authpf.c revision 1.1
1 /* $OpenBSD: authpf.c,v 1.75 2004/01/29 01:55:10 deraadt Exp $ */ 2 3 /* 4 * Copyright (C) 1998 - 2002 Bob Beck (beck (at) openbsd.org). 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/file.h> 30 #include <sys/ioctl.h> 31 #include <sys/socket.h> 32 #include <sys/time.h> 33 34 #include <net/if.h> 35 #include <net/pfvar.h> 36 #include <arpa/inet.h> 37 38 #include <err.h> 39 #include <errno.h> 40 #include <pwd.h> 41 #include <signal.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <syslog.h> 46 #include <unistd.h> 47 48 #include <pfctl_parser.h> 49 #include <pfctl.h> 50 51 #include "pathnames.h" 52 53 extern int symset(const char *, const char *, int); 54 55 static int read_config(FILE *); 56 static void print_message(char *); 57 static int allowed_luser(char *); 58 static int check_luser(char *, char *); 59 static int remove_stale_rulesets(void); 60 static int change_filter(int, const char *, const char *); 61 static void authpf_kill_states(void); 62 63 int dev; /* pf device */ 64 char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf"; 65 char rulesetname[PF_RULESET_NAME_SIZE]; 66 67 FILE *pidfp; 68 char *infile; /* file name printed by yyerror() in parse.y */ 69 char luser[MAXLOGNAME]; /* username */ 70 char ipsrc[256]; /* ip as a string */ 71 char pidfile[MAXPATHLEN]; /* we save pid in this file. */ 72 73 struct timeval Tstart, Tend; /* start and end times of session */ 74 75 volatile sig_atomic_t want_death; 76 static void need_death(int signo); 77 static __dead void do_death(int); 78 79 /* 80 * User shell for authenticating gateways. Sole purpose is to allow 81 * a user to ssh to a gateway, and have the gateway modify packet 82 * filters to allow access, then remove access when the user finishes 83 * up. Meant to be used only from ssh(1) connections. 84 */ 85 int 86 main(int argc, char *argv[]) 87 { 88 int lockcnt = 0, n, pidfd; 89 FILE *config; 90 struct in_addr ina; 91 struct passwd *pw; 92 char *cp; 93 uid_t uid; 94 95 config = fopen(PATH_CONFFILE, "r"); 96 97 if ((cp = getenv("SSH_TTY")) == NULL) { 98 syslog(LOG_ERR, "non-interactive session connection for authpf"); 99 exit(1); 100 } 101 102 if ((cp = getenv("SSH_CLIENT")) == NULL) { 103 syslog(LOG_ERR, "cannot determine connection source"); 104 exit(1); 105 } 106 107 if (strlcpy(ipsrc, cp, sizeof(ipsrc)) >= sizeof(ipsrc)) { 108 syslog(LOG_ERR, "SSH_CLIENT variable too long"); 109 exit(1); 110 } 111 cp = strchr(ipsrc, ' '); 112 if (!cp) { 113 syslog(LOG_ERR, "corrupt SSH_CLIENT variable %s", ipsrc); 114 exit(1); 115 } 116 *cp = '\0'; 117 if (inet_pton(AF_INET, ipsrc, &ina) != 1) { 118 syslog(LOG_ERR, 119 "cannot determine IP from SSH_CLIENT %s", ipsrc); 120 exit(1); 121 } 122 /* open the pf device */ 123 dev = open(PATH_DEVFILE, O_RDWR); 124 if (dev == -1) { 125 syslog(LOG_ERR, "cannot open packet filter device (%m)"); 126 goto die; 127 } 128 129 uid = getuid(); 130 pw = getpwuid(uid); 131 if (pw == NULL) { 132 syslog(LOG_ERR, "cannot find user for uid %u", uid); 133 goto die; 134 } 135 if (strcmp(pw->pw_shell, PATH_AUTHPF_SHELL)) { 136 syslog(LOG_ERR, "wrong shell for user %s, uid %u", 137 pw->pw_name, pw->pw_uid); 138 goto die; 139 } 140 141 /* 142 * Paranoia, but this data _does_ come from outside authpf, and 143 * truncation would be bad. 144 */ 145 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) { 146 syslog(LOG_ERR, "username too long: %s", pw->pw_name); 147 goto die; 148 } 149 150 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)", 151 luser, (long)getpid())) < 0 || n >= sizeof(rulesetname)) { 152 syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld", 153 luser, (long)getpid(), (long)getpid()); 154 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld", 155 (long)getpid())) < 0 || n >= sizeof(rulesetname)) { 156 syslog(LOG_ERR, "pid too large for ruleset name"); 157 goto die; 158 } 159 } 160 161 162 /* Make our entry in /var/authpf as /var/authpf/ipaddr */ 163 n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc); 164 if (n < 0 || (u_int)n >= sizeof(pidfile)) { 165 syslog(LOG_ERR, "path to pidfile too long"); 166 goto die; 167 } 168 169 /* 170 * If someone else is already using this ip, then this person 171 * wants to switch users - so kill the old process and exit 172 * as well. 173 * 174 * Note, we could print a message and tell them to log out, but the 175 * usual case of this is that someone has left themselves logged in, 176 * with the authenticated connection iconized and someone else walks 177 * up to use and automatically logs in before using. If this just 178 * gets rid of the old one silently, the new user never knows they 179 * could have used someone else's old authentication. If we 180 * tell them to log out before switching users it is an invitation 181 * for abuse. 182 */ 183 184 do { 185 int save_errno, otherpid = -1; 186 char otherluser[MAXLOGNAME]; 187 188 if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 || 189 (pidfp = fdopen(pidfd, "r+")) == NULL) { 190 if (pidfd != -1) 191 close(pidfd); 192 syslog(LOG_ERR, "cannot open or create %s: %s", pidfile, 193 strerror(errno)); 194 goto die; 195 } 196 197 if (flock(fileno(pidfp), LOCK_EX|LOCK_NB) == 0) 198 break; 199 save_errno = errno; 200 201 /* Mark our pid, and username to our file. */ 202 203 rewind(pidfp); 204 /* 31 == MAXLOGNAME - 1 */ 205 if (fscanf(pidfp, "%d\n%31s\n", &otherpid, otherluser) != 2) 206 otherpid = -1; 207 syslog(LOG_DEBUG, "tried to lock %s, in use by pid %d: %s", 208 pidfile, otherpid, strerror(save_errno)); 209 210 if (otherpid > 0) { 211 syslog(LOG_INFO, 212 "killing prior auth (pid %d) of %s by user %s", 213 otherpid, ipsrc, otherluser); 214 if (kill((pid_t) otherpid, SIGTERM) == -1) { 215 syslog(LOG_INFO, 216 "could not kill process %d: (%m)", 217 otherpid); 218 } 219 } 220 221 /* 222 * we try to kill the previous process and acquire the lock 223 * for 10 seconds, trying once a second. if we can't after 224 * 10 attempts we log an error and give up 225 */ 226 if (++lockcnt > 10) { 227 syslog(LOG_ERR, "cannot kill previous authpf (pid %d)", 228 otherpid); 229 goto dogdeath; 230 } 231 sleep(1); 232 233 /* re-open, and try again. The previous authpf process 234 * we killed above should unlink the file and release 235 * it's lock, giving us a chance to get it now 236 */ 237 fclose(pidfp); 238 } while (1); 239 240 /* revoke privs */ 241 seteuid(getuid()); 242 setuid(getuid()); 243 244 openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); 245 246 if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { 247 syslog(LOG_INFO, "user %s prohibited", luser); 248 do_death(0); 249 } 250 251 if (config == NULL || read_config(config)) { 252 syslog(LOG_INFO, "bad or nonexistent %s", PATH_CONFFILE); 253 do_death(0); 254 } 255 256 if (remove_stale_rulesets()) { 257 syslog(LOG_INFO, "error removing stale rulesets"); 258 do_death(0); 259 } 260 261 /* We appear to be making headway, so actually mark our pid */ 262 rewind(pidfp); 263 fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser); 264 fflush(pidfp); 265 (void) ftruncate(fileno(pidfp), ftell(pidfp)); 266 267 if (change_filter(1, luser, ipsrc) == -1) { 268 printf("Unable to modify filters\r\n"); 269 do_death(0); 270 } 271 272 signal(SIGTERM, need_death); 273 signal(SIGINT, need_death); 274 signal(SIGALRM, need_death); 275 signal(SIGPIPE, need_death); 276 signal(SIGHUP, need_death); 277 signal(SIGSTOP, need_death); 278 signal(SIGTSTP, need_death); 279 while (1) { 280 printf("\r\nHello %s, ", luser); 281 printf("You are authenticated from host \"%s\"\r\n", ipsrc); 282 setproctitle("%s@%s", luser, ipsrc); 283 print_message(PATH_MESSAGE); 284 while (1) { 285 sleep(10); 286 if (want_death) 287 do_death(1); 288 } 289 } 290 291 /* NOTREACHED */ 292 dogdeath: 293 printf("\r\n\r\nSorry, this service is currently unavailable due to "); 294 printf("technical difficulties\r\n\r\n"); 295 print_message(PATH_PROBLEM); 296 printf("\r\nYour authentication process (pid %ld) was unable to run\n", 297 (long)getpid()); 298 sleep(180); /* them lusers read reaaaaal slow */ 299 die: 300 do_death(0); 301 } 302 303 /* 304 * reads config file in PATH_CONFFILE to set optional behaviours up 305 */ 306 static int 307 read_config(FILE *f) 308 { 309 char buf[1024]; 310 int i = 0; 311 312 do { 313 char **ap; 314 char *pair[4], *cp, *tp; 315 int len; 316 317 if (fgets(buf, sizeof(buf), f) == NULL) { 318 fclose(f); 319 return (0); 320 } 321 i++; 322 len = strlen(buf); 323 if (buf[len - 1] != '\n' && !feof(f)) { 324 syslog(LOG_ERR, "line %d too long in %s", i, 325 PATH_CONFFILE); 326 return (1); 327 } 328 buf[len - 1] = '\0'; 329 330 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) 331 ; /* nothing */ 332 333 if (!*cp || *cp == '#' || *cp == '\n') 334 continue; 335 336 for (ap = pair; ap < &pair[3] && 337 (*ap = strsep(&cp, "=")) != NULL; ) { 338 if (**ap != '\0') 339 ap++; 340 } 341 if (ap != &pair[2]) 342 goto parse_error; 343 344 tp = pair[1] + strlen(pair[1]); 345 while ((*tp == ' ' || *tp == '\t') && tp >= pair[1]) 346 *tp-- = '\0'; 347 348 if (strcasecmp(pair[0], "anchor") == 0) { 349 if (!pair[1][0] || strlcpy(anchorname, pair[1], 350 sizeof(anchorname)) >= sizeof(anchorname)) 351 goto parse_error; 352 } 353 } while (!feof(f) && !ferror(f)); 354 fclose(f); 355 return (0); 356 357 parse_error: 358 fclose(f); 359 syslog(LOG_ERR, "parse error, line %d of %s", i, PATH_CONFFILE); 360 return (1); 361 } 362 363 364 /* 365 * splatter a file to stdout - max line length of 1024, 366 * used for spitting message files at users to tell them 367 * they've been bad or we're unavailable. 368 */ 369 static void 370 print_message(char *filename) 371 { 372 char buf[1024]; 373 FILE *f; 374 375 if ((f = fopen(filename, "r")) == NULL) 376 return; /* fail silently, we don't care if it isn't there */ 377 378 do { 379 if (fgets(buf, sizeof(buf), f) == NULL) { 380 fflush(stdout); 381 fclose(f); 382 return; 383 } 384 } while (fputs(buf, stdout) != EOF && !feof(f)); 385 fflush(stdout); 386 fclose(f); 387 } 388 389 /* 390 * allowed_luser checks to see if user "luser" is allowed to 391 * use this gateway by virtue of being listed in an allowed 392 * users file, namely /etc/authpf/authpf.allow . 393 * 394 * If /etc/authpf/authpf.allow does not exist, then we assume that 395 * all users who are allowed in by sshd(8) are permitted to 396 * use this gateway. If /etc/authpf/authpf.allow does exist, then a 397 * user must be listed if the connection is to continue, else 398 * the session terminates in the same manner as being banned. 399 */ 400 static int 401 allowed_luser(char *luser) 402 { 403 char *buf, *lbuf; 404 int matched; 405 size_t len; 406 FILE *f; 407 408 if ((f = fopen(PATH_ALLOWFILE, "r")) == NULL) { 409 if (errno == ENOENT) { 410 /* 411 * allowfile doesn't exist, thus this gateway 412 * isn't restricted to certain users... 413 */ 414 return (1); 415 } 416 417 /* 418 * luser may in fact be allowed, but we can't open 419 * the file even though it's there. probably a config 420 * problem. 421 */ 422 syslog(LOG_ERR, "cannot open allowed users file %s (%s)", 423 PATH_ALLOWFILE, strerror(errno)); 424 return (0); 425 } else { 426 /* 427 * /etc/authpf/authpf.allow exists, thus we do a linear 428 * search to see if they are allowed. 429 * also, if username "*" exists, then this is a 430 * "public" gateway, such as it is, so let 431 * everyone use it. 432 */ 433 lbuf = NULL; 434 while ((buf = fgetln(f, &len))) { 435 if (buf[len - 1] == '\n') 436 buf[len - 1] = '\0'; 437 else { 438 if ((lbuf = (char *)malloc(len + 1)) == NULL) 439 err(1, NULL); 440 memcpy(lbuf, buf, len); 441 lbuf[len] = '\0'; 442 buf = lbuf; 443 } 444 445 matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0; 446 447 if (lbuf != NULL) { 448 free(lbuf); 449 lbuf = NULL; 450 } 451 452 if (matched) 453 return (1); /* matched an allowed username */ 454 } 455 syslog(LOG_INFO, "denied access to %s: not listed in %s", 456 luser, PATH_ALLOWFILE); 457 458 /* reuse buf */ 459 buf = "\n\nSorry, you are not allowed to use this facility!\n"; 460 fputs(buf, stdout); 461 } 462 fflush(stdout); 463 return (0); 464 } 465 466 /* 467 * check_luser checks to see if user "luser" has been banned 468 * from using us by virtue of having an file of the same name 469 * in the "luserdir" directory. 470 * 471 * If the user has been banned, we copy the contents of the file 472 * to the user's screen. (useful for telling the user what to 473 * do to get un-banned, or just to tell them they aren't 474 * going to be un-banned.) 475 */ 476 static int 477 check_luser(char *luserdir, char *luser) 478 { 479 FILE *f; 480 int n; 481 char tmp[MAXPATHLEN]; 482 483 n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser); 484 if (n < 0 || (u_int)n >= sizeof(tmp)) { 485 syslog(LOG_ERR, "provided banned directory line too long (%s)", 486 luserdir); 487 return (0); 488 } 489 if ((f = fopen(tmp, "r")) == NULL) { 490 if (errno == ENOENT) { 491 /* 492 * file or dir doesn't exist, so therefore 493 * this luser isn't banned.. all is well 494 */ 495 return (1); 496 } else { 497 /* 498 * luser may in fact be banned, but we can't open the 499 * file even though it's there. probably a config 500 * problem. 501 */ 502 syslog(LOG_ERR, "cannot open banned file %s (%s)", 503 tmp, strerror(errno)); 504 return (0); 505 } 506 } else { 507 /* 508 * luser is banned - spit the file at them to 509 * tell what they can do and where they can go. 510 */ 511 syslog(LOG_INFO, "denied access to %s: %s exists", 512 luser, tmp); 513 514 /* reuse tmp */ 515 strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n", 516 sizeof(tmp)); 517 while (fputs(tmp, stdout) != EOF && !feof(f)) { 518 if (fgets(tmp, sizeof(tmp), f) == NULL) { 519 fflush(stdout); 520 return (0); 521 } 522 } 523 } 524 fflush(stdout); 525 return (0); 526 } 527 528 /* 529 * Search for rulesets left by other authpf processes (either because they 530 * died ungracefully or were terminated) and remove them. 531 */ 532 static int 533 remove_stale_rulesets(void) 534 { 535 struct pfioc_ruleset prs; 536 const int action[PF_RULESET_MAX] = { PF_SCRUB, 537 PF_PASS, PF_NAT, PF_BINAT, PF_RDR }; 538 u_int32_t nr, mnr; 539 540 memset(&prs, 0, sizeof(prs)); 541 strlcpy(prs.anchor, anchorname, sizeof(prs.anchor)); 542 if (ioctl(dev, DIOCGETRULESETS, &prs)) { 543 if (errno == EINVAL) 544 return (0); 545 else 546 return (1); 547 } 548 549 mnr = prs.nr; 550 nr = 0; 551 while (nr < mnr) { 552 char *s, *t; 553 pid_t pid; 554 555 prs.nr = nr; 556 if (ioctl(dev, DIOCGETRULESET, &prs)) 557 return (1); 558 errno = 0; 559 if ((t = strchr(prs.name, '(')) == NULL) 560 t = prs.name; 561 else 562 t++; 563 pid = strtoul(t, &s, 10); 564 if (!prs.name[0] || errno || 565 (*s && (t == prs.name || *s != ')'))) 566 return (1); 567 if (kill(pid, 0) && errno != EPERM) { 568 int i; 569 570 for (i = 0; i < PF_RULESET_MAX; ++i) { 571 struct pfioc_rule pr; 572 573 memset(&pr, 0, sizeof(pr)); 574 memcpy(pr.anchor, prs.anchor, sizeof(pr.anchor)); 575 memcpy(pr.ruleset, prs.name, sizeof(pr.ruleset)); 576 pr.rule.action = action[i]; 577 if ((ioctl(dev, DIOCBEGINRULES, &pr) || 578 ioctl(dev, DIOCCOMMITRULES, &pr)) && 579 errno != EINVAL) 580 return (1); 581 } 582 mnr--; 583 } else 584 nr++; 585 } 586 return (0); 587 } 588 589 /* 590 * Add/remove filter entries for user "luser" from ip "ipsrc" 591 */ 592 static int 593 change_filter(int add, const char *luser, const char *ipsrc) 594 { 595 char fn[MAXPATHLEN]; 596 FILE *f = NULL; 597 struct pfctl pf; 598 struct pfr_buffer t; 599 int i; 600 601 if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) { 602 syslog(LOG_ERR, "invalid luser/ipsrc"); 603 goto error; 604 } 605 606 if (add) { 607 if ((i = snprintf(fn, sizeof(fn), "%s/%s/authpf.rules", 608 PATH_USER_DIR, luser)) < 0 || i >= sizeof(fn)) { 609 syslog(LOG_ERR, "user rule path too long"); 610 goto error; 611 } 612 if ((f = fopen(fn, "r")) == NULL && errno != ENOENT) { 613 syslog(LOG_ERR, "cannot open %s (%m)", fn); 614 goto error; 615 } 616 if (f == NULL) { 617 if (strlcpy(fn, PATH_PFRULES, sizeof(fn)) >= 618 sizeof(fn)) { 619 syslog(LOG_ERR, "rule path too long"); 620 goto error; 621 } 622 if ((f = fopen(fn, "r")) == NULL) { 623 syslog(LOG_ERR, "cannot open %s (%m)", fn); 624 goto error; 625 } 626 } 627 } 628 629 if (pfctl_load_fingerprints(dev, 0)) { 630 syslog(LOG_ERR, "unable to load kernel's OS fingerprints"); 631 goto error; 632 } 633 bzero(&t, sizeof(t)); 634 t.pfrb_type = PFRB_TRANS; 635 memset(&pf, 0, sizeof(pf)); 636 for (i = 0; i < PF_RULESET_MAX; ++i) { 637 if (pfctl_add_trans(&t, i, anchorname, rulesetname)) { 638 syslog(LOG_ERR, "pfctl_add_trans %m"); 639 goto error; 640 } 641 } 642 if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) { 643 syslog(LOG_ERR, "DIOCXBEGIN (%s) %m", add?"add":"remove"); 644 goto error; 645 } 646 647 if (add) { 648 if (symset("user_ip", ipsrc, 0) || 649 symset("user_id", luser, 0)) { 650 syslog(LOG_ERR, "symset"); 651 goto error; 652 } 653 654 pf.dev = dev; 655 pf.trans = &t; 656 pf.anchor = anchorname; 657 pf.ruleset = rulesetname; 658 659 infile = fn; 660 if (parse_rules(f, &pf) < 0) { 661 syslog(LOG_ERR, "syntax error in rule file: " 662 "authpf rules not loaded"); 663 goto error; 664 } 665 666 infile = NULL; 667 fclose(f); 668 f = NULL; 669 } 670 671 if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) { 672 syslog(LOG_ERR, "DIOCXCOMMIT (%s) %m", add?"add":"remove"); 673 goto error; 674 } 675 676 if (add) { 677 gettimeofday(&Tstart, NULL); 678 syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser); 679 } else { 680 gettimeofday(&Tend, NULL); 681 syslog(LOG_INFO, "removed %s, user %s - duration %ld seconds", 682 ipsrc, luser, Tend.tv_sec - Tstart.tv_sec); 683 } 684 return (0); 685 686 error: 687 if (f != NULL) 688 fclose(f); 689 if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0)) 690 syslog(LOG_ERR, "DIOCXROLLBACK (%s) %m", add?"add":"remove"); 691 692 infile = NULL; 693 return (-1); 694 } 695 696 /* 697 * This is to kill off states that would otherwise be left behind stateful 698 * rules. This means we don't need to allow in more traffic than we really 699 * want to, since we don't have to worry about any luser sessions lasting 700 * longer than their ssh session. This function is based on 701 * pfctl_kill_states from pfctl. 702 */ 703 static void 704 authpf_kill_states(void) 705 { 706 struct pfioc_state_kill psk; 707 struct in_addr target; 708 709 memset(&psk, 0, sizeof(psk)); 710 psk.psk_af = AF_INET; 711 712 inet_pton(AF_INET, ipsrc, &target); 713 714 /* Kill all states from ipsrc */ 715 psk.psk_src.addr.v.a.addr.v4 = target; 716 memset(&psk.psk_src.addr.v.a.mask, 0xff, 717 sizeof(psk.psk_src.addr.v.a.mask)); 718 if (ioctl(dev, DIOCKILLSTATES, &psk)) 719 syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)"); 720 721 /* Kill all states to ipsrc */ 722 psk.psk_af = AF_INET; 723 memset(&psk.psk_src, 0, sizeof(psk.psk_src)); 724 psk.psk_dst.addr.v.a.addr.v4 = target; 725 memset(&psk.psk_dst.addr.v.a.mask, 0xff, 726 sizeof(psk.psk_dst.addr.v.a.mask)); 727 if (ioctl(dev, DIOCKILLSTATES, &psk)) 728 syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)"); 729 } 730 731 /* signal handler that makes us go away properly */ 732 static void 733 need_death(int signo) 734 { 735 want_death = 1; 736 } 737 738 /* 739 * function that removes our stuff when we go away. 740 */ 741 static __dead void 742 do_death(int active) 743 { 744 int ret = 0; 745 746 if (active) { 747 change_filter(0, luser, ipsrc); 748 authpf_kill_states(); 749 remove_stale_rulesets(); 750 } 751 if (pidfp) 752 ftruncate(fileno(pidfp), 0); 753 if (pidfile[0]) 754 if (unlink(pidfile) == -1) 755 syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile); 756 exit(ret); 757 } 758 759 /* 760 * callbacks for parse_rules(void) 761 */ 762 763 int 764 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r) 765 { 766 u_int8_t rs_num; 767 struct pfioc_rule pr; 768 769 switch (r->action) { 770 case PF_PASS: 771 case PF_DROP: 772 rs_num = PF_RULESET_FILTER; 773 break; 774 case PF_SCRUB: 775 rs_num = PF_RULESET_SCRUB; 776 break; 777 case PF_NAT: 778 case PF_NONAT: 779 rs_num = PF_RULESET_NAT; 780 break; 781 case PF_RDR: 782 case PF_NORDR: 783 rs_num = PF_RULESET_RDR; 784 break; 785 case PF_BINAT: 786 case PF_NOBINAT: 787 rs_num = PF_RULESET_BINAT; 788 break; 789 default: 790 syslog(LOG_ERR, "invalid rule action %d", r->action); 791 return (1); 792 } 793 794 bzero(&pr, sizeof(pr)); 795 strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor)); 796 strlcpy(pr.ruleset, pf->ruleset, sizeof(pr.ruleset)); 797 if (pfctl_add_pool(pf, &r->rpool, r->af)) 798 return (1); 799 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor, 800 pf->ruleset); 801 pr.pool_ticket = pf->paddr.ticket; 802 memcpy(&pr.rule, r, sizeof(pr.rule)); 803 if (ioctl(pf->dev, DIOCADDRULE, &pr)) { 804 syslog(LOG_ERR, "DIOCADDRULE %m"); 805 return (1); 806 } 807 pfctl_clear_pool(&r->rpool); 808 return (0); 809 } 810 811 int 812 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af) 813 { 814 struct pf_pooladdr *pa; 815 816 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr)) { 817 syslog(LOG_ERR, "DIOCBEGINADDRS %m"); 818 return (1); 819 } 820 pf->paddr.af = af; 821 TAILQ_FOREACH(pa, &p->list, entries) { 822 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr)); 823 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr)) { 824 syslog(LOG_ERR, "DIOCADDADDR %m"); 825 return (1); 826 } 827 } 828 return (0); 829 } 830 831 void 832 pfctl_clear_pool(struct pf_pool *pool) 833 { 834 struct pf_pooladdr *pa; 835 836 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) { 837 TAILQ_REMOVE(&pool->list, pa, entries); 838 free(pa); 839 } 840 } 841 842 int 843 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a) 844 { 845 fprintf(stderr, "altq rules not supported in authpf\n"); 846 return (1); 847 } 848 849 int 850 pfctl_set_optimization(struct pfctl *pf, const char *opt) 851 { 852 fprintf(stderr, "set optimization not supported in authpf\n"); 853 return (1); 854 } 855 856 int 857 pfctl_set_logif(struct pfctl *pf, char *ifname) 858 { 859 fprintf(stderr, "set loginterface not supported in authpf\n"); 860 return (1); 861 } 862 863 int 864 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid) 865 { 866 fprintf(stderr, "set hostid not supported in authpf\n"); 867 return (1); 868 } 869 870 int 871 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet) 872 { 873 fprintf(stderr, "set timeout not supported in authpf\n"); 874 return (1); 875 } 876 877 int 878 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit) 879 { 880 fprintf(stderr, "set limit not supported in authpf\n"); 881 return (1); 882 } 883 884 int 885 pfctl_set_debug(struct pfctl *pf, char *d) 886 { 887 fprintf(stderr, "set debug not supported in authpf\n"); 888 return (1); 889 } 890 891 int 892 pfctl_define_table(char *name, int flags, int addrs, const char *anchor, 893 const char *ruleset, struct pfr_buffer *ab, u_int32_t ticket) 894 { 895 fprintf(stderr, "table definitions not yet supported in authpf\n"); 896 return (1); 897 } 898 899 int 900 pfctl_rules(int dev, char *filename, int opts, char *anchorname, 901 char *rulesetname, struct pfr_buffer *t) 902 { 903 /* never called, no anchors inside anchors, but we need the stub */ 904 fprintf(stderr, "load anchor not supported from authpf\n"); 905 return (1); 906 } 907 908 void 909 pfctl_print_title(char *title) 910 { 911 } 912
Indexes created Mon Sep 29 21:09:56 GMT 2025