svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl

Kristof Provost kp at freebsd.org
Mon Apr 1 05:53:30 UTC 2019


Author: kp
Date: Mon Apr 1 06:51:32 2019
New Revision: 345760
URL: https://svnweb.freebsd.org/changeset/base/345625

Log:
  pf: Remove obsolete pf

  pf in FreeBSD lags years behind OpenBSD's pf.
  Remove it.

  Users are advised to migrate to ipf.

Deleted:
  head/contrib/pf/authpf/authpf.8
  head/contrib/pf/authpf/authpf.c           
  head/contrib/pf/authpf/pathnames.h       
  head/contrib/pf/ftp-proxy/filter.c       
  head/contrib/pf/ftp-proxy/filter.h       
  head/contrib/pf/ftp-proxy/ftp-proxy.8    
  head/contrib/pf/ftp-proxy/ftp-proxy.c
  head/contrib/pf/libevent/buffer.c        
  head/contrib/pf/libevent/evbuffer.c      
  head/contrib/pf/libevent/event-internal.h
  head/contrib/pf/libevent/event.c        
  head/contrib/pf/libevent/event.h        
  head/contrib/pf/libevent/evsignal.h     
  head/contrib/pf/libevent/kqueue.c       
  head/contrib/pf/libevent/log.c          
  head/contrib/pf/libevent/log.h          
  head/contrib/pf/libevent/poll.c         
  head/contrib/pf/libevent/select.c       
  head/contrib/pf/libevent/signal.c       
  head/contrib/pf/pflogd/pflogd.8         
  head/contrib/pf/pflogd/pflogd.c         
  head/contrib/pf/pflogd/pflogd.h         
  head/contrib/pf/pflogd/pidfile.c        
  head/contrib/pf/pflogd/pidfile.h        
  head/contrib/pf/pflogd/privsep.c        
  head/contrib/pf/pflogd/privsep_fdpass.c 
  head/contrib/pf/tftp-proxy/filter.c     
  head/contrib/pf/tftp-proxy/filter.h     
  head/contrib/pf/tftp-proxy/tftp-proxy.8 
  head/contrib/pf/tftp-proxy/tftp-proxy.c 
  head/contrib/tcpdump/print-pflog.c      
  head/contrib/tcpdump/print-pfsync.c
  head/sbin/pfctl/Makefile
  head/sbin/pfctl/parse.y
  head/sbin/pfctl/pf.os
  head/sbin/pfctl/pf_print_state.c
  head/sbin/pfctl/pfctl.8
  head/sbin/pfctl/pfctl.c
  head/sbin/pfctl/pfctl.h
  head/sbin/pfctl/pfctl_altq.c
  head/sbin/pfctl/pfctl_optimize.c
  head/sbin/pfctl/pfctl_osfp.c
  head/sbin/pfctl/pfctl_parser.c
  head/sbin/pfctl/pfctl_parser.h
  head/sbin/pfctl/pfctl_qstats.c
  head/sbin/pfctl/pfctl_radix.c
  head/sbin/pfctl/pfctl_table.c
  head/sys/modules/pf/Makefile
  head/sys/modules/pflog/Makefile
  head/sys/modules/pfsync/Makefile
  head/sys/netpfil/pf/if_pflog.c
  head/sys/netpfil/pf/if_pfsync.c
  head/sys/netpfil/pf/in4_cksum.c
  head/sys/netpfil/pf/pf.c  
  head/sys/netpfil/pf/pf.h  
  head/sys/netpfil/pf/pf_altq.h 
  head/sys/netpfil/pf/pf_if.c   
  head/sys/netpfil/pf/pf_ioctl.c
  head/sys/netpfil/pf/pf_lb.c   
  head/sys/netpfil/pf/pf_mtag.h
  head/sys/netpfil/pf/pf_norm.c
  head/sys/netpfil/pf/pf_osfp.c
  head/sys/netpfil/pf/pf_ruleset.c
  head/sys/netpfil/pf/pf_table.c

Index: contrib/pf/authpf/authpf.8
===================================================================
--- contrib/pf/authpf/authpf.8	(revision 345223)
+++ contrib/pf/authpf/authpf.8	(working copy)
@@ -1,584 +0,0 @@
-.\" $FreeBSD$
-.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $
-.\"
-.\" Copyright (c) 1998-2007 Bob Beck (beck at openbsd.org>.  All rights reserved.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd January 29 2014
-.Dt AUTHPF 8
-.Os
-.Sh NAME
-.Nm authpf ,
-.Nm authpf-noip
-.Nd authenticating gateway user shell
-.Sh SYNOPSIS
-.Nm authpf
-.Nm authpf-noip
-.Sh DESCRIPTION
-.Nm
-is a user shell for authenticating gateways.
-It is used to change
-.Xr pf 4
-rules when a user authenticates and starts a session with
-.Xr sshd 8
-and to undo these changes when the user's session exits.
-Typical use would be for a gateway that authenticates users before
-allowing them Internet use, or a gateway that allows different users into
-different places.
-Combined with properly set up filter rules and secure switches,
-.Nm
-can be used to ensure users are held accountable for their network traffic.
-It is meant to be used with users who can connect via
-.Xr ssh 1
-only, and requires the
-.Xr pf 4
-subsystem and an
-.Xr fdescfs 5
-file system mounted at
-.Pa /dev/fd
-to be enabled.
-.Pp
-.Nm authpf-noip
-is a user shell
-which allows multiple connections to take
-place from the same IP address.
-It is useful primarily in cases where connections are tunneled via
-the gateway system, and can be directly associated with the user name.
-It cannot ensure accountability when
-classifying connections by IP address;
-in this case the client's IP address
-is not provided to the packet filter via the
-.Ar client_ip
-macro or the
-.Ar authpf_users
-table.
-Additionally, states associated with the client IP address
-are not purged when the session is ended.
-.Pp
-To use either
-.Nm
-or
-.Nm authpf-noip ,
-the user's shell needs to be set to
-.Pa /usr/sbin/authpf
-or
-.Pa /usr/sbin/authpf-noip .
-.Pp
-.Nm
-uses the
-.Xr pf.conf 5
-syntax to change filter and translation rules for an individual
-user or client IP address as long as a user maintains an active
-.Xr ssh 1
-session, and logs the successful start and end of a session to
-.Xr syslogd 8 .
-.Nm
-retrieves the client's connecting IP address via the
-.Ev SSH_CLIENT
-environment variable and, after performing additional access checks,
-reads a template file to determine what filter and translation rules
-(if any) to add, and
-maintains the list of IP addresses of connected users in the
-.Ar authpf_users
-table.
-On session exit the same rules and table entries that were added at startup
-are removed, and all states associated with the client's IP address are purged.
-.Pp
-Each
-.Nm
-process stores its rules in a separate ruleset inside a
-.Xr pf 4
-.Pa anchor
-shared by all
-.Nm
-processes.
-By default, the
-.Pa anchor
-name "authpf" is used, and the ruleset names equal the username and PID of the
-.Nm
-processes as "username(pid)".
-The following rules need to be added to the main ruleset
-.Pa /etc/pf.conf
-in order to cause evaluation of any
-.Nm
-rules:
-.Bd -literal -offset indent
-nat-anchor "authpf/*"
-rdr-anchor "authpf/*"
-binat-anchor "authpf/*"
-anchor "authpf/*"
-.Ed
-.Pp
-The "/*" at the end of the anchor name is required for
-.Xr pf 4
-to process the rulesets attached to the anchor by
-.Nm authpf .
-.Sh FILTER AND TRANSLATION RULES
-Filter and translation rules for
-.Nm
-use the same format described in
-.Xr pf.conf 5 .
-The only difference is that these rules may (and probably should) use
-the macro
-.Em user_ip ,
-which is assigned the connecting IP address whenever
-.Nm
-is run.
-Additionally, the macro
-.Em user_id
-is assigned the user name.
-.Pp
-Filter and translation rules are stored in a file called
-.Pa authpf.rules .
-This file will first be searched for in
-.Pa /etc/authpf/users/$USER/
-and then in
-.Pa /etc/authpf/ .
-Only one of these files will be used if both are present.
-.Pp
-Per-user rules from the
-.Pa /etc/authpf/users/$USER/
-directory are intended to be used when non-default rules
-are needed on an individual user basis.
-It is important to ensure that a user can not write or change
-these configuration files.
-.Pp
-The
-.Pa authpf.rules
-file must exist in one of the above locations for
-.Nm
-to run.
-.Sh CONFIGURATION
-Options are controlled by the
-.Pa /etc/authpf/authpf.conf
-file.
-If the file is empty, defaults are used for all
-configuration options.
-The file consists of pairs of the form
-.Li name=value ,
-one per line.
-Currently, the allowed values are as follows:
-.Bl -tag -width Ds
-.It anchor=name
-Use the specified
-.Pa anchor
-name instead of "authpf".
-.It table=name
-Use the specified
-.Pa table
-name instead of "authpf_users".
-.El
-.Sh USER MESSAGES
-On successful invocation,
-.Nm
-displays a message telling the user he or she has been authenticated.
-It will additionally display the contents of the file
-.Pa /etc/authpf/authpf.message
-if the file exists and is readable.
-.Pp
-There exist two methods for providing additional granularity to the control
-offered by
-.Nm
-- it is possible to set the gateway to explicitly allow users who have
-authenticated to
-.Xr ssh 1
-and deny access to only a few troublesome individuals.
-This is done by creating a file with the banned user's login name as the
-filename in
-.Pa /etc/authpf/banned/ .
-The contents of this file will be displayed to a banned user, thus providing
-a method for informing the user that they have been banned, and where they can
-go and how to get there if they want to have their service restored.
-This is the default behaviour.
-.Pp
-It is also possible to configure
-.Nm
-to only allow specific users access.
-This is done by listing their login names, one per line, in
-.Pa /etc/authpf/authpf.allow .
-A group of users can also be indicated by prepending "%" to the group name,
-and all members of a login class can be indicated by prepending "@" to the
-login class name.
-If "*" is found on a line, then all usernames match.
-If
-.Nm
-is unable to verify the user's permission to use the gateway, it will
-print a brief message and die.
-It should be noted that a ban takes precedence over an allow.
-.Pp
-On failure, messages will be logged to
-.Xr syslogd 8
-for the system administrator.
-The user does not see these, but will be told the system is unavailable due to
-technical difficulties.
-The contents of the file
-.Pa /etc/authpf/authpf.problem
-will also be displayed if the file exists and is readable.
-.Sh CONFIGURATION ISSUES
-.Nm
-maintains the changed filter rules as long as the user maintains an
-active session.
-It is important to remember however, that the existence
-of this session means the user is authenticated.
-Because of this, it is important to configure
-.Xr sshd 8
-to ensure the security of the session, and to ensure that the network
-through which users connect is secure.
-.Xr sshd 8
-should be configured to use the
-.Ar ClientAliveInterval
-and
-.Ar ClientAliveCountMax
-parameters to ensure that a ssh session is terminated quickly if
-it becomes unresponsive, or if arp or address spoofing is used to
-hijack the session.
-Note that TCP keepalives are not sufficient for
-this, since they are not secure.
-Also note that the various SSH tunnelling mechanisms,
-such as
-.Ar AllowTcpForwarding
-and
-.Ar PermitTunnel ,
-should be disabled for
-.Nm
-users to prevent them from circumventing restrictions imposed by the
-packet filter ruleset.
-.Pp
-.Nm
-will remove state table entries that were created during a user's
-session.
-This ensures that there will be no unauthenticated traffic
-allowed to pass after the controlling
-.Xr ssh 1
-session has been closed.
-.Pp
-.Nm
-is designed for gateway machines which typically do not have regular
-(non-administrative) users using the machine.
-An administrator must remember that
-.Nm
-can be used to modify the filter rules through the environment in
-which it is run, and as such could be used to modify the filter rules
-(based on the contents of the configuration files) by regular
-users.
-In the case where a machine has regular users using it, as well
-as users with
-.Nm
-as their shell, the regular users should be prevented from running
-.Nm
-by using the
-.Pa /etc/authpf/authpf.allow
-or
-.Pa /etc/authpf/banned/
-facilities.
-.Pp
-.Nm
-modifies the packet filter and address translation rules, and because
-of this it needs to be configured carefully.
-.Nm
-will not run and will exit silently if the
-.Pa /etc/authpf/authpf.conf
-file does not exist.
-After considering the effect
-.Nm
-may have on the main packet filter rules, the system administrator may
-enable
-.Nm
-by creating an appropriate
-.Pa /etc/authpf/authpf.conf
-file.
-.Sh EXAMPLES
-.Sy Control Files
-\- To illustrate the user-specific access control
-mechanisms, let us consider a typical user named bob.
-Normally, as long as bob can authenticate himself, the
-.Nm
-program will load the appropriate rules.
-Enter the
-.Pa /etc/authpf/banned/
-directory.
-If bob has somehow fallen from grace in the eyes of the
-powers-that-be, they can prohibit him from using the gateway by creating
-the file
-.Pa /etc/authpf/banned/bob
-containing a message about why he has been banned from using the network.
-Once bob has done suitable penance, his access may be restored by moving or
-removing the file
-.Pa /etc/authpf/banned/bob .
-.Pp
-Now consider a workgroup containing alice, bob, carol and dave.
-They have a
-wireless network which they would like to protect from unauthorized use.
-To accomplish this, they create the file
-.Pa /etc/authpf/authpf.allow
-which lists their login ids, group prepended with "%", or login class
-prepended with "@", one per line.
-At this point, even if eve could authenticate to
-.Xr sshd 8 ,
-she would not be allowed to use the gateway.
-Adding and removing users from
-the work group is a simple matter of maintaining a list of allowed userids.
-If bob once again manages to annoy the powers-that-be, they can ban him from
-using the gateway by creating the familiar
-.Pa /etc/authpf/banned/bob
-file.
-Though bob is listed in the allow file, he is prevented from using
-this gateway due to the existence of a ban file.
-.Pp
-.Sy Distributed Authentication
-\- It is often desirable to interface with a
-distributed password system rather than forcing the sysadmins to keep a large
-number of local password files in sync.
-The
-.Xr login.conf 5
-mechanism in
-.Ox
-can be used to fork the right shell.
-To make that happen,
-.Xr login.conf 5
-should have entries that look something like this:
-.Bd -literal -offset indent
-shell-default:shell=/bin/csh
-
-default:\e
-	...
-	:shell=/usr/sbin/authpf
-
-daemon:\e
-	...
-	:shell=/bin/csh:\e
-	:tc=default:
-
-staff:\e
-	...
-	:shell=/bin/csh:\e
-	:tc=default:
-.Ed
-.Pp
-Using a default password file, all users will get
-.Nm
-as their shell except for root who will get
-.Pa /bin/csh .
-.Pp
-.Sy SSH Configuration
-\- As stated earlier,
-.Xr sshd 8
-must be properly configured to detect and defeat network attacks.
-To that end, the following options should be added to
-.Xr sshd_config 5 :
-.Bd -literal -offset indent
-Protocol 2
-ClientAliveInterval 15
-ClientAliveCountMax 3
-.Ed
-.Pp
-This ensures that unresponsive or spoofed sessions are terminated within a
-minute, since a hijacker should not be able to spoof ssh keepalive messages.
-.Pp
-.Sy Banners
-\- Once authenticated, the user is shown the contents of
-.Pa /etc/authpf/authpf.message .
-This message may be a screen-full of the appropriate use policy, the contents
-of
-.Pa /etc/motd
-or something as simple as the following:
-.Bd -literal -offset indent
-This means you will be held accountable by the powers that be
-for traffic originating from your machine, so please play nice.
-.Ed
-.Pp
-To tell the user where to go when the system is broken,
-.Pa /etc/authpf/authpf.problem
-could contain something like this:
-.Bd -literal -offset indent
-Sorry, there appears to be some system problem. To report this
-problem so we can fix it, please phone 1-900-314-1597 or send
-an email to remove at bulkmailerz.net.
-.Ed
-.Pp
-.Sy Packet Filter Rules
-\- In areas where this gateway is used to protect a
-wireless network (a hub with several hundred ports), the default rule set as
-well as the per-user rules should probably allow very few things beyond
-encrypted protocols like
-.Xr ssh 1 ,
-.Xr ssl 8 ,
-or
-.Xr ipsec 4 .
-On a securely switched network, with plug-in jacks for visitors who are
-given authentication accounts, you might want to allow out everything.
-In this context, a secure switch is one that tries to prevent address table
-overflow attacks.
-.Pp
-Example
-.Pa /etc/pf.conf :
-.Bd -literal
-# by default we allow internal clients to talk to us using
-# ssh and use us as a dns server.
-internal_if="fxp1"
-gateway_addr="10.0.1.1"
-nat-anchor "authpf/*"
-rdr-anchor "authpf/*"
-binat-anchor "authpf/*"
-block in on $internal_if from any to any
-pass in quick on $internal_if proto tcp from any to $gateway_addr \e
-      port = ssh
-pass in quick on $internal_if proto udp from any to $gateway_addr \e
-      port = domain
-anchor "authpf/*"
-.Ed
-.Pp
-.Sy For a switched, wired net
-\- This example
-.Pa /etc/authpf/authpf.rules
-makes no real restrictions; it turns the IP address on and off, logging
-TCP connections.
-.Bd -literal
-external_if = "xl0"
-internal_if = "fxp0"
-
-pass in log quick on $internal_if proto tcp from $user_ip to any
-pass in quick on $internal_if from $user_ip to any
-.Ed
-.Pp
-.Sy For a wireless or shared net
-\- This example
-.Pa /etc/authpf/authpf.rules
-could be used for an insecure network (such as a public wireless network) where
-we might need to be a bit more restrictive.
-.Bd -literal
-internal_if="fxp1"
-ipsec_gw="10.2.3.4"
-
-# rdr ftp for proxying by ftp-proxy(8)
-rdr on $internal_if proto tcp from $user_ip to any port 21 \e
-      -> 127.0.0.1 port 8021
-
-# allow out ftp, ssh, www and https only, and allow user to negotiate
-# ipsec with the ipsec server.
-pass in log quick on $internal_if proto tcp from $user_ip to any \e
-      port { 21, 22, 80, 443 }
-pass in quick on $internal_if proto tcp from $user_ip to any \e
-      port { 21, 22, 80, 443 }
-pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
-pass in quick proto esp from $user_ip to $ipsec_gw
-.Ed
-.Pp
-.Sy Dealing with NAT
-\- The following
-.Pa /etc/authpf/authpf.rules
-shows how to deal with NAT, using tags:
-.Bd -literal
-ext_if = "fxp1"
-ext_addr = 129.128.11.10
-int_if = "fxp0"
-# nat and tag connections...
-nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
-pass in quick on $int_if from $user_ip to any
-pass out log quick on $ext_if tagged $user_ip
-.Ed
-.Pp
-With the above rules added by
-.Nm ,
-outbound connections corresponding to each users NAT'ed connections
-will be logged as in the example below, where the user may be identified
-from the ruleset name.
-.Bd -literal
-# tcpdump -n -e -ttt -i pflog0
-Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
-129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
-16384 <mss 1460,nop,nop,sackOK> (DF)
-.Ed
-.Pp
-.Sy Using the authpf_users table
-\- Simple
-.Nm
-settings can be implemented without an anchor by just using the "authpf_users"
-.Pa table .
-For example, the following
-.Xr pf.conf 5
-lines will give SMTP and IMAP access to logged in users:
-.Bd -literal
-table <authpf_users> persist
-pass in on $ext_if proto tcp from <authpf_users> \e
-        to port { smtp imap }
-.Ed
-.Pp
-It is also possible to use the "authpf_users"
-.Pa table
-in combination with anchors.
-For example,
-.Xr pf 4
-processing can be sped up by looking up the anchor
-only for packets coming from logged in users:
-.Bd -literal
-table <authpf_users> persist
-anchor "authpf/*" from <authpf_users>
-rdr-anchor "authpf/*" from <authpf_users>
-.Ed
-.Pp
-.Sy Tunneled users
-\- normally
-.Nm
-allows only one session per client IP address.
-However in some cases, such as when connections are tunneled via
-.Xr ssh 1
-or
-.Xr ipsec 4 ,
-the connections can be authorized based on the userid of the user instead of
-the client IP address.
-In this case it is appropriate to use
-.Nm authpf-noip
-to allow multiple users behind a NAT gateway to connect.
-In the
-.Pa /etc/authpf/authpf.rules
-example below, the remote user could tunnel a remote desktop session to their
-workstation:
-.Bd -literal
-internal_if="bge0"
-workstation_ip="10.2.3.4"
-
-pass out on $internal_if from (self) to $workstation_ip port 3389 \e
-       user $user_id
-.Ed
-.Sh FILES
-.Bl -tag -width "/etc/authpf/authpf.conf" -compact
-.It Pa /etc/authpf/authpf.conf
-.It Pa /etc/authpf/authpf.allow
-.It Pa /etc/authpf/authpf.rules
-.It Pa /etc/authpf/authpf.message
-.It Pa /etc/authpf/authpf.problem
-.El
-.Sh SEE ALSO
-.Xr pf 4 ,
-.Xr fdescfs 5 ,
-.Xr pf.conf 5 ,
-.Xr securelevel 7 ,
-.Xr ftp-proxy 8
-.Sh HISTORY
-The
-.Nm
-program first appeared in
-.Ox 3.1 .
-.Sh BUGS
-Configuration issues are tricky.
-The authenticating
-.Xr ssh 1
-connection may be secured, but if the network is not secured the user may
-expose insecure protocols to attackers on the same network, or enable other
-attackers on the network to pretend to be the user by spoofing their IP
-address.
-.Pp
-.Nm
-is not designed to prevent users from denying service to other users.
Index: contrib/pf/authpf/pathnames.h
===================================================================
--- contrib/pf/authpf/pathnames.h	(revision 345223)
+++ contrib/pf/authpf/pathnames.h	(working copy)
@@ -1,39 +0,0 @@
-/*	$OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $	*/
-
-/*
- * Copyright (C) 2002 Chris Kuethe (ckuethe at ualberta.ca)
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define PATH_CONFFILE		"/etc/authpf/authpf.conf"
-#define PATH_ALLOWFILE		"/etc/authpf/authpf.allow"
-#define PATH_PFRULES		"/etc/authpf/authpf.rules"
-#define PATH_PROBLEM		"/etc/authpf/authpf.problem"
-#define PATH_MESSAGE		"/etc/authpf/authpf.message"
-#define PATH_USER_DIR		"/etc/authpf/users"
-#define PATH_BAN_DIR		"/etc/authpf/banned"
-#define PATH_DEVFILE		"/dev/pf"
-#define PATH_PIDFILE		"/var/authpf"
-#define PATH_AUTHPF_SHELL	"/usr/sbin/authpf"
-#define PATH_AUTHPF_SHELL_NOIP	"/usr/sbin/authpf-noip"
-#define PATH_PFCTL		"/sbin/pfctl"
Index: contrib/pf/ftp-proxy/filter.c
===================================================================
--- contrib/pf/ftp-proxy/filter.c	(revision 345223)
+++ contrib/pf/ftp-proxy/filter.c	(working copy)
@@ -1,393 +0,0 @@
-/*	$OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd at sentia.nl>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/ioctl.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <net/if.h>
-#include <net/pfvar.h>
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-#include <arpa/inet.h>
-
-#include <err.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "filter.h"
-
-/* From netinet/in.h, but only _KERNEL_ gets them. */
-#define satosin(sa)	((struct sockaddr_in *)(sa))
-#define satosin6(sa)	((struct sockaddr_in6 *)(sa))
-
-enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
-
-int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
-    u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-    struct sockaddr_in *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-    struct sockaddr_in6 *);
-
-static struct pfioc_pooladdr	pfp;
-static struct pfioc_rule	pfr;
-static struct pfioc_trans	pft;
-static struct pfioc_trans_e	pfte[TRANS_SIZE];
-static int dev, rule_log;
-static const char *qname, *tagname;
-
-int
-add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
-    struct sockaddr *dst, u_int16_t d_port)
-{
-	if (!src || !dst || !d_port) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
-		return (-1);
-
-	pfr.rule.direction = dir;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
-    u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low,
-    u_int16_t nat_range_high)
-{
-	if (!src || !dst || !d_port || !nat || !nat_range_low ||
-	    (src->sa_family != nat->sa_family)) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port) == -1)
-		return (-1);
-
-	if (nat->sa_family == AF_INET) {
-		memcpy(&pfp.addr.addr.v.a.addr.v4,
-		    &satosin(nat)->sin_addr.s_addr, 4);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfp.addr.addr.v.a.addr.v6,
-		    &satosin6(nat)->sin6_addr.s6_addr, 16);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
-	}
-	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
-		return (-1);
-
-	pfr.rule.rpool.proxy_port[0] = nat_range_low;
-	pfr.rule.rpool.proxy_port[1] = nat_range_high;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
-    u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
-{
-	if (!src || !dst || !d_port || !rdr || !rdr_port ||
-	    (src->sa_family != rdr->sa_family)) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1)
-		return (-1);
-
-	if (rdr->sa_family == AF_INET) {
-		memcpy(&pfp.addr.addr.v.a.addr.v4,
-		    &satosin(rdr)->sin_addr.s_addr, 4);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfp.addr.addr.v.a.addr.v6,
-		    &satosin6(rdr)->sin6_addr.s6_addr, 16);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
-	}
-	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
-		return (-1);
-
-	pfr.rule.rpool.proxy_port[0] = rdr_port;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-do_commit(void)
-{
-	if (ioctl(dev, DIOCXCOMMIT, &pft) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-do_rollback(void)
-{
-	if (ioctl(dev, DIOCXROLLBACK, &pft) == -1)
-		return (-1);
-	
-	return (0);
-}
-
-void
-init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose)
-{
-	struct pf_status status;
-
-	qname = opt_qname;
-	tagname = opt_tagname;
-
-	if (opt_verbose == 1)
-		rule_log = PF_LOG;
-	else if (opt_verbose == 2)
-		rule_log = PF_LOG_ALL;
-
-	dev = open("/dev/pf", O_RDWR);	
-	if (dev == -1)
-		err(1, "open /dev/pf");
-	if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
-		err(1, "DIOCGETSTATUS");
-	if (!status.running)
-		errx(1, "pf is disabled");
-}
-
-int
-prepare_commit(u_int32_t id)
-{
-	char an[PF_ANCHOR_NAME_SIZE];
-	int i;
-
-	memset(&pft, 0, sizeof pft);
-	pft.size = TRANS_SIZE;
-	pft.esize = sizeof pfte[0];
-	pft.array = pfte;
-
-	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
-	    getpid(), id);
-	for (i = 0; i < TRANS_SIZE; i++) {
-		memset(&pfte[i], 0, sizeof pfte[0]);
-		strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE);
-		switch (i) {
-		case TRANS_FILTER:
-			pfte[i].rs_num = PF_RULESET_FILTER;
-			break;
-		case TRANS_NAT:
-			pfte[i].rs_num = PF_RULESET_NAT;
-			break;
-		case TRANS_RDR:
-			pfte[i].rs_num = PF_RULESET_RDR;
-			break;
-		default:
-			errno = EINVAL;
-			return (-1);
-		}
-	}
-
-	if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
-		return (-1);
-
-	return (0);
-}
-	
-int
-prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
-    struct sockaddr *dst, u_int16_t d_port)
-{
-	char an[PF_ANCHOR_NAME_SIZE];
-
-	if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
-	    (src->sa_family != dst->sa_family)) {
-	    	errno = EPROTONOSUPPORT;
-		return (-1);
-	}
-
-	memset(&pfp, 0, sizeof pfp);
-	memset(&pfr, 0, sizeof pfr);
-	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
-	    getpid(), id);
-	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
-	strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
-
-	switch (rs_num) {
-	case PF_RULESET_FILTER:
-		pfr.ticket = pfte[TRANS_FILTER].ticket;
-		break;
-	case PF_RULESET_NAT:
-		pfr.ticket = pfte[TRANS_NAT].ticket;
-		break;
-	case PF_RULESET_RDR:
-		pfr.ticket = pfte[TRANS_RDR].ticket;
-		break;
-	default:
-		errno = EINVAL;
-		return (-1);
-	}
-	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
-		return (-1);
-	pfr.pool_ticket = pfp.ticket;
-
-	/* Generic for all rule types. */
-	pfr.rule.af = src->sa_family;
-	pfr.rule.proto = IPPROTO_TCP;
-	pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
-	pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
-	if (src->sa_family == AF_INET) {
-		memcpy(&pfr.rule.src.addr.v.a.addr.v4,
-		    &satosin(src)->sin_addr.s_addr, 4);
-		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
-		memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
-		    &satosin(dst)->sin_addr.s_addr, 4);
-		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfr.rule.src.addr.v.a.addr.v6,
-		    &satosin6(src)->sin6_addr.s6_addr, 16);
-		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
-		memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
-		    &satosin6(dst)->sin6_addr.s6_addr, 16);
-		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
-	}
-	pfr.rule.dst.port_op = PF_OP_EQ;
-	pfr.rule.dst.port[0] = htons(d_port);
-
-	switch (rs_num) {
-	case PF_RULESET_FILTER:
-		/*
-		 * pass [quick] [log] inet[6] proto tcp \
-		 *     from $src to $dst port = $d_port flags S/SA keep state
-		 *     (max 1) [queue qname] [tag tagname]
-		 */
-		pfr.rule.action = PF_PASS;
-		pfr.rule.quick = 1;
-		pfr.rule.log = rule_log;
-		pfr.rule.keep_state = 1;
-		pfr.rule.flags = TH_SYN;
-		pfr.rule.flagset = (TH_SYN|TH_ACK);
-		pfr.rule.max_states = 1;
-		if (qname != NULL)
-			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
-		if (tagname != NULL) {
-			pfr.rule.quick = 0;
-			strlcpy(pfr.rule.tagname, tagname,
-                                sizeof pfr.rule.tagname);
-		}
-		break;
-	case PF_RULESET_NAT:
-		/*
-		 * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
-		 */
-		pfr.rule.action = PF_NAT;
-		break;
-	case PF_RULESET_RDR:
-		/*
-		 * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
-		 */
-		pfr.rule.action = PF_RDR;
-		break;
-	default:
-		errno = EINVAL;
-		return (-1);
-	}
-
-	return (0);
-}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-    struct sockaddr *server)
-{
-	if (client->sa_family == AF_INET)
-		return (server_lookup4(satosin(client), satosin(proxy),
-		    satosin(server)));
-	
-	if (client->sa_family == AF_INET6)
-		return (server_lookup6(satosin6(client), satosin6(proxy),
-		    satosin6(server)));
-
-	errno = EPROTONOSUPPORT;
-	return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-    struct sockaddr_in *server)
-{
-	struct pfioc_natlook pnl;
-
-	memset(&pnl, 0, sizeof pnl);
-	pnl.direction = PF_OUT;
-	pnl.af = AF_INET;
-	pnl.proto = IPPROTO_TCP;
-	memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
-	memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
-	pnl.sport = client->sin_port;
-	pnl.dport = proxy->sin_port;
-	
-	if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
-		return (-1);
-
-	memset(server, 0, sizeof(struct sockaddr_in));
-	server->sin_len = sizeof(struct sockaddr_in);
-	server->sin_family = AF_INET;
-	memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
-	    sizeof server->sin_addr.s_addr);
-	server->sin_port = pnl.rdport;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

