Commit resolved import of OpenBSD 4.1 pf userland from perforce.

Approved by:	re (kensmith)

5 files changed, 165 insertions, 168 deletions

diff --git a/contrib/pf/pflogd/pflogd.8 b/contrib/pf/pflogd/pflogd.8
index 0eef77b..22643fc 100644
--- a/contrib/pf/pflogd/pflogd.8
+++ b/contrib/pf/pflogd/pflogd.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pflogd.8,v 1.25 2005/01/02 18:15:02 jmc Exp $
+.\"	$OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
 .\"
 .\" Copyright (c) 2001 Can Erkin Acar.  All rights reserved.
 .\"
@@ -37,14 +37,17 @@
 .Op Fl Dx
 .Op Fl d Ar delay
 .Op Fl f Ar filename
+.Op Fl i Ar interface
 .Op Fl s Ar snaplen
 .Op Ar expression
 .Sh DESCRIPTION
 .Nm
 is a background daemon which reads packets logged by
 .Xr pf 4
-to the packet logging interface
-.Pa pflog0
+to a
+.Xr pflog 4
+interface, normally
+.Pa pflog0 ,
 and writes the packets to a logfile (normally
 .Pa /var/log/pflog )
 in
@@ -83,7 +86,9 @@ temporarily uses the old snaplen to keep the log file consistent.
 tries to preserve the integrity of the log file against I/O errors.
 Furthermore, integrity of an existing log file is verified before
 appending.
-If there is an invalid log file or an I/O error, logging is suspended until a
+If there is an invalid log file or an I/O error, the log file is moved
+out of the way and a new one is created.
+If a new file cannot be created, logging is suspended until a
 .Dv SIGHUP
 or a
 .Dv SIGALRM
@@ -103,11 +108,19 @@ If not specified, the default is 60 seconds.
 Log output filename.
 Default is
 .Pa /var/log/pflog .
+.It Fl i Ar interface
+Specifies the
+.Xr pflog 4
+interface to use.
+By default,
+.Nm
+will use
+.Ar pflog0 .
 .It Fl s Ar snaplen
 Analyze at most the first
 .Ar snaplen
-bytes of data from each packet rather than the default of 96.
-The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may
+bytes of data from each packet rather than the default of 116.
+The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
 truncate protocol information for other protocols.
 Other file parsers may desire a higher snaplen.
 .It Fl x
@@ -131,6 +144,13 @@ Log specific tcp packets to a different log file with a large snaplen
 # pflogd -s 1600 -f suspicious.log port 80 and host evilhost
 .Ed
 .Pp
+Log from another
+.Xr pflog 4
+interface, excluding specific packets:
+.Bd -literal -offset indent
+# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
+.Ed
+.Pp
 Display binary logs:
 .Bd -literal -offset indent
 # tcpdump -n -e -ttt -r /var/log/pflog
@@ -150,7 +170,7 @@ Tcpdump can restrict the output
 to packets logged on a specified interface, a rule number, a reason,
 a direction, an IP family or an action.
 .Pp
-.Bl -tag -width "reason match " -compact
+.Bl -tag -width "ruleset authpf " -compact
 .It ip
 Address family equals IPv4.
 .It ip6
@@ -159,12 +179,16 @@ Address family equals IPv6.
 Interface name equals "kue0".
 .It on kue0
 Interface name equals "kue0".
+.It ruleset authpf
+Ruleset name equals "authpf".
 .It rulenum 10
 Rule number equals 10.
 .It reason match
 Reason equals match.
 Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
-"normalize" and "memory".
+"normalize", "memory", "congestion", "ip-option", "proto-cksum",
+"state-mismatch", "state-insert", "state-limit", "src-limit",
+and "synproxy".
 .It action pass
 Action equals pass.
 Also accepts "block".
@@ -192,4 +216,6 @@ The
 command appeared in
 .Ox 3.0 .
 .Sh AUTHORS
-Can Erkin Acar
+.Nm
+was written by
+.An Can Erkin Acar Aq canacar@openbsd.org .
diff --git a/contrib/pf/pflogd/pflogd.c b/contrib/pf/pflogd/pflogd.c
index 5f7ebdd..6f57b9e 100644
--- a/contrib/pf/pflogd/pflogd.c
+++ b/contrib/pf/pflogd/pflogd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pflogd.c,v 1.33 2005/02/09 12:09:30 henning Exp $	*/
+/*	$OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $	*/
 
 /*
  * Copyright (c) 2001 Theo de Raadt
@@ -81,7 +81,7 @@ int   flush_buffer(FILE *);
 int   init_pcap(void);
 void  logmsg(int, const char *, ...);
 void  purge_buffer(void);
-int   reset_dump(void);
+int   reset_dump(int);
 int   scan_dump(FILE *, off_t);
 int   set_snaplen(int);
 void  set_suspended(int);
@@ -90,6 +90,8 @@ void  sig_close(int);
 void  sig_hup(int);
 void  usage(void);
 
+static int try_reset_dump(int);
+
 /* buffer must always be greater than snaplen */
 static int    bufpkt = 0;	/* number of packets in buffer */
 static int    buflen = 0;	/* allocated size of buffer */
@@ -108,8 +110,9 @@ set_suspended(int s)
 		return;
 
 	suspended = s;
-	setproctitle("[%s] -s %d -f %s",
-            suspended ? "suspended" : "running", cur_snaplen, filename);
+	setproctitle("[%s] -s %d -i %s -f %s",
+	    suspended ? "suspended" : "running",
+	    cur_snaplen, interface, filename);
 }
 
 char *
@@ -159,8 +162,9 @@ __dead void
 #endif
 usage(void)
 {
-	fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename] ");
-	fprintf(stderr, "[-s snaplen] [expression]\n");
+	fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
+	fprintf(stderr, " [-i interface] [-s snaplen]\n");
+	fprintf(stderr, "              [expression]\n");
 	exit(1);
 }
 
@@ -240,7 +244,25 @@ set_snaplen(int snap)
 }
 
 int
-reset_dump(void)
+reset_dump(int nomove)
+{
+	int ret;
+
+	for (;;) {
+		ret = try_reset_dump(nomove);
+		if (ret <= 0)
+			break;
+	}
+
+	return (ret);
+}
+
+/*
+ * tries to (re)open log file, nomove flag is used with -x switch
+ * returns 0: success, 1: retry (log moved), -1: error
+ */
+int
+try_reset_dump(int nomove)
 {
 	struct pcap_file_header hdr;
 	struct stat st;
@@ -262,26 +284,26 @@ reset_dump(void)
 	 */
 	fd = priv_open_log();
 	if (fd < 0)
-		return (1);
+		return (-1);
 
 	fp = fdopen(fd, "a+");
 
 	if (fp == NULL) {
-		close(fd);
 		logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
-		return (1);
+		close(fd);
+		return (-1);
 	}
 	if (fstat(fileno(fp), &st) == -1) {
-		fclose(fp);
 		logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
-		return (1);
+		fclose(fp);
+		return (-1);
 	}
 
 	/* set FILE unbuffered, we do our own buffering */
 	if (setvbuf(fp, NULL, _IONBF, 0)) {
-		fclose(fp);
 		logmsg(LOG_ERR, "Failed to set output buffers");
-		return (1);
+		fclose(fp);
+		return (-1);
 	}
 
 #define TCPDUMP_MAGIC 0xa1b2c3d4
@@ -289,11 +311,9 @@ reset_dump(void)
 	if (st.st_size == 0) {
 		if (snaplen != cur_snaplen) {
 			logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
-			if (set_snaplen(snaplen)) {
-				fclose(fp);
+			if (set_snaplen(snaplen))
 				logmsg(LOG_WARNING,
 				    "Failed, using old settings");
-			}
 		}
 		hdr.magic = TCPDUMP_MAGIC;
 		hdr.version_major = PCAP_VERSION_MAJOR;
@@ -305,11 +325,15 @@ reset_dump(void)
 
 		if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
 			fclose(fp);
-			return (1);
+			return (-1);
 		}
 	} else if (scan_dump(fp, st.st_size)) {
-		/* XXX move file and continue? */
 		fclose(fp);
+		if (nomove || priv_move_log()) {
+			logmsg(LOG_ERR,
+			    "Invalid/incompatible log file, move it away");
+			return (-1);
+		}
 		return (1);
 	}
 
@@ -352,7 +376,6 @@ scan_dump(FILE *fp, off_t size)
 	    hdr.version_minor != PCAP_VERSION_MINOR ||
 	    hdr.linktype != hpcap->linktype ||
 	    hdr.snaplen > PFLOGD_MAXSNAPLEN) {
-		logmsg(LOG_ERR, "Invalid/incompatible log file, move it away");
 		return (1);
 	}
 
@@ -563,7 +586,7 @@ main(int argc, char **argv)
 	closefrom(STDERR_FILENO + 1);
 #endif
 
-	while ((ch = getopt(argc, argv, "Dxd:s:f:")) != -1) {
+	while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
 		switch (ch) {
 		case 'D':
 			Debug = 1;
@@ -576,6 +599,9 @@ main(int argc, char **argv)
 		case 'f':
 			filename = optarg;
 			break;
+		case 'i':
+			interface = optarg;
+			break;
 		case 's':
 			snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
 			    &errstr);
@@ -648,7 +674,7 @@ main(int argc, char **argv)
 		bufpkt = 0;
 	}
 
-	if (reset_dump()) {
+	if (reset_dump(Xflag) < 0) {
 		if (Xflag)
 			return (1);
 
@@ -674,7 +700,7 @@ main(int argc, char **argv)
 		if (gotsig_close)
 			break;
 		if (gotsig_hup) {
-			if (reset_dump()) {
+			if (reset_dump(0)) {
 				logmsg(LOG_ERR,
 				    "Logging suspended: open error");
 				set_suspended(1);
@@ -685,6 +711,8 @@ main(int argc, char **argv)
 		if (gotsig_alrm) {
 			if (dpcap)
 				flush_buffer(dpcap);
+			else 
+				gotsig_hup = 1;
 			gotsig_alrm = 0;
 			alarm(delay);
 		}
diff --git a/contrib/pf/pflogd/pidfile.c b/contrib/pf/pflogd/pidfile.c
deleted file mode 100644
index db6007f..0000000
--- a/contrib/pf/pflogd/pidfile.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*	$FreeBSD$ */
-/*	$OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $	*/
-/*	$NetBSD: pidfile.c,v 1.4 2001/02/19 22:43:42 cgd Exp $	*/
-
-/*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Jason R. Thorpe.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *        This product includes software developed by the NetBSD
- *        Foundation, Inc. and its contributors.
- * 4. Neither the name of The NetBSD Foundation nor the names of its
- *    contributors may be used to endorse or promote products derived
- *    from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: pidfile.c,v 1.5 2002/05/26 09:29:02 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/param.h>
-#include <errno.h>
-#include <paths.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#ifdef __FreeBSD__
-#include "pidfile.h"
-#else
-#include <util.h>
-#endif
-
-static char *pidfile_path;
-static pid_t pidfile_pid;
-
-static void pidfile_cleanup(void);
-
-extern char *__progname;
-
-int
-pidfile(const char *basename)
-{
-	FILE *f;
-	int save_errno;
-	pid_t pid;
-
-	if (basename == NULL)
-		basename = __progname;
-
-	if (pidfile_path != NULL) {
-		free(pidfile_path);
-		pidfile_path = NULL;
-	}
-
-	/* _PATH_VARRUN includes trailing / */
-	(void) asprintf(&pidfile_path, "%s%s.pid", _PATH_VARRUN, basename);
-	if (pidfile_path == NULL)
-		return (-1);
-
-	if ((f = fopen(pidfile_path, "w")) == NULL) {
-		save_errno = errno;
-		free(pidfile_path);
-		pidfile_path = NULL;
-		errno = save_errno;
-		return (-1);
-	}
-
-	pid = getpid();
-	if (fprintf(f, "%ld\n", (long)pid) <= 0 || fclose(f) != 0) {
-		save_errno = errno;
-		(void) unlink(pidfile_path);
-		free(pidfile_path);
-		pidfile_path = NULL;
-		errno = save_errno;
-		return (-1);
-	}
-
-	pidfile_pid = pid;
-	if (atexit(pidfile_cleanup) < 0) {
-		save_errno = errno;
-		(void) unlink(pidfile_path);
-		free(pidfile_path);
-		pidfile_path = NULL;
-		pidfile_pid = 0;
-		errno = save_errno;
-		return (-1);
-	}
-
-	return (0);
-}
-
-static void
-pidfile_cleanup(void)
-{
-
-	if (pidfile_path != NULL && pidfile_pid == getpid())
-		(void) unlink(pidfile_path);
-}
diff --git a/contrib/pf/pflogd/pidfile.h b/contrib/pf/pflogd/pidfile.h
deleted file mode 100644
index 542325f..0000000
--- a/contrib/pf/pflogd/pidfile.h
+++ /dev/null
@@ -1 +0,0 @@
-int pidfile(const char *);
diff --git a/contrib/pf/pflogd/privsep.c b/contrib/pf/pflogd/privsep.c
index ac64ebe..a07d141 100644
--- a/contrib/pf/pflogd/privsep.c
+++ b/contrib/pf/pflogd/privsep.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: privsep.c,v 1.13 2004/12/22 09:21:02 otto Exp $	*/
+/*	$OpenBSD: privsep.c,v 1.16 2006/10/25 20:55:04 moritz Exp $	*/
 
 /*
  * Copyright (c) 2003 Can Erkin Acar
@@ -20,7 +20,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#include <sys/param.h>
+#include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>
 
@@ -30,19 +30,28 @@ __FBSDID("$FreeBSD$");
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
+#ifndef __FreeBSD__
+#include <pcap.h>
+#include <pcap-int.h>
+#endif
 #include <pwd.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#ifdef __FreeBSD__
+/* XXX: pcap pollutes namespace with strlcpy if not present previously */
 #include <pcap.h>
 #include <pcap-int.h>
+#endif
 #include <syslog.h>
 #include <unistd.h>
 #include "pflogd.h"
 
 enum cmd_types {
 	PRIV_SET_SNAPLEN,	/* set the snaplength */
+	PRIV_MOVE_LOG,		/* move logfile away */
 	PRIV_OPEN_LOG		/* open logfile for appending */
 };
 
@@ -57,10 +66,8 @@ static int  may_read(int, void *, size_t);
 static void must_read(int, void *, size_t);
 static void must_write(int, void *, size_t);
 static int  set_snaplen(int snap);
+static int  move_log(const char *name);
 
-/* bpf filter expression common to parent and child */
-extern char *filter;
-extern char *errbuf;
 extern char *filename;
 extern pcap_t *hpcap;
 
@@ -102,16 +109,12 @@ priv_init(void)
 			err(1, "unable to chdir");
 
 		gidset[0] = pw->pw_gid;
+		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
+			err(1, "setresgid() failed");
 		if (setgroups(1, gidset) == -1)
 			err(1, "setgroups() failed");
-		if (setegid(pw->pw_gid) == -1)
-			err(1, "setegid() failed");
-		if (setgid(pw->pw_gid) == -1)
-			err(1, "setgid() failed");
-		if (seteuid(pw->pw_uid) == -1)
-			err(1, "seteuid() failed");
-		if (setuid(pw->pw_uid) == -1)
-			err(1, "setuid() failed");
+		if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+			err(1, "setresuid() failed");
 		close(socks[0]);
 		priv_fd = socks[1];
 		return 0;
@@ -165,6 +168,13 @@ priv_init(void)
 				close(fd);
 			break;
 
+		case PRIV_MOVE_LOG:
+			logmsg(LOG_DEBUG,
+			    "[priv]: msg PRIV_MOVE_LOG received");
+			ret = move_log(filename);
+			must_write(socks[0], &ret, sizeof(int));
+			break;
+
 		default:
 			logmsg(LOG_ERR, "[priv]: unknown command %d", cmd);
 			_exit(1);
@@ -188,6 +198,47 @@ set_snaplen(int snap)
 	return 0;
 }
 
+static int
+move_log(const char *name)
+{
+	char ren[PATH_MAX];
+	int len;
+
+	for (;;) {
+		int fd;
+
+		len = snprintf(ren, sizeof(ren), "%s.bad.%08x",
+		    name, arc4random());
+		if (len >= sizeof(ren)) {
+			logmsg(LOG_ERR, "[priv] new name too long");
+			return (1);
+		}
+
+		/* lock destinanion */
+		fd = open(ren, O_CREAT|O_EXCL, 0);
+		if (fd >= 0) {
+			close(fd);
+			break;
+		}
+		/* if file exists, try another name */
+		if (errno != EEXIST && errno != EINTR) {
+			logmsg(LOG_ERR, "[priv] failed to create new name: %s",
+			    strerror(errno));
+			return (1);			
+		}
+	}
+
+	if (rename(name, ren)) {
+		logmsg(LOG_ERR, "[priv] failed to rename %s to %s: %s",
+		    name, ren, strerror(errno));
+		return (1);
+	}
+
+	logmsg(LOG_NOTICE,
+	       "[priv]: log file %s moved to %s", name, ren);
+
+	return (0);
+}
 
 /*
  * send the snaplength to privileged process
@@ -229,6 +280,21 @@ priv_open_log(void)
 
 	return (fd);
 }
+/* Move-away and reopen log-file */
+int
+priv_move_log(void)
+{
+	int cmd, ret;
+
+	if (priv_fd < 0)
+		errx(1, "%s: called from privileged portion\n", __func__);
+
+	cmd = PRIV_MOVE_LOG;
+	must_write(priv_fd, &cmd, sizeof(int));
+	must_read(priv_fd, &ret, sizeof(int));
+
+	return (ret);
+}
 
 /* If priv parent gets a TERM or HUP, pass it through to child instead */
 static void