Date: Tue, 28 Jun 2011 14:40:18 +0000 (UTC) From: Attilio Rao <attilio@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r223645 - in projects/largeSMP: . bin/sh cddl/contrib/opensolaris/cmd/zfs cddl/contrib/opensolaris/lib/libzfs/common contrib/libpcap/bpf/net contrib/ntp/ntpd contrib/pf/authpf contrib/p... Message-ID: <201106281440.p5SEeIRb053642@svn.freebsd.org>
Author: attilio Date: Tue Jun 28 14:40:17 2011 New Revision: 223645 URL: http://svn.freebsd.org/changeset/base/223645 Log: MFC Added: projects/largeSMP/sys/contrib/pf/net/if_pflow.h - copied unchanged from r223641, head/sys/contrib/pf/net/if_pflow.h projects/largeSMP/sys/contrib/pf/net/pf_lb.c - copied unchanged from r223641, head/sys/contrib/pf/net/pf_lb.c projects/largeSMP/sys/modules/pfsync/ - copied from r223641, head/sys/modules/pfsync/ Deleted: projects/largeSMP/sys/contrib/pf/net/pf_subr.c projects/largeSMP/usr.bin/calendar/calendars/ru_RU.KOI8-R/calendar.msk Modified: projects/largeSMP/UPDATING projects/largeSMP/bin/sh/arith_yacc.c projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c projects/largeSMP/contrib/ntp/ntpd/ntp_io.c projects/largeSMP/contrib/pf/authpf/authpf.8 projects/largeSMP/contrib/pf/authpf/authpf.c projects/largeSMP/contrib/pf/authpf/pathnames.h projects/largeSMP/contrib/pf/ftp-proxy/filter.c projects/largeSMP/contrib/pf/ftp-proxy/filter.h projects/largeSMP/contrib/pf/ftp-proxy/ftp-proxy.8 projects/largeSMP/contrib/pf/ftp-proxy/ftp-proxy.c projects/largeSMP/contrib/pf/man/pf.4 projects/largeSMP/contrib/pf/man/pf.conf.5 projects/largeSMP/contrib/pf/man/pf.os.5 projects/largeSMP/contrib/pf/man/pflog.4 projects/largeSMP/contrib/pf/man/pfsync.4 projects/largeSMP/contrib/pf/pfctl/parse.y projects/largeSMP/contrib/pf/pfctl/pf_print_state.c projects/largeSMP/contrib/pf/pfctl/pfctl.8 projects/largeSMP/contrib/pf/pfctl/pfctl.c projects/largeSMP/contrib/pf/pfctl/pfctl.h projects/largeSMP/contrib/pf/pfctl/pfctl_altq.c projects/largeSMP/contrib/pf/pfctl/pfctl_optimize.c projects/largeSMP/contrib/pf/pfctl/pfctl_osfp.c projects/largeSMP/contrib/pf/pfctl/pfctl_parser.c projects/largeSMP/contrib/pf/pfctl/pfctl_parser.h 
projects/largeSMP/contrib/pf/pfctl/pfctl_qstats.c projects/largeSMP/contrib/pf/pfctl/pfctl_radix.c projects/largeSMP/contrib/pf/pfctl/pfctl_table.c projects/largeSMP/contrib/pf/pflogd/pflogd.8 projects/largeSMP/contrib/pf/pflogd/pflogd.c projects/largeSMP/contrib/pf/pflogd/privsep.c projects/largeSMP/contrib/pf/pflogd/privsep_fdpass.c projects/largeSMP/contrib/traceroute/traceroute.c projects/largeSMP/contrib/tzdata/antarctica projects/largeSMP/contrib/tzdata/asia projects/largeSMP/contrib/tzdata/europe projects/largeSMP/contrib/tzdata/southamerica projects/largeSMP/contrib/tzdata/zone.tab projects/largeSMP/etc/devd/usb.conf projects/largeSMP/lib/csu/powerpc64/Makefile projects/largeSMP/lib/libc/gen/getutxent.3 projects/largeSMP/lib/libc/gen/posix_spawn.3 projects/largeSMP/lib/libc/gen/posix_spawn.c projects/largeSMP/lib/libc/gen/pututxline.c projects/largeSMP/lib/libc/stdlib/ptsname.c projects/largeSMP/lib/libmd/sha256.3 projects/largeSMP/lib/libmd/sha512.3 projects/largeSMP/lib/libusb/libusb10.c projects/largeSMP/sbin/hastctl/Makefile projects/largeSMP/sbin/hastd/Makefile projects/largeSMP/sbin/hastd/subr.c projects/largeSMP/sbin/pflogd/Makefile projects/largeSMP/share/misc/iso3166 projects/largeSMP/share/mk/bsd.own.mk projects/largeSMP/sys/boot/i386/zfsboot/zfsldr.S projects/largeSMP/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_dataset.c projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_cache.c projects/largeSMP/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h projects/largeSMP/sys/conf/files projects/largeSMP/sys/contrib/altq/altq/altq_red.c projects/largeSMP/sys/contrib/pf/net/if_pflog.c projects/largeSMP/sys/contrib/pf/net/if_pflog.h projects/largeSMP/sys/contrib/pf/net/if_pfsync.c projects/largeSMP/sys/contrib/pf/net/if_pfsync.h projects/largeSMP/sys/contrib/pf/net/pf.c projects/largeSMP/sys/contrib/pf/net/pf_if.c projects/largeSMP/sys/contrib/pf/net/pf_ioctl.c 
projects/largeSMP/sys/contrib/pf/net/pf_mtag.h projects/largeSMP/sys/contrib/pf/net/pf_norm.c projects/largeSMP/sys/contrib/pf/net/pf_osfp.c projects/largeSMP/sys/contrib/pf/net/pf_ruleset.c projects/largeSMP/sys/contrib/pf/net/pf_table.c projects/largeSMP/sys/contrib/pf/net/pfvar.h projects/largeSMP/sys/dev/acpica/acpi_thermal.c projects/largeSMP/sys/dev/an/if_an.c projects/largeSMP/sys/dev/ath/ath_hal/ah_eeprom_9287.h projects/largeSMP/sys/dev/ath/ath_hal/ar9002/ar9287_attach.c projects/largeSMP/sys/dev/dc/dcphy.c projects/largeSMP/sys/dev/dc/pnphy.c projects/largeSMP/sys/dev/en/if_en_pci.c projects/largeSMP/sys/dev/et/if_et.c projects/largeSMP/sys/dev/fdc/fdc_pccard.c projects/largeSMP/sys/dev/fxp/if_fxp.c projects/largeSMP/sys/dev/iicbus/if_ic.c projects/largeSMP/sys/dev/mfi/mfi_cam.c projects/largeSMP/sys/dev/my/if_my.c projects/largeSMP/sys/dev/pty/pty.c projects/largeSMP/sys/dev/sis/if_sis.c projects/largeSMP/sys/dev/snp/snp.c projects/largeSMP/sys/dev/syscons/scterm-teken.c projects/largeSMP/sys/dev/tdfx/tdfx_pci.c projects/largeSMP/sys/dev/usb/usb_msctest.c projects/largeSMP/sys/geom/part/g_part_ebr.c projects/largeSMP/sys/geom/part/g_part_mbr.c projects/largeSMP/sys/kern/tty.c projects/largeSMP/sys/kern/tty_inq.c projects/largeSMP/sys/kern/tty_outq.c projects/largeSMP/sys/kern/tty_pts.c projects/largeSMP/sys/kern/tty_ttydisc.c projects/largeSMP/sys/modules/Makefile projects/largeSMP/sys/modules/ipdivert/Makefile projects/largeSMP/sys/modules/pf/Makefile projects/largeSMP/sys/modules/pflog/Makefile projects/largeSMP/sys/net/if.c projects/largeSMP/sys/net80211/ieee80211_dfs.c projects/largeSMP/sys/netinet/in_gif.c projects/largeSMP/sys/netinet/ip_divert.c projects/largeSMP/sys/netinet/ip_icmp.c projects/largeSMP/sys/netinet/ipfw/ip_fw2.c projects/largeSMP/sys/netinet/ipfw/ip_fw_pfil.c projects/largeSMP/sys/netinet/raw_ip.c projects/largeSMP/sys/netinet/sctp_uio.h projects/largeSMP/sys/netinet6/icmp6.c projects/largeSMP/sys/netinet6/in6_gif.c 
projects/largeSMP/sys/netipsec/ipsec_input.c projects/largeSMP/sys/netipsec/ipsec_output.c projects/largeSMP/sys/netipsec/xform_ipip.c projects/largeSMP/sys/sys/diskmbr.h projects/largeSMP/sys/sys/mbuf.h projects/largeSMP/sys/sys/param.h projects/largeSMP/sys/teken/demo/teken_demo.c projects/largeSMP/sys/teken/gensequences projects/largeSMP/sys/teken/libteken/teken.3 projects/largeSMP/sys/teken/teken.c projects/largeSMP/sys/teken/teken_subr.h projects/largeSMP/usr.bin/calendar/calendars/ru_RU.KOI8-R/calendar.all projects/largeSMP/usr.bin/tar/write.c projects/largeSMP/usr.sbin/ftp-proxy/ftp-proxy/Makefile Directory Properties: projects/largeSMP/ (props changed) projects/largeSMP/cddl/contrib/opensolaris/ (props changed) projects/largeSMP/contrib/bind9/ (props changed) projects/largeSMP/contrib/binutils/ (props changed) projects/largeSMP/contrib/bzip2/ (props changed) projects/largeSMP/contrib/compiler-rt/ (props changed) projects/largeSMP/contrib/dialog/ (props changed) projects/largeSMP/contrib/ee/ (props changed) projects/largeSMP/contrib/expat/ (props changed) projects/largeSMP/contrib/file/ (props changed) projects/largeSMP/contrib/gcc/ (props changed) projects/largeSMP/contrib/gdb/ (props changed) projects/largeSMP/contrib/gdtoa/ (props changed) projects/largeSMP/contrib/gnu-sort/ (props changed) projects/largeSMP/contrib/groff/ (props changed) projects/largeSMP/contrib/less/ (props changed) projects/largeSMP/contrib/libpcap/ (props changed) projects/largeSMP/contrib/libstdc++/ (props changed) projects/largeSMP/contrib/llvm/ (props changed) projects/largeSMP/contrib/llvm/tools/clang/ (props changed) projects/largeSMP/contrib/ncurses/ (props changed) projects/largeSMP/contrib/netcat/ (props changed) projects/largeSMP/contrib/ntp/ (props changed) projects/largeSMP/contrib/one-true-awk/ (props changed) projects/largeSMP/contrib/openbsm/ (props changed) projects/largeSMP/contrib/openpam/ (props changed) projects/largeSMP/contrib/pf/ (props changed) 
projects/largeSMP/contrib/sendmail/ (props changed) projects/largeSMP/contrib/tcpdump/ (props changed) projects/largeSMP/contrib/tcsh/ (props changed) projects/largeSMP/contrib/tnftp/ (props changed) projects/largeSMP/contrib/top/ (props changed) projects/largeSMP/contrib/top/install-sh (props changed) projects/largeSMP/contrib/tzcode/stdtime/ (props changed) projects/largeSMP/contrib/tzcode/zic/ (props changed) projects/largeSMP/contrib/tzdata/ (props changed) projects/largeSMP/contrib/wpa/ (props changed) projects/largeSMP/contrib/xz/ (props changed) projects/largeSMP/crypto/openssh/ (props changed) projects/largeSMP/crypto/openssl/ (props changed) projects/largeSMP/gnu/lib/ (props changed) projects/largeSMP/gnu/usr.bin/binutils/ (props changed) projects/largeSMP/gnu/usr.bin/cc/cc_tools/ (props changed) projects/largeSMP/gnu/usr.bin/gdb/ (props changed) projects/largeSMP/lib/libc/ (props changed) projects/largeSMP/lib/libc/stdtime/ (props changed) projects/largeSMP/lib/libutil/ (props changed) projects/largeSMP/lib/libz/ (props changed) projects/largeSMP/sbin/ (props changed) projects/largeSMP/sbin/ipfw/ (props changed) projects/largeSMP/share/mk/bsd.arch.inc.mk (props changed) projects/largeSMP/share/zoneinfo/ (props changed) projects/largeSMP/sys/ (props changed) projects/largeSMP/sys/amd64/include/xen/ (props changed) projects/largeSMP/sys/boot/ (props changed) projects/largeSMP/sys/boot/i386/efi/ (props changed) projects/largeSMP/sys/boot/ia64/efi/ (props changed) projects/largeSMP/sys/boot/ia64/ski/ (props changed) projects/largeSMP/sys/boot/powerpc/boot1.chrp/ (props changed) projects/largeSMP/sys/boot/powerpc/ofw/ (props changed) projects/largeSMP/sys/cddl/contrib/opensolaris/ (props changed) projects/largeSMP/sys/conf/ (props changed) projects/largeSMP/sys/contrib/dev/acpica/ (props changed) projects/largeSMP/sys/contrib/octeon-sdk/ (props changed) projects/largeSMP/sys/contrib/pf/ (props changed) projects/largeSMP/sys/contrib/x86emu/ (props changed) 
projects/largeSMP/usr.bin/calendar/ (props changed) projects/largeSMP/usr.bin/csup/ (props changed) projects/largeSMP/usr.bin/procstat/ (props changed) projects/largeSMP/usr.sbin/ndiscvt/ (props changed) projects/largeSMP/usr.sbin/zic/ (props changed) Modified: projects/largeSMP/UPDATING ============================================================================== --- projects/largeSMP/UPDATING Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/UPDATING Tue Jun 28 14:40:17 2011 (r223645) @@ -22,6 +22,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9. machines to maximize performance. (To disable malloc debugging, run ln -s aj /etc/malloc.conf.) +20110628: + The packet filter (pf) code has been updated to OpenBSD 4.5. + You need to update userland tools to be in sync with kernel. + 20110608: The following sysctls and tunables are retired on x86 platforms: machdep.hlt_cpus Modified: projects/largeSMP/bin/sh/arith_yacc.c ============================================================================== --- projects/largeSMP/bin/sh/arith_yacc.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/bin/sh/arith_yacc.c Tue Jun 28 14:40:17 2011 (r223645) @@ -35,7 +35,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); -#include <sys/limits.h> +#include <limits.h> #include <errno.h> #include <inttypes.h> #include <stdlib.h> Modified: projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 ============================================================================== --- projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Tue Jun 28 14:40:17 2011 (r223645) 
@@ -6,6 +6,7 @@ .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] +.\" Copyright 2011 by Delphix. All rights reserved. .TH zfs 1M "24 Sep 2009" "SunOS 5.11" "System Administration Commands" .SH NAME zfs \- configures ZFS file systems @@ -389,7 +390,7 @@ This property can also be referred to by .ad .sp .6 .RS 4n -The compression ratio achieved for this dataset, expressed as a multiplier. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR. +For non-snapshots, the compression ratio achieved for the \fBused\fR space of this dataset, expressed as a multiplier. The \fBused\fR property includes descendant datasets, and, for clones, does not include the space shared with the origin snapshot. For snapshots, the \fBcompressratio\fR is the same as the \fBrefcompressratio\fR property. Compression can be turned on by running: \fBzfs set compression=on \fIdataset\fR\fR. The default value is \fBoff\fR. .RE .sp @@ -453,6 +454,17 @@ This property can also be referred to by .ne 2 .mk .na +\fB\fBrefcompressratio\fR\fR +.ad +.sp .6 +.RS 4n +The compression ratio achieved for the \fBreferenced\fR space of this dataset, expressed as a multiplier. See also the \fBcompressratio\fR property. +.RE + +.sp +.ne 2 +.mk +.na \fB\fBtype\fR\fR .ad .sp .6 
@@ -1278,7 +1290,7 @@ Recursively destroy all dependents, incl Force an unmount of any file systems using the \fBunmount -f\fR command. This option has no effect on non-file systems or unmounted file systems. .RE -Extreme care should be taken when applying either the \fB-r\fR or the \fB-f\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. +Extreme care should be taken when applying either the \fB-r\fR or the \fB-R\fR options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. .RE .sp Modified: projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c ============================================================================== --- projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/cddl/contrib/opensolaris/cmd/zfs/zfs_main.c Tue Jun 28 14:40:17 2011 (r223645) @@ -21,7 +21,7 @@ /* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2010 Nexenta Systems, Inc. All rights reserved. + * Copyright 2011 Nexenta Systems, Inc. All rights reserved. */ #include <assert.h> @@ -1292,7 +1292,7 @@ static int zfs_do_get(int argc, char **argv) { zprop_get_cbdata_t cb = { 0 }; - int i, c, flags = 0; + int i, c, flags = ZFS_ITER_ARGS_CAN_BE_PATHS; char *value, *fields; int ret; int limit = 0; Modified: projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c ============================================================================== --- projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Tue Jun 28 14:40:17 2011 (r223645) 
@@ -22,6 +22,7 @@ /* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2010 Nexenta Systems, Inc. All rights reserved. + * Copyright (c) 2011 by Delphix. All rights reserved. */ #include <ctype.h> @@ -2038,6 +2039,7 @@ zfs_prop_get(zfs_handle_t *zhp, zfs_prop } break; + case ZFS_PROP_REFRATIO: case ZFS_PROP_COMPRESSRATIO: if (get_numeric_property(zhp, prop, src, &source, &val) != 0) return (-1); Modified: projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c ============================================================================== --- projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/contrib/libpcap/bpf/net/bpf_filter.c Tue Jun 28 14:40:17 2011 (r223645) @@ -405,7 +405,18 @@ bpf_filter(pc, p, wirelen, buflen) continue; case BPF_JMP|BPF_JA: +#if defined(KERNEL) || defined(_KERNEL) + /* + * No backward jumps allowed. + */ pc += pc->k; +#else + /* + * XXX - we currently implement "ip6 protochain" + * with backward jumps, so sign-extend pc->k. + */ + pc += (bpf_int32)pc->k; +#endif continue; case BPF_JMP|BPF_JGT|BPF_K: Modified: projects/largeSMP/contrib/ntp/ntpd/ntp_io.c ============================================================================== --- projects/largeSMP/contrib/ntp/ntpd/ntp_io.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/contrib/ntp/ntpd/ntp_io.c Tue Jun 28 14:40:17 2011 (r223645) 
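Review bot: In the userland branch of `case BPF_JMP|BPF_JA`, `pc += (bpf_int32)pc->k` lets a filter move `pc` backwards, and nothing visible in this hunk bounds the jump target or the number of iterations. A program that reaches this interpreter without first passing a validator could loop indefinitely or step outside the instruction array, so the comment should state that callers must validate filters loaded from files or other untrusted sources. In the kernel branch the comment says backward jumps are not allowed, but `pc += pc->k` gets that only from `k` being unsigned; I would word it as `/* k is unsigned, so this can only jump forward; target range is presumably checked by the validator (confirm). */`. The rest of bpf_filter() is outside the hunk.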
@@ -2716,14 +2716,14 @@ sendpkt( for (slot = ERRORCACHESIZE; --slot >= 0; ) if(dest->ss_family == AF_INET) { - if (badaddrs[slot].port == ((struct sockaddr_in*)dest)->sin_port && + if (badaddrs[slot].port == SRCPORT(dest) && badaddrs[slot].addr.s_addr == ((struct sockaddr_in*)dest)->sin_addr.s_addr) break; } #ifdef INCLUDE_IPV6_SUPPORT else if (dest->ss_family == AF_INET6) { - if (badaddrs6[slot].port == ((struct sockaddr_in6*)dest)->sin6_port && - badaddrs6[slot].addr.s6_addr == ((struct sockaddr_in6*)dest)->sin6_addr.s6_addr) + if (badaddrs6[slot].port == SRCPORT(dest) && + !memcmp(&badaddrs6[slot].addr, &((struct sockaddr_in6*)dest)->sin6_addr, sizeof(struct in6_addr))) break; } #endif /* INCLUDE_IPV6_SUPPORT */ Modified: projects/largeSMP/contrib/pf/authpf/authpf.8 ============================================================================== --- projects/largeSMP/contrib/pf/authpf/authpf.8 Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/contrib/pf/authpf/authpf.8 Tue Jun 28 14:40:17 2011 (r223645) @@ -1,5 +1,5 @@ .\" $FreeBSD$ -.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $ +.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $ .\" .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -15,14 +15,16 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd March 28, 2006 +.Dd January 6 2009 .Dt AUTHPF 8 .Os .Sh NAME -.Nm authpf +.Nm authpf , +.Nm authpf-noip .Nd authenticating gateway user shell .Sh SYNOPSIS .Nm authpf +.Nm authpf-noip .Sh DESCRIPTION .Nm is a user shell for authenticating gateways. 
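Review bot: Both lookups in sendpkt() now compare `badaddrs[slot].port` and `badaddrs6[slot].port` against `SRCPORT(dest)` instead of the raw `sin_port`/`sin6_port`, but the code that stores into those caches is outside this hunk. If `SRCPORT()` converts to host byte order while the store side still records the raw network-order field, the entries would never match on little-endian machines and the error cache would silently stop suppressing repeats; please confirm the store side uses the same macro. As a style point, `memcmp(...) == 0` reads more clearly than `!memcmp(...)`, and the IPv4 branch still open-codes the `sockaddr_in` cast for the address while using the macro for the port.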
@@ -31,47 +33,63 @@ It is used to change rules when a user authenticates and starts a session with .Xr sshd 8 and to undo these changes when the user's session exits. -It is designed for changing filter and translation rules for an individual -source IP address as long as a user maintains an active -.Xr ssh 1 -session. Typical use would be for a gateway that authenticates users before allowing them Internet use, or a gateway that allows different users into different places. +Combined with properly set up filter rules and secure switches, .Nm -logs the successful start and end of a session to -.Xr syslogd 8 . -This, combined with properly set up filter rules and secure switches, can be used to ensure users are held accountable for their network traffic. -.Pp -.Nm -can add filter and translation rules using the syntax described in -.Xr pf.conf 5 . -.Nm -requires that the +It is meant to be used with users who can connect via +.Xr ssh 1 +only, and requires the .Xr pf 4 -system be enabled and a -.Xr fdescfs 5 -file system be mounted at -.Pa /dev/fd -before use. +subsystem to be enabled. +.Pp +.Nm authpf-noip +is a user shell +which allows multiple connections to take +place from the same IP address. +It is useful primarily in cases where connections are tunneled via +the gateway system, and can be directly associated with the user name. +It cannot ensure accountability when +classifying connections by IP address; +in this case the client's IP address +is not provided to the packet filter via the +.Ar client_ip +macro or the +.Ar authpf_users +table. +Additionally, states associated with the client IP address +are not purged when the session is ended. +.Pp +To use either .Nm -can also maintain the list of IP address of connected users -in the "authpf_users" -.Pa table . +or +.Nm authpf-noip , +the user's shell needs to be set to +.Pa /usr/sbin/authpf +or +.Pa /usr/sbin/authpf-noip . 
.Pp .Nm -is meant to be used with users who can connect via +uses the +.Xr pf.conf 5 +syntax to change filter and translation rules for an individual +user or client IP address as long as a user maintains an active .Xr ssh 1 -only. -On startup, +session, and logs the successful start and end of a session to +.Xr syslogd 8 . .Nm retrieves the client's connecting IP address via the .Ev SSH_CLIENT environment variable and, after performing additional access checks, reads a template file to determine what filter and translation rules -(if any) to add. -On session exit the same rules that were added at startup are removed. +(if any) to add, and +maintains the list of IP addresses of connected users in the +.Ar authpf_users +table. +On session exit the same rules and table entries that were added at startup +are removed, and all states associated with the client's IP address are purged. .Pp Each .Nm @@ -185,6 +203,9 @@ It is also possible to configure to only allow specific users access. This is done by listing their login names, one per line, in .Pa /etc/authpf/authpf.allow . +A group of users can also be indicated by prepending "%" to the group name, +and all members of a login class can be indicated by prepending "@" to the +login class name. If "*" is found on a line, then all usernames match. If .Nm @@ -297,7 +318,8 @@ They have a wireless network which they would like to protect from unauthorized use. To accomplish this, they create the file .Pa /etc/authpf/authpf.allow -which lists their login ids, one per line. +which lists their login ids, group prepended with "%", or login class +prepended with "@", one per line. At this point, even if eve could authenticate to .Xr sshd 8 , she would not be allowed to use the gateway. 
@@ -501,6 +523,31 @@ table <authpf_users> persist anchor "authpf/*" from <authpf_users> rdr-anchor "authpf/*" from <authpf_users> .Ed +.Pp +.Sy Tunneled users +\- normally +.Nm +allows only one session per client IP address. +However in some cases, such as when connections are tunneled via +.Xr ssh 1 +or +.Xr ipsec 4 , +the connections can be authorized based on the userid of the user instead of +the client IP address. +In this case it is appropriate to use +.Nm authpf-noip +to allow multiple users behind a NAT gateway to connect. +In the +.Pa /etc/authpf/authpf.rules +example below, the remote user could tunnel a remote desktop session to their +workstation: +.Bd -literal +internal_if="bge0" +workstation_ip="10.2.3.4" + +pass out on $internal_if from (self) to $workstation_ip port 3389 \e + user $user_id +.Ed .Sh FILES .Bl -tag -width "/etc/authpf/authpf.conf" -compact .It Pa /etc/authpf/authpf.conf @@ -512,7 +559,6 @@ rdr-anchor "authpf/*" from <authpf_users .Sh SEE ALSO .Xr pf 4 , .Xr pf.conf 5 , -.Xr fdescfs 5 , .Xr securelevel 7 , .Xr ftp-proxy 8 .Sh HISTORY Modified: projects/largeSMP/contrib/pf/authpf/authpf.c ============================================================================== --- projects/largeSMP/contrib/pf/authpf/authpf.c Tue Jun 28 14:26:34 2011 (r223644) +++ projects/largeSMP/contrib/pf/authpf/authpf.c Tue Jun 28 14:40:17 2011 (r223645) @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.104 2007/02/24 17:35:08 beck Exp $ */ +/* $OpenBSD: authpf.c,v 1.112 2009/01/10 19:08:53 miod Exp $ */ /* * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). @@ -19,7 +19,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); -#include <sys/param.h> +#include <sys/types.h> #include <sys/file.h> #include <sys/ioctl.h> #include <sys/socket.h> @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #endif #include <login_cap.h> #include <pwd.h> +#include <grp.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> 
@@ -48,10 +49,11 @@ __FBSDID("$FreeBSD$"); #include "pathnames.h" static int read_config(FILE *); -static void print_message(char *); -static int allowed_luser(char *); -static int check_luser(char *, char *); +static void print_message(const char *); +static int allowed_luser(struct passwd *); +static int check_luser(const char *, char *); static int remove_stale_rulesets(void); +static int recursive_ruleset_purge(char *, char *); static int change_filter(int, const char *, const char *); static int change_table(int, const char *); static void authpf_kill_states(void); @@ -60,8 +62,10 @@ int dev; /* pf device */ char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf"; char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2]; char tablename[PF_TABLE_NAME_SIZE] = "authpf_users"; +int user_ip = 1; /* controls whether $user_ip is set */ FILE *pidfp; +int pidfd = -1; char luser[MAXLOGNAME]; /* username */ char ipsrc[256]; /* ip as a string */ char pidfile[MAXPATHLEN]; /* we save pid in this file. */ @@ -75,6 +79,7 @@ static __dead2 void do_death(int); #else static __dead void do_death(int); #endif +extern char *__progname; /* program name */ /* * User shell for authenticating gateways. Sole purpose is to allow @@ -83,21 +88,24 @@ static __dead void do_death(int); * up. Meant to be used only from ssh(1) connections. */ int -main(int argc, char *argv[]) +main(void) { - int lockcnt = 0, n, pidfd; + int lockcnt = 0, n; FILE *config; struct in6_addr ina; struct passwd *pw; char *cp; gid_t gid; uid_t uid; - char *shell; + const char *shell; login_cap_t *lc; + if (strcmp(__progname, "-authpf-noip") == 0) + user_ip = 0; + config = fopen(PATH_CONFFILE, "r"); if (config == NULL) { - syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE); + syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE); exit(1); } 
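Review bot: In main(), the no-IP mode is chosen by comparing `__progname` with the exact string "-authpf-noip", so it depends on how the caller set argv[0]. The shell check in the following hunk accepts either PATH_AUTHPF_SHELL or PATH_AUTHPF_SHELL_NOIP without tying the result to `user_ip`. If the binary is started with a different argv[0] (no leading dash, or a full path), a user whose shell is the noip one would appear to run in IP mode and have the client address added to the table. Consider deriving the mode from the validated shell once that check has passed, e.g. `user_ip = strcmp(shell, PATH_AUTHPF_SHELL_NOIP) != 0;`, or add a comment explaining why argv[0] is trusted here. main() continues outside this hunk.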
@@ -142,23 +150,34 @@ main(int argc, char *argv[]) } if ((lc = login_getclass(pw->pw_class)) != NULL) - shell = (char *)login_getcapstr(lc, "shell", pw->pw_shell, + shell = login_getcapstr(lc, "shell", pw->pw_shell, pw->pw_shell); else shell = pw->pw_shell; +#ifndef __FreeBSD__ login_close(lc); +#endif - if (strcmp(shell, PATH_AUTHPF_SHELL)) { + if (strcmp(shell, PATH_AUTHPF_SHELL) && + strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) { syslog(LOG_ERR, "wrong shell for user %s, uid %u", pw->pw_name, pw->pw_uid); +#ifdef __FreeBSD__ + login_close(lc); +#else if (shell != pw->pw_shell) free(shell); +#endif goto die; } +#ifdef __FreeBSD__ + login_close(lc); +#else if (shell != pw->pw_shell) free(shell); +#endif /* * Paranoia, but this data _does_ come from outside authpf, and @@ -181,13 +200,22 @@ main(int argc, char *argv[]) } - /* Make our entry in /var/authpf as /var/authpf/ipaddr */ - n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc); + /* Make our entry in /var/authpf as ipaddr or username */ + n = snprintf(pidfile, sizeof(pidfile), "%s/%s", + PATH_PIDFILE, user_ip ? ipsrc : luser); if (n < 0 || (u_int)n >= sizeof(pidfile)) { syslog(LOG_ERR, "path to pidfile too long"); goto die; } + signal(SIGTERM, need_death); + signal(SIGINT, need_death); + signal(SIGALRM, need_death); + signal(SIGPIPE, need_death); + signal(SIGHUP, need_death); + signal(SIGQUIT, need_death); + signal(SIGTSTP, need_death); + /* * If someone else is already using this ip, then this person * wants to switch users - so kill the old process and exit 
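Review bot: With `user_ip ? ipsrc : luser` in the pidfile snprintf(), address-named and user-named pidfiles now share PATH_PIDFILE, and the comment that follows describes treating an existing pidfile as "someone else is already using this ip" and killing the old process. If a login name can ever be spelled like an address string, two unrelated sessions would contend for the same lock file and one could terminate the other. I would keep the two namespaces apart (a distinct prefix or subdirectory for the noip case) and update that comment to cover the username case. The lock loop itself is outside this hunk.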
@@ -241,15 +269,17 @@ main(int argc, char *argv[]) } /* - * we try to kill the previous process and acquire the lock + * We try to kill the previous process and acquire the lock * for 10 seconds, trying once a second. if we can't after - * 10 attempts we log an error and give up + * 10 attempts we log an error and give up. */ - if (++lockcnt > 10) { - syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", - otherpid); + if (want_death || ++lockcnt > 10) { + if (!want_death) + syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", + otherpid); fclose(pidfp); pidfp = NULL; + pidfd = -1; goto dogdeath; } sleep(1); @@ -260,6 +290,7 @@ main(int argc, char *argv[]) */ fclose(pidfp); pidfp = NULL; + pidfd = -1; } while (1); /* whack the group list */ @@ -277,7 +308,7 @@ main(int argc, char *argv[]) } openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); - if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { + if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) { syslog(LOG_INFO, "user %s prohibited", luser); do_death(0); } @@ -302,19 +333,12 @@ main(int argc, char *argv[]) printf("Unable to modify filters\r\n"); do_death(0); } - if (change_table(1, ipsrc) == -1) { + if (user_ip && change_table(1, ipsrc) == -1) { printf("Unable to modify table\r\n"); change_filter(0, luser, ipsrc); do_death(0); } - signal(SIGTERM, need_death); - signal(SIGINT, need_death); - signal(SIGALRM, need_death); - signal(SIGPIPE, need_death); - signal(SIGHUP, need_death); - signal(SIGQUIT, need_death); - signal(SIGTSTP, need_death); while (1) { printf("\r\nHello %s. ", luser); printf("You are authenticated from host \"%s\"\r\n", ipsrc); @@ -337,8 +361,6 @@ dogdeath: sleep(180); /* them lusers read reaaaaal slow */ die: do_death(0); - - /* NOTREACHED */ } /* @@ -361,6 +383,8 @@ read_config(FILE *f) } i++; len = strlen(buf); + if (len == 0) + continue; if (buf[len - 1] != '\n' && !feof(f)) { syslog(LOG_ERR, "line %d too long in %s", i, PATH_CONFFILE); 
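Review bot: The new `if (len == 0) continue;` in read_config() has no comment saying what it protects. Without it, the `buf[len - 1]` test on the next line indexes before the start of the buffer when the read returns a buffer whose first byte is NUL. I would add `/* a line starting with NUL has length 0; never index buf[-1] */`, and consider a syslog() on that path, since a config line is otherwise skipped silently. The read call and the rest of the loop are outside this hunk.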
@@ -413,7 +437,7 @@ parse_error: * they've been bad or we're unavailable. */ static void -print_message(char *filename) +print_message(const char *filename) { char buf[1024]; FILE *f; @@ -436,6 +460,7 @@ print_message(char *filename) * allowed_luser checks to see if user "luser" is allowed to * use this gateway by virtue of being listed in an allowed * users file, namely /etc/authpf/authpf.allow . + * Users may be listed by <username>, %<group>, or @<login_class>. * * If /etc/authpf/authpf.allow does not exist, then we assume that * all users who are allowed in by sshd(8) are permitted to @@ -444,9 +469,9 @@ print_message(char *filename) * the session terminates in the same manner as being banned. */ static int -allowed_luser(char *luser) +allowed_luser(struct passwd *pw) { - char *buf, *lbuf; + char *buf,*lbuf; int matched; size_t len; FILE *f; @@ -476,8 +501,14 @@ allowed_luser(char *luser) * "public" gateway, such as it is, so let * everyone use it. */ + int gl_init = 0, ngroups = NGROUPS + 1; + gid_t groups[NGROUPS + 1]; + lbuf = NULL; + matched = 0; + while ((buf = fgetln(f, &len))) { + if (buf[len - 1] == '\n') buf[len - 1] = '\0'; else { 
@@ -488,7 +519,40 @@ allowed_luser(char *luser) buf = lbuf; } - matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0; + if (buf[0] == '@') { + /* check login class */ + if (strcmp(pw->pw_class, buf + 1) == 0) + matched++; + } else if (buf[0] == '%') { + /* check group membership */ + int cnt; + struct group *group; + + if ((group = getgrnam(buf + 1)) == NULL) { + syslog(LOG_ERR, + "invalid group '%s' in %s (%s)", + buf + 1, PATH_ALLOWFILE, + strerror(errno)); + return (0); + } + + if (!gl_init) { + (void) getgrouplist(pw->pw_name, + pw->pw_gid, groups, &ngroups); + gl_init++; + } + + for ( cnt = 0; cnt < ngroups; cnt++) { + if (group->gr_gid == groups[cnt]) { + matched++; + break; + } + } + } else { + /* check username and wildcard */ + matched = strcmp(pw->pw_name, buf) == 0 || + strcmp("*", buf) == 0; + } if (lbuf != NULL) { free(lbuf); @@ -496,13 +560,13 @@ allowed_luser(char *luser) } if (matched) - return (1); /* matched an allowed username */ + return (1); /* matched an allowed user/group */ } syslog(LOG_INFO, "denied access to %s: not listed in %s", - luser, PATH_ALLOWFILE); + pw->pw_name, PATH_ALLOWFILE); /* reuse buf */ - buf = "\n\nSorry, you are not allowed to use this facility!\n"; + sprintf(buf, "%s", "\n\nSorry, you are not allowed to use this facility!\n"); fputs(buf, stdout); } fflush(stdout); @@ -520,13 +584,13 @@ allowed_luser(char *luser) * going to be un-banned.) */ static int -check_luser(char *luserdir, char *luser) +check_luser(const char *luserdir, char *l_user) { FILE *f; int n; char tmp[MAXPATHLEN]; - n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser); + n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, l_user); if (n < 0 || (u_int)n >= sizeof(tmp)) { syslog(LOG_ERR, "provided banned directory line too long (%s)", luserdir); 
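Review bot: The return value of `getgrouplist()` is discarded, so when the user belongs to more groups than `groups[]` holds, `ngroups` may come back larger than the array (some implementations report the required count) and the `for ( cnt = 0; cnt < ngroups; cnt++)` loop would read past the end of `groups`. Clamp it: `if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1) ngroups = NGROUPS + 1;`. Separately, the `return (0)` on an unknown group skips the cleanup done on the normal path (`lbuf` may be allocated and `f` is still open, as far as this hunk shows). `strerror(errno)` is also not meaningful when `getgrnam()` simply finds no entry. allowed_luser() starts and ends outside this hunk.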
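Review bot: `sprintf(buf, "%s", ...)` writes through `buf`, but this statement is reached only after the `while ((buf = fgetln(f, &len)))` loop has ended, which means `buf` is NULL. Even inside the loop `buf` points into fgetln's own storage of `len` bytes. The denied-user path would therefore fault instead of printing the message. No copy is needed: `fputs("\n\nSorry, you are not allowed to use this facility!\n", stdout);`. The loop header is in the previous hunk's context, so please confirm no other assignment to `buf` intervenes.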
@@ -555,7 +619,7 @@ check_luser(char *luserdir, char *luser) * tell what they can do and where they can go. */ syslog(LOG_INFO, "denied access to %s: %s exists", - luser, tmp); + l_user, tmp); /* reuse tmp */ strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n", @@ -581,7 +645,7 @@ static int remove_stale_rulesets(void) { struct pfioc_ruleset prs; - u_int32_t nr, mnr; + u_int32_t nr; memset(&prs, 0, sizeof(prs)); strlcpy(prs.path, anchorname, sizeof(prs.path)); @@ -592,13 +656,12 @@ remove_stale_rulesets(void) return (1); } - mnr = prs.nr; - nr = 0; - while (nr < mnr) { + nr = prs.nr; + while (nr) { char *s, *t; pid_t pid; - prs.nr = nr; + prs.nr = nr - 1; if (ioctl(dev, DIOCGETRULESET, &prs)) return (1); errno = 0; 
@@ -610,119 +673,159 @@ remove_stale_rulesets(void) if (!prs.name[0] || errno || (*s && (t == prs.name || *s != ')'))) return (1); - if (kill(pid, 0) && errno != EPERM) { - int i; - struct pfioc_trans_e t_e[PF_RULESET_MAX+1]; - struct pfioc_trans t; - - bzero(&t, sizeof(t)); - bzero(t_e, sizeof(t_e)); - t.size = PF_RULESET_MAX+1; - t.esize = sizeof(t_e[0]); - t.array = t_e; - for (i = 0; i < PF_RULESET_MAX+1; ++i) { - t_e[i].rs_num = i; - snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), - "%s/%s", anchorname, prs.name); - } - t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE; - if ((ioctl(dev, DIOCXBEGIN, &t) || - ioctl(dev, DIOCXCOMMIT, &t)) && - errno != EINVAL) + if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) { + if (recursive_ruleset_purge(anchorname, prs.name)) return (1); - mnr--; - } else - nr++; + } + nr--; } return (0); } +static int +recursive_ruleset_purge(char *an, char *rs) +{ + struct pfioc_trans_e *t_e = NULL; + struct pfioc_trans *t = NULL; + struct pfioc_ruleset *prs = NULL; + int i; + + + /* purge rules */ + errno = 0; + if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL) + goto no_mem; + if ((t_e = calloc(PF_RULESET_MAX+1, + sizeof(struct pfioc_trans_e))) == NULL) + goto no_mem; + t->size = PF_RULESET_MAX+1; + t->esize = sizeof(struct pfioc_trans_e); + t->array = t_e; + for (i = 0; i < PF_RULESET_MAX+1; ++i) { + t_e[i].rs_num = i; + snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs); + } + t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE; + if ((ioctl(dev, DIOCXBEGIN, t) || + ioctl(dev, DIOCXCOMMIT, t)) && + errno != EINVAL) + goto cleanup; + + /* purge any children */ + if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL) + goto no_mem; + snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs); + if (ioctl(dev, DIOCGETRULESETS, prs)) { + if (errno != EINVAL) + goto cleanup; + errno = 0; + } else { + int nr = prs->nr; + + while (nr) { + prs->nr = 0; + if (ioctl(dev, DIOCGETRULESET, prs)) + goto cleanup; + + if 
(recursive_ruleset_purge(prs->path, prs->name)) + goto cleanup; + nr--; + } + } + +no_mem: + if (errno == ENOMEM) + syslog(LOG_ERR, "calloc failed"); + +cleanup: + free(t); + free(t_e); + free(prs); + return (errno); +} + /* * Add/remove filter entries for user "luser" from ip "ipsrc" */ static int -change_filter(int add, const char *luser, const char *ipsrc) +change_filter(int add, const char *l_user, const char *ip_src) { - char *pargv[13] = { - "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset", - "-D", "user_ip=X", "-D", "user_id=X", "-f", - "file", NULL - }; char *fdpath = NULL, *userstr = NULL, *ipstr = NULL; char *rsn = NULL, *fn = NULL; pid_t pid; gid_t gid; int s; - if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) { - syslog(LOG_ERR, "invalid luser/ipsrc"); - goto error; - } - - if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1) - goto no_mem; - if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1) - goto no_mem; - if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1) - goto no_mem; - if (asprintf(&userstr, "user_id=%s", luser) == -1) - goto no_mem; - if (add) { struct stat sb; + char *pargv[13] = { + "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset", + "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL + }; - if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser) - == -1) + if (l_user == NULL || !l_user[0] || ip_src == NULL || !ip_src[0]) { + syslog(LOG_ERR, "invalid luser/ipsrc"); + goto error; + } + + if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1) + goto no_mem; + if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1) + goto no_mem; + if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1) + goto no_mem; + if (asprintf(&userstr, "user_id=%s", l_user) == -1) + goto no_mem; + if (asprintf(&fn, "%s/%s/authpf.rules", + PATH_USER_DIR, l_user) == -1) goto no_mem; if (stat(fn, &sb) == -1) { free(fn); if ((fn = strdup(PATH_PFRULES)) == NULL) goto no_mem; } - } - pargv[2] = fdpath; - pargv[5] = rsn; - pargv[7] = userstr; - 
pargv[9] = ipstr; - if (!add) - pargv[11] = "/dev/null"; - else - pargv[11] = fn; + pargv[2] = fdpath; + pargv[5] = rsn; + pargv[7] = userstr; + if (user_ip) { + pargv[9] = ipstr; + pargv[11] = fn; + } else { + pargv[8] = "-f"; + pargv[9] = fn; + pargv[10] = NULL; + } - switch (pid = fork()) { - case -1: - syslog(LOG_ERR, "fork failed"); - goto error; - case 0: - /* revoke group privs before exec */ - gid = getgid(); - if (setregid(gid, gid) == -1) { - err(1, "setregid"); - } - execvp(PATH_PFCTL, pargv); - warn("exec of %s failed", PATH_PFCTL); - _exit(1); - } - - /* parent */ - waitpid(pid, &s, 0); - if (s != 0) { - syslog(LOG_ERR, "pfctl exited abnormally"); - goto error; - } + switch (pid = fork()) { + case -1: + syslog(LOG_ERR, "fork failed"); + goto error; + case 0: + /* revoke group privs before exec */ + gid = getgid(); + if (setregid(gid, gid) == -1) { + err(1, "setregid"); + } + execvp(PATH_PFCTL, pargv); + warn("exec of %s failed", PATH_PFCTL); + _exit(1); + } + + /* parent */ + waitpid(pid, &s, 0); + if (s != 0) { + syslog(LOG_ERR, "pfctl exited abnormally"); + goto error; + } - if (add) { gettimeofday(&Tstart, NULL); - syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser); + syslog(LOG_INFO, "allowing %s, user %s", ip_src, l_user); } else { + remove_stale_rulesets(); + gettimeofday(&Tend, NULL); -#ifdef __FreeBSD__ - syslog(LOG_INFO, "removed %s, user %s - duration %jd seconds", - ipsrc, luser, (intmax_t)(Tend.tv_sec - Tstart.tv_sec)); -#else - syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds", - ipsrc, luser, Tend.tv_sec - Tstart.tv_sec); -#endif + syslog(LOG_INFO, "removed %s, user %s - duration %ju seconds", + ip_src, l_user, (uintmax_t)(Tend.tv_sec - Tstart.tv_sec)); } return (0); no_mem: @@ -740,7 +843,7 @@ error: * Add/remove this IP from the "authpf_users" table. */ static int -change_table(int add, const char *ipsrc) +change_table(int add, const char *ip_src) { struct pfioc_table io; struct pfr_addr addr; 
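Review bot: recursive_ruleset_purge() reports its status with `return (errno)`, which turns a deliberately tolerated error into a failure. When DIOCXBEGIN or DIOCXCOMMIT fails with EINVAL the code continues, and if DIOCGETRULESETS then succeeds errno is still EINVAL at `cleanup:`, so remove_stale_rulesets() treats the purge as failed. The three free() calls before the return may also change errno. An explicit status would be safer: `int rc = 1;`, set `rc = 0;` just before the `no_mem:` label, and end with `return (rc);`. In the removal branch of change_filter() the result of `remove_stale_rulesets();` is dropped, so a session whose anchor could not be purged is still logged as "removed" while its rules may remain loaded. I would at least log that case: `if (remove_stale_rulesets()) syslog(LOG_ERR, "cannot remove rulesets for %s", l_user);`.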
@@ -753,12 +856,12 @@ change_table(int add, const char *ipsrc) io.pfrio_size = 1; bzero(&addr, sizeof(addr)); - if (ipsrc == NULL || !ipsrc[0]) + if (ip_src == NULL || !ip_src[0]) return (-1); - if (inet_pton(AF_INET, ipsrc, &addr.pfra_ip4addr) == 1) { + if (inet_pton(AF_INET, ip_src, &addr.pfra_ip4addr) == 1) { addr.pfra_af = AF_INET; addr.pfra_net = 32; - } else if (inet_pton(AF_INET6, ipsrc, &addr.pfra_ip6addr) == 1) { + } else if (inet_pton(AF_INET6, ip_src, &addr.pfra_ip6addr) == 1) { addr.pfra_af = AF_INET6; addr.pfra_net = 128; } else { @@ -769,7 +872,7 @@ change_table(int add, const char *ipsrc) if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) && errno != ESRCH) { syslog(LOG_ERR, "cannot %s %s from table %s: %s", - add ? "add" : "remove", ipsrc, tablename, + add ? "add" : "remove", ip_src, tablename, strerror(errno)); return (-1); } @@ -821,7 +924,7 @@ authpf_kill_states(void) /* signal handler that makes us go away properly */ static void -need_death(int signo) +need_death(int signo __unused) { want_death = 1; } @@ -840,11 +943,12 @@ do_death(int active) if (active) { change_filter(0, luser, ipsrc); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***help
