authpf.c (127082) authpf.c (130617)
1/* $OpenBSD: authpf.c,v 1.68 2003/08/21 19:13:23 frantzen Exp $ */
1/* $OpenBSD: authpf.c,v 1.75 2004/01/29 01:55:10 deraadt Exp $ */
2
3/*
4 * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 11 unchanged lines hidden (view full) ---

21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28#include <sys/cdefs.h>
2
3/*
4 * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 11 unchanged lines hidden (view full) ---

21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28#include <sys/cdefs.h>
29__FBSDID("$FreeBSD: head/contrib/pf/authpf/authpf.c 127082 2004-03-16 17:24:06Z obrien $");
29__FBSDID("$FreeBSD: head/contrib/pf/authpf/authpf.c 130617 2004-06-16 23:39:33Z mlaier $");
30
31#include <sys/param.h>
32#include <sys/file.h>
33#include <sys/ioctl.h>
34#include <sys/socket.h>
35#include <sys/time.h>
36
37#include <net/if.h>

--- 6 unchanged lines hidden (view full) ---

44#include <signal.h>
45#include <stdio.h>
46#include <stdlib.h>
47#include <string.h>
48#include <syslog.h>
49#include <unistd.h>
50
51#include <pfctl_parser.h>
30
31#include <sys/param.h>
32#include <sys/file.h>
33#include <sys/ioctl.h>
34#include <sys/socket.h>
35#include <sys/time.h>
36
37#include <net/if.h>

--- 6 unchanged lines hidden (view full) ---

44#include <signal.h>
45#include <stdio.h>
46#include <stdlib.h>
47#include <string.h>
48#include <syslog.h>
49#include <unistd.h>
50
51#include <pfctl_parser.h>
52#include <pfctl.h>
52
53#include "pathnames.h"
54
55extern int symset(const char *, const char *, int);
56
57static int read_config(FILE *);
58static void print_message(char *);
59static int allowed_luser(char *);

--- 33 unchanged lines hidden (view full) ---

93{
94 int lockcnt = 0, n, pidfd;
95 FILE *config;
96 struct in_addr ina;
97 struct passwd *pw;
98 char *cp;
99 uid_t uid;
100
53
54#include "pathnames.h"
55
56extern int symset(const char *, const char *, int);
57
58static int read_config(FILE *);
59static void print_message(char *);
60static int allowed_luser(char *);

--- 33 unchanged lines hidden (view full) ---

94{
95 int lockcnt = 0, n, pidfd;
96 FILE *config;
97 struct in_addr ina;
98 struct passwd *pw;
99 char *cp;
100 uid_t uid;
101
101 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
102 (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
103 syslog(LOG_ERR, "pid too large for ruleset name");
104 exit(1);
105 }
106
107 config = fopen(PATH_CONFFILE, "r");
108
109 if ((cp = getenv("SSH_TTY")) == NULL) {
110 syslog(LOG_ERR, "non-interactive session connection for authpf");
111 exit(1);
112 }
113
114 if ((cp = getenv("SSH_CLIENT")) == NULL) {

--- 11 unchanged lines hidden (view full) ---

126 exit(1);
127 }
128 *cp = '\0';
129 if (inet_pton(AF_INET, ipsrc, &ina) != 1) {
130 syslog(LOG_ERR,
131 "cannot determine IP from SSH_CLIENT %s", ipsrc);
132 exit(1);
133 }
102 config = fopen(PATH_CONFFILE, "r");
103
104 if ((cp = getenv("SSH_TTY")) == NULL) {
105 syslog(LOG_ERR, "non-interactive session connection for authpf");
106 exit(1);
107 }
108
109 if ((cp = getenv("SSH_CLIENT")) == NULL) {

--- 11 unchanged lines hidden (view full) ---

121 exit(1);
122 }
123 *cp = '\0';
124 if (inet_pton(AF_INET, ipsrc, &ina) != 1) {
125 syslog(LOG_ERR,
126 "cannot determine IP from SSH_CLIENT %s", ipsrc);
127 exit(1);
128 }
134
135 /* open the pf device */
136 dev = open(PATH_DEVFILE, O_RDWR);
137 if (dev == -1) {
138 syslog(LOG_ERR, "cannot open packet filter device (%m)");
139 goto die;
140 }
141
142 uid = getuid();

--- 12 unchanged lines hidden (view full) ---

155 * Paranoia, but this data _does_ come from outside authpf, and
156 * truncation would be bad.
157 */
158 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) {
159 syslog(LOG_ERR, "username too long: %s", pw->pw_name);
160 goto die;
161 }
162
129 /* open the pf device */
130 dev = open(PATH_DEVFILE, O_RDWR);
131 if (dev == -1) {
132 syslog(LOG_ERR, "cannot open packet filter device (%m)");
133 goto die;
134 }
135
136 uid = getuid();

--- 12 unchanged lines hidden (view full) ---

149 * Paranoia, but this data _does_ come from outside authpf, and
150 * truncation would be bad.
151 */
152 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) {
153 syslog(LOG_ERR, "username too long: %s", pw->pw_name);
154 goto die;
155 }
156
157 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
158 luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
159 syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
160 luser, (long)getpid(), (long)getpid());
161 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
162 (long)getpid())) < 0 || n >= sizeof(rulesetname)) {
163 syslog(LOG_ERR, "pid too large for ruleset name");
164 goto die;
165 }
166 }
167
168
163 /* Make our entry in /var/authpf as /var/authpf/ipaddr */
164 n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
165 if (n < 0 || (u_int)n >= sizeof(pidfile)) {
166 syslog(LOG_ERR, "path to pidfile too long");
167 goto die;
168 }
169
170 /*

--- 66 unchanged lines hidden (view full) ---

237 */
238 fclose(pidfp);
239 } while (1);
240
241 /* revoke privs */
242 seteuid(getuid());
243 setuid(getuid());
244
169 /* Make our entry in /var/authpf as /var/authpf/ipaddr */
170 n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
171 if (n < 0 || (u_int)n >= sizeof(pidfile)) {
172 syslog(LOG_ERR, "path to pidfile too long");
173 goto die;
174 }
175
176 /*

--- 66 unchanged lines hidden (view full) ---

243 */
244 fclose(pidfp);
245 } while (1);
246
247 /* revoke privs */
248 seteuid(getuid());
249 setuid(getuid());
250
245 if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser))
251 openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
252
253 if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
254 syslog(LOG_INFO, "user %s prohibited", luser);
246 do_death(0);
255 do_death(0);
256 }
247
257
248 openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
249 if (config == NULL || read_config(config))
258 if (config == NULL || read_config(config)) {
259 syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE);
250 do_death(0);
260 do_death(0);
261 }
251
262
252 if (remove_stale_rulesets())
263 if (remove_stale_rulesets()) {
264 syslog(LOG_INFO, "error removing stale rulesets");
253 do_death(0);
265 do_death(0);
266 }
254
255 /* We appear to be making headway, so actually mark our pid */
256 rewind(pidfp);
257 fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
258 fflush(pidfp);
259 (void) ftruncate(fileno(pidfp), ftell(pidfp));
260
261 if (change_filter(1, luser, ipsrc) == -1) {
262 printf("Unable to modify filters\r\n");
267
268 /* We appear to be making headway, so actually mark our pid */
269 rewind(pidfp);
270 fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
271 fflush(pidfp);
272 (void) ftruncate(fileno(pidfp), ftell(pidfp));
273
274 if (change_filter(1, luser, ipsrc) == -1) {
275 printf("Unable to modify filters\r\n");
263 do_death(1);
276 do_death(0);
264 }
265
266 signal(SIGTERM, need_death);
267 signal(SIGINT, need_death);
268 signal(SIGALRM, need_death);
269 signal(SIGPIPE, need_death);
270 signal(SIGHUP, need_death);
271 signal(SIGSTOP, need_death);

--- 268 unchanged lines hidden (view full) ---

540 return (0);
541 else
542 return (1);
543 }
544
545 mnr = prs.nr;
546 nr = 0;
547 while (nr < mnr) {
277 }
278
279 signal(SIGTERM, need_death);
280 signal(SIGINT, need_death);
281 signal(SIGALRM, need_death);
282 signal(SIGPIPE, need_death);
283 signal(SIGHUP, need_death);
284 signal(SIGSTOP, need_death);

--- 268 unchanged lines hidden (view full) ---

553 return (0);
554 else
555 return (1);
556 }
557
558 mnr = prs.nr;
559 nr = 0;
560 while (nr < mnr) {
548 char *s;
561 char *s, *t;
549 pid_t pid;
550
551 prs.nr = nr;
552 if (ioctl(dev, DIOCGETRULESET, &prs))
553 return (1);
554 errno = 0;
562 pid_t pid;
563
564 prs.nr = nr;
565 if (ioctl(dev, DIOCGETRULESET, &prs))
566 return (1);
567 errno = 0;
555 pid = strtoul(prs.name, &s, 10);
556 if (!prs.name[0] || errno || *s)
568 if ((t = strchr(prs.name, '(')) == NULL)
569 t = prs.name;
570 else
571 t++;
572 pid = strtoul(t, &s, 10);
573 if (!prs.name[0] || errno ||
574 (*s && (t == prs.name || *s != ')')))
557 return (1);
558 if (kill(pid, 0) && errno != EPERM) {
559 int i;
560
561 for (i = 0; i < PF_RULESET_MAX; ++i) {
562 struct pfioc_rule pr;
563
564 memset(&pr, 0, sizeof(pr));

--- 15 unchanged lines hidden (view full) ---

580/*
581 * Add/remove filter entries for user "luser" from ip "ipsrc"
582 */
583static int
584change_filter(int add, const char *luser, const char *ipsrc)
585{
586 char fn[MAXPATHLEN];
587 FILE *f = NULL;
575 return (1);
576 if (kill(pid, 0) && errno != EPERM) {
577 int i;
578
579 for (i = 0; i < PF_RULESET_MAX; ++i) {
580 struct pfioc_rule pr;
581
582 memset(&pr, 0, sizeof(pr));

--- 15 unchanged lines hidden (view full) ---

598/*
599 * Add/remove filter entries for user "luser" from ip "ipsrc"
600 */
601static int
602change_filter(int add, const char *luser, const char *ipsrc)
603{
604 char fn[MAXPATHLEN];
605 FILE *f = NULL;
588 const int action[PF_RULESET_MAX] = { PF_SCRUB,
589 PF_PASS, PF_NAT, PF_BINAT, PF_RDR };
590 struct pfctl pf;
606 struct pfctl pf;
591 struct pfioc_rule pr[PF_RULESET_MAX];
607 struct pfr_buffer t;
592 int i;
593
608 int i;
609
594 if (luser == NULL || !luser[0] || strlen(luser) >=
595 PF_RULESET_NAME_SIZE || ipsrc == NULL || !ipsrc[0]) {
610 if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
596 syslog(LOG_ERR, "invalid luser/ipsrc");
597 goto error;
598 }
599
600 if (add) {
601 if ((i = snprintf(fn, sizeof(fn), "%s/%s/authpf.rules",
602 PATH_USER_DIR, luser)) < 0 || i >= sizeof(fn)) {
603 syslog(LOG_ERR, "user rule path too long");

--- 15 unchanged lines hidden (view full) ---

619 }
620 }
621 }
622
623 if (pfctl_load_fingerprints(dev, 0)) {
624 syslog(LOG_ERR, "unable to load kernel's OS fingerprints");
625 goto error;
626 }
611 syslog(LOG_ERR, "invalid luser/ipsrc");
612 goto error;
613 }
614
615 if (add) {
616 if ((i = snprintf(fn, sizeof(fn), "%s/%s/authpf.rules",
617 PATH_USER_DIR, luser)) < 0 || i >= sizeof(fn)) {
618 syslog(LOG_ERR, "user rule path too long");

--- 15 unchanged lines hidden (view full) ---

634 }
635 }
636 }
637
638 if (pfctl_load_fingerprints(dev, 0)) {
639 syslog(LOG_ERR, "unable to load kernel's OS fingerprints");
640 goto error;
641 }
627
642 bzero(&t, sizeof(t));
643 t.pfrb_type = PFRB_TRANS;
628 memset(&pf, 0, sizeof(pf));
629 for (i = 0; i < PF_RULESET_MAX; ++i) {
644 memset(&pf, 0, sizeof(pf));
645 for (i = 0; i < PF_RULESET_MAX; ++i) {
630 memset(&pr[i], 0, sizeof(pr[i]));
631 pr[i].rule.action = action[i];
632 strlcpy(pr[i].anchor, anchorname, sizeof(pr[i].anchor));
633 strlcpy(pr[i].ruleset, rulesetname, sizeof(pr[i].ruleset));
634 if (ioctl(dev, DIOCBEGINRULES, &pr[i])) {
635 syslog(LOG_ERR, "DIOCBEGINRULES %m");
646 if (pfctl_add_trans(&t, i, anchorname, rulesetname)) {
647 syslog(LOG_ERR, "pfctl_add_trans %m");
636 goto error;
637 }
648 goto error;
649 }
638 pf.prule[i] = &pr[i];
639 }
650 }
651 if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
652 syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove");
653 goto error;
654 }
640
641 if (add) {
642 if (symset("user_ip", ipsrc, 0) ||
643 symset("user_id", luser, 0)) {
644 syslog(LOG_ERR, "symset");
645 goto error;
646 }
647
648 pf.dev = dev;
655
656 if (add) {
657 if (symset("user_ip", ipsrc, 0) ||
658 symset("user_id", luser, 0)) {
659 syslog(LOG_ERR, "symset");
660 goto error;
661 }
662
663 pf.dev = dev;
664 pf.trans = &t;
665 pf.anchor = anchorname;
666 pf.ruleset = rulesetname;
667
649 infile = fn;
650 if (parse_rules(f, &pf) < 0) {
651 syslog(LOG_ERR, "syntax error in rule file: "
652 "authpf rules not loaded");
653 goto error;
654 }
655
656 infile = NULL;
657 fclose(f);
658 f = NULL;
659 }
660
668 infile = fn;
669 if (parse_rules(f, &pf) < 0) {
670 syslog(LOG_ERR, "syntax error in rule file: "
671 "authpf rules not loaded");
672 goto error;
673 }
674
675 infile = NULL;
676 fclose(f);
677 f = NULL;
678 }
679
661 for (i = 0; i < PF_RULESET_MAX; ++i)
662 /*
663 * ignore EINVAL on removal, it means the anchor was
664 * already automatically removed by the kernel.
665 */
666 if (ioctl(dev, DIOCCOMMITRULES, &pr[i]) &&
667 (add || errno != EINVAL)) {
668 syslog(LOG_ERR, "DIOCCOMMITRULES %m");
669 goto error;
670 }
680 if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) {
681 syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove");
682 goto error;
683 }
671
672 if (add) {
673 gettimeofday(&Tstart, NULL);
674 syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
675 } else {
676 gettimeofday(&Tend, NULL);
677 syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds",
678 ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
679 }
680 return (0);
681
682error:
683 if (f != NULL)
684 fclose(f);
684
685 if (add) {
686 gettimeofday(&Tstart, NULL);
687 syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
688 } else {
689 gettimeofday(&Tend, NULL);
690 syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds",
691 ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
692 }
693 return (0);
694
695error:
696 if (f != NULL)
697 fclose(f);
698 if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0))
699 syslog(LOG_ERR, "DIOCXROLLBACK (%s) %m", add?"add":"remove");
685
686 infile = NULL;
687 return (-1);
688}
689
690/*
691 * This is to kill off states that would otherwise be left behind stateful
692 * rules. This means we don't need to allow in more traffic than we really

--- 63 unchanged lines hidden (view full) ---

756
757/*
758 * callbacks for parse_rules(void)
759 */
760
761int
762pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
763{
700
701 infile = NULL;
702 return (-1);
703}
704
705/*
706 * This is to kill off states that would otherwise be left behind stateful
707 * rules. This means we don't need to allow in more traffic than we really

--- 63 unchanged lines hidden (view full) ---

771
772/*
773 * callbacks for parse_rules(void)
774 */
775
776int
777pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
778{
764 struct pfioc_rule *pr;
779 u_int8_t rs_num;
780 struct pfioc_rule pr;
765
766 switch (r->action) {
767 case PF_PASS:
768 case PF_DROP:
781
782 switch (r->action) {
783 case PF_PASS:
784 case PF_DROP:
769 pr = pf->prule[PF_RULESET_FILTER];
785 rs_num = PF_RULESET_FILTER;
770 break;
771 case PF_SCRUB:
786 break;
787 case PF_SCRUB:
772 pr = pf->prule[PF_RULESET_SCRUB];
788 rs_num = PF_RULESET_SCRUB;
773 break;
774 case PF_NAT:
775 case PF_NONAT:
789 break;
790 case PF_NAT:
791 case PF_NONAT:
776 pr = pf->prule[PF_RULESET_NAT];
792 rs_num = PF_RULESET_NAT;
777 break;
778 case PF_RDR:
779 case PF_NORDR:
793 break;
794 case PF_RDR:
795 case PF_NORDR:
780 pr = pf->prule[PF_RULESET_RDR];
796 rs_num = PF_RULESET_RDR;
781 break;
782 case PF_BINAT:
783 case PF_NOBINAT:
797 break;
798 case PF_BINAT:
799 case PF_NOBINAT:
784 pr = pf->prule[PF_RULESET_BINAT];
800 rs_num = PF_RULESET_BINAT;
785 break;
786 default:
787 syslog(LOG_ERR, "invalid rule action %d", r->action);
788 return (1);
789 }
801 break;
802 default:
803 syslog(LOG_ERR, "invalid rule action %d", r->action);
804 return (1);
805 }
806
807 bzero(&pr, sizeof(pr));
808 strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor));
809 strlcpy(pr.ruleset, pf->ruleset, sizeof(pr.ruleset));
790 if (pfctl_add_pool(pf, &r->rpool, r->af))
791 return (1);
810 if (pfctl_add_pool(pf, &r->rpool, r->af))
811 return (1);
792 pr->pool_ticket = pf->paddr.ticket;
793 memcpy(&pr->rule, r, sizeof(pr->rule));
794 if (ioctl(pf->dev, DIOCADDRULE, pr)) {
812 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor,
813 pf->ruleset);
814 pr.pool_ticket = pf->paddr.ticket;
815 memcpy(&pr.rule, r, sizeof(pr.rule));
816 if (ioctl(pf->dev, DIOCADDRULE, &pr)) {
795 syslog(LOG_ERR, "DIOCADDRULE %m");
796 return (1);
797 }
798 pfctl_clear_pool(&r->rpool);
799 return (0);
800}
801
802int

--- 44 unchanged lines hidden (view full) ---

847int
848pfctl_set_logif(struct pfctl *pf, char *ifname)
849{
850 fprintf(stderr, "set loginterface not supported in authpf\n");
851 return (1);
852}
853
854int
817 syslog(LOG_ERR, "DIOCADDRULE %m");
818 return (1);
819 }
820 pfctl_clear_pool(&r->rpool);
821 return (0);
822}
823
824int

--- 44 unchanged lines hidden (view full) ---

869int
870pfctl_set_logif(struct pfctl *pf, char *ifname)
871{
872 fprintf(stderr, "set loginterface not supported in authpf\n");
873 return (1);
874}
875
876int
877pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
878{
879 fprintf(stderr, "set hostid not supported in authpf\n");
880 return (1);
881}
882
883int
855pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
856{
857 fprintf(stderr, "set timeout not supported in authpf\n");
858 return (1);
859}
860
861int
862pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
863{
864 fprintf(stderr, "set limit not supported in authpf\n");
865 return (1);
866}
867
868int
884pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
885{
886 fprintf(stderr, "set timeout not supported in authpf\n");
887 return (1);
888}
889
890int
891pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
892{
893 fprintf(stderr, "set limit not supported in authpf\n");
894 return (1);
895}
896
897int
898pfctl_set_debug(struct pfctl *pf, char *d)
899{
900 fprintf(stderr, "set debug not supported in authpf\n");
901 return (1);
902}
903
904int
869pfctl_define_table(char *name, int flags, int addrs, const char *anchor,
870 const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket)
871{
872 fprintf(stderr, "table definitions not yet supported in authpf\n");
873 return (1);
874}
875
876int
877pfctl_rules(int dev, char *filename, int opts, char *anchorname,
905pfctl_define_table(char *name, int flags, int addrs, const char *anchor,
906 const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket)
907{
908 fprintf(stderr, "table definitions not yet supported in authpf\n");
909 return (1);
910}
911
912int
913pfctl_rules(int dev, char *filename, int opts, char *anchorname,
878 char *rulesetname)
914 char *rulesetname, struct pfr_buffer *t)
879{
880 /* never called, no anchors inside anchors, but we need the stub */
881 fprintf(stderr, "load anchor not supported from authpf\n");
882 return (1);
883}
884
915{
916 /* never called, no anchors inside anchors, but we need the stub */
917 fprintf(stderr, "load anchor not supported from authpf\n");
918 return (1);
919}
920
921void
922pfctl_print_title(char *title)
923{
924}
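Review bot: In change_filter() the new `error:` path calls `pfctl_trans(dev, &t, DIOCXROLLBACK, 0)` (new line 698) on every failure, but `t` is only zeroed at new line 642, after several `goto error` exits have already been passed. The invalid luser/ipsrc check at 610-613, the "user rule path too long" check at 616-618 and the fingerprint load at 638-641 all jump to the rollback with `t` still uninitialised, so whatever pfctl_trans reads from the buffer (its body is not on this page) is indeterminate stack data handed to an ioctl on the pf device. Move `bzero(&t, sizeof(t)); t.pfrb_type = PFRB_TRANS;` to the top of the function, before the first `goto error`, so rolling back a transaction that never started operates on an empty buffer. Part of the `if (add)` block is in the hidden lines, so any further early exits there would need the same guarantee.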