Date: Mon, 1 Apr 2019 06:04:53 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: Kristof Provost <kp@freebsd.org>
Cc: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl
Message-ID: <201904011304.x31D4sCH015086@gndrsh.dnsmgr.net>
In-Reply-To: <20190401055318.GI7163@vega.codepro.be>
> Author: kp
> Date: Mon Apr 1 06:51:32 2019
> New Revision: 345760
> URL: https://svnweb.freebsd.org/changeset/base/345625
> 
> Log:
> pf: Remove obsolete pf
> 
> pf in FreeBSD lags years behind OpenBSD's pf.
> Remove it.
> 
> Users are advised to migrate to ipf.

WOW! Where was any discussion on arch@ or any other place had about this action? I have just come back from ietf/104 with very specific requests about the state of this code.... This is totally outside of the normal deprecation model; you have not even committed a warning that this is gone_in_14, which would be the more proper model to follow.

> Deleted:
> head/contrib/pf/authpf/authpf.8
> head/contrib/pf/authpf/authpf.c
> head/contrib/pf/authpf/pathnames.h
> head/contrib/pf/ftp-proxy/filter.c
> head/contrib/pf/ftp-proxy/filter.h
> head/contrib/pf/ftp-proxy/ftp-proxy.8
> head/contrib/pf/ftp-proxy/ftp-proxy.c
> head/contrib/pf/libevent/buffer.c
> head/contrib/pf/libevent/evbuffer.c
> head/contrib/pf/libevent/event-internal.h
> head/contrib/pf/libevent/event.c
> head/contrib/pf/libevent/event.h
> head/contrib/pf/libevent/evsignal.h
> head/contrib/pf/libevent/kqueue.c
> head/contrib/pf/libevent/log.c
> head/contrib/pf/libevent/log.h
> head/contrib/pf/libevent/poll.c
> head/contrib/pf/libevent/select.c
> head/contrib/pf/libevent/signal.c
> head/contrib/pf/pflogd/pflogd.8
> head/contrib/pf/pflogd/pflogd.c
> head/contrib/pf/pflogd/pflogd.h
> head/contrib/pf/pflogd/pidfile.c
> head/contrib/pf/pflogd/pidfile.h
> head/contrib/pf/pflogd/privsep.c
> head/contrib/pf/pflogd/privsep_fdpass.c
> head/contrib/pf/tftp-proxy/filter.c
> head/contrib/pf/tftp-proxy/filter.h
> head/contrib/pf/tftp-proxy/tftp-proxy.8
> head/contrib/pf/tftp-proxy/tftp-proxy.c
> head/contrib/tcpdump/print-pflog.c
> head/contrib/tcpdump/print-pfsync.c
> head/sbin/pfctl/Makefile
> head/sbin/pfctl/parse.y
> head/sbin/pfctl/pf.os
> head/sbin/pfctl/pf_print_state.c
> head/sbin/pfctl/pfctl.8
> head/sbin/pfctl/pfctl.c
> head/sbin/pfctl/pfctl.h
> head/sbin/pfctl/pfctl_altq.c
> head/sbin/pfctl/pfctl_optimize.c
> head/sbin/pfctl/pfctl_osfp.c
> head/sbin/pfctl/pfctl_parser.c
> head/sbin/pfctl/pfctl_parser.h
> head/sbin/pfctl/pfctl_qstats.c
> head/sbin/pfctl/pfctl_radix.c
> head/sbin/pfctl/pfctl_table.c
> head/sys/modules/pf/Makefile
> head/sys/modules/pflog/Makefile
> head/sys/modules/pfsync/Makefile
> head/sys/netpfil/pf/if_pflog.c
> head/sys/netpfil/pf/if_pfsync.c
> head/sys/netpfil/pf/in4_cksum.c
> head/sys/netpfil/pf/pf.c
> head/sys/netpfil/pf/pf.h
> head/sys/netpfil/pf/pf_altq.h
> head/sys/netpfil/pf/pf_if.c
> head/sys/netpfil/pf/pf_ioctl.c
> head/sys/netpfil/pf/pf_lb.c
> head/sys/netpfil/pf/pf_mtag.h
> head/sys/netpfil/pf/pf_norm.c
> head/sys/netpfil/pf/pf_osfp.c
> head/sys/netpfil/pf/pf_ruleset.c
> head/sys/netpfil/pf/pf_table.c
> 
> Index: contrib/pf/authpf/authpf.8
> ===================================================================
> --- contrib/pf/authpf/authpf.8 (revision 345223)
> +++ contrib/pf/authpf/authpf.8 (working copy)
> @@ -1,584 +0,0 @@ > -.\" $FreeBSD$ > -.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $ > -.\" > -.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. > -.\" > -.\" Permission to use, copy, modify, and distribute this software for any > -.\" purpose with or without fee is hereby granted, provided that the above > -.\" copyright notice and this permission notice appear in all copies. > -.\" > -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > -.\" > -.Dd January 29 2014 > -.Dt AUTHPF 8 > -.Os > -.Sh NAME > -.Nm authpf , > -.Nm authpf-noip > -.Nd authenticating gateway user shell > -.Sh SYNOPSIS > -.Nm authpf > -.Nm authpf-noip > -.Sh DESCRIPTION > -.Nm > -is a user shell for authenticating gateways. > -It is used to change > -.Xr pf 4 > -rules when a user authenticates and starts a session with > -.Xr sshd 8 > -and to undo these changes when the user's session exits. > -Typical use would be for a gateway that authenticates users before > -allowing them Internet use, or a gateway that allows different users into > -different places. > -Combined with properly set up filter rules and secure switches, > -.Nm > -can be used to ensure users are held accountable for their network traffic. > -It is meant to be used with users who can connect via > -.Xr ssh 1 > -only, and requires the > -.Xr pf 4 > -subsystem and an > -.Xr fdescfs 5 > -file system mounted at > -.Pa /dev/fd > -to be enabled. 
> -.Pp > -.Nm authpf-noip > -is a user shell > -which allows multiple connections to take > -place from the same IP address. > -It is useful primarily in cases where connections are tunneled via > -the gateway system, and can be directly associated with the user name. > -It cannot ensure accountability when > -classifying connections by IP address; > -in this case the client's IP address > -is not provided to the packet filter via the > -.Ar client_ip > -macro or the > -.Ar authpf_users > -table. > -Additionally, states associated with the client IP address > -are not purged when the session is ended. > -.Pp > -To use either > -.Nm > -or > -.Nm authpf-noip , > -the user's shell needs to be set to > -.Pa /usr/sbin/authpf > -or > -.Pa /usr/sbin/authpf-noip . > -.Pp > -.Nm > -uses the > -.Xr pf.conf 5 > -syntax to change filter and translation rules for an individual > -user or client IP address as long as a user maintains an active > -.Xr ssh 1 > -session, and logs the successful start and end of a session to > -.Xr syslogd 8 . > -.Nm > -retrieves the client's connecting IP address via the > -.Ev SSH_CLIENT > -environment variable and, after performing additional access checks, > -reads a template file to determine what filter and translation rules > -(if any) to add, and > -maintains the list of IP addresses of connected users in the > -.Ar authpf_users > -table. > -On session exit the same rules and table entries that were added at startup > -are removed, and all states associated with the client's IP address are purged. > -.Pp > -Each > -.Nm > -process stores its rules in a separate ruleset inside a > -.Xr pf 4 > -.Pa anchor > -shared by all > -.Nm > -processes. > -By default, the > -.Pa anchor > -name "authpf" is used, and the ruleset names equal the username and PID of the > -.Nm > -processes as "username(pid)". 
> -The following rules need to be added to the main ruleset > -.Pa /etc/pf.conf > -in order to cause evaluation of any > -.Nm > -rules: > -.Bd -literal -offset indent > -nat-anchor "authpf/*" > -rdr-anchor "authpf/*" > -binat-anchor "authpf/*" > -anchor "authpf/*" > -.Ed > -.Pp > -The "/*" at the end of the anchor name is required for > -.Xr pf 4 > -to process the rulesets attached to the anchor by > -.Nm authpf . > -.Sh FILTER AND TRANSLATION RULES > -Filter and translation rules for > -.Nm > -use the same format described in > -.Xr pf.conf 5 . > -The only difference is that these rules may (and probably should) use > -the macro > -.Em user_ip , > -which is assigned the connecting IP address whenever > -.Nm > -is run. > -Additionally, the macro > -.Em user_id > -is assigned the user name. > -.Pp > -Filter and translation rules are stored in a file called > -.Pa authpf.rules . > -This file will first be searched for in > -.Pa /etc/authpf/users/$USER/ > -and then in > -.Pa /etc/authpf/ . > -Only one of these files will be used if both are present. > -.Pp > -Per-user rules from the > -.Pa /etc/authpf/users/$USER/ > -directory are intended to be used when non-default rules > -are needed on an individual user basis. > -It is important to ensure that a user can not write or change > -these configuration files. > -.Pp > -The > -.Pa authpf.rules > -file must exist in one of the above locations for > -.Nm > -to run. > -.Sh CONFIGURATION > -Options are controlled by the > -.Pa /etc/authpf/authpf.conf > -file. > -If the file is empty, defaults are used for all > -configuration options. > -The file consists of pairs of the form > -.Li name=value , > -one per line. > -Currently, the allowed values are as follows: > -.Bl -tag -width Ds > -.It anchor=name > -Use the specified > -.Pa anchor > -name instead of "authpf". > -.It table=name > -Use the specified > -.Pa table > -name instead of "authpf_users". 
> -.El > -.Sh USER MESSAGES > -On successful invocation, > -.Nm > -displays a message telling the user he or she has been authenticated. > -It will additionally display the contents of the file > -.Pa /etc/authpf/authpf.message > -if the file exists and is readable. > -.Pp > -There exist two methods for providing additional granularity to the control > -offered by > -.Nm > -- it is possible to set the gateway to explicitly allow users who have > -authenticated to > -.Xr ssh 1 > -and deny access to only a few troublesome individuals. > -This is done by creating a file with the banned user's login name as the > -filename in > -.Pa /etc/authpf/banned/ . > -The contents of this file will be displayed to a banned user, thus providing > -a method for informing the user that they have been banned, and where they can > -go and how to get there if they want to have their service restored. > -This is the default behaviour. > -.Pp > -It is also possible to configure > -.Nm > -to only allow specific users access. > -This is done by listing their login names, one per line, in > -.Pa /etc/authpf/authpf.allow . > -A group of users can also be indicated by prepending "%" to the group name, > -and all members of a login class can be indicated by prepending "@" to the > -login class name. > -If "*" is found on a line, then all usernames match. > -If > -.Nm > -is unable to verify the user's permission to use the gateway, it will > -print a brief message and die. > -It should be noted that a ban takes precedence over an allow. > -.Pp > -On failure, messages will be logged to > -.Xr syslogd 8 > -for the system administrator. > -The user does not see these, but will be told the system is unavailable due to > -technical difficulties. > -The contents of the file > -.Pa /etc/authpf/authpf.problem > -will also be displayed if the file exists and is readable. > -.Sh CONFIGURATION ISSUES > -.Nm > -maintains the changed filter rules as long as the user maintains an > -active session. 
> -It is important to remember however, that the existence > -of this session means the user is authenticated. > -Because of this, it is important to configure > -.Xr sshd 8 > -to ensure the security of the session, and to ensure that the network > -through which users connect is secure. > -.Xr sshd 8 > -should be configured to use the > -.Ar ClientAliveInterval > -and > -.Ar ClientAliveCountMax > -parameters to ensure that a ssh session is terminated quickly if > -it becomes unresponsive, or if arp or address spoofing is used to > -hijack the session. > -Note that TCP keepalives are not sufficient for > -this, since they are not secure. > -Also note that the various SSH tunnelling mechanisms, > -such as > -.Ar AllowTcpForwarding > -and > -.Ar PermitTunnel , > -should be disabled for > -.Nm > -users to prevent them from circumventing restrictions imposed by the > -packet filter ruleset. > -.Pp > -.Nm > -will remove state table entries that were created during a user's > -session. > -This ensures that there will be no unauthenticated traffic > -allowed to pass after the controlling > -.Xr ssh 1 > -session has been closed. > -.Pp > -.Nm > -is designed for gateway machines which typically do not have regular > -(non-administrative) users using the machine. > -An administrator must remember that > -.Nm > -can be used to modify the filter rules through the environment in > -which it is run, and as such could be used to modify the filter rules > -(based on the contents of the configuration files) by regular > -users. > -In the case where a machine has regular users using it, as well > -as users with > -.Nm > -as their shell, the regular users should be prevented from running > -.Nm > -by using the > -.Pa /etc/authpf/authpf.allow > -or > -.Pa /etc/authpf/banned/ > -facilities. > -.Pp > -.Nm > -modifies the packet filter and address translation rules, and because > -of this it needs to be configured carefully. 
> -.Nm > -will not run and will exit silently if the > -.Pa /etc/authpf/authpf.conf > -file does not exist. > -After considering the effect > -.Nm > -may have on the main packet filter rules, the system administrator may > -enable > -.Nm > -by creating an appropriate > -.Pa /etc/authpf/authpf.conf > -file. > -.Sh EXAMPLES > -.Sy Control Files > -\- To illustrate the user-specific access control > -mechanisms, let us consider a typical user named bob. > -Normally, as long as bob can authenticate himself, the > -.Nm > -program will load the appropriate rules. > -Enter the > -.Pa /etc/authpf/banned/ > -directory. > -If bob has somehow fallen from grace in the eyes of the > -powers-that-be, they can prohibit him from using the gateway by creating > -the file > -.Pa /etc/authpf/banned/bob > -containing a message about why he has been banned from using the network. > -Once bob has done suitable penance, his access may be restored by moving or > -removing the file > -.Pa /etc/authpf/banned/bob . > -.Pp > -Now consider a workgroup containing alice, bob, carol and dave. > -They have a > -wireless network which they would like to protect from unauthorized use. > -To accomplish this, they create the file > -.Pa /etc/authpf/authpf.allow > -which lists their login ids, group prepended with "%", or login class > -prepended with "@", one per line. > -At this point, even if eve could authenticate to > -.Xr sshd 8 , > -she would not be allowed to use the gateway. > -Adding and removing users from > -the work group is a simple matter of maintaining a list of allowed userids. > -If bob once again manages to annoy the powers-that-be, they can ban him from > -using the gateway by creating the familiar > -.Pa /etc/authpf/banned/bob > -file. > -Though bob is listed in the allow file, he is prevented from using > -this gateway due to the existence of a ban file. 
> -.Pp > -.Sy Distributed Authentication > -\- It is often desirable to interface with a > -distributed password system rather than forcing the sysadmins to keep a large > -number of local password files in sync. > -The > -.Xr login.conf 5 > -mechanism in > -.Ox > -can be used to fork the right shell. > -To make that happen, > -.Xr login.conf 5 > -should have entries that look something like this: > -.Bd -literal -offset indent > -shell-default:shell=/bin/csh > - > -default:\e > - ... > - :shell=/usr/sbin/authpf > - > -daemon:\e > - ... > - :shell=/bin/csh:\e > - :tc=default: > - > -staff:\e > - ... > - :shell=/bin/csh:\e > - :tc=default: > -.Ed > -.Pp > -Using a default password file, all users will get > -.Nm > -as their shell except for root who will get > -.Pa /bin/csh . > -.Pp > -.Sy SSH Configuration > -\- As stated earlier, > -.Xr sshd 8 > -must be properly configured to detect and defeat network attacks. > -To that end, the following options should be added to > -.Xr sshd_config 5 : > -.Bd -literal -offset indent > -Protocol 2 > -ClientAliveInterval 15 > -ClientAliveCountMax 3 > -.Ed > -.Pp > -This ensures that unresponsive or spoofed sessions are terminated within a > -minute, since a hijacker should not be able to spoof ssh keepalive messages. > -.Pp > -.Sy Banners > -\- Once authenticated, the user is shown the contents of > -.Pa /etc/authpf/authpf.message . > -This message may be a screen-full of the appropriate use policy, the contents > -of > -.Pa /etc/motd > -or something as simple as the following: > -.Bd -literal -offset indent > -This means you will be held accountable by the powers that be > -for traffic originating from your machine, so please play nice. > -.Ed > -.Pp > -To tell the user where to go when the system is broken, > -.Pa /etc/authpf/authpf.problem > -could contain something like this: > -.Bd -literal -offset indent > -Sorry, there appears to be some system problem. 
To report this > -problem so we can fix it, please phone 1-900-314-1597 or send > -an email to remove@bulkmailerz.net. > -.Ed > -.Pp > -.Sy Packet Filter Rules > -\- In areas where this gateway is used to protect a > -wireless network (a hub with several hundred ports), the default rule set as > -well as the per-user rules should probably allow very few things beyond > -encrypted protocols like > -.Xr ssh 1 , > -.Xr ssl 8 , > -or > -.Xr ipsec 4 . > -On a securely switched network, with plug-in jacks for visitors who are > -given authentication accounts, you might want to allow out everything. > -In this context, a secure switch is one that tries to prevent address table > -overflow attacks. > -.Pp > -Example > -.Pa /etc/pf.conf : > -.Bd -literal > -# by default we allow internal clients to talk to us using > -# ssh and use us as a dns server. > -internal_if="fxp1" > -gateway_addr="10.0.1.1" > -nat-anchor "authpf/*" > -rdr-anchor "authpf/*" > -binat-anchor "authpf/*" > -block in on $internal_if from any to any > -pass in quick on $internal_if proto tcp from any to $gateway_addr \e > - port = ssh > -pass in quick on $internal_if proto udp from any to $gateway_addr \e > - port = domain > -anchor "authpf/*" > -.Ed > -.Pp > -.Sy For a switched, wired net > -\- This example > -.Pa /etc/authpf/authpf.rules > -makes no real restrictions; it turns the IP address on and off, logging > -TCP connections. > -.Bd -literal > -external_if = "xl0" > -internal_if = "fxp0" > - > -pass in log quick on $internal_if proto tcp from $user_ip to any > -pass in quick on $internal_if from $user_ip to any > -.Ed > -.Pp > -.Sy For a wireless or shared net > -\- This example > -.Pa /etc/authpf/authpf.rules > -could be used for an insecure network (such as a public wireless network) where > -we might need to be a bit more restrictive. 
> -.Bd -literal > -internal_if="fxp1" > -ipsec_gw="10.2.3.4" > - > -# rdr ftp for proxying by ftp-proxy(8) > -rdr on $internal_if proto tcp from $user_ip to any port 21 \e > - -> 127.0.0.1 port 8021 > - > -# allow out ftp, ssh, www and https only, and allow user to negotiate > -# ipsec with the ipsec server. > -pass in log quick on $internal_if proto tcp from $user_ip to any \e > - port { 21, 22, 80, 443 } > -pass in quick on $internal_if proto tcp from $user_ip to any \e > - port { 21, 22, 80, 443 } > -pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp > -pass in quick proto esp from $user_ip to $ipsec_gw > -.Ed > -.Pp > -.Sy Dealing with NAT > -\- The following > -.Pa /etc/authpf/authpf.rules > -shows how to deal with NAT, using tags: > -.Bd -literal > -ext_if = "fxp1" > -ext_addr = 129.128.11.10 > -int_if = "fxp0" > -# nat and tag connections... > -nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr > -pass in quick on $int_if from $user_ip to any > -pass out log quick on $ext_if tagged $user_ip > -.Ed > -.Pp > -With the above rules added by > -.Nm , > -outbound connections corresponding to each users NAT'ed connections > -will be logged as in the example below, where the user may be identified > -from the ruleset name. > -.Bd -literal > -# tcpdump -n -e -ttt -i pflog0 > -Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e > -129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e > -16384 <mss 1460,nop,nop,sackOK> (DF) > -.Ed > -.Pp > -.Sy Using the authpf_users table > -\- Simple > -.Nm > -settings can be implemented without an anchor by just using the "authpf_users" > -.Pa table . 
> -For example, the following > -.Xr pf.conf 5 > -lines will give SMTP and IMAP access to logged in users: > -.Bd -literal > -table <authpf_users> persist > -pass in on $ext_if proto tcp from <authpf_users> \e > - to port { smtp imap } > -.Ed > -.Pp > -It is also possible to use the "authpf_users" > -.Pa table > -in combination with anchors. > -For example, > -.Xr pf 4 > -processing can be sped up by looking up the anchor > -only for packets coming from logged in users: > -.Bd -literal > -table <authpf_users> persist > -anchor "authpf/*" from <authpf_users> > -rdr-anchor "authpf/*" from <authpf_users> > -.Ed > -.Pp > -.Sy Tunneled users > -\- normally > -.Nm > -allows only one session per client IP address. > -However in some cases, such as when connections are tunneled via > -.Xr ssh 1 > -or > -.Xr ipsec 4 , > -the connections can be authorized based on the userid of the user instead of > -the client IP address. > -In this case it is appropriate to use > -.Nm authpf-noip > -to allow multiple users behind a NAT gateway to connect. > -In the > -.Pa /etc/authpf/authpf.rules > -example below, the remote user could tunnel a remote desktop session to their > -workstation: > -.Bd -literal > -internal_if="bge0" > -workstation_ip="10.2.3.4" > - > -pass out on $internal_if from (self) to $workstation_ip port 3389 \e > - user $user_id > -.Ed > -.Sh FILES > -.Bl -tag -width "/etc/authpf/authpf.conf" -compact > -.It Pa /etc/authpf/authpf.conf > -.It Pa /etc/authpf/authpf.allow > -.It Pa /etc/authpf/authpf.rules > -.It Pa /etc/authpf/authpf.message > -.It Pa /etc/authpf/authpf.problem > -.El > -.Sh SEE ALSO > -.Xr pf 4 , > -.Xr fdescfs 5 , > -.Xr pf.conf 5 , > -.Xr securelevel 7 , > -.Xr ftp-proxy 8 > -.Sh HISTORY > -The > -.Nm > -program first appeared in > -.Ox 3.1 . > -.Sh BUGS > -Configuration issues are tricky. 
> -The authenticating > -.Xr ssh 1 > -connection may be secured, but if the network is not secured the user may > -expose insecure protocols to attackers on the same network, or enable other > -attackers on the network to pretend to be the user by spoofing their IP > -address. > -.Pp > -.Nm > -is not designed to prevent users from denying service to other users. > Index: contrib/pf/authpf/pathnames.h > =================================================================== > --- contrib/pf/authpf/pathnames.h (revision 345223) > +++ contrib/pf/authpf/pathnames.h (working copy) 
> @@ -1,39 +0,0 @@ > -/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */ > - > -/* > - * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca) > - * > - * Redistribution and use in source and binary forms, with or without > - * modification, are permitted provided that the following conditions > - * are met: > - * 1. Redistributions of source code must retain the above copyright > - * notice, this list of conditions and the following disclaimer. > - * 2. Redistributions in binary form must reproduce the above copyright > - * notice, this list of conditions and the following disclaimer in the > - * documentation and/or other materials provided with the distribution. > - * > - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND > - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE > - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE > - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS > - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) > - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT > - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY > - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > - * SUCH DAMAGE. 
> - */ > - > -#define PATH_CONFFILE "/etc/authpf/authpf.conf" > -#define PATH_ALLOWFILE "/etc/authpf/authpf.allow" > -#define PATH_PFRULES "/etc/authpf/authpf.rules" > -#define PATH_PROBLEM "/etc/authpf/authpf.problem" > -#define PATH_MESSAGE "/etc/authpf/authpf.message" > -#define PATH_USER_DIR "/etc/authpf/users" > -#define PATH_BAN_DIR "/etc/authpf/banned" > -#define PATH_DEVFILE "/dev/pf" > -#define PATH_PIDFILE "/var/authpf" > -#define PATH_AUTHPF_SHELL "/usr/sbin/authpf" > -#define PATH_AUTHPF_SHELL_NOIP "/usr/sbin/authpf-noip" > -#define PATH_PFCTL "/sbin/pfctl" > Index: contrib/pf/ftp-proxy/filter.c > =================================================================== > --- contrib/pf/ftp-proxy/filter.c (revision 345223) > +++ contrib/pf/ftp-proxy/filter.c (working copy) 
> @@ -1,393 +0,0 @@ > -/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */ > - > -/* > - * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> > - * > - * Permission to use, copy, modify, and distribute this software for any > - * purpose with or without fee is hereby granted, provided that the above > - * copyright notice and this permission notice appear in all copies. > - * > - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > - */ > - > -#include <sys/ioctl.h> > -#include <sys/types.h> > -#include <sys/socket.h> > - > -#include <net/if.h> > -#include <net/pfvar.h> > -#include <netinet/in.h> > -#include <netinet/tcp.h> > -#include <arpa/inet.h> > - > -#include <err.h> > -#include <errno.h> > -#include <fcntl.h> > -#include <stdio.h> > -#include <string.h> > -#include <unistd.h> > - > -#include "filter.h" > - > -/* From netinet/in.h, but only _KERNEL_ gets them. 
*/ > -#define satosin(sa) ((struct sockaddr_in *)(sa)) > -#define satosin6(sa) ((struct sockaddr_in6 *)(sa)) > - > -enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE }; > - > -int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *, > - u_int16_t); > -int server_lookup4(struct sockaddr_in *, struct sockaddr_in *, > - struct sockaddr_in *); > -int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, > - struct sockaddr_in6 *); > - > -static struct pfioc_pooladdr pfp; > -static struct pfioc_rule pfr; > -static struct pfioc_trans pft; > -static struct pfioc_trans_e pfte[TRANS_SIZE]; > -static int dev, rule_log; > -static const char *qname, *tagname; > - > -int > -add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, > - struct sockaddr *dst, u_int16_t d_port) > -{ > - if (!src || !dst || !d_port) { > - errno = EINVAL; > - return (-1); > - } > - > - if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1) > - return (-1); > - > - pfr.rule.direction = dir; > - if (ioctl(dev, DIOCADDRULE, &pfr) == -1) > - return (-1); > - > - return (0); > -} > - > -int > -add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, > - u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low, > - u_int16_t nat_range_high) > -{ > - if (!src || !dst || !d_port || !nat || !nat_range_low || > - (src->sa_family != nat->sa_family)) { > - errno = EINVAL; > - return (-1); > - } > - > - if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port) == -1) > - return (-1); > - > - if (nat->sa_family == AF_INET) { > - memcpy(&pfp.addr.addr.v.a.addr.v4, > - &satosin(nat)->sin_addr.s_addr, 4); > - memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4); > - } else { > - memcpy(&pfp.addr.addr.v.a.addr.v6, > - &satosin6(nat)->sin6_addr.s6_addr, 16); > - memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); > - } > - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) > - return (-1); > - > - pfr.rule.rpool.proxy_port[0] = nat_range_low; > - pfr.rule.rpool.proxy_port[1] = 
nat_range_high; > - if (ioctl(dev, DIOCADDRULE, &pfr) == -1) > - return (-1); > - > - return (0); > -} > - > -int > -add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, > - u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port) > -{ > - if (!src || !dst || !d_port || !rdr || !rdr_port || > - (src->sa_family != rdr->sa_family)) { > - errno = EINVAL; > - return (-1); > - } > - > - if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1) > - return (-1); > - > - if (rdr->sa_family == AF_INET) { > - memcpy(&pfp.addr.addr.v.a.addr.v4, > - &satosin(rdr)->sin_addr.s_addr, 4); > - memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4); > - } else { > - memcpy(&pfp.addr.addr.v.a.addr.v6, > - &satosin6(rdr)->sin6_addr.s6_addr, 16); > - memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); > - } > - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) > - return (-1); > - > - pfr.rule.rpool.proxy_port[0] = rdr_port; > - if (ioctl(dev, DIOCADDRULE, &pfr) == -1) > - return (-1); > - > - return (0); > -} > - > -int > -do_commit(void) > -{ > - if (ioctl(dev, DIOCXCOMMIT, &pft) == -1) > - return (-1); > - > - return (0); > -} > - > -int > -do_rollback(void) > -{ > - if (ioctl(dev, DIOCXROLLBACK, &pft) == -1) > - return (-1); > - > - return (0); > -} > - > -void > -init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose) > -{ > - struct pf_status status; > - > - qname = opt_qname; > - tagname = opt_tagname; > - > - if (opt_verbose == 1) > - rule_log = PF_LOG; > - else if (opt_verbose == 2) > - rule_log = PF_LOG_ALL; > - > - dev = open("/dev/pf", O_RDWR); > - if (dev == -1) > - err(1, "open /dev/pf"); > - if (ioctl(dev, DIOCGETSTATUS, &status) == -1) > - err(1, "DIOCGETSTATUS"); > - if (!status.running) > - errx(1, "pf is disabled"); > -} > - > -int > -prepare_commit(u_int32_t id) > -{ > - char an[PF_ANCHOR_NAME_SIZE]; > - int i; > - > - memset(&pft, 0, sizeof pft); > - pft.size = TRANS_SIZE; > - pft.esize = sizeof pfte[0]; > - pft.array = pfte; > - > - snprintf(an, 
PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, > - getpid(), id); > - for (i = 0; i < TRANS_SIZE; i++) { > - memset(&pfte[i], 0, sizeof pfte[0]); > - strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE); > - switch (i) { > - case TRANS_FILTER: > - pfte[i].rs_num = PF_RULESET_FILTER; > - break; > - case TRANS_NAT: > - pfte[i].rs_num = PF_RULESET_NAT; > - break; > - case TRANS_RDR: > - pfte[i].rs_num = PF_RULESET_RDR; > - break; > - default: > - errno = EINVAL; > - return (-1); > - } > - } > - > - if (ioctl(dev, DIOCXBEGIN, &pft) == -1) > - return (-1); > - > - return (0); > -} > - > -int > -prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, > - struct sockaddr *dst, u_int16_t d_port) > -{ > - char an[PF_ANCHOR_NAME_SIZE]; > - > - if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) || > - (src->sa_family != dst->sa_family)) { > - errno = EPROTONOSUPPORT; > - return (-1); > - } > - > - memset(&pfp, 0, sizeof pfp); > - memset(&pfr, 0, sizeof pfr); > - snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, > - getpid(), id); > - strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); > - strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); > - > - switch (rs_num) { > - case PF_RULESET_FILTER: > - pfr.ticket = pfte[TRANS_FILTER].ticket; > - break; > - case PF_RULESET_NAT: > - pfr.ticket = pfte[TRANS_NAT].ticket; > - break; > - case PF_RULESET_RDR: > - pfr.ticket = pfte[TRANS_RDR].ticket; > - break; > - default: > - errno = EINVAL; > - return (-1); > - } > - if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) > - return (-1); > - pfr.pool_ticket = pfp.ticket; > - > - /* Generic for all rule types. 
*/ > - pfr.rule.af = src->sa_family; > - pfr.rule.proto = IPPROTO_TCP; > - pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; > - pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; > - if (src->sa_family == AF_INET) { > - memcpy(&pfr.rule.src.addr.v.a.addr.v4, > - &satosin(src)->sin_addr.s_addr, 4); > - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); > - memcpy(&pfr.rule.dst.addr.v.a.addr.v4, > - &satosin(dst)->sin_addr.s_addr, 4); > - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); > - } else { > - memcpy(&pfr.rule.src.addr.v.a.addr.v6, > - &satosin6(src)->sin6_addr.s6_addr, 16); > - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); > - memcpy(&pfr.rule.dst.addr.v.a.addr.v6, > - &satosin6(dst)->sin6_addr.s6_addr, 16); > - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); > - } > - pfr.rule.dst.port_op = PF_OP_EQ; > - pfr.rule.dst.port[0] = htons(d_port); > - > - switch (rs_num) { > - case PF_RULESET_FILTER: > - /* > - * pass [quick] [log] inet[6] proto tcp \ > - * from $src to $dst port = $d_port flags S/SA keep state > - * (max 1) [queue qname] [tag tagname] > - */ > - pfr.rule.action = PF_PASS; > - pfr.rule.quick = 1; > - pfr.rule.log = rule_log; > - pfr.rule.keep_state = 1; > - pfr.rule.flags = TH_SYN; > - pfr.rule.flagset = (TH_SYN|TH_ACK); > - pfr.rule.max_states = 1; > - if (qname != NULL) > - strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); > - if (tagname != NULL) { > - pfr.rule.quick = 0; > - strlcpy(pfr.rule.tagname, tagname, > - sizeof pfr.rule.tagname); > - } > - break; > - case PF_RULESET_NAT: > - /* > - * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat > - */ > - pfr.rule.action = PF_NAT; > - break; > - case PF_RULESET_RDR: > - /* > - * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr > - */ > - pfr.rule.action = PF_RDR; > - break; > - default: > - errno = EINVAL; > - return (-1); > - } > - > - return (0); > -} > - > -int > -server_lookup(struct sockaddr *client, struct sockaddr *proxy, > - struct sockaddr *server) > -{ > - 
if (client->sa_family == AF_INET) > - return (server_lookup4(satosin(client), satosin(proxy), > - satosin(server))); > - > - if (client->sa_family == AF_INET6) > - return (server_lookup6(satosin6(client), satosin6(proxy), > - satosin6(server))); > - > - errno = EPROTONOSUPPORT; > - return (-1); > -} > - > -int > -server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy, > - struct sockaddr_in *server) > -{ > - struct pfioc_natlook pnl; > - > - memset(&pnl, 0, sizeof pnl); > - pnl.direction = PF_OUT; > - pnl.af = AF_INET; > - pnl.proto = IPPROTO_TCP; > - memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4); > - memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4); > - pnl.sport = client->sin_port; > - pnl.dport = proxy->sin_port; > - > - if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) > - return (-1); > - > - memset(server, 0, sizeof(struct sockaddr_in)); > - server->sin_len = sizeof(struct sockaddr_in); > - server->sin_family = AF_INET; > - memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4, > - sizeof server->sin_addr.s_addr); > - server->sin_port = pnl.rdport; > > *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** > > -- Rod Grimes rgrimes@freebsd.org
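Review bot: the Log section of the quoted commit message does not account for everything in the Deleted list. Besides sys/netpfil/pf and sbin/pfctl it removes authpf, ftp-proxy, tftp-proxy, pflogd, the pf libevent copy, the pf/pflog/pfsync module Makefiles and tcpdump's print-pflog.c and print-pfsync.c, and the one-line "Users are advised to migrate to ipf" offers no replacement for any of those tools or for pflog/pfsync capture. Suggest naming the removed userland programs and their replacements (or the absence of one) in the log message and landing a deprecation notice ahead of the removal, since the message itself carries no gone_in warning. The subject line likewise lists only contrib/pf, sys/netpfil/pf and sbin/pfctl while the change also touches contrib/tcpdump and sys/modules, and "New Revision: 345760" disagrees with the URL, which points at changeset/base/345625; one of the two is wrong.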
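Review bot: the attached diff is not the diff of r345760. Every file header reads "(revision 345223)" against "(working copy)", so it was taken from a local tree against an older base, and it stops at "*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***" inside server_lookup4() in contrib/pf/ftp-proxy/filter.c, so the remaining ftp-proxy, pflogd, tftp-proxy, sbin/pfctl, sys/modules and sys/netpfil/pf deletions named under Deleted: cannot be reviewed from this mail. The complete diff should be regenerated against r345760 and attached or linked, so that reviewers can confirm that anything still referencing the removed files (the module Makefiles and the tcpdump printers are in the list, but whatever builds or includes them is not visible here) was updated in the same commit.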