authorMax Laier <mlaier@FreeBSD.org>2009-08-18 16:13:59 +0000
committerMax Laier <mlaier@FreeBSD.org>2009-08-18 16:13:59 +0000
commit739de636d7c95255cef4fc68a2c80cd8af54e502 (patch)
tree5fe04cbe5c5d58503b8de083ec567a80fad7da80
parent89a3159080a774bd9de50eaf1861a1f0c1657a9f (diff)
eri@ wants to start on porting the latest pf in his user space so we can
finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help with that.
Notes
Notes: svn path=/vendor/pf/dist/; revision=196360 svn path=/vendor/pf/4.5/; revision=196361; tag=vendor/pf/4.5
-rw-r--r--authpf/Makefile2
-rw-r--r--authpf/authpf.88
-rw-r--r--authpf/authpf.c90
-rw-r--r--authpf/pathnames.h2
-rw-r--r--ftp-proxy/Makefile2
-rw-r--r--ftp-proxy/filter.c2
-rw-r--r--ftp-proxy/filter.h2
-rw-r--r--ftp-proxy/ftp-proxy.82
-rw-r--r--ftp-proxy/ftp-proxy.c2
-rw-r--r--libevent/buffer.c16
-rw-r--r--libevent/evbuffer.c8
-rw-r--r--libevent/event-internal.h2
-rw-r--r--libevent/event.c21
-rw-r--r--libevent/event.h17
-rw-r--r--libevent/evsignal.h2
-rw-r--r--libevent/kqueue.c28
-rw-r--r--libevent/log.c14
-rw-r--r--libevent/log.h2
-rw-r--r--libevent/poll.c7
-rw-r--r--libevent/select.c4
-rw-r--r--libevent/signal.c4
-rw-r--r--man/pf.49
-rw-r--r--man/pf.conf.526
-rw-r--r--man/pf.os.52
-rw-r--r--man/pflog.42
-rw-r--r--man/pflow.4113
-rw-r--r--man/pfsync.487
-rw-r--r--pfctl/Makefile2
-rw-r--r--pfctl/parse.y64
-rw-r--r--pfctl/pf_print_state.c6
-rw-r--r--pfctl/pfctl.82
-rw-r--r--pfctl/pfctl.c11
-rw-r--r--pfctl/pfctl.h2
-rw-r--r--pfctl/pfctl_altq.c2
-rw-r--r--pfctl/pfctl_optimize.c2
-rw-r--r--pfctl/pfctl_osfp.c2
-rw-r--r--pfctl/pfctl_parser.c6
-rw-r--r--pfctl/pfctl_parser.h2
-rw-r--r--pfctl/pfctl_qstats.c2
-rw-r--r--pfctl/pfctl_radix.c2
-rw-r--r--pfctl/pfctl_table.c2
-rw-r--r--pflogd/Makefile2
-rw-r--r--pflogd/pflogd.89
-rw-r--r--pflogd/pflogd.c37
-rw-r--r--pflogd/pflogd.h2
-rw-r--r--pflogd/privsep.c2
-rw-r--r--pflogd/privsep_fdpass.c2
-rw-r--r--tftp-proxy/Makefile2
-rw-r--r--tftp-proxy/filter.c2
-rw-r--r--tftp-proxy/filter.h2
-rw-r--r--tftp-proxy/tftp-proxy.82
-rw-r--r--tftp-proxy/tftp-proxy.c2
52 files changed, 447 insertions, 200 deletions
diff --git a/authpf/Makefile b/authpf/Makefile
index 100001a0a744..b0d26a6d3df8 100644
--- a/authpf/Makefile
+++ b/authpf/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
+# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
PROG= authpf
MAN= authpf.8
diff --git a/authpf/authpf.8 b/authpf/authpf.8
index 6b6afa4616c3..4b6f13be4180 100644
--- a/authpf/authpf.8
+++ b/authpf/authpf.8
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 14 2008 $
+.Dd $Mdocdate: March 18 2008 $
.Dt AUTHPF 8
.Os
.Sh NAME
@@ -202,6 +202,9 @@ It is also possible to configure
to only allow specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
+A group of users can also be indicated by prepending "%" to the group name,
+and all members of a login class can be indicated by prepending "@" to the
+login class name.
If "*" is found on a line, then all usernames match.
If
.Nm
@@ -314,7 +317,8 @@ They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
-which lists their login ids, one per line.
+which lists their login ids, group prepended with "%", or login class
+prepended with "@", one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.
diff --git a/authpf/authpf.c b/authpf/authpf.c
index 1416b0db917f..208de3ac5b65 100644
--- a/authpf/authpf.c
+++ b/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -32,6 +32,7 @@
#include <errno.h>
#include <login_cap.h>
#include <pwd.h>
+#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@@ -43,7 +44,7 @@
static int read_config(FILE *);
static void print_message(char *);
-static int allowed_luser(char *);
+static int allowed_luser(struct passwd *);
static int check_luser(char *, char *);
static int remove_stale_rulesets(void);
static int recursive_ruleset_purge(char *, char *);
@@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
+int pidfd = -1;
char luser[MAXLOGNAME]; /* username */
char ipsrc[256]; /* ip as a string */
char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@@ -78,7 +80,7 @@ extern char *__progname; /* program name */
int
main(int argc, char *argv[])
{
- int lockcnt = 0, n, pidfd;
+ int lockcnt = 0, n;
FILE *config;
struct in6_addr ina;
struct passwd *pw;
@@ -93,7 +95,7 @@ main(int argc, char *argv[])
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
- syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
+ syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
exit(1);
}
@@ -186,6 +188,14 @@ main(int argc, char *argv[])
goto die;
}
+ signal(SIGTERM, need_death);
+ signal(SIGINT, need_death);
+ signal(SIGALRM, need_death);
+ signal(SIGPIPE, need_death);
+ signal(SIGHUP, need_death);
+ signal(SIGQUIT, need_death);
+ signal(SIGTSTP, need_death);
+
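Review bot: The seven signal() calls are moved ahead of the takeover loop without a comment explaining the ordering; the `want_death` test added to that loop further down only works because need_death() is now installed before the first sleep(1), so a reader who moves these back would silently reintroduce an uninterruptible wait. Suggested comment above the block: `/* install handlers before the takeover loop so a disconnect during the wait still runs cleanup */`. Whether need_death() only sets want_death (and so is async-signal-safe) is not visible in this diff; confirm it does no syslog/stdio from handler context. main() starts and ends outside the hunk.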
/*
* If someone else is already using this ip, then this person
* wants to switch users - so kill the old process and exit
@@ -239,15 +249,17 @@ main(int argc, char *argv[])
}
/*
- * we try to kill the previous process and acquire the lock
+ * We try to kill the previous process and acquire the lock
* for 10 seconds, trying once a second. if we can't after
- * 10 attempts we log an error and give up
+ * 10 attempts we log an error and give up.
*/
- if (++lockcnt > 10) {
- syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
- otherpid);
+ if (want_death || ++lockcnt > 10) {
+ if (!want_death)
+ syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
+ otherpid);
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
goto dogdeath;
}
sleep(1);
@@ -258,6 +270,7 @@ main(int argc, char *argv[])
*/
fclose(pidfp);
pidfp = NULL;
+ pidfd = -1;
} while (1);
/* whack the group list */
@@ -275,7 +288,7 @@ main(int argc, char *argv[])
}
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
syslog(LOG_INFO, "user %s prohibited", luser);
do_death(0);
}
@@ -306,13 +319,6 @@ main(int argc, char *argv[])
do_death(0);
}
- signal(SIGTERM, need_death);
- signal(SIGINT, need_death);
- signal(SIGALRM, need_death);
- signal(SIGPIPE, need_death);
- signal(SIGHUP, need_death);
- signal(SIGQUIT, need_death);
- signal(SIGTSTP, need_death);
while (1) {
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@@ -434,6 +440,7 @@ print_message(char *filename)
* allowed_luser checks to see if user "luser" is allowed to
* use this gateway by virtue of being listed in an allowed
* users file, namely /etc/authpf/authpf.allow .
+ * Users may be listed by <username>, %<group>, or @<login_class>.
*
* If /etc/authpf/authpf.allow does not exist, then we assume that
* all users who are allowed in by sshd(8) are permitted to
@@ -442,7 +449,7 @@ print_message(char *filename)
* the session terminates in the same manner as being banned.
*/
static int
-allowed_luser(char *luser)
+allowed_luser(struct passwd *pw)
{
char *buf, *lbuf;
int matched;
@@ -474,8 +481,14 @@ allowed_luser(char *luser)
* "public" gateway, such as it is, so let
* everyone use it.
*/
+ int gl_init = 0, ngroups = NGROUPS + 1;
+ gid_t groups[NGROUPS + 1];
+
lbuf = NULL;
+ matched = 0;
+
while ((buf = fgetln(f, &len))) {
+
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
else {
@@ -486,7 +499,40 @@ allowed_luser(char *luser)
buf = lbuf;
}
- matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
+ if (buf[0] == '@') {
+ /* check login class */
+ if (strcmp(pw->pw_class, buf + 1) == 0)
+ matched++;
+ } else if (buf[0] == '%') {
+ /* check group membership */
+ int cnt;
+ struct group *group;
+
+ if ((group = getgrnam(buf + 1)) == NULL) {
+ syslog(LOG_ERR,
+ "invalid group '%s' in %s (%s)",
+ buf + 1, PATH_ALLOWFILE,
+ strerror(errno));
+ return (0);
+ }
+
+ if (!gl_init) {
+ (void) getgrouplist(pw->pw_name,
+ pw->pw_gid, groups, &ngroups);
+ gl_init++;
+ }
+
+ for ( cnt = 0; cnt < ngroups; cnt++) {
+ if (group->gr_gid == groups[cnt]) {
+ matched++;
+ break;
+ }
+ }
+ } else {
+ /* check username and wildcard */
+ matched = strcmp(pw->pw_name, buf) == 0 ||
+ strcmp("*", buf) == 0;
+ }
if (lbuf != NULL) {
free(lbuf);
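Review bot: A line consisting of just `@` in authpf.allow matches every account whose pw_class is the empty string, because `strcmp(pw->pw_class, buf + 1) == 0` then compares against ""; if, as I recall, an empty class field is the usual default in master.passwd, a stray `@` opens the gateway to everyone, whereas a bare `%` fails closed because getgrnam("") returns NULL. Reject empty names in both branches: `if (buf[1] == '\0') { syslog(LOG_ERR, "empty group/class name in %s", PATH_ALLOWFILE); return (0); }`. The `(void) getgrouplist(...)` discards the -1 that signals the list was truncated at NGROUPS + 1, so a user in many groups can be denied with nothing in the log explaining why; check the return value and syslog it. The early `return (0)` on an unknown group also leaves `lbuf` unfreed and, presumably, the allow file still open, and `strerror(errno)` is not meaningful for a getgrnam miss since errno is not reliably set on not-found. allowed_luser() continues past the hunk.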
@@ -494,10 +540,10 @@ allowed_luser(char *luser)
}
if (matched)
- return (1); /* matched an allowed username */
+ return (1); /* matched an allowed user/group */
}
syslog(LOG_INFO, "denied access to %s: not listed in %s",
- luser, PATH_ALLOWFILE);
+ pw->pw_name, PATH_ALLOWFILE);
/* reuse buf */
buf = "\n\nSorry, you are not allowed to use this facility!\n";
@@ -878,7 +924,7 @@ do_death(int active)
authpf_kill_states();
}
}
- if (pidfile[0] && (pidfp != NULL))
+ if (pidfile[0] && pidfd != -1)
if (unlink(pidfile) == -1)
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
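Review bot: The unlink guard now keys on the global `pidfd` rather than `pidfp`, but nothing says why; from the takeover loop earlier in main(), `pidfd = -1` is reset together with `pidfp = NULL` before `goto dogdeath`, so the apparent intent is that a process which gave up on (or was signalled during) the takeover does not unlink the pidfile now owned by the other authpf. Suggested comment above the test: `/* pidfd is -1 once we released or lost the pidfile; never unlink another authpf's file */`. Where pidfd is assigned a live descriptor is outside this diff, so confirm every open path sets it, otherwise the file is never unlinked at all. do_death() starts outside the hunk.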
diff --git a/authpf/pathnames.h b/authpf/pathnames.h
index e02cf77c9fe6..494b6ecab95f 100644
--- a/authpf/pathnames.h
+++ b/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
diff --git a/ftp-proxy/Makefile b/ftp-proxy/Makefile
index 9541b955e7f8..2c9e912bc10e 100644
--- a/ftp-proxy/Makefile
+++ b/ftp-proxy/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+# $OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $
PROG= ftp-proxy
SRCS= ftp-proxy.c filter.c
diff --git a/ftp-proxy/filter.c b/ftp-proxy/filter.c
index 80625a6fd9c8..05f3965c9ed0 100644
--- a/ftp-proxy/filter.c
+++ b/ftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
diff --git a/ftp-proxy/filter.h b/ftp-proxy/filter.h
index 150bc49d3ce6..db33c574a0f2 100644
--- a/ftp-proxy/filter.h
+++ b/ftp-proxy/filter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
+/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
diff --git a/ftp-proxy/ftp-proxy.8 b/ftp-proxy/ftp-proxy.8
index 30a75415c18f..a11296134657 100644
--- a/ftp-proxy/ftp-proxy.8
+++ b/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
diff --git a/ftp-proxy/ftp-proxy.c b/ftp-proxy/ftp-proxy.c
index 131991a4bb8e..d0ac687e98e0 100644
--- a/ftp-proxy/ftp-proxy.c
+++ b/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
diff --git a/libevent/buffer.c b/libevent/buffer.c
index 0327eb549383..e01a5749d807 100644
--- a/libevent/buffer.c
+++ b/libevent/buffer.c
@@ -1,3 +1,5 @@
+/* $OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2002, 2003 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -62,7 +64,7 @@ struct evbuffer *
evbuffer_new(void)
{
struct evbuffer *buffer;
-
+
buffer = calloc(1, sizeof(struct evbuffer));
return (buffer);
@@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer)
free(buffer);
}
-/*
+/*
* This is a destructive add. The data from one buffer moves into
* the other buffer.
*/
@@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *outbuf, struct evbuffer *inbuf)
SWAP(outbuf, inbuf);
SWAP(inbuf, &tmp);
- /*
+ /*
* Optimization comes with a price; we need to notify the
* buffer if necessary of the changes. oldoff is the amount
- * of data that we transfered from inbuf to outbuf
+ * of data that we transferred from inbuf to outbuf
*/
if (inbuf->off != oldoff && inbuf->cb != NULL)
(*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg);
if (oldoff && outbuf->cb != NULL)
(*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg);
-
+
return (0);
}
@@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, void *data, size_t datlen)
memcpy(data, buf->buffer, nread);
evbuffer_drain(buf, nread);
-
+
return (nread);
}
@@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int fd, int howmuch)
if (n < EVBUFFER_MAX_READ)
n = EVBUFFER_MAX_READ;
}
-#endif
+#endif
if (howmuch < 0 || howmuch > n)
howmuch = n;
diff --git a/libevent/evbuffer.c b/libevent/evbuffer.c
index 52712bce5856..494e45f63e84 100644
--- a/libevent/evbuffer.c
+++ b/libevent/evbuffer.c
@@ -1,3 +1,5 @@
+/* $OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2002-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int timeout)
return (event_add(ev, ptv));
}
-/*
+/*
* This callback is executed when the size of the input buffer changes.
* We use it to apply back pressure on the reading side.
*/
@@ -73,7 +75,7 @@ void
bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now,
void *arg) {
struct bufferevent *bufev = arg;
- /*
+ /*
* If we are below the watermark then reschedule reading if it's
* still enabled.
*/
@@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *bufev)
*/
int
-bufferevent_write(struct bufferevent *bufev, void *data, size_t size)
+bufferevent_write(struct bufferevent *bufev, const void *data, size_t size)
{
int res;
diff --git a/libevent/event-internal.h b/libevent/event-internal.h
index 7fd4b6c690f3..a6dbe9b1445d 100644
--- a/libevent/event-internal.h
+++ b/libevent/event-internal.h
@@ -1,3 +1,5 @@
+/* $OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
diff --git a/libevent/event.c b/libevent/event.c
index 15bf14cf3b48..9362e4eca5e3 100644
--- a/libevent/event.c
+++ b/libevent/event.c
@@ -1,3 +1,5 @@
+/* $OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -38,7 +40,7 @@
#include <sys/tree.h>
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
-#else
+#else
#include <sys/_time.h>
#endif
#include <sys/queue.h>
@@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeout_node, compare);
RB_GENERATE(event_tree, event, ev_timeout_node, compare);
-void *
+struct event_base *
event_init(void)
{
int i;
@@ -194,13 +196,13 @@ event_init(void)
detect_monotonic();
gettime(&base->event_tv);
-
+
RB_INIT(&base->timetree);
TAILQ_INIT(&base->eventqueue);
TAILQ_INIT(&base->sig.signalqueue);
base->sig.ev_signal_pair[0] = -1;
base->sig.ev_signal_pair[1] = -1;
-
+
base->evbase = NULL;
for (i = 0; eventops[i] && !base->evbase; i++) {
base->evsel = eventops[i];
@@ -321,7 +323,7 @@ event_process_active(struct event_base *base)
for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) {
event_queue_remove(base, ev, EVLIST_ACTIVE);
-
+
/* Allows deletes to work */
ncalls = ev->ev_ncalls;
ev->ev_pncalls = &ncalls;
@@ -430,7 +432,7 @@ event_base_loop(struct event_base *base, int flags)
*/
timerclear(&tv);
}
-
+
/* If we have no events, we just exit */
if (!event_haveevents(base)) {
event_debug(("%s: no events registered.", __func__));
@@ -439,7 +441,6 @@ event_base_loop(struct event_base *base, int flags)
res = evsel->dispatch(base, evbase, tv_p);
-
if (res == -1)
return (-1);
@@ -652,7 +653,7 @@ event_add(struct event *ev, struct timeval *tv)
/* Abort loop */
*ev->ev_pncalls = 0;
}
-
+
event_queue_remove(base, ev, EVLIST_ACTIVE);
}
@@ -913,10 +914,10 @@ event_queue_insert(struct event_base *base, struct event *ev, int queue)
const char *
event_get_version(void)
{
- return (VERSION);
+ return (LIBEVENT_VERSION);
}
-/*
+/*
* No thread-safe interface needed - the information should be the same
* for all threads.
*/
diff --git a/libevent/event.h b/libevent/event.h
index 4c39939cc501..eb16e9044e2d 100644
--- a/libevent/event.h
+++ b/libevent/event.h
@@ -1,3 +1,5 @@
+/* $OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -43,6 +45,8 @@ typedef unsigned char u_char;
typedef unsigned short u_short;
#endif
+#define LIBEVENT_VERSION "1.3e"
+
#define EVLIST_TIMEOUT 0x01
#define EVLIST_INSERTED 0x02
#define EVLIST_SIGNAL 0x04
@@ -141,7 +145,7 @@ struct eventop {
void (*dealloc)(struct event_base *, void *);
};
-void *event_init(void);
+struct event_base *event_init(void);
int event_dispatch(void);
int event_base_dispatch(struct event_base *);
void event_base_free(struct event_base *);
@@ -169,12 +173,6 @@ int event_base_loopexit(struct event_base *, struct timeval *);
#define evtimer_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
#define evtimer_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
-#define timeout_add(ev, tv) event_add(ev, tv)
-#define timeout_set(ev, cb, arg) event_set(ev, -1, 0, cb, arg)
-#define timeout_del(ev) event_del(ev)
-#define timeout_pending(ev, tv) event_pending(ev, EV_TIMEOUT, tv)
-#define timeout_initialized(ev) ((ev)->ev_flags & EVLIST_INIT)
-
#define signal_add(ev, tv) event_add(ev, tv)
#define signal_set(ev, x, cb, arg) \
event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg)
@@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int fd,
int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev);
int bufferevent_priority_set(struct bufferevent *bufev, int pri);
void bufferevent_free(struct bufferevent *bufev);
-int bufferevent_write(struct bufferevent *bufev, void *data, size_t size);
+int bufferevent_write(struct bufferevent *bufev,
+ const void *data, size_t size);
int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf);
size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size);
int bufferevent_enable(struct bufferevent *bufev, short event);
@@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int, int);
u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t);
void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t, size_t, void *), void *);
-/*
+/*
* Marshaling tagged data - We assume that all tags are inserted in their
* numeric order - so that unknown tags will always be higher than the
* known ones - and we can just ignore the end of an event buffer.
diff --git a/libevent/evsignal.h b/libevent/evsignal.h
index 7efbcabec896..6db8a0577473 100644
--- a/libevent/evsignal.h
+++ b/libevent/evsignal.h
@@ -1,3 +1,5 @@
+/* $OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $ */
+
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
diff --git a/libevent/kqueue.c b/libevent/kqueue.c
index 059d94a0b4d5..6f865f5006e6 100644
--- a/libevent/kqueue.c
+++ b/libevent/kqueue.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $ */
+/* $OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@@ -97,14 +97,14 @@ kq_init(struct event_base *base)
struct kqop *kqueueop;
/* Disable kqueue when this environment variable is set */
- if (getenv("EVENT_NOKQUEUE"))
+ if (!issetugid() && getenv("EVENT_NOKQUEUE"))
return (NULL);
if (!(kqueueop = calloc(1, sizeof(struct kqop))))
return (NULL);
/* Initalize the kernel queue */
-
+
if ((kq = kqueue()) == -1) {
event_warn("kqueue");
free (kqueueop);
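Review bot: The new `!issetugid()` guard carries no comment, and the reason is worth stating since it is the security-relevant part of this import: a set-id program linked against this libevent could otherwise have its backend chosen by an unprivileged caller's environment. Suggested comment above the check: `/* ignore EVENT_NOKQUEUE in set-id processes: the environment is caller-controlled */`. The same guard is added to poll_init() and select_init() below, so any backend file not in this tree would need it too. issetugid() is BSD-specific; a port to another platform needs its own equivalent rather than dropping the check.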
@@ -114,12 +114,12 @@ kq_init(struct event_base *base)
kqueueop->kq = kq;
/* Initalize fields */
- kqueueop->changes = malloc(NEVENT * sizeof(struct kevent));
+ kqueueop->changes = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->changes == NULL) {
free (kqueueop);
return (NULL);
}
- kqueueop->events = malloc(NEVENT * sizeof(struct kevent));
+ kqueueop->events = calloc(NEVENT, sizeof(struct kevent));
if (kqueueop->events == NULL) {
free (kqueueop->changes);
free (kqueueop);
@@ -131,7 +131,7 @@ kq_init(struct event_base *base)
kqueueop->changes[0].ident = -1;
kqueueop->changes[0].filter = EVFILT_READ;
kqueueop->changes[0].flags = EV_ADD;
- /*
+ /*
* If kqueue works, then kevent will succeed, and it will
* stick an error in events[0]. If kqueue is broken, then
* kevent will fail.
@@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct kevent *kev)
memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent));
event_debug(("%s: fd %d %s%s",
- __func__, kev->ident,
+ __func__, kev->ident,
kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE",
kev->flags == EV_DELETE ? " (del)" : ""));
@@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, void *arg, struct timeval *tv)
int which = 0;
if (events[i].flags & EV_ERROR) {
- /*
+ /*
* Error messages that can happen, when a delete fails.
* EBADF happens when the file discriptor has been
* closed,
@@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev)
if (!(ev->ev_events & EV_PERSIST))
kev.flags |= EV_ONESHOT;
kev.udata = PTR_TO_UDATA(ev);
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = nsignal;
kev.filter = EVFILT_SIGNAL;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_READ;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
@@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev)
kev.ident = ev->ev_fd;
kev.filter = EVFILT_WRITE;
kev.flags = EV_DELETE;
-
+
if (kq_insert(kqop, &kev) == -1)
return (-1);
diff --git a/libevent/log.c b/libevent/log.c
index c9275e363fc5..95898bd8c131 100644
--- a/libevent/log.c
+++ b/libevent/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $ */
/*
* log.c
@@ -102,7 +102,7 @@ void
event_err(int eval, const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, errno, fmt, ap);
va_end(ap);
@@ -113,7 +113,7 @@ void
event_warn(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, errno, fmt, ap);
va_end(ap);
@@ -123,7 +123,7 @@ void
event_errx(int eval, const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_ERR, -1, fmt, ap);
va_end(ap);
@@ -134,7 +134,7 @@ void
event_warnx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_WARN, -1, fmt, ap);
va_end(ap);
@@ -144,7 +144,7 @@ void
event_msgx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_MSG, -1, fmt, ap);
va_end(ap);
@@ -154,7 +154,7 @@ void
_event_debugx(const char *fmt, ...)
{
va_list ap;
-
+
va_start(ap, fmt);
_warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap);
va_end(ap);
diff --git a/libevent/log.h b/libevent/log.h
index 1f843cf984e0..9acc219d1814 100644
--- a/libevent/log.h
+++ b/libevent/log.h
@@ -1,3 +1,5 @@
+/* $OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $ */
+
/*
* Copyright (c) 2000-2004 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
diff --git a/libevent/poll.c b/libevent/poll.c
index 123d36a56023..b2565c293b5f 100644
--- a/libevent/poll.c
+++ b/libevent/poll.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $ */
/*
* Copyright 2000-2003 Niels Provos <provos@citi.umich.edu>
@@ -89,7 +89,7 @@ poll_init(struct event_base *base)
struct pollop *pollop;
/* Disable poll when this environment variable is set */
- if (getenv("EVENT_NOPOLL"))
+ if (!issetugid() && getenv("EVENT_NOPOLL"))
return (NULL);
if (!(pollop = calloc(1, sizeof(struct pollop))))
@@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, void *arg, struct timeval *tv)
for (i = 0; i < nfds; i++) {
int what = pop->event_set[i].revents;
struct event *r_ev = NULL, *w_ev = NULL;
+
if (!what)
continue;
@@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev)
--pop->nfds;
if (i != pop->nfds) {
- /*
+ /*
* Shift the last pollfd down into the now-unoccupied
* position.
*/
diff --git a/libevent/select.c b/libevent/select.c
index d645f1a37030..2cc54ce8aef8 100644
--- a/libevent/select.c
+++ b/libevent/select.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@@ -96,7 +96,7 @@ select_init(struct event_base *base)
struct selectop *sop;
/* Disable select when this environment variable is set */
- if (getenv("EVENT_NOSELECT"))
+ if (!issetugid() && getenv("EVENT_NOSELECT"))
return (NULL);
if (!(sop = calloc(1, sizeof(struct selectop))))
diff --git a/libevent/signal.c b/libevent/signal.c
index 6c0953d9e121..2364821848f7 100644
--- a/libevent/signal.c
+++ b/libevent/signal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $ */
+/* $OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $ */
/*
* Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *arg)
void
evsignal_init(struct event_base *base)
{
- /*
+ /*
* Our signal handler is going to write to one end of the socket
* pair to wake up our event loop. The event loop then scans for
* signals that got delivered.
diff --git a/man/pf.4 b/man/pf.4
index ab9ad88f82cc..8acf5e0610b8 100644
--- a/man/pf.4
+++ b/man/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
+.\" $OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: September 4 2008 $
.Dt PF 4
.Os
.Sh NAME
@@ -1050,12 +1050,14 @@ internal interface description.
The filtering process is the same as for
.Dv DIOCIGETIFACES .
.Bd -literal
-#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
+#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
.Ed
.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
Works as
.Dv DIOCSETIFFLAG
above but clears the flags.
+.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
+Explicitly remove source tracking nodes.
.El
.Sh FILES
.Bl -tag -width /dev/pf -compact
@@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
.Xr ioctl 2 ,
.Xr bridge 4 ,
.Xr pflog 4 ,
+.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr pfctl 8 ,
.Xr altq 9
diff --git a/man/pf.conf.5 b/man/pf.conf.5
index 5e49a3c24930..3adc6395f846 100644
--- a/man/pf.conf.5
+++ b/man/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: June 10 2008 $
+.Dd $Mdocdate: October 2 2008 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -517,6 +517,16 @@ For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
+.It Ar set state-defaults
+The
+.Ar state-defaults
+option sets the state options for states created from rules
+without an explicit
+.Ar keep state .
+For example:
+.Bd -literal -offset indent
+set state-defaults pflow, no-sync
+.Ed
.It Ar set hostid
The 32-bit
.Ar hostid
@@ -901,7 +911,7 @@ Defines a list of subqueues to create on an interface.
.El
.Pp
In the following example, the interface dc0
-should queue up to 5 Mbit/s in four second-level queues using
+should queue up to 5Mbps in four second-level queues using
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
@@ -1488,7 +1498,7 @@ Translates to the network(s) attached to the interface.
.It Ar :broadcast
Translates to the interface's broadcast address(es).
.It Ar :peer
-Translates to the point to point interface's peer address(es).
+Translates to the point-to-point interface's peer address(es).
.It Ar :0
Do not include interface aliases.
.El
@@ -2098,6 +2108,10 @@ easier.
This is intended to be used in situations where one does not see all
packets of a connection, e.g. in asymmetric routing situations.
Cannot be used with modulate or synproxy state.
+.It Ar pflow
+States created by this rule are exported on the
+.Xr pflow 4
+interface.
.El
.Pp
Multiple options can be specified, separated by commas:
@@ -2821,6 +2835,7 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
+ [ "state-defaults" state-opts ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ifspec ] |
@@ -2963,7 +2978,7 @@ tos = ( "lowdelay" | "throughput" | "reliability" |
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
-state-opt = ( "max" number | "no-sync" | timeout | sloppy |
+state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
"source-track" [ ( "rule" | "global" ) ] |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
@@ -3026,6 +3041,7 @@ Service name database.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr pf 4 ,
+.Xr pflow 4 ,
.Xr pfsync 4 ,
.Xr route 4 ,
.Xr tcp 4 ,
diff --git a/man/pf.os.5 b/man/pf.os.5
index 7ee63ce52f48..0920f91acfce 100644
--- a/man/pf.os.5
+++ b/man/pf.os.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
+.\" $OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
diff --git a/man/pflog.4 b/man/pflog.4
index 1b42a83f437f..cd5145e978c4 100644
--- a/man/pflog.4
+++ b/man/pflog.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
+.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
diff --git a/man/pflow.4 b/man/pflow.4
new file mode 100644
index 000000000000..9f6dbe331293
--- /dev/null
+++ b/man/pflow.4
@@ -0,0 +1,113 @@
+.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
+.\"
+.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
+.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 28 2008 $
+.Dt PFLOW 4
+.Os
+.Sh NAME
+.Nm pflow
+.Nd kernel interface for pflow data export
+.Sh SYNOPSIS
+.Cd "pseudo-device pflow"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device which exports
+.Nm
+accounting data from the kernel using
+.Xr udp 4
+packets.
+.Nm
+is compatible with netflow v5.
+The data is extracted from the
+.Xr pf 4
+state table.
+.Pp
+Multiple
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig pflow Ns Ar N Ic create
+command.
+Each interface must be configured with a flow receiver IP address and
+port number.
+.Pp
+Only states created by a rule marked with the
+.Ar pflow
+keyword are exported by the
+.Nm
+interface.
+.Pp
+The
+.Nm
+interface will attempt to export multiple
+.Nm
+records in one
+UDP packet, but will not hold a record for longer than 30 seconds.
+The packet size and thus the maximum number of flows is controlled by the
+.Cm mtu
+parameter of
+.Xr ifconfig 8 .
+.Pp
+Each packet seen on this interface has one header and a variable number of
+flows.
+The header indicates the version of the protocol, number of
+flows in the packet, a unique sequence number, system time, and an engine
+ID and type.
+Header and flow structs are defined in
+.Aq Pa net/if_pflow.h .
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface and packets sent out to the flow receiver.
+That is, a packet with 30 flows on
+.Nm
+means that the same 30 flows were sent out to the receiver.
+.Pp
+The
+.Nm
+source and destination addresses are controlled by
+.Xr ifconfig 8 .
+.Cm flowsrc
+is the sender IP address of the UDP packet which can be used
+to identify the source of the data on the
+.Nm
+collector.
+.Cm flowdst
+defines the collector IP address and the port.
+The
+.Cm flowdst
+IP address and port must be defined to enable the export of flows.
+.Pp
+For example, the following command sets 10.0.0.1 as the source
+and 10.0.0.2:1234 as destination:
+.Bd -literal -offset indent
+# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
+.Ed
+.Sh SEE ALSO
+.Xr netintro 4 ,
+.Xr pf 4 ,
+.Xr udp 4 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Ox 4.5 .
diff --git a/man/pfsync.4 b/man/pfsync.4
index d10131457ad8..da64eaa94303 100644
--- a/man/pfsync.4
+++ b/man/pfsync.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfsync.4,v 1.27 2008/06/03 19:51:02 jmc Exp $
+.\" $OpenBSD: pfsync.4,v 1.26 2007/09/20 20:50:07 mpf Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@@ -29,7 +29,7 @@
.Os
.Sh NAME
.Nm pfsync
-.Nd packet filter state table logging interface
+.Nd packet filter state table sychronisation interface
.Sh SYNOPSIS
.Cd "pseudo-device pfsync"
.Sh DESCRIPTION
@@ -45,18 +45,18 @@ on the
interface.
If configured with a physical synchronisation interface,
.Nm
-will also send state changes out on that interface using IP multicast,
+will also send state changes out on that interface,
and insert state changes received on that interface from other systems
into the state table.
.Pp
By default, all local changes to the state table are exposed via
.Nm .
-However, state changes from packets received by
+State changes from packets received by
.Nm
over the network are not rebroadcast.
-States created by a rule marked with the
+Updates to states created by a rule marked with the
.Ar no-sync
-keyword are omitted from the
+keyword are ignored by the
.Nm
interface (see
.Xr pf.conf 5
@@ -64,33 +64,19 @@ for details).
.Pp
The
.Nm
-interface will attempt to collapse multiple updates of the same
-state into one message where possible.
-The maximum number of times this can be done before the update is sent out
-is controlled by the
+interface will attempt to collapse multiple state updates into a single
+packet where possible.
+The maximum number of times a single state can be updated before a
+.Nm
+packet will be sent out is controlled by the
.Ar maxupd
parameter to ifconfig
(see
.Xr ifconfig 8
and the example below for more details).
-.Pp
-Each packet retrieved on this interface has a header associated
-with it of length
-.Dv PFSYNC_HDRLEN .
-The header indicates the version of the protocol, address family,
-action taken on the following states, and the number of state
-table entries attached in this packet.
-This structure is defined in
-.Aq Pa net/if_pfsync.h
-as:
-.Bd -literal -offset indent
-struct pfsync_header {
- u_int8_t version;
- u_int8_t af;
- u_int8_t action;
- u_int8_t count;
-};
-.Ed
+The sending out of a
+.Nm
+packet will be delayed by a maximum of one second.
.Sh NETWORK SYNCHRONISATION
States can be synchronised between two or more firewalls using this
interface, by specifying a synchronisation interface using
@@ -102,14 +88,15 @@ interface:
.Ed
.Pp
By default, state change messages are sent out on the synchronisation
-interface using IP multicast packets.
-The protocol is IP protocol 240, PFSYNC, and the multicast group
-used is 224.0.0.240.
-When a peer address is specified using the
+interface using IP multicast packets to the 244.0.0.240 group address.
+An alternative destination address for
+.Nm
+packets can be specified using the
.Ic syncpeer
-keyword, the peer address is used as a destination for the pfsync traffic,
-and the traffic can then be protected using
-.Xr ipsec 4 .
+keyword.
+This can be used in combination with
+.Xr ipsec 4
+to protect the synchronisation traffic.
In such a configuration, the syncdev should be set to the
.Xr enc 4
interface, as this is where the traffic arrives when it is decapsulated,
@@ -125,27 +112,15 @@ Either run the pfsync protocol on a trusted network \- ideally a network
dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
.Xr ipsec 4 .
-.Pp
-There is a one-to-one correspondence between packets seen by
-.Xr bpf 4
-on the
-.Nm
-interface, and packets sent out on the synchronisation interface, i.e.\&
-a packet with 4 state deletion messages on
-.Nm
-means that the same 4 deletions were sent out on the synchronisation
-interface.
-However, the actual packet contents may differ as the messages
-sent over the network are "compressed" where possible, containing
-only the necessary information.
.Sh EXAMPLES
.Nm
and
.Xr carp 4
can be used together to provide automatic failover of a pair of firewalls
configured in parallel.
-One firewall handles all traffic \- if it dies or
-is shut down, the second firewall takes over automatically.
+One firewall will handle all traffic until it dies, is shut down, or is
+manually demoted, at which point the second firewall will take over
+automatically.
.Pp
Both firewalls in this example have three
.Xr sis 4
@@ -203,8 +178,8 @@ pass quick on { sis2 } proto pfsync keep state (no-sync)
pass on { sis0 sis1 } proto carp keep state (no-sync)
.Ed
.Pp
-If it is preferable that one firewall handle the traffic,
-the
+It is preferable that one firewall handle the forwarding of all the traffic,
+therefore the
.Ar advskew
on the backup firewall's
.Xr carp 4
@@ -243,3 +218,11 @@ The
.Nm
device first appeared in
.Ox 3.3 .
+.Pp
+The
+.Nm
+protocol and kernel implementation were significantly modified between
+.Ox 4.4
+and
+.Ox 4.5 .
+The two protocols are incompatible and will not interoperate.
diff --git a/pfctl/Makefile b/pfctl/Makefile
index df74f88c63f2..b0a24648053a 100644
--- a/pfctl/Makefile
+++ b/pfctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
+# $OpenBSD: Makefile,v 1.18 2006/10/28 14:29:05 mcbride Exp $
PROG= pfctl
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
diff --git a/pfctl/parse.y b/pfctl/parse.y
index 55c3a7553739..e4c47d1ac7fd 100644
--- a/pfctl/parse.y
+++ b/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.549 2008/07/03 16:09:34 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.554 2008/10/17 12:59:53 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -153,7 +153,8 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
- PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };
+ PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY,
+ PF_STATE_OPT_PFLOW };
enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
@@ -293,7 +294,8 @@ struct pool_opts {
} pool_opts;
-struct node_hfsc_opts hfsc_opts;
+struct node_hfsc_opts hfsc_opts;
+struct node_state_opt *keep_state_defaults = NULL;
int disallow_table(struct node_host *, const char *);
int disallow_urpf_failed(struct node_host *, const char *);
@@ -442,8 +444,8 @@ int parseport(char *, struct range *r, int);
%token QUEUE PRIORITY QLIMIT RTABLE
%token LOAD RULESET_OPTIMIZATION
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
-%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
-%token TAGGED TAG IFBOUND FLOATING STATEPOLICY ROUTE SETTOS
+%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
+%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
%token DIVERTTO DIVERTREPLY
%token <v.string> STRING
%token <v.number> NUMBER
@@ -552,7 +554,7 @@ optimizer : string {
else if (!strcmp($1, "profile"))
$$ = PF_OPTIMIZE_BASIC | PF_OPTIMIZE_PROFILE;
else {
- yyerror("unknown ruleset-optimization %s", $$);
+ yyerror("unknown ruleset-optimization %s", $1);
YYERROR;
}
}
@@ -670,6 +672,13 @@ option : SET OPTIMIZATION STRING {
YYERROR;
}
}
+ | SET STATEDEFAULTS state_opt_list {
+ if (keep_state_defaults != NULL) {
+ yyerror("cannot redefine state-defaults");
+ YYERROR;
+ }
+ keep_state_defaults = $3;
+ }
;
stringall : STRING { $$ = $1; }
@@ -1245,6 +1254,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
r.action = PF_DROP;
r.direction = PF_IN;
r.log = $2.log;
+ r.logif = $2.logif;
r.quick = $2.quick;
r.af = $4;
if (rule_label(&r, $5.label))
@@ -1265,7 +1275,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
}
;
-antispoof_ifspc : FOR antispoof_if { $$ = $2; }
+antispoof_ifspc : FOR antispoof_if { $$ = $2; }
| FOR '{' optnl antispoof_iflst '}' { $$ = $4; }
;
@@ -1277,8 +1287,8 @@ antispoof_iflst : antispoof_if optnl { $$ = $1; }
}
;
-antispoof_if : if_item { $$ = $1; }
- | '(' if_item ')' {
+antispoof_if : if_item { $$ = $1; }
+ | '(' if_item ')' {
$2->dynamic = 1;
$$ = $2;
}
@@ -1831,6 +1841,7 @@ pfrule : action dir logquick interface route af proto fromto
int srctrack = 0;
int statelock = 0;
int adaptive = 0;
+ int defaults = 0;
if (check_rulestate(PFCTL_STATE_FILTER))
YYERROR;
@@ -1913,13 +1924,16 @@ pfrule : action dir logquick interface route af proto fromto
r.tos = $9.tos;
r.keep_state = $9.keep.action;
+ o = $9.keep.options;
/* 'keep state' by default on pass rules. */
if (!r.keep_state && !r.action &&
- !($9.marker & FOM_KEEP))
+ !($9.marker & FOM_KEEP)) {
r.keep_state = PF_STATE_NORMAL;
+ o = keep_state_defaults;
+ defaults = 1;
+ }
- o = $9.keep.options;
while (o) {
struct node_state_opt *p = o;
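Review bot: The new `defaults = 1;` local exists only so that the `free(p)` at the `@@ -2077,7 +2100,8 @@` hunk further down skips the shared `keep_state_defaults` list, but neither site says so; a comment at `o = keep_state_defaults;` such as `/* shared default list: walked read-only, must not be freed below */` would tie the two together. The hoisted `o = $9.keep.options;` is overwritten in the defaults branch, which is leak-free only if the grammar never sets `keep.options` without also setting `FOM_KEEP` — that invariant lives outside this hunk and should be stated next to the overwrite. The enclosing `pfrule` action starts and ends outside the hunk.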
@@ -2060,6 +2074,15 @@ pfrule : action dir logquick interface route af proto fromto
}
r.rule_flag |= PFRULE_STATESLOPPY;
break;
+ case PF_STATE_OPT_PFLOW:
+ if (r.rule_flag & PFRULE_PFLOW) {
+ yyerror("state pflow "
+ "option: multiple "
+ "definitions");
+ YYERROR;
+ }
+ r.rule_flag |= PFRULE_PFLOW;
+ break;
case PF_STATE_OPT_TIMEOUT:
if (o->data.timeout.number ==
PFTM_ADAPTIVE_START ||
@@ -2077,7 +2100,8 @@ pfrule : action dir logquick interface route af proto fromto
o->data.timeout.seconds;
}
o = o->next;
- free(p);
+ if (!defaults)
+ free(p);
}
/* 'flags S/SA' by default on stateful rules */
@@ -3540,6 +3564,14 @@ state_opt_item : MAXIMUM NUMBER {
$$->next = NULL;
$$->tail = $$;
}
+ | PFLOW {
+ $$ = calloc(1, sizeof(struct node_state_opt));
+ if ($$ == NULL)
+ err(1, "state_opt_item: calloc");
+ $$->type = PF_STATE_OPT_PFLOW;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
| STRING NUMBER {
int i;
@@ -5255,6 +5287,7 @@ lookup(char *s)
{ "out", OUT},
{ "overload", OVERLOAD},
{ "pass", PASS},
+ { "pflow", PFLOW},
{ "port", PORT},
{ "priority", PRIORITY},
{ "priq", PRIQ},
@@ -5289,6 +5322,7 @@ lookup(char *s)
{ "source-hash", SOURCEHASH},
{ "source-track", SOURCETRACK},
{ "state", STATE},
+ { "state-defaults", STATEDEFAULTS},
{ "state-policy", STATEPOLICY},
{ "static-port", STATICPORT},
{ "sticky-address", STICKYADDRESS},
@@ -5397,11 +5431,13 @@ findeol(void)
int c;
parsebuf = NULL;
- pushback_index = 0;
/* skip to either EOF or the first real EOL */
while (1) {
- c = lgetc(0);
+ if (pushback_index)
+ c = pushback_buffer[--pushback_index];
+ else
+ c = lgetc(0);
if (c == '\n') {
file->lineno++;
break;
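Review bot: The replaced `pushback_index = 0;` used to discard pushed-back characters when skipping to end of line, whereas the new loop consumes them first, so a pushed-back `'\n'` now counts toward `file->lineno` and ends the skip; that behavioural change deserves a comment, e.g. `/* drain lungetc() pushback before reading fresh input so a pushed-back newline is not lost */` above the `if (pushback_index)`. The `pushback_buffer`/`pushback_index` declarations and `lungetc()` are outside this hunk, so whether any other caller still relies on the old reset cannot be checked here. `findeol()` starts before the hunk.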
diff --git a/pfctl/pf_print_state.c b/pfctl/pf_print_state.c
index e95f2b04a063..7996127f8c52 100644
--- a/pfctl/pf_print_state.c
+++ b/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.51 2008/06/29 08:42:15 mcbride Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -306,7 +306,7 @@ print_state(struct pfsync_state *s, int opts)
printf(" age %.2u:%.2u:%.2u", creation, min, sec);
sec = expire % 60;
expire /= 60;
- min = s->expire % 60;
+ min = expire % 60;
expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
@@ -325,6 +325,8 @@ print_state(struct pfsync_state *s, int opts)
printf(", rule %u", ntohl(s->rule));
if (s->state_flags & PFSTATE_SLOPPY)
printf(", sloppy");
+ if (s->state_flags & PFSTATE_PFLOW)
+ printf(", pflow");
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
diff --git a/pfctl/pfctl.8 b/pfctl/pfctl.8
index 9ce34ce41125..f483e65b1487 100644
--- a/pfctl/pfctl.8
+++ b/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.139 2008/06/11 07:23:36 jmc Exp $
+.\" $OpenBSD: pfctl.8,v 1.138 2008/06/10 20:55:02 mcbride Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
diff --git a/pfctl/pfctl.c b/pfctl/pfctl.c
index f01b6a92717f..12dab0c33043 100644
--- a/pfctl/pfctl.c
+++ b/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.277 2008/07/24 10:52:43 henning Exp $ */
+/* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -230,10 +230,11 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
- fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
- fprintf(stderr, "[-k host | network | label | id]\n");
- fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
- fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
+ fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
+ fprintf(stderr, "\t[-k host | network | label | id] ");
+ fprintf(stderr, "[-o level] [-p device]\n");
+ fprintf(stderr, "\t[-s modifier] ");
+ fprintf(stderr, "[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
diff --git a/pfctl/pfctl.h b/pfctl/pfctl.h
index f9db55072dd9..918999cc166f 100644
--- a/pfctl/pfctl.h
+++ b/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.43 2008/05/29 01:00:53 mcbride Exp $ */
+/* $OpenBSD: pfctl.h,v 1.42 2007/12/05 12:01:47 chl Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
diff --git a/pfctl/pfctl_altq.c b/pfctl/pfctl_altq.c
index 0a174e5f46b6..c3cd9bf3ac53 100644
--- a/pfctl/pfctl_altq.c
+++ b/pfctl/pfctl_altq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_altq.c,v 1.94 2008/07/25 17:43:44 martynas Exp $ */
+/* $OpenBSD: pfctl_altq.c,v 1.93 2007/10/15 02:16:35 deraadt Exp $ */
/*
* Copyright (c) 2002
diff --git a/pfctl/pfctl_optimize.c b/pfctl/pfctl_optimize.c
index bbed611d2fe4..08cfcf7295c7 100644
--- a/pfctl/pfctl_optimize.c
+++ b/pfctl/pfctl_optimize.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_optimize.c,v 1.18 2008/05/07 06:23:30 markus Exp $ */
+/* $OpenBSD: pfctl_optimize.c,v 1.17 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
diff --git a/pfctl/pfctl_osfp.c b/pfctl/pfctl_osfp.c
index 7018d6cd3657..df789811ddb5 100644
--- a/pfctl/pfctl_osfp.c
+++ b/pfctl/pfctl_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_osfp.c,v 1.15 2006/12/13 05:10:15 itojun Exp $ */
+/* $OpenBSD: pfctl_osfp.c,v 1.14 2006/04/08 02:13:14 ray Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>
diff --git a/pfctl/pfctl_parser.c b/pfctl/pfctl_parser.c
index 7368dbe7d3c4..a9141840fb8e 100644
--- a/pfctl/pfctl_parser.c
+++ b/pfctl/pfctl_parser.c
@@ -934,6 +934,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
printf("sloppy");
opts = 0;
}
+ if (r->rule_flag & PFRULE_PFLOW) {
+ if (!opts)
+ printf(", ");
+ printf("pflow");
+ opts = 0;
+ }
for (i = 0; i < PFTM_MAX; ++i)
if (r->timeout[i]) {
int j;
diff --git a/pfctl/pfctl_parser.h b/pfctl/pfctl_parser.h
index 97b0325ddc73..8e8f3c3549e9 100644
--- a/pfctl/pfctl_parser.h
+++ b/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.87 2007/10/13 16:35:18 deraadt Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
diff --git a/pfctl/pfctl_qstats.c b/pfctl/pfctl_qstats.c
index ba0c18aef5b3..22f0f6bf2567 100644
--- a/pfctl/pfctl_qstats.c
+++ b/pfctl/pfctl_qstats.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_qstats.c,v 1.31 2007/10/15 02:16:35 deraadt Exp $ */
+/* $OpenBSD: pfctl_qstats.c,v 1.30 2004/04/27 21:47:32 kjc Exp $ */
/*
* Copyright (c) Henning Brauer <henning@openbsd.org>
diff --git a/pfctl/pfctl_radix.c b/pfctl/pfctl_radix.c
index becd0305b836..585c5bd3342c 100644
--- a/pfctl/pfctl_radix.c
+++ b/pfctl/pfctl_radix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_radix.c,v 1.28 2007/12/05 12:01:47 chl Exp $ */
+/* $OpenBSD: pfctl_radix.c,v 1.27 2005/05/21 21:03:58 henning Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
diff --git a/pfctl/pfctl_table.c b/pfctl/pfctl_table.c
index fa4ae6a6e188..a9da9e66d273 100644
--- a/pfctl/pfctl_table.c
+++ b/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.68 2008/06/21 10:34:08 mcbride Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.67 2008/06/10 20:55:02 mcbride Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
diff --git a/pflogd/Makefile b/pflogd/Makefile
index 377cad99635b..e5383e35f6c5 100644
--- a/pflogd/Makefile
+++ b/pflogd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2006/11/26 11:31:08 deraadt Exp $
+# $OpenBSD: Makefile,v 1.6 2003/11/20 23:23:09 avsm Exp $
CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
LDADD+= -lpcap -lutil
diff --git a/pflogd/pflogd.8 b/pflogd/pflogd.8
index e16f866ea85b..783559e0943a 100644
--- a/pflogd/pflogd.8
+++ b/pflogd/pflogd.8
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: January 14 2008 $
.Dt PFLOGD 8
.Os
.Sh NAME
@@ -95,6 +95,13 @@ or a
.Dv SIGALRM
is received.
.Pp
+.Nm
+will also log the pcap statistics for the
+.Xr pflog 4
+interface to syslog when a
+.Dv SIGUSR1
+is received.
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D
diff --git a/pflogd/pflogd.c b/pflogd/pflogd.c
index cd7a273924ae..302635be21f7 100644
--- a/pflogd/pflogd.c
+++ b/pflogd/pflogd.c
@@ -58,7 +58,7 @@ int Debug = 0;
static int snaplen = DEF_SNAPLEN;
static int cur_snaplen = DEF_SNAPLEN;
-volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
+volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
char *filename = PFLOGD_LOG_FILE;
char *interface = PFLOGD_DEFAULT_IF;
@@ -72,6 +72,7 @@ unsigned int delay = FLUSH_DELAY;
char *copy_argv(char * const *);
void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
+void log_pcap_stats(void);
int flush_buffer(FILE *);
int if_exists(char *);
int init_pcap(void);
@@ -82,6 +83,7 @@ int scan_dump(FILE *, off_t);
int set_snaplen(int);
void set_suspended(int);
void sig_alrm(int);
+void sig_usr1(int);
void sig_close(int);
void sig_hup(int);
void usage(void);
@@ -179,6 +181,12 @@ sig_alrm(int sig)
}
void
+sig_usr1(int sig)
+{
+ gotsig_usr1 = 1;
+}
+
+void
set_pcap_filter(void)
{
struct bpf_program bprog;
@@ -550,10 +558,21 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
+void
+log_pcap_stats(void)
+{
+ struct pcap_stat pstat;
+ if (pcap_stats(hpcap, &pstat) < 0)
+ logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
+ else
+ logmsg(LOG_NOTICE,
+ "%u packets received, %u/%u dropped (kernel/pflogd)",
+ pstat.ps_recv, pstat.ps_drop, packets_dropped);
+}
+
int
main(int argc, char **argv)
{
- struct pcap_stat pstat;
int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
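Review bot: `log_pcap_stats()` calls `pcap_stats()` and `logmsg()`, neither of which is safe to call from a signal handler, and the only thing keeping it out of `sig_usr1()` is the flag-polling in `main()`; a header comment such as `/* Log bpf/pcap capture counters via syslog. Not async-signal-safe: call from the main loop only, never from sig_usr1(). */` would keep a future maintainer from shortcutting that. The `%u` conversions rely on `packets_dropped` being an unsigned type; its declaration is outside the hunk, so that should be confirmed against the file's globals.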
@@ -648,6 +667,7 @@ main(int argc, char **argv)
signal(SIGINT, sig_close);
signal(SIGQUIT, sig_close);
signal(SIGALRM, sig_alrm);
+ signal(SIGUSR1, sig_usr1);
signal(SIGHUP, sig_hup);
alarm(delay);
@@ -703,6 +723,11 @@ main(int argc, char **argv)
gotsig_alrm = 0;
alarm(delay);
}
+
+ if (gotsig_usr1) {
+ log_pcap_stats();
+ gotsig_usr1 = 0;
+ }
}
logmsg(LOG_NOTICE, "Exiting");
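Review bot: Clearing `gotsig_usr1` after `log_pcap_stats()` returns leaves a window in which a second SIGUSR1 delivered during the (syslog-bound) call is silently lost; swapping the two lines, `gotsig_usr1 = 0; log_pcap_stats();`, closes it and matches the clear-then-act order the `gotsig_alrm` branch just above uses. The loss is harmless for a statistics dump, so this is a consistency point rather than a bug. The enclosing `main()` loop starts and ends outside the hunk.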
@@ -712,13 +737,7 @@ main(int argc, char **argv)
}
purge_buffer();
- if (pcap_stats(hpcap, &pstat) < 0)
- logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
- else
- logmsg(LOG_NOTICE,
- "%u packets received, %u/%u dropped (kernel/pflogd)",
- pstat.ps_recv, pstat.ps_drop, packets_dropped);
-
+ log_pcap_stats();
pcap_close(hpcap);
if (!Debug)
closelog();
diff --git a/pflogd/pflogd.h b/pflogd/pflogd.h
index 596e69692614..967f44a24afa 100644
--- a/pflogd/pflogd.h
+++ b/pflogd/pflogd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pflogd.h,v 1.3 2006/01/15 16:38:04 canacar Exp $ */
+/* $OpenBSD: pflogd.h,v 1.2 2004/01/15 20:15:14 canacar Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
diff --git a/pflogd/privsep.c b/pflogd/privsep.c
index 1139cb40f96b..bba6b868f725 100644
--- a/pflogd/privsep.c
+++ b/pflogd/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.16 2006/10/25 20:55:04 moritz Exp $ */
+/* $OpenBSD: privsep.c,v 1.15 2006/03/06 10:45:56 djm Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
diff --git a/pflogd/privsep_fdpass.c b/pflogd/privsep_fdpass.c
index 0e6c3c4c1e80..ed56c0b6f4fb 100644
--- a/pflogd/privsep_fdpass.c
+++ b/pflogd/privsep_fdpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep_fdpass.c,v 1.5 2008/03/24 16:11:08 deraadt Exp $ */
+/* $OpenBSD: privsep_fdpass.c,v 1.4 2008/03/15 16:19:02 deraadt Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
diff --git a/tftp-proxy/Makefile b/tftp-proxy/Makefile
index b5f4eefc0899..7f22f10b0d27 100644
--- a/tftp-proxy/Makefile
+++ b/tftp-proxy/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
+# $OpenBSD$
PROG= tftp-proxy
SRCS= tftp-proxy.c filter.c
diff --git a/tftp-proxy/filter.c b/tftp-proxy/filter.c
index 61b3a1756bb1..2e055f529a68 100644
--- a/tftp-proxy/filter.c
+++ b/tftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.2 2007/06/23 15:51:21 jcs Exp $ */
+/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
diff --git a/tftp-proxy/filter.h b/tftp-proxy/filter.h
index 04d43f737cbb..c75d278826d6 100644
--- a/tftp-proxy/filter.h
+++ b/tftp-proxy/filter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.h,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
+/* $OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
diff --git a/tftp-proxy/tftp-proxy.8 b/tftp-proxy/tftp-proxy.8
index 511b641bce38..e03443887114 100644
--- a/tftp-proxy/tftp-proxy.8
+++ b/tftp-proxy/tftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tftp-proxy.8,v 1.2 2007/05/31 19:19:41 jmc Exp $
+.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
diff --git a/tftp-proxy/tftp-proxy.c b/tftp-proxy/tftp-proxy.c
index d2d2875717a6..399143ba93da 100644
--- a/tftp-proxy/tftp-proxy.c
+++ b/tftp-proxy/tftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tftp-proxy.c,v 1.6 2008/04/13 00:22:17 djm Exp $
+/* $OpenBSD: tftp-proxy.c,v 1.5 2008/03/24 16:11:00 deraadt Exp $
*
* Copyright (c) 2005 DLS Internet Services
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>