authorBob Beck <beck@cvs.openbsd.org>2004-04-25 18:40:43 +0000
committerBob Beck <beck@cvs.openbsd.org>2004-04-25 18:40:43 +0000
commitb9b8cbe237104b8529ebf001a6cdf08ead1bf4ba (patch)
treee04b77bf84f561be709f50aeacf39003e650cef8
parent06b3f31be74aaa1319e130b45c47717e7decd1b1 (diff)
Make authpf exec pfctl instead of sucking in code from pfctl
ok cedric@
-rw-r--r--usr.sbin/authpf/Makefile10
-rw-r--r--usr.sbin/authpf/authpf.c304
-rw-r--r--usr.sbin/authpf/pathnames.h3
3 files changed, 70 insertions, 247 deletions
diff --git a/usr.sbin/authpf/Makefile b/usr.sbin/authpf/Makefile
index 0b4cb33192a..f2d43a658b0 100644
--- a/usr.sbin/authpf/Makefile
+++ b/usr.sbin/authpf/Makefile
@@ -1,18 +1,14 @@
-# $OpenBSD: Makefile,v 1.10 2003/11/20 23:23:09 avsm Exp $
+# $OpenBSD: Makefile,v 1.11 2004/04/25 18:40:42 beck Exp $
PROG= authpf
MAN= authpf.8
BINOWN= root
BINGRP= authpf
BINMODE= 6555
-SRCS= authpf.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
-SRCS+= pfctl_radix.c pfctl_osfp.c
-CFLAGS+= -I${.CURDIR}/../../sbin/pfctl -Wall
-.PATH: ${.CURDIR}/../../sbin/pfctl
+SRCS= authpf.c
+CFLAGS+= -Wall
LDADD+= -lm
DPADD+= ${LIBM}
-CLEANFILES+=y.tab.h
-
.include <bsd.prog.mk>
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 2c431cc51ba..018652111cc 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.76 2004/04/09 12:42:06 cedric Exp $ */
+/* $OpenBSD: authpf.c,v 1.77 2004/04/25 18:40:42 beck Exp $ */
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -29,7 +29,9 @@
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <sys/time.h>
+#include <sys/wait.h>
#include <net/if.h>
#include <net/pfvar.h>
@@ -45,9 +47,6 @@
#include <syslog.h>
#include <unistd.h>
-#include <pfctl_parser.h>
-#include <pfctl.h>
-
#include "pathnames.h"
extern int symset(const char *, const char *, int);
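Review bot: The `extern int symset(const char *, const char *, int);` declaration on the hunk's last context line is now dead: its only callers were the `symset("user_ip", …)`/`symset("user_id", …)` calls this commit removes from change_filter, and parse.y, which provided the symbol, is no longer in the Makefile's SRCS. Drop that line together with the two removed includes so authpf.c does not declare a function it no longer links against.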
@@ -592,87 +591,68 @@ remove_stale_rulesets(void)
static int
change_filter(int add, const char *luser, const char *ipsrc)
{
- char fn[MAXPATHLEN];
- FILE *f = NULL;
- struct pfctl pf;
- struct pfr_buffer t;
- int i;
+ char *pargv[13]= {
+ "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor:ruleset",
+ "-D", "user_ip=X", "-D", "user_id=X", "-f",
+ "file", NULL
+ };
+ char *fdpath = NULL;
+ char *userstr= NULL;
+ char *ipstr = NULL;
+ char *rsn = NULL;
+ char *fn = NULL;
+ int pid, s;
if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
syslog(LOG_ERR, "invalid luser/ipsrc");
goto error;
}
- if (add) {
- if ((i = snprintf(fn, sizeof(fn), "%s/%s/authpf.rules",
- PATH_USER_DIR, luser)) < 0 || i >= sizeof(fn)) {
- syslog(LOG_ERR, "user rule path too long");
- goto error;
- }
- if ((f = fopen(fn, "r")) == NULL && errno != ENOENT) {
- syslog(LOG_ERR, "cannot open %s (%m)", fn);
- goto error;
- }
- if (f == NULL) {
- if (strlcpy(fn, PATH_PFRULES, sizeof(fn)) >=
- sizeof(fn)) {
- syslog(LOG_ERR, "rule path too long");
- goto error;
- }
- if ((f = fopen(fn, "r")) == NULL) {
- syslog(LOG_ERR, "cannot open %s (%m)", fn);
- goto error;
- }
- }
- }
-
- if (pfctl_load_fingerprints(dev, 0)) {
- syslog(LOG_ERR, "unable to load kernel's OS fingerprints");
- goto error;
- }
- bzero(&t, sizeof(t));
- t.pfrb_type = PFRB_TRANS;
- memset(&pf, 0, sizeof(pf));
- for (i = 0; i < PF_RULESET_MAX; ++i) {
- if (pfctl_add_trans(&t, i, anchorname, rulesetname)) {
- syslog(LOG_ERR, "pfctl_add_trans %m");
- goto error;
- }
- }
- if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
- syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove");
- goto error;
- }
+ if (asprintf(&rsn, "%s:%s", anchorname, rulesetname) == -1)
+ goto no_mem;
+ if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
+ goto no_mem;
+ if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
+ goto no_mem;
+ if (asprintf(&userstr, "user_id=%s", luser) == -1)
+ goto no_mem;
if (add) {
- if (symset("user_ip", ipsrc, 0) ||
- symset("user_id", luser, 0)) {
- syslog(LOG_ERR, "symset");
- goto error;
+ struct stat sb;
+ if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser)
+ == -1)
+ goto no_mem;
+ if (stat(fn, &sb) == -1) {
+ free(fn);
+ if ((fn = strdup(PATH_PFRULES)) == NULL)
+ goto no_mem;
}
-
- pf.dev = dev;
- pf.trans = &t;
- pf.anchor = anchorname;
- pf.ruleset = rulesetname;
-
- infile = fn;
- if (parse_rules(f, &pf) < 0) {
- syslog(LOG_ERR, "syntax error in rule file: "
- "authpf rules not loaded");
+ }
+ pargv[2] = fdpath;
+ pargv[5] = rsn;
+ pargv[7] = userstr;
+ pargv[9] = ipstr;
+ if (!add) {
+ pargv[11]="/dev/null";
+ } else {
+ pargv[11]=fn;
+ }
+ switch (pid = fork()) {
+ case -1:
+ err(1, "fork failed");
+ case 0:
+ execvp(PATH_PFCTL, pargv);
+ err(1, "exec of %s failed", PATH_PFCTL);
+ }
+ /* parent */
+ waitpid(pid, &s, 0);
+ if (s != 0) {
+ if (WIFEXITED(s)) {
+ syslog(LOG_ERR, "pfctl exited abnormally");
goto error;
}
-
- infile = NULL;
- fclose(f);
- f = NULL;
- }
-
- if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) {
- syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove");
- goto error;
}
-
+
if (add) {
gettimeofday(&Tstart, NULL);
syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
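Review bot: The return value of `waitpid(pid, &s, 0)` is ignored and a child killed by a signal is treated as success: `s` is read uninitialized if waitpid fails, and when pfctl dies on a signal `s != 0` holds but `WIFEXITED(s)` is false, so control falls through to the "allowing %s" branch with no rules loaded. Check waitpid's result (retrying on EINTR, since authpf appears to install signal handlers) and require a zero exit status, and declare `pid` as `pid_t` rather than `int`. Two smaller points: the placeholder strings in `pargv` are swapped relative to the assignments (`pargv[7]` receives the `user_id=` string and `pargv[9]` the `user_ip=` string, harmless for `-D` but confusing to read), and since PATH_PFCTL is an absolute path `execv` states the intent more precisely than `execvp`. change_filter continues past the end of this hunk.
```c
	/* parent */
	while (waitpid(pid, &s, 0) == -1) {
		if (errno != EINTR) {
			syslog(LOG_ERR, "waitpid failed (%m)");
			goto error;
		}
	}
	if (!WIFEXITED(s) || WEXITSTATUS(s) != 0) {
		syslog(LOG_ERR, "pfctl exited abnormally");
		goto error;
	}
	/* … unchanged: success logging … */
```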
@@ -682,13 +662,19 @@ change_filter(int add, const char *luser, const char *ipsrc)
ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
}
return (0);
-
+no_mem:
+ syslog(LOG_ERR, "malloc failed");
error:
- if (f != NULL)
- fclose(f);
- if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0))
- syslog(LOG_ERR, "DIOCXROLLBACK (%s) %m", add?"add":"remove");
-
+ free(fdpath);
+ fdpath = NULL;
+ free(rsn);
+ rsn = NULL;
+ free(userstr);
+ userstr = NULL;
+ free(ipstr);
+ ipstr = NULL;
+ free(fn);
+ fn = NULL;
infile = NULL;
return (-1);
}
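Review bot: The success path at `return (0);` never frees `fdpath`, `rsn`, `userstr`, `ipstr` or `fn`; only the `error:` label releases them, so every successful add or remove leaks the five asprintf/strdup buffers. Route both outcomes through a single cleanup label and return a status variable (declared at the top of change_filter, outside this hunk); the `x = NULL;` resets after each free are then redundant because the locals go out of scope on return. The `infile = NULL;` under `error:` looks like a leftover from the in-process parser this commit removes — if nothing else reads `infile` after this change, it can go as well.
```c
	/* … unchanged: success logging … */
	ret = 0;
	goto done;
no_mem:
	syslog(LOG_ERR, "malloc failed");
error:
	infile = NULL;
	ret = -1;
done:
	free(fdpath);
	free(rsn);
	free(userstr);
	free(ipstr);
	free(fn);
	return (ret);
```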
@@ -755,163 +741,3 @@ do_death(int active)
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
}
-
-/*
- * callbacks for parse_rules(void)
- */
-
-int
-pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
-{
- u_int8_t rs_num;
- struct pfioc_rule pr;
-
- switch (r->action) {
- case PF_PASS:
- case PF_DROP:
- rs_num = PF_RULESET_FILTER;
- break;
- case PF_SCRUB:
- rs_num = PF_RULESET_SCRUB;
- break;
- case PF_NAT:
- case PF_NONAT:
- rs_num = PF_RULESET_NAT;
- break;
- case PF_RDR:
- case PF_NORDR:
- rs_num = PF_RULESET_RDR;
- break;
- case PF_BINAT:
- case PF_NOBINAT:
- rs_num = PF_RULESET_BINAT;
- break;
- default:
- syslog(LOG_ERR, "invalid rule action %d", r->action);
- return (1);
- }
-
- bzero(&pr, sizeof(pr));
- strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor));
- strlcpy(pr.ruleset, pf->ruleset, sizeof(pr.ruleset));
- if (pfctl_add_pool(pf, &r->rpool, r->af))
- return (1);
- pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor,
- pf->ruleset);
- pr.pool_ticket = pf->paddr.ticket;
- memcpy(&pr.rule, r, sizeof(pr.rule));
- if (ioctl(pf->dev, DIOCADDRULE, &pr)) {
- syslog(LOG_ERR, "DIOCADDRULE %m");
- return (1);
- }
- pfctl_clear_pool(&r->rpool);
- return (0);
-}
-
-int
-pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
-{
- struct pf_pooladdr *pa;
-
- if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr)) {
- syslog(LOG_ERR, "DIOCBEGINADDRS %m");
- return (1);
- }
- pf->paddr.af = af;
- TAILQ_FOREACH(pa, &p->list, entries) {
- memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
- if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr)) {
- syslog(LOG_ERR, "DIOCADDADDR %m");
- return (1);
- }
- }
- return (0);
-}
-
-void
-pfctl_clear_pool(struct pf_pool *pool)
-{
- struct pf_pooladdr *pa;
-
- while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
- TAILQ_REMOVE(&pool->list, pa, entries);
- free(pa);
- }
-}
-
-int
-pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
-{
- fprintf(stderr, "altq rules not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_optimization(struct pfctl *pf, const char *opt)
-{
- fprintf(stderr, "set optimization not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_logif(struct pfctl *pf, char *ifname)
-{
- fprintf(stderr, "set loginterface not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
-{
- fprintf(stderr, "set hostid not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
-{
- fprintf(stderr, "set timeout not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
-{
- fprintf(stderr, "set limit not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_set_debug(struct pfctl *pf, char *d)
-{
- fprintf(stderr, "set debug not supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_define_table(char *name, int flags, int addrs, const char *anchor,
- const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket)
-{
- fprintf(stderr, "table definitions not yet supported in authpf\n");
- return (1);
-}
-
-int
-pfctl_rules(int dev, char *filename, int opts, char *anchorname,
- char *rulesetname, struct pfr_buffer *t)
-{
- /* never called, no anchors inside anchors, but we need the stub */
- fprintf(stderr, "load anchor not supported from authpf\n");
- return (1);
-}
-
-void
-pfctl_print_title(char *title)
-{
-}
-
-FILE *
-pfctl_fopen(const char *name, const char *mode)
-{
- return fopen(name, mode);
-}
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index 97d1d7426b0..358bfd0c106 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.6 2003/06/03 20:38:59 beck Exp $ */
+/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -35,3 +35,4 @@
#define PATH_DEVFILE "/dev/pf"
#define PATH_PIDFILE "/var/authpf"
#define PATH_AUTHPF_SHELL "/usr/sbin/authpf"
+#define PATH_PFCTL "/sbin/pfctl"