[src/trunk]: src merge after importing pf from openbsd 3.6. (userland part)
details: https://anonhg.NetBSD.org/src/rev/6fdecc5735f1
branches: trunk
changeset: 571222:6fdecc5735f1
user: yamt <yamt%NetBSD.org@localhost>
date: Sun Nov 14 11:26:43 2004 +0000
description:
merge after importing pf from openbsd 3.6. (userland part)
some files were imported to different places than in the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5
diffstat:
dist/pf/etc/pf.conf | 1 +
dist/pf/etc/pf.os | 1 +
dist/pf/etc/spamd.conf | 1 +
dist/pf/libexec/ftp-proxy/ftp-proxy.8 | 21 +-
dist/pf/libexec/ftp-proxy/ftp-proxy.c | 88 +-
dist/pf/libexec/ftp-proxy/ipf.c | 18 +-
dist/pf/libexec/ftp-proxy/util.c | 19 +-
dist/pf/libexec/ftp-proxy/util.h | 7 +-
dist/pf/libexec/spamd-setup/spamd-setup.c | 9 +-
dist/pf/libexec/spamd/grey.c | 55 +-
dist/pf/libexec/spamd/spamd.c | 97 +-
dist/pf/libexec/spamlogd/spamlogd.8 | 34 +-
dist/pf/libexec/spamlogd/spamlogd.c | 14 +-
dist/pf/sbin/pfctl/parse.y | 222 +-
dist/pf/sbin/pfctl/pfctl.8 | 257 +-
dist/pf/sbin/pfctl/pfctl.c | 439 +--
dist/pf/sbin/pfctl/pfctl.h | 17 +-
dist/pf/sbin/pfctl/pfctl_altq.c | 57 +-
dist/pf/sbin/pfctl/pfctl_optimize.c | 3 +-
dist/pf/sbin/pfctl/pfctl_osfp.c | 8 +-
dist/pf/sbin/pfctl/pfctl_parser.c | 117 +-
dist/pf/sbin/pfctl/pfctl_parser.h | 48 +-
dist/pf/sbin/pfctl/pfctl_qstats.c | 10 +-
dist/pf/sbin/pfctl/pfctl_radix.c | 44 +-
dist/pf/sbin/pfctl/pfctl_table.c | 42 +-
dist/pf/share/man/man4/pf.4 | 1 +
dist/pf/share/man/man4/pflog.4 | 1 +
dist/pf/share/man/man5/pf.conf.5 | 1 +
dist/pf/share/man/man5/pf.os.5 | 1 +
dist/pf/share/man/man5/spamd.conf.5 | 1 +
dist/pf/usr.sbin/authpf/Makefile | 15 +-
dist/pf/usr.sbin/authpf/authpf.8 | 64 +-
dist/pf/usr.sbin/authpf/authpf.c | 429 +--
dist/pf/usr.sbin/authpf/pathnames.h | 5 +-
etc/Makefile | 4 +-
etc/pf.conf | 30 -
etc/pf.os | 643 -------
etc/spamd.conf | 87 -
share/man/man4/Makefile | 5 +-
share/man/man4/pf.4 | 1115 ------------
share/man/man4/pflog.4 | 90 -
share/man/man5/Makefile | 5 +-
share/man/man5/pf.conf.5 | 2661 -----------------------------
share/man/man5/pf.os.5 | 243 --
share/man/man5/spamd.conf.5 | 191 --
share/pf/Makefile | 14 -
share/pf/ackpri | 32 -
share/pf/faq-example1 | 47 -
share/pf/faq-example2 | 88 -
share/pf/faq-example3 | 118 -
share/pf/queue1 | 22 -
share/pf/queue2 | 28 -
share/pf/queue3 | 15 -
share/pf/queue4 | 19 -
share/pf/spamd | 7 -
usr.sbin/pf/Makefile | 5 +-
usr.sbin/pf/Makefile.inc | 7 +-
usr.sbin/pf/authpf/Makefile | 15 +-
usr.sbin/pf/etc/Makefile | 14 +
usr.sbin/pf/man/Makefile | 5 +
usr.sbin/pf/man/man4/Makefile | 9 +
usr.sbin/pf/man/man5/Makefile | 11 +
usr.sbin/pf/pfctl/Makefile | 5 +-
63 files changed, 1169 insertions(+), 6513 deletions(-)
diffs (truncated from 10076 to 300 lines):
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/etc/pf.conf
--- a/dist/pf/etc/pf.conf Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/etc/pf.conf Sun Nov 14 11:26:43 2004 +0000
@@ -1,3 +1,4 @@
+# $NetBSD: pf.conf,v 1.2 2004/11/14 11:26:47 yamt Exp $
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/etc/pf.os
--- a/dist/pf/etc/pf.os Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/etc/pf.os Sun Nov 14 11:26:43 2004 +0000
@@ -1,3 +1,4 @@
+# $NetBSD: pf.os,v 1.2 2004/11/14 11:26:47 yamt Exp $
# $OpenBSD: pf.os,v 1.17 2004/04/28 01:01:27 deraadt Exp $
# passive OS fingerprinting
# -------------------------
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/etc/spamd.conf
--- a/dist/pf/etc/spamd.conf Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/etc/spamd.conf Sun Nov 14 11:26:43 2004 +0000
@@ -1,3 +1,4 @@
+# $NetBSD: spamd.conf,v 1.2 2004/11/14 11:26:47 yamt Exp $
# $OpenBSD: spamd.conf,v 1.9 2004/01/21 08:07:39 deraadt Exp $
#
# spamd config file, read by spamd-setup(8) for spamd(8)
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/libexec/ftp-proxy/ftp-proxy.8
--- a/dist/pf/libexec/ftp-proxy/ftp-proxy.8 Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/libexec/ftp-proxy/ftp-proxy.8 Sun Nov 14 11:26:43 2004 +0000
@@ -1,5 +1,5 @@
-.\" $NetBSD: ftp-proxy.8,v 1.4 2004/06/30 13:29:43 darrenr Exp $
-.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $
+.\" $NetBSD: ftp-proxy.8,v 1.5 2004/11/14 11:26:47 yamt Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.41 2004/07/06 19:49:11 dhartmei Exp $
.\"
.\" Copyright (c) 1996-2001
.\" Obtuse Systems Corporation, All rights reserved.
@@ -53,6 +53,8 @@
.Op Fl g Ar group
.Op Fl M Ar maxport
.Op Fl m Ar minport
+.Op Fl R Ar address[:port]
+.Op Fl S Ar address
.Op Fl t Ar timeout
.Op Fl u Ar user
.Sh DESCRIPTION
@@ -163,6 +165,21 @@
lookups for logging and libwrap use.
By default,
the proxy does not look up hostnames for libwrap or logging purposes.
+.It Fl R Ar address:[port]
+Reverse proxy mode for FTP servers running behind a NAT gateway.
+In this mode, no redirection is needed.
+The proxy is run from
+.Xr inetd 8
+on the port that external clients connect to (usually 21).
+Control connections and passive data connections are forwarded
+to the server.
+.It Fl S Ar address
+Source address to use for data connections made by the proxy.
+Useful when there are multiple addresses (aliases) available
+to the proxy.
+Clients may expect data connections to have the same source
+address as the control connections, and reject or drop other
+connections.
.It Fl t Ar timeout
Specifies a timeout, in seconds.
The proxy will exit and close open connections if it sees no data
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/libexec/ftp-proxy/ftp-proxy.c
--- a/dist/pf/libexec/ftp-proxy/ftp-proxy.c Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/libexec/ftp-proxy/ftp-proxy.c Sun Nov 14 11:26:43 2004 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: ftp-proxy.c,v 1.6 2004/11/11 09:50:00 yamt Exp $ */
-/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */
+/* $NetBSD: ftp-proxy.c,v 1.7 2004/11/14 11:26:47 yamt Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.37 2004/07/11 01:54:36 brad Exp $ */
/*
* Copyright (c) 1996-2001
@@ -129,6 +129,8 @@
struct sockaddr_in real_server_sa;
struct sockaddr_in client_listen_sa;
struct sockaddr_in server_listen_sa;
+struct sockaddr_in proxy_sa;
+struct in_addr src_addr;
int client_listen_socket = -1; /* Only used in PASV mode */
int client_data_socket = -1; /* Connected socket to real client */
@@ -139,6 +141,7 @@
int AnonFtpOnly;
int Verbose;
int NatMode;
+int ReverseMode;
char ClientName[NI_MAXHOST];
char RealServerName[NI_MAXHOST];
@@ -174,10 +177,12 @@
{
syslog(LOG_NOTICE,
"usage: %s -i [-AnrVw] [-a address] [-D debuglevel [-g group]"
- " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname);
+ " [-M maxport] [-m minport] [-t timeout] [-u user]"
+ " [-R address[:port]] [-S address]", __progname);
syslog(LOG_NOTICE,
"usage: %s -p [-AnrVw] [-a address] [-D debuglevel [-g group]"
- " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname);
+ " [-M maxport] [-m minport] [-t timeout] [-u user]"
+ " [-R address[:port]] [-S address]", __progname);
exit(EX_USAGE);
}
@@ -567,7 +572,7 @@
salen = 1;
listen_sa.sin_family = AF_INET;
- bzero(&listen_sa.sin_addr, sizeof(struct in_addr));
+ bcopy(&src_addr, &listen_sa.sin_addr, sizeof(struct in_addr));
listen_sa.sin_port = htons(20);
if (setsockopt(client_data_socket, SOL_SOCKET, SO_REUSEADDR,
@@ -941,7 +946,10 @@
new_dataconn(0);
connection_mode = PASV_MODE;
- iap = &(server->sa.sin_addr);
+ if (ReverseMode)
+ iap = &(proxy_sa.sin_addr);
+ else
+ iap = &(server->sa.sin_addr);
debuglog(1, "we want client to use %s:%u", inet_ntoa(*iap),
htons(client_listen_sa.sin_port));
@@ -980,9 +988,10 @@
{
struct csiob client_iob, server_iob;
struct sigaction new_sa, old_sa;
- int sval, ch, flags, i, err;
+ int sval, ch, flags, i;
socklen_t salen;
int one = 1;
+ int err;
int ipf = 0;
int pf = 0;
long timeout_seconds = 0;
@@ -991,7 +1000,7 @@
int use_tcpwrapper = 0;
#endif /* LIBWRAP */
- while ((ch = getopt(argc, argv, "a:D:g:m:M:t:T:u:AinpVwr")) != -1) {
+ while ((ch = getopt(argc, argv, "a:D:g:m:M:R:S:t:u:AinpVwr")) != -1) {
char *p;
switch (ch) {
case 'a':
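Review bot: The new getopt string drops `T:` while adding `R:` and `S:`, so a `-T` argument now falls through to the usage() path; if a `case 'T'` still exists further down the switch (outside this hunk) it becomes unreachable and should be removed with it, and if -T was a NetBSD-local option its removal deserves a mention in the commit message. I cannot see the rest of the switch from here, so treat this as something to confirm rather than a certain defect. main() starts and ends outside the hunk.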
@@ -1044,6 +1053,41 @@
case 'r':
Use_Rdns = 1; /* look up hostnames */
break;
+ case 'R': {
+ char *s, *t;
+
+ if (!*optarg)
+ usage();
+ if ((s = strdup(optarg)) == NULL) {
+ syslog (LOG_NOTICE,
+ "Insufficient memory (malloc failed)");
+ exit(EX_UNAVAILABLE);
+ }
+ memset(&real_server_sa, 0, sizeof(real_server_sa));
+ real_server_sa.sin_len = sizeof(struct sockaddr_in);
+ real_server_sa.sin_family = AF_INET;
+ t = strchr(s, ':');
+ if (t == NULL)
+ real_server_sa.sin_port = htons(21);
+ else {
+ long port = strtol(t + 1, &p, 10);
+
+ if (*p || port <= 0 || port > 65535)
+ usage();
+ real_server_sa.sin_port = htons(port);
+ *t = 0;
+ }
+ real_server_sa.sin_addr.s_addr = inet_addr(s);
+ if (real_server_sa.sin_addr.s_addr == INADDR_NONE)
+ usage();
+ free(s);
+ ReverseMode = 1;
+ break;
+ }
+ case 'S':
+ if (!inet_aton(optarg, &src_addr))
+ usage();
+ break;
case 't':
timeout_seconds = strtol(optarg, &p, 10);
if (!*optarg || *p)
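Review bot: The -R address is converted with inet_addr() and rejected on INADDR_NONE, which cannot distinguish 255.255.255.255 from a parse error, while the -S case a few lines below uses inet_aton(); the two should agree, e.g. `if (!inet_aton(s, &real_server_sa.sin_addr)) usage();`. The port range check is sound, but strtol() also accepts leading whitespace and a sign, so `-R host:+21` is silently accepted; a digit check on `*(t + 1)` before the strtol() call would tighten it. The strdup()'d copy is not freed on the usage() paths, which is harmless only because usage() exits. main() starts and ends outside this hunk.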
@@ -1086,10 +1130,32 @@
memset(&client_iob, 0, sizeof(client_iob));
memset(&server_iob, 0, sizeof(server_iob));
- if (pf && get_proxy_env(0, &real_server_sa, &client_iob.sa) == -1)
+ if (pf && get_proxy_env(0, &real_server_sa, &client_iob.sa,
+ &proxy_sa) == -1)
+ exit(EX_PROTOCOL);
+ if (ipf && ipf_get_proxy_env(0, &real_server_sa, &client_iob.sa,
+ &proxy_sa) == -1)
exit(EX_PROTOCOL);
- if (ipf && ipf_get_proxy_env(0, &real_server_sa, &client_iob.sa) == -1)
- exit(EX_PROTOCOL);
+
+ /*
+ * We may now drop root privs, as we have done our ioctl for
+ * pf. If we do drop root, we can't make backchannel connections
+ * for PORT and EPRT come from port 20, which is not strictly
+ * RFC compliant. This shouldn't cause problems for all but
+ * the stupidest ftp clients and the stupidest packet filters.
+ */
+ drop_privs();
+
+ /*
+ * We check_host after get_proxy_env so that checks are done
+ * against the original destination endpoint, not the endpoint
+ * of our side of the rdr. This allows the use of tcpwrapper
+ * rules to restrict destinations as well as sources of connections
+ * for ftp.
+ */
+ if (Use_Rdns)
+ flags = 0;
+ else
/*
* We may now drop root privs, as we have done our ioctl for
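Review bot: The `else` on the last added line has no statement of its own inside the hunk; the lines that follow are the old "We may now drop root privs" comment, which in the pre-merge file introduced a drop_privs() call, so if that call still follows it now binds to this `else`, drop_privs() runs a second time whenever -r is not given, and `flags` is assigned here only on the Use_Rdns path. The intended tail is presumably `else flags = NI_NUMERICHOST | NI_NUMERICSERV;` with the old comment and the second call deleted, since the new code already calls drop_privs() unconditionally a few lines above. Moving the privilege drop ahead of check_host() is the right ordering; the point is only the leftover duplicate. main() starts and ends outside the hunk, so this must be confirmed against the lines that follow.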
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/libexec/ftp-proxy/ipf.c
--- a/dist/pf/libexec/ftp-proxy/ipf.c Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/libexec/ftp-proxy/ipf.c Sun Nov 14 11:26:43 2004 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipf.c,v 1.1 2004/06/30 13:29:43 darrenr Exp $ */
+/* $NetBSD: ipf.c,v 1.2 2004/11/14 11:26:47 yamt Exp $ */
/*
* Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -55,14 +55,15 @@
#include "util.h"
+extern int ReverseMode;
+
static natlookup_t natlook;
static int natfd;
int
ipf_get_proxy_env(int connected_fd, struct sockaddr_in *server,
- struct sockaddr_in *client)
+ struct sockaddr_in *client, struct sockaddr_in *proxy_sa_ptr)
{
- struct sockaddr_in lsin;
socklen_t namelen;
ipfobj_t obj;
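Review bot: `extern int ReverseMode;` is declared ad hoc in this .c file, so the compiler never checks it against the definition in ftp-proxy.c; since util.h is already included here and is touched by this commit, the declaration belongs next to the ipf_get_proxy_env() prototype, presumably in util.h, where both translation units see the same one. ipf_get_proxy_env() continues past the end of the hunk.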
@@ -70,8 +71,8 @@
* Get IP# and port # of the local end of the connection
* (at the origin)
*/
- namelen = sizeof(lsin);
- if (getsockname(connected_fd, (struct sockaddr *)&lsin,
+ namelen = sizeof(*proxy_sa_ptr);
+ if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
&namelen) != 0) {
syslog(LOG_ERR, "getsockname() failed (%m)");
exit(EX_OSERR);
@@ -88,6 +89,9 @@
exit(EX_OSERR);
}
+ if (ReverseMode)
+ return(0);
+
/*
* Build up the ipf object description structure.
*/
@@ -102,9 +106,9 @@
memset((void *)&natlook, 0, sizeof(natlook));
natlook.nl_flags = IPN_TCPUDP;
natlook.nl_outip = client->sin_addr;
- natlook.nl_inip = lsin.sin_addr;
+ natlook.nl_inip = proxy_sa_ptr->sin_addr;
natlook.nl_outport = ntohs(client->sin_port);
- natlook.nl_inport = ntohs(lsin.sin_port);
+ natlook.nl_inport = ntohs(proxy_sa_ptr->sin_port);
/*
* Open the NAT device and lookup the mapping pair.
diff -r 50ee592ce911 -r 6fdecc5735f1 dist/pf/libexec/ftp-proxy/util.c
--- a/dist/pf/libexec/ftp-proxy/util.c Sun Nov 14 11:12:16 2004 +0000
+++ b/dist/pf/libexec/ftp-proxy/util.c Sun Nov 14 11:26:43 2004 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: util.c,v 1.4 2004/11/11 09:50:00 yamt Exp $ */
-/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */
+/* $NetBSD: util.c,v 1.5 2004/11/14 11:26:47 yamt Exp $ */
+/* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
/*
* Copyright (c) 1996-2001