From owner-p4-projects@FreeBSD.ORG Tue Jul 3 22:58:20 2007
Date: Tue, 3 Jul 2007 22:58:10 GMT
Message-Id: <200707032258.l63MwAEl036038@repoman.freebsd.org>
From: Peter Wemm To: Perforce Change Reviews Cc: Subject: PERFORCE change 122811 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jul 2007 22:58:20 -0000 http://perforce.freebsd.org/chv.cgi?CH=122811 Change 122811 by peter@peter_daintree on 2007/07/03 22:57:37 IFC @122807 Affected files ... .. //depot/projects/hammer/ObsoleteFiles.inc#29 integrate .. //depot/projects/hammer/UPDATING#103 integrate .. //depot/projects/hammer/bin/ed/Makefile#11 integrate .. //depot/projects/hammer/contrib/netcat/netcat.c#4 integrate .. //depot/projects/hammer/contrib/pf/authpf/authpf.8#5 integrate .. //depot/projects/hammer/contrib/pf/authpf/authpf.c#6 integrate .. //depot/projects/hammer/contrib/pf/ftp-proxy/filter.c#1 branch .. //depot/projects/hammer/contrib/pf/ftp-proxy/filter.h#1 branch .. //depot/projects/hammer/contrib/pf/ftp-proxy/ftp-proxy.8#5 integrate .. //depot/projects/hammer/contrib/pf/ftp-proxy/ftp-proxy.c#5 integrate .. //depot/projects/hammer/contrib/pf/ftp-proxy/getline.c#3 delete .. //depot/projects/hammer/contrib/pf/ftp-proxy/util.c#4 delete .. //depot/projects/hammer/contrib/pf/ftp-proxy/util.h#3 delete .. //depot/projects/hammer/contrib/pf/libevent/buffer.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/evbuffer.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/event-internal.h#1 branch .. //depot/projects/hammer/contrib/pf/libevent/event.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/event.h#1 branch .. //depot/projects/hammer/contrib/pf/libevent/evsignal.h#1 branch .. //depot/projects/hammer/contrib/pf/libevent/kqueue.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/log.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/log.h#1 branch .. //depot/projects/hammer/contrib/pf/libevent/poll.c#1 branch .. 
//depot/projects/hammer/contrib/pf/libevent/select.c#1 branch .. //depot/projects/hammer/contrib/pf/libevent/signal.c#1 branch .. //depot/projects/hammer/contrib/pf/man/pf.4#8 integrate .. //depot/projects/hammer/contrib/pf/man/pf.conf.5#12 integrate .. //depot/projects/hammer/contrib/pf/man/pf.os.5#5 integrate .. //depot/projects/hammer/contrib/pf/man/pflog.4#6 integrate .. //depot/projects/hammer/contrib/pf/man/pfsync.4#10 integrate .. //depot/projects/hammer/contrib/pf/pfctl/parse.y#6 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pf_print_state.c#4 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl.8#5 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl.c#5 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl.h#5 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_altq.c#7 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_optimize.c#2 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_osfp.c#4 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_parser.c#6 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_parser.h#5 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_radix.c#4 integrate .. //depot/projects/hammer/contrib/pf/pfctl/pfctl_table.c#6 integrate .. //depot/projects/hammer/contrib/pf/pflogd/pflogd.8#5 integrate .. //depot/projects/hammer/contrib/pf/pflogd/pflogd.c#9 integrate .. //depot/projects/hammer/contrib/pf/pflogd/pflogd.h#2 integrate .. //depot/projects/hammer/contrib/pf/pflogd/privsep.c#3 integrate .. //depot/projects/hammer/contrib/pf/tftp-proxy/filter.c#1 branch .. //depot/projects/hammer/contrib/pf/tftp-proxy/filter.h#1 branch .. //depot/projects/hammer/contrib/pf/tftp-proxy/tftp-proxy.8#1 branch .. //depot/projects/hammer/contrib/pf/tftp-proxy/tftp-proxy.c#1 branch .. //depot/projects/hammer/contrib/telnet/telnet/externs.h#2 integrate .. //depot/projects/hammer/contrib/traceroute/traceroute.c#9 integrate .. 
//depot/projects/hammer/etc/mtree/BSD.include.dist#45 integrate .. //depot/projects/hammer/include/Makefile#67 integrate .. //depot/projects/hammer/lib/libc/net/sctp_sys_calls.c#7 integrate .. //depot/projects/hammer/lib/libipsec/Makefile#11 integrate .. //depot/projects/hammer/lib/libipsec/ipsec_dump_policy.c#4 integrate .. //depot/projects/hammer/lib/libipsec/ipsec_get_policylen.c#2 integrate .. //depot/projects/hammer/lib/libipsec/ipsec_set_policy.3#9 integrate .. //depot/projects/hammer/lib/libipsec/ipsec_strerror.3#7 integrate .. //depot/projects/hammer/lib/libipsec/ipsec_strerror.c#2 integrate .. //depot/projects/hammer/lib/libipsec/pfkey.c#4 integrate .. //depot/projects/hammer/lib/libipsec/pfkey_dump.c#7 integrate .. //depot/projects/hammer/lib/libipsec/policy_parse.y#3 integrate .. //depot/projects/hammer/lib/libipsec/policy_token.l#4 integrate .. //depot/projects/hammer/lib/libipsec/test-policy.c#3 integrate .. //depot/projects/hammer/libexec/Makefile#32 integrate .. //depot/projects/hammer/libexec/ftp-proxy/Makefile#3 delete .. //depot/projects/hammer/libexec/tftp-proxy/Makefile#1 branch .. //depot/projects/hammer/release/doc/en_US.ISO8859-1/relnotes/article.sgml#9 integrate .. //depot/projects/hammer/release/i386/fixit_crunch.conf#9 integrate .. //depot/projects/hammer/sbin/dhclient/dhclient-script#11 integrate .. //depot/projects/hammer/sbin/pfctl/Makefile#7 integrate .. //depot/projects/hammer/sbin/ping/ping.c#22 integrate .. //depot/projects/hammer/sbin/ping6/Makefile#6 integrate .. //depot/projects/hammer/sbin/ping6/ping6.c#10 integrate .. //depot/projects/hammer/sbin/setkey/Makefile#4 integrate .. //depot/projects/hammer/sbin/setkey/parse.y#3 integrate .. //depot/projects/hammer/sbin/setkey/setkey.c#2 integrate .. //depot/projects/hammer/sbin/setkey/test-pfkey.c#2 integrate .. //depot/projects/hammer/sbin/setkey/test-policy.c#2 integrate .. //depot/projects/hammer/sbin/setkey/token.l#3 integrate .. 
//depot/projects/hammer/share/man/man4/ath.4#34 integrate .. //depot/projects/hammer/share/man/man4/ieee80211.4#7 integrate .. //depot/projects/hammer/share/man/man4/msk.4#3 integrate .. //depot/projects/hammer/share/man/man4/wi.4#28 integrate .. //depot/projects/hammer/share/man/man7/hier.7#35 integrate .. //depot/projects/hammer/share/man/man9/ieee80211_ioctl.9#5 integrate .. //depot/projects/hammer/share/misc/committers-ports.dot#4 integrate .. //depot/projects/hammer/share/mk/sys.mk#23 integrate .. //depot/projects/hammer/sys/Makefile#16 integrate .. //depot/projects/hammer/sys/amd64/amd64/pmap.c#161 integrate .. //depot/projects/hammer/sys/amd64/conf/GENERIC#96 integrate .. //depot/projects/hammer/sys/amd64/conf/NOTES#100 integrate .. //depot/projects/hammer/sys/cam/scsi/scsi_da.c#43 integrate .. //depot/projects/hammer/sys/conf/NOTES#121 integrate .. //depot/projects/hammer/sys/conf/files#153 integrate .. //depot/projects/hammer/sys/conf/files.amd64#92 integrate .. //depot/projects/hammer/sys/conf/files.arm#9 integrate .. //depot/projects/hammer/sys/conf/files.i386#78 integrate .. //depot/projects/hammer/sys/conf/files.ia64#39 integrate .. //depot/projects/hammer/sys/conf/files.pc98#61 integrate .. //depot/projects/hammer/sys/conf/files.powerpc#23 integrate .. //depot/projects/hammer/sys/conf/files.sparc64#41 integrate .. //depot/projects/hammer/sys/conf/files.sun4v#3 integrate .. //depot/projects/hammer/sys/conf/options#108 integrate .. //depot/projects/hammer/sys/contrib/altq/altq/altq_cbq.c#4 integrate .. //depot/projects/hammer/sys/contrib/altq/altq/altq_hfsc.c#3 integrate .. //depot/projects/hammer/sys/contrib/altq/altq/altq_priq.c#3 integrate .. //depot/projects/hammer/sys/contrib/altq/altq/altq_red.c#3 integrate .. //depot/projects/hammer/sys/contrib/pf/net/if_pflog.c#19 integrate .. //depot/projects/hammer/sys/contrib/pf/net/if_pflog.h#8 integrate .. //depot/projects/hammer/sys/contrib/pf/net/if_pfsync.c#26 integrate .. 
//depot/projects/hammer/sys/contrib/pf/net/if_pfsync.h#7 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf.c#30 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_if.c#9 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_ioctl.c#24 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_mtag.h#1 branch .. //depot/projects/hammer/sys/contrib/pf/net/pf_norm.c#13 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_osfp.c#5 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_ruleset.c#1 branch .. //depot/projects/hammer/sys/contrib/pf/net/pf_subr.c#3 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pf_table.c#6 integrate .. //depot/projects/hammer/sys/contrib/pf/net/pfvar.h#13 integrate .. //depot/projects/hammer/sys/crypto/via/padlock.c#6 integrate .. //depot/projects/hammer/sys/dev/isp/isp.c#26 integrate .. //depot/projects/hammer/sys/dev/isp/isp_freebsd.h#22 integrate .. //depot/projects/hammer/sys/dev/isp/isp_library.c#7 integrate .. //depot/projects/hammer/sys/dev/isp/ispvar.h#20 integrate .. //depot/projects/hammer/sys/dev/snp/snp.c#22 integrate .. //depot/projects/hammer/sys/dev/sound/pci/hda/hdac.c#8 integrate .. //depot/projects/hammer/sys/dev/sound/pci/hda/hdac_private.h#5 integrate .. //depot/projects/hammer/sys/dev/sound/pcm/ac97_patch.c#9 integrate .. //depot/projects/hammer/sys/dev/usb/umass.c#45 integrate .. //depot/projects/hammer/sys/dev/usb/usbdevs#81 integrate .. //depot/projects/hammer/sys/fs/devfs/devfs_int.h#4 integrate .. //depot/projects/hammer/sys/fs/devfs/devfs_vnops.c#51 integrate .. //depot/projects/hammer/sys/i386/conf/GENERIC#54 integrate .. //depot/projects/hammer/sys/i386/conf/NOTES#90 integrate .. //depot/projects/hammer/sys/i386/i386/pmap.c#93 integrate .. //depot/projects/hammer/sys/kern/kern_conf.c#44 integrate .. //depot/projects/hammer/sys/kern/kern_descrip.c#69 integrate .. //depot/projects/hammer/sys/kern/kern_lockf.c#15 integrate .. 
//depot/projects/hammer/sys/kern/kern_priv.c#3 integrate .. //depot/projects/hammer/sys/kern/subr_smp.c#30 integrate .. //depot/projects/hammer/sys/kern/sysv_sem.c#27 integrate .. //depot/projects/hammer/sys/kern/tty_pts.c#6 integrate .. //depot/projects/hammer/sys/kern/tty_pty.c#34 integrate .. //depot/projects/hammer/sys/kern/tty_tty.c#13 integrate .. //depot/projects/hammer/sys/kern/uipc_syscalls.c#63 integrate .. //depot/projects/hammer/sys/modules/ipfw/Makefile#9 integrate .. //depot/projects/hammer/sys/modules/pf/Makefile#13 integrate .. //depot/projects/hammer/sys/net/if_ethersubr.c#64 integrate .. //depot/projects/hammer/sys/net/if_ppp.c#30 integrate .. //depot/projects/hammer/sys/net/pfkeyv2.h#8 integrate .. //depot/projects/hammer/sys/net80211/ieee80211_radiotap.h#9 integrate .. //depot/projects/hammer/sys/netinet/in_pcb.c#49 integrate .. //depot/projects/hammer/sys/netinet/in_pcb.h#34 integrate .. //depot/projects/hammer/sys/netinet/in_proto.c#23 integrate .. //depot/projects/hammer/sys/netinet/ip_fw2.c#83 integrate .. //depot/projects/hammer/sys/netinet/ip_icmp.c#34 integrate .. //depot/projects/hammer/sys/netinet/ip_input.c#66 integrate .. //depot/projects/hammer/sys/netinet/ip_ipsec.c#5 integrate .. //depot/projects/hammer/sys/netinet/ip_output.c#64 integrate .. //depot/projects/hammer/sys/netinet/raw_ip.c#48 integrate .. //depot/projects/hammer/sys/netinet/sctp_indata.c#10 integrate .. //depot/projects/hammer/sys/netinet/sctp_input.c#9 integrate .. //depot/projects/hammer/sys/netinet/sctp_input.h#5 integrate .. //depot/projects/hammer/sys/netinet/sctp_os_bsd.h#9 integrate .. //depot/projects/hammer/sys/netinet/sctp_output.c#9 integrate .. //depot/projects/hammer/sys/netinet/sctp_pcb.c#9 integrate .. //depot/projects/hammer/sys/netinet/sctp_usrreq.c#9 integrate .. //depot/projects/hammer/sys/netinet/sctp_var.h#6 integrate .. //depot/projects/hammer/sys/netinet/sctputil.c#11 integrate .. //depot/projects/hammer/sys/netinet/tcp_input.c#74 integrate .. 
//depot/projects/hammer/sys/netinet/tcp_output.c#43 integrate .. //depot/projects/hammer/sys/netinet/tcp_subr.c#66 integrate .. //depot/projects/hammer/sys/netinet/tcp_syncache.c#43 integrate .. //depot/projects/hammer/sys/netinet/udp_usrreq.c#48 integrate .. //depot/projects/hammer/sys/netinet6/ah.h#5 delete .. //depot/projects/hammer/sys/netinet6/ah6.h#4 delete .. //depot/projects/hammer/sys/netinet6/ah_aesxcbcmac.c#5 delete .. //depot/projects/hammer/sys/netinet6/ah_aesxcbcmac.h#3 delete .. //depot/projects/hammer/sys/netinet6/ah_core.c#13 delete .. //depot/projects/hammer/sys/netinet6/ah_input.c#8 delete .. //depot/projects/hammer/sys/netinet6/ah_output.c#9 delete .. //depot/projects/hammer/sys/netinet6/esp.h#4 delete .. //depot/projects/hammer/sys/netinet6/esp6.h#3 delete .. //depot/projects/hammer/sys/netinet6/esp_aesctr.c#6 delete .. //depot/projects/hammer/sys/netinet6/esp_aesctr.h#3 delete .. //depot/projects/hammer/sys/netinet6/esp_camellia.c#2 delete .. //depot/projects/hammer/sys/netinet6/esp_camellia.h#2 delete .. //depot/projects/hammer/sys/netinet6/esp_core.c#11 delete .. //depot/projects/hammer/sys/netinet6/esp_input.c#11 delete .. //depot/projects/hammer/sys/netinet6/esp_rijndael.c#7 delete .. //depot/projects/hammer/sys/netinet6/esp_rijndael.h#5 delete .. //depot/projects/hammer/sys/netinet6/icmp6.c#29 integrate .. //depot/projects/hammer/sys/netinet6/in6.h#17 integrate .. //depot/projects/hammer/sys/netinet6/in6_pcb.c#30 integrate .. //depot/projects/hammer/sys/netinet6/in6_proto.c#18 integrate .. //depot/projects/hammer/sys/netinet6/ip6_forward.c#18 integrate .. //depot/projects/hammer/sys/netinet6/ip6_input.c#31 integrate .. //depot/projects/hammer/sys/netinet6/ip6_ipsec.c#1 branch .. //depot/projects/hammer/sys/netinet6/ip6_ipsec.h#1 branch .. //depot/projects/hammer/sys/netinet6/ip6_output.c#43 integrate .. //depot/projects/hammer/sys/netinet6/ipcomp.h#3 delete .. //depot/projects/hammer/sys/netinet6/ipcomp6.h#3 delete .. 
//depot/projects/hammer/sys/netinet6/ipcomp_core.c#6 delete .. //depot/projects/hammer/sys/netinet6/ipcomp_input.c#6 delete .. //depot/projects/hammer/sys/netinet6/ipcomp_output.c#6 delete .. //depot/projects/hammer/sys/netinet6/ipsec.c#22 delete .. //depot/projects/hammer/sys/netinet6/ipsec.h#9 delete .. //depot/projects/hammer/sys/netinet6/ipsec6.h#6 delete .. //depot/projects/hammer/sys/netinet6/nd6.c#31 integrate .. //depot/projects/hammer/sys/netinet6/nd6_nbr.c#22 integrate .. //depot/projects/hammer/sys/netinet6/raw_ip6.c#30 integrate .. //depot/projects/hammer/sys/netinet6/sctp6_usrreq.c#9 integrate .. //depot/projects/hammer/sys/netinet6/udp6_output.c#17 integrate .. //depot/projects/hammer/sys/netinet6/udp6_usrreq.c#27 integrate .. //depot/projects/hammer/sys/netipsec/ipsec.c#18 integrate .. //depot/projects/hammer/sys/netipsec/ipsec.h#12 integrate .. //depot/projects/hammer/sys/netipsec/ipsec6.h#3 integrate .. //depot/projects/hammer/sys/netipsec/ipsec_mbuf.c#8 integrate .. //depot/projects/hammer/sys/netipsec/ipsec_output.c#11 integrate .. //depot/projects/hammer/sys/netipsec/key.c#17 integrate .. //depot/projects/hammer/sys/netipsec/key_debug.c#5 integrate .. //depot/projects/hammer/sys/netipsec/keysock.c#14 integrate .. //depot/projects/hammer/sys/netipsec/xform_ah.c#12 integrate .. //depot/projects/hammer/sys/netipsec/xform_ipip.c#11 integrate .. //depot/projects/hammer/sys/netkey/key.c#25 delete .. //depot/projects/hammer/sys/netkey/key.h#5 delete .. //depot/projects/hammer/sys/netkey/key_debug.c#8 delete .. //depot/projects/hammer/sys/netkey/key_debug.h#5 delete .. //depot/projects/hammer/sys/netkey/key_var.h#4 delete .. //depot/projects/hammer/sys/netkey/keydb.c#8 delete .. //depot/projects/hammer/sys/netkey/keydb.h#7 delete .. //depot/projects/hammer/sys/netkey/keysock.c#17 delete .. //depot/projects/hammer/sys/netkey/keysock.h#5 delete .. //depot/projects/hammer/sys/nfsclient/nfs_bio.c#43 integrate .. 
//depot/projects/hammer/sys/nfsclient/nfs_subs.c#28 integrate .. //depot/projects/hammer/sys/security/audit/audit.c#9 integrate .. //depot/projects/hammer/sys/security/audit/audit_bsm.c#9 integrate .. //depot/projects/hammer/sys/sys/conf.h#41 integrate .. //depot/projects/hammer/sys/sys/mbuf.h#60 integrate .. //depot/projects/hammer/sys/sys/param.h#88 integrate .. //depot/projects/hammer/sys/sys/systm.h#47 integrate .. //depot/projects/hammer/sys/ufs/ufs/dir.h#5 integrate .. //depot/projects/hammer/sys/vm/vm_pageout.c#44 integrate .. //depot/projects/hammer/tools/tools/tinybsd/conf/bridge/tinybsd.basefiles#3 integrate .. //depot/projects/hammer/tools/tools/tinybsd/conf/default/tinybsd.basefiles#3 integrate .. //depot/projects/hammer/tools/tools/tinybsd/conf/wireless/tinybsd.basefiles#3 integrate .. //depot/projects/hammer/tools/tools/tinybsd/conf/wrap/tinybsd.basefiles#3 integrate .. //depot/projects/hammer/usr.bin/netstat/Makefile#14 integrate .. //depot/projects/hammer/usr.bin/netstat/ipsec.c#7 integrate .. //depot/projects/hammer/usr.bin/netstat/main.c#23 integrate .. //depot/projects/hammer/usr.bin/netstat/netstat.h#17 integrate .. //depot/projects/hammer/usr.bin/netstat/pfkey.c#3 integrate .. //depot/projects/hammer/usr.bin/telnet/Makefile#9 integrate .. //depot/projects/hammer/usr.sbin/Makefile#78 integrate .. //depot/projects/hammer/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c#6 integrate .. //depot/projects/hammer/usr.sbin/ftp-proxy/Makefile#1 branch .. //depot/projects/hammer/usr.sbin/ftp-proxy/Makefile.inc#1 branch .. //depot/projects/hammer/usr.sbin/ftp-proxy/ftp-proxy/Makefile#1 branch .. //depot/projects/hammer/usr.sbin/ftp-proxy/libevent/Makefile#1 branch .. //depot/projects/hammer/usr.sbin/inetd/Makefile#8 integrate .. //depot/projects/hammer/usr.sbin/inetd/inetd.c#19 integrate .. //depot/projects/hammer/usr.sbin/rrenumd/Makefile#4 integrate .. //depot/projects/hammer/usr.sbin/rrenumd/rrenumd.c#4 integrate .. 
//depot/projects/hammer/usr.sbin/traceroute6/Makefile#4 integrate .. //depot/projects/hammer/usr.sbin/traceroute6/traceroute6.c#10 integrate .. //depot/projects/hammer/usr.sbin/wicontrol/Makefile#3 delete .. //depot/projects/hammer/usr.sbin/wicontrol/wicontrol.8#15 delete .. //depot/projects/hammer/usr.sbin/wicontrol/wicontrol.c#11 delete Differences ... ==== //depot/projects/hammer/ObsoleteFiles.inc#29 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD: src/ObsoleteFiles.inc,v 1.97 2007/06/25 05:06:52 rafan Exp $ +# $FreeBSD: src/ObsoleteFiles.inc,v 1.102 2007/07/03 13:06:45 mlaier Exp $ # # This file lists old files (OLD_FILES), libraries (OLD_LIBS) and # directories (OLD_DIRS) which should get removed at an update. Recently @@ -14,6 +14,30 @@ # The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last. # +# 20070703: pf 4.1 import +OLD_FILES+=usr/libexec/ftp-proxy +# 20070701: KAME IPSec removal +OLD_FILES+=usr/include/netinet6/ah.h +OLD_FILES+=usr/include/netinet6/ah6.h +OLD_FILES+=usr/include/netinet6/ah_aesxcbcmac.h +OLD_FILES+=usr/include/netinet6/esp.h +OLD_FILES+=usr/include/netinet6/esp6.h +OLD_FILES+=usr/include/netinet6/esp_aesctr.h +OLD_FILES+=usr/include/netinet6/esp_camellia.h +OLD_FILES+=usr/include/netinet6/esp_rijndael.h +OLD_FILES+=usr/include/netinet6/ipsec.h +OLD_FILES+=usr/include/netinet6/ipsec6.h +OLD_FILES+=usr/include/netinet6/ipcomp.h +OLD_FILES+=usr/include/netinet6/ipcomp6.h +OLD_FILES+=usr/include/netkey/key.h +OLD_FILES+=usr/include/netkey/key_debug.h +OLD_FILES+=usr/include/netkey/key_var.h +OLD_FILES+=usr/include/netkey/keydb.h +OLD_FILES+=usr/include/netkey/keysock.h +OLD_DIRS+=usr/include/netkey +# 20070701: remove wicontrol +OLD_FILES+=usr/sbin/wicontrol +OLD_FILES+=usr/share/man/man8/wicontrol.8.gz # 20070625: umapfs removal OLD_FILES+=rescue/mount_umapfs OLD_FILES+=sbin/mount_umapfs 
@@ -3589,7 +3613,6 @@ # - usr/share/tmac/mm/locale # - usr/share/tmac/mm/se_locale # - var/yp/Makefile - # 20070519: GCC 4.2 OLD_LIBS+=usr/lib/libg2c.a OLD_LIBS+=usr/lib/libg2c.so ==== //depot/projects/hammer/UPDATING#103 (text+ko) ==== @@ -21,6 +21,26 @@ developers choose to disable these features on build machines to maximize performance. +20070702: + The packet filter (pf) code has been updated to OpenBSD 4.1 Please + note the changed syntax - keep state is now on by default. Also + note the fact that ftp-proxy(8) has been changed from bottom up and + has been moved from libexec to usr/sbin. Changes in the ALTQ + handling also affect users of IPFW's ALTQ capabilities. + +20070701: + Remove KAME IPsec in favor of FAST_IPSEC, which is now the + only IPsec supported by FreeBSD. The new IPsec stack + supports both IPv4 and IPv6. The kernel option will change + after the code changes have settled in. For now the kernel + option IPSEC is deprecated and FAST_IPSEC is the only option, that + will change after some settling time. + +20070701: + The wicontrol(8) utility has been removed from the base system. wi(4) + cards should be configured using ifconfig(8), see the man page for more + information. + 20070612: By default, /etc/rc.d/sendmail no longer rebuilds the aliases database if it is missing or older than the aliases file. If @@ -857,4 +877,4 @@ Contact Warner Losh if you have any questions about your use of this document. -$FreeBSD: src/UPDATING,v 1.497 2007/06/12 17:33:56 gshapiro Exp $ +$FreeBSD: src/UPDATING,v 1.500 2007/07/03 13:06:44 mlaier Exp $ ==== //depot/projects/hammer/bin/ed/Makefile#11 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/bin/ed/Makefile,v 1.32 2006/03/17 18:54:20 ru Exp $ +# $FreeBSD: src/bin/ed/Makefile,v 1.33 2007/07/02 14:00:25 kensmith Exp $ .include 
@@ -7,11 +7,13 @@ LINKS= ${BINDIR}/ed ${BINDIR}/red MLINKS= ed.1 red.1 +.if !defined(RELEASE_CRUNCH) .if ${MK_OPENSSL} != "no" CFLAGS+=-DDES WARNS?= 2 DPADD= ${LIBCRYPTO} LDADD= -lcrypto .endif +.endif .include ==== //depot/projects/hammer/contrib/netcat/netcat.c#4 (text+ko) ==== @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/contrib/netcat/netcat.c,v 1.5 2007/03/28 01:57:03 delphij Exp $ + * $FreeBSD: src/contrib/netcat/netcat.c,v 1.6 2007/07/01 12:08:04 gnn Exp $ */ /* @@ -42,7 +42,7 @@ #include #include #ifdef IPSEC -#include +#include #endif #include #include ==== //depot/projects/hammer/contrib/pf/authpf/authpf.8#5 (text+ko) ==== 
@@ -1,29 +1,19 @@ -.\" $FreeBSD: src/contrib/pf/authpf/authpf.8,v 1.2 2006/03/28 15:26:16 mlaier Exp $ -.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $ +.\" $FreeBSD: src/contrib/pf/authpf/authpf.8,v 1.3 2007/07/03 12:30:00 mlaier Exp $ +.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $ .\" -.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. +.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd March 28, 2006 .Dt AUTHPF 8 @@ -230,8 +220,11 @@ hijack the session. Note that TCP keepalives are not sufficient for this, since they are not secure. -Also note that +Also note that the various SSH tunnelling mechanisms, +such as .Ar AllowTcpForwarding +and +.Ar PermitTunnel , should be disabled for .Nm users to prevent them from circumventing restrictions imposed by the @@ -429,8 +422,7 @@ external_if = "xl0" internal_if = "fxp0" -pass in log quick on $internal_if proto tcp from $user_ip to any \e - keep state +pass in log quick on $internal_if proto tcp from $user_ip to any pass in quick on $internal_if from $user_ip to any .Ed .Pp 
@@ -445,16 +437,15 @@ # rdr ftp for proxying by ftp-proxy(8) rdr on $internal_if proto tcp from $user_ip to any port 21 \e - -> 127.0.0.1 port 8081 + -> 127.0.0.1 port 8021 # allow out ftp, ssh, www and https only, and allow user to negotiate # ipsec with the ipsec server. pass in log quick on $internal_if proto tcp from $user_ip to any \e - port { 21, 22, 80, 443 } flags S/SA + port { 21, 22, 80, 443 } pass in quick on $internal_if proto tcp from $user_ip to any \e port { 21, 22, 80, 443 } -pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e - keep state +pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp pass in quick proto esp from $user_ip to $ipsec_gw .Ed .Pp @@ -469,7 +460,7 @@ # nat and tag connections... nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr pass in quick on $int_if from $user_ip to any -pass out log quick on $ext_if tagged $user_ip keep state +pass out log quick on $ext_if tagged $user_ip .Ed .Pp With the above rules added by @@ -495,7 +486,7 @@ .Bd -literal table persist pass in on $ext_if proto tcp from \e - to port { smtp imap } keep state + to port { smtp imap } .Ed .Pp It is also possible to use the "authpf_users" @@ -522,6 +513,7 @@ .Xr pf 4 , .Xr pf.conf 5 , .Xr fdescfs 5 , +.Xr securelevel 7 , .Xr ftp-proxy 8 .Sh HISTORY The ==== //depot/projects/hammer/contrib/pf/authpf/authpf.c#6 (text+ko) ==== 
@@ -1,32 +1,23 @@ -/* $OpenBSD: authpf.c,v 1.89 2005/02/10 04:24:15 joel Exp $ */ +/* $OpenBSD: authpf.c,v 1.104 2007/02/24 17:35:08 beck Exp $ */ /* - * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org). + * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include -__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.7 2005/12/25 22:57:08 mlaier Exp $"); +__FBSDID("$FreeBSD: src/contrib/pf/authpf/authpf.c,v 1.8 2007/07/03 12:30:01 mlaier Exp $"); #include #include @@ -56,15 +47,13 @@ #include "pathnames.h" -extern int symset(const char *, const char *, int); - static int read_config(FILE *); static void print_message(char *); static int allowed_luser(char *); static int check_luser(char *, char *); static int remove_stale_rulesets(void); static int change_filter(int, const char *, const char *); -static int change_table(int, const char *, const char *); +static int change_table(int, const char *); static void authpf_kill_states(void); int dev; /* pf device */ @@ -73,7 +62,6 @@ char tablename[PF_TABLE_NAME_SIZE] = "authpf_users"; FILE *pidfp; -char *infile; /* file name printed by yyerror() in parse.y */ char luser[MAXLOGNAME]; /* username */ char ipsrc[256]; /* ip as a string */ char pidfile[MAXPATHLEN]; /* we save pid in this file. */ @@ -102,11 +90,16 @@ struct in6_addr ina; struct passwd *pw; char *cp; + gid_t gid; uid_t uid; char *shell; login_cap_t *lc; config = fopen(PATH_CONFFILE, "r"); + if (config == NULL) { + syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE); + exit(1); + } if ((cp = getenv("SSH_TTY")) == NULL) { syslog(LOG_ERR, "non-interactive session connection for authpf"); @@ -143,7 +136,6 @@ uid = getuid(); pw = getpwuid(uid); - endpwent(); if (pw == NULL) { syslog(LOG_ERR, "cannot find user for uid %u", uid); goto die; 
@@ -256,6 +248,8 @@ if (++lockcnt > 10) { syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", otherpid); + fclose(pidfp); + pidfp = NULL; goto dogdeath; } sleep(1); @@ -265,12 +259,22 @@ * it's lock, giving us a chance to get it now */ fclose(pidfp); + pidfp = NULL; } while (1); + + /* whack the group list */ + gid = getegid(); + if (setgroups(1, &gid) == -1) { + syslog(LOG_INFO, "setgroups: %s", strerror(errno)); + do_death(0); + } /* revoke privs */ - seteuid(getuid()); - setuid(getuid()); - + uid = getuid(); + if (setresuid(uid, uid, uid) == -1) { + syslog(LOG_INFO, "setresuid: %s", strerror(errno)); + do_death(0); + } openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { @@ -278,8 +282,8 @@ do_death(0); } - if (config == NULL || read_config(config)) { - syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE); + if (read_config(config)) { + syslog(LOG_ERR, "invalid config file %s", PATH_CONFFILE); do_death(0); } @@ -298,7 +302,7 @@ printf("Unable to modify filters\r\n"); do_death(0); } - if (change_table(1, luser, ipsrc) == -1) { + if (change_table(1, ipsrc) == -1) { printf("Unable to modify table\r\n"); change_filter(0, luser, ipsrc); do_death(0); @@ -309,7 +313,7 @@ signal(SIGALRM, need_death); signal(SIGPIPE, need_death); signal(SIGHUP, need_death); - signal(SIGSTOP, need_death); + signal(SIGQUIT, need_death); signal(SIGTSTP, need_death); while (1) { printf("\r\nHello %s. ", luser); @@ -559,9 +563,11 @@ while (fputs(tmp, stdout) != EOF && !feof(f)) { if (fgets(tmp, sizeof(tmp), f) == NULL) { fflush(stdout); + fclose(f); return (0); } } + fclose(f); } fflush(stdout); return (0); @@ -645,6 +651,7 @@ char *fdpath = NULL, *userstr = NULL, *ipstr = NULL; char *rsn = NULL, *fn = NULL; pid_t pid; + gid_t gid; int s; if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) { 
@@ -684,8 +691,14 @@ switch (pid = fork()) { case -1: - err(1, "fork failed"); + syslog(LOG_ERR, "fork failed"); + goto error; case 0: + /* revoke group privs before exec */ + gid = getgid(); + if (setregid(gid, gid) == -1) { + err(1, "setregid"); + } execvp(PATH_PFCTL, pargv); warn("exec of %s failed", PATH_PFCTL); _exit(1); @@ -694,10 +707,8 @@ /* parent */ waitpid(pid, &s, 0); if (s != 0) { - if (WIFEXITED(s)) { - syslog(LOG_ERR, "pfctl exited abnormally"); - goto error; - } + syslog(LOG_ERR, "pfctl exited abnormally"); + goto error; } if (add) { @@ -718,16 +729,10 @@ syslog(LOG_ERR, "malloc failed"); error: free(fdpath); - fdpath = NULL; free(rsn); - rsn = NULL; free(userstr); - userstr = NULL; free(ipstr); - ipstr = NULL; free(fn); - fn = NULL; - infile = NULL; return (-1); } @@ -735,13 +740,14 @@ * Add/remove this IP from the "authpf_users" table. */ static int -change_table(int add, const char *luser, const char *ipsrc) +change_table(int add, const char *ipsrc) { struct pfioc_table io; struct pfr_addr addr; bzero(&io, sizeof(io)); - strlcpy(io.pfrio_table.pfrt_name, tablename, sizeof(io.pfrio_table)); + strlcpy(io.pfrio_table.pfrt_name, tablename, + sizeof(io.pfrio_table.pfrt_name)); io.pfrio_buffer = &addr; io.pfrio_esize = sizeof(addr); io.pfrio_size = 1; @@ -834,13 +840,11 @@ if (active) { change_filter(0, luser, ipsrc); - change_table(0, luser, ipsrc); + change_table(0, ipsrc); authpf_kill_states(); remove_stale_rulesets(); } - if (pidfp) - ftruncate(fileno(pidfp), 0); - if (pidfile[0]) + if (pidfile[0] && (pidfp != NULL)) if (unlink(pidfile) == -1) syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile); exit(ret); ==== //depot/projects/hammer/contrib/pf/ftp-proxy/ftp-proxy.8#5 (text+ko) ==== 
@@ -1,295 +1,185 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.42 2004/11/19 00:47:23 jmc Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $ .\" -.\" Copyright (c) 1996-2001 -.\" Obtuse Systems Corporation, All rights reserved. +.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. .\" -.\" THIS SOFTWARE IS PROVIDED BY OBTUSE SYSTEMS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL OBTUSE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.4 2005/05/03 16:55:19 mlaier Exp $ +.\" $FreeBSD: src/contrib/pf/ftp-proxy/ftp-proxy.8,v 1.5 2007/07/03 12:30:01 mlaier Exp $ .\" -.Dd August 17, 2001 +.Dd November 28, 2004 .Dt FTP-PROXY 8 .Os .Sh NAME .Nm ftp-proxy -.Nd Internet File Transfer Protocol proxy server +.Nd Internet File Transfer Protocol proxy daemon .Sh SYNOPSIS .Nm ftp-proxy -.Bk -words -.Op Fl AnrVw +.Op Fl 6Adrv .Op Fl a Ar address -.Op Fl D Ar debuglevel -.Op Fl g Ar group -.Op Fl M Ar maxport -.Op Fl m Ar minport -.Op Fl R Ar address[:port] -.Op Fl S Ar address +.Op Fl b Ar address +.Op Fl D Ar level +.Op Fl m Ar maxsessions +.Op Fl P Ar port +.Op Fl p Ar port +.Op Fl q Ar queue +.Op Fl R Ar address .Op Fl t Ar timeout -.Op Fl u Ar user -.Ek .Sh DESCRIPTION .Nm is a proxy for the Internet File Transfer Protocol. 
-The proxy uses +FTP control connections should be redirected into the proxy using the .Xr pf 4 -and expects to have the FTP control connection as described in -.Xr services 5 -redirected to it via a +.Ar rdr +command, after which the proxy connects to the server on behalf of +the client. +.Pp +The proxy allows data connections to pass, rewriting and redirecting +them so that the right addresses are used. +All connections from the client to the server have their source +address rewritten so they appear to come from the proxy. +Consequently, all connections from the server to the proxy have +their destination address rewritten, so they are redirected to the +client. +The proxy uses the .Xr pf 4 -.Em rdr -command. -An example of how to do that is further down in this document. +.Ar anchor +facility for this. +.Pp +Assuming the FTP control connection is from $client to $server, the +proxy connected to the server using the $proxy source address, and +$port is negotiated, then +.Nm ftp-proxy +adds the following rules to the various anchors. +(These example rules use inet, but the proxy also supports inet6.) +.Pp +In case of active mode (PORT or EPRT): +.Bd -literal -offset 2n +rdr from $server to $proxy port $port -> $client +pass quick inet proto tcp \e + from $server to $client port $port +.Ed +.Pp +In case of passive mode (PASV or EPSV): +.Bd -literal -offset 2n +nat from $client to $server port $port -> $proxy +pass in quick inet proto tcp \e + from $client to $server port $port +pass out quick inet proto tcp \e + from $proxy to $server port $port +.Ed .Pp The options are as follows: .Bl -tag -width Ds +.It Fl 6 +IPv6 mode. +The proxy will expect and use IPv6 addresses for all communication. +Only the extended FTP modes EPSV and EPRT are allowed with IPv6. +The proxy is in IPv4 mode by default. .It Fl A -Permit only anonymous FTP connections. -The proxy will allow connections to log in to other sites as the user -.Qq ftp -or -.Qq anonymous -only. 
-Any attempt to log in as another user will be blocked by the proxy. +Only permit anonymous FTP connections. +Either user "ftp" or user "anonymous" is allowed. .It Fl a Ar address -Specify the local IP address to use in -.Xr bind 2 -as the source for connections made by -.Nm ftp-proxy -when connecting to destination FTP servers. -This may be necessary if the interface address of -your default route is not reachable from the destinations -.Nm -is attempting connections to, or this address is different from the one -connections are being NATed to. -In the usual case this means that -.Ar address -should be a publicly visible IP address assigned to one of -the interfaces on the machine running -.Nm -and should be the same address to which you are translating traffic -if you are using the -.Fl n -option. -.It Fl D Ar debuglevel -Specify a debug level, where the proxy emits verbose debug output -into -.Xr syslogd 8 -at level -.Dv LOG_DEBUG . -Meaningful values of debuglevel are 0-3, where 0 is no debug output and -3 is lots of debug output, the default being 0. -.It Fl g Ar group -Specify the named group to drop group privileges to, after doing -.Xr pf 4 -lookups which require root. -By default, -.Nm -uses the default group of the user it drops privilege to. -.It Fl M Ar maxport -Specify the upper end of the port range the proxy will use for the -data connections it establishes. -The default is -.Dv IPPORT_HILASTAUTO -defined in -.Aq Pa netinet/in.h -as 65535. -.It Fl m Ar minport -Specify the lower end of the port range the proxy will use for all -data connections it establishes. -The default is -.Dv IPPORT_HIFIRSTAUTO -defined in -.Aq Pa netinet/in.h -as 49152. -.It Fl n -Activate network address translation -.Pq NAT -mode. -In this mode, the proxy will not attempt to proxy passive mode -.Pq PASV or EPSV -data connections. 
-In order for this to work, the machine running the proxy will need to -be forwarding packets and doing network address translation to allow -the outbound passive connections from the client to reach the server. -See -.Xr pf.conf 5 -for more details on NAT. -The proxy only ignores passive mode data connections when using this flag; -it will still proxy PORT and EPRT mode data connections. -Without this flag, >>> TRUNCATED FOR MAIL (1000 lines) <<<
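Review bot: In authpf.c at @@ -265,12 +259,22 @@, the new setgroups() and setresuid() failure paths log at LOG_INFO, although a failed privilege drop is the most serious error on this path and the other new failure messages in this patch (the fopen() of PATH_CONFFILE, read_config()) use LOG_ERR. Suggest LOG_ERR for both, with "%m" in place of strerror(errno) to match the other syslog() calls. The ordering is right: the supplementary group list is cut down while the process can still do so, and only then is setresuid(uid, uid, uid) called with its result checked. The hunk leaves the effective gid in place, which the later "revoke group privs before exec" hunk relies on; a one-line comment saying so next to "whack the group list" would help the next reader.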
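Review bot: In the fork() switch at @@ -684,8 +691,14 @@ (authpf.c, change_filter), the child's setregid() failure path calls err(1, "setregid"), which exits through exit() and therefore flushes stdio buffers inherited from the parent, while the exec-failure path directly below it uses warn() followed by _exit(1). Suggest the same pattern for setregid: warn("setregid"); _exit(1);. In the -1 case, syslog(LOG_ERR, "fork failed") drops the errno text that err() used to print; "fork failed (%m)" keeps it.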
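Review bot: At @@ -694,10 +707,8 @@ in authpf.c, s is tested right after waitpid(pid, &s, 0) without checking waitpid()'s return value, and s is declared without an initializer ("int s;" in the @@ -645,6 +651,7 @@ context), so a failed waitpid() leaves the test reading an indeterminate value. Treating every non-zero status as failure is the right direction, since the old WIFEXITED-only test let a pfctl that was killed by a signal fall through as success. Suggest also handling waitpid() == -1 explicitly and logging the exit code or signal number instead of only "pfctl exited abnormally".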
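Review bot: On the exit path at @@ -834,13 +840,11 @@ in authpf.c, unlink(pidfile) now depends on pidfp != NULL, which is only meaningful because the hunks at @@ -256,6 +248,8 @@ and @@ -265,12 +259,22 @@ set pidfp = NULL after each fclose(). That invariant (pidfp non-NULL means this process still holds the pid file) is not written down anywhere in the visible code; suggest a short comment at the declaration of pidfp or above this test. The nested "if (...) if (unlink(...) == -1)" without braces is also easy to misread and could be one braced block.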