authorCamiel Dobbelaar <camield@cvs.openbsd.org>2005-06-07 04:37:33 +0000
committerCamiel Dobbelaar <camield@cvs.openbsd.org>2005-06-07 04:37:33 +0000
commit18b04af3af812d2a0deba6da7478775abd5b0c79 (patch)
tree2fa55f6673dc18c446be29c4eaa590d050660635
parent359425b989195df1f76342a9bff387f589aafd5f (diff)
Introduce verbose option to control the logging of the pf rules.
ok beck mpf
-rw-r--r--usr.sbin/ftp-proxy/filter.c13
-rw-r--r--usr.sbin/ftp-proxy/filter.h2
-rw-r--r--usr.sbin/ftp-proxy/ftp-proxy.815
-rw-r--r--usr.sbin/ftp-proxy/ftp-proxy.c14
4 files changed, 30 insertions, 14 deletions
diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c
index b4e958aa64f..f2e987f356e 100644
--- a/usr.sbin/ftp-proxy/filter.c
+++ b/usr.sbin/ftp-proxy/filter.c
@@ -50,7 +50,7 @@ static struct pfioc_pooladdr pfp;
static struct pfioc_rule pfr;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
-static int dev;
+static int dev, rule_log;
static char *qname;
int
@@ -157,12 +157,17 @@ do_rollback(void)
}
void
-init_filter(char *opt_qname)
+init_filter(char *opt_qname, int opt_verbose)
{
struct pf_status status;
qname = opt_qname;
+ if (opt_verbose == 1)
+ rule_log = PF_LOG;
+ else if (opt_verbose == 2)
+ rule_log = PF_LOG_ALL;
+
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "/dev/pf");
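Review bot: `rule_log` is assigned only when `opt_verbose` is 1 or 2; for any other value the chain falls through and the file-static keeps whatever it already held, which is the zero initializer from L27 on the first call but would be a stale value if init_filter were ever re-entered. The visible caller caps verbose at 2 before the call, so this is defensive rather than a live bug, but an explicit `else rule_log = 0;` makes "no logging" a stated default instead of an artifact of static zero-initialization. A short comment above the chain, such as `/* pf rules inserted by the proxy do not log unless -v is given */`, would also document the new default for anyone auditing the anchor rules via pflog. The init_filter body continues past the end of the hunk.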
@@ -273,13 +278,13 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
switch (rs_num) {
case PF_RULESET_FILTER:
/*
- * pass quick log inet[6] proto tcp \
+ * pass quick [log] inet[6] proto tcp \
* from $src to $dst port = $d_port flags S/SAFR keep state
* (max 1) [queue qname]
*/
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
- pfr.rule.log = 1;
+ pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
pfr.rule.flags = TH_SYN;
pfr.rule.flagset = (TH_SYN|TH_ACK|TH_FIN|TH_RST);
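Review bot: The rule sketch at L51 now reads `[log]`, but the field assigned at L58 can also carry `PF_LOG_ALL`, which the manual page in this same commit calls the 'log-all' flag; the comment should read `pass quick [log|log-all] inet[6] proto tcp \` so it matches every value `rule_log` can hold. This comment is the only place in the visible diff that describes the committed rule in pfctl terms, so it is where a reader is most likely to look when checking what pflog will show. The prepare_rule body starts and ends outside the hunk.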
diff --git a/usr.sbin/ftp-proxy/filter.h b/usr.sbin/ftp-proxy/filter.h
index cfb75b77dbf..3f0888a48a3 100644
--- a/usr.sbin/ftp-proxy/filter.h
+++ b/usr.sbin/ftp-proxy/filter.h
@@ -24,6 +24,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
struct sockaddr *, u_int16_t);
int do_commit(void);
int do_rollback(void);
-void init_filter(char *);
+void init_filter(char *, int);
int prepare_commit(u_int32_t);
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.8 b/usr.sbin/ftp-proxy/ftp-proxy.8
index ce84dbdcccf..5c6349cf5a6 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.8
+++ b/usr.sbin/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.2 2005/05/31 21:47:20 jmc Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.3 2005/06/07 04:37:32 camield Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
@@ -22,7 +22,7 @@
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm ftp-proxy
-.Op Fl 6Adr
+.Op Fl 6Adrv
.Op Fl a Ar address
.Op Fl b Ar address
.Op Fl D Ar level
@@ -63,16 +63,16 @@ adds the following rules to the various anchors.
In case of active mode (PORT or EPRT):
.Bd -literal -offset 2n
rdr from $server to $proxy port $port -> $client
-pass log quick inet proto tcp \e
+pass quick inet proto tcp \e
from $server to $client port $port flags S/SAFR keep state
.Ed
.Pp
In case of passive mode (PASV or EPSV):
.Bd -literal -offset 2n
nat from $client to $server port $port -> $proxy
-pass in log quick inet proto tcp \e
+pass in quick inet proto tcp \e
from $client to $server port $port flags S/SAFR keep state
-pass out log quick inet proto tcp \e
+pass out quick inet proto tcp \e
from $proxy to $server port $port flags S/SAFR keep state
.Ed
.Pp
@@ -133,6 +133,11 @@ proxy will disconnect.
The default is 24 hours.
Do not set this too low, because the control connection is usually
idle when large data transfers are taking place.
+.It Fl v
+Set the 'log' flag on pf rules committed by
+.Nm .
+Use twice to set the 'log-all' flag.
+The pf rules do not log by default.
.El
.Sh CONFIGURATION
To make use of the proxy,
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.c b/usr.sbin/ftp-proxy/ftp-proxy.c
index dfefecd925b..2c7c2c2109d 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.c
+++ b/usr.sbin/ftp-proxy/ftp-proxy.c
@@ -115,7 +115,7 @@ struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
*qname;
int anonymous_only, caught_sig, daemonize, id_count, ipv6_mode, loglevel,
- max_sessions, rfc_mode, session_count, timeout;
+ max_sessions, rfc_mode, session_count, timeout, verbose;
extern char *__progname;
void
@@ -594,12 +594,13 @@ main(int argc, char *argv[])
qname = NULL;
rfc_mode = 0;
timeout = 24 * 3600;
+ verbose = 0;
/* Other initialization. */
id_count = 1;
session_count = 0;
- while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:")) != -1) {
+ while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
switch (ch) {
case '6':
ipv6_mode = 1;
@@ -648,6 +649,11 @@ main(int argc, char *argv[])
if (timeout < 0)
errx(1, "bad timeout");
break;
+ case 'v':
+ verbose++;
+ if (verbose > 2)
+ usage();
+ break;
default:
usage();
}
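Review bot: The upper bound `2` at L156 duplicates knowledge that lives in filter.c, where init_filter maps only levels 1 and 2; if a level is ever added there, this check silently rejects it through usage() with no indication that the -v count was the problem. A named constant exported next to the init_filter prototype in filter.h, e.g. `#define VERBOSE_MAX 2`, used here as `if (verbose > VERBOSE_MAX)`, keeps the two files in step. Whether to keep the usage() exit or emit a specific `errx(1, "too many -v options")` is a style choice; usage() already exits non-zero per L177, so either is acceptable. The enclosing main() body continues outside the hunk.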
@@ -718,7 +724,7 @@ main(int argc, char *argv[])
freeaddrinfo(res);
/* Initialize pf. */
- init_filter(qname);
+ init_filter(qname, verbose);
if (daemonize) {
if (daemon(0, 0) == -1)
@@ -1085,7 +1091,7 @@ sock_ntop(struct sockaddr *sa)
void
usage(void)
{
- fprintf(stderr, "usage: %s [-6Adr] [-a address] [-b address]"
+ fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
" [-D level] [-m maxsessions]\n [-P port]"
" [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
exit(1);