authorCedric Berger <cedric@cvs.openbsd.org>2004-04-28 05:06:14 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2004-04-28 05:06:14 +0000
commitb320e1d07c24b33e985e0f2f208b6cc3d4a9a999 (patch)
tree7424cee999bb0dd48696bc0a6796f791cef52562
parenta8e89f051a95cc6c1243ccc8aec3240c5e26829e (diff)
Put authpf user's IP addresses in the <authpf_users> table.
ok deraadt@ dhartmei@ markus@ mcbride@
-rw-r--r--usr.sbin/authpf/authpf.837
-rw-r--r--usr.sbin/authpf/authpf.c54
2 files changed, 89 insertions, 2 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index b6977da2fce..239fd671f35 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.32 2004/04/28 05:06:12 cedric Exp $
.\"
.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@@ -60,6 +60,10 @@ can add filter and translation rules using the syntax described in
requires that the
.Xr pf 4
system be enabled before use.
+.Nm
+can also maintain the list of IP address of connected users
+in the "authpf_users"
+.Pa table .
.Pp
.Nm
is meant to be used with users who can connect via
@@ -154,6 +158,10 @@ Currently, the allowed values are as follows:
Use the specified
.Pa anchor
name instead of "authpf".
+.It table=name
+Use the specified
+.Pa table
+name instead of "authpf_users".
.El
.Sh USER MESSAGES
On successful invocation,
@@ -465,6 +473,33 @@ Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
16384 <mss 1460,nop,nop,sackOK> (DF)
.Ed
+.Pp
+.Sy Using "authpf_user" table.
+Simple
+.Nm
+settings can be implemented without anchor by just using the "authpf_user"
+.Pa table .
+For example, the following
+.Xr pf.conf 5
+lines will give SMTP and IMAP access to logged in users:
+.Bd -literal
+table <authpf_users> persist
+pass in on $ext_if proto tcp from <authpf_users> \e
+ to port { smtp imap } keep state
+.Ed
+.Pp
+It is also possible to use the "authpf_user"
+.Pa table
+in combination with anchors.
+For example,
+.Xr pf 4
+processing can be speed up by looking up the anchor
+only for packets coming from logged in users:
+.Bd -literal
+table <authpf_users> persist
+anchor authpf from <authpf_users>
+rdr-anchor authpf from <authpf_users>
+.Ed
.Sh FILES
.Bl -tag -width "/etc/authpf/authpf.conf" -compact
.It Pa /etc/authpf/authpf.conf
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 57a125bc8f2..9b6517054fa 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.79 2004/04/28 00:22:39 djm Exp $ */
+/* $OpenBSD: authpf.c,v 1.80 2004/04/28 05:06:13 cedric Exp $ */
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -57,10 +57,12 @@ static int allowed_luser(char *);
static int check_luser(char *, char *);
static int remove_stale_rulesets(void);
static int change_filter(int, const char *, const char *);
+static int change_table(int, const char *, const char *);
static void authpf_kill_states(void);
int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
+char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
char rulesetname[PF_RULESET_NAME_SIZE];
FILE *pidfp;
@@ -268,6 +270,11 @@ main(int argc, char *argv[])
printf("Unable to modify filters\r\n");
do_death(0);
}
+ if (change_table(1, luser, ipsrc) == -1) {
+ printf("Unable to modify table\r\n");
+ change_filter(0, luser, ipsrc);
+ do_death(0);
+ }
signal(SIGTERM, need_death);
signal(SIGINT, need_death);
@@ -350,6 +357,11 @@ read_config(FILE *f)
sizeof(anchorname)) >= sizeof(anchorname))
goto parse_error;
}
+ if (strcasecmp(pair[0], "table") == 0) {
+ if (!pair[1][0] || strlcpy(tablename, pair[1],
+ sizeof(tablename)) >= sizeof(tablename))
+ goto parse_error;
+ }
} while (!feof(f) && !ferror(f));
fclose(f);
return (0);
@@ -681,6 +693,45 @@ error:
}
/*
+ * Add/remove this IP from the "authpf_users" table.
+ */
+static int
+change_table(int add, const char *luser, const char *ipsrc)
+{
+ struct pfioc_table io;
+ struct pfr_addr addr;
+
+ bzero(&io, sizeof(io));
+ strlcpy(io.pfrio_table.pfrt_name, tablename, sizeof(io.pfrio_table));
+ io.pfrio_buffer = &addr;
+ io.pfrio_esize = sizeof(addr);
+ io.pfrio_size = 1;
+
+ bzero(&addr, sizeof(addr));
+ if (ipsrc == NULL || !ipsrc[0])
+ return (-1);
+ if (inet_pton(AF_INET, ipsrc, &addr.pfra_ip4addr) == 1) {
+ addr.pfra_af = AF_INET;
+ addr.pfra_net = 32;
+ } else if (inet_pton(AF_INET6, ipsrc, &addr.pfra_ip6addr) == 1) {
+ addr.pfra_af = AF_INET6;
+ addr.pfra_net = 128;
+ } else {
+ syslog(LOG_ERR, "invalid ipsrc");
+ return (-1);
+ }
+
+ if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) &&
+ errno != ESRCH) {
+ syslog(LOG_ERR, "cannot %s %s from table %s: %s",
+ add ? "add" : "remove", ipsrc, tablename,
+ strerror(errno));
+ return (-1);
+ }
+ return (0);
+}
+
+/*
* This is to kill off states that would otherwise be left behind stateful
* rules. This means we don't need to allow in more traffic than we really
* want to, since we don't have to worry about any luser sessions lasting
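Review bot: The strlcpy at the top of change_table bounds the copy with `sizeof(io.pfrio_table)`, the size of the whole pfr_table struct rather than of the destination field, and it only stays safe because tablename is itself capped at PF_TABLE_NAME_SIZE by the strlcpy in read_config; the bound should name the field: `strlcpy(io.pfrio_table.pfrt_name, tablename, sizeof(io.pfrio_table.pfrt_name));`. The `errno != ESRCH` exception on the ioctl presumably makes the table optional (no `table <authpf_users>` defined in pf.conf), but nothing in the function says so, and a comment such as `/* ESRCH: table not defined in pf.conf; treat it as optional */` would save the next reader a trip to the pf ioctl code. The log format `"cannot %s %s from table %s"` reads "cannot add ... from table" on the add path, and `luser` is accepted but never used, which looks like it mirrors change_filter's signature rather than a real need. The header comment names "authpf_users" although the name is configurable through tablename.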
@@ -740,6 +791,7 @@ do_death(int active)
if (active) {
change_filter(0, luser, ipsrc);
+ change_table(0, luser, ipsrc);
authpf_kill_states();
remove_stale_rulesets();
}