svn commit: r185880 - in vendor/pf/dist: authpf ftp-proxy man pfctl pflogd

Max Laier mlaier at FreeBSD.org
Wed Dec 10 12:59:27 PST 2008


Author: mlaier
Date: Wed Dec 10 20:59:26 2008
New Revision: 185880
URL: http://svn.freebsd.org/changeset/base/185880

Log:
  Import OPENBSD_4_3_BASE

Modified:
  vendor/pf/dist/authpf/Makefile
  vendor/pf/dist/authpf/authpf.8
  vendor/pf/dist/authpf/authpf.c
  vendor/pf/dist/authpf/pathnames.h
  vendor/pf/dist/ftp-proxy/filter.c
  vendor/pf/dist/ftp-proxy/ftp-proxy.8
  vendor/pf/dist/ftp-proxy/ftp-proxy.c
  vendor/pf/dist/man/pf.4
  vendor/pf/dist/man/pf.conf.5
  vendor/pf/dist/man/pfsync.4
  vendor/pf/dist/pfctl/parse.y
  vendor/pf/dist/pfctl/pf_print_state.c
  vendor/pf/dist/pfctl/pfctl.c
  vendor/pf/dist/pfctl/pfctl.h
  vendor/pf/dist/pfctl/pfctl_altq.c
  vendor/pf/dist/pfctl/pfctl_optimize.c
  vendor/pf/dist/pfctl/pfctl_parser.c
  vendor/pf/dist/pfctl/pfctl_parser.h
  vendor/pf/dist/pfctl/pfctl_qstats.c
  vendor/pf/dist/pfctl/pfctl_radix.c
  vendor/pf/dist/pflogd/pflogd.8

Modified: vendor/pf/dist/authpf/Makefile
==============================================================================
--- vendor/pf/dist/authpf/Makefile	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/authpf/Makefile	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,7 +1,11 @@
-#	$OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
 
 PROG=	authpf
 MAN=	authpf.8
+
+LINKS=  ${BINDIR}/authpf ${BINDIR}/authpf-noip
+MLINKS+=authpf.8 authpf-noip.8
+
 BINOWN= root
 BINGRP= authpf
 BINMODE= 6555

Modified: vendor/pf/dist/authpf/authpf.8
==============================================================================
--- vendor/pf/dist/authpf/authpf.8	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/authpf/authpf.8	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.45 2008/02/14 01:49:17 mcbride Exp $
 .\"
 .\" Copyright (c) 1998-2007 Bob Beck (beck at openbsd.org>.  All rights reserved.
 .\"
@@ -14,14 +14,16 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate$
+.Dd $Mdocdate: May 31 2007 $
 .Dt AUTHPF 8
 .Os
 .Sh NAME
-.Nm authpf
+.Nm authpf ,
+.Nm authpf-noip
 .Nd authenticating gateway user shell
 .Sh SYNOPSIS
 .Nm authpf
+.Nm authpf-noip
 .Sh DESCRIPTION
 .Nm
 is a user shell for authenticating gateways.
@@ -30,43 +32,63 @@ It is used to change
 rules when a user authenticates and starts a session with
 .Xr sshd 8
 and to undo these changes when the user's session exits.
-It is designed for changing filter and translation rules for an individual
-source IP address as long as a user maintains an active
-.Xr ssh 1
-session.
 Typical use would be for a gateway that authenticates users before
 allowing them Internet use, or a gateway that allows different users into
 different places.
+Combined with properly set up filter rules and secure switches,
 .Nm
-logs the successful start and end of a session to
-.Xr syslogd 8 .
-This, combined with properly set up filter rules and secure switches,
 can be used to ensure users are held accountable for their network traffic.
-.Pp
-.Nm
-can add filter and translation rules using the syntax described in
-.Xr pf.conf 5 .
-.Nm
-requires that the
+It is meant to be used with users who can connect via
+.Xr ssh 1
+only, and requires the
 .Xr pf 4
-system be enabled before use.
+subsystem to be enabled.
+.Pp
+.Nm authpf-noip
+is a user shell
+which allows multiple connections to take
+place from the same IP address.
+It is useful primarily in cases where connections are tunneled via
+the gateway system, and can be directly associated with the user name.
+It cannot ensure accountability when
+classifying connections by IP address;
+in this case the client's IP address
+is not provided to the packet filter via the
+.Ar client_ip
+macro or the
+.Ar authpf users
+table.
+Additionally, states associated with the client IP address
+are not purged when the session is ended.
+.Pp
+To use either
 .Nm
-can also maintain the list of IP address of connected users
-in the "authpf_users"
-.Pa table .
+or
+.Nm authpf-noip ,
+the user's shell needs to be set to
+.Pa /usr/sbin/authpf
+or
+.Pa /usr/sbin/authpf-noip .
 .Pp
 .Nm
-is meant to be used with users who can connect via
+uses the
+.Xr pf.conf 5
+syntax to change filter and translation rules for an individual
+user or client IP address as long as a user maintains an active
 .Xr ssh 1
-only.
-On startup,
+session, and logs the successful start and end of a session to
+.Xr syslogd 8 .
 .Nm
 retrieves the client's connecting IP address via the
 .Ev SSH_CLIENT
 environment variable and, after performing additional access checks,
 reads a template file to determine what filter and translation rules
-(if any) to add.
-On session exit the same rules that were added at startup are removed.
+(if any) to add, and
+maintains the list of IP addresses of connected users in the
+.Ar authpf_users
+table.
+On session exit the same rules and table entries that were added at startup
+are removed, and all states associated with the client's IP address are purged.
 .Pp
 Each
 .Nm
@@ -496,6 +518,31 @@ table <authpf_users> persist
 anchor "authpf/*" from <authpf_users>
 rdr-anchor "authpf/*" from <authpf_users>
 .Ed
+.Pp
+.Sy Tunneled users
+\- normally
+.Nm
+allows only one session per client IP address.
+However in some cases, such as when connections are tunneled via
+.Xr ssh 1
+or
+.Xr ipsec 4 ,
+the connections can be authorized based on the userid of the user instead of
+the client IP address.
+In this case it is appropriate to use
+.Nm authpf-noip
+to allow multiple users behind a NAT gateway to connect.
+In the
+.Pa /etc/authpf/authpf.rules
+example below, the remote user could tunnel a remote desktop session to their
+workstation:
+.Bd -literal
+internal_if="bge0"
+workstation_ip="10.2.3.4"
+
+pass out on $internal_if from (self) to $workstation_ip port 3389 \e
+       user $user_id
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
 .It Pa /etc/authpf/authpf.conf

Modified: vendor/pf/dist/authpf/authpf.c
==============================================================================
--- vendor/pf/dist/authpf/authpf.c	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/authpf/authpf.c	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.104 2007/02/24 17:35:08 beck Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2007 Bob Beck (beck at openbsd.org).
@@ -46,6 +46,7 @@ static void	print_message(char *);
 static int	allowed_luser(char *);
 static int	check_luser(char *, char *);
 static int	remove_stale_rulesets(void);
+static int	recursive_ruleset_purge(char *, char *);
 static int	change_filter(int, const char *, const char *);
 static int	change_table(int, const char *);
 static void	authpf_kill_states(void);
@@ -54,6 +55,7 @@ int	dev;			/* pf device */
 char	anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
 char	rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
 char	tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
+int	user_ip = 1;	/* controls whether $user_ip is set */
 
 FILE	*pidfp;
 char	 luser[MAXLOGNAME];	/* username */
@@ -65,6 +67,7 @@ struct timeval	Tstart, Tend;	/* start an
 volatile sig_atomic_t	want_death;
 static void		need_death(int signo);
 static __dead void	do_death(int);
+extern char *__progname;	/* program name */
 
 /*
  * User shell for authenticating gateways. Sole purpose is to allow
@@ -85,6 +88,9 @@ main(int argc, char *argv[])
 	char		*shell;
 	login_cap_t	*lc;
 
+	if (strcmp(__progname, "-authpf-noip") == 0)
+                user_ip = 0;
+
 	config = fopen(PATH_CONFFILE, "r");
 	if (config == NULL) {
 		syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
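Review bot: The assignment `user_ip = 0;` under the `__progname` test is indented with spaces while the rest of the file uses tabs; re-indent it with a tab so the block matches its neighbours. The test only matches the dash-prefixed name a login shell receives in argv[0], so if the binary is ever started as a plain `authpf-noip` the default `user_ip = 1` stays in effect and it behaves as authpf; if that is intended, a comment such as `/* started as a login shell: argv[0] carries a leading '-' */` would make it explicit. main continues outside the hunk.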
@@ -139,7 +145,8 @@ main(int argc, char *argv[])
 
 	login_close(lc);
 
-	if (strcmp(shell, PATH_AUTHPF_SHELL)) {
+	if (strcmp(shell, PATH_AUTHPF_SHELL) && 
+	    strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
 		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
 		    pw->pw_name, pw->pw_uid);
 		if (shell != pw->pw_shell)
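Review bot: The shell check now accepts either PATH_AUTHPF_SHELL or PATH_AUTHPF_SHELL_NOIP independently of which mode `user_ip` selected, so whether the IP binding is applied is decided by the invoked program name alone rather than by the shell the administrator assigned to the account. If the intent is that only accounts whose shell is authpf-noip run without the IP binding, tie the two together: `if (strcmp(shell, user_ip ? PATH_AUTHPF_SHELL : PATH_AUTHPF_SHELL_NOIP)) {`. The first line of the new condition also carries a trailing space after `&&`. main continues outside the hunk.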
@@ -171,8 +178,9 @@ main(int argc, char *argv[])
 	}
 
 
-	/* Make our entry in /var/authpf as /var/authpf/ipaddr */
-	n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
+	/* Make our entry in /var/authpf as ipaddr or username */
+	n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
+	    PATH_PIDFILE, user_ip ? ipsrc : luser);
 	if (n < 0 || (u_int)n >= sizeof(pidfile)) {
 		syslog(LOG_ERR, "path to pidfile too long");
 		goto die;
@@ -292,7 +300,7 @@ main(int argc, char *argv[])
 		printf("Unable to modify filters\r\n");
 		do_death(0);
 	}
-	if (change_table(1, ipsrc) == -1) {
+	if (user_ip && change_table(1, ipsrc) == -1) {
 		printf("Unable to modify table\r\n");
 		change_filter(0, luser, ipsrc);
 		do_death(0);
@@ -349,6 +357,8 @@ read_config(FILE *f)
 		}
 		i++;
 		len = strlen(buf);
+		if (len == 0)
+			continue;
 		if (buf[len - 1] != '\n' && !feof(f)) {
 			syslog(LOG_ERR, "line %d too long in %s", i,
 			    PATH_CONFFILE);
@@ -569,7 +579,7 @@ static int
 remove_stale_rulesets(void)
 {
 	struct pfioc_ruleset	 prs;
-	u_int32_t		 nr, mnr;
+	u_int32_t		 nr;
 
 	memset(&prs, 0, sizeof(prs));
 	strlcpy(prs.path, anchorname, sizeof(prs.path));
@@ -580,13 +590,12 @@ remove_stale_rulesets(void)
 			return (1);
 	}
 
-	mnr = prs.nr;
-	nr = 0;
-	while (nr < mnr) {
+	nr = prs.nr;
+	while (nr) {
 		char	*s, *t;
 		pid_t	 pid;
 
-		prs.nr = nr;
+		prs.nr = nr - 1;
 		if (ioctl(dev, DIOCGETRULESET, &prs))
 			return (1);
 		errno = 0;
@@ -598,111 +607,156 @@ remove_stale_rulesets(void)
 		if (!prs.name[0] || errno ||
 		    (*s && (t == prs.name || *s != ')')))
 			return (1);
-		if (kill(pid, 0) && errno != EPERM) {
-			int			i;
-			struct pfioc_trans_e	t_e[PF_RULESET_MAX+1];
-			struct pfioc_trans	t;
-
-			bzero(&t, sizeof(t));
-			bzero(t_e, sizeof(t_e));
-			t.size = PF_RULESET_MAX+1;
-			t.esize = sizeof(t_e[0]);
-			t.array = t_e;
-			for (i = 0; i < PF_RULESET_MAX+1; ++i) {
-				t_e[i].rs_num = i;
-				snprintf(t_e[i].anchor, sizeof(t_e[i].anchor),
-				    "%s/%s", anchorname, prs.name);
-			}
-			t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
-			if ((ioctl(dev, DIOCXBEGIN, &t) ||
-			    ioctl(dev, DIOCXCOMMIT, &t)) &&
-			    errno != EINVAL)
+		if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) {
+			if (recursive_ruleset_purge(anchorname, prs.name))
 				return (1);
-			mnr--;
-		} else
-			nr++;
+		}
+		nr--;
 	}
 	return (0);
 }
 
+static int
+recursive_ruleset_purge(char *an, char *rs)
+{
+	struct pfioc_trans_e     *t_e = NULL;
+	struct pfioc_trans	 *t = NULL;
+	struct pfioc_ruleset	 *prs = NULL;
+	int			  i;
+
+
+	/* purge rules */
+	errno = 0;
+	if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL)
+		goto no_mem;
+	if ((t_e = calloc(PF_RULESET_MAX+1,
+	    sizeof(struct pfioc_trans_e))) == NULL)
+		goto no_mem;
+	t->size = PF_RULESET_MAX+1;
+	t->esize = sizeof(struct pfioc_trans_e);
+	t->array = t_e;
+	for (i = 0; i < PF_RULESET_MAX+1; ++i) {
+		t_e[i].rs_num = i;
+		snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs);
+	}
+	t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
+	if ((ioctl(dev, DIOCXBEGIN, t) ||
+	    ioctl(dev, DIOCXCOMMIT, t)) &&
+	    errno != EINVAL)
+		goto cleanup;
+
+	/* purge any children */
+	if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL)
+		goto no_mem;
+	snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
+	if (ioctl(dev, DIOCGETRULESETS, prs)) {
+		if (errno != EINVAL)
+			goto cleanup;
+		errno = 0;
+	} else {
+		int nr = prs->nr;
+
+		while (nr) {
+			prs->nr = 0;
+			if (ioctl(dev, DIOCGETRULESET, prs))
+				goto cleanup;
+
+			if (recursive_ruleset_purge(prs->path, prs->name))
+				goto cleanup;
+			nr--;
+		}
+	}
+
+no_mem:
+	if (errno == ENOMEM)
+		syslog(LOG_ERR, "calloc failed");
+
+cleanup:
+	free(t);
+	free(t_e);
+	free(prs);
+	return (errno);
+}
+
 /*
  * Add/remove filter entries for user "luser" from ip "ipsrc"
  */
 static int
 change_filter(int add, const char *luser, const char *ipsrc)
 {
-	char	*pargv[13] = {
-		"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
-		"-D", "user_ip=X", "-D", "user_id=X", "-f",
-		"file", NULL
-	};
 	char	*fdpath = NULL, *userstr = NULL, *ipstr = NULL;
 	char	*rsn = NULL, *fn = NULL;
 	pid_t	pid;
 	gid_t   gid;
 	int	s;
 
-	if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
-		syslog(LOG_ERR, "invalid luser/ipsrc");
-		goto error;
-	}
-
-	if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
-		goto no_mem;
-	if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
-		goto no_mem;
-	if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
-		goto no_mem;
-	if (asprintf(&userstr, "user_id=%s", luser) == -1)
-		goto no_mem;
-
 	if (add) {
 		struct stat sb;
+		char	*pargv[13] = {
+			"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
+			"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
+		};
+
+		if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
+			syslog(LOG_ERR, "invalid luser/ipsrc");
+			goto error;
+		}
 
-		if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser)
-		    == -1)
+		if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
+			goto no_mem;
+		if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
+			goto no_mem;
+		if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
+			goto no_mem;
+		if (asprintf(&userstr, "user_id=%s", luser) == -1)
+			goto no_mem;
+		if (asprintf(&fn, "%s/%s/authpf.rules",
+		    PATH_USER_DIR, luser) == -1)
 			goto no_mem;
 		if (stat(fn, &sb) == -1) {
 			free(fn);
 			if ((fn = strdup(PATH_PFRULES)) == NULL)
 				goto no_mem;
 		}
-	}
-	pargv[2] = fdpath;
-	pargv[5] = rsn;
-	pargv[7] = userstr;
-	pargv[9] = ipstr;
-	if (!add)
-		pargv[11] = "/dev/null";
-	else
-		pargv[11] = fn;
+		pargv[2] = fdpath;
+		pargv[5] = rsn;
+		pargv[7] = userstr;
+		if (user_ip) {
+			pargv[9] = ipstr;
+			pargv[11] = fn;
+		} else {
+			pargv[8] = "-f";
+			pargv[9] = fn;
+			pargv[10] = NULL;
+		}
 
-	switch (pid = fork()) {
-	case -1:
-		syslog(LOG_ERR, "fork failed");
-		goto error;
-	case 0:
-		/* revoke group privs before exec */
-		gid = getgid();
-		if (setregid(gid, gid) == -1) {
-			err(1, "setregid");
-		}
-		execvp(PATH_PFCTL, pargv);
-		warn("exec of %s failed", PATH_PFCTL);
-		_exit(1);
-	}
-
-	/* parent */
-	waitpid(pid, &s, 0);
-	if (s != 0) {
-		syslog(LOG_ERR, "pfctl exited abnormally");
-		goto error;
-	}
+		switch (pid = fork()) {
+		case -1:
+			syslog(LOG_ERR, "fork failed");
+			goto error;
+		case 0:
+			/* revoke group privs before exec */
+			gid = getgid();
+			if (setregid(gid, gid) == -1) {
+				err(1, "setregid");
+			}
+			execvp(PATH_PFCTL, pargv);
+			warn("exec of %s failed", PATH_PFCTL);
+			_exit(1);
+		}
+
+		/* parent */
+		waitpid(pid, &s, 0);
+		if (s != 0) {
+			syslog(LOG_ERR, "pfctl exited abnormally");
+			goto error;
+		}
 
-	if (add) {
 		gettimeofday(&Tstart, NULL);
 		syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
 	} else {
+		remove_stale_rulesets();
+
 		gettimeofday(&Tend, NULL);
 		syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds",
 		    ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
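Review bot: In recursive_ruleset_purge the tolerated EINVAL from the DIOCXBEGIN/DIOCXCOMMIT pair is left in errno, so if the later DIOCGETRULESETS succeeds the function falls through to `return (errno)` with EINVAL and remove_stale_rulesets reports failure although nothing went wrong; adding `errno = 0;` right after the `errno != EINVAL` check preserves the old tolerance. The return value additionally relies on the three free() calls at cleanup leaving errno untouched, which the C standard does not guarantee; copying errno into a local at the cleanup label before freeing would make that robust. Separately, the removal path of change_filter now ignores the result of remove_stale_rulesets() and logs "removed" unconditionally, so a ruleset that could not be purged leaves no trace in syslog; consider `if (remove_stale_rulesets()) syslog(LOG_ERR, "unable to remove ruleset for %s", luser);`. change_filter's error and no_mem labels lie outside the hunk.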
@@ -819,9 +873,10 @@ do_death(int active)
 
 	if (active) {
 		change_filter(0, luser, ipsrc);
-		change_table(0, ipsrc);
-		authpf_kill_states();
-		remove_stale_rulesets();
+		if (user_ip) {
+			change_table(0, ipsrc);
+			authpf_kill_states();
+		}
 	}
 	if (pidfile[0] && (pidfp != NULL))
 		if (unlink(pidfile) == -1)

Modified: vendor/pf/dist/authpf/pathnames.h
==============================================================================
--- vendor/pf/dist/authpf/pathnames.h	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/authpf/pathnames.h	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $	*/
+/*	$OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $	*/
 
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe at ualberta.ca)
@@ -35,4 +35,5 @@
 #define PATH_DEVFILE		"/dev/pf"
 #define PATH_PIDFILE		"/var/authpf"
 #define PATH_AUTHPF_SHELL	"/usr/sbin/authpf"
+#define PATH_AUTHPF_SHELL_NOIP	"/usr/sbin/authpf-noip"
 #define PATH_PFCTL		"/sbin/pfctl"

Modified: vendor/pf/dist/ftp-proxy/filter.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/filter.c	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/ftp-proxy/filter.c	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
+/*	$OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd at sentia.nl>
@@ -277,15 +277,13 @@ prepare_rule(u_int32_t id, int rs_num, s
 	}
 	pfr.rule.dst.port_op = PF_OP_EQ;
 	pfr.rule.dst.port[0] = htons(d_port);
-	if (tagname != NULL)
-		strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
 
 	switch (rs_num) {
 	case PF_RULESET_FILTER:
 		/*
-		 * pass quick [log] inet[6] proto tcp \
+		 * pass [quick] [log] inet[6] proto tcp \
 		 *     from $src to $dst port = $d_port flags S/SA keep state
-		 *     (max 1) [queue qname]
+		 *     (max 1) [queue qname] [tag tagname]
 		 */
 		pfr.rule.action = PF_PASS;
 		pfr.rule.quick = 1;
@@ -296,6 +294,11 @@ prepare_rule(u_int32_t id, int rs_num, s
 		pfr.rule.max_states = 1;
 		if (qname != NULL)
 			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+		if (tagname != NULL) {
+			pfr.rule.quick = 0;
+			strlcpy(pfr.rule.tagname, tagname,
+                                sizeof pfr.rule.tagname);
+		}
 		break;
 	case PF_RULESET_NAT:
 		/*
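Review bot: The continuation line of the strlcpy in the new `tagname` block is indented with spaces while the surrounding code uses tabs; use a tab-indented continuation. Clearing `pfr.rule.quick` only when a tag is given turns the rule from final into one a later rule can override, which is the behaviour ftp-proxy.8 describes for -T but is easy to miss here; a one-line comment on the assignment, `/* not quick: let a later rule matching "tagged" take over */`, would tie the two together. prepare_rule continues outside the hunk.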

Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.8
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.8	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.8	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
+.\"	$OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd at sentia.nl>
 .\"
@@ -21,7 +21,7 @@
 .Nm ftp-proxy
 .Nd Internet File Transfer Protocol proxy daemon
 .Sh SYNOPSIS
-.Nm ftp-proxy
+.Nm
 .Bk -words
 .Op Fl 6Adrv
 .Op Fl a Ar address
@@ -59,7 +59,7 @@ facility for this.
 Assuming the FTP control connection is from $client to $server, the
 proxy connected to the server using the $proxy source address, and
 $port is negotiated, then
-.Nm ftp-proxy
+.Nm
 adds the following rules to the various anchors.
 (These example rules use inet, but the proxy also supports inet6.)
 .Pp
@@ -132,9 +132,19 @@ connections to another proxy.
 Rewrite sourceport to 20 in active mode to suit ancient clients that insist
 on this RFC property.
 .It Fl T Ar tag
-Automatically tag packets passing through the
+The filter rules will add tag
+.Ar tag
+to data connections, and not match quick.
+This way alternative rules that use the
+.Ar tagged
+keyword can be implemented following the
+.Nm
+anchor.
+These rules can use special
 .Xr pf 4
-rule with the name supplied.
+features like route-to, reply-to, label, rtable, overload, etc. that
+.Nm
+does not implement itself.
 .It Fl t Ar timeout
 Number of seconds that the control connection can be idle, before the
 proxy will disconnect.
@@ -177,7 +187,7 @@ does not allow the ruleset to be modifie
 .Xr securelevel 7
 higher than 1.
 At that level
-.Nm ftp-proxy
+.Nm
 cannot add rules to the anchors and FTP data connections may get blocked.
 .Pp
 Negotiated data connection ports below 1024 are not allowed.
@@ -186,5 +196,5 @@ The negotiated IP address for active mod
 reasons.
 This makes third party file transfers impossible.
 .Pp
-.Nm ftp-proxy
+.Nm
 chroots to "/var/empty" and changes to user "proxy" to drop privileges.

Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.c	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.c	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */
+/*	$OpenBSD: ftp-proxy.c,v 1.16 2008/02/26 18:52:53 henning Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd at sentia.nl>
@@ -1117,6 +1117,7 @@ usage(void)
 {
 	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
 	    " [-D level] [-m maxsessions]\n                 [-P port]"
-	    " [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname);
+	    " [-p port] [-q queue] [-R address] [-T tag]\n"
+            "                 [-t timeout]\n", __progname);
 	exit(1);
 }

Modified: vendor/pf/dist/man/pf.4
==============================================================================
--- vendor/pf/dist/man/pf.4	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/man/pf.4	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
+.\"	$OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate$
+.Dd $Mdocdate: May 31 2007 $
 .Dt PF 4
 .Os
 .Sh NAME
@@ -292,14 +292,17 @@ if another process is concurrently updat
 Add a state entry.
 .Bd -literal
 struct pfioc_state {
-	u_int32_t	 nr;
-	struct pf_state	 state;
+	struct pfsync_state	state;
 };
 .Ed
 .It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
-Extract the entry with the specified number
-.Va nr
-from the state table.
+Extract the entry identified by the
+.Va id
+and
+.Va creatorid
+fields of the
+.Va state
+structure from the state table.
 .It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
 Remove matching entries from the state table.
 This ioctl returns the number of killed states in

Modified: vendor/pf/dist/man/pf.conf.5
==============================================================================
--- vendor/pf/dist/man/pf.conf.5	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/man/pf.conf.5	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.393 2008/02/11 07:46:32 jmc Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2007 $
+.Dd $Mdocdate: Febuary 1 2008 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -78,6 +78,17 @@ By default
 enforces this order (see
 .Ar set require-order
 below).
+.Pp
+Comments can be put anywhere in the file using a hash mark
+.Pq Sq # ,
+and extend to the end of the current line.
+.Pp
+Additional configuration files can be included with the
+.Ic include
+keyword, for example:
+.Bd -literal -offset indent
+include "/etc/pf/sub.filter.conf"
+.Ed
 .Sh MACROS
 Macros can be defined that will later be expanded in context.
 Macro names must start with a letter, and may contain letters, digits
@@ -327,7 +338,8 @@ With 9000 state table entries, the timeo
 (tcp.first 60, tcp.established 43200).
 .Pp
 .It Ar set loginterface
-Enable collection of packet and byte count statistics for the given interface.
+Enable collection of packet and byte count statistics for the given
+interface or interface group.
 These statistics can be viewed using
 .Bd -literal -offset indent
 # pfctl -s info
@@ -808,7 +820,7 @@ assigned.
 .Ar Priority
 mainly controls the time packets take to get sent out, while
 .Ar bandwidth
-has primarily effects on throughput.
+primarily affects throughput.
 .Ar hfsc
 supports both link-sharing and guaranteed real-time services.
 It employs a service curve based QoS model,
@@ -1163,7 +1175,7 @@ or to the firewall itself.
 Note that redirecting external incoming connections to the loopback
 address, as in
 .Bd -literal -offset indent
-rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
+rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
 .Ed
 .Pp
 will effectively allow an external host to connect to daemons
@@ -1442,6 +1454,14 @@ the route back to the packet's source ad
 Any address that matches the given table.
 .El
 .Pp
+Ranges of addresses are specified by using the
+.Sq -
+operator.
+For instance:
+.Dq 10.1.1.10 - 10.1.1.12
+means all addresses from 10.1.1.10 to 10.1.1.12,
+hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.
+.Pp
 Interface names and interface group names can have modifiers appended:
 .Pp
 .Bl -tag -width xxxxxxxxxxxx -compact
@@ -2023,8 +2043,8 @@ must be specified explicitly to apply op
 .Bl -tag -width xxxx -compact
 .It Ar max Aq Ar number
 Limits the number of concurrent states the rule may create.
-When this limit is reached, further packets matching the rule that would
-create state are dropped, until existing states time out.
+When this limit is reached, further packets that would create
+state will not match this rule until existing states time out.
 .It Ar no-sync
 Prevent state changes for states created by this rule from appearing on the
 .Xr pfsync 4
@@ -2442,10 +2462,8 @@ into the anchor.
 .Pp
 Optionally,
 .Ar anchor
-rules can specify the parameter's
-direction, interface, address family, protocol and source/destination
-address/port
-using the same syntax as filter rules.
+rules can specify packet filtering parameters using the same syntax as
+filter rules.
 When parameters are used, the
 .Ar anchor
 rule is only evaluated for matching packets.
@@ -2526,8 +2544,8 @@ anchor "external" on egress {
 .Ed
 .Pp
 Since the parser specification for anchor names is a string, any
-reference to an anchor name containing solidus
-.Pq Sq /
+reference to an anchor name containing
+.Sq /
 characters will require double quote
 .Pq Sq \&"
 characters around the anchor name.
@@ -2749,10 +2767,11 @@ in BNF:
 .Bd -literal
 line           = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
                  antispoof-rule | altq-rule | queue-rule | trans-anchors |
-		 anchor-rule | anchor-close | load-anchor | table-rule | )
+                 anchor-rule | anchor-close | load-anchor | table-rule |
+                 include )
 
 option         = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
-		 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
+                 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
                  [ "optimization" [ "default" | "normal" |
                  "high-latency" | "satellite" |
                  "aggressive" | "conservative" ] ]
@@ -2821,7 +2840,7 @@ queue-rule     = "queue" string [ "on" i
                  subqueue
 
 anchor-rule    = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
-                 [ af ] [ protospec ] [ hosts ] [ "{" ]
+                 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
 
 anchor-close   = "}"
 
@@ -2956,8 +2975,6 @@ Default location of OS fingerprints.
 Protocol name database.
 .It Pa /etc/services
 Service name database.
-.It Pa /usr/share/pf
-Example rulesets.
 .El
 .Sh SEE ALSO
 .Xr carp 4 ,

Modified: vendor/pf/dist/man/pfsync.4
==============================================================================
--- vendor/pf/dist/man/pfsync.4	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/man/pfsync.4	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
+.\"	$OpenBSD: pfsync.4,v 1.26 2007/09/20 20:50:07 mpf Exp $
 .\"
 .\" Copyright (c) 2002 Michael Shalayeff
 .\" Copyright (c) 2003-2004 Ryan McBride
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate$
+.Dd $Mdocdate: May 31 2007 $
 .Dt PFSYNC 4
 .Os
 .Sh NAME
@@ -199,8 +199,8 @@ traffic through.
 The following should be added to the top of
 .Pa /etc/pf.conf :
 .Bd -literal -offset indent
-pass quick on { sis2 } proto pfsync
-pass on { sis0 sis1 } proto carp
+pass quick on { sis2 } proto pfsync keep state (no-sync)
+pass on { sis0 sis1 } proto carp keep state (no-sync)
 .Ed
 .Pp
 If it is preferable that one firewall handle the traffic,

Modified: vendor/pf/dist/pfctl/parse.y
==============================================================================
--- vendor/pf/dist/pfctl/parse.y	Wed Dec 10 20:57:16 2008	(r185879)
+++ vendor/pf/dist/pfctl/parse.y	Wed Dec 10 20:59:26 2008	(r185880)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $	*/
+/*	$OpenBSD: parse.y,v 1.536 2008/02/01 06:58:45 mcbride Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -29,6 +29,7 @@
 %{
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -43,6 +44,7 @@
 #include <altq/altq_hfsc.h>
 
 #include <stdio.h>
+#include <unistd.h>
 #include <stdlib.h>
 #include <netdb.h>
 #include <stdarg.h>
@@ -60,10 +62,7 @@
 #include "pfctl.h"
 
 static struct pfctl	*pf = NULL;
-static FILE		*fin = NULL;
 static int		 debug = 0;
-static int		 lineno = 1;
-static int		 errors = 0;
 static int		 rulestate = 0;
 static u_int16_t	 returnicmpdefault =
 			    (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
@@ -73,6 +72,39 @@ static int		 blockpolicy = PFRULE_DROP;
 static int		 require_order = 1;
 static int		 default_statelock;
 
+TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);
+static struct file {
+	TAILQ_ENTRY(file)	 entry;
+	FILE			*stream;
+	char			*name;
+	int			 lineno;
+	int			 errors;
+} *file;
+struct file	*pushfile(const char *, int);
+int		 popfile(void);
+int		 check_file_secrecy(int, const char *);
+int		 yyparse(void);
+int		 yylex(void);
+int		 yyerror(const char *, ...);
+int		 kw_cmp(const void *, const void *);
+int		 lookup(char *);
+int		 lgetc(int);
+int		 lungetc(int);
+int		 findeol(void);
+
+TAILQ_HEAD(symhead, sym)	 symhead = TAILQ_HEAD_INITIALIZER(symhead);
+struct sym {
+	TAILQ_ENTRY(sym)	 entry;
+	int			 used;
+	int			 persist;
+	char			*nam;
+	char			*val;
+};
+int		 symset(const char *, const char *, int);
+char		*symget(const char *);
+
+int		 atoul(char *, u_long *);
+
 enum {
 	PFCTL_STATE_NONE,
 	PFCTL_STATE_OPTION,
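Review bot: The new list heads `files` and `symhead` and the helper prototypes (`pushfile`, `popfile`, `lgetc`, `lungetc`, `findeol`, `symset`, `symget`, `atoul`) have external linkage while the neighbouring `pf`, `debug` and `rulestate` are `static`; unless another translation unit needs them, `static` keeps them out of the link namespace and lets the compiler warn when one goes unused. `int check_file_secrecy(int, const char *);` is declared for the new `include` support, but what it enforces is not visible in this chunk; a short comment at the prototype stating what it guards (presumably ownership and mode of an included file) would help, since an included file contributes rules to the loaded ruleset.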
@@ -199,12 +231,12 @@ struct filter_opts {
 	char			*tag;
 	char			*match_tag;
 	u_int8_t		 match_tag_not;
-	int			 rtableid;
+	u_int			 rtableid;
 } filter_opts;
 
 struct antispoof_opts {
 	char			*label;
-	int			 rtableid;
+	u_int			 rtableid;
 } antispoof_opts;
 
 struct scrub_opts {
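Review bot: Changing `rtableid` from `int` to `u_int` in filter_opts and antispoof_opts (and in scrub_opts in the next hunk) silently alters any sentinel or range test on the field: if the parser initialises it to -1 to mean "not set", that value now reads as UINT_MAX and a `rtableid >= 0` test can no longer fail; the initialisation and the checks are outside these hunks, so please confirm they were adjusted in the same import. If a sentinel is still used, a comment on the field, e.g. `u_int rtableid; /* (u_int)-1 when unset */`, would document the convention.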
@@ -218,7 +250,7 @@ struct scrub_opts {
 	int			fragcache;
 	int			randomid;
 	int			reassemble_tcp;
-	int			rtableid;
+	u_int			rtableid;
 } scrub_opts;
 
 struct queue_opts {
@@ -255,61 +287,42 @@ struct pool_opts {
 
 struct node_hfsc_opts	hfsc_opts;
 
-int	yyerror(const char *, ...);
-int	disallow_table(struct node_host *, const char *);
-int	disallow_urpf_failed(struct node_host *, const char *);
-int	disallow_alias(struct node_host *, const char *);
-int	rule_consistent(struct pf_rule *, int);
-int	filter_consistent(struct pf_rule *, int);
-int	nat_consistent(struct pf_rule *);
-int	rdr_consistent(struct pf_rule *);
-int	process_tabledef(char *, struct table_opts *);
-int	yyparse(void);
-void	expand_label_str(char *, size_t, const char *, const char *);
-void	expand_label_if(const char *, char *, size_t, const char *);
-void	expand_label_addr(const char *, char *, size_t, u_int8_t,
-	    struct node_host *);
-void	expand_label_port(const char *, char *, size_t, struct node_port *);
-void	expand_label_proto(const char *, char *, size_t, u_int8_t);
-void	expand_label_nr(const char *, char *, size_t);
-void	expand_label(char *, size_t, const char *, u_int8_t, struct node_host *,
-	    struct node_port *, struct node_host *, struct node_port *,
-	    u_int8_t);
-void	expand_rule(struct pf_rule *, struct node_if *, struct node_host *,
-	    struct node_proto *, struct node_os*, struct node_host *,
-	    struct node_port *, struct node_host *, struct node_port *,
-	    struct node_uid *, struct node_gid *, struct node_icmp *,
-	    const char *);
-int	expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,
-	    struct node_queue_bw bwspec, struct node_queue_opt *);
-int	expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,
-	    struct node_queue_bw, struct node_queue_opt *);
-int	expand_skip_interface(struct node_if *);
+int		 disallow_table(struct node_host *, const char *);
+int		 disallow_urpf_failed(struct node_host *, const char *);
+int		 disallow_alias(struct node_host *, const char *);
+int		 rule_consistent(struct pf_rule *, int);
+int		 filter_consistent(struct pf_rule *, int);
+int		 nat_consistent(struct pf_rule *);
+int		 rdr_consistent(struct pf_rule *);
+int		 process_tabledef(char *, struct table_opts *);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

