Author: mlaier
Date: Tue Aug 18 16:13:59 2009
New Revision: 196360
URL: http://svn.freebsd.org/changeset/base/196360
Log:
eri@ wants to start on porting the latest pf in his user space so we can
finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help
with that.
Added:
vendor/pf/dist/man/pflow.4
Modified:
vendor/pf/dist/authpf/Makefile
vendor/pf/dist/authpf/authpf.8
vendor/pf/dist/authpf/authpf.c
vendor/pf/dist/authpf/pathnames.h
vendor/pf/dist/ftp-proxy/Makefile
vendor/pf/dist/ftp-proxy/filter.c
vendor/pf/dist/ftp-proxy/filter.h
vendor/pf/dist/ftp-proxy/ftp-proxy.8
vendor/pf/dist/ftp-proxy/ftp-proxy.c
vendor/pf/dist/libevent/buffer.c
vendor/pf/dist/libevent/evbuffer.c
vendor/pf/dist/libevent/event-internal.h
vendor/pf/dist/libevent/event.c
vendor/pf/dist/libevent/event.h
vendor/pf/dist/libevent/evsignal.h
vendor/pf/dist/libevent/kqueue.c
vendor/pf/dist/libevent/log.c
vendor/pf/dist/libevent/log.h
vendor/pf/dist/libevent/poll.c
vendor/pf/dist/libevent/select.c
vendor/pf/dist/libevent/signal.c
vendor/pf/dist/man/pf.4
vendor/pf/dist/man/pf.conf.5
vendor/pf/dist/man/pf.os.5
vendor/pf/dist/man/pflog.4
vendor/pf/dist/man/pfsync.4
vendor/pf/dist/pfctl/Makefile
vendor/pf/dist/pfctl/parse.y
vendor/pf/dist/pfctl/pf_print_state.c
vendor/pf/dist/pfctl/pfctl.8
vendor/pf/dist/pfctl/pfctl.c
vendor/pf/dist/pfctl/pfctl.h
vendor/pf/dist/pfctl/pfctl_altq.c
vendor/pf/dist/pfctl/pfctl_optimize.c
vendor/pf/dist/pfctl/pfctl_osfp.c
vendor/pf/dist/pfctl/pfctl_parser.c
vendor/pf/dist/pfctl/pfctl_parser.h
vendor/pf/dist/pfctl/pfctl_qstats.c
vendor/pf/dist/pfctl/pfctl_radix.c
vendor/pf/dist/pfctl/pfctl_table.c
vendor/pf/dist/pflogd/Makefile
vendor/pf/dist/pflogd/pflogd.8
vendor/pf/dist/pflogd/pflogd.c
vendor/pf/dist/pflogd/pflogd.h
vendor/pf/dist/pflogd/privsep.c
vendor/pf/dist/pflogd/privsep_fdpass.c
vendor/pf/dist/tftp-proxy/Makefile
vendor/pf/dist/tftp-proxy/filter.c
vendor/pf/dist/tftp-proxy/filter.h
vendor/pf/dist/tftp-proxy/tftp-proxy.8
vendor/pf/dist/tftp-proxy/tftp-proxy.c
Changes in other areas also in this revision:
Added:
vendor-sys/pf/dist/net/if_pflow.c
vendor-sys/pf/dist/net/if_pflow.h
vendor-sys/pf/dist/net/pf_lb.c
Modified:
vendor-sys/pf/dist/net/if_pflog.c
vendor-sys/pf/dist/net/if_pflog.h
vendor-sys/pf/dist/net/if_pfsync.c
vendor-sys/pf/dist/net/if_pfsync.h
vendor-sys/pf/dist/net/pf.c
vendor-sys/pf/dist/net/pf_if.c
vendor-sys/pf/dist/net/pf_ioctl.c
vendor-sys/pf/dist/net/pf_norm.c
vendor-sys/pf/dist/net/pf_osfp.c
vendor-sys/pf/dist/net/pf_ruleset.c
vendor-sys/pf/dist/net/pf_table.c
vendor-sys/pf/dist/net/pfvar.h
vendor-sys/pf/dist/netinet/in4_cksum.c
Modified: vendor/pf/dist/authpf/Makefile
==============================================================================
--- vendor/pf/dist/authpf/Makefile Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/authpf/Makefile Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
+# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
PROG= authpf
MAN= authpf.8
Modified: vendor/pf/dist/authpf/authpf.8
==============================================================================
--- vendor/pf/dist/authpf/authpf.8 Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/authpf/authpf.8 Tue Aug 18 16:13:59 2009
(r196360)
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 14 2008 $
+.Dd $Mdocdate: March 18 2008 $
.Dt AUTHPF 8
.Os
.Sh NAME
@@ -202,6 +202,9 @@ It is also possible to configure
to only allow specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
+A group of users can also be indicated by prepending "%" to the group name,
+and all members of a login class can be indicated by prepending "@" to the
+login class name.
If "*" is found on a line, then all usernames match.
If
.Nm
@@ -314,7 +317,8 @@ They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
-which lists their login ids, one per line.
+which lists their login ids, group prepended with "%", or login class
+prepended with "@", one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.
Modified: vendor/pf/dist/authpf/authpf.c
==============================================================================
--- vendor/pf/dist/authpf/authpf.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/authpf/authpf.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (b...@openbsd.org).
@@ -32,6 +32,7 @@
#include <errno.h>
#include <login_cap.h>
#include <pwd.h>
+#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@@ -43,7 +44,7 @@
static int read_config(FILE *);
static void print_message(char *);
-static int allowed_luser(char *);
+static int allowed_luser(struct passwd *);
static int check_luser(char *, char *);
static int remove_stale_rulesets(void);
static int recursive_ruleset_purge(char *, char *);
@@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "au
int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
+int pidfd = -1;
char luser[MAXLOGNAME]; /* username */
char ipsrc[256]; /* ip as a string */
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@@ -78,7 +80,7 @@ extern char *__progname; /* program name
int
main(int argc, char *argv[])
{
- int lockcnt = 0, n, pidfd;
+ int lockcnt = 0, n;
FILE *config;
struct in6_addr ina;
struct passwd *pw;
@@ -93,7 +95,7 @@ main(int argc, char *argv[])
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
- syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
+ syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
exit(1);
}
@@ -186,6 +188,14 @@ main(int argc, char *argv[])
goto die;
}
+ signal(SIGTERM, need_death);
+ signal(SIGINT, need_death);
+ signal(SIGALRM, need_death);
+ signal(SIGPIPE, need_death);
+ signal(SIGHUP, need_death);
+ signal(SIGQUIT, need_death);
+ signal(SIGTSTP, need_death);
+
/*
* If someone else is already using this ip, then this person
* wants to switch users - so kill the old process and exit
@@ -239,15 +249,17 @@ main(int argc, char *argv[])
}
/*
- * we try to kill the previous process and acquire the lock
+ * We try to kill the previous process and acquire the lock
* for 10 seconds, trying once a second. if we can't after
- * 10 attempts we log an error and give up
+ * 10 attempts we log an error and give up.
*/
- if (++lockcnt > 10) {
- syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
- otherpid);
+ if (want_death || ++lockcnt > 10) {
+ if (!want_death)
+ syslog(LOG_ERR, "cannot kill previous authpf
(pid %d)",
+ otherpid);
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
goto dogdeath;
}
sleep(1);
@@ -258,6 +270,7 @@ main(int argc, char *argv[])
*/
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
} while (1);
/* whack the group list */
@@ -275,7 +288,7 @@ main(int argc, char *argv[])
}
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
}
@@ -306,13 +319,6 @@ main(int argc, char *argv[])
do_death(0);
}
- signal(SIGTERM, need_death);
- signal(SIGINT, need_death);
- signal(SIGALRM, need_death);
- signal(SIGPIPE, need_death);
- signal(SIGHUP, need_death);
- signal(SIGQUIT, need_death);
- signal(SIGTSTP, need_death);
while (1) {
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@@ -434,6 +440,7 @@ print_message(char *filename)
* allowed_luser checks to see if user "luser" is allowed to
* use this gateway by virtue of being listed in an allowed
* users file, namely /etc/authpf/authpf.allow .
+ * Users may be listed by <username>, %<group>, or @<login_class>.
*
* If /etc/authpf/authpf.allow does not exist, then we assume that
* all users who are allowed in by sshd(8) are permitted to
@@ -442,7 +449,7 @@ print_message(char *filename)
* the session terminates in the same manner as being banned.
*/
static int
-allowed_luser(char *luser)
+allowed_luser(struct passwd *pw)
{
char *buf, *lbuf;
int matched;
@@ -474,8 +481,14 @@ allowed_luser(char *luser)
* "public" gateway, such as it is, so let
* everyone use it.
*/
+ int gl_init = 0, ngroups = NGROUPS + 1;
+ gid_t groups[NGROUPS + 1];
+
lbuf = NULL;
+ matched = 0;
+
while ((buf = fgetln(f, &len))) {
+
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
else {
@@ -486,7 +499,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
- matched = strcmp(luser, buf) == 0 || strcmp("*", buf)
== 0;
+ if (buf[0] == '@') {
+ /* check login class */
+ if (strcmp(pw->pw_class, buf + 1) == 0)
+ matched++;
+ } else if (buf[0] == '%') {
+ /* check group membership */
+ int cnt;
+ struct group *group;
+
+ if ((group = getgrnam(buf + 1)) == NULL) {
+ syslog(LOG_ERR,
+ "invalid group '%s' in %s (%s)",
+ buf + 1, PATH_ALLOWFILE,
+ strerror(errno));
+ return (0);
+ }
+
+ if (!gl_init) {
+ (void) getgrouplist(pw->pw_name,
+ pw->pw_gid, groups, &ngroups);
+ gl_init++;
+ }
+
+ for ( cnt = 0; cnt < ngroups; cnt++) {
+ if (group->gr_gid == groups[cnt]) {
+ matched++;
+ break;
+ }
+ }
+ } else {
+ /* check username and wildcard */
+ matched = strcmp(pw->pw_name, buf) == 0 ||
+ strcmp("*", buf) == 0;
+ }
if (lbuf != NULL) {
free(lbuf);
@@ -494,10 +540,10 @@ allowed_luser(char *luser)
}
if (matched)
- return (1); /* matched an allowed username */
+ return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
- luser, PATH_ALLOWFILE);
+ pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
buf = "\n\nSorry, you are not allowed to use this facility!\n";
@@ -878,7 +924,7 @@ do_death(int active)
authpf_kill_states();
}
}
- if (pidfile[0] && (pidfp != NULL))
+ if (pidfile[0] && pidfd != -1)
if (unlink(pidfile) == -1)
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
Modified: vendor/pf/dist/authpf/pathnames.h
==============================================================================
--- vendor/pf/dist/authpf/pathnames.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/authpf/pathnames.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckue...@ualberta.ca)
Modified: vendor/pf/dist/ftp-proxy/Makefile
==============================================================================
--- vendor/pf/dist/ftp-proxy/Makefile Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/ftp-proxy/Makefile Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+# $OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $
PROG= ftp-proxy
SRCS= ftp-proxy.c filter.c
Modified: vendor/pf/dist/ftp-proxy/filter.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/filter.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/ftp-proxy/filter.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <c...@sentia.nl>
Modified: vendor/pf/dist/ftp-proxy/filter.h
==============================================================================
--- vendor/pf/dist/ftp-proxy/filter.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/ftp-proxy/filter.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
+/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <c...@sentia.nl>
Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.8
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.8 Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.8 Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <c...@sentia.nl>
.\"
Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <c...@sentia.nl>
Modified: vendor/pf/dist/libevent/buffer.c
==============================================================================
--- vendor/pf/dist/libevent/buffer.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/buffer.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2002, 2003 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
@@ -62,7 +64,7 @@ struct evbuffer *
evbuffer_new(void)
{
struct evbuffer *buffer;
-
+
buffer = calloc(1, sizeof(struct evbuffer));
return (buffer);
@@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer)
free(buffer);
}
-/*
+/*
* This is a destructive add. The data from one buffer moves into
* the other buffer.
*/
@@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *out
SWAP(outbuf, inbuf);
SWAP(inbuf, &tmp);
- /*
+ /*
* Optimization comes with a price; we need to notify the
* buffer if necessary of the changes. oldoff is the amount
- * of data that we transfered from inbuf to outbuf
+ * of data that we transferred from inbuf to outbuf
*/
if (inbuf->off != oldoff && inbuf->cb != NULL)
(*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg);
if (oldoff && outbuf->cb != NULL)
(*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg);
-
+
return (0);
}
@@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, vo
memcpy(data, buf->buffer, nread);
evbuffer_drain(buf, nread);
-
+
return (nread);
}
@@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int
if (n < EVBUFFER_MAX_READ)
n = EVBUFFER_MAX_READ;
}
-#endif
+#endif
if (howmuch < 0 || howmuch > n)
howmuch = n;
Modified: vendor/pf/dist/libevent/evbuffer.c
==============================================================================
--- vendor/pf/dist/libevent/evbuffer.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/evbuffer.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2002-2004 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
@@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int ti
return (event_add(ev, ptv));
}
-/*
+/*
* This callback is executed when the size of the input buffer changes.
* We use it to apply back pressure on the reading side.
*/
@@ -73,7 +75,7 @@ void
bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now,
void *arg) {
struct bufferevent *bufev = arg;
- /*
+ /*
* If we are below the watermark then reschedule reading if it's
* still enabled.
*/
@@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *buf
*/
int
-bufferevent_write(struct bufferevent *bufev, void *data, size_t size)
+bufferevent_write(struct bufferevent *bufev, const void *data, size_t size)
{
int res;
Modified: vendor/pf/dist/libevent/event-internal.h
==============================================================================
--- vendor/pf/dist/libevent/event-internal.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/event-internal.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $
*/
+
/*
* Copyright (c) 2000-2004 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
Modified: vendor/pf/dist/libevent/event.c
==============================================================================
--- vendor/pf/dist/libevent/event.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/event.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
@@ -38,7 +40,7 @@
#include <sys/tree.h>
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
-#else
+#else
#include <sys/_time.h>
#endif
#include <sys/queue.h>
@@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeo
RB_GENERATE(event_tree, event, ev_timeout_node, compare);
-void *
+struct event_base *
event_init(void)
{
int i;
@@ -194,13 +196,13 @@ event_init(void)
detect_monotonic();
gettime(&base->event_tv);
-
+
RB_INIT(&base->timetree);
TAILQ_INIT(&base->eventqueue);
TAILQ_INIT(&base->sig.signalqueue);
base->sig.ev_signal_pair[0] = -1;
base->sig.ev_signal_pair[1] = -1;
-
+
base->evbase = NULL;
for (i = 0; eventops[i] && !base->evbase; i++) {
base->evsel = eventops[i];
@@ -321,7 +323,7 @@ event_process_active(struct event_base *
for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) {
event_queue_remove(base, ev, EVLIST_ACTIVE);
-
+
/* Allows deletes to work */
ncalls = ev->ev_ncalls;
ev->ev_pncalls = &ncalls;
@@ -430,7 +432,7 @@ event_base_loop(struct event_base *base,
*/
timerclear(&tv);
}
-
+
/* If we have no events, we just exit */
if (!event_haveevents(base)) {
event_debug(("%s: no events registered.", __func__));
@@ -439,7 +441,6 @@ event_base_loop(struct event_base *base,
res = evsel->dispatch(base, evbase, tv_p);
-
if (res == -1)
return (-1);
@@ -652,7 +653,7 @@ event_add(struct event *ev, struct timev
/* Abort loop */
*ev->ev_pncalls = 0;
}
-
+
event_queue_remove(base, ev, EVLIST_ACTIVE);
}
@@ -913,10 +914,10 @@ event_queue_insert(struct event_base *ba
const char *
event_get_version(void)
{
- return (VERSION);
+ return (LIBEVENT_VERSION);
}
-/*
+/*
* No thread-safe interface needed - the information should be the same
* for all threads.
*/
Modified: vendor/pf/dist/libevent/event.h
==============================================================================
--- vendor/pf/dist/libevent/event.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/event.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
@@ -43,6 +45,8 @@ typedef unsigned char u_char;
typedef unsigned short u_short;
#endif
+#define LIBEVENT_VERSION "1.3e"
+
#define EVLIST_TIMEOUT 0x01
#define EVLIST_INSERTED 0x02
#define EVLIST_SIGNAL 0x04
@@ -141,7 +145,7 @@ struct eventop {
void (*dealloc)(struct event_base *, void *);
};
-void *event_init(void);
+struct event_base *event_init(void);
int event_dispatch(void);
int event_base_dispatch(struct event_base *);
void event_base_free(struct event_base *);
@@ -169,12 +173,6 @@ int event_base_loopexit(struct event_bas
#define evtimer_pending(ev, tv) event_pending(ev, EV_TIMEOUT,
tv)
#define evtimer_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
-#define timeout_add(ev, tv) event_add(ev, tv)
-#define timeout_set(ev, cb, arg) event_set(ev, -1, 0, cb, arg)
-#define timeout_del(ev) event_del(ev)
-#define timeout_pending(ev, tv) event_pending(ev, EV_TIMEOUT,
tv)
-#define timeout_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
-
#define signal_add(ev, tv) event_add(ev, tv)
#define signal_set(ev, x, cb, arg) \
event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg)
@@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int
int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev);
int bufferevent_priority_set(struct bufferevent *bufev, int pri);
void bufferevent_free(struct bufferevent *bufev);
-int bufferevent_write(struct bufferevent *bufev, void *data, size_t size);
+int bufferevent_write(struct bufferevent *bufev,
+ const void *data, size_t size);
int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf);
size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size);
int bufferevent_enable(struct bufferevent *bufev, short event);
@@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int
u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t);
void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t,
size_t, void *), void *);
-/*
+/*
* Marshaling tagged data - We assume that all tags are inserted in their
* numeric order - so that unknown tags will always be higher than the
* known ones - and we can just ignore the end of an event buffer.
Modified: vendor/pf/dist/libevent/evsignal.h
==============================================================================
--- vendor/pf/dist/libevent/evsignal.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/evsignal.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $ */
+
/*
* Copyright 2000-2002 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
Modified: vendor/pf/dist/libevent/kqueue.c
==============================================================================
--- vendor/pf/dist/libevent/kqueue.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/kqueue.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $ */
+/* $OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $ */
/*
* Copyright 2000-2002 Niels Provos <pro...@citi.umich.edu>
@@ -97,14 +97,14 @@ kq_init(struct event_base *base)
struct kqop *kqueueop;
/* Disable kqueue when this environment variable is set */
- if (getenv("EVENT_NOKQUEUE"))
+ if (!issetugid() && getenv("EVENT_NOKQUEUE"))
return (NULL);
if (!(kqueueop = calloc(1, sizeof(struct kqop))))
return (NULL);
/* Initalize the kernel queue */
-
+
if ((kq = kqueue()) == -1) {
event_warn("kqueue");
free (kqueueop);
@@ -114,12 +114,12 @@ kq_init(struct event_base *base)
kqueueop->kq = kq;
/* Initalize fields */
- kqueueop->changes = malloc(NEVENT * sizeof(struct kevent));
+ kqueueop->changes = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->changes == NULL) {
free (kqueueop);
return (NULL);
}
- kqueueop->events = malloc(NEVENT * sizeof(struct kevent));
+ kqueueop->events = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->events == NULL) {
free (kqueueop->changes);
free (kqueueop);
@@ -131,7 +131,7 @@ kq_init(struct event_base *base)
kqueueop->changes[0].ident = -1;
kqueueop->changes[0].filter = EVFILT_READ;
kqueueop->changes[0].flags = EV_ADD;
- /*
+ /*
* If kqueue works, then kevent will succeed, and it will
* stick an error in events[0]. If kqueue is broken, then
* kevent will fail.
@@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct keve
memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent));
event_debug(("%s: fd %d %s%s",
- __func__, kev->ident,
+ __func__, kev->ident,
kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE",
kev->flags == EV_DELETE ? " (del)" : ""));
@@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, voi
int which = 0;
if (events[i].flags & EV_ERROR) {
- /*
+ /*
* Error messages that can happen, when a delete fails.
* EBADF happens when the file discriptor has been
* closed,
@@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = nsignal;
kev.filter = EVFILT_SIGNAL;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_READ;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_WRITE;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
Modified: vendor/pf/dist/libevent/log.c
==============================================================================
--- vendor/pf/dist/libevent/log.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/log.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $ */
/*
* log.c
@@ -102,7 +102,7 @@ void
event_err(int eval, const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, errno, fmt, ap);
va_end(ap);
@@ -113,7 +113,7 @@ void
event_warn(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, errno, fmt, ap);
va_end(ap);
@@ -123,7 +123,7 @@ void
event_errx(int eval, const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, -1, fmt, ap);
va_end(ap);
@@ -134,7 +134,7 @@ void
event_warnx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, -1, fmt, ap);
va_end(ap);
@@ -144,7 +144,7 @@ void
event_msgx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_MSG, -1, fmt, ap);
va_end(ap);
@@ -154,7 +154,7 @@ void
_event_debugx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap);
va_end(ap);
Modified: vendor/pf/dist/libevent/log.h
==============================================================================
--- vendor/pf/dist/libevent/log.h Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/log.h Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,3 +1,5 @@
+/* $OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <pro...@citi.umich.edu>
* All rights reserved.
Modified: vendor/pf/dist/libevent/poll.c
==============================================================================
--- vendor/pf/dist/libevent/poll.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/poll.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $ */
/*
* Copyright 2000-2003 Niels Provos <pro...@citi.umich.edu>
@@ -89,7 +89,7 @@ poll_init(struct event_base *base)
struct pollop *pollop;
/* Disable poll when this environment variable is set */
- if (getenv("EVENT_NOPOLL"))
+ if (!issetugid() && getenv("EVENT_NOPOLL"))
return (NULL);
if (!(pollop = calloc(1, sizeof(struct pollop))))
@@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, v
for (i = 0; i < nfds; i++) {
int what = pop->event_set[i].revents;
struct event *r_ev = NULL, *w_ev = NULL;
+
if (!what)
continue;
@@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev)
--pop->nfds;
if (i != pop->nfds) {
- /*
+ /*
* Shift the last pollfd down into the now-unoccupied
* position.
*/
Modified: vendor/pf/dist/libevent/select.c
==============================================================================
--- vendor/pf/dist/libevent/select.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/select.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <pro...@citi.umich.edu>
@@ -96,7 +96,7 @@ select_init(struct event_base *base)
struct selectop *sop;
/* Disable select when this environment variable is set */
- if (getenv("EVENT_NOSELECT"))
+ if (!issetugid() && getenv("EVENT_NOSELECT"))
return (NULL);
if (!(sop = calloc(1, sizeof(struct selectop))))
Modified: vendor/pf/dist/libevent/signal.c
==============================================================================
--- vendor/pf/dist/libevent/signal.c Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/libevent/signal.c Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <pro...@citi.umich.edu>
@@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *ar
void
evsignal_init(struct event_base *base)
{
- /*
+ /*
* Our signal handler is going to write to one end of the socket
* pair to wake up our event loop. The event loop then scans for
* signals that got delivered.
Modified: vendor/pf/dist/man/pf.4
==============================================================================
--- vendor/pf/dist/man/pf.4 Tue Aug 18 14:00:25 2009 (r196359)
+++ vendor/pf/dist/man/pf.4 Tue Aug 18 16:13:59 2009 (r196360)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
+.\" $OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: September 4 2008 $
.Dt PF 4
.Os
.Sh NAME
@@ -1050,12 +1050,14 @@ internal interface description.
The filtering process is the same as for
.Dv DIOCIGETIFACES .
.Bd -literal
-#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
+#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
.Ed
.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
Works as
.Dv DIOCSETIFFLAG
above but clears the flags.
+.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
+Explicitly remove source tracking nodes.
.El
.Sh FILES
.Bl -tag -width /dev/pf -compact
@@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
.Xr ioctl 2 ,
.Xr bridge 4 ,
.Xr pflog 4 ,
+.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr pfctl 8 ,
.Xr altq 9
Modified: vendor/pf/dist/man/pf.conf.5
==============================================================================
--- vendor/pf/dist/man/pf.conf.5 Tue Aug 18 14:00:25 2009
(r196359)
+++ vendor/pf/dist/man/pf.conf.5 Tue Aug 18 16:13:59 2009
(r196360)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: June 10 2008 $
+.Dd $Mdocdate: October 2 2008 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -517,6 +517,16 @@ For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
+.It Ar set state-defaults
+The
+.Ar state-defaults
+option sets the state options for states created from rules
+without an explicit
+.Ar keep state .
+For example:
+.Bd -literal -offset indent
+set state-defaults pflow, no-sync
+.Ed
.It Ar set hostid
The 32-bit
.Ar hostid
@@ -901,7 +911,7 @@ Defines a list of subqueues to create on
.El
.Pp
In the following example, the interface dc0
-should queue up to 5 Mbit/s in four second-level queues using
+should queue up to 5Mbps in four second-level queues using
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
@@ -1488,7 +1498,7 @@ Translates to the network(s) attached to
.It Ar :broadcast
Translates to the interface's broadcast address(es).
.It Ar :peer
-Translates to the point to point interface's peer address(es).
+Translates to the point-to-point interface's peer address(es).
.It Ar :0
Do not include interface aliases.
.El
@@ -2098,6 +2108,10 @@ easier.
This is intended to be used in situations where one does not see all
packets of a connection, e.g. in asymmetric routing situations.
Cannot be used with modulate or synproxy state.
+.It Ar pflow
+States created by this rule are exported on the
+.Xr pflow 4
+interface.
.El
.Pp
Multiple options can be specified, separated by commas:
@@ -2821,6 +2835,7 @@ option = "set" ( [ "timeout" ( t
[ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
+ [ "state-defaults" state-opts ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ifspec ] |
@@ -2963,7 +2978,7 @@ tos = ( "lowdelay" | "through
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
-state-opt = ( "max" number | "no-sync" | timeout | sloppy |
+state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
"source-track" [ ( "rule" | "global" ) ] |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
@@ -3026,6 +3041,7 @@ Service name database.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr pf 4 ,
+.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr route 4 ,
.Xr tcp 4 ,
Modified: vendor/pf/dist/man/pf.os.5
==============================================================================
--- vendor/pf/dist/man/pf.os.5 Tue Aug 18 14:00:25 2009 (r196359)
+++ vendor/pf/dist/man/pf.os.5 Tue Aug 18 16:13:59 2009 (r196360)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
+.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frant...@w4g.org>
.\"
Modified: vendor/pf/dist/man/pflog.4
==============================================================================
--- vendor/pf/dist/man/pflog.4 Tue Aug 18 14:00:25 2009 (r196359)
+++ vendor/pf/dist/man/pflog.4 Tue Aug 18 16:13:59 2009 (r196360)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
+.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
Added: vendor/pf/dist/man/pflow.4
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ vendor/pf/dist/man/pflow.4 Tue Aug 18 16:13:59 2009 (r196360)
@@ -0,0 +1,113 @@
+.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
+.\"
+.\" Copyright (c) 2008 Henning Brauer <henn...@openbsd.org>
+.\" Copyright (c) 2008 Joerg Goltermann <j...@osn.de>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 28 2008 $
+.Dt PFLOW 4
+.Os
+.Sh NAME
+.Nm pflow
+.Nd kernel interface for pflow data export
+.Sh SYNOPSIS
+.Cd "pseudo-device pflow"
+.Sh DESCRIPTION
+The
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
