Import OPENBSD_4_2_BASE

This commit is contained in:
Max Laier 2008-12-10 20:54:37 +00:00
parent d46fa87826
commit b39deb12b6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/pf/dist/; revision=185876
svn path=/vendor/pf/4.2/; revision=185877; tag=vendor/pf/4.2
30 changed files with 287 additions and 931 deletions

11
authpf/Makefile Normal file

@ -0,0 +1,11 @@
# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
PROG= authpf
MAN= authpf.8
BINOWN= root
BINGRP= authpf
BINMODE= 6555
SRCS= authpf.c
CFLAGS+= -Wall
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 10, 2002
.Dd $Mdocdate$
.Dt AUTHPF 8
.Os
.Sh NAME

13
ftp-proxy/Makefile Normal file

@ -0,0 +1,13 @@
# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
PROG= ftp-proxy
SRCS= ftp-proxy.c filter.c
MAN= ftp-proxy.8
CFLAGS+= -I${.CURDIR}
CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \
-Wno-uninitialized
LDADD+= -levent
DPADD+= ${LIBEVENT}
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
/* $OpenBSD: filter.c,v 1.5 2006/12/01 07:31:21 camield Exp $ */
/* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -53,7 +53,7 @@ static struct pfioc_rule pfr;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
static char *qname;
static char *qname, *tagname;
int
add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
@ -159,11 +159,12 @@ do_rollback(void)
}
void
init_filter(char *opt_qname, int opt_verbose)
init_filter(char *opt_qname, char *opt_tagname, int opt_verbose)
{
struct pf_status status;
qname = opt_qname;
tagname = opt_tagname;
if (opt_verbose == 1)
rule_log = PF_LOG;
@ -276,6 +277,8 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
if (tagname != NULL)
strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
switch (rs_num) {
case PF_RULESET_FILTER:
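Review bot: The `strlcpy` into `pfr.rule.tagname` in prepare_rule discards its return value, so a tag longer than `sizeof pfr.rule.tagname` would be silently truncated and a different tag than the one configured would be attached to the pf rule; the only length guard is `strlen(optarg) >= PF_TAG_NAME_SIZE` in main() in ftp-proxy.c, a separate file from the one doing the copy. filter.c should not depend on its caller for that: check for truncation, e.g. `if (strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname) >= sizeof pfr.rule.tagname)` followed by whatever error return prepare_rule uses (its body begins before and continues past this hunk, so the convention is not visible here). Alternatively init_filter could validate `opt_tagname` once at startup, and since the tag is only ever copied, both `tagname` and the new `init_filter` parameter (also in filter.h) could be `const char *`.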


@ -1,4 +1,4 @@
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -26,6 +26,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
struct sockaddr *, u_int16_t);
int do_commit(void);
int do_rollback(void);
void init_filter(char *, int);
void init_filter(char *, char *, int);
int prepare_commit(u_int32_t);
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);


@ -1,4 +1,4 @@
.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $
.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd November 28, 2004
.Dd $Mdocdate$
.Dt FTP-PROXY 8
.Os
.Sh NAME
@ -22,6 +22,7 @@
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm ftp-proxy
.Bk -words
.Op Fl 6Adrv
.Op Fl a Ar address
.Op Fl b Ar address
@ -31,7 +32,9 @@
.Op Fl p Ar port
.Op Fl q Ar queue
.Op Fl R Ar address
.Op Fl T Ar tag
.Op Fl t Ar timeout
.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
@ -128,6 +131,10 @@ connections to another proxy.
.It Fl r
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
on this RFC property.
.It Fl T Ar tag
Automatically tag packets passing through the
.Xr pf 4
rule with the name supplied.
.It Fl t Ar timeout
Number of seconds that the control connection can be idle, before the
proxy will disconnect.


@ -1,4 +1,4 @@
/* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */
/* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -102,6 +102,7 @@ u_int16_t pick_proxy_port(void);
void proxy_reply(int, struct sockaddr *, u_int16_t);
void server_error(struct bufferevent *, short, void *);
int server_parse(struct session *s);
int allow_data_connection(struct session *s);
void server_read(struct bufferevent *, void *);
const char *sock_ntop(struct sockaddr *);
void usage(void);
@ -113,7 +114,7 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
*qname;
*qname, *tagname;
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
rfc_mode, session_count, timeout, verbose;
extern char *__progname;
@ -149,8 +150,19 @@ client_parse(struct session *s)
return (1);
if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
linebuf[0] == 'E' || linebuf[0] == 'e')
return (client_parse_cmd(s));
linebuf[0] == 'E' || linebuf[0] == 'e') {
if (!client_parse_cmd(s))
return (0);
/*
* Allow active mode connections immediately, instead of
* waiting for a positive reply from the server. Some
* rare servers/proxies try to probe or setup the data
* connection before an actual transfer request.
*/
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT)
return (allow_data_connection(s));
}
if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
return (client_parse_anon(s));
@ -588,6 +600,7 @@ main(int argc, char *argv[])
max_sessions = 100;
qname = NULL;
rfc_mode = 0;
tagname = NULL;
timeout = 24 * 3600;
verbose = 0;
@ -595,7 +608,7 @@ main(int argc, char *argv[])
id_count = 1;
session_count = 0;
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
switch (ch) {
case '6':
ipv6_mode = 1;
@ -640,6 +653,11 @@ main(int argc, char *argv[])
case 'r':
rfc_mode = 1;
break;
case 'T':
if (strlen(optarg) >= PF_TAG_NAME_SIZE)
errx(1, "tagname too long");
tagname = optarg;
break;
case 't':
timeout = strtonum(optarg, 0, 86400, &errstr);
if (errstr)
@ -720,7 +738,7 @@ main(int argc, char *argv[])
freeaddrinfo(res);
/* Initialize pf. */
init_filter(qname, verbose);
init_filter(qname, tagname, verbose);
if (daemonize) {
if (daemon(0, 0) == -1)
@ -888,12 +906,26 @@ server_error(struct bufferevent *bufev, short what, void *arg)
int
server_parse(struct session *s)
{
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
int prepared = 0;
if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
goto out;
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0))
return (allow_data_connection(s));
out:
s->cmd = CMD_NONE;
s->port = 0;
return (1);
}
int
allow_data_connection(struct session *s)
{
struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
int prepared = 0;
/*
* The pf rules below do quite some NAT rewriting, to keep up
* appearances. Points to keep in mind:
@ -918,8 +950,7 @@ server_parse(struct session *s)
orig_sa = sstosa(&s->server_ss);
/* Passive modes. */
if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
(s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) {
if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) {
s->port = parse_port(s->cmd);
if (s->port < MIN_PORT) {
logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
@ -960,8 +991,7 @@ server_parse(struct session *s)
}
/* Active modes. */
if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) &&
strncmp("200 ", linebuf, 4) == 0) {
if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
logmsg(LOG_INFO, "#%d active: server to client port %d"
" via port %d", s->id, s->port, s->proxy_port);
@ -1011,7 +1041,6 @@ server_parse(struct session *s)
goto fail;
}
out:
s->cmd = CMD_NONE;
s->port = 0;
@ -1088,6 +1117,6 @@ usage(void)
{
fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
" [-D level] [-m maxsessions]\n [-P port]"
" [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
" [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname);
exit(1);
}
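Review bot: In the client_parse hunk, `allow_data_connection(s)` now runs on the client's PORT/EPRT command before the server has replied, so the pf rules for the data connection are installed without any confirmation that the server accepted the command; the new comment gives the motivation but not this consequence. If the server then rejects the command, the rule presumably stays in place until the session's normal teardown (not visible in this hunk), which is worth stating next to the rationale: `* Note: rules are committed before the server answers, so a rejected PORT/EPRT leaves them installed until the session is torn down.` The same early return also skips the rest of client_parse for these commands, which looks intended since the later checks only inspect 'U' lines. The new allow_data_connection body continues past the end of its hunk.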


@ -1,259 +0,0 @@
/* $OpenBSD: getline.c,v 1.16 2004/09/16 04:50:51 deraadt Exp $ */
/*
* Copyright (c) 1985, 1988 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ftpcmd.y 5.24 (Berkeley) 2/25/91
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/telnet.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sysexits.h>
#include <syslog.h>
#include <unistd.h>
#include "util.h"
int refill_buffer(struct csiob *iobp);
/*
* Refill the io buffer if we KNOW that data is available
*
* Returns 1 if any new data was obtained, 0 otherwise.
*/
int
refill_buffer(struct csiob *iobp)
{
int rqlen, rlen;
if (!(iobp->data_available))
return(0);
if (iobp->got_eof)
return(0);
/*
* The buffer has been entirely consumed if next_byte == io_buffer_len.
* Otherwise, there is some still-to-be-used data in io_buffer.
* Shuffle it to the start of the buffer.
* Note that next_byte will never exceed io_buffer_len.
* Also, note that we MUST use bcopy because the two regions could
* overlap (memcpy isn't defined to work properly with overlapping
* regions).
*/
if (iobp->next_byte < iobp->io_buffer_len) {
int dst_ix = 0;
int src_ix = iobp->next_byte;
int amount = iobp->io_buffer_len - iobp->next_byte;
bcopy(&iobp->io_buffer[src_ix], &iobp->io_buffer[dst_ix],
amount);
iobp->io_buffer_len = amount;
} else if (iobp->next_byte == iobp->io_buffer_len)
iobp->io_buffer_len = 0;
else {
syslog(LOG_ERR, "next_byte(%d) > io_buffer_len(%d)",
iobp->next_byte, iobp->io_buffer_len);
exit(EX_OSERR);
}
iobp->next_byte = 0;
/* don't do tiny reads, grow first if we need to */
rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
if (rqlen <= 128) {
unsigned char *tmp;
iobp->io_buffer_size += 128;
tmp = realloc(iobp->io_buffer, iobp->io_buffer_size);
if (tmp == NULL) {
syslog(LOG_INFO, "Insufficient memory");
exit(EX_UNAVAILABLE);
}
iobp->io_buffer = tmp;
rqlen = iobp->io_buffer_size - iobp->io_buffer_len;
}
/*
* Always leave an unused byte at the end of the buffer
* because the debug output uses that byte from time to time
* to ensure that something that is being printed is \0 terminated.
*/
rqlen -= 1;
doread:
rlen = read(iobp->fd, &iobp->io_buffer[iobp->io_buffer_len], rqlen);
iobp->data_available = 0;
switch (rlen) {
case -1:
if (errno == EAGAIN || errno == EINTR)
goto doread;
if (errno != ECONNRESET) {
syslog(LOG_INFO, "read() failed on socket from %s (%m)",
iobp->who);
exit(EX_DATAERR);
}
/* fall through to EOF case */
case 0:
iobp->got_eof = 1;
return(0);
break;
default:
iobp->io_buffer_len += rlen;
break;
}
return(1);
}
/*
* telnet_getline - a hacked up version of fgets to ignore TELNET escape codes.
*
* This code is derived from the getline routine found in the UC Berkeley
* ftpd code.
*
*/
int
telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough)
{
unsigned char ch;
int ix;
unsigned char tbuf[100];
iobp->line_buffer[0] = '\0';
/*
* If the buffer is empty then refill it right away.
*/
if (iobp->next_byte == iobp->io_buffer_len)
if (!refill_buffer(iobp))
return(0);
/*
* Is there a telnet command in the buffer?
*/
ch = iobp->io_buffer[iobp->next_byte];
if (ch == IAC) {
/*
* Yes - buffer must have at least three bytes in it
*/
if (iobp->io_buffer_len - iobp->next_byte < 3) {
if (!refill_buffer(iobp))
return(0);
if (iobp->io_buffer_len - iobp->next_byte < 3)
return(0);
}
iobp->next_byte++;
ch = iobp->io_buffer[iobp->next_byte++];
switch (ch) {
case WILL:
case WONT:
case DO:
case DONT:
tbuf[0] = IAC;
tbuf[1] = ch;
tbuf[2] = iobp->io_buffer[iobp->next_byte++];
(void)send(telnet_passthrough->fd, tbuf, 3,
telnet_passthrough->send_oob_flags);
break;
case IAC:
break;
default:
break;
}
return(1);
} else {
int clen;
/*
* Is there a newline in the buffer?
*/
for (ix = iobp->next_byte; ix < iobp->io_buffer_len;
ix += 1) {
if (iobp->io_buffer[ix] == '\n')
break;
if (iobp->io_buffer[ix] == '\0') {
syslog(LOG_INFO,
"got NUL byte from %s - bye!",
iobp->who);
exit(EX_DATAERR);
}
}
if (ix == iobp->io_buffer_len) {
if (!refill_buffer(iobp))
return(0);
/*
* Empty line returned
* will try again soon!
*/
return(1);
}
/*
* Expand the line buffer if it isn't big enough. We
* use a fudge factor of 5 rather than trying to
* figure out exactly how to account for the '\0 \r\n' and
* such. The correct fudge factor is 0, 1 or 2 but
* anything higher also works. We also grow it by a
* bunch to avoid having to do this often. Yes this is
* nasty.
*/
if (ix - iobp->next_byte > iobp->line_buffer_size - 5) {
unsigned char *tmp;
iobp->line_buffer_size = 256 + ix - iobp->next_byte;
tmp = realloc(iobp->line_buffer,
iobp->line_buffer_size);
if (tmp == NULL) {
syslog(LOG_INFO, "Insufficient memory");
exit(EX_UNAVAILABLE);
}
iobp->line_buffer = tmp;
}
/* +1 is for the newline */
clen = (ix+1) - iobp->next_byte;
memcpy(iobp->line_buffer, &iobp->io_buffer[iobp->next_byte],
clen);
iobp->next_byte += clen;
iobp->line_buffer[clen] = '\0';
return(1);
}
}


@ -1,306 +0,0 @@
/* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
/*
* Copyright (c) 1996-2001
* Obtuse Systems Corporation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the Obtuse Systems nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE OBTUSE SYSTEMS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE
* SYSTEMS CORPORATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sysexits.h>
#include <syslog.h>
#include <unistd.h>
#include "util.h"
extern int ReverseMode;
int Debug_Level;
int Use_Rdns;
in_addr_t Bind_Addr = INADDR_NONE;
void debuglog(int debug_level, const char *fmt, ...);
void
debuglog(int debug_level, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
if (Debug_Level >= debug_level)
vsyslog(LOG_DEBUG, fmt, ap);
va_end(ap);
}
int
get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr)
{
struct pfioc_natlook natlook;
socklen_t slen;
int fd;
slen = sizeof(*proxy_sa_ptr);
if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
&slen) != 0) {
syslog(LOG_ERR, "getsockname() failed (%m)");
return(-1);
}
slen = sizeof(*client_sa_ptr);
if (getpeername(connected_fd, (struct sockaddr *)client_sa_ptr,
&slen) != 0) {
syslog(LOG_ERR, "getpeername() failed (%m)");
return(-1);
}
if (ReverseMode)
return(0);
/*
* Build up the pf natlook structure.
* Just for IPv4 right now
*/
memset((void *)&natlook, 0, sizeof(natlook));
natlook.af = AF_INET;
natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr;
natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr;
natlook.proto = IPPROTO_TCP;
natlook.sport = client_sa_ptr->sin_port;
natlook.dport = proxy_sa_ptr->sin_port;
natlook.direction = PF_OUT;
/*
* Open the pf device and lookup the mapping pair to find
* the original address we were supposed to connect to.
*/
fd = open("/dev/pf", O_RDWR);
if (fd == -1) {
syslog(LOG_ERR, "cannot open /dev/pf (%m)");
exit(EX_UNAVAILABLE);
}
if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
syslog(LOG_INFO,
"pf nat lookup failed %s:%hu (%m)",
inet_ntoa(client_sa_ptr->sin_addr),
ntohs(client_sa_ptr->sin_port));
close(fd);
return(-1);
}
close(fd);
/*
* Now jam the original address and port back into the into
* destination sockaddr_in for the proxy to deal with.
*/
memset((void *)real_server_sa_ptr, 0, sizeof(struct sockaddr_in));
real_server_sa_ptr->sin_port = natlook.rdport;
real_server_sa_ptr->sin_addr.s_addr = natlook.rdaddr.addr32[0];
real_server_sa_ptr->sin_len = sizeof(struct sockaddr_in);
real_server_sa_ptr->sin_family = AF_INET;
return(0);
}
/*
* Transfer one unit of data across a pair of sockets
*
* A unit of data is as much as we get with a single read(2) call.
*/
int
xfer_data(const char *what_read,int from_fd, int to_fd, struct in_addr from,
struct in_addr to)
{
int rlen, offset, xerrno, mark, flags = 0;
char tbuf[4096];
/*
* Are we at the OOB mark?
*/
if (ioctl(from_fd, SIOCATMARK, &mark) < 0) {
xerrno = errno;
syslog(LOG_ERR, "cannot ioctl(SIOCATMARK) socket from %s (%m)",
what_read);
errno = xerrno;
return(-1);
}
if (mark)
flags = MSG_OOB; /* Yes - at the OOB mark */
snarf:
rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
if (rlen == -1 && flags == MSG_OOB && errno == EINVAL) {
/* OOB didn't work */
flags = 0;
rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
}
if (rlen == 0) {
debuglog(3, "EOF on read socket");
return(0);
} else if (rlen == -1) {
if (errno == EAGAIN || errno == EINTR)
goto snarf;
xerrno = errno;
syslog(LOG_ERR, "xfer_data (%s): failed (%m) with flags 0%o",
what_read, flags);
errno = xerrno;
return(-1);
} else {
offset = 0;
debuglog(3, "got %d bytes from socket", rlen);
while (offset < rlen) {
int wlen;
fling:
wlen = send(to_fd, &tbuf[offset], rlen - offset,
flags);
if (wlen == 0) {
debuglog(3, "zero-length write");
goto fling;
} else if (wlen == -1) {
if (errno == EAGAIN || errno == EINTR)
goto fling;
xerrno = errno;
syslog(LOG_INFO, "write failed (%m)");
errno = xerrno;
return(-1);
} else {
debuglog(3, "wrote %d bytes to socket",wlen);
offset += wlen;
}
}
return(offset);
}
}
/*
* get_backchannel_socket gets us a socket bound somewhere in a
* particular range of ports
*/
int
get_backchannel_socket(int type, int min_port, int max_port, int start_port,
int direction, struct sockaddr_in *sap)
{
int count;
/*
* Make sure that direction is 'defined' and that min_port is not
* greater than max_port.
*/
if (direction != -1)
direction = 1;
/* by default we go up by one port until we find one */
if (min_port > max_port) {
errno = EINVAL;
return(-1);
}
count = 1 + max_port - min_port;
/*
* Pick a port we can bind to from within the range we want.
* If the caller specifies -1 as the starting port number then
* we pick one somewhere in the range to try.
* This is an optimization intended to speedup port selection and
* has NOTHING to do with security.
*/
if (start_port == -1)
start_port = (arc4random() % count) + min_port;
if (start_port < min_port || start_port > max_port) {
errno = EINVAL;
return(-1);
}
while (count-- > 0) {
struct sockaddr_in sa;
int one, fd;
fd = socket(AF_INET, type, 0);
bzero(&sa, sizeof sa);
sa.sin_family = AF_INET;
if (Bind_Addr == INADDR_NONE)
if (sap == NULL)
sa.sin_addr.s_addr = INADDR_ANY;
else
sa.sin_addr.s_addr = sap->sin_addr.s_addr;
else
sa.sin_addr.s_addr = Bind_Addr;
/*
* Indicate that we want to reuse a port if it happens that the
* port in question was a listen port recently.
*/
one = 1;
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one,
sizeof(one)) == -1)
return(-1);
sa.sin_port = htons(start_port);
if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
if (sap != NULL)
*sap = sa;
return(fd);
}
if (errno != EADDRINUSE)
return(-1);
/* if it's in use, try the next port */
close(fd);
start_port += direction;
if (start_port < min_port)
start_port = max_port;
else if (start_port > max_port)
start_port = min_port;
}
errno = EAGAIN;
return(-1);
}


@ -1,68 +0,0 @@
/* $OpenBSD: util.h,v 1.5 2005/02/24 15:49:08 dhartmei Exp $ */
/*
* Copyright (c) 1996-2001
* Obtuse Systems Corporation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the Obtuse Systems nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE SYSTEMS CORPORATION OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
struct proxy_channel {
int pc_to_fd, pc_from_fd;
int pc_alive;
int pc_nextbyte;
int pc_flags;
int pc_length;
int pc_size;
struct sockaddr_in pc_from_sa, pc_to_sa;
int (*pc_filter)( void ** databuf, int datalen);
char *pc_buffer;
};
struct csiob {
int fd;
int line_buffer_size, io_buffer_size, io_buffer_len, next_byte;
unsigned char *io_buffer, *line_buffer;
struct sockaddr_in sa, real_sa;
const char *who;
char alive, got_eof, data_available;
int send_oob_flags;
};
extern int telnet_getline(struct csiob *iobp,
struct csiob *telnet_passthrough);
extern int get_proxy_env(int fd, struct sockaddr_in *server_sa_ptr,
struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr);
extern int get_backchannel_socket(int type, int min_port, int max_port,
int start_port, int direction, struct sockaddr_in *sap);
extern int xfer_data(const char *what_read, int from_fd, int to_fd,
struct in_addr from, struct in_addr to);
extern char *ProgName;


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $
.\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 24, 2001
.Dd $Mdocdate$
.Dt PF 4
.Os
.Sh NAME


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.conf.5,v 1.376 2006/12/01 07:23:26 camield Exp $
.\" $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 19, 2002
.Dd $Mdocdate: June 26 2007 $
.Dt PF.CONF 5
.Os
.Sh NAME
@ -402,9 +402,10 @@ set limit { states 20000, frags 20000, src-nodes 2000 }
.Bl -tag -width xxxxxxxx -compact
.It Ar none
Disable the ruleset optimizer.
This is the default behaviour.
.It Ar basic
Enable basic ruleset optimization, which does four things to improve the
Enable basic ruleset optimization.
This is the default behaviour.
Basic ruleset optimization does four things to improve the
performance of ruleset evaluations:
.Pp
.Bl -enum -compact
@ -1247,7 +1248,7 @@ block all
.Ed
.It Ar pass
The packet is passed;
state is created state unless the
state is created unless the
.Ar no state
option is specified.
.El
@ -1418,7 +1419,8 @@ This rule applies only to packets with the specified source and destination
addresses and ports.
.Pp
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names or interface names, or as any of the following keywords:
symbolic host names, interface names or interface group names, or as any
of the following keywords:
.Pp
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
@ -1440,7 +1442,7 @@ the route back to the packet's source address.
Any address that matches the given table.
.El
.Pp
Interface names can have modifiers appended:
Interface names and interface group names can have modifiers appended:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar :network
@ -1603,7 +1605,7 @@ Flags not specified in
are ignored.
For stateful connections, the default is
.Ar flags S/SA .
To indicate that flags should not be checkd at all, specify
To indicate that flags should not be checked at all, specify
.Ar flags any .
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.Bl -tag -width Fl
@ -1687,13 +1689,14 @@ pass all tos 0x10
pass all tos 16
.Ed
.It Ar allow-opts
By default, packets which contain IP options are blocked.
By default, IPv4 packets with IP options or IPv6 packets with routing
extension headers are blocked.
When
.Ar allow-opts
is specified for a
.Ar pass
rule, packets that pass the filter based on that rule (last matching)
do so even if they contain IP options.
do so even if they contain IP options or routing extension headers.
For packets that match state, the rule that initially created the
state is used.
The implicit
@ -1914,7 +1917,7 @@ pool options.
Note that by default these associations are destroyed as soon as there are
no longer states which refer to them; in order to make the mappings last
beyond the lifetime of the states, increase the global options with
.Ar set timeout source-track
.Ar set timeout src.track .
See
.Sx STATEFUL TRACKING OPTIONS
for more ways to control the source tracking.
@ -2759,7 +2762,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ( interface-name | "{" interface-list "}" ) ] |
[ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
pf-rule = action [ ( "in" | "out" ) ]
@ -2801,8 +2804,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ portspec ] [ pooltype ] ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" )
[ af ] [ "label" string ]
"for" ifspec [ af ] [ "label" string ]
table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
@ -2810,8 +2812,8 @@ tableopts = "persist" | "const" | "file" string |
"{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
interface-name | "self"
tableaddr = hostname | ifspec | "self" |
ipv4-dotted-quad | ipv6-coloned-hex
altq-rule = "altq on" interface-name queueopts-list
"queue" subqueue
@ -2842,8 +2844,10 @@ return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
icmpcode = ( icmp-code-name | icmp-code-number )
icmp6code = ( icmp6-code-name | icmp6-code-number )
ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
interface-list = [ "!" ] ( interface-name | interface-group )
[ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" )
[ pooltype ]
@ -2863,8 +2867,9 @@ ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost = address [ "/" mask-bits ]
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
address = ( interface-name | "(" interface-name ")" | hostname |
ipv4-dotted-quad | ipv6-coloned-hex )
address = ( interface-name | interface-group |
"(" ( interface-name | interface-group ) ")" |
hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
routehost-list = routehost [ [ "," ] routehost-list ]


@ -1,4 +1,4 @@
.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
@ -13,7 +13,7 @@
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd August 18, 2003
.Dd $Mdocdate$
.Dt PF.OS 5
.Os
.Sh NAME


@ -1,4 +1,4 @@
.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 10, 2001
.Dd $Mdocdate$
.Dt PFLOG 4
.Os
.Sh NAME


@ -1,4 +1,4 @@
.\" $OpenBSD: pfsync.4,v 1.24 2006/10/23 07:05:49 jmc Exp $
.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 29, 2002
.Dd $Mdocdate$
.Dt PFSYNC 4
.Os
.Sh NAME

18
pfctl/Makefile Normal file

@ -0,0 +1,18 @@
# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
PROG= pfctl
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
SRCS+= pfctl_optimize.c pf_ruleset.c
CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
CFLAGS+= -Wstrict-prototypes -I${.CURDIR}
YFLAGS=
MAN= pfctl.8
# Ruleset and Anchor handling
.PATH: ${.CURDIR}/../../sys/net
LDADD+= -lm
DPADD+= ${LIBM}
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */
/* $OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -425,7 +425,7 @@ typedef struct {
%type <v.number> tos not yesno
%type <v.i> no dir af fragcache optimizer
%type <v.i> sourcetrack flush unaryop statelock
%type <v.b> action nataction natpass scrubaction
%type <v.b> action nataction natpasslog scrubaction
%type <v.b> flags flag blockspec
%type <v.range> port rport
%type <v.hashkey> hashkey
@ -3439,12 +3439,13 @@ redirection : /* empty */ { $$ = NULL; }
}
;
natpass : /* empty */ { $$.b1 = $$.b2 = 0; }
| PASS { $$.b1 = 1; $$.b2 = 0; }
natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
| PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
| PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
| log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; }
;
nataction : no NAT natpass {
nataction : no NAT natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
@ -3457,7 +3458,7 @@ nataction : no NAT natpass {
$$.w = $3.b2;
$$.w2 = $3.w2;
}
| no RDR natpass {
| no RDR natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
@ -3631,7 +3632,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
}
;
binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
binatrule : no BINAT natpasslog interface af proto FROM host TO ipspec tag
tagged rtable redirection
{
struct pf_rule binat;
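Review bot: The new natpasslog nonterminal packs three fields into $$ without saying what they mean, and nataction then copies `$3.b2` into `.w` and `$3.w2` into `.w2`, so a reader has to trace back through the `log` rule to learn that b1 is the pass flag, b2 the log flags and w2 the log interface; a comment above the rule, `/* natpasslog: b1 = pass, b2 = log flags, w2 = logif */`, would document that at the definition. The bare `log` alternative is also accepted after `no NAT`/`no RDR`/`no BINAT`, because the check at `if ($1 && $3.b1)` rejects only pass; if logging on a `no` rule is intended this is fine, otherwise the condition should reject b2 as well. The nataction and binatrule actions continue outside the hunk.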


@ -1,4 +1,4 @@
/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */
/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -151,7 +151,7 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
print_host(struct pf_state_host *h, sa_family_t af, int opts)
print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
{
u_int16_t p = ntohs(h->port);
@ -180,7 +180,7 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
}
void
print_seq(struct pf_state_peer *p)
print_seq(struct pfsync_state_peer *p)
{
if (p->seqdiff)
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
@ -190,9 +190,9 @@ print_seq(struct pf_state_peer *p)
}
void
print_state(struct pf_state *s, int opts)
print_state(struct pfsync_state *s, int opts)
{
struct pf_state_peer *src, *dst;
struct pfsync_state_peer *src, *dst;
struct protoent *p;
int min, sec;
@ -203,7 +203,7 @@ print_state(struct pf_state *s, int opts)
src = &s->dst;
dst = &s->src;
}
printf("%s ", s->u.ifname);
printf("%s ", s->ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
@ -278,20 +278,23 @@ print_state(struct pf_state *s, int opts)
s->expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
printf(", %llu:%llu pkts, %llu:%llu bytes",
s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
if (s->anchor.nr != -1)
printf(", anchor %u", s->anchor.nr);
if (s->rule.nr != -1)
printf(", rule %u", s->rule.nr);
if (s->src_node != NULL)
pf_state_counter_from_pfsync(s->packets[0]),
pf_state_counter_from_pfsync(s->packets[1]),
pf_state_counter_from_pfsync(s->bytes[0]),
pf_state_counter_from_pfsync(s->bytes[1]));
if (s->anchor != -1)
printf(", anchor %u", s->anchor);
if (s->rule != -1)
printf(", rule %u", s->rule);
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->nat_src_node != NULL)
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
printf(", sticky-address");
printf("\n");
}
if (opts & PF_OPT_VERBOSE2) {
printf(" id: %016llx creatorid: %08x%s\n",
betoh64(s->id), ntohl(s->creatorid),
pf_state_counter_from_pfsync(s->id), ntohl(s->creatorid),
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
}
}
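Review bot: The counters and the state id are now handed to `%llu`/`%016llx` as whatever pf_state_counter_from_pfsync() returns; if that is u_int64_t, it is unsigned long rather than unsigned long long on LP64 targets and the format no longer matches, so casting at the call, e.g. `(unsigned long long)pf_state_counter_from_pfsync(s->packets[0])`, keeps -Wformat quiet and the output portable. Reusing a helper named for counters on `s->id` also deserves a one-line comment at that call, something like `/* id uses the same split 32-bit pfsync layout as the counters */`, since a reader otherwise expects betoh64() there — assuming that is indeed why the helper applies. print_state() starts outside the hunk.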


@ -1,4 +1,4 @@
.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
.\" $OpenBSD: pfctl.8,v 1.133 2007/07/01 11:38:51 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 20, 2002
.Dd $Mdocdate: May 31 2007 $
.Dt PFCTL 8
.Os
.Sh NAME
@ -42,14 +42,14 @@
.Op Fl i Ar interface
.Op Fl K Ar host | network
.Op Fl k Ar host | network
.Op Fl o Op Ar level
.Op Fl o Ar level
.Op Fl p Ar device
.Op Fl s Ar modifier
.Oo
.Fl t Ar table
.Xo
.Oo Fl t Ar table
.Fl T Ar command
.Op Ar address ...
.Oc
.Op Ar address ... Oc
.Xc
.Op Fl x Ar level
.Ek
.Sh DESCRIPTION
@ -209,7 +209,7 @@ Flush the NAT rules.
Flush the queue rules.
.It Fl F Cm rules
Flush the filter rules.
.It Fl F Cm state
.It Fl F Cm states
Flush the state table (NAT and filter).
.It Fl F Cm Sources
Flush the source tracking table.
@ -296,58 +296,20 @@ Do not actually load rules, just parse them.
.It Fl O
Load only the options present in the rule file.
Other rules and options are ignored.
.It Fl o Op Ar level
Control the ruleset optimizer.
The ruleset optimizer attempts to improve rulesets by removing rule
duplication and making better use of rule ordering.
.It Fl o Ar level
Control the ruleset optimizer, overriding any rule file settings.
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Fl o Cm none
Disable the ruleset optimizer.
.It Fl o Cm basic
Enable basic ruleset optimizations.
This is the default behaviour.
.It Fl o Cm profile
Enable basic ruleset optimizations with profiling.
.El
.Pp
.Cm basic
optimization does does four things:
.Pp
.Bl -enum -compact
.It
remove duplicate rules
.It
remove rules that are a subset of another rule
.It
combine multiple rules into a table when advantageous
.It
re-order the rules to improve evaluation performance
.El
.Pp
If
.Cm profile
is specified, the currently loaded ruleset will be examined as a feedback
profile to tailor the optimization of the
.Ar quick
rules to the actual network behavior.
.Pp
It is important to note that the ruleset optimizer will modify the ruleset
to improve performance.
A side effect of the ruleset modification is that per-rule accounting
statistics will have different meanings than before.
If per-rule accounting is important for billing purposes or whatnot, either
the ruleset optimizer should not be used or a
.Ar label
field should be added to all of the accounting rules to act as optimization
barriers.
.Pp
To retain compatibility with previous behaviour, a single
.Fl o
without any options will enable
.Cm basic
optimizations, and a second
.Fl o
will enable profiling.
For further information on the ruleset optimizer, see
.Xr pf.conf 5 .
.It Fl p Ar device
Use the device file
.Ar device
@ -402,7 +364,7 @@ If
.Fl v
is specified, all anchors attached under the target anchor will be
displayed recursively.
.It Fl s Cm state
.It Fl s Cm states
Show the contents of the state table.
.It Fl s Cm Sources
Show the contents of the source tracking table.


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
/* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -201,11 +201,11 @@ static const struct {
static const char *clearopt_list[] = {
"nat", "queue", "rules", "Sources",
"state", "info", "Tables", "osfp", "all", NULL
"states", "info", "Tables", "osfp", "all", NULL
};
static const char *showopt_list[] = {
"nat", "queue", "rules", "Anchors", "Sources", "state", "info",
"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
"all", NULL
};
@ -220,7 +220,7 @@ static const char *debugopt_list[] = {
};
static const char *optiopt_list[] = {
"o", "none", "basic", "profile", NULL
"none", "basic", "profile", NULL
};
void
@ -231,8 +231,8 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
fprintf(stderr, "[-k host | network ]\n");
fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
fprintf(stderr, "[-k host | network]\n");
fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
@ -998,7 +998,7 @@ int
pfctl_show_states(int dev, const char *iface, int opts)
{
struct pfioc_states ps;
struct pf_state *p;
struct pfsync_state *p;
char *inbuf = NULL, *newinbuf = NULL;
unsigned len = 0;
int i, dotitle = (opts & PF_OPT_SHOWALL);
@ -1029,7 +1029,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
}
p = ps.ps_states;
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
if (iface != NULL && strcmp(p->u.ifname, iface))
if (iface != NULL && strcmp(p->ifname, iface))
continue;
if (dotitle) {
pfctl_print_title("STATES:");
@ -1954,7 +1954,7 @@ main(int argc, char *argv[])
int ch;
int mode = O_RDONLY;
int opts = 0;
int optimize = 0;
int optimize = PF_OPTIMIZE_BASIC;
char anchorname[MAXPATHLEN];
char *path;
FILE *fin = NULL;
@ -1963,7 +1963,7 @@ main(int argc, char *argv[])
usage();
while ((ch = getopt(argc, argv,
"a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
"a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@ -2039,24 +2039,11 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_FILTER;
break;
case 'o':
if (optarg) {
optiopt = pfctl_lookup_option(optarg,
optiopt_list);
if (optiopt == NULL) {
warnx("Unknown optimization '%s'",
optarg);
usage();
}
optiopt = pfctl_lookup_option(optarg, optiopt_list);
if (optiopt == NULL) {
warnx("Unknown optimization '%s'", optarg);
usage();
}
if (opts & PF_OPT_OPTIMIZE) {
if (optiopt != NULL) {
warnx("Cannot specify -o multiple times"
"with optimizer level");
usage();
}
optimize |= PF_OPTIMIZE_PROFILE;
}
optimize |= PF_OPTIMIZE_BASIC;
opts |= PF_OPT_OPTIMIZE;
break;
case 'O':
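Review bot: In the `case 'o':` branch, `optimize |= PF_OPTIMIZE_BASIC;` is redundant now that main() initialises `int optimize = PF_OPTIMIZE_BASIC;` in the earlier hunk, and it no longer reflects the level the user named: optiopt is validated against optiopt_list, but nothing in this hunk maps `none`/`basic`/`profile` onto optimize, so unless that happens later in main() (outside the hunk) `-o none` would still leave the basic optimizer enabled. Either drop the line or replace it with a comment stating where the mapping happens, e.g. `/* optiopt is applied to 'optimize' after option parsing */`. The old rejection of a repeated -o is gone as well; if last-one-wins is intended, a short comment here would make that explicit. main() starts outside the hunk.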


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */
/* $OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -112,9 +112,9 @@ struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
void print_host(struct pf_state_host *, sa_family_t, int);
void print_seq(struct pf_state_peer *);
void print_state(struct pf_state *, int);
void print_host(struct pfsync_state_host *, sa_family_t, int);
void print_seq(struct pfsync_state_peer *);
void print_state(struct pfsync_state *, int);
int unmask(struct pf_addr *, sa_family_t);
int pfctl_cmdline_symset(char *);


@ -1,4 +1,4 @@
/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */
/* $OpenBSD: pfctl_altq.c,v 1.92 2007/05/27 05:15:17 claudio Exp $ */
/*
* Copyright (c) 2002
@ -1091,8 +1091,6 @@ getifspeed(char *ifname)
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFDATA");
if (shutdown(s, SHUT_RDWR) == -1)
err(1, "shutdown");
if (close(s))
err(1, "close");
return ((u_int32_t)ifrdat.ifi_baudrate);
@ -1112,8 +1110,6 @@ getifmtu(char *ifname)
errx(1, "getifmtu: strlcpy");
if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFMTU");
if (shutdown(s, SHUT_RDWR) == -1)
err(1, "shutdown");
if (close(s))
err(1, "close");
if (ifr.ifr_mtu > 0)

11
pflogd/Makefile Normal file

@ -0,0 +1,11 @@
# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
LDADD+= -lpcap -lutil
DPADD+= ${LIBPCAP} ${LIBUTIL}
PROG= pflogd
SRCS= pflogd.c privsep.c privsep_fdpass.c
MAN= pflogd.8
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 9, 2001
.Dd $Mdocdate$
.Dt PFLOGD 8
.Os
.Sh NAME
@ -32,12 +32,15 @@
.Nd packet filter logging daemon
.Sh SYNOPSIS
.Nm pflogd
.Bk -words
.Op Fl Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl i Ar interface
.Op Fl p Ar pidfile
.Op Fl s Ar snaplen
.Op Ar expression
.Ek
.Sh DESCRIPTION
.Nm
is a background daemon which reads packets logged by
@ -114,6 +117,14 @@ By default,
.Nm
will use
.Ar pflog0 .
.It Fl p Ar pidfile
Writes a file containing the process ID of the program.
The file name has the form
.Pa /var/run/pidname.pid .
If the option is not given,
.Ar pidfile
defaults to
.Pa pflogd .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen


@ -1,4 +1,4 @@
/* $OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $ */
/* $OpenBSD: pflogd.c,v 1.45 2007/06/06 14:11:26 henning Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@ -34,6 +34,8 @@
#include <sys/ioctl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -42,6 +44,7 @@
#include <pcap.h>
#include <syslog.h>
#include <signal.h>
#include <err.h>
#include <errno.h>
#include <stdarg.h>
#include <fcntl.h>
@ -70,6 +73,7 @@ char *copy_argv(char * const *);
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
int flush_buffer(FILE *);
int if_exists(char *);
int init_pcap(void);
void logmsg(int, const char *, ...);
void purge_buffer(void);
@ -151,8 +155,8 @@ __dead void
usage(void)
{
fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
fprintf(stderr, " [-i interface] [-s snaplen]\n");
fprintf(stderr, " [expression]\n");
fprintf(stderr, " [-i interface] [-p pidfile]\n");
fprintf(stderr, " [-s snaplen] [expression]\n");
exit(1);
}
@ -188,6 +192,28 @@ set_pcap_filter(void)
}
}
int
if_exists(char *ifname)
{
int s;
struct ifreq ifr;
struct if_data ifrdat;
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
err(1, "socket");
bzero(&ifr, sizeof(ifr));
if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
sizeof(ifr.ifr_name))
errx(1, "main ifr_name: strlcpy");
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
return (0);
if (close(s))
err(1, "close");
return (1);
}
int
init_pcap(void)
{
@ -528,13 +554,16 @@ int
main(int argc, char **argv)
{
struct pcap_stat pstat;
int ch, np, Xflag = 0;
int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
char *pidf = NULL;
ret = 0;
closefrom(STDERR_FILENO + 1);
while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
while ((ch = getopt(argc, argv, "Dxd:f:i:p:s:")) != -1) {
switch (ch) {
case 'D':
Debug = 1;
@ -550,6 +579,9 @@ main(int argc, char **argv)
case 'i':
interface = optarg;
break;
case 'p':
pidf = optarg;
break;
case 's':
snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
&errstr);
@ -571,13 +603,21 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
/* does interface exist */
if (!if_exists(interface)) {
warn("Failed to initialize: %s", interface);
logmsg(LOG_ERR, "Failed to initialize: %s", interface);
logmsg(LOG_ERR, "Exiting, init failure");
exit(1);
}
if (!Debug) {
openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
if (daemon(0, 0)) {
logmsg(LOG_WARNING, "Failed to become daemon: %s",
strerror(errno));
}
pidfile(NULL);
pidfile(pidf);
}
tzset();
@ -634,8 +674,15 @@ main(int argc, char **argv)
while (1) {
np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
phandler, (u_char *)dpcap);
if (np < 0)
if (np < 0) {
if (!if_exists(interface) == -1) {
logmsg(LOG_NOTICE, "interface %s went away",
interface);
ret = -1;
break;
}
logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
}
if (gotsig_close)
break;
@ -675,5 +722,5 @@ main(int argc, char **argv)
pcap_close(hpcap);
if (!Debug)
closelog();
return (0);
return (ret);
}
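Review bot: The interface-went-away check `if (!if_exists(interface) == -1)` in the dispatch loop can never be true: `!if_exists(...)` is 0 or 1 and is compared with -1, so a pcap_dispatch() failure never sets `ret = -1` and the loop only logs and continues; it should read `if (!if_exists(interface)) {`. The new if_exists() also leaks its datagram socket on the failure path, since the ioctl() error returns 0 without closing `s`, and because the loop calls if_exists() after every pcap_dispatch() error a long-running daemon on a vanished interface would accumulate descriptors; closing first fixes it: `if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1) { close(s); return (0); }`. The startup check's `warn("Failed to initialize: %s", interface)` appends strerror(errno), which if_exists() does not set deliberately, so `warnx()` would avoid a stale reason in the message. main() starts outside the hunk.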


@ -1,121 +0,0 @@
/* $OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $ */
/* $NetBSD: pidfile.c,v 1.4 2001/02/19 22:43:42 cgd Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Jason R. Thorpe.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static const char rcsid[] = "$OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
#include <errno.h>
#include <paths.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include "pidfile.h"
#else
#include <util.h>
#endif
static char *pidfile_path;
static pid_t pidfile_pid;
static void pidfile_cleanup(void);
extern char *__progname;
int
pidfile(const char *basename)
{
FILE *f;
int save_errno;
pid_t pid;
if (basename == NULL)
basename = __progname;
if (pidfile_path != NULL) {
free(pidfile_path);
pidfile_path = NULL;
}
/* _PATH_VARRUN includes trailing / */
(void) asprintf(&pidfile_path, "%s%s.pid", _PATH_VARRUN, basename);
if (pidfile_path == NULL)
return (-1);
if ((f = fopen(pidfile_path, "w")) == NULL) {
save_errno = errno;
free(pidfile_path);
pidfile_path = NULL;
errno = save_errno;
return (-1);
}
pid = getpid();
if (fprintf(f, "%ld\n", (long)pid) <= 0 || fclose(f) != 0) {
save_errno = errno;
(void) unlink(pidfile_path);
free(pidfile_path);
pidfile_path = NULL;
errno = save_errno;
return (-1);
}
pidfile_pid = pid;
if (atexit(pidfile_cleanup) < 0) {
save_errno = errno;
(void) unlink(pidfile_path);
free(pidfile_path);
pidfile_path = NULL;
pidfile_pid = 0;
errno = save_errno;
return (-1);
}
return (0);
}
static void
pidfile_cleanup(void)
{
if (pidfile_path != NULL && pidfile_pid == getpid())
(void) unlink(pidfile_path);
}


@ -1 +0,0 @@
int pidfile(const char *);

7
tftp-proxy/Makefile Normal file

@ -0,0 +1,7 @@
# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
PROG= tftp-proxy
SRCS= tftp-proxy.c filter.c
MAN= tftp-proxy.8
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@ -297,9 +297,9 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
pfr.rule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);


@ -1,4 +1,4 @@
.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 28, 2005
.Dd $Mdocdate$
.Dt TFTP-PROXY 8
.Os
.Sh NAME