Date: Tue, 18 Aug 2009 16:13:59 +0000 (UTC) From: Max Laier <mlaier@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r196360 - vendor-sys/pf/dist/net vendor-sys/pf/dist/netinet vendor/pf/dist/authpf vendor/pf/dist/ftp-proxy vendor/pf/dist/libevent vendor/pf/dist/man vendor/pf/dist/pfctl vendor/pf/dist... Message-ID: <200908181613.n7IGDxSQ021986@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mlaier Date: Tue Aug 18 16:13:59 2009 New Revision: 196360 URL: http://svn.freebsd.org/changeset/base/196360 Log: eri@ wants to start on porting the latest pf in his user space so we can finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help with that. Added: vendor/pf/dist/man/pflow.4 Modified: vendor/pf/dist/authpf/Makefile vendor/pf/dist/authpf/authpf.8 vendor/pf/dist/authpf/authpf.c vendor/pf/dist/authpf/pathnames.h vendor/pf/dist/ftp-proxy/Makefile vendor/pf/dist/ftp-proxy/filter.c vendor/pf/dist/ftp-proxy/filter.h vendor/pf/dist/ftp-proxy/ftp-proxy.8 vendor/pf/dist/ftp-proxy/ftp-proxy.c vendor/pf/dist/libevent/buffer.c vendor/pf/dist/libevent/evbuffer.c vendor/pf/dist/libevent/event-internal.h vendor/pf/dist/libevent/event.c vendor/pf/dist/libevent/event.h vendor/pf/dist/libevent/evsignal.h vendor/pf/dist/libevent/kqueue.c vendor/pf/dist/libevent/log.c vendor/pf/dist/libevent/log.h vendor/pf/dist/libevent/poll.c vendor/pf/dist/libevent/select.c vendor/pf/dist/libevent/signal.c vendor/pf/dist/man/pf.4 vendor/pf/dist/man/pf.conf.5 vendor/pf/dist/man/pf.os.5 vendor/pf/dist/man/pflog.4 vendor/pf/dist/man/pfsync.4 vendor/pf/dist/pfctl/Makefile vendor/pf/dist/pfctl/parse.y vendor/pf/dist/pfctl/pf_print_state.c vendor/pf/dist/pfctl/pfctl.8 vendor/pf/dist/pfctl/pfctl.c vendor/pf/dist/pfctl/pfctl.h vendor/pf/dist/pfctl/pfctl_altq.c vendor/pf/dist/pfctl/pfctl_optimize.c vendor/pf/dist/pfctl/pfctl_osfp.c vendor/pf/dist/pfctl/pfctl_parser.c vendor/pf/dist/pfctl/pfctl_parser.h vendor/pf/dist/pfctl/pfctl_qstats.c vendor/pf/dist/pfctl/pfctl_radix.c vendor/pf/dist/pfctl/pfctl_table.c vendor/pf/dist/pflogd/Makefile vendor/pf/dist/pflogd/pflogd.8 vendor/pf/dist/pflogd/pflogd.c vendor/pf/dist/pflogd/pflogd.h vendor/pf/dist/pflogd/privsep.c vendor/pf/dist/pflogd/privsep_fdpass.c vendor/pf/dist/tftp-proxy/Makefile vendor/pf/dist/tftp-proxy/filter.c vendor/pf/dist/tftp-proxy/filter.h vendor/pf/dist/tftp-proxy/tftp-proxy.8 vendor/pf/dist/tftp-proxy/tftp-proxy.c Changes in other areas also in this revision: Added: vendor-sys/pf/dist/net/if_pflow.c vendor-sys/pf/dist/net/if_pflow.h vendor-sys/pf/dist/net/pf_lb.c Modified: vendor-sys/pf/dist/net/if_pflog.c vendor-sys/pf/dist/net/if_pflog.h vendor-sys/pf/dist/net/if_pfsync.c vendor-sys/pf/dist/net/if_pfsync.h vendor-sys/pf/dist/net/pf.c vendor-sys/pf/dist/net/pf_if.c vendor-sys/pf/dist/net/pf_ioctl.c vendor-sys/pf/dist/net/pf_norm.c vendor-sys/pf/dist/net/pf_osfp.c vendor-sys/pf/dist/net/pf_ruleset.c vendor-sys/pf/dist/net/pf_table.c vendor-sys/pf/dist/net/pfvar.h vendor-sys/pf/dist/netinet/in4_cksum.c Modified: vendor/pf/dist/authpf/Makefile ============================================================================== --- vendor/pf/dist/authpf/Makefile Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/authpf/Makefile Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $ +# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $ PROG= authpf MAN= authpf.8 Modified: vendor/pf/dist/authpf/authpf.8 ============================================================================== --- vendor/pf/dist/authpf/authpf.8 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/authpf/authpf.8 Tue Aug 18 16:13:59 2009 (r196360) @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 14 2008 $ +.Dd $Mdocdate: March 18 2008 $ .Dt AUTHPF 8 .Os .Sh NAME @@ -202,6 +202,9 @@ It is also possible to configure to only allow specific users access. This is done by listing their login names, one per line, in .Pa /etc/authpf/authpf.allow . +A group of users can also be indicated by prepending "%" to the group name, +and all members of a login class can be indicated by prepending "@" to the +login class name. If "*" is found on a line, then all usernames match. If .Nm @@ -314,7 +317,8 @@ They have a wireless network which they would like to protect from unauthorized use. To accomplish this, they create the file .Pa /etc/authpf/authpf.allow -which lists their login ids, one per line. +which lists their login ids, group prepended with "%", or login class +prepended with "@", one per line. At this point, even if eve could authenticate to .Xr sshd 8 , she would not be allowed to use the gateway. Modified: vendor/pf/dist/authpf/authpf.c ============================================================================== --- vendor/pf/dist/authpf/authpf.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/authpf/authpf.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */ +/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */ /* * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). @@ -32,6 +32,7 @@ #include <errno.h> #include <login_cap.h> #include <pwd.h> +#include <grp.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> @@ -43,7 +44,7 @@ static int read_config(FILE *); static void print_message(char *); -static int allowed_luser(char *); +static int allowed_luser(struct passwd *); static int check_luser(char *, char *); static int remove_stale_rulesets(void); static int recursive_ruleset_purge(char *, char *); @@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "au int user_ip = 1; /* controls whether $user_ip is set */ FILE *pidfp; +int pidfd = -1; char luser[MAXLOGNAME]; /* username */ char ipsrc[256]; /* ip as a string */ char pidfile[MAXPATHLEN]; /* we save pid in this file. */ @@ -78,7 +80,7 @@ extern char *__progname; /* program name int main(int argc, char *argv[]) { - int lockcnt = 0, n, pidfd; + int lockcnt = 0, n; FILE *config; struct in6_addr ina; struct passwd *pw; @@ -93,7 +95,7 @@ main(int argc, char *argv[]) config = fopen(PATH_CONFFILE, "r"); if (config == NULL) { - syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE); + syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE); exit(1); } @@ -186,6 +188,14 @@ main(int argc, char *argv[]) goto die; } + signal(SIGTERM, need_death); + signal(SIGINT, need_death); + signal(SIGALRM, need_death); + signal(SIGPIPE, need_death); + signal(SIGHUP, need_death); + signal(SIGQUIT, need_death); + signal(SIGTSTP, need_death); + /* * If someone else is already using this ip, then this person * wants to switch users - so kill the old process and exit @@ -239,15 +249,17 @@ main(int argc, char *argv[]) } /* - * we try to kill the previous process and acquire the lock + * We try to kill the previous process and acquire the lock * for 10 seconds, trying once a second. if we can't after - * 10 attempts we log an error and give up + * 10 attempts we log an error and give up. */ - if (++lockcnt > 10) { - syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", - otherpid); + if (want_death || ++lockcnt > 10) { + if (!want_death) + syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", + otherpid); fclose(pidfp); pidfp = NULL; + pidfd = -1; goto dogdeath; } sleep(1); @@ -258,6 +270,7 @@ main(int argc, char *argv[]) */ fclose(pidfp); pidfp = NULL; + pidfd = -1; } while (1); /* whack the group list */ @@ -275,7 +288,7 @@ main(int argc, char *argv[]) } openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); - if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { + if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) { syslog(LOG_INFO, "user %s prohibited", luser); do_death(0); } @@ -306,13 +319,6 @@ main(int argc, char *argv[]) do_death(0); } - signal(SIGTERM, need_death); - signal(SIGINT, need_death); - signal(SIGALRM, need_death); - signal(SIGPIPE, need_death); - signal(SIGHUP, need_death); - signal(SIGQUIT, need_death); - signal(SIGTSTP, need_death); while (1) { printf("\r\nHello %s. ", luser); printf("You are authenticated from host \"%s\"\r\n", ipsrc); @@ -434,6 +440,7 @@ print_message(char *filename) * allowed_luser checks to see if user "luser" is allowed to * use this gateway by virtue of being listed in an allowed * users file, namely /etc/authpf/authpf.allow . + * Users may be listed by <username>, %<group>, or @<login_class>. * * If /etc/authpf/authpf.allow does not exist, then we assume that * all users who are allowed in by sshd(8) are permitted to @@ -442,7 +449,7 @@ print_message(char *filename) * the session terminates in the same manner as being banned. */ static int -allowed_luser(char *luser) +allowed_luser(struct passwd *pw) { char *buf, *lbuf; int matched; @@ -474,8 +481,14 @@ allowed_luser(char *luser) * "public" gateway, such as it is, so let * everyone use it. */ + int gl_init = 0, ngroups = NGROUPS + 1; + gid_t groups[NGROUPS + 1]; + lbuf = NULL; + matched = 0; + while ((buf = fgetln(f, &len))) { + if (buf[len - 1] == '\n') buf[len - 1] = '\0'; else { @@ -486,7 +499,40 @@ allowed_luser(char *luser) buf = lbuf; } - matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0; + if (buf[0] == '@') { + /* check login class */ + if (strcmp(pw->pw_class, buf + 1) == 0) + matched++; + } else if (buf[0] == '%') { + /* check group membership */ + int cnt; + struct group *group; + + if ((group = getgrnam(buf + 1)) == NULL) { + syslog(LOG_ERR, + "invalid group '%s' in %s (%s)", + buf + 1, PATH_ALLOWFILE, + strerror(errno)); + return (0); + } + + if (!gl_init) { + (void) getgrouplist(pw->pw_name, + pw->pw_gid, groups, &ngroups); + gl_init++; + } + + for ( cnt = 0; cnt < ngroups; cnt++) { + if (group->gr_gid == groups[cnt]) { + matched++; + break; + } + } + } else { + /* check username and wildcard */ + matched = strcmp(pw->pw_name, buf) == 0 || + strcmp("*", buf) == 0; + } if (lbuf != NULL) { free(lbuf); @@ -494,10 +540,10 @@ allowed_luser(char *luser) } if (matched) - return (1); /* matched an allowed username */ + return (1); /* matched an allowed user/group */ } syslog(LOG_INFO, "denied access to %s: not listed in %s", - luser, PATH_ALLOWFILE); + pw->pw_name, PATH_ALLOWFILE); /* reuse buf */ buf = "\n\nSorry, you are not allowed to use this facility!\n"; @@ -878,7 +924,7 @@ do_death(int active) authpf_kill_states(); } } - if (pidfile[0] && (pidfp != NULL)) + if (pidfile[0] && pidfd != -1) if (unlink(pidfile) == -1) syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile); exit(ret); Modified: vendor/pf/dist/authpf/pathnames.h ============================================================================== --- vendor/pf/dist/authpf/pathnames.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/authpf/pathnames.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */ +/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */ /* * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca) Modified: vendor/pf/dist/ftp-proxy/Makefile ============================================================================== --- vendor/pf/dist/ftp-proxy/Makefile Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/ftp-proxy/Makefile Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $ +# $OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $ PROG= ftp-proxy SRCS= ftp-proxy.c filter.c Modified: vendor/pf/dist/ftp-proxy/filter.c ============================================================================== --- vendor/pf/dist/ftp-proxy/filter.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/ftp-proxy/filter.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */ +/* $OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> Modified: vendor/pf/dist/ftp-proxy/filter.h ============================================================================== --- vendor/pf/dist/ftp-proxy/filter.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/ftp-proxy/filter.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */ +/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.8 ============================================================================== --- vendor/pf/dist/ftp-proxy/ftp-proxy.8 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/ftp-proxy/ftp-proxy.8 Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $ .\" .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> .\" Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.c ============================================================================== --- vendor/pf/dist/ftp-proxy/ftp-proxy.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/ftp-proxy/ftp-proxy.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */ +/* $OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> Modified: vendor/pf/dist/libevent/buffer.c ============================================================================== --- vendor/pf/dist/libevent/buffer.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/buffer.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $ */ + /* * Copyright (c) 2002, 2003 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -62,7 +64,7 @@ struct evbuffer * evbuffer_new(void) { struct evbuffer *buffer; - + buffer = calloc(1, sizeof(struct evbuffer)); return (buffer); @@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer) free(buffer); } -/* +/* * This is a destructive add. The data from one buffer moves into * the other buffer. */ @@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *out SWAP(outbuf, inbuf); SWAP(inbuf, &tmp); - /* + /* * Optimization comes with a price; we need to notify the * buffer if necessary of the changes. oldoff is the amount - * of data that we transfered from inbuf to outbuf + * of data that we transferred from inbuf to outbuf */ if (inbuf->off != oldoff && inbuf->cb != NULL) (*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg); if (oldoff && outbuf->cb != NULL) (*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg); - + return (0); } @@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, vo memcpy(data, buf->buffer, nread); evbuffer_drain(buf, nread); - + return (nread); } @@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int if (n < EVBUFFER_MAX_READ) n = EVBUFFER_MAX_READ; } -#endif +#endif if (howmuch < 0 || howmuch > n) howmuch = n; Modified: vendor/pf/dist/libevent/evbuffer.c ============================================================================== --- vendor/pf/dist/libevent/evbuffer.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/evbuffer.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $ */ + /* * Copyright (c) 2002-2004 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int ti return (event_add(ev, ptv)); } -/* +/* * This callback is executed when the size of the input buffer changes. * We use it to apply back pressure on the reading side. */ @@ -73,7 +75,7 @@ void bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now, void *arg) { struct bufferevent *bufev = arg; - /* + /* * If we are below the watermark then reschedule reading if it's * still enabled. */ @@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *buf */ int -bufferevent_write(struct bufferevent *bufev, void *data, size_t size) +bufferevent_write(struct bufferevent *bufev, const void *data, size_t size) { int res; Modified: vendor/pf/dist/libevent/event-internal.h ============================================================================== --- vendor/pf/dist/libevent/event-internal.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/event-internal.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */ + /* * Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu> * All rights reserved. Modified: vendor/pf/dist/libevent/event.c ============================================================================== --- vendor/pf/dist/libevent/event.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/event.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $ */ + /* * Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -38,7 +40,7 @@ #include <sys/tree.h> #ifdef HAVE_SYS_TIME_H #include <sys/time.h> -#else +#else #include <sys/_time.h> #endif #include <sys/queue.h> @@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeo RB_GENERATE(event_tree, event, ev_timeout_node, compare); -void * +struct event_base * event_init(void) { int i; @@ -194,13 +196,13 @@ event_init(void) detect_monotonic(); gettime(&base->event_tv); - + RB_INIT(&base->timetree); TAILQ_INIT(&base->eventqueue); TAILQ_INIT(&base->sig.signalqueue); base->sig.ev_signal_pair[0] = -1; base->sig.ev_signal_pair[1] = -1; - + base->evbase = NULL; for (i = 0; eventops[i] && !base->evbase; i++) { base->evsel = eventops[i]; @@ -321,7 +323,7 @@ event_process_active(struct event_base * for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) { event_queue_remove(base, ev, EVLIST_ACTIVE); - + /* Allows deletes to work */ ncalls = ev->ev_ncalls; ev->ev_pncalls = &ncalls; @@ -430,7 +432,7 @@ event_base_loop(struct event_base *base, */ timerclear(&tv); } - + /* If we have no events, we just exit */ if (!event_haveevents(base)) { event_debug(("%s: no events registered.", __func__)); @@ -439,7 +441,6 @@ event_base_loop(struct event_base *base, res = evsel->dispatch(base, evbase, tv_p); - if (res == -1) return (-1); @@ -652,7 +653,7 @@ event_add(struct event *ev, struct timev /* Abort loop */ *ev->ev_pncalls = 0; } - + event_queue_remove(base, ev, EVLIST_ACTIVE); } @@ -913,10 +914,10 @@ event_queue_insert(struct event_base *ba const char * event_get_version(void) { - return (VERSION); + return (LIBEVENT_VERSION); } -/* +/* * No thread-safe interface needed - the information should be the same * for all threads. */ Modified: vendor/pf/dist/libevent/event.h ============================================================================== --- vendor/pf/dist/libevent/event.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/event.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $ */ + /* * Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -43,6 +45,8 @@ typedef unsigned char u_char; typedef unsigned short u_short; #endif +#define LIBEVENT_VERSION "1.3e" + #define EVLIST_TIMEOUT 0x01 #define EVLIST_INSERTED 0x02 #define EVLIST_SIGNAL 0x04 @@ -141,7 +145,7 @@ struct eventop { void (*dealloc)(struct event_base *, void *); }; -void *event_init(void); +struct event_base *event_init(void); int event_dispatch(void); int event_base_dispatch(struct event_base *); void event_base_free(struct event_base *); @@ -169,12 +173,6 @@ int event_base_loopexit(struct event_bas #define evtimer_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv) #define evtimer_initialized(ev) ((ev)->ev_flags & EVLIST_INIT) -#define timeout_add(ev, tv) event_add(ev, tv) -#define timeout_set(ev, cb, arg) event_set(ev, -1, 0, cb, arg) -#define timeout_del(ev) event_del(ev) -#define timeout_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv) -#define timeout_initialized(ev) ((ev)->ev_flags & EVLIST_INIT) - #define signal_add(ev, tv) event_add(ev, tv) #define signal_set(ev, x, cb, arg) \ event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg) @@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev); int bufferevent_priority_set(struct bufferevent *bufev, int pri); void bufferevent_free(struct bufferevent *bufev); -int bufferevent_write(struct bufferevent *bufev, void *data, size_t size); +int bufferevent_write(struct bufferevent *bufev, + const void *data, size_t size); int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf); size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size); int bufferevent_enable(struct bufferevent *bufev, short event); @@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t); void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t, size_t, void *), void *); -/* +/* * Marshaling tagged data - We assume that all tags are inserted in their * numeric order - so that unknown tags will always be higher than the * known ones - and we can just ignore the end of an event buffer. Modified: vendor/pf/dist/libevent/evsignal.h ============================================================================== --- vendor/pf/dist/libevent/evsignal.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/evsignal.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $ */ + /* * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu> * All rights reserved. Modified: vendor/pf/dist/libevent/kqueue.c ============================================================================== --- vendor/pf/dist/libevent/kqueue.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/kqueue.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $ */ +/* $OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $ */ /* * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu> @@ -97,14 +97,14 @@ kq_init(struct event_base *base) struct kqop *kqueueop; /* Disable kqueue when this environment variable is set */ - if (getenv("EVENT_NOKQUEUE")) + if (!issetugid() && getenv("EVENT_NOKQUEUE")) return (NULL); if (!(kqueueop = calloc(1, sizeof(struct kqop)))) return (NULL); /* Initalize the kernel queue */ - + if ((kq = kqueue()) == -1) { event_warn("kqueue"); free (kqueueop); @@ -114,12 +114,12 @@ kq_init(struct event_base *base) kqueueop->kq = kq; /* Initalize fields */ - kqueueop->changes = malloc(NEVENT * sizeof(struct kevent)); + kqueueop->changes = calloc(NEVENT, sizeof(struct kevent)); if (kqueueop->changes == NULL) { free (kqueueop); return (NULL); } - kqueueop->events = malloc(NEVENT * sizeof(struct kevent)); + kqueueop->events = calloc(NEVENT, sizeof(struct kevent)); if (kqueueop->events == NULL) { free (kqueueop->changes); free (kqueueop); @@ -131,7 +131,7 @@ kq_init(struct event_base *base) kqueueop->changes[0].ident = -1; kqueueop->changes[0].filter = EVFILT_READ; kqueueop->changes[0].flags = EV_ADD; - /* + /* * If kqueue works, then kevent will succeed, and it will * stick an error in events[0]. If kqueue is broken, then * kevent will fail. @@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct keve memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent)); event_debug(("%s: fd %d %s%s", - __func__, kev->ident, + __func__, kev->ident, kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE", kev->flags == EV_DELETE ? " (del)" : "")); @@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, voi int which = 0; if (events[i].flags & EV_ERROR) { - /* + /* * Error messages that can happen, when a delete fails. * EBADF happens when the file discriptor has been * closed, @@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev) if (!(ev->ev_events & EV_PERSIST)) kev.flags |= EV_ONESHOT; kev.udata = PTR_TO_UDATA(ev); - + if (kq_insert(kqop, &kev) == -1) return (-1); @@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev) if (!(ev->ev_events & EV_PERSIST)) kev.flags |= EV_ONESHOT; kev.udata = PTR_TO_UDATA(ev); - + if (kq_insert(kqop, &kev) == -1) return (-1); @@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev) if (!(ev->ev_events & EV_PERSIST)) kev.flags |= EV_ONESHOT; kev.udata = PTR_TO_UDATA(ev); - + if (kq_insert(kqop, &kev) == -1) return (-1); @@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev) kev.ident = nsignal; kev.filter = EVFILT_SIGNAL; kev.flags = EV_DELETE; - + if (kq_insert(kqop, &kev) == -1) return (-1); @@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev) kev.ident = ev->ev_fd; kev.filter = EVFILT_READ; kev.flags = EV_DELETE; - + if (kq_insert(kqop, &kev) == -1) return (-1); @@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev) kev.ident = ev->ev_fd; kev.filter = EVFILT_WRITE; kev.flags = EV_DELETE; - + if (kq_insert(kqop, &kev) == -1) return (-1); Modified: vendor/pf/dist/libevent/log.c ============================================================================== --- vendor/pf/dist/libevent/log.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/log.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */ +/* $OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $ */ /* * log.c @@ -102,7 +102,7 @@ void event_err(int eval, const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_ERR, errno, fmt, ap); va_end(ap); @@ -113,7 +113,7 @@ void event_warn(const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_WARN, errno, fmt, ap); va_end(ap); @@ -123,7 +123,7 @@ void event_errx(int eval, const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_ERR, -1, fmt, ap); va_end(ap); @@ -134,7 +134,7 @@ void event_warnx(const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_WARN, -1, fmt, ap); va_end(ap); @@ -144,7 +144,7 @@ void event_msgx(const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_MSG, -1, fmt, ap); va_end(ap); @@ -154,7 +154,7 @@ void _event_debugx(const char *fmt, ...) { va_list ap; - + va_start(ap, fmt); _warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap); va_end(ap); Modified: vendor/pf/dist/libevent/log.h ============================================================================== --- vendor/pf/dist/libevent/log.h Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/log.h Tue Aug 18 16:13:59 2009 (r196360) @@ -1,3 +1,5 @@ +/* $OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */ + /* * Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu> * All rights reserved. Modified: vendor/pf/dist/libevent/poll.c ============================================================================== --- vendor/pf/dist/libevent/poll.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/poll.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */ +/* $OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $ */ /* * Copyright 2000-2003 Niels Provos <provos@citi.umich.edu> @@ -89,7 +89,7 @@ poll_init(struct event_base *base) struct pollop *pollop; /* Disable poll when this environment variable is set */ - if (getenv("EVENT_NOPOLL")) + if (!issetugid() && getenv("EVENT_NOPOLL")) return (NULL); if (!(pollop = calloc(1, sizeof(struct pollop)))) @@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, v for (i = 0; i < nfds; i++) { int what = pop->event_set[i].revents; struct event *r_ev = NULL, *w_ev = NULL; + if (!what) continue; @@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev) --pop->nfds; if (i != pop->nfds) { - /* + /* * Shift the last pollfd down into the now-unoccupied * position. */ Modified: vendor/pf/dist/libevent/select.c ============================================================================== --- vendor/pf/dist/libevent/select.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/select.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */ +/* $OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $ */ /* * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu> @@ -96,7 +96,7 @@ select_init(struct event_base *base) struct selectop *sop; /* Disable select when this environment variable is set */ - if (getenv("EVENT_NOSELECT")) + if (!issetugid() && getenv("EVENT_NOSELECT")) return (NULL); if (!(sop = calloc(1, sizeof(struct selectop)))) Modified: vendor/pf/dist/libevent/signal.c ============================================================================== --- vendor/pf/dist/libevent/signal.c Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/libevent/signal.c Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */ +/* $OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $ */ /* * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu> @@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *ar void evsignal_init(struct event_base *base) { - /* + /* * Our signal handler is going to write to one end of the socket * pair to wake up our event loop. The event loop then scans for * signals that got delivered. Modified: vendor/pf/dist/man/pf.4 ============================================================================== --- vendor/pf/dist/man/pf.4 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/man/pf.4 Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $ +.\" $OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: September 4 2008 $ .Dt PF 4 .Os .Sh NAME @@ -1050,12 +1050,14 @@ internal interface description. The filtering process is the same as for .Dv DIOCIGETIFACES . .Bd -literal -#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ +#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ .Ed .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" Works as .Dv DIOCSETIFFLAG above but clears the flags. +.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io" +Explicitly remove source tracking nodes. .El .Sh FILES .Bl -tag -width /dev/pf -compact @@ -1133,6 +1135,7 @@ main(int argc, char *argv[]) .Xr ioctl 2 , .Xr bridge 4 , .Xr pflog 4 , +.Xr pflow 4 , .Xr pfsync 4 , .Xr pfctl 8 , .Xr altq 9 Modified: vendor/pf/dist/man/pf.conf.5 ============================================================================== --- vendor/pf/dist/man/pf.conf.5 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/man/pf.conf.5 Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2008 $ +.Dd $Mdocdate: October 2 2008 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -517,6 +517,16 @@ For example: .Bd -literal -offset indent set state-policy if-bound .Ed +.It Ar set state-defaults +The +.Ar state-defaults +option sets the state options for states created from rules +without an explicit +.Ar keep state . +For example: +.Bd -literal -offset indent +set state-defaults pflow, no-sync +.Ed .It Ar set hostid The 32-bit .Ar hostid @@ -901,7 +911,7 @@ Defines a list of subqueues to create on .El .Pp In the following example, the interface dc0 -should queue up to 5 Mbit/s in four second-level queues using +should queue up to 5Mbps in four second-level queues using Class Based Queueing. Those four queues will be shown in a later example. .Bd -literal -offset indent @@ -1488,7 +1498,7 @@ Translates to the network(s) attached to .It Ar :broadcast Translates to the interface's broadcast address(es). .It Ar :peer -Translates to the point to point interface's peer address(es). +Translates to the point-to-point interface's peer address(es). .It Ar :0 Do not include interface aliases. .El @@ -2098,6 +2108,10 @@ easier. This is intended to be used in situations where one does not see all packets of a connection, e.g. in asymmetric routing situations. Cannot be used with modulate or synproxy state. +.It Ar pflow +States created by this rule are exported on the +.Xr pflow 4 +interface. .El .Pp Multiple options can be specified, separated by commas: @@ -2821,6 +2835,7 @@ option = "set" ( [ "timeout" ( t [ "loginterface" ( interface-name | "none" ) ] | [ "block-policy" ( "drop" | "return" ) ] | [ "state-policy" ( "if-bound" | "floating" ) ] + [ "state-defaults" state-opts ] [ "require-order" ( "yes" | "no" ) ] [ "fingerprints" filename ] | [ "skip on" ifspec ] | @@ -2963,7 +2978,7 @@ tos = ( "lowdelay" | "through [ "0x" ] number ) state-opts = state-opt [ [ "," ] state-opts ] -state-opt = ( "max" number | "no-sync" | timeout | sloppy | +state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" | "source-track" [ ( "rule" | "global" ) ] | "max-src-nodes" number | "max-src-states" number | "max-src-conn" number | @@ -3026,6 +3041,7 @@ Service name database. .Xr ip 4 , .Xr ip6 4 , .Xr pf 4 , +.Xr pflow 4 , .Xr pfsync 4 , .Xr route 4 , .Xr tcp 4 , Modified: vendor/pf/dist/man/pf.os.5 ============================================================================== --- vendor/pf/dist/man/pf.os.5 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/man/pf.os.5 Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $ +.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $ .\" .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> .\" Modified: vendor/pf/dist/man/pflog.4 ============================================================================== --- vendor/pf/dist/man/pflog.4 Tue Aug 18 14:00:25 2009 (r196359) +++ vendor/pf/dist/man/pflog.4 Tue Aug 18 16:13:59 2009 (r196360) @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $ +.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $ .\" .\" Copyright (c) 2001 Tobias Weingartner .\" All rights reserved. Added: vendor/pf/dist/man/pflow.4 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor/pf/dist/man/pflow.4 Tue Aug 18 16:13:59 2009 (r196360) @@ -0,0 +1,113 @@ +.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $ +.\" +.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: October 28 2008 $ +.Dt PFLOW 4 +.Os +.Sh NAME +.Nm pflow +.Nd kernel interface for pflow data export +.Sh SYNOPSIS +.Cd "pseudo-device pflow" +.Sh DESCRIPTION +The *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908181613.n7IGDxSQ021986>