Date: Fri, 18 Jun 2004 01:16:27 GMT From: Marcel Moolenaar <marcel@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 55202 for review Message-ID: <200406180116.i5I1GRaM062626@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=55202 Change 55202 by marcel@marcel_nfs on 2004/06/18 01:15:41 IFC @55196 Affected files ... .. //depot/projects/gdb/Makefile.inc1#11 integrate .. //depot/projects/gdb/contrib/pf/authpf/authpf.8#2 integrate .. //depot/projects/gdb/contrib/pf/authpf/authpf.c#3 integrate .. //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.8#3 integrate .. //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.c#3 integrate .. //depot/projects/gdb/contrib/pf/ftp-proxy/util.c#2 integrate .. //depot/projects/gdb/contrib/pf/man/pf.4#3 integrate .. //depot/projects/gdb/contrib/pf/man/pf.conf.5#2 integrate .. //depot/projects/gdb/contrib/pf/man/pf.os.5#2 integrate .. //depot/projects/gdb/contrib/pf/man/pflog.4#3 integrate .. //depot/projects/gdb/contrib/pf/man/pfsync.4#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/parse.y#4 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pf_print_state.c#2 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl.8#2 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl.c#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl.h#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_altq.c#4 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_osfp.c#2 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_parser.c#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_parser.h#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_qstats.c#3 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_radix.c#2 integrate .. //depot/projects/gdb/contrib/pf/pfctl/pfctl_table.c#3 integrate .. //depot/projects/gdb/contrib/pf/pflogd/pflogd.8#2 integrate .. //depot/projects/gdb/contrib/pf/pflogd/pflogd.c#3 integrate .. //depot/projects/gdb/contrib/pf/pflogd/pflogd.h#1 branch .. //depot/projects/gdb/contrib/pf/pflogd/pidfile.c#3 integrate .. //depot/projects/gdb/contrib/pf/pflogd/privsep.c#1 branch .. //depot/projects/gdb/contrib/pf/pflogd/privsep_fdpass.c#1 branch .. 
//depot/projects/gdb/gnu/usr.bin/binutils/libbfd/Makefile.sparc64#2 integrate .. //depot/projects/gdb/gnu/usr.bin/binutils/libbfd/sparc64/elf64-sparc.c-bad-rtld.diff#1 branch .. //depot/projects/gdb/lib/libarchive/archive_read_extract.c#16 integrate .. //depot/projects/gdb/lib/libc/posix1e/Makefile.inc#2 integrate .. //depot/projects/gdb/lib/libc/posix1e/mac_get.3#2 integrate .. //depot/projects/gdb/lib/libc/sys/clock_gettime.2#2 integrate .. //depot/projects/gdb/lib/libkvm/kvm_proc.c#5 integrate .. //depot/projects/gdb/libexec/Makefile#4 integrate .. //depot/projects/gdb/libexec/rtld-elf/Makefile#4 integrate .. //depot/projects/gdb/libexec/rtld-elf/arm/Makefile.inc#2 integrate .. //depot/projects/gdb/sbin/geom/class/concat/geom_concat.c#2 integrate .. //depot/projects/gdb/sbin/geom/class/stripe/geom_stripe.c#2 integrate .. //depot/projects/gdb/sbin/pfctl/Makefile#2 integrate .. //depot/projects/gdb/sbin/pflogd/Makefile#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_barrier_destroy.3#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_barrierattr.3#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_rwlock_timedrdlock.3#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_rwlock_timedwrlock.3#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_spin_init.3#2 integrate .. //depot/projects/gdb/share/man/man3/pthread_spin_lock.3#2 integrate .. //depot/projects/gdb/share/man/man4/acpi_video.4#2 integrate .. //depot/projects/gdb/share/man/man4/bfe.4#3 integrate .. //depot/projects/gdb/share/man/man4/dcons.4#2 integrate .. //depot/projects/gdb/share/man/man4/dcons_crom.4#2 integrate .. //depot/projects/gdb/share/man/man4/en.4#2 integrate .. //depot/projects/gdb/share/man/man4/fla.4#2 integrate .. //depot/projects/gdb/share/man/man4/gem.4#2 integrate .. //depot/projects/gdb/share/man/man4/harp.4#2 integrate .. //depot/projects/gdb/share/man/man4/hme.4#3 integrate .. //depot/projects/gdb/share/man/man4/idt.4#2 integrate .. 
//depot/projects/gdb/share/man/man4/man4.i386/arl.4#3 integrate .. //depot/projects/gdb/sys/amd64/amd64/pmap.c#14 integrate .. //depot/projects/gdb/sys/arm/arm/nexus_io.c#3 integrate .. //depot/projects/gdb/sys/arm/include/bus.h#3 integrate .. //depot/projects/gdb/sys/arm/sa11x0/assabet_machdep.c#2 integrate .. //depot/projects/gdb/sys/arm/sa11x0/sa11x0_io.c#3 integrate .. //depot/projects/gdb/sys/boot/i386/boot0/boot0.S#4 integrate .. //depot/projects/gdb/sys/boot/pc98/libpc98/biosdisk.c#3 integrate .. //depot/projects/gdb/sys/cam/scsi/scsi_target.c#4 integrate .. //depot/projects/gdb/sys/coda/coda.h#3 integrate .. //depot/projects/gdb/sys/coda/coda_fbsd.c#5 integrate .. //depot/projects/gdb/sys/coda/coda_venus.c#4 integrate .. //depot/projects/gdb/sys/compat/freebsd32/freebsd32_misc.c#6 integrate .. //depot/projects/gdb/sys/compat/linux/linux_stats.c#5 integrate .. //depot/projects/gdb/sys/compat/svr4/svr4_socket.c#2 integrate .. //depot/projects/gdb/sys/compat/svr4/svr4_socket.h#2 integrate .. //depot/projects/gdb/sys/compat/svr4/svr4_stream.c#3 integrate .. //depot/projects/gdb/sys/compat/svr4/svr4_types.h#3 integrate .. //depot/projects/gdb/sys/conf/files#29 integrate .. //depot/projects/gdb/sys/contrib/pf/net/if_pflog.c#7 integrate .. //depot/projects/gdb/sys/contrib/pf/net/if_pflog.h#3 integrate .. //depot/projects/gdb/sys/contrib/pf/net/if_pfsync.c#7 integrate .. //depot/projects/gdb/sys/contrib/pf/net/if_pfsync.h#3 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pf.c#7 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pf_if.c#1 branch .. //depot/projects/gdb/sys/contrib/pf/net/pf_ioctl.c#9 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pf_norm.c#4 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pf_osfp.c#3 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pf_subr.c#1 branch .. //depot/projects/gdb/sys/contrib/pf/net/pf_table.c#3 integrate .. //depot/projects/gdb/sys/contrib/pf/net/pfvar.h#4 integrate .. 
//depot/projects/gdb/sys/contrib/pf/netinet/in4_cksum.c#2 integrate .. //depot/projects/gdb/sys/dev/an/if_an.c#4 integrate .. //depot/projects/gdb/sys/dev/ata/ata-chipset.c#10 integrate .. //depot/projects/gdb/sys/dev/ata/atapi-cam.c#4 integrate .. //depot/projects/gdb/sys/dev/cp/if_cp.c#5 integrate .. //depot/projects/gdb/sys/dev/ctau/if_ct.c#5 integrate .. //depot/projects/gdb/sys/dev/cx/if_cx.c#9 integrate .. //depot/projects/gdb/sys/dev/cy/cy.c#8 integrate .. //depot/projects/gdb/sys/dev/dcons/dcons.c#10 integrate .. //depot/projects/gdb/sys/dev/digi/digi.c#8 integrate .. //depot/projects/gdb/sys/dev/firewire/fwdev.c#8 integrate .. //depot/projects/gdb/sys/dev/led/led.c#7 integrate .. //depot/projects/gdb/sys/dev/nmdm/nmdm.c#9 integrate .. //depot/projects/gdb/sys/dev/snp/snp.c#6 integrate .. //depot/projects/gdb/sys/dev/sound/pcm/dsp.c#5 integrate .. //depot/projects/gdb/sys/dev/sound/pcm/mixer.c#5 integrate .. //depot/projects/gdb/sys/dev/syscons/syscons.c#11 integrate .. //depot/projects/gdb/sys/dev/vinum/vinum.c#4 integrate .. //depot/projects/gdb/sys/dev/vinum/vinumconfig.c#4 integrate .. //depot/projects/gdb/sys/dev/vinum/vinumio.c#5 integrate .. //depot/projects/gdb/sys/fs/devfs/devfs_vnops.c#4 integrate .. //depot/projects/gdb/sys/fs/fifofs/fifo_vnops.c#7 integrate .. //depot/projects/gdb/sys/fs/portalfs/portal_vnops.c#5 integrate .. //depot/projects/gdb/sys/fs/specfs/spec_vnops.c#10 integrate .. //depot/projects/gdb/sys/geom/geom_dev.c#5 integrate .. //depot/projects/gdb/sys/i386/i386/bios.c#6 integrate .. //depot/projects/gdb/sys/i386/i386/pmap.c#9 integrate .. //depot/projects/gdb/sys/isofs/cd9660/cd9660_node.h#4 integrate .. //depot/projects/gdb/sys/isofs/cd9660/cd9660_rrip.c#3 integrate .. //depot/projects/gdb/sys/kern/kern_acct.c#4 integrate .. //depot/projects/gdb/sys/kern/kern_conf.c#7 integrate .. //depot/projects/gdb/sys/kern/kern_proc.c#9 integrate .. //depot/projects/gdb/sys/kern/kern_shutdown.c#8 integrate .. 
//depot/projects/gdb/sys/kern/kern_time.c#3 integrate .. //depot/projects/gdb/sys/kern/sys_socket.c#5 integrate .. //depot/projects/gdb/sys/kern/tty_cons.c#7 integrate .. //depot/projects/gdb/sys/kern/tty_pty.c#10 integrate .. //depot/projects/gdb/sys/kern/tty_tty.c#4 integrate .. //depot/projects/gdb/sys/kern/uipc_socket.c#10 integrate .. //depot/projects/gdb/sys/kern/uipc_socket2.c#10 integrate .. //depot/projects/gdb/sys/kern/uipc_usrreq.c#9 integrate .. //depot/projects/gdb/sys/kern/vfs_aio.c#4 integrate .. //depot/projects/gdb/sys/kern/vfs_bio.c#8 integrate .. //depot/projects/gdb/sys/kern/vfs_mount.c#7 integrate .. //depot/projects/gdb/sys/kern/vfs_subr.c#11 integrate .. //depot/projects/gdb/sys/modules/Makefile#13 integrate .. //depot/projects/gdb/sys/modules/pf/Makefile#3 integrate .. //depot/projects/gdb/sys/modules/pflog/Makefile#3 delete .. //depot/projects/gdb/sys/modules/pfsync/Makefile#3 delete .. //depot/projects/gdb/sys/net/bpf.c#7 integrate .. //depot/projects/gdb/sys/net/if_tap.c#7 integrate .. //depot/projects/gdb/sys/net/if_tun.c#7 integrate .. //depot/projects/gdb/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c#7 integrate .. //depot/projects/gdb/sys/netgraph/bluetooth/drivers/ubtbcmfw/ubtbcmfw.c#5 integrate .. //depot/projects/gdb/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#7 integrate .. //depot/projects/gdb/sys/netgraph/ng_ksocket.c#6 integrate .. //depot/projects/gdb/sys/netinet/in.h#4 integrate .. //depot/projects/gdb/sys/netinet/in_proto.c#5 integrate .. //depot/projects/gdb/sys/netsmb/smb_dev.c#6 integrate .. //depot/projects/gdb/sys/netsmb/smb_trantcp.c#4 integrate .. //depot/projects/gdb/sys/nfs4client/nfs4_vn_subs.c#2 integrate .. //depot/projects/gdb/sys/nfsclient/nfs_bio.c#7 integrate .. //depot/projects/gdb/sys/nfsclient/nfs_subs.c#7 integrate .. //depot/projects/gdb/sys/nfsserver/nfs_serv.c#8 integrate .. //depot/projects/gdb/sys/nfsserver/nfs_syscalls.c#8 integrate .. //depot/projects/gdb/sys/sys/_types.h#5 integrate .. 
//depot/projects/gdb/sys/sys/acct.h#3 integrate .. //depot/projects/gdb/sys/sys/conf.h#8 integrate .. //depot/projects/gdb/sys/sys/mbuf.h#12 integrate .. //depot/projects/gdb/sys/sys/param.h#15 integrate .. //depot/projects/gdb/sys/sys/snoop.h#2 integrate .. //depot/projects/gdb/sys/sys/stat.h#4 integrate .. //depot/projects/gdb/sys/sys/systm.h#8 integrate .. //depot/projects/gdb/sys/sys/tty.h#7 integrate .. //depot/projects/gdb/sys/sys/types.h#8 integrate .. //depot/projects/gdb/sys/sys/user.h#5 integrate .. //depot/projects/gdb/sys/sys/vnode.h#7 integrate .. //depot/projects/gdb/sys/vm/swap_pager.c#6 integrate .. //depot/projects/gdb/sys/vm/vm_page.c#10 integrate .. //depot/projects/gdb/sys/vm/vm_param.h#3 integrate .. //depot/projects/gdb/usr.bin/fstat/fstat.c#3 integrate .. //depot/projects/gdb/usr.bin/fstat/fstat.h#2 integrate .. //depot/projects/gdb/usr.bin/kdump/mkioctls#3 integrate .. //depot/projects/gdb/usr.bin/pkill/pkill.c#3 integrate .. //depot/projects/gdb/usr.sbin/boot0cfg/boot0cfg.8#3 integrate .. //depot/projects/gdb/usr.sbin/pw/psdate.c#2 integrate .. //depot/projects/gdb/usr.sbin/pw/pw_user.c#2 integrate .. //depot/projects/gdb/usr.sbin/pw/pw_vpw.c#2 integrate Differences ... ==== //depot/projects/gdb/Makefile.inc1#11 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD: src/Makefile.inc1,v 1.427 2004/05/17 16:19:51 ru Exp $ +# $FreeBSD: src/Makefile.inc1,v 1.430 2004/06/17 08:06:41 obrien Exp $ # # Make command line options: # -DNO_DYNAMICROOT do not link /bin and /sbin dynamically @@ -62,7 +62,10 @@ .if !defined(NOSHARE) SUBDIR+=share .endif -SUBDIR+=sys usr.bin usr.sbin etc +.if ${MACHINE_ARCH} != "alpha" +SUBDIR+=sys +.endif +SUBDIR+=usr.bin usr.sbin etc # These are last, since it is nice to at least get the base system # rebuilt before you do them. ==== //depot/projects/gdb/contrib/pf/authpf/authpf.8#2 (text+ko) ==== 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.30 2003/08/17 23:24:47 henning Exp $ +.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $ .\" .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -84,9 +84,9 @@ processes. By default, the .Pa anchor -name "authpf" is used, and the ruleset names equal the PIDs of the +name "authpf" is used, and the ruleset names equal the username and PID of the .Nm -processes. +processes as "username(pid)". The following rules need to be added to the main ruleset .Pa /etc/pf.conf in order to cause evaluation of any @@ -263,7 +263,8 @@ .Pa /etc/authpf/authpf.conf file. .Sh EXAMPLES -\fBControl Files\fP - To illustrate the user-specific access control +.Sy Control Files +\- To illustrate the user-specific access control mechanisms, let us consider a typical user named bob. Normally, as long as bob can authenticate himself, the .Nm @@ -298,7 +299,8 @@ Though bob is listed in the allow file, he is prevented from using this gateway due to the existence of a ban file. .Pp -\fBDistributed Authentication\fP - It is often desirable to interface with a +.Sy Distributed Authentication +\- It is often desirable to interface with a distributed password system rather than forcing the sysadmins to keep a large number of local password files in sync. The @@ -332,7 +334,8 @@ as their shell except for root who will get .Pa /bin/csh . .Pp -\fBSSH Configuration\fP - As stated earlier, +.Sy SSH Configuration +\- As stated earlier, .Xr sshd 8 must be properly configured to detect and defeat network attacks. To that end, the following options should be added to 
@@ -346,7 +349,8 @@ This ensures that unresponsive or spoofed sessions are terminated within a minute, since a hijacker should not be able to spoof ssh keepalive messages. .Pp -\fBBanners\fP - Once authenticated, the user is shown the contents of +.Sy Banners +\- Once authenticated, the user is shown the contents of .Pa /etc/authpf/authpf.message . This message may be a screen-full of the appropriate use policy, the contents of @@ -366,7 +370,8 @@ an email to remove@bulkmailerz.net. .Ed .Pp -\fBPacket Filter Rules\fP - In areas where this gateway is used to protect a +.Sy Packet Filter Rules +\- In areas where this gateway is used to protect a wireless network (a hub with several hundred ports), the default rule set as well as the per-user rules should probably allow very few things beyond encrypted protocols like @@ -378,15 +383,14 @@ given authentication accounts, you might want to allow out everything. In this context, a secure switch is one that tries to prevent address table overflow attacks. -The examples below assume a switched wired net. .Pp Example .Pa /etc/pf.conf : .Bd -literal # by default we allow internal clients to talk to us using # ssh and use us as a dns server. -internal_if=\&"fxp1\&" -gateway_addr=\&"10.0.1.1\&" +internal_if="fxp1" +gateway_addr="10.0.1.1" nat-anchor authpf rdr-anchor authpf binat-anchor authpf 
@@ -398,26 +402,28 @@ anchor authpf .Ed .Pp -Example -.Pa /etc/authpf/authpf.rules : +.Sy For a switched, wired net +\- This example +.Pa /etc/authpf/authpf.rules +makes no real restrictions; it turns the IP address on and off, logging +TCP connections. .Bd -literal -# no real restrictions here, basically turn the network jack off or on. - -external_if = \&"xl0\&" -internal_if = \&"fxp0\&" +external_if = "xl0" +internal_if = "fxp0" pass in log quick on $internal_if proto tcp from $user_ip to any \e keep state pass in quick on $internal_if from $user_ip to any .Ed .Pp -Another example +.Sy For a wireless or shared net +\- This example .Pa /etc/authpf/authpf.rules -for an insecure network (such as a public wireless network) where +could be used for an insecure network (such as a public wireless network) where we might need to be a bit more restrictive. .Bd -literal -internal_if=\&"fxp1\&" -ipsec_gw=\&"10.2.3.4\&" +internal_if="fxp1" +ipsec_gw="10.2.3.4" # rdr ftp for proxying by ftp-proxy(8) rdr on $internal_if proto tcp from $user_ip to any port 21 \e 
@@ -433,6 +439,32 @@ keep state pass in quick proto esp from $user_ip to $ipsec_gw .Ed +.Pp +.Sy Dealing with NAT +\- The following +.Pa /etc/authpf/authpf.rules +shows how to deal with NAT, using tags: +.Bd -literal +ext_if = "fxp1" +ext_addr = 129.128.11.10 +int_if = "fxp0" +# nat and tag connections... +nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr +pass in quick on $int_if from $user_ip to any +pass out log quick on $ext_if tagged $user_ip keep state +.Ed +.Pp +With the above rules added by +.Nm , +outbound connections corresponding to each users NAT'ed connections +will be logged as in the example below, where the user may be identified +from the ruleset name. +.Bd -literal +# tcpdump -n -e -ttt -i pflog0 +Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e +129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e +16384 <mss 1460,nop,nop,sackOK> (DF) +.Ed .Sh FILES .Bl -tag -width "/etc/authpf/authpf.conf" -compact .It Pa /etc/authpf/authpf.conf ==== //depot/projects/gdb/contrib/pf/authpf/authpf.c#3 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.68 2003/08/21 19:13:23 frantzen Exp $ */ +/* $OpenBSD: authpf.c,v 1.75 2004/01/29 01:55:10 deraadt Exp $ */ /* * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org). @@ -26,7 +26,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.4 2004/03/16 17:24:06 obrien Exp $"); +__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.5 2004/06/16 23:39:30 mlaier Exp $"); #include <sys/param.h> #include <sys/file.h> @@ -49,6 +49,7 @@ #include <unistd.h> #include <pfctl_parser.h> +#include <pfctl.h> #include "pathnames.h" @@ -98,12 +99,6 @@ char *cp; uid_t uid; - if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld", - (long)getpid())) < 0 || n >= sizeof(rulesetname)) { - syslog(LOG_ERR, "pid too large for ruleset name"); - exit(1); - } - config = fopen(PATH_CONFFILE, "r"); if ((cp = getenv("SSH_TTY")) == NULL) { 
@@ -131,7 +126,6 @@ "cannot determine IP from SSH_CLIENT %s", ipsrc); exit(1); } - /* open the pf device */ dev = open(PATH_DEVFILE, O_RDWR); if (dev == -1) { @@ -160,6 +154,18 @@ goto die; } + if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)", + luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) { + syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld", + luser, (long)getpid(), (long)getpid()); + if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld", + (long)getpid())) < 0 || n >= sizeof(rulesetname)) { + syslog(LOG_ERR, "pid too large for ruleset name"); + goto die; + } + } + + /* Make our entry in /var/authpf as /var/authpf/ipaddr */ n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc); if (n < 0 || (u_int)n >= sizeof(pidfile)) { @@ -242,15 +248,22 @@ seteuid(getuid()); setuid(getuid()); - if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) + openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); + + if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { + syslog(LOG_INFO, "user %s prohibited", luser); do_death(0); + } - openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); - if (config == NULL || read_config(config)) + if (config == NULL || read_config(config)) { + syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE); do_death(0); + } - if (remove_stale_rulesets()) + if (remove_stale_rulesets()) { + syslog(LOG_INFO, "error removing stale rulesets"); do_death(0); + } /* We appear to be making headway, so actually mark our pid */ rewind(pidfp); @@ -260,7 +273,7 @@ if (change_filter(1, luser, ipsrc) == -1) { printf("Unable to modify filters\r\n"); - do_death(1); + do_death(0); } signal(SIGTERM, need_death); 
@@ -545,15 +558,20 @@ mnr = prs.nr; nr = 0; while (nr < mnr) { - char *s; + char *s, *t; pid_t pid; prs.nr = nr; if (ioctl(dev, DIOCGETRULESET, &prs)) return (1); errno = 0; - pid = strtoul(prs.name, &s, 10); - if (!prs.name[0] || errno || *s) + if ((t = strchr(prs.name, '(')) == NULL) + t = prs.name; + else + t++; + pid = strtoul(t, &s, 10); + if (!prs.name[0] || errno || + (*s && (t == prs.name || *s != ')'))) return (1); if (kill(pid, 0) && errno != EPERM) { int i; @@ -585,14 +603,11 @@ { char fn[MAXPATHLEN]; FILE *f = NULL; - const int action[PF_RULESET_MAX] = { PF_SCRUB, - PF_PASS, PF_NAT, PF_BINAT, PF_RDR }; struct pfctl pf; - struct pfioc_rule pr[PF_RULESET_MAX]; + struct pfr_buffer t; int i; - if (luser == NULL || !luser[0] || strlen(luser) >= - PF_RULESET_NAME_SIZE || ipsrc == NULL || !ipsrc[0]) { + if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) { syslog(LOG_ERR, "invalid luser/ipsrc"); goto error; } @@ -624,18 +639,18 @@ syslog(LOG_ERR, "unable to load kernel's OS fingerprints"); goto error; } - + bzero(&t, sizeof(t)); + t.pfrb_type = PFRB_TRANS; memset(&pf, 0, sizeof(pf)); for (i = 0; i < PF_RULESET_MAX; ++i) { - memset(&pr[i], 0, sizeof(pr[i])); - pr[i].rule.action = action[i]; - strlcpy(pr[i].anchor, anchorname, sizeof(pr[i].anchor)); - strlcpy(pr[i].ruleset, rulesetname, sizeof(pr[i].ruleset)); - if (ioctl(dev, DIOCBEGINRULES, &pr[i])) { - syslog(LOG_ERR, "DIOCBEGINRULES %m"); + if (pfctl_add_trans(&t, i, anchorname, rulesetname)) { + syslog(LOG_ERR, "pfctl_add_trans %m"); goto error; } - pf.prule[i] = &pr[i]; + } + if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) { + syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove"); + goto error; } if (add) { @@ -646,6 +661,10 @@ } pf.dev = dev; + pf.trans = &t; + pf.anchor = anchorname; + pf.ruleset = rulesetname; + infile = fn; if (parse_rules(f, &pf) < 0) { syslog(LOG_ERR, "syntax error in rule file: " 
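Review bot: The new ruleset-name parser in remove_stale_rulesets still accepts a name with no digits between the parentheses, e.g. `user()`: strtoul() is only required to report ERANGE through errno, so with no digits it returns 0 and leaves `s == t`, the `(*s && (t == prs.name || *s != ')'))` test passes because `*s` is ')', and the subsequent `kill(0, 0)` probes the caller's own process group, which always succeeds, so such a ruleset is treated as live and never cleaned up. Reject an empty or non-positive pid before it reaches kill(), e.g. `if (!prs.name[0] || errno || s == t || pid <= 0 || (*s && (t == prs.name || *s != ')')))`. The same condition also tolerates a `user(1234` form with no closing ')' when the digits run to the end of the name; if the format is meant to be strictly `user(pid)` that case should fail too. remove_stale_rulesets begins and ends outside this hunk.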
@@ -658,16 +677,10 @@ f = NULL; } - for (i = 0; i < PF_RULESET_MAX; ++i) - /* - * ignore EINVAL on removal, it means the anchor was - * already automatically removed by the kernel. - */ - if (ioctl(dev, DIOCCOMMITRULES, &pr[i]) && - (add || errno != EINVAL)) { - syslog(LOG_ERR, "DIOCCOMMITRULES %m"); - goto error; - } + if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) { + syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove"); + goto error; + } if (add) { gettimeofday(&Tstart, NULL); @@ -682,6 +695,8 @@ error: if (f != NULL) fclose(f); + if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0)) + syslog(LOG_ERR, "DIOCXROLLBACK (%s) %m", add?"add":"remove"); infile = NULL; return (-1); @@ -761,37 +776,44 @@ int pfctl_add_rule(struct pfctl *pf, struct pf_rule *r) { - struct pfioc_rule *pr; + u_int8_t rs_num; + struct pfioc_rule pr; switch (r->action) { case PF_PASS: case PF_DROP: - pr = pf->prule[PF_RULESET_FILTER]; + rs_num = PF_RULESET_FILTER; break; case PF_SCRUB: - pr = pf->prule[PF_RULESET_SCRUB]; + rs_num = PF_RULESET_SCRUB; break; case PF_NAT: case PF_NONAT: - pr = pf->prule[PF_RULESET_NAT]; + rs_num = PF_RULESET_NAT; break; case PF_RDR: case PF_NORDR: - pr = pf->prule[PF_RULESET_RDR]; + rs_num = PF_RULESET_RDR; break; case PF_BINAT: case PF_NOBINAT: - pr = pf->prule[PF_RULESET_BINAT]; + rs_num = PF_RULESET_BINAT; break; default: syslog(LOG_ERR, "invalid rule action %d", r->action); return (1); } + + bzero(&pr, sizeof(pr)); + strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor)); + strlcpy(pr.ruleset, pf->ruleset, sizeof(pr.ruleset)); if (pfctl_add_pool(pf, &r->rpool, r->af)) return (1); - pr->pool_ticket = pf->paddr.ticket; - memcpy(&pr->rule, r, sizeof(pr->rule)); - if (ioctl(pf->dev, DIOCADDRULE, pr)) { + pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor, + pf->ruleset); + pr.pool_ticket = pf->paddr.ticket; + memcpy(&pr.rule, r, sizeof(pr.rule)); + if (ioctl(pf->dev, DIOCADDRULE, &pr)) { syslog(LOG_ERR, "DIOCADDRULE %m"); return (1); } 
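Review bot: The `error:` label in change_filter now calls `pfctl_trans(dev, &t, DIOCXROLLBACK, 0)` unconditionally, but `struct pfr_buffer t` is declared without an initializer and is only set up by the `bzero(&t, sizeof(t)); t.pfrb_type = PFRB_TRANS;` pair further down; the `goto error` on "invalid luser/ipsrc" and the one after the OS-fingerprint load failure both run before that, so on those paths the rollback is handed a buffer whose fields are uninitialized. Move those two initialization lines to the top of the function, ahead of the first `goto error`, so the rollback on the early paths operates on an empty transaction. If any path after a successful DIOCXCOMMIT can still reach `error:` (the tail of the function is not in this hunk), the rollback should be skipped there as well, since the transaction is already closed. change_filter begins and ends outside this hunk.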
@@ -852,6 +874,13 @@ } int +pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid) +{ + fprintf(stderr, "set hostid not supported in authpf\n"); + return (1); +} + +int pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet) { fprintf(stderr, "set timeout not supported in authpf\n"); @@ -866,6 +895,13 @@ } int +pfctl_set_debug(struct pfctl *pf, char *d) +{ + fprintf(stderr, "set debug not supported in authpf\n"); + return (1); +} + +int pfctl_define_table(char *name, int flags, int addrs, const char *anchor, const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket) { @@ -875,10 +911,14 @@ int pfctl_rules(int dev, char *filename, int opts, char *anchorname, - char *rulesetname) + char *rulesetname, struct pfr_buffer *t) { /* never called, no anchors inside anchors, but we need the stub */ fprintf(stderr, "load anchor not supported from authpf\n"); return (1); } +void +pfctl_print_title(char *title) +{ +} ==== //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.8#3 (text+ko) ==== @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.37 2003/09/05 12:27:47 jmc Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $ .\" .\" Copyright (c) 1996-2001 .\" Obtuse Systems Corporation, All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.2 2004/05/27 23:51:05 mlaier Exp $ +.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.3 2004/06/16 23:39:30 mlaier Exp $ .\" .Dd August 17, 2001 .Dt FTP-PROXY 8 @@ -38,10 +38,11 @@ .Sh SYNOPSIS .Nm ftp-proxy .Op Fl AnrVw +.Op Fl a Ar address .Op Fl D Ar debuglevel .Op Fl g Ar group +.Op Fl M Ar maxport .Op Fl m Ar minport -.Op Fl M Ar maxport .Op Fl t Ar timeout .Op Fl u Ar user .Sh DESCRIPTION 
@@ -67,6 +68,26 @@ .Qq anonymous only. Any attempt to log in as another user will be blocked by the proxy. +.It Fl a Ar address +Specify the local IP address to use in +.Xr bind 2 +as the source for connections made by +.Nm ftp-proxy +when connecting to destination FTP servers. +This may be necessary if the interface address of +your default route is not reachable from the destinations +.Nm +is attempting connections to, or this address is different from the one +connections are being NATed to. +In the usual case this means that +.Ar address +should be a publicly visible IP address assigned to one of +the interfaces on the machine running +.Nm +and should be the same address to which you are translating traffic +if you are using the +.Fl n +option. .It Fl D Ar debuglevel Specify a debug level, where the proxy emits verbose debug output into @@ -82,6 +103,14 @@ By default, .Nm uses the default group of the user it drops privilege to. +.It Fl M Ar maxport +Specify the upper end of the port range the proxy will use for the +data connections it establishes. +The default is +.Dv IPPORT_HILASTAUTO +defined in +.Aq Pa netinet/in.h +as 65535. .It Fl m Ar minport Specify the lower end of the port range the proxy will use for all data connections it establishes. @@ -90,14 +119,6 @@ defined in .Aq Pa netinet/in.h as 49152. -.It Fl M Ar maxport -Specify the upper end of the port range the proxy will use for the -data connections it establishes. -The default is -.Dv IPPORT_HILASTAUTO -defined in -.Aq Pa netinet/in.h -as 65535. .It Fl n Activate network address translation .Pq NAT @@ -175,8 +196,8 @@ .Xr pf.conf 5 rule such as .Bd -literal -offset 2n -int_if = xl0 -rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 +int_if = \&"xl0\&" +rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 .Ed .Pp .Xr inetd 8 ==== //depot/projects/gdb/contrib/pf/ftp-proxy/ftp-proxy.c#3 (text+ko) ==== 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ftp-proxy.c,v 1.33 2003/08/22 21:50:34 david Exp $ */ +/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */ /* * Copyright (c) 1996-2001 @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.c,v 1.4 2004/03/16 17:24:06 obrien Exp $"); +__FBSDID("$FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.c,v 1.5 2004/06/16 23:39:31 mlaier Exp $"); /* * ftp proxy, Originally based on juniper_ftp_proxy from the Obtuse @@ -151,6 +151,7 @@ extern int Debug_Level; extern int Use_Rdns; +extern in_addr_t Bind_Addr; extern char *__progname; typedef enum { @@ -174,9 +175,8 @@ usage(void) { syslog(LOG_NOTICE, - "usage: %s [-AnrVw] [-D debuglevel] [-g group] %s %s", - __progname, "[-m minport] [-M maxport] [-t timeout]", - "[-u user]"); + "usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]" + " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname); exit(EX_USAGE); } @@ -976,9 +976,18 @@ int use_tcpwrapper = 0; #endif /* LIBWRAP */ - while ((ch = getopt(argc, argv, "D:g:m:M:t:u:AnVwr")) != -1) { + while ((ch = getopt(argc, argv, "a:D:g:m:M:t:u:AnVwr")) != -1) { char *p; switch (ch) { + case 'a': + if (!*optarg) + usage(); + if ((Bind_Addr = inet_addr(optarg)) == INADDR_NONE) { + syslog(LOG_NOTICE, + "%s: invalid address", optarg); + usage(); + } + break; case 'A': AnonFtpOnly = 1; /* restrict to anon usernames only */ break; ==== //depot/projects/gdb/contrib/pf/ftp-proxy/util.c#2 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.16 2003/06/28 01:04:57 deraadt Exp $ */ +/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */ /* * Copyright (c) 1996-2001 @@ -58,6 +58,7 @@ int Debug_Level; int Use_Rdns; +in_addr_t Bind_Addr = INADDR_NONE; void debuglog(int debug_level, const char *fmt, ...); 
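Review bot: The rewritten usage string drops the closing bracket after debuglevel: `"usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]"` should read `"usage: %s [-AnrVw] [-a address] [-D debuglevel] [-g group]"`. In the new `-a` case, inet_addr() reports a malformed address as INADDR_NONE, which is also the encoding of 255.255.255.255, and util.c reuses INADDR_NONE as the "no -a given" sentinel for Bind_Addr, so that address can neither be validated nor told apart from the default; parsing with inet_aton() into a `struct in_addr` and assigning `Bind_Addr = a.s_addr` only on success gives an unambiguous failure return. inet_addr() also accepts the shorthand forms ("1", "0x7f000001") that a user is unlikely to intend for a bind address, which inet_pton() would reject. The option loop continues outside this hunk.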
@@ -77,7 +78,8 @@ struct sockaddr_in *client_sa_ptr) { struct pfioc_natlook natlook; - int slen, fd; + socklen_t slen; + int fd; slen = sizeof(*real_server_sa_ptr); if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr, @@ -257,10 +259,13 @@ bzero(&sa, sizeof sa); sa.sin_family = AF_INET; - if (sap == NULL) - sa.sin_addr.s_addr = INADDR_ANY; + if (Bind_Addr == INADDR_NONE) + if (sap == NULL) + sa.sin_addr.s_addr = INADDR_ANY; + else + sa.sin_addr.s_addr = sap->sin_addr.s_addr; else - sa.sin_addr.s_addr = sap->sin_addr.s_addr; + sa.sin_addr.s_addr = Bind_Addr; /* * Indicate that we want to reuse a port if it happens that the ==== //depot/projects/gdb/contrib/pf/man/pf.4#3 (text+ko) ==== @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $ +.\" $OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/contrib/pf/man/pf.4,v 1.2 2004/04/18 13:59:12 mlaier Exp $ +.\" $FreeBSD: src/contrib/pf/man/pf.4,v 1.3 2004/06/16 23:39:31 mlaier Exp $ .\" .Dd June 24, 2001 .Dt PF 4 @@ -75,11 +75,7 @@ Starts the ALTQ bandwidth control system. .It Dv DIOCSTOPALTQ Stops the ALTQ bandwidth control system. -.It Dv DIOCBEGINADDRS Fa "u_int32_t" -Clears the buffer address pool -and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and -DIOCCHANGERULE calls. -.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr" +.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr" .Bd -literal struct pfioc_pooladdr { u_int32_t action; 
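Review bot: The Bind_Addr selection in this hunk nests an unbraced `if (sap == NULL) ... else ...` inside an unbraced `if (Bind_Addr == INADDR_NONE)` and then appends a second `else`; it parses as intended only because the inner if already carries its own else, which is the dangling-else shape that silently rebinds on the next edit. Brace the outer if, or flatten it into one chain: `if (Bind_Addr != INADDR_NONE) sa.sin_addr.s_addr = Bind_Addr; else if (sap == NULL) sa.sin_addr.s_addr = INADDR_ANY; else sa.sin_addr.s_addr = sap->sin_addr.s_addr;`. The enclosing function starts and ends outside this hunk.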
@@ -95,16 +91,17 @@ }; .Ed .Pp +Clears the buffer address pool +and returns a +.Va ticket +for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls. +.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr" +.Pp Adds pool address .Va addr to the buffer address pool to be used in the following DIOCADDRULE or DIOCCHANGERULE call. All other members of the structure are ignored. -.It Dv DIOCBEGINRULES Fa "u_int32_t" -Clears the inactive ruleset for the type of rule indicated by -.Va rule.action -and returns a ticket for subsequent -DIOCADDRULE and DIOCCOMMITRULES calls. .It Dv DIOCADDRULE Fa "struct pfioc_rule" .Bd -literal struct pfioc_rule { @@ -123,7 +120,7 @@ at the end of the inactive ruleset. Requires .Va ticket -obtained through preceding DIOCBEGINRULES call, and +obtained through preceding DIOCXBEGIN call, and .Va pool_ticket obtained through DIOCBEGINADDRS call. DIOCADDADDR must also be called if any pool addresses are required. @@ -136,26 +133,16 @@ and .Va action are ignored. -.It Dv DIOCCOMMITRULES Fa "u_int32_t" -Switch inactive to active filter ruleset. -Requires -.Va ticket . -.It Dv DIOCBEGINALTQS Fa "u_int32_t" -Clears the inactive list of queues and returns a ticket for subsequent -DIOCADDALTQ and DIOCCOMMITALTQS calls. .It Dv DIOCADDALTQ Fa "struct pfioc_altq" Adds .Bd -literal struct pfioc_altq { + u_int32_t action; u_int32_t ticket; u_int32_t nr; struct pf_altq altq; }; .Ed -.It Dv DIOCCOMMITALTQS Fa "u_int32_t" -Switch inactive to active list of queues. -Requires -.Va ticket . .It Dv DIOCGETRULES Fa "struct pfioc_rule" Returns .Va ticket @@ -227,8 +214,6 @@ .Va nbytes for the queue specified by .Va nr . -.It Dv DIOCCLRSTATES -Clears the state table. .It Dv DIOCADDSTATE Fa "struct pfioc_state" Adds a state entry. .It Dv DIOCGETSTATE Fa "struct pfioc_state" 
@@ -249,8 +234,16 @@ int psk_proto; struct pf_rule_addr psk_src; struct pf_rule_addr psk_dst; + char psk_ifname[IFNAMSIZ]; }; .Ed +.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill" +Clears all states. +It works like +.Dv DIOCKILLSTATES , +but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the +.Fa pfioc_state_kill +structure. .It Dv DIOCSETSTATUSIF Fa "struct pfioc_if" .Bd -literal struct pfioc_if { @@ -262,14 +255,19 @@ .It Dv DIOCGETSTATUS Fa "struct pf_status" .Bd -literal struct pf_status { >>> TRUNCATED FOR MAIL (1000 lines) <<<