eri@ wants to start on porting the latest pf in his user space so we can
finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help with that.
parent
89a3159080
commit
739de636d7
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/pf/dist/; revision=196360 svn path=/vendor/pf/4.5/; revision=196361; tag=vendor/pf/4.5
@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
PROG= authpf
MAN= authpf.8
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: February 14 2008 $
|
||||
.Dd $Mdocdate: March 18 2008 $
|
||||
.Dt AUTHPF 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -202,6 +202,9 @@ It is also possible to configure
|
||||
to only allow specific users access.
|
||||
This is done by listing their login names, one per line, in
|
||||
.Pa /etc/authpf/authpf.allow .
|
||||
A group of users can also be indicated by prepending "%" to the group name,
|
||||
and all members of a login class can be indicated by prepending "@" to the
|
||||
login class name.
|
||||
If "*" is found on a line, then all usernames match.
|
||||
If
|
||||
.Nm
|
||||
@ -314,7 +317,8 @@ They have a
|
||||
wireless network which they would like to protect from unauthorized use.
|
||||
To accomplish this, they create the file
|
||||
.Pa /etc/authpf/authpf.allow
|
||||
which lists their login ids, one per line.
|
||||
which lists their login ids, group prepended with "%", or login class
|
||||
prepended with "@", one per line.
|
||||
At this point, even if eve could authenticate to
|
||||
.Xr sshd 8 ,
|
||||
she would not be allowed to use the gateway.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
|
||||
/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
|
||||
@ -32,6 +32,7 @@
|
||||
#include <errno.h>
|
||||
#include <login_cap.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@ -43,7 +44,7 @@
|
||||
|
||||
static int read_config(FILE *);
|
||||
static void print_message(char *);
|
||||
static int allowed_luser(char *);
|
||||
static int allowed_luser(struct passwd *);
|
||||
static int check_luser(char *, char *);
|
||||
static int remove_stale_rulesets(void);
|
||||
static int recursive_ruleset_purge(char *, char *);
|
||||
@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
|
||||
int user_ip = 1; /* controls whether $user_ip is set */
|
||||
|
||||
FILE *pidfp;
|
||||
int pidfd = -1;
|
||||
char luser[MAXLOGNAME]; /* username */
|
||||
char ipsrc[256]; /* ip as a string */
|
||||
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
|
||||
@ -78,7 +80,7 @@ extern char *__progname; /* program name */
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
int lockcnt = 0, n, pidfd;
|
||||
int lockcnt = 0, n;
|
||||
FILE *config;
|
||||
struct in6_addr ina;
|
||||
struct passwd *pw;
|
||||
@ -93,7 +95,7 @@ main(int argc, char *argv[])
|
||||
|
||||
config = fopen(PATH_CONFFILE, "r");
|
||||
if (config == NULL) {
|
||||
syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
|
||||
syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -186,6 +188,14 @@ main(int argc, char *argv[])
|
||||
goto die;
|
||||
}
|
||||
|
||||
signal(SIGTERM, need_death);
|
||||
signal(SIGINT, need_death);
|
||||
signal(SIGALRM, need_death);
|
||||
signal(SIGPIPE, need_death);
|
||||
signal(SIGHUP, need_death);
|
||||
signal(SIGQUIT, need_death);
|
||||
signal(SIGTSTP, need_death);
|
||||
|
||||
/*
|
||||
* If someone else is already using this ip, then this person
|
||||
* wants to switch users - so kill the old process and exit
|
||||
@ -239,15 +249,17 @@ main(int argc, char *argv[])
|
||||
}
|
||||
|
||||
/*
|
||||
* we try to kill the previous process and acquire the lock
|
||||
* We try to kill the previous process and acquire the lock
|
||||
* for 10 seconds, trying once a second. if we can't after
|
||||
* 10 attempts we log an error and give up
|
||||
* 10 attempts we log an error and give up.
|
||||
*/
|
||||
if (++lockcnt > 10) {
|
||||
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
|
||||
otherpid);
|
||||
if (want_death || ++lockcnt > 10) {
|
||||
if (!want_death)
|
||||
syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
|
||||
otherpid);
|
||||
fclose(pidfp);
|
||||
pidfp = NULL;
|
||||
pidfd = -1;
|
||||
goto dogdeath;
|
||||
}
|
||||
sleep(1);
|
||||
@ -258,6 +270,7 @@ main(int argc, char *argv[])
|
||||
*/
|
||||
fclose(pidfp);
|
||||
pidfp = NULL;
|
||||
pidfd = -1;
|
||||
} while (1);
|
||||
|
||||
/* whack the group list */
|
||||
@ -275,7 +288,7 @@ main(int argc, char *argv[])
|
||||
}
|
||||
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
|
||||
|
||||
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
|
||||
if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
|
||||
syslog(LOG_INFO, "user %s prohibited", luser);
|
||||
do_death(0);
|
||||
}
|
||||
@ -306,13 +319,6 @@ main(int argc, char *argv[])
|
||||
do_death(0);
|
||||
}
|
||||
|
||||
signal(SIGTERM, need_death);
|
||||
signal(SIGINT, need_death);
|
||||
signal(SIGALRM, need_death);
|
||||
signal(SIGPIPE, need_death);
|
||||
signal(SIGHUP, need_death);
|
||||
signal(SIGQUIT, need_death);
|
||||
signal(SIGTSTP, need_death);
|
||||
while (1) {
|
||||
printf("\r\nHello %s. ", luser);
|
||||
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
|
||||
@ -434,6 +440,7 @@ print_message(char *filename)
|
||||
* allowed_luser checks to see if user "luser" is allowed to
|
||||
* use this gateway by virtue of being listed in an allowed
|
||||
* users file, namely /etc/authpf/authpf.allow .
|
||||
* Users may be listed by <username>, %<group>, or @<login_class>.
|
||||
*
|
||||
* If /etc/authpf/authpf.allow does not exist, then we assume that
|
||||
* all users who are allowed in by sshd(8) are permitted to
|
||||
@ -442,7 +449,7 @@ print_message(char *filename)
|
||||
* the session terminates in the same manner as being banned.
|
||||
*/
|
||||
static int
|
||||
allowed_luser(char *luser)
|
||||
allowed_luser(struct passwd *pw)
|
||||
{
|
||||
char *buf, *lbuf;
|
||||
int matched;
|
||||
@ -474,8 +481,14 @@ allowed_luser(char *luser)
|
||||
* "public" gateway, such as it is, so let
|
||||
* everyone use it.
|
||||
*/
|
||||
int gl_init = 0, ngroups = NGROUPS + 1;
|
||||
gid_t groups[NGROUPS + 1];
|
||||
|
||||
lbuf = NULL;
|
||||
matched = 0;
|
||||
|
||||
while ((buf = fgetln(f, &len))) {
|
||||
|
||||
if (buf[len - 1] == '\n')
|
||||
buf[len - 1] = '\0';
|
||||
else {
|
||||
@ -486,7 +499,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
if (buf[0] == '@') {
/* check login class */
if (strcmp(pw->pw_class, buf + 1) == 0)
matched++;
} else if (buf[0] == '%') {
/* check group membership */
int cnt;
struct group *group;
if ((group = getgrnam(buf + 1)) == NULL) {
syslog(LOG_ERR,
"invalid group '%s' in %s (%s)",
buf + 1, PATH_ALLOWFILE,
strerror(errno));
return (0);
}
if (!gl_init) {
(void) getgrouplist(pw->pw_name,
pw->pw_gid, groups, &ngroups);
gl_init++;
}
for ( cnt = 0; cnt < ngroups; cnt++) {
if (group->gr_gid == groups[cnt]) {
matched++;
break;
}
}
} else {
/* check username and wildcard */
matched = strcmp(pw->pw_name, buf) == 0 ||
strcmp("*", buf) == 0;
}
if (lbuf != NULL) {
free(lbuf);
@ -494,10 +540,10 @@ allowed_luser(char *luser)
}
if (matched)
return (1); /* matched an allowed username */
return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
luser, PATH_ALLOWFILE);
pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
buf = "\n\nSorry, you are not allowed to use this facility!\n";
@ -878,7 +924,7 @@ do_death(int active)
|
||||
authpf_kill_states();
|
||||
}
|
||||
}
|
||||
if (pidfile[0] && (pidfp != NULL))
|
||||
if (pidfile[0] && pidfd != -1)
|
||||
if (unlink(pidfile) == -1)
|
||||
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
|
||||
exit(ret);
|
||||
|
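Review bot: The getgrouplist() call in the new `%` branch of allowed_luser discards its return value, so a user who belongs to more groups than `groups[NGROUPS + 1]` can hold is compared against a silently truncated list and may be refused a group-based entry with only the generic "not listed" log line. Because this is an authorization decision, the truncation should at least be recorded: `if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)` followed by `syslog(LOG_WARNING, "group list for %s truncated", pw->pw_name);` (on OpenBSD getgrouplist(3) returns -1 and fills as many entries as fit; confirm the same contract on the target libc). A second nuance worth a comment in the `@` branch: a line consisting of just `@` is compared against `pw->pw_class`, which is presumably the empty string for accounts without an explicit login class, so such a line would match all of those accounts; a `buf[1] != '\0'` guard or a one-line comment would make the intended behaviour explicit. allowed_luser begins before this hunk and the file's other hunks are unaffected.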
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
|
||||
/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
|
||||
# $OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $
|
||||
|
||||
PROG= ftp-proxy
|
||||
SRCS= ftp-proxy.c filter.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
|
||||
/* $OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
|
||||
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
|
||||
.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
|
||||
/* $OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002, 2003 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
@ -62,7 +64,7 @@ struct evbuffer *
|
||||
evbuffer_new(void)
|
||||
{
|
||||
struct evbuffer *buffer;
|
||||
|
||||
|
||||
buffer = calloc(1, sizeof(struct evbuffer));
|
||||
|
||||
return (buffer);
|
||||
@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer)
|
||||
free(buffer);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* This is a destructive add. The data from one buffer moves into
|
||||
* the other buffer.
|
||||
*/
|
||||
@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *outbuf, struct evbuffer *inbuf)
|
||||
SWAP(outbuf, inbuf);
|
||||
SWAP(inbuf, &tmp);
|
||||
|
||||
/*
|
||||
/*
|
||||
* Optimization comes with a price; we need to notify the
|
||||
* buffer if necessary of the changes. oldoff is the amount
|
||||
* of data that we transfered from inbuf to outbuf
|
||||
* of data that we transferred from inbuf to outbuf
|
||||
*/
|
||||
if (inbuf->off != oldoff && inbuf->cb != NULL)
|
||||
(*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg);
|
||||
if (oldoff && outbuf->cb != NULL)
|
||||
(*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg);
|
||||
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, void *data, size_t datlen)
|
||||
|
||||
memcpy(data, buf->buffer, nread);
|
||||
evbuffer_drain(buf, nread);
|
||||
|
||||
|
||||
return (nread);
|
||||
}
|
||||
|
||||
@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int fd, int howmuch)
|
||||
if (n < EVBUFFER_MAX_READ)
|
||||
n = EVBUFFER_MAX_READ;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
if (howmuch < 0 || howmuch > n)
|
||||
howmuch = n;
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002-2004 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int timeout)
|
||||
return (event_add(ev, ptv));
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* This callback is executed when the size of the input buffer changes.
|
||||
* We use it to apply back pressure on the reading side.
|
||||
*/
|
||||
@ -73,7 +75,7 @@ void
|
||||
bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now,
|
||||
void *arg) {
|
||||
struct bufferevent *bufev = arg;
|
||||
/*
|
||||
/*
|
||||
* If we are below the watermark then reschedule reading if it's
|
||||
* still enabled.
|
||||
*/
|
||||
@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *bufev)
|
||||
*/
|
||||
|
||||
int
|
||||
bufferevent_write(struct bufferevent *bufev, void *data, size_t size)
|
||||
bufferevent_write(struct bufferevent *bufev, const void *data, size_t size)
|
||||
{
|
||||
int res;
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
@ -38,7 +40,7 @@
|
||||
#include <sys/tree.h>
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
#include <sys/time.h>
|
||||
#else
|
||||
#else
|
||||
#include <sys/_time.h>
|
||||
#endif
|
||||
#include <sys/queue.h>
|
||||
@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeout_node, compare);
|
||||
RB_GENERATE(event_tree, event, ev_timeout_node, compare);
|
||||
|
||||
|
||||
void *
|
||||
struct event_base *
|
||||
event_init(void)
|
||||
{
|
||||
int i;
|
||||
@ -194,13 +196,13 @@ event_init(void)
|
||||
|
||||
detect_monotonic();
|
||||
gettime(&base->event_tv);
|
||||
|
||||
|
||||
RB_INIT(&base->timetree);
|
||||
TAILQ_INIT(&base->eventqueue);
|
||||
TAILQ_INIT(&base->sig.signalqueue);
|
||||
base->sig.ev_signal_pair[0] = -1;
|
||||
base->sig.ev_signal_pair[1] = -1;
|
||||
|
||||
|
||||
base->evbase = NULL;
|
||||
for (i = 0; eventops[i] && !base->evbase; i++) {
|
||||
base->evsel = eventops[i];
|
||||
@ -321,7 +323,7 @@ event_process_active(struct event_base *base)
|
||||
|
||||
for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) {
|
||||
event_queue_remove(base, ev, EVLIST_ACTIVE);
|
||||
|
||||
|
||||
/* Allows deletes to work */
|
||||
ncalls = ev->ev_ncalls;
|
||||
ev->ev_pncalls = &ncalls;
|
||||
@ -430,7 +432,7 @@ event_base_loop(struct event_base *base, int flags)
|
||||
*/
|
||||
timerclear(&tv);
|
||||
}
|
||||
|
||||
|
||||
/* If we have no events, we just exit */
|
||||
if (!event_haveevents(base)) {
|
||||
event_debug(("%s: no events registered.", __func__));
|
||||
@ -439,7 +441,6 @@ event_base_loop(struct event_base *base, int flags)
|
||||
|
||||
res = evsel->dispatch(base, evbase, tv_p);
|
||||
|
||||
|
||||
if (res == -1)
|
||||
return (-1);
|
||||
|
||||
@ -652,7 +653,7 @@ event_add(struct event *ev, struct timeval *tv)
|
||||
/* Abort loop */
|
||||
*ev->ev_pncalls = 0;
|
||||
}
|
||||
|
||||
|
||||
event_queue_remove(base, ev, EVLIST_ACTIVE);
|
||||
}
|
||||
|
||||
@ -913,10 +914,10 @@ event_queue_insert(struct event_base *base, struct event *ev, int queue)
|
||||
const char *
|
||||
event_get_version(void)
|
||||
{
|
||||
return (VERSION);
|
||||
return (LIBEVENT_VERSION);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* No thread-safe interface needed - the information should be the same
|
||||
* for all threads.
|
||||
*/
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
@ -43,6 +45,8 @@ typedef unsigned char u_char;
|
||||
typedef unsigned short u_short;
|
||||
#endif
|
||||
|
||||
#define LIBEVENT_VERSION "1.3e"
|
||||
|
||||
#define EVLIST_TIMEOUT 0x01
|
||||
#define EVLIST_INSERTED 0x02
|
||||
#define EVLIST_SIGNAL 0x04
|
||||
@ -141,7 +145,7 @@ struct eventop {
|
||||
void (*dealloc)(struct event_base *, void *);
|
||||
};
|
||||
|
||||
void *event_init(void);
|
||||
struct event_base *event_init(void);
|
||||
int event_dispatch(void);
|
||||
int event_base_dispatch(struct event_base *);
|
||||
void event_base_free(struct event_base *);
|
||||
@ -169,12 +173,6 @@ int event_base_loopexit(struct event_base *, struct timeval *);
|
||||
#define evtimer_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
|
||||
#define evtimer_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
|
||||
|
||||
#define timeout_add(ev, tv) event_add(ev, tv)
|
||||
#define timeout_set(ev, cb, arg) event_set(ev, -1, 0, cb, arg)
|
||||
#define timeout_del(ev) event_del(ev)
|
||||
#define timeout_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
|
||||
#define timeout_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
|
||||
|
||||
#define signal_add(ev, tv) event_add(ev, tv)
|
||||
#define signal_set(ev, x, cb, arg) \
|
||||
event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg)
|
||||
@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int fd,
|
||||
int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev);
|
||||
int bufferevent_priority_set(struct bufferevent *bufev, int pri);
|
||||
void bufferevent_free(struct bufferevent *bufev);
|
||||
int bufferevent_write(struct bufferevent *bufev, void *data, size_t size);
|
||||
int bufferevent_write(struct bufferevent *bufev,
|
||||
const void *data, size_t size);
|
||||
int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf);
|
||||
size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size);
|
||||
int bufferevent_enable(struct bufferevent *bufev, short event);
|
||||
@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int, int);
|
||||
u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t);
|
||||
void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t, size_t, void *), void *);
|
||||
|
||||
/*
|
||||
/*
|
||||
* Marshaling tagged data - We assume that all tags are inserted in their
|
||||
* numeric order - so that unknown tags will always be higher than the
|
||||
* known ones - and we can just ignore the end of an event buffer.
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $ */
|
||||
/* $OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -97,14 +97,14 @@ kq_init(struct event_base *base)
struct kqop *kqueueop;
/* Disable kqueue when this environment variable is set */
if (getenv("EVENT_NOKQUEUE"))
if (!issetugid() && getenv("EVENT_NOKQUEUE"))
return (NULL);
if (!(kqueueop = calloc(1, sizeof(struct kqop))))
return (NULL);
/* Initalize the kernel queue */
if ((kq = kqueue()) == -1) {
event_warn("kqueue");
free (kqueueop);
@ -114,12 +114,12 @@ kq_init(struct event_base *base)
|
||||
kqueueop->kq = kq;
|
||||
|
||||
/* Initalize fields */
|
||||
kqueueop->changes = malloc(NEVENT * sizeof(struct kevent));
|
||||
kqueueop->changes = calloc(NEVENT, sizeof(struct kevent));
|
||||
if (kqueueop->changes == NULL) {
|
||||
free (kqueueop);
|
||||
return (NULL);
|
||||
}
|
||||
kqueueop->events = malloc(NEVENT * sizeof(struct kevent));
|
||||
kqueueop->events = calloc(NEVENT, sizeof(struct kevent));
|
||||
if (kqueueop->events == NULL) {
|
||||
free (kqueueop->changes);
|
||||
free (kqueueop);
|
||||
@ -131,7 +131,7 @@ kq_init(struct event_base *base)
|
||||
kqueueop->changes[0].ident = -1;
|
||||
kqueueop->changes[0].filter = EVFILT_READ;
|
||||
kqueueop->changes[0].flags = EV_ADD;
|
||||
/*
|
||||
/*
|
||||
* If kqueue works, then kevent will succeed, and it will
|
||||
* stick an error in events[0]. If kqueue is broken, then
|
||||
* kevent will fail.
|
||||
@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct kevent *kev)
|
||||
memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent));
|
||||
|
||||
event_debug(("%s: fd %d %s%s",
|
||||
__func__, kev->ident,
|
||||
__func__, kev->ident,
|
||||
kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE",
|
||||
kev->flags == EV_DELETE ? " (del)" : ""));
|
||||
|
||||
@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, void *arg, struct timeval *tv)
|
||||
int which = 0;
|
||||
|
||||
if (events[i].flags & EV_ERROR) {
|
||||
/*
|
||||
/*
|
||||
* Error messages that can happen, when a delete fails.
|
||||
* EBADF happens when the file discriptor has been
|
||||
* closed,
|
||||
@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev)
|
||||
if (!(ev->ev_events & EV_PERSIST))
|
||||
kev.flags |= EV_ONESHOT;
|
||||
kev.udata = PTR_TO_UDATA(ev);
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev)
|
||||
if (!(ev->ev_events & EV_PERSIST))
|
||||
kev.flags |= EV_ONESHOT;
|
||||
kev.udata = PTR_TO_UDATA(ev);
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev)
|
||||
if (!(ev->ev_events & EV_PERSIST))
|
||||
kev.flags |= EV_ONESHOT;
|
||||
kev.udata = PTR_TO_UDATA(ev);
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev)
|
||||
kev.ident = nsignal;
|
||||
kev.filter = EVFILT_SIGNAL;
|
||||
kev.flags = EV_DELETE;
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev)
|
||||
kev.ident = ev->ev_fd;
|
||||
kev.filter = EVFILT_READ;
|
||||
kev.flags = EV_DELETE;
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev)
|
||||
kev.ident = ev->ev_fd;
|
||||
kev.filter = EVFILT_WRITE;
|
||||
kev.flags = EV_DELETE;
|
||||
|
||||
|
||||
if (kq_insert(kqop, &kev) == -1)
|
||||
return (-1);
|
||||
|
||||
|
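Review bot: The comment above the changed test in kq_init still reads `/* Disable kqueue when this environment variable is set */`, but the new condition deliberately ignores EVENT_NOKQUEUE when issetugid() is true, and that is the security-relevant part of the change; suggest `/* Honour EVENT_NOKQUEUE only when not running set-user/group-id, so a privileged caller's backend choice cannot be altered through its environment. */`. The same stale comment remains in the EVENT_NOPOLL hunk of poll.c (poll_init) and the EVENT_NOSELECT hunk of select.c (select_init). Separately, the kq_insert debug hunk passes `kev->ident` to a `%d` conversion; struct kevent's ident is an unsigned pointer-sized integer, so the argument should be cast for the format to be well-defined, e.g. `(int)kev->ident` or a `%lu` with `(unsigned long)`. kq_init's body continues past the reviewed hunk.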
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
|
||||
/* $OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $ */
|
||||
|
||||
/*
|
||||
* log.c
|
||||
@ -102,7 +102,7 @@ void
|
||||
event_err(int eval, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_ERR, errno, fmt, ap);
|
||||
va_end(ap);
|
||||
@ -113,7 +113,7 @@ void
|
||||
event_warn(const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_WARN, errno, fmt, ap);
|
||||
va_end(ap);
|
||||
@ -123,7 +123,7 @@ void
|
||||
event_errx(int eval, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_ERR, -1, fmt, ap);
|
||||
va_end(ap);
|
||||
@ -134,7 +134,7 @@ void
|
||||
event_warnx(const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_WARN, -1, fmt, ap);
|
||||
va_end(ap);
|
||||
@ -144,7 +144,7 @@ void
|
||||
event_msgx(const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_MSG, -1, fmt, ap);
|
||||
va_end(ap);
|
||||
@ -154,7 +154,7 @@ void
|
||||
_event_debugx(const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
||||
va_start(ap, fmt);
|
||||
_warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap);
|
||||
va_end(ap);
|
||||
|
@ -1,3 +1,5 @@
|
||||
/* $OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
|
||||
* All rights reserved.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
|
||||
/* $OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2000-2003 Niels Provos <provos@citi.umich.edu>
|
||||
@ -89,7 +89,7 @@ poll_init(struct event_base *base)
|
||||
struct pollop *pollop;
|
||||
|
||||
/* Disable poll when this environment variable is set */
|
||||
if (getenv("EVENT_NOPOLL"))
|
||||
if (!issetugid() && getenv("EVENT_NOPOLL"))
|
||||
return (NULL);
|
||||
|
||||
if (!(pollop = calloc(1, sizeof(struct pollop))))
|
||||
@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, void *arg, struct timeval *tv)
|
||||
for (i = 0; i < nfds; i++) {
|
||||
int what = pop->event_set[i].revents;
|
||||
struct event *r_ev = NULL, *w_ev = NULL;
|
||||
|
||||
if (!what)
|
||||
continue;
|
||||
|
||||
@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev)
|
||||
|
||||
--pop->nfds;
|
||||
if (i != pop->nfds) {
|
||||
/*
|
||||
/*
|
||||
* Shift the last pollfd down into the now-unoccupied
|
||||
* position.
|
||||
*/
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
|
||||
/* $OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -96,7 +96,7 @@ select_init(struct event_base *base)
|
||||
struct selectop *sop;
|
||||
|
||||
/* Disable select when this environment variable is set */
|
||||
if (getenv("EVENT_NOSELECT"))
|
||||
if (!issetugid() && getenv("EVENT_NOSELECT"))
|
||||
return (NULL);
|
||||
|
||||
if (!(sop = calloc(1, sizeof(struct selectop))))
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
|
||||
/* $OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *arg)
|
||||
void
|
||||
evsignal_init(struct event_base *base)
|
||||
{
|
||||
/*
|
||||
/*
|
||||
* Our signal handler is going to write to one end of the socket
|
||||
* pair to wake up our event loop. The event loop then scans for
|
||||
* signals that got delivered.
|
||||
|
9
man/pf.4
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
|
||||
.\" $OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
|
||||
.\"
|
||||
@ -26,7 +26,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: May 31 2007 $
|
||||
.Dd $Mdocdate: September 4 2008 $
|
||||
.Dt PF 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -1050,12 +1050,14 @@ internal interface description.
|
||||
The filtering process is the same as for
|
||||
.Dv DIOCIGETIFACES .
|
||||
.Bd -literal
|
||||
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
|
||||
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
|
||||
.Ed
|
||||
.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
|
||||
Works as
|
||||
.Dv DIOCSETIFFLAG
|
||||
above but clears the flags.
|
||||
.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
|
||||
Explicitly remove source tracking nodes.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width /dev/pf -compact
|
||||
@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
|
||||
.Xr ioctl 2 ,
|
||||
.Xr bridge 4 ,
|
||||
.Xr pflog 4 ,
|
||||
.Xr pflow 4 ,
|
||||
.Xr pfsync 4 ,
|
||||
.Xr pfctl 8 ,
|
||||
.Xr altq 9
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
|
||||
.\" $OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002, Daniel Hartmeier
|
||||
.\" All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: June 10 2008 $
|
||||
.Dd $Mdocdate: October 2 2008 $
|
||||
.Dt PF.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -517,6 +517,16 @@ For example:
|
||||
.Bd -literal -offset indent
|
||||
set state-policy if-bound
|
||||
.Ed
|
||||
.It Ar set state-defaults
|
||||
The
|
||||
.Ar state-defaults
|
||||
option sets the state options for states created from rules
|
||||
without an explicit
|
||||
.Ar keep state .
|
||||
For example:
|
||||
.Bd -literal -offset indent
|
||||
set state-defaults pflow, no-sync
|
||||
.Ed
|
||||
.It Ar set hostid
|
||||
The 32-bit
|
||||
.Ar hostid
|
||||
@ -901,7 +911,7 @@ Defines a list of subqueues to create on an interface.
|
||||
.El
|
||||
.Pp
|
||||
In the following example, the interface dc0
|
||||
should queue up to 5 Mbit/s in four second-level queues using
|
||||
should queue up to 5Mbps in four second-level queues using
|
||||
Class Based Queueing.
|
||||
Those four queues will be shown in a later example.
|
||||
.Bd -literal -offset indent
|
||||
@ -1488,7 +1498,7 @@ Translates to the network(s) attached to the interface.
|
||||
.It Ar :broadcast
|
||||
Translates to the interface's broadcast address(es).
|
||||
.It Ar :peer
|
||||
Translates to the point to point interface's peer address(es).
|
||||
Translates to the point-to-point interface's peer address(es).
|
||||
.It Ar :0
|
||||
Do not include interface aliases.
|
||||
.El
|
||||
@ -2098,6 +2108,10 @@ easier.
|
||||
This is intended to be used in situations where one does not see all
|
||||
packets of a connection, e.g. in asymmetric routing situations.
|
||||
Cannot be used with modulate or synproxy state.
|
||||
.It Ar pflow
|
||||
States created by this rule are exported on the
|
||||
.Xr pflow 4
|
||||
interface.
|
||||
.El
|
||||
.Pp
|
||||
Multiple options can be specified, separated by commas:
|
||||
@ -2821,6 +2835,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
|
||||
[ "loginterface" ( interface-name | "none" ) ] |
|
||||
[ "block-policy" ( "drop" | "return" ) ] |
|
||||
[ "state-policy" ( "if-bound" | "floating" ) ]
|
||||
[ "state-defaults" state-opts ]
|
||||
[ "require-order" ( "yes" | "no" ) ]
|
||||
[ "fingerprints" filename ] |
|
||||
[ "skip on" ifspec ] |
|
||||
@ -2963,7 +2978,7 @@ tos = ( "lowdelay" | "throughput" | "reliability" |
|
||||
[ "0x" ] number )
|
||||
|
||||
state-opts = state-opt [ [ "," ] state-opts ]
|
||||
state-opt = ( "max" number | "no-sync" | timeout | sloppy |
|
||||
state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
|
||||
"source-track" [ ( "rule" | "global" ) ] |
|
||||
"max-src-nodes" number | "max-src-states" number |
|
||||
"max-src-conn" number |
|
||||
@ -3026,6 +3041,7 @@ Service name database.
|
||||
.Xr ip 4 ,
|
||||
.Xr ip6 4 ,
|
||||
.Xr pf 4 ,
|
||||
.Xr pflow 4 ,
|
||||
.Xr pfsync 4 ,
|
||||
.Xr route 4 ,
|
||||
.Xr tcp 4 ,
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
|
||||
.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
|
||||
.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Tobias Weingartner
|
||||
.\" All rights reserved.
|
||||
|
113
man/pflow.4
@ -0,0 +1,113 @@
|
||||
.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
|
||||
.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
|
||||
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
|
||||
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: October 28 2008 $
|
||||
.Dt PFLOW 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pflow
|
||||
.Nd kernel interface for pflow data export
|
||||
.Sh SYNOPSIS
|
||||
.Cd "pseudo-device pflow"
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
interface is a pseudo-device which exports
|
||||
.Nm
|
||||
accounting data from the kernel using
|
||||
.Xr udp 4
|
||||
packets.
|
||||
.Nm
|
||||
is compatible with netflow v5.
|
||||
The data is extracted from the
|
||||
.Xr pf 4
|
||||
state table.
|
||||
.Pp
|
||||
Multiple
|
||||
.Nm
|
||||
interfaces can be created at runtime using the
|
||||
.Ic ifconfig pflow Ns Ar N Ic create
|
||||
command.
|
||||
Each interface must be configured with a flow receiver IP address and
|
||||
port number.
|
||||
.Pp
|
||||
Only states created by a rule marked with the
|
||||
.Ar pflow
|
||||
keyword are exported by the
|
||||
.Nm
|
||||
interface.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
interface will attempt to export multiple
|
||||
.Nm
|
||||
records in one
|
||||
UDP packet, but will not hold a record for longer than 30 seconds.
|
||||
The packet size and thus the maximum number of flows is controlled by the
|
||||
.Cm mtu
|
||||
parameter of
|
||||
.Xr ifconfig 8 .
|
||||
.Pp
|
||||
Each packet seen on this interface has one header and a variable number of
|
||||
flows.
|
||||
The header indicates the version of the protocol, number of
|
||||
flows in the packet, a unique sequence number, system time, and an engine
|
||||
ID and type.
|
||||
Header and flow structs are defined in
|
||||
.Aq Pa net/if_pflow.h .
|
||||
.Pp
|
||||
There is a one-to-one correspondence between packets seen by
|
||||
.Xr bpf 4
|
||||
on the
|
||||
.Nm
|
||||
interface and packets sent out to the flow receiver.
|
||||
That is, a packet with 30 flows on
|
||||
.Nm
|
||||
means that the same 30 flows were sent out to the receiver.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
source and destination addresses are controlled by
|
||||
.Xr ifconfig 8 .
|
||||
.Cm flowsrc
|
||||
is the sender IP address of the UDP packet which can be used
|
||||
to identify the source of the data on the
|
||||
.Nm
|
||||
collector.
|
||||
.Cm flowdst
|
||||
defines the collector IP address and the port.
|
||||
The
|
||||
.Cm flowdst
|
||||
IP address and port must be defined to enable the export of flows.
|
||||
.Pp
|
||||
For example, the following command sets 10.0.0.1 as the source
|
||||
and 10.0.0.2:1234 as destination:
|
||||
.Bd -literal -offset indent
|
||||
# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr netintro 4 ,
|
||||
.Xr pf 4 ,
|
||||
.Xr udp 4 ,
|
||||
.Xr pf.conf 5 ,
|
||||
.Xr ifconfig 8 ,
|
||||
.Xr tcpdump 8
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
device first appeared in
|
||||
.Ox 4.5 .
|
87
man/pfsync.4
87
man/pfsync.4
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pfsync.4,v 1.27 2008/06/03 19:51:02 jmc Exp $
|
||||
.\" $OpenBSD: pfsync.4,v 1.26 2007/09/20 20:50:07 mpf Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Michael Shalayeff
|
||||
.\" Copyright (c) 2003-2004 Ryan McBride
|
||||
@ -29,7 +29,7 @@
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pfsync
|
||||
.Nd packet filter state table logging interface
|
||||
.Nd packet filter state table sychronisation interface
|
||||
.Sh SYNOPSIS
|
||||
.Cd "pseudo-device pfsync"
|
||||
.Sh DESCRIPTION
|
||||
@ -45,18 +45,18 @@ on the
|
||||
interface.
|
||||
If configured with a physical synchronisation interface,
|
||||
.Nm
|
||||
will also send state changes out on that interface using IP multicast,
|
||||
will also send state changes out on that interface,
|
||||
and insert state changes received on that interface from other systems
|
||||
into the state table.
|
||||
.Pp
|
||||
By default, all local changes to the state table are exposed via
|
||||
.Nm .
|
||||
However, state changes from packets received by
|
||||
State changes from packets received by
|
||||
.Nm
|
||||
over the network are not rebroadcast.
|
||||
States created by a rule marked with the
|
||||
Updates to states created by a rule marked with the
|
||||
.Ar no-sync
|
||||
keyword are omitted from the
|
||||
keyword are ignored by the
|
||||
.Nm
|
||||
interface (see
|
||||
.Xr pf.conf 5
|
||||
@ -64,33 +64,19 @@ for details).
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
interface will attempt to collapse multiple updates of the same
|
||||
state into one message where possible.
|
||||
The maximum number of times this can be done before the update is sent out
|
||||
is controlled by the
|
||||
interface will attempt to collapse multiple state updates into a single
|
||||
packet where possible.
|
||||
The maximum number of times a single state can be updated before a
|
||||
.Nm
|
||||
packet will be sent out is controlled by the
|
||||
.Ar maxupd
|
||||
parameter to ifconfig
|
||||
(see
|
||||
.Xr ifconfig 8
|
||||
and the example below for more details).
|
||||
.Pp
|
||||
Each packet retrieved on this interface has a header associated
|
||||
with it of length
|
||||
.Dv PFSYNC_HDRLEN .
|
||||
The header indicates the version of the protocol, address family,
|
||||
action taken on the following states, and the number of state
|
||||
table entries attached in this packet.
|
||||
This structure is defined in
|
||||
.Aq Pa net/if_pfsync.h
|
||||
as:
|
||||
.Bd -literal -offset indent
|
||||
struct pfsync_header {
|
||||
u_int8_t version;
|
||||
u_int8_t af;
|
||||
u_int8_t action;
|
||||
u_int8_t count;
|
||||
};
|
||||
.Ed
|
||||
The sending out of a
|
||||
.Nm
|
||||
packet will be delayed by a maximum of one second.
|
||||
.Sh NETWORK SYNCHRONISATION
|
||||
States can be synchronised between two or more firewalls using this
|
||||
interface, by specifying a synchronisation interface using
|
||||
@ -102,14 +88,15 @@ interface:
|
||||
.Ed
|
||||
.Pp
|
||||
By default, state change messages are sent out on the synchronisation
|
||||
interface using IP multicast packets.
|
||||
The protocol is IP protocol 240, PFSYNC, and the multicast group
|
||||
used is 224.0.0.240.
|
||||
When a peer address is specified using the
|
||||
interface using IP multicast packets to the 244.0.0.240 group address.
|
||||
An alternative destination address for
|
||||
.Nm
|
||||
packets can be specified using the
|
||||
.Ic syncpeer
|
||||
keyword, the peer address is used as a destination for the pfsync traffic,
|
||||
and the traffic can then be protected using
|
||||
.Xr ipsec 4 .
|
||||
keyword.
|
||||
This can be used in combination with
|
||||
.Xr ipsec 4
|
||||
to protect the synchronisation traffic.
|
||||
In such a configuration, the syncdev should be set to the
|
||||
.Xr enc 4
|
||||
interface, as this is where the traffic arrives when it is decapsulated,
|
||||
@ -125,27 +112,15 @@ Either run the pfsync protocol on a trusted network \- ideally a network
|
||||
dedicated to pfsync messages such as a crossover cable between two firewalls,
|
||||
or specify a peer address and protect the traffic with
|
||||
.Xr ipsec 4 .
|
||||
.Pp
|
||||
There is a one-to-one correspondence between packets seen by
|
||||
.Xr bpf 4
|
||||
on the
|
||||
.Nm
|
||||
interface, and packets sent out on the synchronisation interface, i.e.\&
|
||||
a packet with 4 state deletion messages on
|
||||
.Nm
|
||||
means that the same 4 deletions were sent out on the synchronisation
|
||||
interface.
|
||||
However, the actual packet contents may differ as the messages
|
||||
sent over the network are "compressed" where possible, containing
|
||||
only the necessary information.
|
||||
.Sh EXAMPLES
|
||||
.Nm
|
||||
and
|
||||
.Xr carp 4
|
||||
can be used together to provide automatic failover of a pair of firewalls
|
||||
configured in parallel.
|
||||
One firewall handles all traffic \- if it dies or
|
||||
is shut down, the second firewall takes over automatically.
|
||||
One firewall will handle all traffic until it dies, is shut down, or is
|
||||
manually demoted, at which point the second firewall will take over
|
||||
automatically.
|
||||
.Pp
|
||||
Both firewalls in this example have three
|
||||
.Xr sis 4
|
||||
@ -203,8 +178,8 @@ pass quick on { sis2 } proto pfsync keep state (no-sync)
|
||||
pass on { sis0 sis1 } proto carp keep state (no-sync)
|
||||
.Ed
|
||||
.Pp
|
||||
If it is preferable that one firewall handle the traffic,
|
||||
the
|
||||
It is preferable that one firewall handle the forwarding of all the traffic,
|
||||
therefore the
|
||||
.Ar advskew
|
||||
on the backup firewall's
|
||||
.Xr carp 4
|
||||
@ -243,3 +218,11 @@ The
|
||||
.Nm
|
||||
device first appeared in
|
||||
.Ox 3.3 .
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
protocol and kernel implementation were significantly modified between
|
||||
.Ox 4.4
|
||||
and
|
||||
.Ox 4.5 .
|
||||
The two protocols are incompatible and will not interoperate.
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
|
||||
# $OpenBSD: Makefile,v 1.18 2006/10/28 14:29:05 mcbride Exp $
|
||||
|
||||
PROG= pfctl
|
||||
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: parse.y,v 1.549 2008/07/03 16:09:34 deraadt Exp $ */
|
||||
/* $OpenBSD: parse.y,v 1.554 2008/10/17 12:59:53 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
@ -153,7 +153,8 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
|
||||
PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
|
||||
PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
|
||||
PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
|
||||
PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };
|
||||
PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY,
|
||||
PF_STATE_OPT_PFLOW };
|
||||
|
||||
enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
|
||||
|
||||
@ -293,7 +294,8 @@ struct pool_opts {
|
||||
} pool_opts;
|
||||
|
||||
|
||||
struct node_hfsc_opts hfsc_opts;
|
||||
struct node_hfsc_opts hfsc_opts;
|
||||
struct node_state_opt *keep_state_defaults = NULL;
|
||||
|
||||
int disallow_table(struct node_host *, const char *);
|
||||
int disallow_urpf_failed(struct node_host *, const char *);
|
||||
@ -442,8 +444,8 @@ int parseport(char *, struct range *r, int);
|
||||
%token QUEUE PRIORITY QLIMIT RTABLE
|
||||
%token LOAD RULESET_OPTIMIZATION
|
||||
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
|
||||
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
|
||||
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY ROUTE SETTOS
|
||||
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
|
||||
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
|
||||
%token DIVERTTO DIVERTREPLY
|
||||
%token <v.string> STRING
|
||||
%token <v.number> NUMBER
|
||||
@ -552,7 +554,7 @@ optimizer : string {
|
||||
else if (!strcmp($1, "profile"))
|
||||
$$ = PF_OPTIMIZE_BASIC | PF_OPTIMIZE_PROFILE;
|
||||
else {
|
||||
yyerror("unknown ruleset-optimization %s", $$);
|
||||
yyerror("unknown ruleset-optimization %s", $1);
|
||||
YYERROR;
|
||||
}
|
||||
}
|
||||
@ -670,6 +672,13 @@ option : SET OPTIMIZATION STRING {
|
||||
YYERROR;
|
||||
}
|
||||
}
|
||||
| SET STATEDEFAULTS state_opt_list {
|
||||
if (keep_state_defaults != NULL) {
|
||||
yyerror("cannot redefine state-defaults");
|
||||
YYERROR;
|
||||
}
|
||||
keep_state_defaults = $3;
|
||||
}
|
||||
;
|
||||
|
||||
stringall : STRING { $$ = $1; }
|
||||
@ -1245,6 +1254,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
|
||||
r.action = PF_DROP;
|
||||
r.direction = PF_IN;
|
||||
r.log = $2.log;
|
||||
r.logif = $2.logif;
|
||||
r.quick = $2.quick;
|
||||
r.af = $4;
|
||||
if (rule_label(&r, $5.label))
|
||||
@ -1265,7 +1275,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
|
||||
}
|
||||
;
|
||||
|
||||
antispoof_ifspc : FOR antispoof_if { $$ = $2; }
|
||||
antispoof_ifspc : FOR antispoof_if { $$ = $2; }
|
||||
| FOR '{' optnl antispoof_iflst '}' { $$ = $4; }
|
||||
;
|
||||
|
||||
@ -1277,8 +1287,8 @@ antispoof_iflst : antispoof_if optnl { $$ = $1; }
|
||||
}
|
||||
;
|
||||
|
||||
antispoof_if : if_item { $$ = $1; }
|
||||
| '(' if_item ')' {
|
||||
antispoof_if : if_item { $$ = $1; }
|
||||
| '(' if_item ')' {
|
||||
$2->dynamic = 1;
|
||||
$$ = $2;
|
||||
}
|
||||
@ -1831,6 +1841,7 @@ pfrule : action dir logquick interface route af proto fromto
|
||||
int srctrack = 0;
|
||||
int statelock = 0;
|
||||
int adaptive = 0;
|
||||
int defaults = 0;
|
||||
|
||||
if (check_rulestate(PFCTL_STATE_FILTER))
|
||||
YYERROR;
|
||||
@ -1913,13 +1924,16 @@ pfrule : action dir logquick interface route af proto fromto
|
||||
|
||||
r.tos = $9.tos;
|
||||
r.keep_state = $9.keep.action;
|
||||
o = $9.keep.options;
|
||||
|
||||
/* 'keep state' by default on pass rules. */
|
||||
if (!r.keep_state && !r.action &&
|
||||
!($9.marker & FOM_KEEP))
|
||||
!($9.marker & FOM_KEEP)) {
|
||||
r.keep_state = PF_STATE_NORMAL;
|
||||
o = keep_state_defaults;
|
||||
defaults = 1;
|
||||
}
|
||||
|
||||
o = $9.keep.options;
|
||||
while (o) {
|
||||
struct node_state_opt *p = o;
|
||||
|
||||
@ -2060,6 +2074,15 @@ pfrule : action dir logquick interface route af proto fromto
|
||||
}
|
||||
r.rule_flag |= PFRULE_STATESLOPPY;
|
||||
break;
|
||||
case PF_STATE_OPT_PFLOW:
|
||||
if (r.rule_flag & PFRULE_PFLOW) {
|
||||
yyerror("state pflow "
|
||||
"option: multiple "
|
||||
"definitions");
|
||||
YYERROR;
|
||||
}
|
||||
r.rule_flag |= PFRULE_PFLOW;
|
||||
break;
|
||||
case PF_STATE_OPT_TIMEOUT:
|
||||
if (o->data.timeout.number ==
|
||||
PFTM_ADAPTIVE_START ||
|
||||
@ -2077,7 +2100,8 @@ pfrule : action dir logquick interface route af proto fromto
|
||||
o->data.timeout.seconds;
|
||||
}
|
||||
o = o->next;
|
||||
free(p);
|
||||
if (!defaults)
|
||||
free(p);
|
||||
}
|
||||
|
||||
/* 'flags S/SA' by default on stateful rules */
|
||||
@ -3540,6 +3564,14 @@ state_opt_item : MAXIMUM NUMBER {
|
||||
$$->next = NULL;
|
||||
$$->tail = $$;
|
||||
}
|
||||
| PFLOW {
|
||||
$$ = calloc(1, sizeof(struct node_state_opt));
|
||||
if ($$ == NULL)
|
||||
err(1, "state_opt_item: calloc");
|
||||
$$->type = PF_STATE_OPT_PFLOW;
|
||||
$$->next = NULL;
|
||||
$$->tail = $$;
|
||||
}
|
||||
| STRING NUMBER {
|
||||
int i;
|
||||
|
||||
@ -5255,6 +5287,7 @@ lookup(char *s)
|
||||
{ "out", OUT},
|
||||
{ "overload", OVERLOAD},
|
||||
{ "pass", PASS},
|
||||
{ "pflow", PFLOW},
|
||||
{ "port", PORT},
|
||||
{ "priority", PRIORITY},
|
||||
{ "priq", PRIQ},
|
||||
@ -5289,6 +5322,7 @@ lookup(char *s)
|
||||
{ "source-hash", SOURCEHASH},
|
||||
{ "source-track", SOURCETRACK},
|
||||
{ "state", STATE},
|
||||
{ "state-defaults", STATEDEFAULTS},
|
||||
{ "state-policy", STATEPOLICY},
|
||||
{ "static-port", STATICPORT},
|
||||
{ "sticky-address", STICKYADDRESS},
|
||||
@ -5397,11 +5431,13 @@ findeol(void)
|
||||
int c;
|
||||
|
||||
parsebuf = NULL;
|
||||
pushback_index = 0;
|
||||
|
||||
/* skip to either EOF or the first real EOL */
|
||||
while (1) {
|
||||
c = lgetc(0);
|
||||
if (pushback_index)
|
||||
c = pushback_buffer[--pushback_index];
|
||||
else
|
||||
c = lgetc(0);
|
||||
if (c == '\n') {
|
||||
file->lineno++;
|
||||
break;
|
||||
|
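Review bot: The ownership rule behind `if (!defaults) free(p);` in the pfrule option loop is not written down anywhere: when a pass rule carries no explicit keep-state clause, `o` is pointed at the shared `keep_state_defaults` list, and `defaults = 1` is the only thing that stops that list from being freed by the first rule that inherits it. A comment at the `o = keep_state_defaults;` assignment such as `/* shared list reused by every rule inheriting the defaults; must not be freed per rule */` would make the later guard self-explanatory. The pfrule action starts and ends outside the hunk. Separately, the "cannot redefine state-defaults" error path in the `SET STATEDEFAULTS` action drops `$3` without freeing the `node_state_opt` nodes that `state_opt_item` calloc'd; this is harmless if the parse aborts there, but a `/* $3 leaked: parse aborts on YYERROR */` comment or a free loop would record the intent.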
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pf_print_state.c,v 1.51 2008/06/29 08:42:15 mcbride Exp $ */
|
||||
/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
@ -306,7 +306,7 @@ print_state(struct pfsync_state *s, int opts)
|
||||
printf(" age %.2u:%.2u:%.2u", creation, min, sec);
|
||||
sec = expire % 60;
|
||||
expire /= 60;
|
||||
min = s->expire % 60;
|
||||
min = expire % 60;
|
||||
expire /= 60;
|
||||
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
|
||||
|
||||
@ -325,6 +325,8 @@ print_state(struct pfsync_state *s, int opts)
|
||||
printf(", rule %u", ntohl(s->rule));
|
||||
if (s->state_flags & PFSTATE_SLOPPY)
|
||||
printf(", sloppy");
|
||||
if (s->state_flags & PFSTATE_PFLOW)
|
||||
printf(", pflow");
|
||||
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
|
||||
printf(", source-track");
|
||||
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: pfctl.8,v 1.139 2008/06/11 07:23:36 jmc Exp $
|
||||
.\" $OpenBSD: pfctl.8,v 1.138 2008/06/10 20:55:02 mcbride Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl.c,v 1.277 2008/07/24 10:52:43 henning Exp $ */
|
||||
/* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
@ -230,10 +230,11 @@ usage(void)
|
||||
|
||||
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
|
||||
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
|
||||
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
|
||||
fprintf(stderr, "[-k host | network | label | id]\n");
|
||||
fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
|
||||
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
|
||||
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
|
||||
fprintf(stderr, "\t[-k host | network | label | id] ");
|
||||
fprintf(stderr, "[-o level] [-p device]\n");
|
||||
fprintf(stderr, "\t[-s modifier] ");
|
||||
fprintf(stderr, "[-t table -T command [address ...]] [-x level]\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl.h,v 1.43 2008/05/29 01:00:53 mcbride Exp $ */
|
||||
/* $OpenBSD: pfctl.h,v 1.42 2007/12/05 12:01:47 chl Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_altq.c,v 1.94 2008/07/25 17:43:44 martynas Exp $ */
|
||||
/* $OpenBSD: pfctl_altq.c,v 1.93 2007/10/15 02:16:35 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_optimize.c,v 1.18 2008/05/07 06:23:30 markus Exp $ */
|
||||
/* $OpenBSD: pfctl_optimize.c,v 1.17 2008/05/06 03:45:21 mpf Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_osfp.c,v 1.15 2006/12/13 05:10:15 itojun Exp $ */
|
||||
/* $OpenBSD: pfctl_osfp.c,v 1.14 2006/04/08 02:13:14 ray Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>
|
||||
|
@ -934,6 +934,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
|
||||
printf("sloppy");
|
||||
opts = 0;
|
||||
}
|
||||
if (r->rule_flag & PFRULE_PFLOW) {
|
||||
if (!opts)
|
||||
printf(", ");
|
||||
printf("pflow");
|
||||
opts = 0;
|
||||
}
|
||||
for (i = 0; i < PFTM_MAX; ++i)
|
||||
if (r->timeout[i]) {
|
||||
int j;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_parser.h,v 1.87 2007/10/13 16:35:18 deraadt Exp $ */
|
||||
/* $OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_qstats.c,v 1.31 2007/10/15 02:16:35 deraadt Exp $ */
|
||||
/* $OpenBSD: pfctl_qstats.c,v 1.30 2004/04/27 21:47:32 kjc Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) Henning Brauer <henning@openbsd.org>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_radix.c,v 1.28 2007/12/05 12:01:47 chl Exp $ */
|
||||
/* $OpenBSD: pfctl_radix.c,v 1.27 2005/05/21 21:03:58 henning Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002 Cedric Berger
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pfctl_table.c,v 1.68 2008/06/21 10:34:08 mcbride Exp $ */
|
||||
/* $OpenBSD: pfctl_table.c,v 1.67 2008/06/10 20:55:02 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002 Cedric Berger
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
|
||||
# $OpenBSD: Makefile,v 1.6 2003/11/20 23:23:09 avsm Exp $
|
||||
|
||||
CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
|
||||
LDADD+= -lpcap -lutil
|
||||
|
@ -24,7 +24,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: May 31 2007 $
|
||||
.Dd $Mdocdate: January 14 2008 $
|
||||
.Dt PFLOGD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -95,6 +95,13 @@ or a
|
||||
.Dv SIGALRM
|
||||
is received.
|
||||
.Pp
|
||||
.Nm
|
||||
will also log the pcap statistics for the
|
||||
.Xr pflog 4
|
||||
interface to syslog when a
|
||||
.Dv SIGUSR1
|
||||
is received.
|
||||
.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl D
|
||||
|
@ -58,7 +58,7 @@ int Debug = 0;
|
||||
static int snaplen = DEF_SNAPLEN;
|
||||
static int cur_snaplen = DEF_SNAPLEN;
|
||||
|
||||
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
|
||||
volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
|
||||
|
||||
char *filename = PFLOGD_LOG_FILE;
|
||||
char *interface = PFLOGD_DEFAULT_IF;
|
||||
@ -72,6 +72,7 @@ unsigned int delay = FLUSH_DELAY;
|
||||
char *copy_argv(char * const *);
|
||||
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
|
||||
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
|
||||
void log_pcap_stats(void);
|
||||
int flush_buffer(FILE *);
|
||||
int if_exists(char *);
|
||||
int init_pcap(void);
|
||||
@ -82,6 +83,7 @@ int scan_dump(FILE *, off_t);
|
||||
int set_snaplen(int);
|
||||
void set_suspended(int);
|
||||
void sig_alrm(int);
|
||||
void sig_usr1(int);
|
||||
void sig_close(int);
|
||||
void sig_hup(int);
|
||||
void usage(void);
|
||||
@ -178,6 +180,12 @@ sig_alrm(int sig)
|
||||
gotsig_alrm = 1;
|
||||
}
|
||||
|
||||
void
|
||||
sig_usr1(int sig)
|
||||
{
|
||||
gotsig_usr1 = 1;
|
||||
}
|
||||
|
||||
void
|
||||
set_pcap_filter(void)
|
||||
{
|
||||
@ -550,10 +558,21 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
log_pcap_stats(void)
|
||||
{
|
||||
struct pcap_stat pstat;
|
||||
if (pcap_stats(hpcap, &pstat) < 0)
|
||||
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
|
||||
else
|
||||
logmsg(LOG_NOTICE,
|
||||
"%u packets received, %u/%u dropped (kernel/pflogd)",
|
||||
pstat.ps_recv, pstat.ps_drop, packets_dropped);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
struct pcap_stat pstat;
|
||||
int ch, np, ret, Xflag = 0;
|
||||
pcap_handler phandler = dump_packet;
|
||||
const char *errstr = NULL;
|
||||
@ -648,6 +667,7 @@ main(int argc, char **argv)
|
||||
signal(SIGINT, sig_close);
|
||||
signal(SIGQUIT, sig_close);
|
||||
signal(SIGALRM, sig_alrm);
|
||||
signal(SIGUSR1, sig_usr1);
|
||||
signal(SIGHUP, sig_hup);
|
||||
alarm(delay);
|
||||
|
||||
@ -703,6 +723,11 @@ main(int argc, char **argv)
|
||||
gotsig_alrm = 0;
|
||||
alarm(delay);
|
||||
}
|
||||
|
||||
if (gotsig_usr1) {
|
||||
log_pcap_stats();
|
||||
gotsig_usr1 = 0;
|
||||
}
|
||||
}
|
||||
|
||||
logmsg(LOG_NOTICE, "Exiting");
|
||||
@ -712,13 +737,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
purge_buffer();
|
||||
|
||||
if (pcap_stats(hpcap, &pstat) < 0)
|
||||
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
|
||||
else
|
||||
logmsg(LOG_NOTICE,
|
||||
"%u packets received, %u/%u dropped (kernel/pflogd)",
|
||||
pstat.ps_recv, pstat.ps_drop, packets_dropped);
|
||||
|
||||
log_pcap_stats();
|
||||
pcap_close(hpcap);
|
||||
if (!Debug)
|
||||
closelog();
|
||||
|
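Review bot: The new `gotsig_usr1` block in the main loop clears the flag after calling `log_pcap_stats()`, so a SIGUSR1 that arrives while the stats are being logged is silently dropped; clearing first, `gotsig_usr1 = 0; log_pcap_stats();`, keeps the request. `main` still declares `struct pcap_stat pstat;` although the only use visible in the hunks moved into `log_pcap_stats()`, so with the Makefile's `-Wall` this is likely an unused-variable warning unless it is referenced elsewhere in main. `log_pcap_stats()` reads the globals `hpcap` and `packets_dropped` and calls `pcap_stats()` and `logmsg()`, which are unlikely to be async-signal-safe; a one-line comment `/* called from the main loop only, never from sig_usr1(): logmsg()/pcap_stats() are not async-signal-safe */` would state that contract for the next person who touches the handler. main starts and ends outside the hunks.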
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pflogd.h,v 1.3 2006/01/15 16:38:04 canacar Exp $ */
|
||||
/* $OpenBSD: pflogd.h,v 1.2 2004/01/15 20:15:14 canacar Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Can Erkin Acar
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: privsep.c,v 1.16 2006/10/25 20:55:04 moritz Exp $ */
|
||||
/* $OpenBSD: privsep.c,v 1.15 2006/03/06 10:45:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Can Erkin Acar
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: privsep_fdpass.c,v 1.5 2008/03/24 16:11:08 deraadt Exp $ */
|
||||
/* $OpenBSD: privsep_fdpass.c,v 1.4 2008/03/15 16:19:02 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
|
||||
# $OpenBSD$
|
||||
|
||||
PROG= tftp-proxy
|
||||
SRCS= tftp-proxy.c filter.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
|
||||
/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: filter.h,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
|
||||
/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
|
||||
.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: tftp-proxy.c,v 1.6 2008/04/13 00:22:17 djm Exp $
|
||||
/* $OpenBSD: tftp-proxy.c,v 1.5 2008/03/24 16:11:00 deraadt Exp $
|
||||
*
|
||||
* Copyright (c) 2005 DLS Internet Services
|
||||
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
||||
|