svn commit: r223645 - in projects/largeSMP: . bin/sh
cddl/contrib/opensolaris/cmd/zfs
cddl/contrib/opensolaris/lib/libzfs/common
contrib/libpcap/bpf/net contrib/ntp/ntpd contrib/pf/authpf
contrib/p...
Attilio Rao
attilio at FreeBSD.org
Tue Jun 28 14:40:18 UTC 2011
Author: attilio
Date: Tue Jun 28 14:40:17 2011
New Revision: 223645
URL: http://svn.freebsd.org/changeset/base/223645
Log:
MFC
Added:
projects/largeSMP/sys/contrib/pf/net/if_pflow.h
- copied unchanged from r223641, head/sys/contrib/pf/net/if_pflow.h
projects/largeSMP/sys/contrib/pf/net/pf_lb.c
- copied unchanged from r223641, head/sys/contrib/pf/net/pf_lb.c
projects/largeSMP/sys/modules/pfsync/
- copied from r223641, head/sys/modules/pfsync/
Deleted:
projects/largeSMP/sys/contrib/pf/net/pf_subr.c
projects/largeSMP/usr.bin/calendar/calendars/ru_RU.KOI8-R/calendar.msk
Modified:
projects/largeSMP/UPDATING
projects/largeSMP/bin/sh/arith_yacc.c
projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8
projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c
projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c
projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c
projects/largeSMP/contrib/ntp/ntpd/ntp_io.c
projects/largeSMP/contrib/pf/authpf/authpf.8
projects/largeSMP/contrib/pf/authpf/authpf.c
projects/largeSMP/contrib/pf/authpf/pathnames.h
projects/largeSMP/contrib/pf/ftp-proxy/filter.c
projects/largeSMP/contrib/pf/ftp-proxy/filter.h
projects/largeSMP/contrib/pf/ftp-proxy/ftp-proxy.8
projects/largeSMP/contrib/pf/ftp-proxy/ftp-proxy.c
projects/largeSMP/contrib/pf/man/pf.4
projects/largeSMP/contrib/pf/man/pf.conf.5
projects/largeSMP/contrib/pf/man/pf.os.5
projects/largeSMP/contrib/pf/man/pflog.4
projects/largeSMP/contrib/pf/man/pfsync.4
projects/largeSMP/contrib/pf/pfctl/parse.y
projects/largeSMP/contrib/pf/pfctl/pf_print_state.c
projects/largeSMP/contrib/pf/pfctl/pfctl.8
projects/largeSMP/contrib/pf/pfctl/pfctl.c
projects/largeSMP/contrib/pf/pfctl/pfctl.h
projects/largeSMP/contrib/pf/pfctl/pfctl_altq.c
projects/largeSMP/contrib/pf/pfctl/pfctl_optimize.c
projects/largeSMP/contrib/pf/pfctl/pfctl_osfp.c
projects/largeSMP/contrib/pf/pfctl/pfctl_parser.c
projects/largeSMP/contrib/pf/pfctl/pfctl_parser.h
projects/largeSMP/contrib/pf/pfctl/pfctl_qstats.c
projects/largeSMP/contrib/pf/pfctl/pfctl_radix.c
projects/largeSMP/contrib/pf/pfctl/pfctl_table.c
projects/largeSMP/contrib/pf/pflogd/pflogd.8
projects/largeSMP/contrib/pf/pflogd/pflogd.c
projects/largeSMP/contrib/pf/pflogd/privsep.c
projects/largeSMP/contrib/pf/pflogd/privsep_fdpass.c
projects/largeSMP/contrib/traceroute/traceroute.c
projects/largeSMP/contrib/tzdata/antarctica
projects/largeSMP/contrib/tzdata/asia
projects/largeSMP/contrib/tzdata/europe
projects/largeSMP/contrib/tzdata/southamerica
projects/largeSMP/contrib/tzdata/zone.tab
projects/largeSMP/etc/devd/usb.conf
projects/largeSMP/lib/csu/powerpc64/Makefile
projects/largeSMP/lib/libc/gen/getutxent.3
projects/largeSMP/lib/libc/gen/posix_spawn.3
projects/largeSMP/lib/libc/gen/posix_spawn.c
projects/largeSMP/lib/libc/gen/pututxline.c
projects/largeSMP/lib/libc/stdlib/ptsname.c
projects/largeSMP/lib/libmd/sha256.3
projects/largeSMP/lib/libmd/sha512.3
projects/largeSMP/lib/libusb/libusb10.c
projects/largeSMP/sbin/hastctl/Makefile
projects/largeSMP/sbin/hastd/Makefile
projects/largeSMP/sbin/hastd/subr.c
projects/largeSMP/sbin/pflogd/Makefile
projects/largeSMP/share/misc/iso3166
projects/largeSMP/share/mk/bsd.own.mk
projects/largeSMP/sys/boot/i386/zfsboot/zfsldr.S
projects/largeSMP/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c
projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_dataset.c
projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_cache.c
projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h
projects/largeSMP/sys/conf/files
projects/largeSMP/sys/contrib/altq/altq/altq_red.c
projects/largeSMP/sys/contrib/pf/net/if_pflog.c
projects/largeSMP/sys/contrib/pf/net/if_pflog.h
projects/largeSMP/sys/contrib/pf/net/if_pfsync.c
projects/largeSMP/sys/contrib/pf/net/if_pfsync.h
projects/largeSMP/sys/contrib/pf/net/pf.c
projects/largeSMP/sys/contrib/pf/net/pf_if.c
projects/largeSMP/sys/contrib/pf/net/pf_ioctl.c
projects/largeSMP/sys/contrib/pf/net/pf_mtag.h
projects/largeSMP/sys/contrib/pf/net/pf_norm.c
projects/largeSMP/sys/contrib/pf/net/pf_osfp.c
projects/largeSMP/sys/contrib/pf/net/pf_ruleset.c
projects/largeSMP/sys/contrib/pf/net/pf_table.c
projects/largeSMP/sys/contrib/pf/net/pfvar.h
projects/largeSMP/sys/dev/acpica/acpi_thermal.c
projects/largeSMP/sys/dev/an/if_an.c
projects/largeSMP/sys/dev/ath/ath_hal/ah_eeprom_9287.h
projects/largeSMP/sys/dev/ath/ath_hal/ar9002/ar9287_attach.c
projects/largeSMP/sys/dev/dc/dcphy.c
projects/largeSMP/sys/dev/dc/pnphy.c
projects/largeSMP/sys/dev/en/if_en_pci.c
projects/largeSMP/sys/dev/et/if_et.c
projects/largeSMP/sys/dev/fdc/fdc_pccard.c
projects/largeSMP/sys/dev/fxp/if_fxp.c
projects/largeSMP/sys/dev/iicbus/if_ic.c
projects/largeSMP/sys/dev/mfi/mfi_cam.c
projects/largeSMP/sys/dev/my/if_my.c
projects/largeSMP/sys/dev/pty/pty.c
projects/largeSMP/sys/dev/sis/if_sis.c
projects/largeSMP/sys/dev/snp/snp.c
projects/largeSMP/sys/dev/syscons/scterm-teken.c
projects/largeSMP/sys/dev/tdfx/tdfx_pci.c
projects/largeSMP/sys/dev/usb/usb_msctest.c
projects/largeSMP/sys/geom/part/g_part_ebr.c
projects/largeSMP/sys/geom/part/g_part_mbr.c
projects/largeSMP/sys/kern/tty.c
projects/largeSMP/sys/kern/tty_inq.c
projects/largeSMP/sys/kern/tty_outq.c
projects/largeSMP/sys/kern/tty_pts.c
projects/largeSMP/sys/kern/tty_ttydisc.c
projects/largeSMP/sys/modules/Makefile
projects/largeSMP/sys/modules/ipdivert/Makefile
projects/largeSMP/sys/modules/pf/Makefile
projects/largeSMP/sys/modules/pflog/Makefile
projects/largeSMP/sys/net/if.c
projects/largeSMP/sys/net80211/ieee80211_dfs.c
projects/largeSMP/sys/netinet/in_gif.c
projects/largeSMP/sys/netinet/ip_divert.c
projects/largeSMP/sys/netinet/ip_icmp.c
projects/largeSMP/sys/netinet/ipfw/ip_fw2.c
projects/largeSMP/sys/netinet/ipfw/ip_fw_pfil.c
projects/largeSMP/sys/netinet/raw_ip.c
projects/largeSMP/sys/netinet/sctp_uio.h
projects/largeSMP/sys/netinet6/icmp6.c
projects/largeSMP/sys/netinet6/in6_gif.c
projects/largeSMP/sys/netipsec/ipsec_input.c
projects/largeSMP/sys/netipsec/ipsec_output.c
projects/largeSMP/sys/netipsec/xform_ipip.c
projects/largeSMP/sys/sys/diskmbr.h
projects/largeSMP/sys/sys/mbuf.h
projects/largeSMP/sys/sys/param.h
projects/largeSMP/sys/teken/demo/teken_demo.c
projects/largeSMP/sys/teken/gensequences
projects/largeSMP/sys/teken/libteken/teken.3
projects/largeSMP/sys/teken/teken.c
projects/largeSMP/sys/teken/teken_subr.h
projects/largeSMP/usr.bin/calendar/calendars/ru_RU.KOI8-R/calendar.all
projects/largeSMP/usr.bin/tar/write.c
projects/largeSMP/usr.sbin/ftp-proxy/ftp-proxy/Makefile
Directory Properties:
projects/largeSMP/ (props changed)
projects/largeSMP/cddl/contrib/opensolaris/ (props changed)
projects/largeSMP/contrib/bind9/ (props changed)
projects/largeSMP/contrib/binutils/ (props changed)
projects/largeSMP/contrib/bzip2/ (props changed)
projects/largeSMP/contrib/compiler-rt/ (props changed)
projects/largeSMP/contrib/dialog/ (props changed)
projects/largeSMP/contrib/ee/ (props changed)
projects/largeSMP/contrib/expat/ (props changed)
projects/largeSMP/contrib/file/ (props changed)
projects/largeSMP/contrib/gcc/ (props changed)
projects/largeSMP/contrib/gdb/ (props changed)
projects/largeSMP/contrib/gdtoa/ (props changed)
projects/largeSMP/contrib/gnu-sort/ (props changed)
projects/largeSMP/contrib/groff/ (props changed)
projects/largeSMP/contrib/less/ (props changed)
projects/largeSMP/contrib/libpcap/ (props changed)
projects/largeSMP/contrib/libstdc++/ (props changed)
projects/largeSMP/contrib/llvm/ (props changed)
projects/largeSMP/contrib/llvm/tools/clang/ (props changed)
projects/largeSMP/contrib/ncurses/ (props changed)
projects/largeSMP/contrib/netcat/ (props changed)
projects/largeSMP/contrib/ntp/ (props changed)
projects/largeSMP/contrib/one-true-awk/ (props changed)
projects/largeSMP/contrib/openbsm/ (props changed)
projects/largeSMP/contrib/openpam/ (props changed)
projects/largeSMP/contrib/pf/ (props changed)
projects/largeSMP/contrib/sendmail/ (props changed)
projects/largeSMP/contrib/tcpdump/ (props changed)
projects/largeSMP/contrib/tcsh/ (props changed)
projects/largeSMP/contrib/tnftp/ (props changed)
projects/largeSMP/contrib/top/ (props changed)
projects/largeSMP/contrib/top/install-sh (props changed)
projects/largeSMP/contrib/tzcode/stdtime/ (props changed)
projects/largeSMP/contrib/tzcode/zic/ (props changed)
projects/largeSMP/contrib/tzdata/ (props changed)
projects/largeSMP/contrib/wpa/ (props changed)
projects/largeSMP/contrib/xz/ (props changed)
projects/largeSMP/crypto/openssh/ (props changed)
projects/largeSMP/crypto/openssl/ (props changed)
projects/largeSMP/gnu/lib/ (props changed)
projects/largeSMP/gnu/usr.bin/binutils/ (props changed)
projects/largeSMP/gnu/usr.bin/cc/cc_tools/ (props changed)
projects/largeSMP/gnu/usr.bin/gdb/ (props changed)
projects/largeSMP/lib/libc/ (props changed)
projects/largeSMP/lib/libc/stdtime/ (props changed)
projects/largeSMP/lib/libutil/ (props changed)
projects/largeSMP/lib/libz/ (props changed)
projects/largeSMP/sbin/ (props changed)
projects/largeSMP/sbin/ipfw/ (props changed)
projects/largeSMP/share/mk/bsd.arch.inc.mk (props changed)
projects/largeSMP/share/zoneinfo/ (props changed)
projects/largeSMP/sys/ (props changed)
projects/largeSMP/sys/amd64/include/xen/ (props changed)
projects/largeSMP/sys/boot/ (props changed)
projects/largeSMP/sys/boot/i386/efi/ (props changed)
projects/largeSMP/sys/boot/ia64/efi/ (props changed)
projects/largeSMP/sys/boot/ia64/ski/ (props changed)
projects/largeSMP/sys/boot/powerpc/boot1.chrp/ (props changed)
projects/largeSMP/sys/boot/powerpc/ofw/ (props changed)
projects/largeSMP/sys/cddl/contrib/opensolaris/ (props changed)
projects/largeSMP/sys/conf/ (props changed)
projects/largeSMP/sys/contrib/dev/acpica/ (props changed)
projects/largeSMP/sys/contrib/octeon-sdk/ (props changed)
projects/largeSMP/sys/contrib/pf/ (props changed)
projects/largeSMP/sys/contrib/x86emu/ (props changed)
projects/largeSMP/usr.bin/calendar/ (props changed)
projects/largeSMP/usr.bin/csup/ (props changed)
projects/largeSMP/usr.bin/procstat/ (props changed)
projects/largeSMP/usr.sbin/ndiscvt/ (props changed)
projects/largeSMP/usr.sbin/zic/ (props changed)
Modified: projects/largeSMP/UPDATING
==============================================================================
--- projects/largeSMP/UPDATING Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/UPDATING Tue Jun 28 14:40:17 2011 (r223645)
@@ -22,6 +22,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.
machines to maximize performance. (To disable malloc debugging, run
ln -s aj /etc/malloc.conf.)
+20110628:
+ The packet filter (pf) code has been updated to OpenBSD 4.5.
+ You need to update userland tools to be in sync with kernel.
+
20110608:
The following sysctls and tunables are retired on x86 platforms:
machdep.hlt_cpus
Modified: projects/largeSMP/bin/sh/arith_yacc.c
==============================================================================
--- projects/largeSMP/bin/sh/arith_yacc.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/bin/sh/arith_yacc.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -35,7 +35,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
-#include <sys/limits.h>
+#include <limits.h>
#include <errno.h>
#include <inttypes.h>
#include <stdlib.h>
Modified: projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8
==============================================================================
--- projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Tue Jun 28 14:40:17 2011 (r223645)
@@ -6,6 +6,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.\" Copyright 2011 by Delphix. All rights reserved.
.TH zfs 1M "24 Sep 2009" "SunOS 5.11" "System Administration Commands"
.SH NAME
zfs \- configures ZFS file systems
@@ -389,7 +390,7 @@ This property can also be referred to by
.ad
.sp .6
.RS 4n
-The compression ratio achieved for this dataset, expressed as a multiplier. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR.
+For non-snapshots, the compression ratio achieved for the \fBused\fR space of this dataset, expressed as a multiplier. The \fBused\fR property includes descendant datasets, and, for clones, does not include the space shared with the origin snapshot. For snapshots, the \fBcompressratio\fR is the same as the \fBrefcompressratio\fR property. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR.
.RE
.sp
@@ -453,6 +454,17 @@ This property can also be referred to by
.ne 2
.mk
.na
+\fB\fBrefcompressratio\fR\fR
+.ad
+.sp .6
+.RS 4n
+The compression ratio achieved for the \fBreferenced\fR space of this dataset, expressed as a multiplier. See also the \fBcompressratio\fR property.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
\fB\fBtype\fR\fR
.ad
.sp .6
@@ -1278,7 +1290,7 @@ Recursively destroy all dependents, incl
Force an unmount of any file systems using the \fBunmount -f\fR command. This option has no effect on non-file systems or unmounted file systems.
.RE
-Extreme care should be taken when applying either the \fB-r\fR or the \fB-f\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use.
+Extreme care should be taken when applying either the \fB-r\fR or the \fB-R\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use.
.RE
.sp
Modified: projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c
==============================================================================
--- projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2010 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
#include <assert.h>
@@ -1292,7 +1292,7 @@ static int
zfs_do_get(int argc, char **argv)
{
zprop_get_cbdata_t cb = { 0 };
- int i, c, flags = 0;
+ int i, c, flags = ZFS_ITER_ARGS_CAN_BE_PATHS;
char *value, *fields;
int ret;
int limit = 0;
Modified: projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c
==============================================================================
--- projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -22,6 +22,7 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2010 Nexenta Systems, Inc. All rights reserved.
+ * Copyright (c) 2011 by Delphix. All rights reserved.
*/
#include <ctype.h>
@@ -2038,6 +2039,7 @@ zfs_prop_get(zfs_handle_t *zhp, zfs_prop
}
break;
+ case ZFS_PROP_REFRATIO:
case ZFS_PROP_COMPRESSRATIO:
if (get_numeric_property(zhp, prop, src, &source, &val) != 0)
return (-1);
Modified: projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c
==============================================================================
--- projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -405,7 +405,18 @@ bpf_filter(pc, p, wirelen, buflen)
continue;
case BPF_JMP|BPF_JA:
+#if defined(KERNEL) || defined(_KERNEL)
+ /*
+ * No backward jumps allowed.
+ */
pc += pc->k;
+#else
+ /*
+ * XXX - we currently implement "ip6 protochain"
+ * with backward jumps, so sign-extend pc->k.
+ */
+ pc += (bpf_int32)pc->k;
+#endif
continue;
case BPF_JMP|BPF_JGT|BPF_K:
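Review bot: The userland branch now lets a BPF_JA move pc backwards (the `(bpf_int32)pc->k` cast), but nothing in this hunk bounds the target in either direction, so the interpreter still depends entirely on the program having been validated before it runs. It is worth confirming that the validator in this tree (bpf_validate, presumably later in this file) models the same sign-extension; a backward jump accepted here but rejected or mis-modelled there turns an attacker-supplied filter into an unbounded loop in the userland process. The kernel comment `No backward jumps allowed.` describes a rule enforced elsewhere, not by this line; suggest making that explicit, e.g. `/* Unsigned add: negative offsets are rejected at load time, not here. */`. bpf_filter continues outside the hunk.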
Modified: projects/largeSMP/contrib/ntp/ntpd/ntp_io.c
==============================================================================
--- projects/largeSMP/contrib/ntp/ntpd/ntp_io.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/contrib/ntp/ntpd/ntp_io.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -2716,14 +2716,14 @@ sendpkt(
for (slot = ERRORCACHESIZE; --slot >= 0; )
if(dest->ss_family == AF_INET) {
- if (badaddrs[slot].port == ((struct sockaddr_in*)dest)->sin_port &&
+ if (badaddrs[slot].port == SRCPORT(dest) &&
badaddrs[slot].addr.s_addr == ((struct sockaddr_in*)dest)->sin_addr.s_addr)
break;
}
#ifdef INCLUDE_IPV6_SUPPORT
else if (dest->ss_family == AF_INET6) {
- if (badaddrs6[slot].port == ((struct sockaddr_in6*)dest)->sin6_port &&
- badaddrs6[slot].addr.s6_addr == ((struct sockaddr_in6*)dest)->sin6_addr.s6_addr)
+ if (badaddrs6[slot].port == SRCPORT(dest) &&
+ !memcmp(&badaddrs6[slot].addr, &((struct sockaddr_in6*)dest)->sin6_addr, sizeof(struct in6_addr)))
break;
}
#endif /* INCLUDE_IPV6_SUPPORT */
Modified: projects/largeSMP/contrib/pf/authpf/authpf.8
==============================================================================
--- projects/largeSMP/contrib/pf/authpf/authpf.8 Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/contrib/pf/authpf/authpf.8 Tue Jun 28 14:40:17 2011 (r223645)
@@ -1,5 +1,5 @@
.\" $FreeBSD$
-.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck at openbsd.org>. All rights reserved.
.\"
@@ -15,14 +15,16 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd March 28, 2006
+.Dd January 6 2009
.Dt AUTHPF 8
.Os
.Sh NAME
-.Nm authpf
+.Nm authpf ,
+.Nm authpf-noip
.Nd authenticating gateway user shell
.Sh SYNOPSIS
.Nm authpf
+.Nm authpf-noip
.Sh DESCRIPTION
.Nm
is a user shell for authenticating gateways.
@@ -31,47 +33,63 @@ It is used to change
rules when a user authenticates and starts a session with
.Xr sshd 8
and to undo these changes when the user's session exits.
-It is designed for changing filter and translation rules for an individual
-source IP address as long as a user maintains an active
-.Xr ssh 1
-session.
Typical use would be for a gateway that authenticates users before
allowing them Internet use, or a gateway that allows different users into
different places.
+Combined with properly set up filter rules and secure switches,
.Nm
-logs the successful start and end of a session to
-.Xr syslogd 8 .
-This, combined with properly set up filter rules and secure switches,
can be used to ensure users are held accountable for their network traffic.
-.Pp
-.Nm
-can add filter and translation rules using the syntax described in
-.Xr pf.conf 5 .
-.Nm
-requires that the
+It is meant to be used with users who can connect via
+.Xr ssh 1
+only, and requires the
.Xr pf 4
-system be enabled and a
-.Xr fdescfs 5
-file system be mounted at
-.Pa /dev/fd
-before use.
+subsystem to be enabled.
+.Pp
+.Nm authpf-noip
+is a user shell
+which allows multiple connections to take
+place from the same IP address.
+It is useful primarily in cases where connections are tunneled via
+the gateway system, and can be directly associated with the user name.
+It cannot ensure accountability when
+classifying connections by IP address;
+in this case the client's IP address
+is not provided to the packet filter via the
+.Ar client_ip
+macro or the
+.Ar authpf_users
+table.
+Additionally, states associated with the client IP address
+are not purged when the session is ended.
+.Pp
+To use either
.Nm
-can also maintain the list of IP address of connected users
-in the "authpf_users"
-.Pa table .
+or
+.Nm authpf-noip ,
+the user's shell needs to be set to
+.Pa /usr/sbin/authpf
+or
+.Pa /usr/sbin/authpf-noip .
.Pp
.Nm
-is meant to be used with users who can connect via
+uses the
+.Xr pf.conf 5
+syntax to change filter and translation rules for an individual
+user or client IP address as long as a user maintains an active
.Xr ssh 1
-only.
-On startup,
+session, and logs the successful start and end of a session to
+.Xr syslogd 8 .
.Nm
retrieves the client's connecting IP address via the
.Ev SSH_CLIENT
environment variable and, after performing additional access checks,
reads a template file to determine what filter and translation rules
-(if any) to add.
-On session exit the same rules that were added at startup are removed.
+(if any) to add, and
+maintains the list of IP addresses of connected users in the
+.Ar authpf_users
+table.
+On session exit the same rules and table entries that were added at startup
+are removed, and all states associated with the client's IP address are purged.
.Pp
Each
.Nm
@@ -185,6 +203,9 @@ It is also possible to configure
to only allow specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
+A group of users can also be indicated by prepending "%" to the group name,
+and all members of a login class can be indicated by prepending "@" to the
+login class name.
If "*" is found on a line, then all usernames match.
If
.Nm
@@ -297,7 +318,8 @@ They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
-which lists their login ids, one per line.
+which lists their login ids, group prepended with "%", or login class
+prepended with "@", one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.
@@ -501,6 +523,31 @@ table <authpf_users> persist
anchor "authpf/*" from <authpf_users>
rdr-anchor "authpf/*" from <authpf_users>
.Ed
+.Pp
+.Sy Tunneled users
+\- normally
+.Nm
+allows only one session per client IP address.
+However in some cases, such as when connections are tunneled via
+.Xr ssh 1
+or
+.Xr ipsec 4 ,
+the connections can be authorized based on the userid of the user instead of
+the client IP address.
+In this case it is appropriate to use
+.Nm authpf-noip
+to allow multiple users behind a NAT gateway to connect.
+In the
+.Pa /etc/authpf/authpf.rules
+example below, the remote user could tunnel a remote desktop session to their
+workstation:
+.Bd -literal
+internal_if="bge0"
+workstation_ip="10.2.3.4"
+
+pass out on $internal_if from (self) to $workstation_ip port 3389 \e
+ user $user_id
+.Ed
.Sh FILES
.Bl -tag -width "/etc/authpf/authpf.conf" -compact
.It Pa /etc/authpf/authpf.conf
@@ -512,7 +559,6 @@ rdr-anchor "authpf/*" from <authpf_users
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
-.Xr fdescfs 5 ,
.Xr securelevel 7 ,
.Xr ftp-proxy 8
.Sh HISTORY
Modified: projects/largeSMP/contrib/pf/authpf/authpf.c
==============================================================================
--- projects/largeSMP/contrib/pf/authpf/authpf.c Tue Jun 28 14:26:34 2011 (r223644)
+++ projects/largeSMP/contrib/pf/authpf/authpf.c Tue Jun 28 14:40:17 2011 (r223645)
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.104 2007/02/24 17:35:08 beck Exp $ */
+/* $OpenBSD: authpf.c,v 1.112 2009/01/10 19:08:53 miod Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck at openbsd.org).
@@ -19,7 +19,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
-#include <sys/param.h>
+#include <sys/types.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
#endif
#include <login_cap.h>
#include <pwd.h>
+#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@@ -48,10 +49,11 @@ __FBSDID("$FreeBSD$");
#include "pathnames.h"
static int read_config(FILE *);
-static void print_message(char *);
-static int allowed_luser(char *);
-static int check_luser(char *, char *);
+static void print_message(const char *);
+static int allowed_luser(struct passwd *);
+static int check_luser(const char *, char *);
static int remove_stale_rulesets(void);
+static int recursive_ruleset_purge(char *, char *);
static int change_filter(int, const char *, const char *);
static int change_table(int, const char *);
static void authpf_kill_states(void);
@@ -60,8 +62,10 @@ int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
+int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
+int pidfd = -1;
char luser[MAXLOGNAME]; /* username */
char ipsrc[256]; /* ip as a string */
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@@ -75,6 +79,7 @@ static __dead2 void do_death(int);
#else
static __dead void do_death(int);
#endif
+extern char *__progname; /* program name */
/*
* User shell for authenticating gateways. Sole purpose is to allow
@@ -83,21 +88,24 @@ static __dead void do_death(int);
* up. Meant to be used only from ssh(1) connections.
*/
int
-main(int argc, char *argv[])
+main(void)
{
- int lockcnt = 0, n, pidfd;
+ int lockcnt = 0, n;
FILE *config;
struct in6_addr ina;
struct passwd *pw;
char *cp;
gid_t gid;
uid_t uid;
- char *shell;
+ const char *shell;
login_cap_t *lc;
+ if (strcmp(__progname, "-authpf-noip") == 0)
+ user_ip = 0;
+
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
- syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
+ syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
exit(1);
}
@@ -142,23 +150,34 @@ main(int argc, char *argv[])
}
if ((lc = login_getclass(pw->pw_class)) != NULL)
- shell = (char *)login_getcapstr(lc, "shell", pw->pw_shell,
+ shell = login_getcapstr(lc, "shell", pw->pw_shell,
pw->pw_shell);
else
shell = pw->pw_shell;
+#ifndef __FreeBSD__
login_close(lc);
+#endif
- if (strcmp(shell, PATH_AUTHPF_SHELL)) {
+ if (strcmp(shell, PATH_AUTHPF_SHELL) &&
+ strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
syslog(LOG_ERR, "wrong shell for user %s, uid %u",
pw->pw_name, pw->pw_uid);
+#ifdef __FreeBSD__
+ login_close(lc);
+#else
if (shell != pw->pw_shell)
free(shell);
+#endif
goto die;
}
+#ifdef __FreeBSD__
+ login_close(lc);
+#else
if (shell != pw->pw_shell)
free(shell);
+#endif
/*
* Paranoia, but this data _does_ come from outside authpf, and
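Review bot: The accepted shell is not tied to the mode the process runs in: `user_ip` is cleared from `__progname` earlier in main (the hunk above), while this check accepts either PATH_AUTHPF_SHELL or PATH_AUTHPF_SHELL_NOIP regardless of which name the binary was invoked under. Under sshd the two agree, but any other invocation with a mismatched argv[0] would give a user whose passwd entry names one shell the table/pidfile behaviour of the other. If that is not intended, deriving the mode from the administrator-controlled shell once the check passes, `user_ip = strcmp(shell, PATH_AUTHPF_SHELL_NOIP) != 0;`, would remove the dependency on argv[0]. main continues outside the hunk.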
@@ -181,13 +200,22 @@ main(int argc, char *argv[])
}
- /* Make our entry in /var/authpf as /var/authpf/ipaddr */
- n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
+ /* Make our entry in /var/authpf as ipaddr or username */
+ n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
+ PATH_PIDFILE, user_ip ? ipsrc : luser);
if (n < 0 || (u_int)n >= sizeof(pidfile)) {
syslog(LOG_ERR, "path to pidfile too long");
goto die;
}
+ signal(SIGTERM, need_death);
+ signal(SIGINT, need_death);
+ signal(SIGALRM, need_death);
+ signal(SIGPIPE, need_death);
+ signal(SIGHUP, need_death);
+ signal(SIGQUIT, need_death);
+ signal(SIGTSTP, need_death);
+
/*
* If someone else is already using this ip, then this person
* wants to switch users - so kill the old process and exit
@@ -241,15 +269,17 @@ main(int argc, char *argv[])
}
/*
- * we try to kill the previous process and acquire the lock
+ * We try to kill the previous process and acquire the lock
* for 10 seconds, trying once a second. if we can't after
- * 10 attempts we log an error and give up
+ * 10 attempts we log an error and give up.
*/
- if (++lockcnt > 10) {
- syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
- otherpid);
+ if (want_death || ++lockcnt > 10) {
+ if (!want_death)
+ syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
+ otherpid);
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
goto dogdeath;
}
sleep(1);
@@ -260,6 +290,7 @@ main(int argc, char *argv[])
*/
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
} while (1);
/* whack the group list */
@@ -277,7 +308,7 @@ main(int argc, char *argv[])
}
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
}
@@ -302,19 +333,12 @@ main(int argc, char *argv[])
printf("Unable to modify filters\r\n");
do_death(0);
}
- if (change_table(1, ipsrc) == -1) {
+ if (user_ip && change_table(1, ipsrc) == -1) {
printf("Unable to modify table\r\n");
change_filter(0, luser, ipsrc);
do_death(0);
}
- signal(SIGTERM, need_death);
- signal(SIGINT, need_death);
- signal(SIGALRM, need_death);
- signal(SIGPIPE, need_death);
- signal(SIGHUP, need_death);
- signal(SIGQUIT, need_death);
- signal(SIGTSTP, need_death);
while (1) {
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@@ -337,8 +361,6 @@ dogdeath:
sleep(180); /* them lusers read reaaaaal slow */
die:
do_death(0);
-
- /* NOTREACHED */
}
/*
@@ -361,6 +383,8 @@ read_config(FILE *f)
}
i++;
len = strlen(buf);
+ if (len == 0)
+ continue;
if (buf[len - 1] != '\n' && !feof(f)) {
syslog(LOG_ERR, "line %d too long in %s", i,
PATH_CONFFILE);
@@ -413,7 +437,7 @@ parse_error:
* they've been bad or we're unavailable.
*/
static void
-print_message(char *filename)
+print_message(const char *filename)
{
char buf[1024];
FILE *f;
@@ -436,6 +460,7 @@ print_message(char *filename)
* allowed_luser checks to see if user "luser" is allowed to
* use this gateway by virtue of being listed in an allowed
* users file, namely /etc/authpf/authpf.allow .
+ * Users may be listed by <username>, %<group>, or @<login_class>.
*
* If /etc/authpf/authpf.allow does not exist, then we assume that
* all users who are allowed in by sshd(8) are permitted to
@@ -444,9 +469,9 @@ print_message(char *filename)
* the session terminates in the same manner as being banned.
*/
static int
-allowed_luser(char *luser)
+allowed_luser(struct passwd *pw)
{
- char *buf, *lbuf;
+ char *buf,*lbuf;
int matched;
size_t len;
FILE *f;
@@ -476,8 +501,14 @@ allowed_luser(char *luser)
* "public" gateway, such as it is, so let
* everyone use it.
*/
+ int gl_init = 0, ngroups = NGROUPS + 1;
+ gid_t groups[NGROUPS + 1];
+
lbuf = NULL;
+ matched = 0;
+
while ((buf = fgetln(f, &len))) {
+
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
else {
@@ -488,7 +519,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
- matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
+ if (buf[0] == '@') {
+ /* check login class */
+ if (strcmp(pw->pw_class, buf + 1) == 0)
+ matched++;
+ } else if (buf[0] == '%') {
+ /* check group membership */
+ int cnt;
+ struct group *group;
+
+ if ((group = getgrnam(buf + 1)) == NULL) {
+ syslog(LOG_ERR,
+ "invalid group '%s' in %s (%s)",
+ buf + 1, PATH_ALLOWFILE,
+ strerror(errno));
+ return (0);
+ }
+
+ if (!gl_init) {
+ (void) getgrouplist(pw->pw_name,
+ pw->pw_gid, groups, &ngroups);
+ gl_init++;
+ }
+
+ for ( cnt = 0; cnt < ngroups; cnt++) {
+ if (group->gr_gid == groups[cnt]) {
+ matched++;
+ break;
+ }
+ }
+ } else {
+ /* check username and wildcard */
+ matched = strcmp(pw->pw_name, buf) == 0 ||
+ strcmp("*", buf) == 0;
+ }
if (lbuf != NULL) {
free(lbuf);
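Review bot: `strerror(errno)` in the getgrnam failure message reports a stale value: getgrnam returns NULL for a group that simply does not exist without touching errno, so the log line can blame an unrelated earlier error. Set `errno = 0;` before the call and print strerror only when errno is non-zero, or drop it from the message. That early `return (0)` also leaves `lbuf` (allocated earlier in the loop for an unterminated last line) and the open file behind; harmless since the process is about to exit, but a jump to the existing cleanup would keep the function consistent. The `(void)` on getgrouplist discards its -1 result; if the user belongs to more groups than fit in `groups[]`, the membership test silently runs on a truncated list and may deny a legitimately listed user — fail-closed, but worth a syslog so the administrator can see why. allowed_luser continues outside the hunk.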
@@ -496,13 +560,13 @@ allowed_luser(char *luser)
}
if (matched)
- return (1); /* matched an allowed username */
+ return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
- luser, PATH_ALLOWFILE);
+ pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
- buf = "\n\nSorry, you are not allowed to use this facility!\n";
+ sprintf(buf, "%s", "\n\nSorry, you are not allowed to use this facility!\n");
fputs(buf, stdout);
}
fflush(stdout);
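Review bot: `sprintf(buf, "%s", ...)` on the new side writes through a pointer that, as far as the visible lines show, is NULL at this point: `buf` is only assigned from fgetln() in the loop condition (and from `lbuf` inside the loop, which is then freed), and the loop only ends when fgetln() returns NULL. Even if `buf` still held a value, it would point into fgetln()'s line buffer, whose size is not under the caller's control, so the message could overrun it. The removed line merely pointed `buf` at the literal; keep that, or write the message directly: `fputs("\n\nSorry, you are not allowed to use this facility!\n", stdout);`. allowed_luser begins and ends outside this hunk.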
@@ -520,13 +584,13 @@ allowed_luser(char *luser)
* going to be un-banned.)
*/
static int
-check_luser(char *luserdir, char *luser)
+check_luser(const char *luserdir, char *l_user)
{
FILE *f;
int n;
char tmp[MAXPATHLEN];
- n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser);
+ n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, l_user);
if (n < 0 || (u_int)n >= sizeof(tmp)) {
syslog(LOG_ERR, "provided banned directory line too long (%s)",
luserdir);
@@ -555,7 +619,7 @@ check_luser(char *luserdir, char *luser)
* tell what they can do and where they can go.
*/
syslog(LOG_INFO, "denied access to %s: %s exists",
- luser, tmp);
+ l_user, tmp);
/* reuse tmp */
strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n",
@@ -581,7 +645,7 @@ static int
remove_stale_rulesets(void)
{
struct pfioc_ruleset prs;
- u_int32_t nr, mnr;
+ u_int32_t nr;
memset(&prs, 0, sizeof(prs));
strlcpy(prs.path, anchorname, sizeof(prs.path));
@@ -592,13 +656,12 @@ remove_stale_rulesets(void)
return (1);
}
- mnr = prs.nr;
- nr = 0;
- while (nr < mnr) {
+ nr = prs.nr;
+ while (nr) {
char *s, *t;
pid_t pid;
- prs.nr = nr;
+ prs.nr = nr - 1;
if (ioctl(dev, DIOCGETRULESET, &prs))
return (1);
errno = 0;
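Review bot: The reversed walk (`nr = prs.nr; while (nr) { ... prs.nr = nr - 1; ... }`) has no comment saying why it goes from the last ruleset down; presumably it is so that purging ruleset `nr - 1` does not renumber the ones still to be visited, which the removed `mnr--` bookkeeping handled instead. Suggested comment above `nr = prs.nr;`: `/* walk from the last ruleset down so purging one does not shift the indices of those not yet visited */`. remove_stale_rulesets continues past this hunk.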
@@ -610,119 +673,159 @@ remove_stale_rulesets(void)
if (!prs.name[0] || errno ||
(*s && (t == prs.name || *s != ')')))
return (1);
- if (kill(pid, 0) && errno != EPERM) {
- int i;
- struct pfioc_trans_e t_e[PF_RULESET_MAX+1];
- struct pfioc_trans t;
-
- bzero(&t, sizeof(t));
- bzero(t_e, sizeof(t_e));
- t.size = PF_RULESET_MAX+1;
- t.esize = sizeof(t_e[0]);
- t.array = t_e;
- for (i = 0; i < PF_RULESET_MAX+1; ++i) {
- t_e[i].rs_num = i;
- snprintf(t_e[i].anchor, sizeof(t_e[i].anchor),
- "%s/%s", anchorname, prs.name);
- }
- t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
- if ((ioctl(dev, DIOCXBEGIN, &t) ||
- ioctl(dev, DIOCXCOMMIT, &t)) &&
- errno != EINVAL)
+ if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) {
+ if (recursive_ruleset_purge(anchorname, prs.name))
return (1);
- mnr--;
- } else
- nr++;
+ }
+ nr--;
}
return (0);
}
+static int
+recursive_ruleset_purge(char *an, char *rs)
+{
+ struct pfioc_trans_e *t_e = NULL;
+ struct pfioc_trans *t = NULL;
+ struct pfioc_ruleset *prs = NULL;
+ int i;
+
+
+ /* purge rules */
+ errno = 0;
+ if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL)
+ goto no_mem;
+ if ((t_e = calloc(PF_RULESET_MAX+1,
+ sizeof(struct pfioc_trans_e))) == NULL)
+ goto no_mem;
+ t->size = PF_RULESET_MAX+1;
+ t->esize = sizeof(struct pfioc_trans_e);
+ t->array = t_e;
+ for (i = 0; i < PF_RULESET_MAX+1; ++i) {
+ t_e[i].rs_num = i;
+ snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs);
+ }
+ t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
+ if ((ioctl(dev, DIOCXBEGIN, t) ||
+ ioctl(dev, DIOCXCOMMIT, t)) &&
+ errno != EINVAL)
+ goto cleanup;
+
+ /* purge any children */
+ if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL)
+ goto no_mem;
+ snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
+ if (ioctl(dev, DIOCGETRULESETS, prs)) {
+ if (errno != EINVAL)
+ goto cleanup;
+ errno = 0;
+ } else {
+ int nr = prs->nr;
+
+ while (nr) {
+ prs->nr = 0;
+ if (ioctl(dev, DIOCGETRULESET, prs))
+ goto cleanup;
+
+ if (recursive_ruleset_purge(prs->path, prs->name))
+ goto cleanup;
+ nr--;
+ }
+ }
+
+no_mem:
+ if (errno == ENOMEM)
+ syslog(LOG_ERR, "calloc failed");
+
+cleanup:
+ free(t);
+ free(t_e);
+ free(prs);
+ return (errno);
+}
+
/*
* Add/remove filter entries for user "luser" from ip "ipsrc"
*/
static int
-change_filter(int add, const char *luser, const char *ipsrc)
+change_filter(int add, const char *l_user, const char *ip_src)
{
- char *pargv[13] = {
- "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
- "-D", "user_ip=X", "-D", "user_id=X", "-f",
- "file", NULL
- };
char *fdpath = NULL, *userstr = NULL, *ipstr = NULL;
char *rsn = NULL, *fn = NULL;
pid_t pid;
gid_t gid;
int s;
- if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
- syslog(LOG_ERR, "invalid luser/ipsrc");
- goto error;
- }
-
- if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
- goto no_mem;
- if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
- goto no_mem;
- if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
- goto no_mem;
- if (asprintf(&userstr, "user_id=%s", luser) == -1)
- goto no_mem;
-
if (add) {
struct stat sb;
+ char *pargv[13] = {
+ "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
+ "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
+ };
- if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser)
- == -1)
+ if (l_user == NULL || !l_user[0] || ip_src == NULL || !ip_src[0]) {
+ syslog(LOG_ERR, "invalid luser/ipsrc");
+ goto error;
+ }
+
+ if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
+ goto no_mem;
+ if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
+ goto no_mem;
+ if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1)
+ goto no_mem;
+ if (asprintf(&userstr, "user_id=%s", l_user) == -1)
+ goto no_mem;
+ if (asprintf(&fn, "%s/%s/authpf.rules",
+ PATH_USER_DIR, l_user) == -1)
goto no_mem;
if (stat(fn, &sb) == -1) {
free(fn);
if ((fn = strdup(PATH_PFRULES)) == NULL)
goto no_mem;
}
- }
- pargv[2] = fdpath;
- pargv[5] = rsn;
- pargv[7] = userstr;
- pargv[9] = ipstr;
- if (!add)
- pargv[11] = "/dev/null";
- else
- pargv[11] = fn;
+ pargv[2] = fdpath;
+ pargv[5] = rsn;
+ pargv[7] = userstr;
+ if (user_ip) {
+ pargv[9] = ipstr;
+ pargv[11] = fn;
+ } else {
+ pargv[8] = "-f";
+ pargv[9] = fn;
+ pargv[10] = NULL;
+ }
- switch (pid = fork()) {
- case -1:
- syslog(LOG_ERR, "fork failed");
- goto error;
- case 0:
- /* revoke group privs before exec */
- gid = getgid();
- if (setregid(gid, gid) == -1) {
- err(1, "setregid");
- }
- execvp(PATH_PFCTL, pargv);
- warn("exec of %s failed", PATH_PFCTL);
- _exit(1);
- }
-
- /* parent */
- waitpid(pid, &s, 0);
- if (s != 0) {
- syslog(LOG_ERR, "pfctl exited abnormally");
- goto error;
- }
+ switch (pid = fork()) {
+ case -1:
+ syslog(LOG_ERR, "fork failed");
+ goto error;
+ case 0:
+ /* revoke group privs before exec */
+ gid = getgid();
+ if (setregid(gid, gid) == -1) {
+ err(1, "setregid");
+ }
+ execvp(PATH_PFCTL, pargv);
+ warn("exec of %s failed", PATH_PFCTL);
+ _exit(1);
+ }
+
+ /* parent */
+ waitpid(pid, &s, 0);
+ if (s != 0) {
+ syslog(LOG_ERR, "pfctl exited abnormally");
+ goto error;
+ }
- if (add) {
gettimeofday(&Tstart, NULL);
- syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
+ syslog(LOG_INFO, "allowing %s, user %s", ip_src, l_user);
} else {
+ remove_stale_rulesets();
+
gettimeofday(&Tend, NULL);
-#ifdef __FreeBSD__
- syslog(LOG_INFO, "removed %s, user %s - duration %jd seconds",
- ipsrc, luser, (intmax_t)(Tend.tv_sec - Tstart.tv_sec));
-#else
- syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds",
- ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
-#endif
+ syslog(LOG_INFO, "removed %s, user %s - duration %ju seconds",
+ ip_src, l_user, (uintmax_t)(Tend.tv_sec - Tstart.tv_sec));
}
return (0);
no_mem:
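Review bot: recursive_ruleset_purge() returns `errno`, but a tolerated EINVAL from the DIOCXBEGIN/DIOCXCOMMIT pair is never cleared: the code continues past `goto cleanup` with errno still EINVAL, and if DIOCGETRULESETS then succeeds nothing resets it, so the success path falls into `no_mem:`/`cleanup:` and returns EINVAL, which remove_stale_rulesets treats as failure (`return (1)`). If the transaction ioctls can in fact fail with EINVAL, as the tolerance suggests, add `errno = 0;` right after that `if` block, before the `/* purge any children */` section. As a point of style, having the successful path fall through the `no_mem:` label reads as an error exit; a separate label or an explicit `goto cleanup` after the children loop would make the intent clearer. The function is also called at the `if (recursive_ruleset_purge(anchorname, prs.name))` line before its definition, so a prototype must exist above, outside this hunk.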
@@ -740,7 +843,7 @@ error:
* Add/remove this IP from the "authpf_users" table.
*/
static int
-change_table(int add, const char *ipsrc)
+change_table(int add, const char *ip_src)
{
struct pfioc_table io;
struct pfr_addr addr;
@@ -753,12 +856,12 @@ change_table(int add, const char *ipsrc)
io.pfrio_size = 1;
bzero(&addr, sizeof(addr));
- if (ipsrc == NULL || !ipsrc[0])
+ if (ip_src == NULL || !ip_src[0])
return (-1);
- if (inet_pton(AF_INET, ipsrc, &addr.pfra_ip4addr) == 1) {
+ if (inet_pton(AF_INET, ip_src, &addr.pfra_ip4addr) == 1) {
addr.pfra_af = AF_INET;
addr.pfra_net = 32;
- } else if (inet_pton(AF_INET6, ipsrc, &addr.pfra_ip6addr) == 1) {
+ } else if (inet_pton(AF_INET6, ip_src, &addr.pfra_ip6addr) == 1) {
addr.pfra_af = AF_INET6;
addr.pfra_net = 128;
} else {
@@ -769,7 +872,7 @@ change_table(int add, const char *ipsrc)
if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) &&
errno != ESRCH) {
syslog(LOG_ERR, "cannot %s %s from table %s: %s",
- add ? "add" : "remove", ipsrc, tablename,
+ add ? "add" : "remove", ip_src, tablename,
strerror(errno));
return (-1);
}
@@ -821,7 +924,7 @@ authpf_kill_states(void)
/* signal handler that makes us go away properly */
static void
-need_death(int signo)
+need_death(int signo __unused)
{
want_death = 1;
}
@@ -840,11 +943,12 @@ do_death(int active)
if (active) {
change_filter(0, luser, ipsrc);
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***