Date: Wed, 10 Dec 2008 20:54:37 +0000 (UTC) From: Max Laier <mlaier@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r185876 - in vendor/pf/dist: authpf ftp-proxy man pfctl pflogd tftp-proxy Message-ID: <200812102054.mBAKsb8n042234@svn.freebsd.org>
Author: mlaier Date: Wed Dec 10 20:54:37 2008 New Revision: 185876 URL: http://svn.freebsd.org/changeset/base/185876 Log: Import OPENBSD_4_2_BASE Added: vendor/pf/dist/authpf/Makefile (contents, props changed) vendor/pf/dist/ftp-proxy/Makefile (contents, props changed) vendor/pf/dist/pfctl/Makefile (contents, props changed) vendor/pf/dist/pflogd/Makefile (contents, props changed) vendor/pf/dist/tftp-proxy/Makefile (contents, props changed) Deleted: vendor/pf/dist/ftp-proxy/getline.c vendor/pf/dist/ftp-proxy/util.c vendor/pf/dist/ftp-proxy/util.h vendor/pf/dist/pflogd/pidfile.c vendor/pf/dist/pflogd/pidfile.h Modified: vendor/pf/dist/authpf/authpf.8 vendor/pf/dist/ftp-proxy/filter.c vendor/pf/dist/ftp-proxy/filter.h vendor/pf/dist/ftp-proxy/ftp-proxy.8 vendor/pf/dist/ftp-proxy/ftp-proxy.c vendor/pf/dist/man/pf.4 vendor/pf/dist/man/pf.conf.5 vendor/pf/dist/man/pf.os.5 vendor/pf/dist/man/pflog.4 vendor/pf/dist/man/pfsync.4 vendor/pf/dist/pfctl/parse.y vendor/pf/dist/pfctl/pf_print_state.c vendor/pf/dist/pfctl/pfctl.8 vendor/pf/dist/pfctl/pfctl.c vendor/pf/dist/pfctl/pfctl.h vendor/pf/dist/pfctl/pfctl_altq.c vendor/pf/dist/pflogd/pflogd.8 vendor/pf/dist/pflogd/pflogd.c vendor/pf/dist/tftp-proxy/filter.c vendor/pf/dist/tftp-proxy/tftp-proxy.8 Added: vendor/pf/dist/authpf/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor/pf/dist/authpf/Makefile Wed Dec 10 20:54:37 2008 (r185876) @@ -0,0 +1,11 @@ +# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $ + +PROG= authpf +MAN= authpf.8 +BINOWN= root +BINGRP= authpf +BINMODE= 6555 +SRCS= authpf.c +CFLAGS+= -Wall + +.include <bsd.prog.mk> Modified: vendor/pf/dist/authpf/authpf.8 ============================================================================== --- vendor/pf/dist/authpf/authpf.8 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/authpf/authpf.8 Wed Dec 10 20:54:37 2008 (r185876) 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $ +.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $ .\" .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd January 10, 2002 +.Dd $Mdocdate$ .Dt AUTHPF 8 .Os .Sh NAME Added: vendor/pf/dist/ftp-proxy/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor/pf/dist/ftp-proxy/Makefile Wed Dec 10 20:54:37 2008 (r185876) @@ -0,0 +1,13 @@ +# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $ + +PROG= ftp-proxy +SRCS= ftp-proxy.c filter.c +MAN= ftp-proxy.8 + +CFLAGS+= -I${.CURDIR} +CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \ + -Wno-uninitialized +LDADD+= -levent +DPADD+= ${LIBEVENT} + +.include <bsd.prog.mk> Modified: vendor/pf/dist/ftp-proxy/filter.c ============================================================================== --- vendor/pf/dist/ftp-proxy/filter.c Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/ftp-proxy/filter.c Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.c,v 1.5 2006/12/01 07:31:21 camield Exp $ */ +/* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> @@ -53,7 +53,7 @@ static struct pfioc_rule pfr; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; -static char *qname; +static char *qname, *tagname; int add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, 
@@ -159,11 +159,12 @@ do_rollback(void) } void -init_filter(char *opt_qname, int opt_verbose) +init_filter(char *opt_qname, char *opt_tagname, int opt_verbose) { struct pf_status status; qname = opt_qname; + tagname = opt_tagname; if (opt_verbose == 1) rule_log = PF_LOG; @@ -276,6 +277,8 @@ prepare_rule(u_int32_t id, int rs_num, s } pfr.rule.dst.port_op = PF_OP_EQ; pfr.rule.dst.port[0] = htons(d_port); + if (tagname != NULL) + strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname); switch (rs_num) { case PF_RULESET_FILTER: Modified: vendor/pf/dist/ftp-proxy/filter.h ============================================================================== --- vendor/pf/dist/ftp-proxy/filter.h Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/ftp-proxy/filter.h Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */ +/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> @@ -26,6 +26,6 @@ int add_rdr(u_int32_t, struct sockaddr * struct sockaddr *, u_int16_t); int do_commit(void); int do_rollback(void); -void init_filter(char *, int); +void init_filter(char *, char *, int); int prepare_commit(u_int32_t); int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *); Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.8 ============================================================================== --- vendor/pf/dist/ftp-proxy/ftp-proxy.8 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/ftp-proxy/ftp-proxy.8 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $ .\" .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> .\" 
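Review bot: In prepare_rule() the result of `strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname)` is discarded, so a tag longer than the field would be silently truncated and the rule installed under a tag the operator did not ask for, which can then match a different `tagged` rule in the ruleset. In this import the only caller rejects `strlen(optarg) >= PF_TAG_NAME_SIZE` at option parsing, so truncation cannot happen today, but filter.c cannot see that check and nothing here enforces it. I would make the copy fail closed, e.g. `if (strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname) >= sizeof pfr.rule.tagname) return (-1);`, using whatever error value the rest of prepare_rule returns (its body lies outside the hunk, so match that convention). prepare_rule() continues past the end of the hunk.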
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd November 28, 2004 +.Dd $Mdocdate$ .Dt FTP-PROXY 8 .Os .Sh NAME @@ -22,6 +22,7 @@ .Nd Internet File Transfer Protocol proxy daemon .Sh SYNOPSIS .Nm ftp-proxy +.Bk -words .Op Fl 6Adrv .Op Fl a Ar address .Op Fl b Ar address @@ -31,7 +32,9 @@ .Op Fl p Ar port .Op Fl q Ar queue .Op Fl R Ar address +.Op Fl T Ar tag .Op Fl t Ar timeout +.Ek .Sh DESCRIPTION .Nm is a proxy for the Internet File Transfer Protocol. @@ -128,6 +131,10 @@ connections to another proxy. .It Fl r Rewrite sourceport to 20 in active mode to suit ancient clients that insist on this RFC property. +.It Fl T Ar tag +Automatically tag packets passing through the +.Xr pf 4 +rule with the name supplied. .It Fl t Ar timeout Number of seconds that the control connection can be idle, before the proxy will disconnect. Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.c ============================================================================== --- vendor/pf/dist/ftp-proxy/ftp-proxy.c Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/ftp-proxy/ftp-proxy.c Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */ +/* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> @@ -102,6 +102,7 @@ u_int16_t pick_proxy_port(void); void proxy_reply(int, struct sockaddr *, u_int16_t); void server_error(struct bufferevent *, short, void *); int server_parse(struct session *s); +int allow_data_connection(struct session *s); void server_read(struct bufferevent *, void *); const char *sock_ntop(struct sockaddr *); void usage(void); 
@@ -113,7 +114,7 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLE struct sockaddr_storage fixed_server_ss, fixed_proxy_ss; char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port, - *qname; + *qname, *tagname; int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions, rfc_mode, session_count, timeout, verbose; extern char *__progname; @@ -149,8 +150,19 @@ client_parse(struct session *s) return (1); if (linebuf[0] == 'P' || linebuf[0] == 'p' || - linebuf[0] == 'E' || linebuf[0] == 'e') - return (client_parse_cmd(s)); + linebuf[0] == 'E' || linebuf[0] == 'e') { + if (!client_parse_cmd(s)) + return (0); + + /* + * Allow active mode connections immediately, instead of + * waiting for a positive reply from the server. Some + * rare servers/proxies try to probe or setup the data + * connection before an actual transfer request. + */ + if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) + return (allow_data_connection(s)); + } if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u')) return (client_parse_anon(s)); @@ -588,6 +600,7 @@ main(int argc, char *argv[]) max_sessions = 100; qname = NULL; rfc_mode = 0; + tagname = NULL; timeout = 24 * 3600; verbose = 0; @@ -595,7 +608,7 @@ main(int argc, char *argv[]) id_count = 1; session_count = 0; - while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) { + while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) { switch (ch) { case '6': ipv6_mode = 1; @@ -640,6 +653,11 @@ main(int argc, char *argv[]) case 'r': rfc_mode = 1; break; + case 'T': + if (strlen(optarg) >= PF_TAG_NAME_SIZE) + errx(1, "tagname too long"); + tagname = optarg; + break; case 't': timeout = strtonum(optarg, 0, 86400, &errstr); if (errstr) @@ -720,7 +738,7 @@ main(int argc, char *argv[]) freeaddrinfo(res); /* Initialize pf. */ - init_filter(qname, verbose); + init_filter(qname, tagname, verbose); if (daemonize) { if (daemon(0, 0) == -1) 
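Review bot: The new branch in client_parse() calls allow_data_connection() as soon as a PORT or EPRT command parses, so the pf rules for the data connection are now installed on the client's say-so alone, before the server has accepted the command; previously that happened only on the server's `200` reply. That makes whatever address validation client_parse_cmd() performs on the PORT/EPRT argument the sole guard against a client opening a rule toward a third party, and that function is outside the hunk, so it should be confirmed that it still rejects addresses that do not belong to the control connection's client. The added comment explains why the change is wanted but not this consequence; I would extend it with `* The rule is committed before the server replies, so client_parse_cmd() must have verified that the PORT/EPRT address is the client's own.` so the dependency is visible to whoever next touches client_parse_cmd(). client_parse() starts and ends outside the hunk.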
@@ -888,12 +906,26 @@ server_error(struct bufferevent *bufev, int server_parse(struct session *s) { - struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa; - int prepared = 0; - if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2') goto out; + if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) || + (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) + return (allow_data_connection(s)); + + out: + s->cmd = CMD_NONE; + s->port = 0; + + return (1); +} + +int +allow_data_connection(struct session *s) +{ + struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa; + int prepared = 0; + /* * The pf rules below do quite some NAT rewriting, to keep up * appearances. Points to keep in mind: @@ -918,8 +950,7 @@ server_parse(struct session *s) orig_sa = sstosa(&s->server_ss); /* Passive modes. */ - if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) || - (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) { + if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) { s->port = parse_port(s->cmd); if (s->port < MIN_PORT) { logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id, @@ -960,8 +991,7 @@ server_parse(struct session *s) } /* Active modes. */ - if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) && - strncmp("200 ", linebuf, 4) == 0) { + if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) { logmsg(LOG_INFO, "#%d active: server to client port %d" " via port %d", s->id, s->port, s->proxy_port); @@ -1011,7 +1041,6 @@ server_parse(struct session *s) goto fail; } - out: s->cmd = CMD_NONE; s->port = 0; 
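Review bot: allow_data_connection() is a new function with two entry paths and no header comment, and its preconditions differ by path: when called from server_parse() it runs with `linebuf` holding the 227/229 reply that `parse_port(s->cmd)` reads, while when called from client_parse() on PORT/EPRT it reads `s->port` and `s->proxy_port`, which are presumably filled in by client_parse_cmd() (outside the hunk). A short comment above the definition stating which caller supplies which fields, and that the active-mode path no longer waits for the server's `200` reply, would keep the two callers honest. The tail of the old server_parse() body that now follows the last hunk (the fail/cleanup path) is outside the hunk, so I could not check whether it still suits both callers. allow_data_connection() begins in the second hunk and runs past the end of the last one.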
@@ -1088,6 +1117,6 @@ usage(void) { fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]" " [-D level] [-m maxsessions]\n [-P port]" - " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname); + " [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname); exit(1); } Modified: vendor/pf/dist/man/pf.4 ============================================================================== --- vendor/pf/dist/man/pf.4 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/man/pf.4 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $ +.\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd June 24, 2001 +.Dd $Mdocdate$ .Dt PF 4 .Os .Sh NAME Modified: vendor/pf/dist/man/pf.conf.5 ============================================================================== --- vendor/pf/dist/man/pf.conf.5 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/man/pf.conf.5 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.376 2006/12/01 07:23:26 camield Exp $ +.\" $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2002 +.Dd $Mdocdate: June 26 2007 $ .Dt PF.CONF 5 .Os .Sh NAME 
@@ -402,9 +402,10 @@ set limit { states 20000, frags 20000, s .Bl -tag -width xxxxxxxx -compact .It Ar none Disable the ruleset optimizer. -This is the default behaviour. .It Ar basic -Enable basic ruleset optimization, which does four things to improve the +Enable basic ruleset optimization. +This is the default behaviour. +Basic ruleset optimization does four things to improve the performance of ruleset evaluations: .Pp .Bl -enum -compact @@ -1247,7 +1248,7 @@ block all .Ed .It Ar pass The packet is passed; -state is created state unless the +state is created unless the .Ar no state option is specified. .El @@ -1418,7 +1419,8 @@ This rule applies only to packets with t addresses and ports. .Pp Addresses can be specified in CIDR notation (matching netblocks), as -symbolic host names or interface names, or as any of the following keywords: +symbolic host names, interface names or interface group names, or as any +of the following keywords: .Pp .Bl -tag -width xxxxxxxxxxxxxx -compact .It Ar any @@ -1440,7 +1442,7 @@ the route back to the packet's source ad Any address that matches the given table. .El .Pp -Interface names can have modifiers appended: +Interface names and interface group names can have modifiers appended: .Pp .Bl -tag -width xxxxxxxxxxxx -compact .It Ar :network @@ -1603,7 +1605,7 @@ Flags not specified in are ignored. For stateful connections, the default is .Ar flags S/SA . -To indicate that flags should not be checkd at all, specify +To indicate that flags should not be checked at all, specify .Ar flags any . The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. .Bl -tag -width Fl 
@@ -1687,13 +1689,14 @@ pass all tos 0x10 pass all tos 16 .Ed .It Ar allow-opts -By default, packets which contain IP options are blocked. +By default, IPv4 packets with IP options or IPv6 packets with routing +extension headers are blocked. When .Ar allow-opts is specified for a .Ar pass rule, packets that pass the filter based on that rule (last matching) -do so even if they contain IP options. +do so even if they contain IP options or routing extension headers. For packets that match state, the rule that initially created the state is used. The implicit @@ -1914,7 +1917,7 @@ pool options. Note that by default these associations are destroyed as soon as there are no longer states which refer to them; in order to make the mappings last beyond the lifetime of the states, increase the global options with -.Ar set timeout source-track +.Ar set timeout src.track . See .Sx STATEFUL TRACKING OPTIONS for more ways to control the source tracking. @@ -2759,7 +2762,7 @@ option = "set" ( [ "timeout" ( t [ "state-policy" ( "if-bound" | "floating" ) ] [ "require-order" ( "yes" | "no" ) ] [ "fingerprints" filename ] | - [ "skip on" ( interface-name | "{" interface-list "}" ) ] | + [ "skip on" ifspec ] | [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] ) pf-rule = action [ ( "in" | "out" ) ] @@ -2801,8 +2804,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ portspec ] [ pooltype ] ] antispoof-rule = "antispoof" [ "log" ] [ "quick" ] - "for" ( interface-name | "{" interface-list "}" ) - [ af ] [ "label" string ] + "for" ifspec [ af ] [ "label" string ] table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] tableopts-list = tableopts-list tableopts | tableopts 
@@ -2810,8 +2812,8 @@ tableopts = "persist" | "const" | " "{" [ tableaddr-list ] "}" tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] -tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | - interface-name | "self" +tableaddr = hostname | ifspec | "self" | + ipv4-dotted-quad | ipv6-coloned-hex altq-rule = "altq on" interface-name queueopts-list "queue" subqueue @@ -2842,8 +2844,10 @@ return = "drop" | "return" | "re icmpcode = ( icmp-code-name | icmp-code-number ) icmp6code = ( icmp6-code-name | icmp6-code-number ) -ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}" -interface-list = [ "!" ] interface-name [ [ "," ] interface-list ] +ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | + "{" interface-list "}" +interface-list = [ "!" ] ( interface-name | interface-group ) + [ [ "," ] interface-list ] route = ( "route-to" | "reply-to" | "dup-to" ) ( routehost | "{" routehost-list "}" ) [ pooltype ] @@ -2863,8 +2867,9 @@ ipspec = "any" | host | "{" host host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) redirhost = address [ "/" mask-bits ] routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" -address = ( interface-name | "(" interface-name ")" | hostname | - ipv4-dotted-quad | ipv6-coloned-hex ) +address = ( interface-name | interface-group | + "(" ( interface-name | interface-group ) ")" | + hostname | ipv4-dotted-quad | ipv6-coloned-hex ) host-list = host [ [ "," ] host-list ] redirhost-list = redirhost [ [ "," ] redirhost-list ] routehost-list = routehost [ [ "," ] routehost-list ] Modified: vendor/pf/dist/man/pf.os.5 ============================================================================== --- vendor/pf/dist/man/pf.os.5 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/man/pf.os.5 Wed Dec 10 20:54:37 2008 (r185876) 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $ +.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $ .\" .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> .\" @@ -13,7 +13,7 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd August 18, 2003 +.Dd $Mdocdate$ .Dt PF.OS 5 .Os .Sh NAME Modified: vendor/pf/dist/man/pflog.4 ============================================================================== --- vendor/pf/dist/man/pflog.4 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/man/pflog.4 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $ +.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (c) 2001 Tobias Weingartner .\" All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 10, 2001 +.Dd $Mdocdate$ .Dt PFLOG 4 .Os .Sh NAME Modified: vendor/pf/dist/man/pfsync.4 ============================================================================== --- vendor/pf/dist/man/pfsync.4 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/man/pfsync.4 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfsync.4,v 1.24 2006/10/23 07:05:49 jmc Exp $ +.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff .\" Copyright (c) 2003-2004 Ryan McBride 
@@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 29, 2002 +.Dd $Mdocdate$ .Dt PFSYNC 4 .Os .Sh NAME Added: vendor/pf/dist/pfctl/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor/pf/dist/pfctl/Makefile Wed Dec 10 20:54:37 2008 (r185876) @@ -0,0 +1,18 @@ +# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $ + +PROG= pfctl +SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c +SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c +SRCS+= pfctl_optimize.c pf_ruleset.c +CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized +CFLAGS+= -Wstrict-prototypes -I${.CURDIR} +YFLAGS= +MAN= pfctl.8 + +# Ruleset and Anchor handling +.PATH: ${.CURDIR}/../../sys/net + +LDADD+= -lm +DPADD+= ${LIBM} + +.include <bsd.prog.mk> Modified: vendor/pf/dist/pfctl/parse.y ============================================================================== --- vendor/pf/dist/pfctl/parse.y Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/parse.y Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */ +/* $OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -425,7 +425,7 @@ typedef struct { %type <v.number> tos not yesno %type <v.i> no dir af fragcache optimizer %type <v.i> sourcetrack flush unaryop statelock -%type <v.b> action nataction natpass scrubaction +%type <v.b> action nataction natpasslog scrubaction %type <v.b> flags flag blockspec %type <v.range> port rport %type <v.hashkey> hashkey 
@@ -3439,12 +3439,13 @@ redirection : /* empty */ { $$ = NULL; } ; -natpass : /* empty */ { $$.b1 = $$.b2 = 0; } - | PASS { $$.b1 = 1; $$.b2 = 0; } +natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; } + | PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; } | PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; } + | log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; } ; -nataction : no NAT natpass { +nataction : no NAT natpasslog { if ($1 && $3.b1) { yyerror("\"pass\" not valid with \"no\""); YYERROR; @@ -3457,7 +3458,7 @@ nataction : no NAT natpass { $$.w = $3.b2; $$.w2 = $3.w2; } - | no RDR natpass { + | no RDR natpasslog { if ($1 && $3.b1) { yyerror("\"pass\" not valid with \"no\""); YYERROR; @@ -3631,7 +3632,7 @@ natrule : nataction interface af proto } ; -binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag +binatrule : no BINAT natpasslog interface af proto FROM host TO ipspec tag tagged rtable redirection { struct pf_rule binat; Modified: vendor/pf/dist/pfctl/pf_print_state.c ============================================================================== --- vendor/pf/dist/pfctl/pf_print_state.c Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/pf_print_state.c Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */ +/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -151,7 +151,7 @@ print_name(struct pf_addr *addr, sa_fami } void -print_host(struct pf_state_host *h, sa_family_t af, int opts) +print_host(struct pfsync_state_host *h, sa_family_t af, int opts) { u_int16_t p = ntohs(h->port); @@ -180,7 +180,7 @@ print_host(struct pf_state_host *h, sa_f } void -print_seq(struct pf_state_peer *p) +print_seq(struct pfsync_state_peer *p) { if (p->seqdiff) printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo, 
@@ -190,9 +190,9 @@ print_seq(struct pf_state_peer *p) } void -print_state(struct pf_state *s, int opts) +print_state(struct pfsync_state *s, int opts) { - struct pf_state_peer *src, *dst; + struct pfsync_state_peer *src, *dst; struct protoent *p; int min, sec; @@ -203,7 +203,7 @@ print_state(struct pf_state *s, int opts src = &s->dst; dst = &s->src; } - printf("%s ", s->u.ifname); + printf("%s ", s->ifname); if ((p = getprotobynumber(s->proto)) != NULL) printf("%s ", p->p_name); else @@ -278,20 +278,23 @@ print_state(struct pf_state *s, int opts s->expire /= 60; printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec); printf(", %llu:%llu pkts, %llu:%llu bytes", - s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]); - if (s->anchor.nr != -1) - printf(", anchor %u", s->anchor.nr); - if (s->rule.nr != -1) - printf(", rule %u", s->rule.nr); - if (s->src_node != NULL) + pf_state_counter_from_pfsync(s->packets[0]), + pf_state_counter_from_pfsync(s->packets[1]), + pf_state_counter_from_pfsync(s->bytes[0]), + pf_state_counter_from_pfsync(s->bytes[1])); + if (s->anchor != -1) + printf(", anchor %u", s->anchor); + if (s->rule != -1) + printf(", rule %u", s->rule); + if (s->sync_flags & PFSYNC_FLAG_SRCNODE) printf(", source-track"); - if (s->nat_src_node != NULL) + if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE) printf(", sticky-address"); printf("\n"); } if (opts & PF_OPT_VERBOSE2) { printf(" id: %016llx creatorid: %08x%s\n", - betoh64(s->id), ntohl(s->creatorid), + pf_state_counter_from_pfsync(s->id), ntohl(s->creatorid), ((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : "")); } } Modified: vendor/pf/dist/pfctl/pfctl.8 ============================================================================== --- vendor/pf/dist/pfctl/pfctl.8 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/pfctl.8 Wed Dec 10 20:54:37 2008 (r185876) 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $ +.\" $OpenBSD: pfctl.8,v 1.133 2007/07/01 11:38:51 henning Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 20, 2002 +.Dd $Mdocdate: May 31 2007 $ .Dt PFCTL 8 .Os .Sh NAME @@ -42,14 +42,14 @@ .Op Fl i Ar interface .Op Fl K Ar host | network .Op Fl k Ar host | network -.Op Fl o Op Ar level +.Op Fl o Ar level .Op Fl p Ar device .Op Fl s Ar modifier -.Oo -.Fl t Ar table +.Xo +.Oo Fl t Ar table .Fl T Ar command -.Op Ar address ... -.Oc +.Op Ar address ... Oc +.Xc .Op Fl x Ar level .Ek .Sh DESCRIPTION @@ -209,7 +209,7 @@ Flush the NAT rules. Flush the queue rules. .It Fl F Cm rules Flush the filter rules. -.It Fl F Cm state +.It Fl F Cm states Flush the state table (NAT and filter). .It Fl F Cm Sources Flush the source tracking table. 
@@ -296,58 +296,20 @@ Do not actually load rules, just parse t .It Fl O Load only the options present in the rule file. Other rules and options are ignored. -.It Fl o Op Ar level -Control the ruleset optimizer. -The ruleset optimizer attempts to improve rulesets by removing rule -duplication and making better use of rule ordering. +.It Fl o Ar level +Control the ruleset optimizer, overriding any rule file settings. .Pp .Bl -tag -width xxxxxxxxxxxx -compact .It Fl o Cm none Disable the ruleset optimizer. .It Fl o Cm basic Enable basic ruleset optimizations. +This is the default behaviour. .It Fl o Cm profile Enable basic ruleset optimizations with profiling. .El -.Pp -.Cm basic -optimization does does four things: -.Pp -.Bl -enum -compact -.It -remove duplicate rules -.It -remove rules that are a subset of another rule -.It -combine multiple rules into a table when advantageous -.It -re-order the rules to improve evaluation performance -.El -.Pp -If -.Cm profile -is specified, the currently loaded ruleset will be examined as a feedback -profile to tailor the optimization of the -.Ar quick -rules to the actual network behavior. -.Pp -It is important to note that the ruleset optimizer will modify the ruleset -to improve performance. -A side effect of the ruleset modification is that per-rule accounting -statistics will have different meanings than before. -If per-rule accounting is important for billing purposes or whatnot, either -the ruleset optimizer should not be used or a -.Ar label -field should be added to all of the accounting rules to act as optimization -barriers. -.Pp -To retain compatibility with previous behaviour, a single -.Fl o -without any options will enable -.Cm basic -optimizations, and a second -.Fl o -will enable profiling. +For further information on the ruleset optimizer, see +.Xr pf.conf 5 . .It Fl p Ar device Use the device file .Ar device 
@@ -402,7 +364,7 @@ If .Fl v is specified, all anchors attached under the target anchor will be displayed recursively. -.It Fl s Cm state +.It Fl s Cm states Show the contents of the state table. .It Fl s Cm Sources Show the contents of the source tracking table. Modified: vendor/pf/dist/pfctl/pfctl.c ============================================================================== --- vendor/pf/dist/pfctl/pfctl.c Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/pfctl.c Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */ +/* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -201,11 +201,11 @@ static const struct { static const char *clearopt_list[] = { "nat", "queue", "rules", "Sources", - "state", "info", "Tables", "osfp", "all", NULL + "states", "info", "Tables", "osfp", "all", NULL }; static const char *showopt_list[] = { - "nat", "queue", "rules", "Anchors", "Sources", "state", "info", + "nat", "queue", "rules", "Anchors", "Sources", "states", "info", "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp", "all", NULL }; @@ -220,7 +220,7 @@ static const char *debugopt_list[] = { }; static const char *optiopt_list[] = { - "o", "none", "basic", "profile", NULL + "none", "basic", "profile", NULL }; void @@ -231,8 +231,8 @@ usage(void) fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname); fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n"); fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] "); - fprintf(stderr, "[-k host | network ]\n"); - fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n"); + fprintf(stderr, "[-k host | network]\n"); + fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n"); fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n"); exit(1); } 
@@ -998,7 +998,7 @@ int pfctl_show_states(int dev, const char *iface, int opts) { struct pfioc_states ps; - struct pf_state *p; + struct pfsync_state *p; char *inbuf = NULL, *newinbuf = NULL; unsigned len = 0; int i, dotitle = (opts & PF_OPT_SHOWALL); @@ -1029,7 +1029,7 @@ pfctl_show_states(int dev, const char *i } p = ps.ps_states; for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) { - if (iface != NULL && strcmp(p->u.ifname, iface)) + if (iface != NULL && strcmp(p->ifname, iface)) continue; if (dotitle) { pfctl_print_title("STATES:"); @@ -1954,7 +1954,7 @@ main(int argc, char *argv[]) int ch; int mode = O_RDONLY; int opts = 0; - int optimize = 0; + int optimize = PF_OPTIMIZE_BASIC; char anchorname[MAXPATHLEN]; char *path; FILE *fin = NULL; @@ -1963,7 +1963,7 @@ main(int argc, char *argv[]) usage(); while ((ch = getopt(argc, argv, - "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) { + "a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) { switch (ch) { case 'a': anchoropt = optarg; @@ -2039,24 +2039,11 @@ main(int argc, char *argv[]) loadopt |= PFCTL_FLAG_FILTER; break; case 'o': - if (optarg) { - optiopt = pfctl_lookup_option(optarg, - optiopt_list); - if (optiopt == NULL) { - warnx("Unknown optimization '%s'", - optarg); - usage(); - } - } - if (opts & PF_OPT_OPTIMIZE) { - if (optiopt != NULL) { - warnx("Cannot specify -o multiple times" - "with optimizer level"); - usage(); - } - optimize |= PF_OPTIMIZE_PROFILE; + optiopt = pfctl_lookup_option(optarg, optiopt_list); + if (optiopt == NULL) { + warnx("Unknown optimization '%s'", optarg); + usage(); } - optimize |= PF_OPTIMIZE_BASIC; opts |= PF_OPT_OPTIMIZE; break; case 'O': Modified: vendor/pf/dist/pfctl/pfctl.h ============================================================================== --- vendor/pf/dist/pfctl/pfctl.h Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/pfctl.h Wed Dec 10 20:54:37 2008 (r185876) 
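Review bot: After the rewrite of the `-o` case, `optimize` is initialised to `PF_OPTIMIZE_BASIC` and the case only records the level in `optiopt` and sets `PF_OPT_OPTIMIZE`; nothing in the hunk translates `optiopt` into `optimize`, so unless that mapping happens later in main() (outside the hunk), `-o none` would still run the basic optimizer and `-o profile` would never set `PF_OPTIMIZE_PROFILE`. If the mapping is done later, a comment here such as `/* optiopt is applied to optimize after option parsing */` would save the next reader the same search; if it is not, the mapping is missing and `-o none` is a silent no-op. main() starts and ends outside the hunk.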
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */ +/* $OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -112,9 +112,9 @@ struct pf_altq *pfaltq_lookup(const char char *rate2str(double); void print_addr(struct pf_addr_wrap *, sa_family_t, int); -void print_host(struct pf_state_host *, sa_family_t, int); -void print_seq(struct pf_state_peer *); -void print_state(struct pf_state *, int); +void print_host(struct pfsync_state_host *, sa_family_t, int); +void print_seq(struct pfsync_state_peer *); +void print_state(struct pfsync_state *, int); int unmask(struct pf_addr *, sa_family_t); int pfctl_cmdline_symset(char *); Modified: vendor/pf/dist/pfctl/pfctl_altq.c ============================================================================== --- vendor/pf/dist/pfctl/pfctl_altq.c Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pfctl/pfctl_altq.c Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */ +/* $OpenBSD: pfctl_altq.c,v 1.92 2007/05/27 05:15:17 claudio Exp $ */ /* * Copyright (c) 2002 @@ -1091,8 +1091,6 @@ getifspeed(char *ifname) ifr.ifr_data = (caddr_t)&ifrdat; if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1) err(1, "SIOCGIFDATA"); - if (shutdown(s, SHUT_RDWR) == -1) - err(1, "shutdown"); if (close(s)) err(1, "close"); return ((u_int32_t)ifrdat.ifi_baudrate); @@ -1112,8 +1110,6 @@ getifmtu(char *ifname) errx(1, "getifmtu: strlcpy"); if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == -1) err(1, "SIOCGIFMTU"); - if (shutdown(s, SHUT_RDWR) == -1) - err(1, "shutdown"); if (close(s)) err(1, "close"); if (ifr.ifr_mtu > 0) Added: vendor/pf/dist/pflogd/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor/pf/dist/pflogd/Makefile Wed Dec 10 20:54:37 2008 (r185876) 
@@ -0,0 +1,11 @@ +# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $ + +CFLAGS+=-Wall -Wmissing-prototypes -Wshadow +LDADD+= -lpcap -lutil +DPADD+= ${LIBPCAP} ${LIBUTIL} + +PROG= pflogd +SRCS= pflogd.c privsep.c privsep_fdpass.c +MAN= pflogd.8 + +.include <bsd.prog.mk> Modified: vendor/pf/dist/pflogd/pflogd.8 ============================================================================== --- vendor/pf/dist/pflogd/pflogd.8 Wed Dec 10 20:44:18 2008 (r185875) +++ vendor/pf/dist/pflogd/pflogd.8 Wed Dec 10 20:54:37 2008 (r185876) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $ +.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 9, 2001 +.Dd $Mdocdate$ .Dt PFLOGD 8 .Os .Sh NAME @@ -32,12 +32,15 @@ .Nd packet filter logging daemon .Sh SYNOPSIS .Nm pflogd +.Bk -words .Op Fl Dx .Op Fl d Ar delay .Op Fl f Ar filename .Op Fl i Ar interface +.Op Fl p Ar pidfile .Op Fl s Ar snaplen .Op Ar expression +.Ek .Sh DESCRIPTION .Nm is a background daemon which reads packets logged by @@ -114,6 +117,14 @@ By default, .Nm will use .Ar pflog0 . +.It Fl p Ar pidfile +Writes a file containing the process ID of the program. +The file name has the form +.Pa /var/run/pidname.pid . +If the option is not given, +.Ar pidfile +defaults to +.Pa pflogd . *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***