History log of /openbsd-current/usr.sbin/authpf/authpf.c
Revision   Date   Author   Comments
# 1.129 28-Jan-2022 guenther

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.128 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.127 26-Apr-2018 guenther

Use <fcntl.h> instead of <sys/file.h> for open() and friends.
Delete a bunch of unnecessary #includes and sort to match style(9)
while doing the above cleanup.

ok deraadt@ krw@


Revision tags: OPENBSD_6_3_BASE
# 1.126 16-Jan-2018 cheloha

Use the monotonic clock to compute the session duration.

Ensures the correct duration is logged even if the system
time is changed during the session.

ok jca@


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.125 29-Mar-2016 mestre

- Add missing goto in order to avoid a dereference of a null object
- While here remove lint comment

OK millert@


Revision tags: OPENBSD_5_9_BASE
# 1.124 08-Dec-2015 mmcc

Remove a NULL-check before free().


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.123 21-Jan-2015 deraadt

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.


# 1.122 15-Jan-2015 deraadt

switch to PATH_MAX


# 1.121 08-Oct-2014 deraadt

remove stupid cast


Revision tags: OPENBSD_5_6_BASE
# 1.120 02-Apr-2014 deraadt

use setresgid()
ok guenther millert


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.119 02-Apr-2013 guenther

Handle big time_t

ok deraadt@


Revision tags: OPENBSD_5_3_BASE
# 1.118 19-Jan-2013 miod

fix build with gcc 2


# 1.117 15-Jan-2013 beck

Per group support for authpf rules files in /etc/authpf/groups.
largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me
and jmc@.


Revision tags: OPENBSD_5_2_BASE
# 1.116 07-Jul-2012 claudio

Fix file descriptor leak reported by someone on the mailing list a long time
ago. OK beck@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.115 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.114 27-Jan-2010 todd

search for authpf.message in $USER dirs also
from Rafal Bisingier ravbc at man dot pozman dot pl, ok beck@


# 1.113 23-Nov-2009 claudio

Make the tree compile again. Henning and I are both quite sure this is
correct.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.112 10-Jan-2009 miod

Uninitialized variable introduced in 1.110.


# 1.111 10-Jan-2009 todd

variable declaration before use, found by vax, no cookie


# 1.110 06-Jan-2009 mcbride

Support group and login class in authpf.allow (%<group>, @<class>)

ok beck


# 1.109 07-Oct-2008 deraadt

protect better against races from incoming signals; slightly changed
from 5394 by tracking the fd instead of the fp.
ok beck


# 1.108 05-Oct-2008 deraadt

grammar; PR 5394


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.107 14-Feb-2008 mcbride

Add authpf-noip, which allows multiple users to connect from a single IP;
forces users to write sane rulesets for this by not providing $user_ip or
updating the authpf table.

testing and prodding by mtu, manpage heavily worked over by jmc
ok beck dhartmei henning


# 1.106 01-Feb-2008 mcbride

Clean anchors recursively and directly via ioctls rather than using pfctl
with '-f /dev/null'. Properly clears the user's anchor even when anchors
are nested inside it (And avoids having to fork() on exit to run pfctl)

ok beck@, with testing by mtu@


# 1.105 25-Sep-2007 chl

handle empty strings returned by fgets

ok ray@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.104 24-Feb-2007 beck

exit right away if the config file isn't there, rather than
doing a whole bunch of needless screwing around
noticed by Stefan Krah <stefan-usenet@bytereef.org>


# 1.103 24-Feb-2007 beck

license + copyright


# 1.102 24-Feb-2007 beck

PR 5395 from Stefan Krah <stefan-usenet@bytereef.org>
cleanup:
remove unused arg
no need to clear locals
return -1 to allow pid cleanup to happen if fork fails


# 1.101 22-Feb-2007 beck

this ftruncate is really not needed now, if we're just unlinking.
ok millert@


# 1.100 22-Feb-2007 beck

close 5389 and 5390,
unused variable and a chance to unlink the pidfile without lock
if we couldn't kill a preexisting authpf process.
spotted by Stefan Krah <sfk1@bigfoot.com>.


Revision tags: OPENBSD_4_0_BASE
# 1.99 09-Aug-2006 dhartmei

handle SIGQUIT instead of SIGSTOP, from Stefan Krah


# 1.98 17-Mar-2006 deraadt

FILE * leak


# 1.97 14-Mar-2006 beck

fix incorrect sizeof(), spotted by ckuethe
ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.96 12-Dec-2005 beck

correct err() usage and remove the do_death which is unneeded in
the child process (as noticed by <evol@online.ptt.ru>)


# 1.95 12-Dec-2005 beck

Backout previous change back to 1.92 - My fault, committed diff
from unclean tree.


# 1.94 09-Dec-2005 beck

Mine, so modernize license


# 1.93 09-Dec-2005 beck

calling do_death() after err(), which makes us exit, is not smart, and is in
fact unnecessary; my usage of err() here also repeated the formatted
error message twice. - We don't need do_death() here, and fix err
to print the message a bit more sanely.
Noticed by Andrey Matveev <evol@online.ptt.ru> - Thanks


# 1.92 08-Dec-2005 beck

make authpf give up group privs before exec'ing pfctl - makes it
so the new taint enforcement for /dev/fd/X opens doesn't kill it


Revision tags: OPENBSD_3_8_BASE
# 1.91 23-May-2005 henning

branches: 1.91.2;
useless endpwent


# 1.90 02-May-2005 djm

more setres[ug]id; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.89 10-Feb-2005 joel

branches: 1.89.2;
Minor punctuation nit.

ok henning@


# 1.88 31-Jan-2005 henning

warn(3) + _exit(2) instead of err(3) in the forked child
From: Andrey Matveev <andrushock@korovino.net>


# 1.87 31-Jan-2005 henning

-Wsign-compare clean, Andrey Matveev <andrushock@korovino.net>


# 1.86 16-Sep-2004 deraadt

ftruncate() with ftello() instead of ftell(); ok millert


Revision tags: OPENBSD_3_6_BASE
# 1.85 08-Aug-2004 deraadt

spacing


# 1.84 14-Jun-2004 cedric

Use new ioctls. ok beck@ henning@


# 1.83 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.82 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.81 13-May-2004 henning

as the authpf manpage describes, the connecting user's shell can be
overloaded via login.conf. When verifying that the user's login shell is
indeed authpf it is not sufficient to look at (struct passwd)->pw_shell,
we also have to use login_getclass etc. to check whether the shell gets
overloaded.
ok millert@ beck@


# 1.80 28-Apr-2004 cedric

Put authpf user's IP addresses in the <authpf_users> table.
ok deraadt@ dhartmei@ markus@ mcbride@


# 1.79 28-Apr-2004 djm

IPv6 support; ok beck@


# 1.78 25-Apr-2004 deraadt

clean; ok beck


# 1.77 25-Apr-2004 beck

Make authpf exec pfctl instead of sucking in code from pfctl
ok cedric@


# 1.76 09-Apr-2004 cedric

Do not try to load directories. found+ok mpech@


Revision tags: OPENBSD_3_5_BASE
# 1.75 29-Jan-2004 deraadt

MORE BULLSHIT BECAUSE THIS PIECE OF SHIT IS INTERTWINED WITH PFCTL


# 1.74 13-Jan-2004 dhartmei

handle ruleset names containing usernames, fixes PR 3627, ok Bob


# 1.73 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.72 10-Dec-2003 beck

- fix a few exit cases that would exit with no log
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@


# 1.71 14-Nov-2003 henning

catch up with pfctl changes


# 1.70 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftovers in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


# 1.69 26-Sep-2003 henning

erm, committing to the right repository helps sometimes.
don't reject usernames > 15 chars; username is not used as ruleset name any
more, thus, this restriction is gone.
PR3491, fix from dhartmei


Revision tags: OPENBSD_3_4_BASE
# 1.68 21-Aug-2003 frantzen

stuff needed for passive OS fingerprinting PF rules


# 1.67 01-Aug-2003 millert

tickets are now u_int32_t, not int, fixes tree breakage; from Andrey Smagin


# 1.66 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and makes table definitions consistent with other
parsed rules.

ok dhartmei@


# 1.65 08-Jul-2003 dhartmei

Fix a bug that caused removal of previous users' rules when more than one
user logged in concurrently. And fix a smaller bug which prevented
complete removal of a user's state entries on logout. Bug report and
testing by Ed Powers.


# 1.64 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.63 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.62 28-Jun-2003 deraadt

() to (void)


# 1.61 27-Jun-2003 henning

/etc/authpf.allow -> /etc/authpf/authpf.allow in comments
spotted by Joel Knight again


# 1.60 24-Jun-2003 deraadt

clean


# 1.59 24-Jun-2003 deraadt

(long)getpid(); andrushock@korovino.net


# 1.58 03-Jun-2003 beck

remove term 3, with permission from Chris Kuethe for pathnames.h


# 1.57 10-May-2003 cloder

Be polite about leaving invalid data around in globals, just in case
someone comes along later, modifies the code, and runs into a problem.
OK beck@


# 1.56 10-May-2003 henning

catch up with pfctl changes


# 1.55 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.54 20-Apr-2003 beck

authpf is supposed to die if the /etc/authpf/authpf.conf is not present.
PR 3217, patch from frisco@blackant.net


Revision tags: OPENBSD_3_3_BASE
# 1.53 19-Feb-2003 deraadt

branches: 1.53.2;
sync to pfctl; BAD HENNING BAD BAD BAD NO COOKIE


# 1.52 11-Feb-2003 henning

adjust after pfctl changes


# 1.51 03-Feb-2003 henning

typos and minor KNF; from andrushock, thanks!


# 1.50 02-Feb-2003 henning

adjust after pfctl change; parse_rules doesn't take opts separately any more


# 1.49 29-Jan-2003 deraadt

do setproctitle; ok camield


# 1.48 27-Jan-2003 dhartmei

remove some unused includes, from Andrey Matveev


# 1.47 26-Jan-2003 dhartmei

mop up, from krw


# 1.46 25-Jan-2003 cedric

Permit initialisation of table contents from a file in pf.conf.
Clean up the table options parsing, making it more flexible.
idea+cleanup deraadt@, ok dhartmei@, passes all regress tests.


# 1.45 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.44 07-Jan-2003 dhartmei

Add function to search for and remove stale rulesets from other authpf
processes which have terminated unexpectedly. ok beck@


# 1.43 06-Jan-2003 deraadt

nicer syslog


# 1.42 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.41 01-Jan-2003 dhartmei

Scrub and filter rules are separated now, adjust authpf accordingly.


# 1.40 29-Dec-2002 dhartmei

Set a macro $user_id to the user name, just like $user_ip is already set
to the IP address. From discussion with Michael Lucas. ok henning@


# 1.39 22-Dec-2002 henning

KNF


# 1.38 22-Dec-2002 dhartmei

Instead of inserting and removing rules at the top/bottom of the main
ruleset, make authpf manage its rules inside anchors.


# 1.37 19-Dec-2002 henning

redundant memset


# 1.36 19-Dec-2002 henning

KNF


# 1.35 18-Dec-2002 mcbride

Fix tree breakage; match changes to struct pfctl (now contains an array
of pointers to pfioc_rule).

Fix from henning@

ok dhartmei@


# 1.34 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule
- Move pf_compare* functions here
- fix ioctls.


# 1.33 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing additional rule sets to be
loaded with pfctl and evaluated from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.32 04-Dec-2002 deraadt

catch up to -v -v change in pfctl(8)


# 1.31 01-Dec-2002 henning

KNF


# 1.30 01-Dec-2002 mcbride

Match pf_ioctl.c cleanup; if we're doing a DIOCCHANGE* operation which uses
old*, we need to call DIOCBEGINADDRS twice: once for the old rule/rdr/nat,
and once for the new one.

ok dhartmei@ henning@


# 1.29 23-Nov-2002 mcbride

don't try to do ioctl with PF_OPT_NOACTION

does not impact the function of authpf, but makes it consistent with the rest of
the add_* family

ok dhartmei@


# 1.28 23-Nov-2002 mcbride

add code to load lists of redirection addresses for nat/rdr/route-to/etc.


# 1.27 22-Nov-2002 beck

Disallow non-interactive sessions, to avoid problem of users scp'ing
to authpf gateway - noticed by Devan Reade <gdr@gno.org>, ok henning


# 1.26 19-Nov-2002 deraadt

be more precise


# 1.25 19-Nov-2002 deraadt

hacks to make the tree build; henning gets a carrot up the nose next time i meet him


# 1.24 25-Oct-2002 camield

- be even more careful with data supplied from outside
- check explicitly for negative values from snprintf (-pedantic)
- use MAXLOGNAME
- use parentheses with all sizeof's for consistency


Revision tags: OPENBSD_3_2_BASE
# 1.23 25-Jun-2002 henning

hooks for options.
we don't support setting pf options via authpf, but need the hooks here, too.
ok dhartmei@, kjell@


# 1.22 12-Jun-2002 vincent

fix a typo that could create a fd leak

ok beck@


# 1.21 11-Jun-2002 beck

fix breakage from the stupid way theo and I committed that last big pile of
changes.


# 1.20 11-Jun-2002 kjell

I broke this. Remove separate (optional) nat calls


# 1.19 08-Jun-2002 beck

comment and error message cleanup, from Brian Poole <raj@cerias.purdue.edu>


# 1.18 07-Jun-2002 beck

fix a few nits in theo's commit, make this install and run setgid authpf
so that it can remove the files it creates in /var/authpf


# 1.17 07-Jun-2002 deraadt

twist time, space, and other aspects of reality so that we can revoke privs,
and... as early as possible. (this does not work, beck has the next half
of this coming in a few minutes)


# 1.16 30-May-2002 form

Do not allow user to run authpf if user's shell is not /usr/sbin/authpf to
prevent users from playing with $SSH_CLIENT.


# 1.15 21-May-2002 deraadt

KNF before more major hacking


# 1.14 16-May-2002 deraadt

KNF


# 1.13 24-Apr-2002 dhartmei

Unbreak from pfvar.h change.


Revision tags: OPENBSD_3_1_BASE
# 1.12 09-Apr-2002 frantzen

make sure we fflush() after sending a message and fix a typo in a comment
ok beck@ and deraadt@


# 1.11 09-Apr-2002 beck

don't trust USER from the environment - bad, allows users to see files
they shouldn't


# 1.10 09-Apr-2002 deraadt

minor KNF


# 1.9 08-Apr-2002 mpech

Free memory. Patch from millert@.


# 1.8 07-Apr-2002 frantzen

fix authpf_kill_states()


# 1.7 05-Apr-2002 deraadt

move location of per-user config files; beck ok


# 1.6 05-Apr-2002 beck

ensure that rules files are owned and writable only by root,
along their entire path, change docs accordingly. This ensures
that people don't accidentally use the $HOME config files to
override real settings unless root meant to do it.
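The check that commit 1.6 describes (every component of a rules file's path owned by root and writable by nobody else) together with commit 1.76's refusal to load a directory, written out as an added example. This is not authpf's own code: the function names, the split into a trusted base directory plus a relative path, the rejection of symlinks and the sample tree under $TMPDIR are all this example's assumptions. The owner uid is a parameter so the example can be run as an ordinary user; authpf itself requires root.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Walk every component of "rel" below the trusted directory "base" (base
 * itself is not checked) and require that each one is owned by "owner",
 * has no group or other write bit, and is not a symlink (this example's
 * choice).  The final component must be a regular file, never a directory.
 * Returns 1 if the path passes, 0 if a component violates the policy and
 * -1 if lstat() fails (errno is left set).
 */
int
path_owned_and_unwritable(const char *base, const char *rel, uid_t owner)
{
	char cur[PATH_MAX];
	struct stat st;
	size_t len;
	const char *p = rel;

	if (*rel == '\0' || strlen(base) + 1 + strlen(rel) + 1 > sizeof(cur))
		return 0;
	len = strlen(base);
	memcpy(cur, base, len + 1);

	while (*p != '\0') {
		const char *slash = strchr(p, '/');
		size_t n = slash ? (size_t)(slash - p) : strlen(p);

		if (n > 0) {
			/* Append "/<component>" and examine the prefix so far. */
			cur[len++] = '/';
			memcpy(cur + len, p, n);
			len += n;
			cur[len] = '\0';

			if (lstat(cur, &st) == -1)
				return -1;
			if (S_ISLNK(st.st_mode))
				return 0;	/* could point anywhere */
			if (st.st_uid != owner)
				return 0;	/* wrong owner */
			if (st.st_mode & (S_IWGRP | S_IWOTH))
				return 0;	/* someone else may write it */
		}
		if (slash == NULL)
			break;
		p = slash + 1;
	}

	/* The last component must be a regular file, not a directory. */
	if (lstat(cur, &st) == -1)
		return -1;
	return S_ISREG(st.st_mode) ? 1 : 0;
}

/*
 * Constructed sample tree for this example (hypothetical layout):
 * <tmp>/users/alice/authpf.rules with 0755 directories and a 0644 file,
 * all owned by the calling uid.  Built once; returns the temporary base
 * directory, or NULL if creation failed.
 */
const char *
fixture_base(void)
{
	static char base[PATH_MAX];
	static int state;	/* 0 = not built, 1 = ok, -1 = failed */
	static const char rules[] = "pass in from $user_ip to any\n";
	char path[PATH_MAX + 64];
	const char *tmp = getenv("TMPDIR");
	int fd;

	if (state != 0)
		return state == 1 ? base : NULL;
	state = -1;
	if (tmp == NULL)
		tmp = "/tmp";
	if (snprintf(base, sizeof(base), "%s/authpf-example.XXXXXX", tmp) >=
	    (int)sizeof(base) || mkdtemp(base) == NULL)
		return NULL;
	snprintf(path, sizeof(path), "%s/users", base);
	if (mkdir(path, 0755) == -1)
		return NULL;
	snprintf(path, sizeof(path), "%s/users/alice", base);
	if (mkdir(path, 0755) == -1)
		return NULL;
	snprintf(path, sizeof(path), "%s/users/alice/authpf.rules", base);
	fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (fd == -1)
		return NULL;
	if (write(fd, rules, sizeof(rules) - 1) == -1) {
		close(fd);
		return NULL;
	}
	close(fd);
	state = 1;
	return base;
}

/* Change the mode of the sample user directory; used to simulate a loosened path. */
int
set_user_dir_mode(const char *base, mode_t mode)
{
	char path[PATH_MAX + 64];

	snprintf(path, sizeof(path), "%s/users/alice", base);
	return chmod(path, mode);
}

int
main(void)
{
	const char *base = fixture_base();
	int ok;

	if (base == NULL) {
		perror("fixture_base");
		return 1;
	}
	ok = path_owned_and_unwritable(base, "users/alice/authpf.rules", geteuid());
	printf("rules file under %s: %s\n", base, ok == 1 ? "accepted" : "rejected");
	return ok == 1 ? 0 : 1;
}
```

The walk stops at the first offending component, so a group-writable parent directory rejects the file just as a world-writable file would; that is the property commit 1.6 is after, since a writable parent lets a user swap the file out.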


# 1.5 01-Apr-2002 beck

don't need this anymore


# 1.4 01-Apr-2002 beck

typo in comment


# 1.3 01-Apr-2002 beck

-Tattling is bad, users should be allowed to run anything on the system
without it generating logs
-exit with 0 and 1 instead of EX_FOO
-make read_config (with the test and exit) the first thing that
happens in main, no openlog or memset first.


# 1.2 01-Apr-2002 beck

-Make the /etc/authpf/authpf.conf config file required.
-Change authpf to install setuid by default, and exit with a tattling
syslog message if a user runs it without a config file present.
-Change man page to reflect this.


# 1.1 01-Apr-2002 beck

authpf - authenticating gateway shell for use with ssh(1) to make
authenticating gateway type firewalls.

caveats - needs to be setuid to operate (but does not install that way)
consult the man page for configuration issues.


# 1.128 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.127 26-Apr-2018 guenther

Use <fcntl.h> instead of <sys/file.h> for open() and friends.
Delete a bunch of unnecessary #includes and sort to match style(9)
while doing the above cleanup.

ok deraadt@ krw@


Revision tags: OPENBSD_6_3_BASE
# 1.126 16-Jan-2018 cheloha

Use the monotonic clock to compute the session duration.

Ensures the correct duration is logged even if the system
time is changed during the session.

ok jca@


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.125 29-Mar-2016 mestre

- Add missing goto in order to avoid a dereference of a null object
- While here remove lint comment

OK millert@


Revision tags: OPENBSD_5_9_BASE
# 1.124 08-Dec-2015 mmcc

Remove a NULL-check before free().


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.123 21-Jan-2015 deraadt

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of balony.


# 1.122 15-Jan-2015 deraadt

switch to PATH_MAX


# 1.121 08-Oct-2014 deraadt

remove stupid cast


Revision tags: OPENBSD_5_6_BASE
# 1.120 02-Apr-2014 deraadt

use setresgid()
ok guenther millert


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.119 02-Apr-2013 guenther

Handle big time_t

ok deraadt@


Revision tags: OPENBSD_5_3_BASE
# 1.118 19-Jan-2013 miod

fix build with gcc 2


# 1.117 15-Jan-2013 beck

Per group support for authpf rules files in /etc/authpf/groups.
largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me
and jmc@.


Revision tags: OPENBSD_5_2_BASE
# 1.116 07-Jul-2012 claudio

Fix file descriptor leak reported by someone on the mailing list long time
ago. OK beck@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.115 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.114 27-Jan-2010 todd

search for authpf.message in $USER dirs also
from Rafal Bisingier ravbc at man dot pozman dot pl, ok beck@


# 1.113 23-Nov-2009 claudio

Make the tree compile again. Henning and I are both quite sure this is
correct.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.112 10-Jan-2009 miod

Uninitialized variable introduced in 1.110.


# 1.111 10-Jan-2009 todd

variable declaration before use, found by vax, no cookie


# 1.110 06-Jan-2009 mcbride

Support group and login class in authpf.allow (%<group>, @<class>)

ok beck


# 1.109 07-Oct-2008 deraadt

protect better against races from incoming signals; slightly changed
from 5394 by tracking the fd instead of the fp.
ok beck


# 1.108 05-Oct-2008 deraadt

grammar; PR 5394


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.107 14-Feb-2008 mcbride

Add authpf-noip, which allows multiple users to connect from a single IP;
forces users to write sane rulesets for this by not providing $user_ip or
updating the authpf table.

testing and prodding by mtu, manpage heavily worked over by jmc
ok beck dhartmei henning


# 1.106 01-Feb-2008 mcbride

Clean anchors recursively and directly via ioctls rather than using pfctl
with '-f /dev/null'. Properly clears the user's anchor even when anchors
are nested inside it (And avoids having to fork() on exit to run pfctl)

ok beck@, with testing by mtu@


# 1.105 25-Sep-2007 chl

handle empty strings returned by fgets

ok ray@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.104 24-Feb-2007 beck

exit right away if the config file isn't there, rather than
doing a whole bunch of needless screwing around
noticed by Stefan Krah <stefan-usenet@bytereef.org>


# 1.103 24-Feb-2007 beck

license + copyright


# 1.102 24-Feb-2007 beck

Pr 5395 from Stefan Krah <stefan-usenet@bytereef.org>
cleanup:
remove unused arg
no need to clear locals
return -1 to allow pid cleanup to happen if fork fails


# 1.101 22-Feb-2007 beck

this ftruncate is really not needed now, if we're just unlinking.
ok millert@


# 1.100 22-Feb-2007 beck

close 5389 and 5390,
unused variable and a chance to unlink the pidfile without lock
if we couldn't kill a preexisting authpf process.
spotted by Stefan Krah <sfk1@bigfoot.com>.


Revision tags: OPENBSD_4_0_BASE
# 1.99 09-Aug-2006 dhartmei

handle SIGQUIT instead of SIGSTOP, from Stefan Krah


# 1.98 17-Mar-2006 deraadt

FILE * leak


# 1.97 14-Mar-2006 beck

fix incorrect sizeof(), spotted by ckuethe
ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.96 12-Dec-2005 beck

correct err() usage and remove the do_death which is unneeded in
the child proceess, (as noticed by <evol@online.ptt.ru>)


# 1.95 12-Dec-2005 beck

Backout previous change back to 1.92 - My fault, committed diff
from unclean tree.


# 1.94 09-Dec-2005 beck

Mine, so modernize license


# 1.93 09-Dec-2005 beck

calling do_death() after err makes us exit is not smart, and is in
fact unnecessary, my usage of err() here also repeated the formatted
error message twice. - We don't need do_death() here, and fix err
to print the message a bit more sanely.
Noticed by Andrey Matveev <evol@online.ptt.ru> - Thanks


# 1.92 08-Dec-2005 beck

make authpf give up group privs before exec'ing pfctl - makes it
so the new taint enforcement for /dev/fd/X opens don't kill it


Revision tags: OPENBSD_3_8_BASE
# 1.91 23-May-2005 henning

branches: 1.91.2;
useless endpwent


# 1.90 02-May-2005 djm

more setres[ug]id; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.89 10-Feb-2005 joel

branches: 1.89.2;
Minor punctuation nit.

ok henning@


# 1.88 31-Jan-2005 henning

warn(3) + _exit(2) instead of err(3) in the forked child
From: Andrey Matveev <andrushock@korovino.net>


# 1.87 31-Jan-2005 henning

-Wsign-compare clean, Andrey Matveev <andrushock@korovino.net>


# 1.86 16-Sep-2004 deraadt

ftruncate() with ftello() instead of ftell(); ok millert


Revision tags: OPENBSD_3_6_BASE
# 1.85 08-Aug-2004 deraadt

spacing


# 1.84 14-Jun-2004 cedric

Use new ioctls. ok beck@ henning@


# 1.83 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.82 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.81 13-May-2004 henning

as the authpf manpage describes, the connecting user's shell can be
overloaded via login.conf. When verifying that the user's login shell is
indeed authpf it is not sufficient to look at (struct passwd)->pw_shell,
we also have to use login_getclass etc to check wether the shell gets
overloaded.
ok millert@ beck@


# 1.80 28-Apr-2004 cedric

Put authpf user's IP addresses in the <authpf_users> table.
ok deraadt@ dhartmei@ markus@ mcbride@


# 1.79 28-Apr-2004 djm

IPv6 support; ok beck@


# 1.78 25-Apr-2004 deraadt

clean; ok beck


# 1.77 25-Apr-2004 beck

Make authpf exec pfctl instead of sucking in code from pfctl
ok cedric@


# 1.76 09-Apr-2004 cedric

Do not try to load directories. found+ok mpech@


Revision tags: OPENBSD_3_5_BASE
# 1.75 29-Jan-2004 deraadt

MORE BULLSHIT BECAUSE THIS PIECE OF SHIT IS INTERTWINED WITH PFCTL


# 1.74 13-Jan-2004 dhartmei

handle ruleset names containing usernames, fixes PR 3627, ok Bob


# 1.73 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.72 10-Dec-2003 beck

- fix a few exit cases that would exit with no log
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@


# 1.71 14-Nov-2003 henning

catch up with pfctl changes


# 1.70 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


# 1.69 26-Sep-2003 henning

erm, committing to teh right repository helps sometimes.
don't reject usernames > 15 chars; username is not used as ruleset name any
more, thus, this restriction is gone.
PR3491, fix from dhartmei


Revision tags: OPENBSD_3_4_BASE
# 1.68 21-Aug-2003 frantzen

stuff needed for passive OS fingerprinting PF rules


# 1.67 01-Aug-2003 millert

tickets are now u_int32_t, not int, fixes tree breakage; from Andrey Smagin


# 1.66 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistant with other
parsed rules.

ok dhartmei@


# 1.65 08-Jul-2003 dhartmei

Fix a bug that caused removal of previous users' rules when more then one
user loggged in concurrently. And fix a smaller bug which prevented
complete removal of a user's state entries on logout. Bug report and
testing by Ed Powers.


# 1.64 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.63 03-Jul-2003 cedric

This patch finally cleanup pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.62 28-Jun-2003 deraadt

() to (void)


# 1.61 27-Jun-2003 henning

/etc/authpf.allow -> /etc/authpf/authpf.allow in comments
spotted by Joel Knight again


# 1.60 24-Jun-2003 deraadt

clean


# 1.59 24-Jun-2003 deraadt

(long)getpid(); andrushock@korovino.net


# 1.58 03-Jun-2003 beck

remove term 3, with permission from Chris Kuethe for pathnames.h


# 1.57 10-May-2003 cloder

Be polite about leaving invalid data around in globals, just in case
someone comes along later, modifies the code, and runs into a problem.
OK beck@


# 1.56 10-May-2003 henning

catch up with pfctl changes


# 1.55 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.54 20-Apr-2003 beck

authpf is supposed to die if the /etc/authpf/authpf.conf is not present.
pr # 3217, patch from frisco@blackant.net


Revision tags: OPENBSD_3_3_BASE
# 1.53 19-Feb-2003 deraadt

branches: 1.53.2;
sync to pfctl; BAD HENNING BAD BAD BAD NO COOKIE


# 1.52 11-Feb-2003 henning

adjust after pfctl changes


# 1.51 03-Feb-2003 henning

typos and minor KNF; from andrushock, thanks!


# 1.50 02-Feb-2003 henning

adjust after pfctl change; parse_rules doesn't take opts separately any more


# 1.49 29-Jan-2003 deraadt

do setproctitle; ok camield


# 1.48 27-Jan-2003 dhartmei

remove some unused includes, from Andrey Matveev


# 1.47 26-Jan-2003 dhartmei

mop up, from krw


# 1.46 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.45 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.44 07-Jan-2003 dhartmei

Add function to search for and remove stale rulesets from other authpf
processes which have terminated unexpectedly. ok beck@


# 1.43 06-Jan-2003 deraadt

nicer syslog


# 1.42 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.41 01-Jan-2003 dhartmei

Scrub and filter rules are separated now, adjust authpf accordingly.


# 1.40 29-Dec-2002 dhartmei

Set a macro $user_id to the user name, just like $user_ip is already set
to the IP address. From discussion with Michael Lucas. ok henning@


# 1.39 22-Dec-2002 henning

KNF


# 1.38 22-Dec-2002 dhartmei

Instead of inserting and removing rules at the top/bottom of the main
ruleset, make authpf manage its rules inside anchors.


# 1.37 19-Dec-2002 henning

redundant memset


# 1.36 19-Dec-2002 henning

KNF


# 1.35 18-Dec-2002 mcbride

Fix tree breakage; match changes to struct pfctl (now contains an array
of pointers to pfioc_rule).

Fix from henning@

ok dhartmei@


# 1.34 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule
- Move pf_compare* functions here
- fix ioctls.


# 1.33 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.32 04-Dec-2002 deraadt

catch up to -v -v change in pfctl(8)


# 1.31 01-Dec-2002 henning

KNF


# 1.30 01-Dec-2002 mcbride

Match pf_ioctl.c cleanup; if we're doing a DIOCCHANGE* operation which uses
old*, we need to call DIOCBEGINADDRS twice: once for the old rule/rdr/nat,
and once for the new one.

ok dhartmei@ henning@


# 1.29 23-Nov-2002 mcbride

don't try to do ioctl with PF_OPT_NOACTION

does not impact function of authpf, but makes it consistent with the rest of
the add_* family

ok dhartmei@


# 1.28 23-Nov-2002 mcbride

add code to load lists of redirection addresses for nat/rdr/route-to/etc.


# 1.27 22-Nov-2002 beck

Disallow non-interactive sessions, to avoid problem of users scp'ing
to authpf gateway - noticed by Devan Reade <gdr@gno.org>, ok henning


# 1.26 19-Nov-2002 deraadt

be more precise


# 1.25 19-Nov-2002 deraadt

hacks to make the tree build; henning gets a carrot up the nose next time i meet him


# 1.24 25-Oct-2002 camield

- be even more careful with data supplied from outside
- check explicitly for negative values from snprintf (-pedantic)
- use MAXLOGNAME
- use parentheses with all sizeof's for consistency


Revision tags: OPENBSD_3_2_BASE
# 1.23 25-Jun-2002 henning

hooks for options.
we don't support setting pf options via authpf, but need the hooks here, too.
ok dhartmei@, kjell@


# 1.22 12-Jun-2002 vincent

fix a typo that could create a fd leak

ok beck@


# 1.21 11-Jun-2002 beck

fix breakage from the stupid way theo and I committed that last big pile of
changes.


# 1.20 11-Jun-2002 kjell

I broke this. Remove separate (optional) nat calls


# 1.19 08-Jun-2002 beck

comment and error message cleanup, from Brian Poole <raj@cerias.purdue.edu>


# 1.18 07-Jun-2002 beck

fix a few nits in theo's commit, make this install and run setgid authpf
so that it can remove the files it creates in /var/authpf


# 1.17 07-Jun-2002 deraadt

twist time, space, and other aspects of reality so that we can revoke privs,
and... as early as possible. (this does not work, beck has the next half
of this coming in a few minutes)


# 1.16 30-May-2002 form

Do not allow user to run authpf if user's shell is not /usr/sbin/authpf to
prevent users from playing with $SSH_CLIENT.


# 1.15 21-May-2002 deraadt

KNF before more major hacking


# 1.14 16-May-2002 deraadt

KNF


# 1.13 24-Apr-2002 dhartmei

Unbreak from pfvar.h change.


Revision tags: OPENBSD_3_1_BASE
# 1.12 09-Apr-2002 frantzen

make sure we fflush() after sending a message and fix a typo in a comment
ok beck@ and deraadt@


# 1.11 09-Apr-2002 beck

don't trust USER from the environment - bad, allows users to see files
they shouldn't


# 1.10 09-Apr-2002 deraadt

minor KNF


# 1.9 08-Apr-2002 mpech

Free memory. Patch from millert@.


# 1.8 07-Apr-2002 frantzen

fix authpf_kill_states()


# 1.7 05-Apr-2002 deraadt

move location of per-user config files; beck ok


# 1.6 05-Apr-2002 beck

ensure that rules files are owned and writable only by root,
along their entire path, change docs accordingly. This ensures
that people don't accidentally use the $HOME config files to
override real settings unless root meant to do it.


# 1.5 01-Apr-2002 beck

don't need this anymore


# 1.4 01-Apr-2002 beck

typo in comment


# 1.3 01-Apr-2002 beck

-Tattling is bad, users should be allowed to run anything on the system
without it generating logs
-exit with 0 and 1 instead of EX_FOO
-make read_config (with the test and exit) the first thing that
happens in main, no openlog or memset first.


# 1.2 01-Apr-2002 beck

-Make the /etc/authpf/authpf.conf config file required.
-Change authpf to install setuid by default, and exit with a tattling
syslog message if a user runs it without a config file present.
-Change man page to reflect this.


# 1.1 01-Apr-2002 beck

authpf - authenticating gateway shell for use with ssh(1) to make
authenticating gateway type firewalls.

caveats - needs to be setuid to operate (but does not install that way)
consult the man page for configuration issues.


# 1.126 16-Jan-2018 cheloha

Use the monotonic clock to compute the session duration.

Ensures the correct duration is logged even if the system
time is changed during the session.

ok jca@


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.125 29-Mar-2016 mestre

- Add missing goto in order to avoid a dereference of a null object
- While here remove lint comment

OK millert@


Revision tags: OPENBSD_5_9_BASE
# 1.124 08-Dec-2015 mmcc

Remove a NULL-check before free().


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.123 21-Jan-2015 deraadt

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of balony.


# 1.122 15-Jan-2015 deraadt

switch to PATH_MAX


# 1.121 08-Oct-2014 deraadt

remove stupid cast


Revision tags: OPENBSD_5_6_BASE
# 1.120 02-Apr-2014 deraadt

use setresgid()
ok guenther millert


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.119 02-Apr-2013 guenther

Handle big time_t

ok deraadt@


Revision tags: OPENBSD_5_3_BASE
# 1.118 19-Jan-2013 miod

fix build with gcc 2


# 1.117 15-Jan-2013 beck

Per group support for authpf rules files in /etc/authpf/groups.
largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me
and jmc@.


Revision tags: OPENBSD_5_2_BASE
# 1.116 07-Jul-2012 claudio

Fix file descriptor leak reported by someone on the mailing list long time
ago. OK beck@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.115 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.114 27-Jan-2010 todd

search for authpf.message in $USER dirs also
from Rafal Bisingier ravbc at man dot pozman dot pl, ok beck@


# 1.113 23-Nov-2009 claudio

Make the tree compile again. Henning and I are both quite sure this is
correct.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.112 10-Jan-2009 miod

Uninitialized variable introduced in 1.110.


# 1.111 10-Jan-2009 todd

variable declaration before use, found by vax, no cookie


# 1.110 06-Jan-2009 mcbride

Support group and login class in authpf.allow (%<group>, @<class>)

ok beck


# 1.109 07-Oct-2008 deraadt

protect better against races from incoming signals; slightly changed
from 5394 by tracking the fd instead of the fp.
ok beck


# 1.108 05-Oct-2008 deraadt

grammar; PR 5394


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.107 14-Feb-2008 mcbride

Add authpf-noip, which allows multiple users to connect from a single IP;
forces users to write sane rulesets for this by not providing $user_ip or
updating the authpf table.

testing and prodding by mtu, manpage heavily worked over by jmc
ok beck dhartmei henning


# 1.106 01-Feb-2008 mcbride

Clean anchors recursively and directly via ioctls rather than using pfctl
with '-f /dev/null'. Properly clears the user's anchor even when anchors
are nested inside it (And avoids having to fork() on exit to run pfctl)

ok beck@, with testing by mtu@


# 1.105 25-Sep-2007 chl

handle empty strings returned by fgets

ok ray@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.104 24-Feb-2007 beck

exit right away if the config file isn't there, rather than
doing a whole bunch of needless screwing around
noticed by Stefan Krah <stefan-usenet@bytereef.org>


# 1.103 24-Feb-2007 beck

license + copyright


# 1.102 24-Feb-2007 beck

Pr 5395 from Stefan Krah <stefan-usenet@bytereef.org>
cleanup:
remove unused arg
no need to clear locals
return -1 to allow pid cleanup to happen if fork fails


# 1.101 22-Feb-2007 beck

this ftruncate is really not needed now, if we're just unlinking.
ok millert@


# 1.100 22-Feb-2007 beck

close 5389 and 5390,
unused variable and a chance to unlink the pidfile without lock
if we couldn't kill a preexisting authpf process.
spotted by Stefan Krah <sfk1@bigfoot.com>.


Revision tags: OPENBSD_4_0_BASE
# 1.99 09-Aug-2006 dhartmei

handle SIGQUIT instead of SIGSTOP, from Stefan Krah


# 1.98 17-Mar-2006 deraadt

FILE * leak


# 1.97 14-Mar-2006 beck

fix incorrect sizeof(), spotted by ckuethe
ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.96 12-Dec-2005 beck

correct err() usage and remove the do_death which is unneeded in
the child proceess, (as noticed by <evol@online.ptt.ru>)


# 1.95 12-Dec-2005 beck

Backout previous change back to 1.92 - My fault, committed diff
from unclean tree.


# 1.94 09-Dec-2005 beck

Mine, so modernize license


# 1.93 09-Dec-2005 beck

calling do_death() after err makes us exit is not smart, and is in
fact unnecessary, my usage of err() here also repeated the formatted
error message twice. - We don't need do_death() here, and fix err
to print the message a bit more sanely.
Noticed by Andrey Matveev <evol@online.ptt.ru> - Thanks


# 1.92 08-Dec-2005 beck

make authpf give up group privs before exec'ing pfctl - makes it
so the new taint enforcement for /dev/fd/X opens don't kill it


Revision tags: OPENBSD_3_8_BASE
# 1.91 23-May-2005 henning

branches: 1.91.2;
useless endpwent


# 1.90 02-May-2005 djm

more setres[ug]id; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.89 10-Feb-2005 joel

branches: 1.89.2;
Minor punctuation nit.

ok henning@


# 1.88 31-Jan-2005 henning

warn(3) + _exit(2) instead of err(3) in the forked child
From: Andrey Matveev <andrushock@korovino.net>


# 1.87 31-Jan-2005 henning

-Wsign-compare clean, Andrey Matveev <andrushock@korovino.net>


# 1.86 16-Sep-2004 deraadt

ftruncate() with ftello() instead of ftell(); ok millert


Revision tags: OPENBSD_3_6_BASE
# 1.85 08-Aug-2004 deraadt

spacing


# 1.84 14-Jun-2004 cedric

Use new ioctls. ok beck@ henning@


# 1.83 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.82 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.81 13-May-2004 henning

as the authpf manpage describes, the connecting user's shell can be
overloaded via login.conf. When verifying that the user's login shell is
indeed authpf it is not sufficient to look at (struct passwd)->pw_shell,
we also have to use login_getclass etc to check whether the shell gets
overloaded.
ok millert@ beck@


# 1.80 28-Apr-2004 cedric

Put authpf user's IP addresses in the <authpf_users> table.
ok deraadt@ dhartmei@ markus@ mcbride@


# 1.79 28-Apr-2004 djm

IPv6 support; ok beck@


# 1.78 25-Apr-2004 deraadt

clean; ok beck


# 1.77 25-Apr-2004 beck

Make authpf exec pfctl instead of sucking in code from pfctl
ok cedric@


# 1.76 09-Apr-2004 cedric

Do not try to load directories. found+ok mpech@


Revision tags: OPENBSD_3_5_BASE
# 1.75 29-Jan-2004 deraadt

MORE BULLSHIT BECAUSE THIS PIECE OF SHIT IS INTERTWINED WITH PFCTL


# 1.74 13-Jan-2004 dhartmei

handle ruleset names containing usernames, fixes PR 3627, ok Bob


# 1.73 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.72 10-Dec-2003 beck

- fix a few exit cases that would exit with no log
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@


# 1.71 14-Nov-2003 henning

catch up with pfctl changes


# 1.70 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


# 1.69 26-Sep-2003 henning

erm, committing to the right repository helps sometimes.
don't reject usernames > 15 chars; username is not used as ruleset name any
more, thus, this restriction is gone.
PR3491, fix from dhartmei


Revision tags: OPENBSD_3_4_BASE
# 1.68 21-Aug-2003 frantzen

stuff needed for passive OS fingerprinting PF rules


# 1.67 01-Aug-2003 millert

tickets are now u_int32_t, not int, fixes tree breakage; from Andrey Smagin


# 1.66 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.65 08-Jul-2003 dhartmei

Fix a bug that caused removal of previous users' rules when more than one
user logged in concurrently. And fix a smaller bug which prevented
complete removal of a user's state entries on logout. Bug report and
testing by Ed Powers.


# 1.64 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.63 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.62 28-Jun-2003 deraadt

() to (void)


# 1.61 27-Jun-2003 henning

/etc/authpf.allow -> /etc/authpf/authpf.allow in comments
spotted by Joel Knight again


# 1.60 24-Jun-2003 deraadt

clean


# 1.59 24-Jun-2003 deraadt

(long)getpid(); andrushock@korovino.net


# 1.58 03-Jun-2003 beck

remove term 3, with permission from Chris Kuethe for pathnames.h


# 1.57 10-May-2003 cloder

Be polite about leaving invalid data around in globals, just in case
someone comes along later, modifies the code, and runs into a problem.
OK beck@


# 1.56 10-May-2003 henning

catch up with pfctl changes


# 1.55 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.54 20-Apr-2003 beck

authpf is supposed to die if the /etc/authpf/authpf.conf is not present.
pr # 3217, patch from frisco@blackant.net


Revision tags: OPENBSD_3_3_BASE
# 1.53 19-Feb-2003 deraadt

branches: 1.53.2;
sync to pfctl; BAD HENNING BAD BAD BAD NO COOKIE


# 1.52 11-Feb-2003 henning

adjust after pfctl changes


# 1.51 03-Feb-2003 henning

typos and minor KNF; from andrushock, thanks!


# 1.50 02-Feb-2003 henning

adjust after pfctl change; parse_rules doesn't take opts separately any more


# 1.49 29-Jan-2003 deraadt

do setproctitle; ok camield


# 1.48 27-Jan-2003 dhartmei

remove some unused includes, from Andrey Matveev


# 1.47 26-Jan-2003 dhartmei

mop up, from krw


# 1.46 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.45 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.44 07-Jan-2003 dhartmei

Add function to search for and remove stale rulesets from other authpf
processes which have terminated unexpectedly. ok beck@


# 1.43 06-Jan-2003 deraadt

nicer syslog


# 1.42 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.41 01-Jan-2003 dhartmei

Scrub and filter rules are separated now, adjust authpf accordingly.


# 1.40 29-Dec-2002 dhartmei

Set a macro $user_id to the user name, just like $user_ip is already set
to the IP address. From discussion with Michael Lucas. ok henning@


# 1.39 22-Dec-2002 henning

KNF


# 1.38 22-Dec-2002 dhartmei

Instead of inserting and removing rules at the top/bottom of the main
ruleset, make authpf manage its rules inside anchors.


# 1.37 19-Dec-2002 henning

redundant memset


# 1.36 19-Dec-2002 henning

KNF


# 1.35 18-Dec-2002 mcbride

Fix tree breakage; match changes to struct pfctl (now contains an array
of pointers to pfioc_rule).

Fix from henning@

ok dhartmei@


# 1.34 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule
- Move pf_compare* functions here
- fix ioctls.


# 1.33 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.32 04-Dec-2002 deraadt

catch up to -v -v change in pfctl(8)


# 1.31 01-Dec-2002 henning

KNF


# 1.30 01-Dec-2002 mcbride

Match pf_ioctl.c cleanup; if we're doing a DIOCCHANGE* operation which uses
old*, we need to call DIOCBEGINADDRS twice: once for the old rule/rdr/nat,
and once for the new one.

ok dhartmei@ henning@


# 1.29 23-Nov-2002 mcbride

don't try to do ioctl with PF_OPT_NOACTION

does not impact function of authpf, but makes it consistent with the rest of
the add_* family

ok dhartmei@


# 1.28 23-Nov-2002 mcbride

add code to load lists of redirection addresses for nat/rdr/route-to/etc.


# 1.27 22-Nov-2002 beck

Disallow non-interactive sessions, to avoid problem of users scp'ing
to authpf gateway - noticed by Devan Reade <gdr@gno.org>, ok henning


# 1.26 19-Nov-2002 deraadt

be more precise


# 1.25 19-Nov-2002 deraadt

hacks to make the tree build; henning gets a carrot up the nose next time i meet him


# 1.24 25-Oct-2002 camield

- be even more careful with data supplied from outside
- check explicitly for negative values from snprintf (-pedantic)
- use MAXLOGNAME
- use parentheses with all sizeof's for consistency


Revision tags: OPENBSD_3_2_BASE
# 1.23 25-Jun-2002 henning

hooks for options.
we don't support setting pf options via authpf, but need the hooks here, too.
ok dhartmei@, kjell@


# 1.22 12-Jun-2002 vincent

fix a typo that could create a fd leak

ok beck@


# 1.21 11-Jun-2002 beck

fix breakage from the stupid way theo and I committed that last big pile of
changes.


# 1.20 11-Jun-2002 kjell

I broke this. Remove separate (optional) nat calls


# 1.19 08-Jun-2002 beck

comment and error message cleanup, from Brian Poole <raj@cerias.purdue.edu>


# 1.18 07-Jun-2002 beck

fix a few nits in theo's commit, make this install and run setgid authpf
so that it can remove the files it creates in /var/authpf


# 1.17 07-Jun-2002 deraadt

twist time, space, and other aspects of reality so that we can revoke privs,
and... as early as possible. (this does not work, beck has the next half
of this coming in a few minutes)


# 1.16 30-May-2002 form

Do not allow user to run authpf if user's shell is not /usr/sbin/authpf to
prevent users from playing with $SSH_CLIENT.


# 1.15 21-May-2002 deraadt

KNF before more major hacking


# 1.14 16-May-2002 deraadt

KNF


# 1.13 24-Apr-2002 dhartmei

Unbreak from pfvar.h change.


Revision tags: OPENBSD_3_1_BASE
# 1.12 09-Apr-2002 frantzen

make sure we fflush() after sending a message and fix a typo in a comment
ok beck@ and deraadt@


# 1.11 09-Apr-2002 beck

don't trust USER from the environment - bad, allows users to see files
they shouldn't


# 1.10 09-Apr-2002 deraadt

minor KNF


# 1.9 08-Apr-2002 mpech

Free memory. Patch from millert@.


# 1.8 07-Apr-2002 frantzen

fix authpf_kill_states()


# 1.7 05-Apr-2002 deraadt

move location of per-user config files; beck ok


# 1.6 05-Apr-2002 beck

ensure that rules files are owned and writable only by root,
along their entire path, change docs accordingly. This ensures
that people don't accidentally use the $HOME config files to
override real settings unless root meant to do it.


# 1.5 01-Apr-2002 beck

don't need this anymore


# 1.4 01-Apr-2002 beck

typo in comment


# 1.3 01-Apr-2002 beck

-Tattling is bad, users should be allowed to run anything on the system
without it generating logs
-exit with 0 and 1 instead of EX_FOO
-make read_config (with the test and exit) the first thing that
happens in main, no openlog or memset first.


# 1.2 01-Apr-2002 beck

-Make the /etc/authpf/authpf.conf config file required.
-Change authpf to install setuid by default, and exit with a tattling
syslog message if a user runs it without a config file present.
-Change man page to reflect this.


# 1.1 01-Apr-2002 beck

authpf - authenticating gateway shell for use with ssh(1) to make
authenticating gateway type firewalls.

caveats - needs to be setuid to operate (but does not install that way)
consult the man page for configuration issues.