geom_concat.c#2 integrate
.. //depot/projects/gdb/sbin/geom/class/stripe/geom_stripe.c#2 integrate
.. //depot/projects/gdb/sbin/pfctl/Makefile#2 integrate
.. //depot/projects/gdb/sbin/pflogd/Makefile#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_barrier_destroy.3#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_barrierattr.3#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_rwlock_timedrdlock.3#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_rwlock_timedwrlock.3#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_spin_init.3#2 integrate
.. //depot/projects/gdb/share/man/man3/pthread_spin_lock.3#2 integrate
.. //depot/projects/gdb/share/man/man4/acpi_video.4#2 integrate
.. //depot/projects/gdb/share/man/man4/bfe.4#3 integrate
.. //depot/projects/gdb/share/man/man4/dcons.4#2 integrate
.. //depot/projects/gdb/share/man/man4/dcons_crom.4#2 integrate
.. //depot/projects/gdb/share/man/man4/en.4#2 integrate
.. //depot/projects/gdb/share/man/man4/fla.4#2 integrate
.. //depot/projects/gdb/share/man/man4/gem.4#2 integrate
.. //depot/projects/gdb/share/man/man4/harp.4#2 integrate
.. //depot/projects/gdb/share/man/man4/hme.4#3 integrate
.. //depot/projects/gdb/share/man/man4/idt.4#2 integrate
.. //depot/projects/gdb/share/man/man4/man4.i386/arl.4#3 integrate
.. //depot/projects/gdb/sys/amd64/amd64/pmap.c#14 integrate
.. //depot/projects/gdb/sys/arm/arm/nexus_io.c#3 integrate
.. //depot/projects/gdb/sys/arm/include/bus.h#3 integrate
.. //depot/projects/gdb/sys/arm/sa11x0/assabet_machdep.c#2 integrate
.. //depot/projects/gdb/sys/arm/sa11x0/sa11x0_io.c#3 integrate
.. //depot/projects/gdb/sys/boot/i386/boot0/boot0.S#4 integrate
.. //depot/projects/gdb/sys/boot/pc98/libpc98/biosdisk.c#3 integrate
.. //depot/projects/gdb/sys/cam/scsi/scsi_target.c#4 integrate
.. //depot/projects/gdb/sys/coda/coda.h#3 integrate
.. //depot/projects/gdb/sys/coda/coda_fbsd.c#5 integrate
.. //depot/projects/gdb/sys/coda/coda_venus.c#4 integrate
.. //depot/projects/gdb/sys/compat/freebsd32/freebsd32_misc.c#6 integrate
.. //depot/projects/gdb/sys/compat/linux/linux_stats.c#5 integrate
.. //depot/projects/gdb/sys/compat/svr4/svr4_socket.c#2 integrate
.. //depot/projects/gdb/sys/compat/svr4/svr4_socket.h#2 integrate
.. //depot/projects/gdb/sys/compat/svr4/svr4_stream.c#3 integrate
.. //depot/projects/gdb/sys/compat/svr4/svr4_types.h#3 integrate
.. //depot/projects/gdb/sys/conf/files#29 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/if_pflog.c#7 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/if_pflog.h#3 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/if_pfsync.c#7 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/if_pfsync.h#3 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pf.c#7 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pf_if.c#1 branch
.. //depot/projects/gdb/sys/contrib/pf/net/pf_ioctl.c#9 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pf_norm.c#4 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pf_osfp.c#3 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pf_subr.c#1 branch
.. //depot/projects/gdb/sys/contrib/pf/net/pf_table.c#3 integrate
.. //depot/projects/gdb/sys/contrib/pf/net/pfvar.h#4 integrate
.. //depot/projects/gdb/sys/contrib/pf/netinet/in4_cksum.c#2 integrate
.. //depot/projects/gdb/sys/dev/an/if_an.c#4 integrate
.. //depot/projects/gdb/sys/dev/ata/ata-chipset.c#10 integrate
.. //depot/projects/gdb/sys/dev/ata/atapi-cam.c#4 integrate
.. //depot/projects/gdb/sys/dev/cp/if_cp.c#5 integrate
.. //depot/projects/gdb/sys/dev/ctau/if_ct.c#5 integrate
.. //depot/projects/gdb/sys/dev/cx/if_cx.c#9 integrate
.. //depot/projects/gdb/sys/dev/cy/cy.c#8 integrate
.. //depot/projects/gdb/sys/dev/dcons/dcons.c#10 integrate
.. //depot/projects/gdb/sys/dev/digi/digi.c#8 integrate
.. //depot/projects/gdb/sys/dev/firewire/fwdev.c#8 integrate
.. //depot/projects/gdb/sys/dev/led/led.c#7 integrate
.. //depot/projects/gdb/sys/dev/nmdm/nmdm.c#9 integrate
.. //depot/projects/gdb/sys/dev/snp/snp.c#6 integrate
.. //depot/projects/gdb/sys/dev/sound/pcm/dsp.c#5 integrate
.. //depot/projects/gdb/sys/dev/sound/pcm/mixer.c#5 integrate
.. //depot/projects/gdb/sys/dev/syscons/syscons.c#11 integrate
.. //depot/projects/gdb/sys/dev/vinum/vinum.c#4 integrate
.. //depot/projects/gdb/sys/dev/vinum/vinumconfig.c#4 integrate
.. //depot/projects/gdb/sys/dev/vinum/vinumio.c#5 integrate
.. //depot/projects/gdb/sys/fs/devfs/devfs_vnops.c#4 integrate
.. //depot/projects/gdb/sys/fs/fifofs/fifo_vnops.c#7 integrate
.. //depot/projects/gdb/sys/fs/portalfs/portal_vnops.c#5 integrate
.. //depot/projects/gdb/sys/fs/specfs/spec_vnops.c#10 integrate
.. //depot/projects/gdb/sys/geom/geom_dev.c#5 integrate
.. //depot/projects/gdb/sys/i386/i386/bios.c#6 integrate
.. //depot/projects/gdb/sys/i386/i386/pmap.c#9 integrate
.. //depot/projects/gdb/sys/isofs/cd9660/cd9660_node.h#4 integrate
.. //depot/projects/gdb/sys/isofs/cd9660/cd9660_rrip.c#3 integrate
.. //depot/projects/gdb/sys/kern/kern_acct.c#4 integrate
.. //depot/projects/gdb/sys/kern/kern_conf.c#7 integrate
.. //depot/projects/gdb/sys/kern/kern_proc.c#9 integrate
.. //depot/projects/gdb/sys/kern/kern_shutdown.c#8 integrate
.. //depot/projects/gdb/sys/kern/kern_time.c#3 integrate
.. //depot/projects/gdb/sys/kern/sys_socket.c#5 integrate
.. //depot/projects/gdb/sys/kern/tty_cons.c#7 integrate
.. //depot/projects/gdb/sys/kern/tty_pty.c#10 integrate
.. //depot/projects/gdb/sys/kern/tty_tty.c#4 integrate
.. //depot/projects/gdb/sys/kern/uipc_socket.c#10 integrate
.. //depot/projects/gdb/sys/kern/uipc_socket2.c#10 integrate
.. //depot/projects/gdb/sys/kern/uipc_usrreq.c#9 integrate
.. //depot/projects/gdb/sys/kern/vfs_aio.c#4 integrate
.. //depot/projects/gdb/sys/kern/vfs_bio.c#8 integrate
.. //depot/projects/gdb/sys/kern/vfs_mount.c#7 integrate
.. //depot/projects/gdb/sys/kern/vfs_subr.c#11 integrate
.. //depot/projects/gdb/sys/modules/Makefile#13 integrate
.. //depot/projects/gdb/sys/modules/pf/Makefile#3 integrate
.. //depot/projects/gdb/sys/modules/pflog/Makefile#3 delete
.. //depot/projects/gdb/sys/modules/pfsync/Makefile#3 delete
.. //depot/projects/gdb/sys/net/bpf.c#7 integrate
.. //depot/projects/gdb/sys/net/if_tap.c#7 integrate
.. //depot/projects/gdb/sys/net/if_tun.c#7 integrate
.. //depot/projects/gdb/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c#7 integrate
.. //depot/projects/gdb/sys/netgraph/bluetooth/drivers/ubtbcmfw/ubtbcmfw.c#5 integrate
.. //depot/projects/gdb/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#7 integrate
.. //depot/projects/gdb/sys/netgraph/ng_ksocket.c#6 integrate
.. //depot/projects/gdb/sys/netinet/in.h#4 integrate
.. //depot/projects/gdb/sys/netinet/in_proto.c#5 integrate
.. //depot/projects/gdb/sys/netsmb/smb_dev.c#6 integrate
.. //depot/projects/gdb/sys/netsmb/smb_trantcp.c#4 integrate
.. //depot/projects/gdb/sys/nfs4client/nfs4_vn_subs.c#2 integrate
.. //depot/projects/gdb/sys/nfsclient/nfs_bio.c#7 integrate
.. //depot/projects/gdb/sys/nfsclient/nfs_subs.c#7 integrate
.. //depot/projects/gdb/sys/nfsserver/nfs_serv.c#8 integrate
.. //depot/projects/gdb/sys/nfsserver/nfs_syscalls.c#8 integrate
.. //depot/projects/gdb/sys/sys/_types.h#5 integrate
.. //depot/projects/gdb/sys/sys/acct.h#3 integrate
.. //depot/projects/gdb/sys/sys/conf.h#8 integrate
.. //depot/projects/gdb/sys/sys/mbuf.h#12 integrate
.. //depot/projects/gdb/sys/sys/param.h#15 integrate
.. //depot/projects/gdb/sys/sys/snoop.h#2 integrate
.. //depot/projects/gdb/sys/sys/stat.h#4 integrate
.. //depot/projects/gdb/sys/sys/systm.h#8 integrate
.. //depot/projects/gdb/sys/sys/tty.h#7 integrate
.. //depot/projects/gdb/sys/sys/types.h#8 integrate
.. //depot/projects/gdb/sys/sys/user.h#5 integrate
.. //depot/projects/gdb/sys/sys/vnode.h#7 integrate
.. //depot/projects/gdb/sys/vm/swap_pager.c#6 integrate
.. //depot/projects/gdb/sys/vm/vm_page.c#10 integrate
.. //depot/projects/gdb/sys/vm/vm_param.h#3 integrate
.. //depot/projects/gdb/usr.bin/fstat/fstat.c#3 integrate
.. //depot/projects/gdb/usr.bin/fstat/fstat.h#2 integrate
.. //depot/projects/gdb/usr.bin/kdump/mkioctls#3 integrate
.. //depot/projects/gdb/usr.bin/pkill/pkill.c#3 integrate
.. //depot/projects/gdb/usr.sbin/boot0cfg/boot0cfg.8#3 integrate
.. //depot/projects/gdb/usr.sbin/pw/psdate.c#2 integrate
.. //depot/projects/gdb/usr.sbin/pw/pw_user.c#2 integrate
.. //depot/projects/gdb/usr.sbin/pw/pw_vpw.c#2 integrate
Differences ...
==== //depot/projects/gdb/Makefile.inc1#11 (text+ko) ====
@@ -1,5 +1,5 @@
#
-# $FreeBSD: src/Makefile.inc1,v 1.427 2004/05/17 16:19:51 ru Exp $
+# $FreeBSD: src/Makefile.inc1,v 1.430 2004/06/17 08:06:41 obrien Exp $
#
# Make command line options:
# -DNO_DYNAMICROOT do not link /bin and /sbin dynamically
@@ -62,7 +62,10 @@
.if !defined(NOSHARE)
SUBDIR+=share
.endif
-SUBDIR+=sys usr.bin usr.sbin etc
+.if ${MACHINE_ARCH} != "alpha"
+SUBDIR+=sys
+.endif
+SUBDIR+=usr.bin usr.sbin etc
# These are last, since it is nice to at least get the base system
# rebuilt before you do them.
==== //depot/projects/gdb/contrib/pf/authpf/authpf.8#2 (text+ko) ====
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.30 2003/08/17 23:24:47 henning Exp $
+.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
.\"
.\" Copyright (c) 2002 Bob Beck (beck at openbsd.org>. All rights reserved.
.\"
@@ -84,9 +84,9 @@
processes.
By default, the
.Pa anchor
-name "authpf" is used, and the ruleset names equal the PIDs of the
+name "authpf" is used, and the ruleset names equal the username and PID of the
.Nm
-processes.
+processes as "username(pid)".
The following rules need to be added to the main ruleset
.Pa /etc/pf.conf
in order to cause evaluation of any
@@ -263,7 +263,8 @@
.Pa /etc/authpf/authpf.conf
file.
.Sh EXAMPLES
-\fBControl Files\fP - To illustrate the user-specific access control
+.Sy Control Files
+\- To illustrate the user-specific access control
mechanisms, let us consider a typical user named bob.
Normally, as long as bob can authenticate himself, the
.Nm
@@ -298,7 +299,8 @@
Though bob is listed in the allow file, he is prevented from using
this gateway due to the existence of a ban file.
.Pp
-\fBDistributed Authentication\fP - It is often desirable to interface with a
+.Sy Distributed Authentication
+\- It is often desirable to interface with a
distributed password system rather than forcing the sysadmins to keep a large
number of local password files in sync.
The
@@ -332,7 +334,8 @@
as their shell except for root who will get
.Pa /bin/csh .
.Pp
-\fBSSH Configuration\fP - As stated earlier,
+.Sy SSH Configuration
+\- As stated earlier,
.Xr sshd 8
must be properly configured to detect and defeat network attacks.
To that end, the following options should be added to
@@ -346,7 +349,8 @@
This ensures that unresponsive or spoofed sessions are terminated within a
minute, since a hijacker should not be able to spoof ssh keepalive messages.
.Pp
-\fBBanners\fP - Once authenticated, the user is shown the contents of
+.Sy Banners
+\- Once authenticated, the user is shown the contents of
.Pa /etc/authpf/authpf.message .
This message may be a screen-full of the appropriate use policy, the contents
of
@@ -366,7 +370,8 @@
an email to remove at bulkmailerz.net.
.Ed
.Pp
-\fBPacket Filter Rules\fP - In areas where this gateway is used to protect a
+.Sy Packet Filter Rules
+\- In areas where this gateway is used to protect a
wireless network (a hub with several hundred ports), the default rule set as
well as the per-user rules should probably allow very few things beyond
encrypted protocols like
@@ -378,15 +383,14 @@
given authentication accounts, you might want to allow out everything.
In this context, a secure switch is one that tries to prevent address table
overflow attacks.
-The examples below assume a switched wired net.
.Pp
Example
.Pa /etc/pf.conf :
.Bd -literal
# by default we allow internal clients to talk to us using
# ssh and use us as a dns server.
-internal_if=\&"fxp1\&"
-gateway_addr=\&"10.0.1.1\&"
+internal_if="fxp1"
+gateway_addr="10.0.1.1"
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf
@@ -398,26 +402,28 @@
anchor authpf
.Ed
.Pp
-Example
-.Pa /etc/authpf/authpf.rules :
+.Sy For a switched, wired net
+\- This example
+.Pa /etc/authpf/authpf.rules
+makes no real restrictions; it turns the IP address on and off, logging
+TCP connections.
.Bd -literal
-# no real restrictions here, basically turn the network jack off or on.
-
-external_if = \&"xl0\&"
-internal_if = \&"fxp0\&"
+external_if = "xl0"
+internal_if = "fxp0"
pass in log quick on $internal_if proto tcp from $user_ip to any \e
keep state
pass in quick on $internal_if from $user_ip to any
.Ed
.Pp
-Another example
+.Sy For a wireless or shared net
+\- This example
.Pa /etc/authpf/authpf.rules
-for an insecure network (such as a public wireless network) where
+could be used for an insecure network (such as a public wireless network) where
we might need to be a bit more restrictive.
.Bd -literal
-internal_if=\&"fxp1\&"
-ipsec_gw=\&"10.2.3.4\&"
+internal_if="fxp1"
+ipsec_gw="10.2.3.4"
# rdr ftp for proxying by ftp-proxy(8)
rdr on $internal_if proto tcp from $user_ip to any port 21 \e
@@ -433,6 +439,32 @@
keep state
pass in quick proto esp from $user_ip to $ipsec_gw
.Ed
+.Pp
+.Sy Dealing with NAT
+\- The following
+.Pa /etc/authpf/authpf.rules
+shows how to deal with NAT, using tags:
+.Bd -literal
+ext_if = "fxp1"
+ext_addr = 129.128.11.10
+int_if = "fxp0"
+# nat and tag connections...
+nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
+pass in quick on $int_if from $user_ip to any
+pass out log quick on $ext_if tagged $user_ip keep state
+.Ed
+.Pp
+With the above rules added by
+.Nm ,
+outbound connections corresponding to each users NAT'ed connections
+will be logged as in the example below, where the user may be identified
+from the ruleset name.
+.Bd -literal
+# tcpdump -n -e -ttt -i pflog0
+Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
+129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
+16384 <mss 1460,nop,nop,sackOK> (DF)
+.Ed
.Sh FILES
.Bl -tag -width "/etc/authpf/authpf.conf" -compact
.It Pa /etc/authpf/authpf.conf
==== //depot/projects/gdb/contrib/pf/authpf/authpf.c#3 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.68 2003/08/21 19:13:23 frantzen Exp $ */
+/* $OpenBSD: authpf.c,v 1.75 2004/01/29 01:55:10 deraadt Exp $ */
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck at openbsd.org).
@@ -26,7 +26,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.4 2004/03/16 17:24:06 obrien Exp $");
+__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.5 2004/06/16 23:39:30 mlaier Exp $");
#include <sys/param.h>
#include <sys/file.h>
@@ -49,6 +49,7 @@
#include <unistd.h>
#include <pfctl_parser.h>
+#include <pfctl.h>
#include "pathnames.h"
@@ -98,12 +99,6 @@
char *cp;
uid_t uid;
- if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
- (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
- syslog(LOG_ERR, "pid too large for ruleset name");
- exit(1);
- }
-
config = fopen(PATH_CONFFILE, "r");
if ((cp = getenv("SSH_TTY")) == NULL) {
@@ -131,7 +126,6 @@
"cannot determine IP from SSH_CLIENT %s", ipsrc);
exit(1);
}
-
/* open the pf device */
dev = open(PATH_DEVFILE, O_RDWR);
if (dev == -1) {
@@ -160,6 +154,18 @@
goto die;
}
+ if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
+ luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+ syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
+ luser, (long)getpid(), (long)getpid());
+ if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
+ (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+ syslog(LOG_ERR, "pid too large for ruleset name");
+ goto die;
+ }
+ }
+
+
/* Make our entry in /var/authpf as /var/authpf/ipaddr */
n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
if (n < 0 || (u_int)n >= sizeof(pidfile)) {
@@ -242,15 +248,22 @@
seteuid(getuid());
setuid(getuid());
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser))
+ openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
+
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
+ }
- openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (config == NULL || read_config(config))
+ if (config == NULL || read_config(config)) {
+ syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE);
do_death(0);
+ }
- if (remove_stale_rulesets())
+ if (remove_stale_rulesets()) {
+ syslog(LOG_INFO, "error removing stale rulesets");
do_death(0);
+ }
/* We appear to be making headway, so actually mark our pid */
rewind(pidfp);
@@ -260,7 +273,7 @@
if (change_filter(1, luser, ipsrc) == -1) {
printf("Unable to modify filters\r\n");
- do_death(1);
+ do_death(0);
}
signal(SIGTERM, need_death);
@@ -545,15 +558,20 @@
mnr = prs.nr;
nr = 0;
while (nr < mnr) {
- char *s;
+ char *s, *t;
pid_t pid;
prs.nr = nr;
if (ioctl(dev, DIOCGETRULESET, &prs))
return (1);
errno = 0;
- pid = strtoul(prs.name, &s, 10);
- if (!prs.name[0] || errno || *s)
+ if ((t = strchr(prs.name, '(')) == NULL)
+ t = prs.name;
+ else
+ t++;
+ pid = strtoul(t, &s, 10);
+ if (!prs.name[0] || errno ||
+ (*s && (t == prs.name || *s != ')')))
return (1);
if (kill(pid, 0) && errno != EPERM) {
int i;
@@ -585,14 +603,11 @@
{
char fn[MAXPATHLEN];
FILE *f = NULL;
- const int action[PF_RULESET_MAX] = { PF_SCRUB,
- PF_PASS, PF_NAT, PF_BINAT, PF_RDR };
struct pfctl pf;
- struct pfioc_rule pr[PF_RULESET_MAX];
+ struct pfr_buffer t;
int i;
- if (luser == NULL || !luser[0] || strlen(luser) >=
- PF_RULESET_NAME_SIZE || ipsrc == NULL || !ipsrc[0]) {
+ if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
syslog(LOG_ERR, "invalid luser/ipsrc");
goto error;
}
@@ -624,18 +639,18 @@
syslog(LOG_ERR, "unable to load kernel's OS fingerprints");
goto error;
}
-
+ bzero(&t, sizeof(t));
+ t.pfrb_type = PFRB_TRANS;
memset(&pf, 0, sizeof(pf));
for (i = 0; i < PF_RULESET_MAX; ++i) {
- memset(&pr[i], 0, sizeof(pr[i]));
- pr[i].rule.action = action[i];
- strlcpy(pr[i].anchor, anchorname, sizeof(pr[i].anchor));
- strlcpy(pr[i].ruleset, rulesetname, sizeof(pr[i].ruleset));
- if (ioctl(dev, DIOCBEGINRULES, &pr[i])) {
- syslog(LOG_ERR, "DIOCBEGINRULES %m");
+ if (pfctl_add_trans(&t, i, anchorname, rulesetname)) {
+ syslog(LOG_ERR, "pfctl_add_trans %m");
goto error;
}
- pf.prule[i] = &pr[i];
+ }
+ if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
+ syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove");
+ goto error;
}
if (add) {
@@ -646,6 +661,10 @@
}
pf.dev = dev;
+ pf.trans = &t;
+ pf.anchor = anchorname;
+ pf.ruleset = rulesetname;
+
infile = fn;
if (parse_rules(f, &pf) < 0) {
syslog(LOG_ERR, "syntax error in rule file: "
@@ -658,16 +677,10 @@
f = NULL;
}
- for (i = 0; i < PF_RULESET_MAX; ++i)
- /*
- * ignore EINVAL on removal, it means the anchor was
- * already automatically removed by the kernel.
- */
- if (ioctl(dev, DIOCCOMMITRULES, &pr[i]) &&
- (add || errno != EINVAL)) {
- syslog(LOG_ERR, "DIOCCOMMITRULES %m");
- goto error;
- }
+ if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) {
+ syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove");
+ goto error;
+ }
if (add) {
gettimeofday(&Tstart, NULL);
@@ -682,6 +695,8 @@
error:
if (f != NULL)
fclose(f);
+ if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0))
+ syslog(LOG_ERR, "DIOCXROLLBACK (%s) %m", add?"add":"remove");
infile = NULL;
return (-1);
@@ -761,37 +776,44 @@
int
pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
{
- struct pfioc_rule *pr;
+ u_int8_t rs_num;
+ struct pfioc_rule pr;
switch (r->action) {
case PF_PASS:
case PF_DROP:
- pr = pf->prule[PF_RULESET_FILTER];
+ rs_num = PF_RULESET_FILTER;
break;
case PF_SCRUB:
- pr = pf->prule[PF_RULESET_SCRUB];
+ rs_num = PF_RULESET_SCRUB;
break;
case PF_NAT:
case PF_NONAT:
- pr = pf->prule[PF_RULESET_NAT];
+ rs_num = PF_RULESET_NAT;
break;
case PF_RDR:
case PF_NORDR:
- pr = pf->prule[PF_RULESET_RDR];
+ rs_num = PF_RULESET_RDR;
break;
case PF_BINAT:
case PF_NOBINAT:
- pr = pf->prule[PF_RULESET_BINAT];
+ rs_num = PF_RULESET_BINAT;
break;
default:
syslog(LOG_ERR, "invalid rule action %d", r->action);
return (1);
}
+
+ bzero(&pr, sizeof(pr));
+ strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor));
+ strlcpy(pr.ruleset, pf->ruleset, sizeof(pr.ruleset));
if (pfctl_add_pool(pf, &r->rpool, r->af))
return (1);
- pr->pool_ticket = pf->paddr.ticket;
- memcpy(&pr->rule, r, sizeof(pr->rule));
- if (ioctl(pf->dev, DIOCADDRULE, pr)) {
+ pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor,
+ pf->ruleset);
+ pr.pool_ticket = pf->paddr.ticket;
+ memcpy(&pr.rule, r, sizeof(pr.rule));
+ if (ioctl(pf->dev, DIOCADDRULE, &pr)) {
syslog(LOG_ERR, "DIOCADDRULE %m");
return (1);
}
@@ -852,6 +874,13 @@
}
int
+pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
+{
+ fprintf(stderr, "set hostid not supported in authpf\n");
+ return (1);
+}
+
+int
pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
{
fprintf(stderr, "set timeout not supported in authpf\n");
@@ -866,6 +895,13 @@
}
int
+pfctl_set_debug(struct pfctl *pf, char *d)
+{
+ fprintf(stderr, "set debug not supported in authpf\n");
+ return (1);
+}
+
+int
pfctl_define_table(char *name, int flags, int addrs, const char *anchor,
const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket)
{
@@ -875,10 +911,14 @@
int
pfctl_rules(int dev, char *filename, int opts, char *anchorname,
- char *rulesetname)
+ char *rulesetname, struct pfr_buffer *t)
{
/* never called, no anchors inside anchors, but we need the stub */
fprintf(stderr, "load anchor not supported from authpf\n");
return (1);
}
+void
+pfctl_print_title(char *title)
+{
+}
==== //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.8#3 (text+ko) ====
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.37 2003/09/05 12:27:47 jmc Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $
.\"
.\" Copyright (c) 1996-2001
.\" Obtuse Systems Corporation, All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.2 2004/05/27 23:51:05 mlaier Exp $
+.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.3 2004/06/16 23:39:30 mlaier Exp $
.\"
.Dd August 17, 2001
.Dt FTP-PROXY 8
@@ -38,10 +38,11 @@
.Sh SYNOPSIS
.Nm ftp-proxy
.Op Fl AnrVw
+.Op Fl a Ar address
.Op Fl D Ar debuglevel
.Op Fl g Ar group
+.Op Fl M Ar maxport
.Op Fl m Ar minport
-.Op Fl M Ar maxport
.Op Fl t Ar timeout
.Op Fl u Ar user
.Sh DESCRIPTION
@@ -67,6 +68,26 @@
.Qq anonymous
only.
Any attempt to log in as another user will be blocked by the proxy.
+.It Fl a Ar address
+Specify the local IP address to use in
+.Xr bind 2
+as the source for connections made by
+.Nm ftp-proxy
+when connecting to destination FTP servers.
+This may be necessary if the interface address of
+your default route is not reachable from the destinations
+.Nm
+is attempting connections to, or this address is different from the one
+connections are being NATed to.
+In the usual case this means that
+.Ar address
+should be a publicly visible IP address assigned to one of
+the interfaces on the machine running
+.Nm
+and should be the same address to which you are translating traffic
+if you are using the
+.Fl n
+option.
.It Fl D Ar debuglevel
Specify a debug level, where the proxy emits verbose debug output
into
@@ -82,6 +103,14 @@
By default,
.Nm
uses the default group of the user it drops privilege to.
+.It Fl M Ar maxport
+Specify the upper end of the port range the proxy will use for the
+data connections it establishes.
+The default is
+.Dv IPPORT_HILASTAUTO
+defined in
+.Aq Pa netinet/in.h
+as 65535.
.It Fl m Ar minport
Specify the lower end of the port range the proxy will use for all
data connections it establishes.
@@ -90,14 +119,6 @@
defined in
.Aq Pa netinet/in.h
as 49152.
-.It Fl M Ar maxport
-Specify the upper end of the port range the proxy will use for the
-data connections it establishes.
-The default is
-.Dv IPPORT_HILASTAUTO
-defined in
-.Aq Pa netinet/in.h
-as 65535.
.It Fl n
Activate network address translation
.Pq NAT
@@ -175,8 +196,8 @@
.Xr pf.conf 5
rule such as
.Bd -literal -offset 2n
-int_if = xl0
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+int_if = \&"xl0\&"
+rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
.Ed
.Pp
.Xr inetd 8
==== //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.c#3 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.33 2003/08/22 21:50:34 david Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */
/*
* Copyright (c) 1996-2001
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.c,v 1.4 2004/03/16 17:24:06 obrien Exp $");
+__FBSDID("$FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.c,v 1.5 2004/06/16 23:39:31 mlaier Exp $");
/*
* ftp proxy, Originally based on juniper_ftp_proxy from the Obtuse
@@ -151,6 +151,7 @@
extern int Debug_Level;
extern int Use_Rdns;
+extern in_addr_t Bind_Addr;
extern char *__progname;
typedef enum {
@@ -174,9 +175,8 @@
usage(void)
{
syslog(LOG_NOTICE,
- "usage: %s [-AnrVw] [-D debuglevel] [-g group] %s %s",
- __progname, "[-m minport] [-M maxport] [-t timeout]",
- "[-u user]");
+ "usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]"
+ " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname);
exit(EX_USAGE);
}
@@ -976,9 +976,18 @@
int use_tcpwrapper = 0;
#endif /* LIBWRAP */
- while ((ch = getopt(argc, argv, "D:g:m:M:t:u:AnVwr")) != -1) {
+ while ((ch = getopt(argc, argv, "a:D:g:m:M:t:u:AnVwr")) != -1) {
char *p;
switch (ch) {
+ case 'a':
+ if (!*optarg)
+ usage();
+ if ((Bind_Addr = inet_addr(optarg)) == INADDR_NONE) {
+ syslog(LOG_NOTICE,
+ "%s: invalid address", optarg);
+ usage();
+ }
+ break;
case 'A':
AnonFtpOnly = 1; /* restrict to anon usernames only */
break;
==== //depot/projects/gdb/contrib/pf/ftp-proxy/util.c#2 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.16 2003/06/28 01:04:57 deraadt Exp $ */
+/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */
/*
* Copyright (c) 1996-2001
@@ -58,6 +58,7 @@
int Debug_Level;
int Use_Rdns;
+in_addr_t Bind_Addr = INADDR_NONE;
void debuglog(int debug_level, const char *fmt, ...);
@@ -77,7 +78,8 @@
struct sockaddr_in *client_sa_ptr)
{
struct pfioc_natlook natlook;
- int slen, fd;
+ socklen_t slen;
+ int fd;
slen = sizeof(*real_server_sa_ptr);
if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr,
@@ -257,10 +259,13 @@
bzero(&sa, sizeof sa);
sa.sin_family = AF_INET;
- if (sap == NULL)
- sa.sin_addr.s_addr = INADDR_ANY;
+ if (Bind_Addr == INADDR_NONE)
+ if (sap == NULL)
+ sa.sin_addr.s_addr = INADDR_ANY;
+ else
+ sa.sin_addr.s_addr = sap->sin_addr.s_addr;
else
- sa.sin_addr.s_addr = sap->sin_addr.s_addr;
+ sa.sin_addr.s_addr = Bind_Addr;
/*
* Indicate that we want to reuse a port if it happens that the
==== //depot/projects/gdb/contrib/pf/man/pf.4#3 (text+ko) ====
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $
+.\" $OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/contrib/pf/man/pf.4,v 1.2 2004/04/18 13:59:12 mlaier Exp $
+.\" $FreeBSD: src/contrib/pf/man/pf.4,v 1.3 2004/06/16 23:39:31 mlaier Exp $
.\"
.Dd June 24, 2001
.Dt PF 4
@@ -75,11 +75,7 @@
Starts the ALTQ bandwidth control system.
.It Dv DIOCSTOPALTQ
Stops the ALTQ bandwidth control system.
-.It Dv DIOCBEGINADDRS Fa "u_int32_t"
-Clears the buffer address pool
-and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and
-DIOCCHANGERULE calls.
-.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr"
+.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr"
.Bd -literal
struct pfioc_pooladdr {
u_int32_t action;
@@ -95,16 +91,17 @@
};
.Ed
.Pp
+Clears the buffer address pool
+and returns a
+.Va ticket
+for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
+.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr"
+.Pp
Adds pool address
.Va addr
to the buffer address pool to be used in the following
DIOCADDRULE or DIOCCHANGERULE call.
All other members of the structure are ignored.
-.It Dv DIOCBEGINRULES Fa "u_int32_t"
-Clears the inactive ruleset for the type of rule indicated by
-.Va rule.action
-and returns a ticket for subsequent
-DIOCADDRULE and DIOCCOMMITRULES calls.
.It Dv DIOCADDRULE Fa "struct pfioc_rule"
.Bd -literal
struct pfioc_rule {
@@ -123,7 +120,7 @@
at the end of the inactive ruleset.
Requires
.Va ticket
-obtained through preceding DIOCBEGINRULES call, and
+obtained through preceding DIOCXBEGIN call, and
.Va pool_ticket
obtained through DIOCBEGINADDRS call.
DIOCADDADDR must also be called if any pool addresses are required.
@@ -136,26 +133,16 @@
and
.Va action
are ignored.
-.It Dv DIOCCOMMITRULES Fa "u_int32_t"
-Switch inactive to active filter ruleset.
-Requires
-.Va ticket .
-.It Dv DIOCBEGINALTQS Fa "u_int32_t"
-Clears the inactive list of queues and returns a ticket for subsequent
-DIOCADDALTQ and DIOCCOMMITALTQS calls.
.It Dv DIOCADDALTQ Fa "struct pfioc_altq"
Adds
.Bd -literal
struct pfioc_altq {
+ u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
struct pf_altq altq;
};
.Ed
-.It Dv DIOCCOMMITALTQS Fa "u_int32_t"
-Switch inactive to active list of queues.
-Requires
-.Va ticket .
.It Dv DIOCGETRULES Fa "struct pfioc_rule"
Returns
.Va ticket
@@ -227,8 +214,6 @@
.Va nbytes
for the queue specified by
.Va nr .
-.It Dv DIOCCLRSTATES
-Clears the state table.
.It Dv DIOCADDSTATE Fa "struct pfioc_state"
Adds a state entry.
.It Dv DIOCGETSTATE Fa "struct pfioc_state"
@@ -249,8 +234,16 @@
int psk_proto;
struct pf_rule_addr psk_src;
struct pf_rule_addr psk_dst;
+ char psk_ifname[IFNAMSIZ];
};
.Ed
+.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill"
+Clears all states.
+It works like
+.Dv DIOCKILLSTATES ,
+but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
+.Fa pfioc_state_kill
+structure.
.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
.Bd -literal
struct pfioc_if {
@@ -262,14 +255,19 @@
.It Dv DIOCGETSTATUS Fa "struct pf_status"
.Bd -literal
struct pf_status {
>>> TRUNCATED FOR MAIL (1000 lines) <<<
More information about the p4-projects
mailing list