authormlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
committermlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
commita5725614a74c5e7e57dee0cda1a81ab91810a418 (patch)
tree4fec78418e07596814acd179ad425fa9253ec365 /contrib/pf/pfctl
parent5eba7986748fd69671d135d7c2e6c08545799d55 (diff)
parent6a32f6ec2e479ff91d30ed651bcb24ad8d14e84e (diff)
This commit was generated by cvs2svn to compensate for changes in r130614,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/pf/pfctl')
-rw-r--r--contrib/pf/pfctl/pf_print_state.c39
-rw-r--r--contrib/pf/pfctl/pfctl.8138
-rw-r--r--contrib/pf/pfctl/pfctl_osfp.c21
-rw-r--r--contrib/pf/pfctl/pfctl_radix.c37
4 files changed, 161 insertions, 74 deletions
diff --git a/contrib/pf/pfctl/pf_print_state.c b/contrib/pf/pfctl/pf_print_state.c
index 58ce23a..b7cf5ca 100644
--- a/contrib/pf/pfctl/pf_print_state.c
+++ b/contrib/pf/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.33 2003/07/06 22:01:28 deraadt Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.39 2004/02/10 17:48:08 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -50,9 +50,24 @@ void print_name(struct pf_addr *, sa_family_t);
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
- switch(addr->type) {
+ switch (addr->type) {
case PF_ADDR_DYNIFTL:
- printf("(%s)", addr->v.ifname);
+ printf("(%s", addr->v.ifname);
+ if (addr->iflags & PFI_AFLAG_NETWORK)
+ printf(":network");
+ if (addr->iflags & PFI_AFLAG_BROADCAST)
+ printf(":broadcast");
+ if (addr->iflags & PFI_AFLAG_PEER)
+ printf(":peer");
+ if (addr->iflags & PFI_AFLAG_NOALIAS)
+ printf(":0");
+ if (verbose) {
+ if (addr->p.dyncnt <= 0)
+ printf(":*");
+ else
+ printf(":%d", addr->p.dyncnt);
+ }
+ printf(")");
break;
case PF_ADDR_TABLE:
if (verbose)
@@ -85,7 +100,10 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
printf("?");
return;
}
- if (! PF_AZERO(&addr->v.a.mask, af)) {
+
+ /* mask if not _both_ address and mask are zero */
+ if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
+ PF_AZERO(&addr->v.a.mask, AF_INET6))) {
int bits = unmask(&addr->v.a.mask, af);
if (bits != (af == AF_INET ? 32 : 128))
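Review bot: The zero test added on lines 66-67 hard-codes AF_INET6 for both the address and the mask, while `unmask()` on the next line still uses `af`; for an AF_INET address this only gives the intended result if the unused upper words of `pf_addr` are zero, which nothing in the hunk establishes. If that invariant holds for every caller, say so beside the new comment, e.g. `/* AF_INET6 on purpose: compare all 128 bits, relying on the unused words being zero for v4 */`; if it does not, the check should use `af` like the line below. print_addr starts and ends outside this hunk.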
@@ -140,8 +158,10 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
aw.v.a.addr = h->addr;
if (af == AF_INET)
aw.v.a.mask.addr32[0] = 0xffffffff;
- else
+ else {
memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
+ af = AF_INET6;
+ }
print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
}
@@ -177,6 +197,7 @@ print_state(struct pf_state *s, int opts)
src = &s->dst;
dst = &s->src;
}
+ printf("%s ", s->u.ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
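Review bot: `printf("%s ", s->u.ifname)` on line 85 relies on `u.ifname` being NUL-terminated; if it is a fixed-size array filled in by the kernel, a bounded conversion such as `printf("%.*s ", (int)sizeof(s->u.ifname), s->u.ifname);` avoids reading past it should the terminator ever be missing. The declaration of `u.ifname` is not visible from this hunk, so confirm its type before changing the format. print_state starts and ends outside this hunk.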
@@ -256,8 +277,16 @@ print_state(struct pf_state *s, int opts)
printf(", anchor %u", s->anchor.nr);
if (s->rule.nr != -1)
printf(", rule %u", s->rule.nr);
+ if (s->src_node != NULL)
+ printf(", source-track");
+ if (s->nat_src_node != NULL)
+ printf(", sticky-address");
printf("\n");
}
+ if (opts & PF_OPT_VERBOSE2) {
+ printf(" id: %016llx creatorid: %08x\n",
+ betoh64(s->id), ntohl(s->creatorid));
+ }
}
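Review bot: The `%016llx` conversion on line 100 is paired with `betoh64(s->id)`, whose result is presumably a 64-bit fixed-width type rather than `unsigned long long`; on an LP64 target those are distinct types and the mismatched format is undefined behaviour. Use the `<inttypes.h>` macros instead: `printf(" id: %016" PRIx64 " creatorid: %08" PRIx32 "\n", (uint64_t)betoh64(s->id), (uint32_t)ntohl(s->creatorid));`, adding the include with the file's other headers, which are outside this hunk. print_state begins outside the hunk.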
int
diff --git a/contrib/pf/pfctl/pfctl.8 b/contrib/pf/pfctl/pfctl.8
index fb73ce2..6fac2d5 100644
--- a/contrib/pf/pfctl/pfctl.8
+++ b/contrib/pf/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.102 2003/09/18 09:18:51 jmc Exp $
+.\" $OpenBSD: pfctl.8,v 1.110 2004/03/20 09:31:42 david Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -33,15 +33,17 @@
.Sh SYNOPSIS
.Nm pfctl
.Bk -words
-.Op Fl AdeghnNqrROvz
+.Op Fl AdeghNnOqRrvz
.Op Fl a Ar anchor Ns Op Ar :ruleset
.Op Fl D Ar macro=value
-.Op Fl f Ar file
.Op Fl F Ar modifier
+.Op Fl f Ar file
+.Op Fl i Ar interface
.Op Fl k Ar host
+.Op Fl p Ar device
.Op Fl s Ar modifier
-.Op Fl t Ar table
.Op Fl T Ar command Op Ar address ...
+.Op Fl t Ar table
.Op Fl x Ar level
.Ek
.Sh DESCRIPTION
@@ -93,6 +95,9 @@ The
utility provides several commands.
The options are as follows:
.Bl -tag -width Ds
+.It Fl A
+Load only the queue rules present in the rule file.
+Other rules and options are ignored.
.It Fl a Ar anchor Ns Op Ar :ruleset
Apply flags
.Fl f ,
@@ -134,11 +139,6 @@ This is similar to C rules for variables.
It is possible to create distinct tables with the same name in the global
ruleset and in an anchor, but this is often bad design and a warning will be
issued in that case.
-.It Fl A
-Load only the queue rules present in the rule file.
-Other rules and options are ignored.
-.It Fl d
-Disable the packet filter.
.It Fl D Ar macro=value
Define
.Ar macro
@@ -148,17 +148,10 @@ on the command line.
Overrides the definition of
.Ar macro
in the ruleset.
+.It Fl d
+Disable the packet filter.
.It Fl e
Enable the packet filter.
-.It Fl f Ar file
-Load the rules contained in
-.Ar file .
-This
-.Ar file
-may contain macros, tables, options, and normalization, queueing,
-translation, and filtering rules.
-With the exception of macros and tables, the statements must appear in that
-order.
.It Fl F Ar modifier
Flush the filter parameters specified by
.Ar modifier
@@ -173,6 +166,8 @@ Flush the queue rules.
Flush the filter rules.
.It Fl F Ar state
Flush the state table (NAT and filter).
+.It Fl F Ar Sources
+Flush the source tracking table.
.It Fl F Ar info
Flush the filter information (statistics that are not bound to rules).
.It Fl F Ar Tables
@@ -182,8 +177,22 @@ Flush the passive operating system fingerprints.
.It Fl F Ar all
Flush all of the above.
.El
+.It Fl f Ar file
+Load the rules contained in
+.Ar file .
+This
+.Ar file
+may contain macros, tables, options, and normalization, queueing,
+translation, and filtering rules.
+With the exception of macros and tables, the statements must appear in that
+order.
.It Fl g
Include output helpful for debugging.
+.It Fl h
+Help.
+.It Fl i Ar interface
+Restrict the operation to the given
+.Ar interface .
.It Fl k Ar host
Kill all of the state entries originating from the specified
.Ar host .
@@ -207,29 +216,32 @@ to
.Bd -literal -offset indent
# pfctl -k host1 -k host2
.Ed
-.It Fl h
-Help.
-.It Fl n
-Do not actually load rules, just parse them.
.It Fl N
Load only the NAT rules present in the rule file.
Other rules and options are ignored.
+.It Fl n
+Do not actually load rules, just parse them.
+.It Fl O
+Load only the options present in the rule file.
+Other rules and options are ignored.
+.It Fl p Ar device
+Use the device file
+.Ar device
+instead of the default
+.Pa /dev/pf .
.It Fl q
Only print errors and warnings.
-.It Fl r
-Perform reverse DNS lookups on states when displaying them.
.It Fl R
Load only the filter rules present in the rule file.
Other rules and options are ignored.
-.It Fl O
-Load only the options present in the rule file.
-Other rules and options are ignored.
+.It Fl r
+Perform reverse DNS lookups on states when displaying them.
.It Fl s Ar modifier
Show the filter parameters specified by
.Ar modifier
(may be abbreviated):
.Pp
-.Bl -tag -width xxxxxxxxxxxx -compact
+.Bl -tag -width xxxxxxxxxxxxx -compact
.It Fl s Ar nat
Show the currently loaded NAT rules.
.It Fl s Ar queue
@@ -261,8 +273,13 @@ is specified as well, the named rulesets currently loaded in the specified
anchor are shown instead.
.It Fl s Ar state
Show the contents of the state table.
+.It Fl s Ar Sources
+Show the contents of the source tracking table.
.It Fl s Ar info
Show filter information (statistics and counters).
+When used together with
+.Fl v ,
+source tracking statistics are also shown.
.It Fl s Ar labels
Show per-rule statistics (label, evaluations, packets, bytes) of
filter rules with labels, useful for accounting.
@@ -274,16 +291,17 @@ Show the current pool memory hard limits.
Show the list of tables.
.It Fl s Ar osfp
Show the list of operating system fingerprints.
-Can be used in combination with
-.Fl o Ar file
-to list the fingerprints in a
-.Xr pf.os 5
-file.
+.It Fl s Ar Interfaces
+Show the list of interfaces and interface drivers available to PF.
+When used together with a double
+.Fl v ,
+interface statistics are also shown.
+.Fl i
+can be used to select an interface or a group of interfaces.
.It Fl s Ar all
-Show all of the above.
+Show all of the above, except for the lists of interfaces and operating
+system fingerprints.
.El
-.It Fl t Ar table
-Specify the name of the table.
.It Fl T Ar command Op Ar address ...
Specify the
.Ar command
@@ -334,7 +352,7 @@ Comments starting with a "#" are allowed in the text file.
With these commands, the
.Fl v
flag can also be used once or twice, in which case
-.Nm pfctl
+.Nm
will print the
detailed result of the operation for each individual address, prefixed by
one of the following letters:
@@ -359,7 +377,7 @@ The address/network has been cleared (statistics).
Each table maintains a set of counters that can be retrieved using the
.Fl v
flag of
-.Nm pfctl .
+.Nm .
For example, the following commands define a wide open firewall which will keep
track of packets going to or coming from the
.Ox
@@ -367,8 +385,8 @@ ftp server.
The following commands configure the firewall and send 10 pings to the ftp
server:
.Bd -literal -offset indent
-# printf \&"table <test> { ftp.openbsd.org }\en \e
-\ \ pass out to <test> keep state\en" \&| pfctl -f-
+# printf "table <test> { ftp.openbsd.org }\en \e
+ pass out to <test> keep state\en" | pfctl -f-
# ping -qc10 ftp.openbsd.org
.Ed
.Pp
@@ -381,12 +399,12 @@ The time at which the current accounting started is also shown with the
line.
.Bd -literal -offset indent
# pfctl -t test -vTshow
-\ \ \ 129.128.5.191
-\ \ \ \ Cleared: \ \ \ \ Thu Feb 13 18:55:18 2003
-\ \ \ \ In/Block: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
-\ \ \ \ In/Pass: \ \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ]
-\ \ \ \ Out/Block: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
-\ \ \ \ Out/Pass: \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ]
+ 129.128.5.191
+ Cleared: Thu Feb 13 18:55:18 2003
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Pass: [ Packets: 10 Bytes: 840 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Pass: [ Packets: 10 Bytes: 840 ]
.Ed
.Pp
Similarly, it is possible to view global information about the tables
@@ -401,19 +419,19 @@ packet statistics for the whole table:
.Bd -literal -offset indent
# pfctl -vvsTables
--a-r- test
-\ \ \ \ Addresses: \ \ 1
-\ \ \ \ Cleared: \ \ \ \ Thu Feb 13 18:55:18 2003
-\ \ \ \ References: \ [ Anchors: 0 \ \ \ \ \ \ \ Rules: 1 \ \ \ \ \ \ \ ]
-\ \ \ \ Evaluations: [ NoMatch: 3496 \ \ \ \ Match: 1 \ \ \ \ \ \ \ ]
-\ \ \ \ In/Block: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
-\ \ \ \ In/Pass: \ \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ]
-\ \ \ \ In/XPass: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
-\ \ \ \ Out/Block: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
-\ \ \ \ Out/Pass: \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ]
-\ \ \ \ Out/XPass: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ]
+ Addresses: 1
+ Cleared: Thu Feb 13 18:55:18 2003
+ References: [ Anchors: 0 Rules: 1 ]
+ Evaluations: [ NoMatch: 3496 Match: 1 ]
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Pass: [ Packets: 10 Bytes: 840 ]
+ In/XPass: [ Packets: 0 Bytes: 0 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Pass: [ Packets: 10 Bytes: 840 ]
+ Out/XPass: [ Packets: 0 Bytes: 0 ]
.Ed
.Pp
-As we can see here, only one packet - the initial ping request - matched the
+As we can see here, only one packet \- the initial ping request \- matched the
table; but all packets passing as the result of the state are correctly
accounted for.
Reloading the table(s) or ruleset will not affect packet accounting in any way.
@@ -421,14 +439,14 @@ The two
.Ar XPass
counters are incremented instead of the
.Ar Pass
-counters when a \&"stateful\&" packet is passed but doesn't match the table
+counters when a "stateful" packet is passed but doesn't match the table
anymore.
This will happen in our example if someone flushes the table while the ping
command is running.
.Pp
When used with a single
.Fl v ,
-.Nm pfctl
+.Nm
will only display the first line containing the table flags and name.
The flags are defined as follows:
.Pp
@@ -459,6 +477,8 @@ For tables which are referenced (used) by rules.
This flag is set when a table in the main ruleset is hidden by one or more
tables of the same name in sub-rulesets (anchors).
.El
+.It Fl t Ar table
+Specify the name of the table.
.It Fl v
Produce more verbose output.
A second use of
diff --git a/contrib/pf/pfctl/pfctl_osfp.c b/contrib/pf/pfctl/pfctl_osfp.c
index 9585314..6d1fb99 100644
--- a/contrib/pf/pfctl/pfctl_osfp.c
+++ b/contrib/pf/pfctl/pfctl_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_osfp.c,v 1.4 2003/08/27 17:42:00 frantzen Exp $ */
+/* $OpenBSD: pfctl_osfp.c,v 1.8 2004/02/27 10:42:00 henning Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org>
@@ -31,6 +31,7 @@
#include <string.h>
#include "pfctl_parser.h"
+#include "pfctl.h"
#ifndef MIN
# define MIN(a,b) (((a) < (b)) ? (a) : (b))
@@ -308,11 +309,17 @@ pfctl_load_fingerprints(int dev, int opts)
void
pfctl_show_fingerprints(int opts)
{
- printf("Passive OS Fingerprints:\n");
- printf("\tClass\tVersion\tSubtype(subversion)\n");
- printf("\t-----\t-------\t-------------------\n");
- sort_name_list(opts, &classes);
- print_name_list(opts, &classes, "\t");
+ if (LIST_FIRST(&classes) != NULL) {
+ if (opts & PF_OPT_SHOWALL) {
+ pfctl_print_title("OS FINGERPRINTS:");
+ printf("%u fingerprints loaded\n", fingerprint_count);
+ } else {
+ printf("Class\tVersion\tSubtype(subversion)\n");
+ printf("-----\t-------\t-------------------\n");
+ sort_name_list(opts, &classes);
+ print_name_list(opts, &classes, "");
+ }
+ }
}
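Review bot: pfctl_show_fingerprints now prints nothing at all when no classes are loaded, and with PF_OPT_SHOWALL prints only a count rather than the list, and neither behaviour is documented; a comment above `if (LIST_FIRST(&classes) != NULL)` such as `/* silent until fingerprints are loaded; with -sa only the count is shown */` would make clear this is intended. `%u` on line 425 also requires `fingerprint_count` to be an unsigned int; its declaration is outside this hunk, so confirm the type matches the format.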
/* Lookup a fingerprint */
@@ -825,7 +832,7 @@ get_int(char **line, size_t *len, int *var, int *mod,
}
for (; i < fieldlen; i++) {
- if (field[i] < '0' || field[i] > '9') {
+ if (field[i] < '0' || field[i] > '9') {
fprintf(stderr, "%s:%d non-digit character in %s\n",
filename, lineno, name);
return (1);
diff --git a/contrib/pf/pfctl/pfctl_radix.c b/contrib/pf/pfctl/pfctl_radix.c
index 788522c..04fb487 100644
--- a/contrib/pf/pfctl/pfctl_radix.c
+++ b/contrib/pf/pfctl/pfctl_radix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_radix.c,v 1.21 2003/09/24 09:12:35 cedric Exp $ */
+/* $OpenBSD: pfctl_radix.c,v 1.24 2004/02/10 18:29:30 henning Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -259,7 +259,8 @@ pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
{
struct pfioc_table io;
- if (tbl == NULL || size == NULL || *size < 0 || (*size && addr == NULL)) {
+ if (tbl == NULL || size == NULL || *size < 0 ||
+ (*size && addr == NULL)) {
errno = EINVAL;
return (-1);
}
@@ -281,7 +282,8 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
{
struct pfioc_table io;
- if (tbl == NULL || size == NULL || *size < 0 || (*size && addr == NULL)) {
+ if (tbl == NULL || size == NULL || *size < 0 ||
+ (*size && addr == NULL)) {
errno = EINVAL;
return (-1);
}
@@ -454,11 +456,40 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
return (0);
}
+/* interface management code */
+
+int
+pfi_get_ifaces(const char *filter, struct pfi_if *buf, int *size, int flags)
+{
+ struct pfioc_iface io;
+
+ if (size == NULL || *size < 0 || (*size && buf == NULL)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ bzero(&io, sizeof io);
+ io.pfiio_flags = flags;
+ if (filter != NULL)
+ if (strlcpy(io.pfiio_name, filter, sizeof(io.pfiio_name)) >=
+ sizeof(io.pfiio_name)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ io.pfiio_buffer = buf;
+ io.pfiio_esize = sizeof(*buf);
+ io.pfiio_size = *size;
+ if (ioctl(dev, DIOCIGETIFACES, &io))
+ return (-1);
+ *size = io.pfiio_size;
+ return (0);
+}
+
/* buffer management code */
size_t buf_esize[PFRB_MAX] = { 0,
sizeof(struct pfr_table), sizeof(struct pfr_tstats),
sizeof(struct pfr_addr), sizeof(struct pfr_astats),
+ sizeof(struct pfi_if), sizeof(struct pfioc_trans_e)
};
/*
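Review bot: The `if (filter != NULL)` on line 486 is left unbraced around a braced inner `if`, the shape that invites a mis-attached `else` later; brace the outer statement as `if (filter != NULL) {` with a closing `}` after the inner block. The function also has no header comment, and `size` is both the buffer capacity on entry (line 494) and overwritten with the kernel's count on return (line 497), which callers need spelled out, e.g. `/* *size: in = capacity of buf in entries, out = count returned by DIOCIGETIFACES; buf may be NULL only when *size is 0 */`. Whether DIOCIGETIFACES can report more entries than fit in buf is not visible here; if it can, the comment should say callers must clamp to their original *size before indexing buf. The two buf_esize entries added on line 505 assume PFRB_MAX was enlarged in the header, which is outside this diff.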