Commit Graph

47 Commits

Author SHA1 Message Date
rmind 5b97ba65a8 Disable -DWITH_NPF for now; will be converted to BPF mechanism. 2013-02-09 15:36:40 +00:00
plunky 19ea14f457 does not need -I${NETBSDSRCDIR}/sys/dist/ipf here, the include files
are installed in /usr/include/netinet
2012-09-15 17:46:25 +00:00
christos 55c6b3796e don't include pcap/bpf.h 2011-12-21 22:18:43 +00:00
joerg bec77c5f43 Use __dead 2011-08-31 13:32:36 +00:00
joerg a216da57a6 Default to -Wno-sign-compare -Wno-pointer-sign for clang.
Push -Wno-array-bounds down to the cases that depend on it.
Selectively disable warnings for 3rd party software or non-trivial
issues to be reviewed later to get clang -Werror to build most of the
tree.
2011-05-26 12:56:24 +00:00
joerg 5b79cac715 No input needed 2011-05-24 13:41:53 +00:00
rmind 3bb326c464 Fix sun2 builds. Noted by joerg@. 2011-02-04 00:19:51 +00:00
rmind 07ac07d35f NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
  Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
2011-02-02 02:20:24 +00:00
christos 976857bd1b fix build. 2010-12-13 01:44:25 +00:00
wiz 6f43bcda13 Remove trailing whitespace and dot in Nd. 2010-05-09 14:02:10 +00:00
degroote c4b8685918 Add missing license 2010-05-09 12:45:19 +00:00
wiz 95b209a8cf Sort options, standardize SYNOPSIS, slight rewordings. Use more markup. 2010-05-08 11:29:40 +00:00
degroote ca38e323d1 Add support for pfs(8)
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@
2010-05-07 17:41:57 +00:00
degroote 2d48ac808c Import pfsync support from OpenBSD 4.2
Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@
2009-09-14 10:36:48 +00:00
lukem a3417b09b0 WARNS=1 for pf 2009-04-23 05:25:06 +00:00
lukem d877c4c3c0 Enable WARNS=4 by default, except for:
cpuctl  dumplfs  hprop  ipf  iprop-log  kadmin  kcm  kdc  kdigest
	kimpersonate  kstash  ktutil  makefs  ndbootd  ntp  pppd  quot
	racoon  racoonctl  rtadvd  sntp  sup  tcpdchk  tcpdmatch  tcpdump
	traceroute  traceroute6  user  veriexecgen  wsmoused  zic
(Mostly third-party applications)
2009-04-22 15:23:01 +00:00
peter 430b2da1d5 Install /etc/pf.os with 444 permissions.
Modify postinstall(8) to always upgrade /etc/pf.os.

Suggested by Luke Mewburn in PR/35188.
2008-06-20 17:04:45 +00:00
yamt fff57c5525 merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@.  requested by core@
2008-06-18 09:06:25 +00:00
tron 07347616e8 Use "ipv6-icmp" instead of "icmp6" to allow loading these rules again.
Patch supplied by Daniel Horecki in PR bin/36874.
2007-09-02 15:28:43 +00:00
tls 4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
christos 3a4d16937d compile a file with -Wno-stack-protector since it is using __cmsg_alignbytes()
for a variable on the stack.
2006-11-09 20:33:25 +00:00
christos 1ec0eb6725 remove openlog_r/syslog_r; we now have it. 2006-10-26 10:18:31 +00:00
drochner 741f357fc1 Build libpcap-0.9.4 from src/dist.
While there are some open issues, particulary wrt support of old
NetBSD-specific interfaces, it is better to get the code some public
testing before NetBSD-4 is branched.
2006-04-25 18:36:44 +00:00
reed de56c0d123 Fix mispelling in a comment. 2006-01-10 20:53:24 +00:00
peter 9c1da17e90 pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security
2005-08-23 12:12:56 +00:00
peter df0caa2637 Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.
2005-06-27 20:32:39 +00:00
tron 92570d0dfc Remove copy of manual page created during build. 2005-04-19 08:42:54 +00:00
tron 20442260d4 Remove copy of manual page created during build. 2005-04-13 17:51:12 +00:00
jwise 58015a4d36 Finally, spamlogd -> pfspamlogd, for consistency. 2005-04-12 14:44:10 +00:00
jwise f876c1012e spamd.conf is now pfspamd.conf. 2005-04-12 14:39:39 +00:00
jwise 200b4f7e06 Now that we can override the name of /etc/spamd.conf, make it /etc/pfspamd.conf. 2005-04-12 14:36:15 +00:00
jwise 88573cf3f3 Pass in path to /etc/spamd.conf in CPPFLAGS. 2005-04-12 14:34:57 +00:00
jwise a8293ab76d Now that we can specify the chroot location, make it /var/chroot/pfspamd. 2005-04-12 14:23:26 +00:00
jwise aac5bfbda9 Pass in a value for SPAMD_CHROOT in CPPFLAGS, to specify the path to the
chroot dir spamd will use.
2005-04-12 14:21:20 +00:00
jwise d32dabfd88 Per discussion on tech-userlevel and tech-security, install `spamd',
`spamd-setup', and `spamdb' as `pfspamd', `pfspamd-setup', and `pfspamdb'.

To quote Steven M. Bellovin:

  This [having a program in basesrc with the same name as a widely used and
  completely different program in pkgsrc] is a seriously bad idea; it
  violates the rule of least surprise.  That's bad enough in normal
  situations; here, we're talking about security.  You do *not* want to
  confuse people about security features; they're hard enough to get right
  as is.
2005-04-11 22:34:18 +00:00
peter 6e4d82adbb Enable pflogd(8). 2005-04-04 19:11:18 +00:00
peter 9843641178 Change BINDIR to /sbin and support MKDYNAMICROOT. 2005-03-15 17:45:11 +00:00
peter f08689a2d1 Add build glue for pflogd(8). 2005-03-15 16:32:47 +00:00
peter 3041afaec2 Add a small replacement for strtonum(). 2005-03-15 16:28:29 +00:00
peter 0a9aa9779a Install pf(4) examples. Reviewed by yamt@.
Thanks to hubertf@ for the reminder.
2005-03-15 16:05:03 +00:00
peter 1c9b56c830 Add MKIPFILTER; if set to no, don't build and install the ipf(4) programs,
headers and LKM.

Add MKPF; if set to no, don't build and install the pf(4) programs,
headers, LKM and spamd.

Both options default to yes, so nothing changed in the default build.

Reviewed by lukem.
2005-02-22 14:39:58 +00:00
yamt 0aad0f2269 copyright notice. 2005-02-13 22:29:37 +00:00
yamt 057eb0b30f don't use variable arg macro, which is not supported by gcc2. 2004-11-16 05:14:12 +00:00
yamt 2918ba1f0d handle configinstall target correctly. 2004-11-14 20:27:13 +00:00
yamt 23c8222edb merge after importing pf from openbsd 3.6. (userland part)
some files were imported to the different places from the previous version.
v3_5:
	etc/pf.conf
	etc/pf.os
	etc/spamd.conf
	share/man/man4/pf.4
	share/man/man4/pflog.4
	share/man/man5/pf.conf.5
	share/man/man5/pf.os.5
	share/man/man5/spamd.conf.5
v3_6:
	dist/pf/etc/pf.conf
	dist/pf/etc/pf.os
	dist/pf/etc/spamd.conf
	dist/pf/share/man/man4/pf.4
	dist/pf/share/man/man4/pflog.4
	dist/pf/share/man/man5/pf.conf.5
	dist/pf/share/man/man5/pf.os.5
	dist/pf/share/man/man5/spamd.conf.5
2004-11-14 11:26:43 +00:00
yamt b1ef71d369 move common fragments into Makefile.inc. 2004-11-11 12:03:53 +00:00
yamt 096fec04a9 move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.
before:
	sbin/pfctl
	usr.sbin/authpf
	usr.sbin/spamdb
	libexec/ftp-proxy
	libexec/spamd
	libexec/spamd-setup
	libexec/spamlogd
after:
	usr.sbin/pf/pfctl
	usr.sbin/pf/authpf
	usr.sbin/pf/spamdb
	usr.sbin/pf/ftp-proxy
	usr.sbin/pf/spamd
	usr.sbin/pf/spamd-setup
	usr.sbin/pf/spamlogd
2004-11-11 11:54:51 +00:00