Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-12-16 Thread Bjoern A. Zeeb
On 16. Dec 2011, at 02:58 , Peter Jeremy wrote:

 On 2011-Jun-28 11:57:25 +, Bjoern A. Zeeb b...@freebsd.org wrote:
 Author: bz
 Date: Tue Jun 28 11:57:25 2011
 New Revision: 223637
 URL: http://svn.freebsd.org/changeset/base/223637
 
 Log:
 Update packet filter (pf) code to OpenBSD 4.5.
 
 Further to my mail last Wednesday, I've found nested #ifdef __FreeBSD__
 conditionals in pf_ioctl.c as well - it looks like conditional code was
 added to support network stack virtualisation without noting that the
 code was already protected by a #ifdef __FreeBSD__.

I have run unifdef on the code before but didn't want to do a sweeping
commit before 9.0 was handled.  The virtualization #ifdefs should go anyway
from the middle of the code and be done with the #define so that Open could
easily pick it up if we'd be at the same level.

Expect that this will be dealt with eventually.

-- 
Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.

___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org


Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-12-15 Thread Peter Jeremy
On 2011-Jun-28 11:57:25 +, Bjoern A. Zeeb b...@freebsd.org wrote:
Author: bz
Date: Tue Jun 28 11:57:25 2011
New Revision: 223637
URL: http://svn.freebsd.org/changeset/base/223637

Log:
  Update packet filter (pf) code to OpenBSD 4.5.

Further to my mail last Wednesday, I've found nested #ifdef __FreeBSD__
conditionals in pf_ioctl.c as well - it looks like conditional code was
added to support network stack virtualisation without noting that the
code was already protected by a #ifdef __FreeBSD__.

And cross-checking the $OpenBSD$ tags in the FreeBSD repo against the
OpenBSD CVSweb throws up consistent off-by-one errors - as an example,
src/sys/contrib/pf/net/if_pfsync.h in FreeBSD 9.0 states
$OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
but the actual content matches if_pfsync.h v1.36 in OpenBSD CVSweb.
Is it possible that the pf code was checked out of an OpenBSD repo
without the correct $OpenBSD$ tag expansion?

This caused me a degree of confusion whilst trying to correlate the
FreeBSD code with the OpenBSD code to try and update bin/124825

-- 
Peter Jeremy




Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-12-15 Thread Gleb Smirnoff
  Peter,

On Fri, Dec 16, 2011 at 01:58:51PM +1100, Peter Jeremy wrote:
P On 2011-Jun-28 11:57:25 +, Bjoern A. Zeeb b...@freebsd.org wrote:
P Author: bz
P Date: Tue Jun 28 11:57:25 2011
P New Revision: 223637
P URL: http://svn.freebsd.org/changeset/base/223637
P 
P Log:
P   Update packet filter (pf) code to OpenBSD 4.5.
P 
P Further to my mail last Wednesday, I've found nested #ifdef __FreeBSD__
P conditionals in pf_ioctl.c as well - it looks like conditional code was
P added to support network stack virtualisation without noting that the
P code was already protected by a #ifdef __FreeBSD__.
P 
P And cross-checking the $OpenBSD$ tags in the FreeBSD repo against the
P OpenBSD CVSweb throws up consistent off-by-one errors - as an example,
P src/sys/contrib/pf/net/if_pfsync.h in FreeBSD 9.0 states
P $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
P but the actual content matches if_pfsync.h v1.36 in OpenBSD CVSweb.
P Is it possible that the pf code was checked out of an OpenBSD repo
P without the correct $OpenBSD$ tag expansion?
P 
P This caused me a degree of confusion whilst trying to correlate the
P FreeBSD code with the OpenBSD code to try and update bin/124825

  Particular changes were picked from OpenBSD after the r223637, to
make pfsync(4) function properly. For example:

http://svnweb.freebsd.org/base?view=revision&revision=226663

-- 
Totus tuus, Glebius.


Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules

2011-12-13 Thread Peter Jeremy
On 2011-Jun-28 11:57:25 +, Bjoern A. Zeeb b...@freebsd.org wrote:
Author: bz
Date: Tue Jun 28 11:57:25 2011
New Revision: 223637
URL: http://svn.freebsd.org/changeset/base/223637

Log:
  Update packet filter (pf) code to OpenBSD 4.5.

This is very belated but I've just found the following preprocessor
conditionals in sys/contrib/pf/net/pfvar.h as a result of this
commit (covering lines 214..282):
#ifdef __FreeBSD__
...
#ifdef __FreeBSD__
...
#else
...
#endif /* __FreeBSD__ */
...
#endif /* __FreeBSD__ */

Was there a mismerge here?

-- 
Peter Jeremy
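
The pattern reported in this message, checked mechanically (an added example, not part of the original thread or of FreeBSD's tooling): a `#ifdef M` nested inside a region where `M` is already known to be defined is always true, so its `#else` branch can never be compiled. `SAMPLE` is a constructed header mirroring the skeleton quoted above, and `find_redundant_ifdefs` is a hypothetical helper name.

```python
import re

DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(\w*)")

# Constructed sample mirroring the skeleton quoted in the message (not pfvar.h).
SAMPLE = """\
#ifdef __FreeBSD__
#define PF_EXAMPLE_A 1
#ifdef __FreeBSD__
#define PF_EXAMPLE_B 1
#else
#define PF_EXAMPLE_B 0
#endif /* __FreeBSD__ */
#endif /* __FreeBSD__ */
"""

def find_redundant_ifdefs(source):
    """Report each '#ifdef M' nested where M is already known to be defined."""
    stack, findings = [], []
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = DIRECTIVE.match(text)
        if not m:
            continue
        kind, macro = m.groups()
        if kind in ("ifdef", "ifndef", "if"):
            frame = {"line": lineno, "macro": None, "defined": None, "finding": None}
            if kind != "if":                 # '#if <expr>' is treated as opaque
                frame["macro"], frame["defined"] = macro, kind == "ifdef"
            if kind == "ifdef":
                outer = next((f for f in reversed(stack)
                              if f["macro"] == macro and f["defined"]), None)
                if outer:                    # M is already defined at this point
                    frame["finding"] = {"line": lineno, "macro": macro,
                                        "enclosed_by": outer["line"], "dead_else": None}
                    findings.append(frame["finding"])
            stack.append(frame)
        elif kind == "elif" and stack:
            stack[-1]["macro"] = None        # branch no longer tied to one macro
        elif kind == "else" and stack:
            top = stack[-1]
            if top["defined"] is not None:   # '#else' flips what is known about M
                top["defined"] = not top["defined"]
            if top["finding"]:
                top["finding"]["dead_else"] = lineno
        elif kind == "endif" and stack:
            stack.pop()
    return findings
```

Unlike unifdef, which rewrites a file for a chosen set of definitions, this only reports, so it can be run over a vendor import before anything is committed.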




svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

2011-06-28 Thread Bjoern A. Zeeb
Author: bz
Date: Tue Jun 28 11:57:25 2011
New Revision: 223637
URL: http://svn.freebsd.org/changeset/base/223637

Log:
  Update packet filter (pf) code to OpenBSD 4.5.
  
  You need to update userland (world and ports) tools
  to be in sync with the kernel.
  
  Submitted by: mlaier
  Submitted by: eri

Added:
  head/sys/contrib/pf/net/if_pflow.h   (contents, props changed)
  head/sys/contrib/pf/net/pf_lb.c   (contents, props changed)
  head/sys/modules/pfsync/
  head/sys/modules/pfsync/Makefile   (contents, props changed)
Deleted:
  head/sys/contrib/pf/net/pf_subr.c
Modified:
  head/UPDATING
  head/contrib/pf/authpf/authpf.8
  head/contrib/pf/authpf/authpf.c
  head/contrib/pf/authpf/pathnames.h
  head/contrib/pf/ftp-proxy/filter.c
  head/contrib/pf/ftp-proxy/filter.h
  head/contrib/pf/ftp-proxy/ftp-proxy.8
  head/contrib/pf/ftp-proxy/ftp-proxy.c
  head/contrib/pf/man/pf.4
  head/contrib/pf/man/pf.conf.5
  head/contrib/pf/man/pf.os.5
  head/contrib/pf/man/pflog.4
  head/contrib/pf/man/pfsync.4
  head/contrib/pf/pfctl/parse.y
  head/contrib/pf/pfctl/pf_print_state.c
  head/contrib/pf/pfctl/pfctl.8
  head/contrib/pf/pfctl/pfctl.c
  head/contrib/pf/pfctl/pfctl.h
  head/contrib/pf/pfctl/pfctl_altq.c
  head/contrib/pf/pfctl/pfctl_optimize.c
  head/contrib/pf/pfctl/pfctl_osfp.c
  head/contrib/pf/pfctl/pfctl_parser.c
  head/contrib/pf/pfctl/pfctl_parser.h
  head/contrib/pf/pfctl/pfctl_qstats.c
  head/contrib/pf/pfctl/pfctl_radix.c
  head/contrib/pf/pfctl/pfctl_table.c
  head/contrib/pf/pflogd/pflogd.8
  head/contrib/pf/pflogd/pflogd.c
  head/contrib/pf/pflogd/privsep.c
  head/contrib/pf/pflogd/privsep_fdpass.c
  head/sbin/pflogd/Makefile
  head/sys/conf/files
  head/sys/contrib/altq/altq/altq_red.c
  head/sys/contrib/pf/net/if_pflog.c
  head/sys/contrib/pf/net/if_pflog.h
  head/sys/contrib/pf/net/if_pfsync.c
  head/sys/contrib/pf/net/if_pfsync.h
  head/sys/contrib/pf/net/pf.c
  head/sys/contrib/pf/net/pf_if.c
  head/sys/contrib/pf/net/pf_ioctl.c
  head/sys/contrib/pf/net/pf_mtag.h
  head/sys/contrib/pf/net/pf_norm.c
  head/sys/contrib/pf/net/pf_osfp.c
  head/sys/contrib/pf/net/pf_ruleset.c
  head/sys/contrib/pf/net/pf_table.c
  head/sys/contrib/pf/net/pfvar.h
  head/sys/modules/Makefile
  head/sys/modules/pf/Makefile
  head/sys/modules/pflog/Makefile
  head/sys/netinet/in_gif.c
  head/sys/netinet/ip_icmp.c
  head/sys/netinet/ipfw/ip_fw2.c
  head/sys/netinet/raw_ip.c
  head/sys/netinet6/icmp6.c
  head/sys/netinet6/in6_gif.c
  head/sys/netipsec/ipsec_input.c
  head/sys/netipsec/ipsec_output.c
  head/sys/netipsec/xform_ipip.c
  head/sys/sys/mbuf.h
  head/sys/sys/param.h
  head/usr.sbin/ftp-proxy/ftp-proxy/Makefile

Modified: head/UPDATING
==
--- head/UPDATING   Tue Jun 28 11:03:39 2011(r223636)
+++ head/UPDATING   Tue Jun 28 11:57:25 2011(r223637)
@@ -22,6 +22,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.
machines to maximize performance.  (To disable malloc debugging, run
ln -s aj /etc/malloc.conf.)
 
+20110628:
+   The packet filter (pf) code has been updated to OpenBSD 4.5.
+   You need to update userland tools to be in sync with kernel.
+
 20110608:
The following sysctls and tunables are retired on x86 platforms:
machdep.hlt_cpus
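
Review bot: The new 20110628 entry says only "update userland tools", while the commit log spells this out as "userland (world and ports) tools". Suggest carrying the ports mention into the UPDATING text, since UPDATING is what people read when upgrading and the log message is not.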

Modified: head/contrib/pf/authpf/authpf.8
==
--- head/contrib/pf/authpf/authpf.8 Tue Jun 28 11:03:39 2011
(r223636)
+++ head/contrib/pf/authpf/authpf.8 Tue Jun 28 11:57:25 2011
(r223637)
@@ -1,5 +1,5 @@
 .\ $FreeBSD$
-.\ $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
+.\ $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $
 .\
 .\ Copyright (c) 1998-2007 Bob Beck (b...@openbsd.org.  All rights reserved.
 .\
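
Review bot: The $OpenBSD$ ident on the second line is the only in-file record of which upstream revision was imported, so it is worth confirming that the merged content really is authpf.8 v 1.47. If the tag was not expanded at checkout time, the string and the body can disagree, and anyone later diffing this file against OpenBSD CVS will start from the wrong revision.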
@@ -15,14 +15,16 @@
 .\ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\
-.Dd March 28, 2006
+.Dd January 6 2009
 .Dt AUTHPF 8
 .Os
 .Sh NAME
-.Nm authpf
+.Nm authpf ,
+.Nm authpf-noip
 .Nd authenticating gateway user shell
 .Sh SYNOPSIS
 .Nm authpf
+.Nm authpf-noip
 .Sh DESCRIPTION
 .Nm
 is a user shell for authenticating gateways.
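
Review bot: The new ".Dd January 6 2009" drops the comma that the replaced line had (".Dd March 28, 2006"). mdoc expects the form "Month day, year", so this should read ".Dd January 6, 2009".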
@@ -31,47 +33,63 @@ It is used to change
 rules when a user authenticates and starts a session with
 .Xr sshd 8
 and to undo these changes when the user's session exits.
-It is designed for changing filter and translation rules for an individual
-source IP address as long as a user maintains an active
-.Xr ssh 1
-session.
 Typical use would be for a gateway that authenticates users before
 allowing them Internet use, or a gateway that allows different users into
 different places.
+Combined with properly set up filter rules and secure switches,
 .Nm
-logs the successful start and end of a session to
-.Xr syslogd 8 .
-This, combined with properly set up filter rules and secure switches,
 can be used