PERFORCE change 76467 for review

Robert Watson rwatson at FreeBSD.org
Tue May 3 22:42:01 GMT 2005


http://perforce.freebsd.org/chv.cgi?CH=76467

Change 76467 by rwatson at rwatson_tislabs on 2005/05/03 22:41:13

	Integrated TrustedBSD MAC branch:
	
	pf update
	ipfilter update
	powerd
	ipi spin lock amd64 fix 
	kdb stop nmi
	yet more ata
	much vfs locking
	ksem.h
	uma critical sections

Affected files ...

.. //depot/projects/trustedbsd/mac/Makefile.inc1#55 integrate
.. //depot/projects/trustedbsd/mac/UPDATING#46 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/ps.1#24 integrate
.. //depot/projects/trustedbsd/mac/contrib/bsnmp/snmpd/main.c#7 integrate
.. //depot/projects/trustedbsd/mac/contrib/ipfilter/lib/printstate.c#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/ipfilter/tools/ippool.c#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/authpf/authpf.8#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/authpf/authpf.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/authpf/pathnames.h#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/ftp-proxy/ftp-proxy.8#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/ftp-proxy/ftp-proxy.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/ftp-proxy/getline.c#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/ftp-proxy/util.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/ftp-proxy/util.h#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/man/pf.4#5 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/man/pf.conf.5#5 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/man/pf.os.5#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/man/pflog.4#4 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/man/pfsync.4#5 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/parse.y#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pf_print_state.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl.8#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl.h#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_altq.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_optimize.c#1 branch
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_osfp.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_parser.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_parser.h#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_qstats.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_radix.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pfctl/pfctl_table.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pflogd/pflogd.8#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pflogd/pflogd.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pflogd/pidfile.c#3 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pflogd/privsep.c#2 integrate
.. //depot/projects/trustedbsd/mac/contrib/pf/pflogd/privsep_fdpass.c#2 integrate
.. //depot/projects/trustedbsd/mac/etc/Makefile#43 integrate
.. //depot/projects/trustedbsd/mac/etc/rc#28 integrate
.. //depot/projects/trustedbsd/mac/etc/rc.d/Makefile#25 integrate
.. //depot/projects/trustedbsd/mac/etc/rc.d/initdiskless#17 delete
.. //depot/projects/trustedbsd/mac/etc/rc.d/jail#9 integrate
.. //depot/projects/trustedbsd/mac/etc/rc.d/preseedrandom#3 delete
.. //depot/projects/trustedbsd/mac/etc/rc.d/rcconf.sh#4 integrate
.. //depot/projects/trustedbsd/mac/etc/rc.initdiskless#2 integrate
.. //depot/projects/trustedbsd/mac/games/caesar/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/games/caesar/caesar.c#4 integrate
.. //depot/projects/trustedbsd/mac/games/pom/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/games/pom/pom.c#4 integrate
.. //depot/projects/trustedbsd/mac/gnu/lib/libobjc/Makefile#9 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/gen/getbootfile.c#4 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/gen/getgrouplist.c#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getaddrinfo.3#9 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getaddrinfo.c#18 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/gethostbydns.c#14 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/gethostbyht.c#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/gethostbyname.3#9 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/gethostbynis.c#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/gethostnamadr.c#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getipnodebyname.3#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnameinfo.3#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnameinfo.c#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnetbydns.c#8 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnetbyht.c#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnetbynis.c#4 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnetent.3#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getnetnamadr.c#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getprotoent.c#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/getservent.c#9 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/map_v4v6.c#4 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/name6.c#17 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/netdb_private.h#4 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/yp/yplib.c#9 integrate
.. //depot/projects/trustedbsd/mac/lib/libpmc/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/lib/libpmc/libpmc.c#2 integrate
.. //depot/projects/trustedbsd/mac/lib/libpmc/pmc.3#2 integrate
.. //depot/projects/trustedbsd/mac/lib/libpmc/pmc.h#2 integrate
.. //depot/projects/trustedbsd/mac/lib/libthr/Makefile#8 integrate
.. //depot/projects/trustedbsd/mac/lib/libthr/arch/i386/i386/pthread_md.c#3 integrate
.. //depot/projects/trustedbsd/mac/lib/libthr/arch/i386/include/pthread_md.h#2 integrate
.. //depot/projects/trustedbsd/mac/lib/libthr/support/Makefile.inc#1 branch
.. //depot/projects/trustedbsd/mac/lib/libthr/thread/thr_create.c#8 integrate
.. //depot/projects/trustedbsd/mac/lib/msun/src/s_ceill.c#3 integrate
.. //depot/projects/trustedbsd/mac/lib/msun/src/s_floorl.c#3 integrate
.. //depot/projects/trustedbsd/mac/lib/msun/src/s_truncl.c#3 integrate
.. //depot/projects/trustedbsd/mac/release/Makefile#61 integrate
.. //depot/projects/trustedbsd/mac/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#77 integrate
.. //depot/projects/trustedbsd/mac/release/doc/zh_CN.GB2312/relnotes/common/new.sgml#4 integrate
.. //depot/projects/trustedbsd/mac/release/scripts/package-split.py#3 integrate
.. //depot/projects/trustedbsd/mac/release/scripts/package-trees.sh#2 integrate
.. //depot/projects/trustedbsd/mac/rescue/rescue/Makefile#12 integrate
.. //depot/projects/trustedbsd/mac/sbin/atm/atm/atm.h#4 integrate
.. //depot/projects/trustedbsd/mac/sbin/atm/atmconfig/atmconfig_device.h#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/atm/ilmid/ilmid.c#11 integrate
.. //depot/projects/trustedbsd/mac/sbin/dump/traverse.c#16 integrate
.. //depot/projects/trustedbsd/mac/sbin/fdisk/fdisk.c#20 integrate
.. //depot/projects/trustedbsd/mac/sbin/fdisk_pc98/Makefile#5 integrate
.. //depot/projects/trustedbsd/mac/sbin/fdisk_pc98/fdisk.c#11 integrate
.. //depot/projects/trustedbsd/mac/sbin/geom/core/geom.c#4 integrate
.. //depot/projects/trustedbsd/mac/sbin/ggate/shared/ggate.h#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ifconfig/ifpfsync.c#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipf/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipftest/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipmon/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipnat/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ippool/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipresend/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/ipsend/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipf/libipf/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/sbin/natd/natd.c#11 integrate
.. //depot/projects/trustedbsd/mac/sbin/pfctl/Makefile#3 integrate
.. //depot/projects/trustedbsd/mac/share/man/man4/ath.4#12 integrate
.. //depot/projects/trustedbsd/mac/share/man/man4/hwpmc.4#2 integrate
.. //depot/projects/trustedbsd/mac/share/man/man5/rc.conf.5#39 integrate
.. //depot/projects/trustedbsd/mac/share/man/man9/taskqueue.9#11 integrate
.. //depot/projects/trustedbsd/mac/share/mk/sys.mk#19 integrate
.. //depot/projects/trustedbsd/mac/sys/amd64/amd64/mp_machdep.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/amd64/amd64/trap.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/amd64/conf/NOTES#6 integrate
.. //depot/projects/trustedbsd/mac/sys/amd64/include/smp.h#6 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/NOTES#61 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/files#114 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/files.amd64#16 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/files.i386#45 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/files.pc98#38 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/kern.post.mk#36 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/options#72 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/options.amd64#9 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/options.i386#25 integrate
.. //depot/projects/trustedbsd/mac/sys/conf/options.pc98#26 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/ipfilter/netinet/ip_compat.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/ipfilter/netinet/ip_frag.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/if_pflog.c#5 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/if_pflog.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/if_pfsync.c#5 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/if_pfsync.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf.c#10 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_if.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_ioctl.c#6 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_norm.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_osfp.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_subr.c#2 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf_table.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pfvar.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/aac/aac_disk.c#18 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/arcmsr/arcmsr.c#2 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/asr/asr.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-all.c#38 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-all.h#23 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-card.c#23 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-cbus.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-chipset.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-disk.c#30 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-dma.c#31 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-isa.c#18 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-lowlevel.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-pci.c#33 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-pci.h#16 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-queue.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-raid.c#25 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata-raid.h#18 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/ata_if.m#2 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/atapi-cam.c#18 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/atapi-cd.c#30 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/atapi-fd.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ata/atapi-tape.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/ciss/ciss.c#25 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/hwpmc/hwpmc_amd.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/hwpmc/hwpmc_intel.c#2 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/hwpmc/hwpmc_mod.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/hwpmc/hwpmc_piv.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/hwpmc/hwpmc_ppro.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/pci/pci.c#35 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/pci/pci_pci.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/pci/pcireg.h#8 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/pci/pcivar.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/twa/tw_osl_cam.c#2 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vfsops.c#25 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#56 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#33 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/unionfs/union_vnops.c#23 integrate
.. //depot/projects/trustedbsd/mac/sys/geom/geom_pc98_enc.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/geom/vinum/geom_vinum_init.c#3 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/conf/NOTES#53 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/conf/PAE#9 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/i386/mp_machdep.c#36 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/i386/trap.c#34 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/include/pmc_mdep.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/i386/include/smp.h#14 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/imgact_aout.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/imgact_elf.c#35 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_descrip.c#57 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#77 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/subr_devstat.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/subr_kdb.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/subr_smp.c#21 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/subr_taskqueue.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_sem.c#25 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_aio.c#41 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_bio.c#44 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_cluster.c#28 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_default.c#33 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_mount.c#37 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#73 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#26 integrate
.. //depot/projects/trustedbsd/mac/sys/nfsclient/nfs_vfsops.c#38 integrate
.. //depot/projects/trustedbsd/mac/sys/pc98/conf/NOTES#20 integrate
.. //depot/projects/trustedbsd/mac/sys/posix4/ksem.h#6 integrate
.. //depot/projects/trustedbsd/mac/sys/powerpc/conf/GENERIC#25 integrate
.. //depot/projects/trustedbsd/mac/sys/powerpc/powermac/ata_kauai.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/powerpc/powermac/ata_macio.c#15 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/diskpc98.h#8 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/param.h#39 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/pmc.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/ptrace.h#7 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/smp.h#10 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/taskqueue.h#7 integrate
.. //depot/projects/trustedbsd/mac/sys/ufs/ffs/ffs_rawread.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/ufs/ffs/ffs_softdep.c#29 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/swap_pager.c#33 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/uma_core.c#32 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/uma_int.h#16 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/vm_fault.c#30 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/vm_map.c#39 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/vm_object.c#44 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/vm_object.h#21 integrate
.. //depot/projects/trustedbsd/mac/sys/vm/vnode_pager.c#35 integrate
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/README#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/all.sh#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/libtest.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t0/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/libtest.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t1/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/libtest.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/archives/t2/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t0/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t0/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t0/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t0/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t1/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t1/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t1/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t1/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t2/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t2/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t2/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t2/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t3/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t3/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t3/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/basic/t3/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/common.sh#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/TEST1.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t0/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/TEST1.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/TEST2.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t1/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/TEST1.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/TEST2.a#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/suffixes/t2/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t0/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t0/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t0/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t0/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t1/expected.status#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t1/expected.stderr#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t1/expected.stdout#1 branch
.. //depot/projects/trustedbsd/mac/tools/regression/usr.bin/make/variables/t1/test.t#1 branch
.. //depot/projects/trustedbsd/mac/tools/tools/tinderbox/etc/default.rc#4 integrate
.. //depot/projects/trustedbsd/mac/tools/tools/tinderbox/tinderbox.pl#11 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/Makefile#33 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/brandelf/brandelf.c#5 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/compress/zopen.c#6 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/id/id.1#6 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/id/id.c#10 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/Makefile#13 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/cond.c#12 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/directive_hash.c#2 delete
.. //depot/projects/trustedbsd/mac/usr.bin/make/directive_hash.h#2 delete
.. //depot/projects/trustedbsd/mac/usr.bin/make/globals.h#3 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/hash_tables.c#1 branch
.. //depot/projects/trustedbsd/mac/usr.bin/make/hash_tables.h#1 branch
.. //depot/projects/trustedbsd/mac/usr.bin/make/main.c#25 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/make.h#8 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/nonints.h#11 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/make/parse.c#19 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/mkuzip/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/mkuzip/mkuzip.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/rs/rs.c#6 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/systat/pigs.c#6 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/adduser/adduser.sh#9 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/authpf/Makefile#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/burncd/burncd.8#17 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/faithd/ftp.c#6 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/jail/jail.8#19 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/pmccontrol/pmccontrol.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/pmcstat/pmcstat.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/ppp/ppp.8.m4#20 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/rpc.yppasswdd/yppasswdd_main.c#7 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/sysinstall/dist.c#24 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/sysinstall/menus.c#36 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/ypserv/Makefile.yp#5 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/ypserv/yp_dnslookup.c#6 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/ypserv/yp_extern.h#3 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/ypserv/yp_server.c#5 integrate

Differences ...

==== //depot/projects/trustedbsd/mac/Makefile.inc1#55 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $FreeBSD: src/Makefile.inc1,v 1.492 2005/04/06 01:55:43 peter Exp $
+# $FreeBSD: src/Makefile.inc1,v 1.494 2005/05/01 17:36:09 imp Exp $
 #
 # Make command line options:
 #	-DNO_DYNAMICROOT do not link /bin and /sbin dynamically

==== //depot/projects/trustedbsd/mac/UPDATING#46 (text+ko) ====

@@ -21,6 +21,11 @@
 	developers choose to disable these features on build machines
 	to maximize performance.
 
+20050503:
+	The packet filter (pf) code has been updated to OpenBSD 3.7
+	Please note the changed anchor syntax and the fact that
+	authpf(8) now needs a mounted fdescfs(5) to function.
+
 20050415:
 	The NO_MIXED_MODE kernel option has been removed from the i386
 	amd64 platforms as its use has been superceded by the new local
@@ -331,4 +336,4 @@
 Contact Warner Losh if you have any questions about your use of
 this document.
 
-$FreeBSD: src/UPDATING,v 1.401 2005/04/18 14:33:18 scottl Exp $
+$FreeBSD: src/UPDATING,v 1.402 2005/05/03 17:43:13 mlaier Exp $

==== //depot/projects/trustedbsd/mac/bin/ps/ps.1#24 (text+ko) ====

@@ -27,7 +27,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)ps.1	8.3 (Berkeley) 4/18/94
-.\" $FreeBSD: src/bin/ps/ps.1,v 1.85 2005/03/20 10:40:36 pjd Exp $
+.\" $FreeBSD: src/bin/ps/ps.1,v 1.86 2005/04/29 11:10:27 maxim Exp $
 .\"
 .Dd March 20, 2005
 .Dt PS 1
@@ -103,7 +103,7 @@
 .Bl -tag -width indent
 .It Fl a
 Display information about other users' processes as well as your own.
-This will skip any processes which do not have a controlling teminal,
+This will skip any processes which do not have a controlling terminal,
 unless the
 .Fl x
 option is also specified.

==== //depot/projects/trustedbsd/mac/contrib/bsnmp/snmpd/main.c#7 (text+ko) ====

@@ -1634,9 +1634,7 @@
 timer_start(u_int ticks, void (*func)(void *), void *udata, struct lmodule *mod)
 {
 	struct timer *tp;
-#ifdef USE_LIBBEGEMOT
-	struct timeval due;
-#else
+#ifndef USE_LIBBEGEMOT
 	struct timespec due;
 #endif
 
@@ -1644,15 +1642,8 @@
 		syslog(LOG_CRIT, "out of memory for timer");
 		exit(1);
 	}
-#ifdef USE_LIBBEGEMOT
-	(void)gettimeofday(&due, NULL);
-	due.tv_sec += ticks / 100;
-	due.tv_usec += (ticks % 100) * 10000;
-	if (due.tv_usec >= 1000000) {
-		due.tv_sec++;
-		due.tv_usec -= 1000000;
-	}
-#else
+
+#ifndef USE_LIBBEGEMOT
 	due = evAddTime(evNowTime(),
 	    evConsTime(ticks / 100, (ticks % 100) * 10000));
 #endif
@@ -1664,8 +1655,7 @@
 	LIST_INSERT_HEAD(&timer_list, tp, link);
 
 #ifdef USE_LIBBEGEMOT
-	if ((tp->id = poll_start_timer(due.tv_sec * 1000 + due.tv_usec / 1000,
-	    0, tfunc, tp)) < 0) {
+	if ((tp->id = poll_start_timer(ticks * 10, 0, tfunc, tp)) < 0) {
 		syslog(LOG_ERR, "cannot set timer: %m");
 		exit(1);
 	}
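Review bot: The new `poll_start_timer(ticks * 10, 0, tfunc, tp)` call multiplies in `u_int` (the type of `ticks` in the `timer_start` signature shown in the first hunk), so the product wraps silently once `ticks` exceeds `UINT_MAX / 10` and the timer would then fire far earlier than requested. Whether any caller passes an interval that large is not visible here, but a guard before the call, such as `if (ticks > UINT_MAX / 10) ticks = UINT_MAX / 10;`, would make the limit explicit. The unit conversion also deserves a comment, e.g. `/* ticks are 1/100 s; poll_start_timer() takes milliseconds */`, which is inferred from the `ticks / 100` in the context lines and should be confirmed against the libbegemot prototype. `timer_start` begins before this hunk and continues after it.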

==== //depot/projects/trustedbsd/mac/contrib/ipfilter/lib/printstate.c#2 (text+ko) ====

@@ -1,4 +1,4 @@
-/*	$FreeBSD: src/contrib/ipfilter/lib/printstate.c,v 1.2 2005/04/25 18:20:12 darrenr Exp $	*/
+/*	$FreeBSD: src/contrib/ipfilter/lib/printstate.c,v 1.3 2005/04/28 21:36:30 darrenr Exp $	*/
 
 /*
  * Copyright (C) 2002 by Darren Reed.
@@ -64,7 +64,7 @@
 			ips.is_icmp.ici_seq, ips.is_icmp.ici_type);
 
 #ifdef        USE_QUAD_T
-	PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n",
+	PRINTF("\tforward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n\tbackward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n",
 		ips.is_pkts[0], ips.is_bytes[0],
 		ips.is_pkts[1], ips.is_bytes[1],
 		ips.is_pkts[2], ips.is_bytes[2],
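Review bot: The new `%lld` conversions in the `PRINTF` format require `long long` arguments, but `ips.is_pkts[]` and `ips.is_bytes[]` are passed uncast and their declared type is not visible in this hunk. If they are unsigned 64-bit counters whose typedef is not `long long` on every supported platform, the call is a format/argument mismatch. Casting at the call site, e.g. `(unsigned long long)ips.is_pkts[0]` paired with `%llu`, keeps the call well-defined whatever the underlying typedef is. The argument list continues past the end of the hunk, so the remaining arguments would need the same treatment.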

==== //depot/projects/trustedbsd/mac/contrib/ipfilter/tools/ippool.c#2 (text+ko) ====

@@ -1,4 +1,4 @@
-/*	$FreeBSD: src/contrib/ipfilter/tools/ippool.c,v 1.2 2005/04/25 18:20:15 darrenr Exp $	*/
+/*	$FreeBSD: src/contrib/ipfilter/tools/ippool.c,v 1.3 2005/04/28 16:26:33 darrenr Exp $	*/
 
 /*
  * Copyright (C) 2003 by Darren Reed.
@@ -639,7 +639,7 @@
 		}
 
 	}
-	printf("%u object%s flushed\n", flush.iplf_count,
+	printf("%zd object%s flushed\n", flush.iplf_count,
 	       (flush.iplf_count == 1) ? "" : "s");
 
 	return 0;
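Review bot: `%zd` is the conversion for the signed counterpart of `size_t`, so the changed `printf` line is correct only if `flush.iplf_count` has that type, and its declaration is not visible in this hunk. If the field is a `size_t`, the matching conversion is `%zu`: `printf("%zu object%s flushed\n", flush.iplf_count,`. If it is some other integer type, an explicit cast to the type the conversion expects would avoid the mismatch. The enclosing function begins before the hunk.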

==== //depot/projects/trustedbsd/mac/contrib/pf/authpf/authpf.8#3 (text+ko) ====

@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Bob Beck (beck at openbsd.org>.  All rights reserved.
 .\"
@@ -60,6 +60,10 @@
 requires that the
 .Xr pf 4
 system be enabled before use.
+.Nm
+can also maintain the list of IP address of connected users
+in the "authpf_users"
+.Pa table .
 .Pp
 .Nm
 is meant to be used with users who can connect via
@@ -93,11 +97,16 @@
 .Nm
 rules:
 .Bd -literal -offset indent
-nat-anchor authpf
-rdr-anchor authpf
-binat-anchor authpf
-anchor authpf
+nat-anchor "authpf/*"
+rdr-anchor "authpf/*"
+binat-anchor "authpf/*"
+anchor "authpf/*"
 .Ed
+.Pp
+The "/*" at the end of the anchor name is required for
+.Xr pf 4
+to process the rulesets attached to the anchor by
+.Nm authpf .
 .Sh FILTER AND TRANSLATION RULES
 Filter and translation rules for
 .Nm
@@ -113,10 +122,14 @@
 .Em user_id
 is assigned the user name.
 .Pp
-Filter and nat rules will first be searched for in
+Filter and translation rules are stored in a file called
+.Pa authpf.rules .
+This file will first be searched for in
 .Pa /etc/authpf/users/$USER/
 and then in
 .Pa /etc/authpf/ .
+Only one of these files will be used if both are present.
+.Pp
 Per-user rules from the
 .Pa /etc/authpf/users/$USER/
 directory are intended to be used when non-default rules
@@ -124,21 +137,11 @@
 It is important to ensure that a user can not write or change
 these configuration files.
 .Pp
-Filter and translation rules are loaded from the file
-.Pa /etc/authpf/users/$USER/authpf.rules .
-If this file does not exist the file
-.Pa /etc/authpf/authpf.rules
-is used.
 The
 .Pa authpf.rules
 file must exist in one of the above locations for
 .Nm
 to run.
-.Pp
-Translation rules are also loaded from this file.
-The use of translation rules in an
-.Pa authpf.rules
-file is optional.
 .Sh CONFIGURATION
 Options are controlled by the
 .Pa /etc/authpf/authpf.conf
@@ -154,6 +157,10 @@
 Use the specified
 .Pa anchor
 name instead of "authpf".
+.It table=name
+Use the specified
+.Pa table
+name instead of "authpf_users".
 .El
 .Sh USER MESSAGES
 On successful invocation,
@@ -218,9 +225,15 @@
 hijack the session.
 Note that TCP keepalives are not sufficient for
 this, since they are not secure.
+Also note that
+.Ar AllowTcpForwarding
+should be disabled for
+.Nm
+users to prevent them from circumventing restrictions imposed by the
+packet filter ruleset.
 .Pp
 .Nm
-will remove statetable entries that were created during a user's
+will remove state table entries that were created during a user's
 session.
 This ensures that there will be no unauthenticated traffic
 allowed to pass after the controlling
@@ -391,15 +404,15 @@
 # ssh and use us as a dns server.
 internal_if="fxp1"
 gateway_addr="10.0.1.1"
-nat-anchor authpf
-rdr-anchor authpf
-binat-anchor authpf
+nat-anchor "authpf/*"
+rdr-anchor "authpf/*"
+binat-anchor "authpf/*"
 block in on $internal_if from any to any
 pass in quick on $internal_if proto tcp from any to $gateway_addr \e
       port = ssh
 pass in quick on $internal_if proto udp from any to $gateway_addr \e
       port = domain
-anchor authpf
+anchor "authpf/*"
 .Ed
 .Pp
 .Sy For a switched, wired net
@@ -465,6 +478,33 @@
 129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
 16384 <mss 1460,nop,nop,sackOK> (DF)
 .Ed
+.Pp
+.Sy Using the authpf_users table
+\- Simple
+.Nm
+settings can be implemented without an anchor by just using the "authpf_users"
+.Pa table .
+For example, the following
+.Xr pf.conf 5
+lines will give SMTP and IMAP access to logged in users:
+.Bd -literal
+table <authpf_users> persist
+pass in on $ext_if proto tcp from <authpf_users> \e
+        to port { smtp imap } keep state
+.Ed
+.Pp
+It is also possible to use the "authpf_users"
+.Pa table
+in combination with anchors.
+For example,
+.Xr pf 4
+processing can be sped up by looking up the anchor
+only for packets coming from logged in users:
+.Bd -literal
+table <authpf_users> persist
+anchor "authpf/*" from <authpf_users>
+rdr-anchor "authpf/*" from <authpf_users>
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
 .It Pa /etc/authpf/authpf.conf

==== //depot/projects/trustedbsd/mac/contrib/pf/authpf/authpf.c#3 (text+ko) ====

@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.75 2004/01/29 01:55:10 deraadt Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.89 2005/02/10 04:24:15 joel Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2002 Bob Beck (beck at openbsd.org).
@@ -26,13 +26,15 @@
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.5 2004/06/16 23:39:30 mlaier Exp $");
+__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.6 2005/05/03 16:55:19 mlaier Exp $");
 
 #include <sys/param.h>
 #include <sys/file.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #include <sys/time.h>
+#include <sys/wait.h>
 
 #include <net/if.h>
 #include <net/pfvar.h>
@@ -40,6 +42,7 @@
 
 #include <err.h>
 #include <errno.h>
+#include <login_cap.h>
 #include <pwd.h>
 #include <signal.h>
 #include <stdio.h>
@@ -48,9 +51,6 @@
 #include <syslog.h>
 #include <unistd.h>
 
-#include <pfctl_parser.h>
-#include <pfctl.h>
-
 #include "pathnames.h"
 
 extern int	symset(const char *, const char *, int);
@@ -61,11 +61,13 @@
 static int	check_luser(char *, char *);
 static int	remove_stale_rulesets(void);
 static int	change_filter(int, const char *, const char *);
+static int	change_table(int, const char *, const char *);
 static void	authpf_kill_states(void);
 
 int	dev;			/* pf device */
 char	anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
-char	rulesetname[PF_RULESET_NAME_SIZE];
+char	rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
+char	tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
 
 FILE	*pidfp;
 char	*infile;		/* file name printed by yyerror() in parse.y */
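Review bot: The new bound `MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2` on `rulesetname` is unexplained at the declaration. It presumably leaves room for the combined `anchorname/rulesetname` path that this change builds elsewhere with `"%s/%s"`. A comment such as `/* "anchorname/rulesetname" must fit in a MAXPATHLEN anchor path */` would tie the arithmetic to its use and stop a later edit from breaking the bound unnoticed.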
@@ -94,10 +96,12 @@
 {
 	int		 lockcnt = 0, n, pidfd;
 	FILE		*config;
-	struct in_addr	 ina;
+	struct in6_addr	 ina;
 	struct passwd	*pw;
 	char		*cp;
 	uid_t		 uid;
+	char		*shell;
+	login_cap_t	*lc;
 
 	config = fopen(PATH_CONFFILE, "r");
 
@@ -121,7 +125,8 @@
 		exit(1);
 	}
 	*cp = '\0';
-	if (inet_pton(AF_INET, ipsrc, &ina) != 1) {
+	if (inet_pton(AF_INET, ipsrc, &ina) != 1 &&
+	    inet_pton(AF_INET6, ipsrc, &ina) != 1) {
 		syslog(LOG_ERR,
 		    "cannot determine IP from SSH_CLIENT %s", ipsrc);
 		exit(1);
@@ -135,16 +140,31 @@
 
 	uid = getuid();
 	pw = getpwuid(uid);
+	endpwent();
 	if (pw == NULL) {
 		syslog(LOG_ERR, "cannot find user for uid %u", uid);
 		goto die;
 	}
-	if (strcmp(pw->pw_shell, PATH_AUTHPF_SHELL)) {
+
+	if ((lc = login_getclass(pw->pw_class)) != NULL)
+		shell = (char *)login_getcapstr(lc, "shell", pw->pw_shell,
+		    pw->pw_shell);
+	else
+		shell = pw->pw_shell;
+
+	login_close(lc);
+
+	if (strcmp(shell, PATH_AUTHPF_SHELL)) {
 		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
 		    pw->pw_name, pw->pw_uid);
+		if (shell != pw->pw_shell)
+			free(shell);
 		goto die;
 	}
 
+	if (shell != pw->pw_shell)
+		free(shell);
+
 	/*
 	 * Paranoia, but this data _does_ come from outside authpf, and
 	 * truncation would be bad.
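Review bot: The cleanup `if (shell != pw->pw_shell) free(shell);` is written twice, once inside the wrong-shell branch and once after it. Evaluating the comparison first lets it appear once: `wrong = strcmp(shell, PATH_AUTHPF_SHELL) != 0;`, then the single `free`, then `if (wrong) {` with the existing `syslog()` and `goto die`. `login_close(lc)` is also reached when `login_getclass()` returned NULL, and `shell` is read after the close. A short comment should state that `login_close()` tolerates NULL and that `login_getcapstr()` returns storage independent of `lc` (which the `free()` calls imply), since this authorization check relies on both. main() begins and ends outside this hunk.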
@@ -155,11 +175,11 @@
 	}
 
 	if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
-	    luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+	    luser, (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
 		syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
 		    luser, (long)getpid(), (long)getpid());
 		if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
-		    (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
+		    (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
 			syslog(LOG_ERR, "pid too large for ruleset name");
 			goto die;
 		}
@@ -269,12 +289,17 @@
 	rewind(pidfp);
 	fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
 	fflush(pidfp);
-	(void) ftruncate(fileno(pidfp), ftell(pidfp));
+	(void) ftruncate(fileno(pidfp), ftello(pidfp));
 
 	if (change_filter(1, luser, ipsrc) == -1) {
 		printf("Unable to modify filters\r\n");
 		do_death(0);
 	}
+	if (change_table(1, luser, ipsrc) == -1) {
+		printf("Unable to modify table\r\n");
+		change_filter(0, luser, ipsrc);
+		do_death(0);
+	}
 
 	signal(SIGTERM, need_death);
 	signal(SIGINT, need_death);
@@ -284,7 +309,7 @@
 	signal(SIGSTOP, need_death);
 	signal(SIGTSTP, need_death);
 	while (1) {
-		printf("\r\nHello %s, ", luser);
+		printf("\r\nHello %s. ", luser);
 		printf("You are authenticated from host \"%s\"\r\n", ipsrc);
 		setproctitle("%s@%s", luser, ipsrc);
 		print_message(PATH_MESSAGE);
@@ -359,6 +384,11 @@
 			    sizeof(anchorname)) >= sizeof(anchorname))
 				goto parse_error;
 		}
+		if (strcasecmp(pair[0], "table") == 0) {
+			if (!pair[1][0] || strlcpy(tablename, pair[1],
+			    sizeof(tablename)) >= sizeof(tablename))
+				goto parse_error;
+		}
 	} while (!feof(f) && !ferror(f));
 	fclose(f);
 	return (0);
@@ -542,12 +572,10 @@
 remove_stale_rulesets(void)
 {
 	struct pfioc_ruleset	 prs;
-	const int		 action[PF_RULESET_MAX] = { PF_SCRUB,
-				    PF_PASS, PF_NAT, PF_BINAT, PF_RDR };
 	u_int32_t		 nr, mnr;
 
 	memset(&prs, 0, sizeof(prs));
-	strlcpy(prs.anchor, anchorname, sizeof(prs.anchor));
+	strlcpy(prs.path, anchorname, sizeof(prs.path));
 	if (ioctl(dev, DIOCGETRULESETS, &prs)) {
 		if (errno == EINVAL)
 			return (0);
@@ -574,20 +602,25 @@
 		    (*s && (t == prs.name || *s != ')')))
 			return (1);
 		if (kill(pid, 0) && errno != EPERM) {
-			int i;
+			int			i;
+			struct pfioc_trans_e	t_e[PF_RULESET_MAX+1];
+			struct pfioc_trans	t;
 
-			for (i = 0; i < PF_RULESET_MAX; ++i) {
-				struct pfioc_rule pr;
-
-				memset(&pr, 0, sizeof(pr));
-				memcpy(pr.anchor, prs.anchor, sizeof(pr.anchor));
-				memcpy(pr.ruleset, prs.name, sizeof(pr.ruleset));
-				pr.rule.action = action[i];
-				if ((ioctl(dev, DIOCBEGINRULES, &pr) ||
-				    ioctl(dev, DIOCCOMMITRULES, &pr)) &&
-				    errno != EINVAL)
-					return (1);
+			bzero(&t, sizeof(t));
+			bzero(t_e, sizeof(t_e));
+			t.size = PF_RULESET_MAX+1;
+			t.esize = sizeof(t_e[0]);
+			t.array = t_e;
+			for (i = 0; i < PF_RULESET_MAX+1; ++i) {
+				t_e[i].rs_num = i;
+				snprintf(t_e[i].anchor, sizeof(t_e[i].anchor),
+				    "%s/%s", anchorname, prs.name);
 			}
+			t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
+			if ((ioctl(dev, DIOCXBEGIN, &t) ||
+			    ioctl(dev, DIOCXCOMMIT, &t)) &&
+			    errno != EINVAL)
+				return (1);
 			mnr--;
 		} else
 			nr++;
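Review bot: The `snprintf()` that builds `t_e[i].anchor` from `anchorname` and `prs.name` ignores its return value, so a truncated path would make the transaction flush some other anchor, or none, instead of the stale one. The `rulesetname` formatting in main() in this same change does check for truncation, and the same guard fits here: `if ((size_t)snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", anchorname, prs.name) >= sizeof(t_e[i].anchor)) return (1);`. Whether truncation is reachable depends on the size of the `anchor` field, which is not visible in this diff. remove_stale_rulesets() begins and ends outside this hunk.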
@@ -601,85 +634,67 @@
 static int
 change_filter(int add, const char *luser, const char *ipsrc)
 {
-	char			 fn[MAXPATHLEN];
-	FILE			*f = NULL;
-	struct pfctl		 pf;
-	struct pfr_buffer	 t;
-	int			 i;
+	char	*pargv[13] = {
+		"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
+		"-D", "user_ip=X", "-D", "user_id=X", "-f",
+		"file", NULL
+	};
+	char	*fdpath = NULL, *userstr = NULL, *ipstr = NULL;
+	char	*rsn = NULL, *fn = NULL;
+	pid_t	pid;
+	int	s;
 
 	if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
 		syslog(LOG_ERR, "invalid luser/ipsrc");
 		goto error;
 	}
 
+	if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
+		goto no_mem;
+	if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
+		goto no_mem;
+	if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
+		goto no_mem;
+	if (asprintf(&userstr, "user_id=%s", luser) == -1)
+		goto no_mem;
+
 	if (add) {
-		if ((i = snprintf(fn, sizeof(fn), "%s/%s/authpf.rules",
-		    PATH_USER_DIR, luser)) < 0 || i >= sizeof(fn)) {
-			syslog(LOG_ERR, "user rule path too long");
-			goto error;
-		}
-		if ((f = fopen(fn, "r")) == NULL && errno != ENOENT) {
-			syslog(LOG_ERR, "cannot open %s (%m)", fn);
-			goto error;
-		}
-		if (f == NULL) {
-			if (strlcpy(fn, PATH_PFRULES, sizeof(fn)) >=
-			    sizeof(fn)) {
-				syslog(LOG_ERR, "rule path too long");
-				goto error;
-			}
-			if ((f = fopen(fn, "r")) == NULL) {
-				syslog(LOG_ERR, "cannot open %s (%m)", fn);
-				goto error;
-			}
+		struct stat sb;
+
+		if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser)
+		    == -1)
+			goto no_mem;
+		if (stat(fn, &sb) == -1) {
+			free(fn);
+			if ((fn = strdup(PATH_PFRULES)) == NULL)
+				goto no_mem;
 		}
 	}
+	pargv[2] = fdpath;
+	pargv[5] = rsn;
+	pargv[7] = userstr;
+	pargv[9] = ipstr;
+	if (!add)
+		pargv[11] = "/dev/null";
+	else
+		pargv[11] = fn;
 
-	if (pfctl_load_fingerprints(dev, 0)) {
-		syslog(LOG_ERR, "unable to load kernel's OS fingerprints");
-		goto error;
-	}
-	bzero(&t, sizeof(t));
-	t.pfrb_type = PFRB_TRANS;
-	memset(&pf, 0, sizeof(pf));
-	for (i = 0; i < PF_RULESET_MAX; ++i) {
-		if (pfctl_add_trans(&t, i, anchorname, rulesetname)) {
-			syslog(LOG_ERR, "pfctl_add_trans %m");
-			goto error;
-		}
-	}
-	if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
-		syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove");
-		goto error;
+	switch (pid = fork()) {
+	case -1:
+		err(1, "fork failed");
+	case 0:
+		execvp(PATH_PFCTL, pargv);
+		warn("exec of %s failed", PATH_PFCTL);
+		_exit(1);
 	}
 
-	if (add) {
-		if (symset("user_ip", ipsrc, 0) ||
-		    symset("user_id", luser, 0)) {
-			syslog(LOG_ERR, "symset");
-			goto error;
-		}
-
-		pf.dev = dev;
-		pf.trans = &t;
-		pf.anchor = anchorname;
-		pf.ruleset = rulesetname;
-
-		infile = fn;
-		if (parse_rules(f, &pf) < 0) {
-			syslog(LOG_ERR, "syntax error in rule file: "
-			    "authpf rules not loaded");
+	/* parent */
+	waitpid(pid, &s, 0);
+	if (s != 0) {
+		if (WIFEXITED(s)) {
+			syslog(LOG_ERR, "pfctl exited abnormally");
 			goto error;
 		}
-
-		infile = NULL;
-		fclose(f);
-		f = NULL;
-	}
-
-	if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) {
-		syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove");
-		goto error;
 	}
 
 	if (add) {
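Review bot: The status check after `waitpid()` treats a pfctl that was killed by a signal as success: when `s != 0` but `WIFEXITED(s)` is false, nothing jumps to `error` and the function goes on towards `return (0)`. The return value of `waitpid()` is not checked either, so `s` can be read uninitialised. On the remove path (`add == 0`) this can log a session as ended while its rules are still loaded. Failure should be the default: `if (waitpid(pid, &s, 0) == -1 || !WIFEXITED(s) || WEXITSTATUS(s) != 0) {` followed by the existing `syslog()` and `goto error`. Separately, any `stat()` failure on the per-user `authpf.rules` now falls back to `PATH_PFRULES`, where the removed code fell back only on `ENOENT`; testing `errno != ENOENT` and failing there would keep a permission or I/O error from silently switching a user to the default ruleset. change_filter() continues past this hunk.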
@@ -691,18 +706,63 @@
 		    ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
 	}
 	return (0);
-
+no_mem:
+	syslog(LOG_ERR, "malloc failed");

>>> TRUNCATED FOR MAIL (1000 lines) <<<