Index: head/net/bird/Makefile
===================================================================
--- head/net/bird/Makefile (revision 465712)
+++ head/net/bird/Makefile (revision 465713)
@@ -1,53 +1,32 @@ # Created by: Pav Lucistnik # $FreeBSD$ PORTNAME= bird -PORTVERSION= 1.6.3 -PORTREVISION= 4 +PORTVERSION= 1.6.4 CATEGORIES= net -MASTER_SITES= ftp://bird.network.cz/pub/bird/ \ - http://bird.mpls.in/distfiles/bird/ +MASTER_SITES= ftp://bird.network.cz/pub/bird/ MAINTAINER= olivier@FreeBSD.org COMMENT?= Dynamic IP routing daemon (${FLAVOR:Uipv4:S/ip/IP/} version) LICENSE= GPLv2 FLAVORS= ipv4 ipv6 ipv6_PKGNAMESUFFIX= 6 -USES= bison gmake ncurses readline +USES= autoreconf bison gmake ncurses readline GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var -OPTIONS_DEFINE?= FIREWALL -FIREWALL_DESC= Enable firewall protocol -NO_OPTIONS_SORT= yes - MAKE_JOBS_UNSAFE= yes USE_RC_SUBR= ${PKGBASE} .if ${FLAVOR:U} == ipv6 CONFIGURE_ARGS+= --enable-ipv6 PLIST_SUB= VER=6 .else PLIST_SUB?= VER="" -.endif - -FIREWALL_EXTRA_PATCHES+= ${FILESDIR}/firewall_support.patch - -.include - -post-patch: -.if ${PORT_OPTIONS:MFIREWALL} - @${REINPLACE_CMD} -e 's/^\(all_protocols=".*\)"/\1 firewall"/' ${WRKSRC}/configure - @${REINPLACE_CMD} -e '/proto_build(&proto_device);/{G;s/$$/ proto_build(\&proto_firewall);/;}' ${WRKSRC}/nest/proto.c - @${REINPLACE_CMD} -e '/CONFIG_PIPE/{G;s/$$/#undef CONFIG_FIREWALL_IPSET/;}' ${WRKSRC}/sysdep/autoconf.h.in - @${REINPLACE_CMD} -e '/CONFIG_PIPE/{G;s/$$/#undef CONFIG_FIREWALL_PF/;}' ${WRKSRC}/sysdep/autoconf.h.in - @${REINPLACE_CMD} -e '/CONFIG_PIPE/{G;s/$$/#undef CONFIG_FIREWALL_IPFW/;}' ${WRKSRC}/sysdep/autoconf.h.in - @${REINPLACE_CMD} -e '/CONFIG_PIPE/{G;s/$$/#undef CONFIG_FIREWALL/;}' ${WRKSRC}/sysdep/autoconf.h.in - @${REINPLACE_CMD} -e 's/\(proto_bfd\)/\1, proto_firewall/' ${WRKSRC}/nest/protocol.h .endif .include Index: head/net/bird/distinfo =================================================================== --- head/net/bird/distinfo (revision 465712) +++ head/net/bird/distinfo (revision 465713) 
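Review bot: The removal of the FIREWALL option (`OPTIONS_DEFINE?= FIREWALL`, `FIREWALL_DESC`, `FIREWALL_EXTRA_PATCHES` and the post-patch `REINPLACE_CMD` edits) together with `files/firewall_support.patch` is a user-visible behaviour change that nothing in this diff records: a configuration that relied on the patched `protocol firewall` stanza (the IPFW/PF table integration) would presumably stop loading after the upgrade. A short entry in ports/UPDATING or a pkg-message line such as `The FIREWALL option (firewall protocol for IPFW/PF tables) is no longer available; remove 'protocol firewall' sections from bird.conf before upgrading.` would give operators warning. The `?=` on the removed `OPTIONS_DEFINE` and the surviving `COMMENT?=` suggest another Makefile includes this one; check that it no longer references FIREWALL. Dropping the second MASTER_SITES mirror leaves a single fetch source, which is acceptable only because distinfo pins the new SHA256.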
@@ -1,3 +1,3 @@
-TIMESTAMP = 1485093974
-SHA256 (bird-1.6.3.tar.gz) = 39c51cf57c3ba8b5978b2a657ffa2f647ec7f3ae643e91cf42ee5cb070cf7e7c
-SIZE (bird-1.6.3.tar.gz) = 1337198
+TIMESTAMP = 1521796106
+SHA256 (bird-1.6.4.tar.gz) = 089db0570dbc171a1330862f84b908c15d869879a806c925621515e207f7296f
+SIZE (bird-1.6.4.tar.gz) = 1360234
Index: head/net/bird/files/patch-filter-filter.c
===================================================================
--- head/net/bird/files/patch-filter-filter.c (revision 465712)
+++ head/net/bird/files/patch-filter-filter.c (nonexistent)
@@ -1,10 +0,0 @@
---- filter/filter.c.orig 2018-02-07 16:42:34.914441000 +0100
-+++ filter/filter.c 2018-02-07 16:43:07.274018000 +0100
-@@ -1559,6 +1559,7 @@
- case P('<','='): TWOARGS; break;
- 
- case '!': ONEARG; break;
-+ case P('!', '~'):
- case '~': TWOARGS; break;
- case P('d','e'): ONEARG; break;
- 
Property changes on: head/net/bird/files/patch-filter-filter.c
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/net/bird/files/firewall_support.patch
===================================================================
--- head/net/bird/files/firewall_support.patch (revision 465712)
+++ head/net/bird/files/firewall_support.patch (nonexistent)
@@ -1,913 +0,0 @@ -From f610486180e7ba5a0f7b7127edfdcfaf704353a1 Mon Sep 17 00:00:00 2001 -From: Alexander V. Chernikov -Date: Wed, 15 Aug 2012 16:09:21 +0000 -Subject: [PATCH 1/1] Add firewall support v2 - ---- - configure.in | 6 +- - doc/bird.sgml | 34 ++++ - nest/proto.c | 3 + - nest/protocol.h | 2 +- - nest/route.h | 3 +- - proto/firewall/Doc | 1 + - proto/firewall/Makefile | 6 + - proto/firewall/config.Y | 77 +++++++++ - proto/firewall/firewall.c | 198 ++++++++++++++++++++++ - proto/firewall/firewall.h | 54 ++++++ - sysdep/autoconf.h.in | 5 + - sysdep/bsd/Modules | 1 + - sysdep/bsd/fw.c | 404 +++++++++++++++++++++++++++++++++++++++++++++ - 13 files changed, 791 insertions(+), 3 deletions(-) - create mode 100644 proto/firewall/Doc - create mode 100644 proto/firewall/Makefile - create mode 100644 proto/firewall/config.Y - create mode 100644 proto/firewall/firewall.c - create mode 100644 proto/firewall/firewall.h - create mode 100644 sysdep/bsd/fw.c - -diff --git a/configure.in b/configure.in -index 54993df..51b7cc2 100644 ---- configure.in -+++ configure.in -@@ -137,10 +137,13 @@ else - ipv4:netbsd*) sysdesc=bsd - CPPFLAGS="$CPPFLAGS -I/usr/pkg/include" - LDFLAGS="$LDFLAGS -L/usr/pkg/lib -R/usr/pkg/lib" -+ AC_DEFINE(CONFIG_FIREWALL_PF, 1) - ;; - ipv6:freebsd*) sysdesc=bsd-v6 - ;; - ipv4:freebsd*) sysdesc=bsd -+ AC_DEFINE(CONFIG_FIREWALL_IPFW, 1) -+ AC_DEFINE(CONFIG_FIREWALL_PF, 1) - ;; - ipv6:dragonfly*) sysdesc=bsd-v6 - ;; -@@ -153,6 +156,7 @@ else - ipv6:openbsd*) sysdesc=bsd-v6 - ;; - ipv4:openbsd*) sysdesc=bsd -+ AC_DEFINE(CONFIG_FIREWALL_PF, 1) - ;; - *) AC_MSG_ERROR([Cannot determine correct system configuration. Please use --with-sysconfig to set it manually.]) - ;; -diff --git a/doc/bird.sgml b/doc/bird.sgml -index 24bc302..a01ec99 100644 ---- doc/bird.sgml -+++ doc/bird.sgml -@@ -2743,6 +2743,40 @@ protocol static { - } - - -+Firewall -+ -+

Firewall protocol doesn't communicate with any network devices, -+but instead it allows you to add announced prefixes to given firewall table. -+At the moment IPFW and PF are supported. One can also specify special integer tag -+that can be passed as argument to IPFW table. Any number of instances can be configured. -+ -+

Firewall protocol does not have many configuration options. -+ -+ -+ fwtype pf|ipfw Select firewall type. -+ fwtable Specifies firewall table name. -+ keep on startup|shutdownDo not flush table on protocol startup or shutdown. -+ keep alwaysDo not flush table on protocol startup and shutdown. -+ -+ -+

Firewall defines single route attribute: -+ -+ -+ int Value that can be passed with prefix. -+ Value is unsigned 4-byte integer. It can be set when importing routes from the other -+ protocols or on protocol export. -+ -+ -+

Example firewall config might look like this: -+ -+

-+protocol firewall { -+ table testable; # Connect to a non-default routing table -+ fwtype ipfw; # Use IPFW as backend -+ fwtable "2"; # Use table 2 -+ export filter { fw_value = 125; accept; }; # Set value 125 for all prefixes -+} -+ - Conclusions - - Future work -diff --git a/nest/route.h b/nest/route.h -index 524e69b..f3062a2 100644 ---- nest/route.h -+++ nest/route.h -@@ -361,7 +361,8 @@ typedef struct eattr { - #define EAP_OSPF 3 /* OSPF */ - #define EAP_KRT 4 /* Kernel route attributes */ - #define EAP_BABEL 5 /* Babel attributes */ --#define EAP_MAX 6 -+#define EAP_FIREWALL 6 /* Abstact firewall interface */ -+#define EAP_MAX 7 - - #define EA_CODE(proto,id) (((proto) << 8) | (id)) - #define EA_PROTO(ea) ((ea) >> 8) -diff --git a/proto/firewall/Doc b/proto/firewall/Doc -new file mode 100644 -index 0000000..5779342 ---- /dev/null -+++ proto/firewall/Doc -@@ -0,0 +1 @@ -+S firewall.c -diff --git a/proto/firewall/Makefile b/proto/firewall/Makefile -new file mode 100644 -index 0000000..a322ab6 ---- /dev/null -+++ proto/firewall/Makefile -@@ -0,0 +1,6 @@ -+source=firewall.c -+root-rel=../../ -+dir-name=proto/firewall -+ -+include ../../Rules -+ -diff --git a/proto/firewall/config.Y b/proto/firewall/config.Y -new file mode 100644 -index 0000000..aefc606 ---- /dev/null -+++ proto/firewall/config.Y -@@ -0,0 +1,77 @@ -+/* -+ * BIRD -- Firewall Protocol Configuration -+ * -+ * (c) 2011 Alexander V. Chernikov -+ * -+ * Can be freely distributed and used under the terms of the GNU GPL. 
-+ */ -+ -+CF_HDR -+ -+#include "proto/firewall/firewall.h" -+ -+CF_DEFINES -+ -+#define FIREWALL_CFG ((struct firewall_config *) this_proto) -+ -+CF_DECLS -+ -+CF_KEYWORDS(FIREWALL, FWTABLE, FWTYPE, FW_VALUE, IPFW, PF, IPSET, KEEP, ON, STARTUP, SHUTDOWN, ALWAYS) -+ -+%type firewall_type -+CF_GRAMMAR -+ -+CF_ADDTO(proto, firewall_proto '}') -+ -+firewall_proto_start: proto_start FIREWALL { -+ this_proto = proto_config_new(&proto_firewall, $1); -+ this_proto->preference = 0; -+ FIREWALL_CFG->flush_start = 1; -+ FIREWALL_CFG->flush_shutdown = 1; -+ } -+ ; -+ -+firewall_proto: -+ firewall_proto_start proto_name '{' -+ | firewall_proto proto_item ';' -+ | firewall_proto firewall_proto_item ';' -+ ; -+ -+firewall_proto_item: -+ FWTYPE firewall_type { -+ switch ($2) -+ { -+#ifdef CONFIG_FIREWALL_IPFW -+ case FWTYPE_IPFW: -+ break; -+#endif -+#ifdef CONFIG_FIREWALL_PF -+ case FWTYPE_PF: -+ break; -+#endif -+#ifdef CONFIG_FIREWALL_IPSET -+ case FWTYPE_IPSET: -+ break; -+#endif -+ default: -+ cf_error("firewall type is not supported by your OS/build"); -+ } -+ FIREWALL_CFG->fwtype = $2; -+ }; -+ | FWTABLE TEXT { FIREWALL_CFG->fwtable = $2; } -+ | KEEP ON STARTUP { FIREWALL_CFG->flush_start = 0; } -+ | KEEP ON SHUTDOWN { FIREWALL_CFG->flush_shutdown = 0; } -+ | KEEP ALWAYS { FIREWALL_CFG->flush_start = 0; FIREWALL_CFG->flush_shutdown = 0; } -+ ; -+ -+firewall_type: -+ IPFW { $$ = FWTYPE_IPFW; } -+ | PF { $$ = FWTYPE_PF; } -+ | IPSET { $$ = FWTYPE_IPSET; } -+ ; -+ -+CF_ADDTO(dynamic_attr, FW_VALUE { $$ = f_new_dynamic_attr(EAF_TYPE_INT, T_INT, EA_FIREWALL_VALUE); }) -+ -+CF_CODE -+ -+CF_END -diff --git a/proto/firewall/firewall.c b/proto/firewall/firewall.c -new file mode 100644 -index 0000000..e447470 ---- /dev/null -+++ proto/firewall/firewall.c -@@ -0,0 +1,199 @@ -+/* -+ * BIRD -- Firewall Protocol Configuration -+ * -+ * (c) 2011 Alexander V. Chernikov -+ * -+ * Can be freely distributed and used under the terms of the GNU GPL. 
-+ */ -+ -+/** -+ * DOC: Firewall -+ * -+ * Firewall protocol is very simple. It adds or removes exported routes to given firewall -+ * table with zero (or filter-specified) value. Table can be flushed on startup to -+ * avoid error messages on bird restart. -+ */ -+ -+#undef LOCAL_DEBUG -+ -+#include "nest/bird.h" -+#include "nest/iface.h" -+#include "nest/protocol.h" -+#include "nest/route.h" -+#include "conf/conf.h" -+#include "filter/filter.h" -+#include "lib/string.h" -+ -+#include "firewall.h" -+ -+static int init_done = 0; -+struct tbf rl_fw_err; -+ -+static void -+firewall_collect(void) -+{ -+ memset(&firewalls, 0, sizeof(firewalls)); -+ log(L_DEBUG "Initializing firewalls.."); -+#ifdef CONFIG_FIREWALL_IPFW -+ firewalls[FWTYPE_IPFW] = &fw_ipfw; -+ log(L_DEBUG "IPFW.."); -+#endif -+#ifdef CONFIG_FIREWALL_PF -+ firewalls[FWTYPE_PF] = &fw_pf; -+ log(L_DEBUG "PF.."); -+#endif -+#ifdef CONFIG_FIREWALL_IPSET -+ firewalls[FWTYPE_IPSET] = &fw_ipset; -+ log(L_DEBUG "IPSET.."); -+#endif -+} -+ -+static void -+firewall_rt_notify(struct proto *P, rtable *src_table, net *n, rte *new, rte *old, ea_list *attrs) -+{ -+ struct firewall_proto *p = (struct firewall_proto *) P; -+ u32 prefix_val; -+ char prefix_data[10]; -+ -+ if (!new && !old) -+ return; -+ -+ prefix_val = ea_get_int(attrs, EA_FIREWALL_VALUE, 0); -+ -+ if (prefix_val) -+ bsnprintf(prefix_data, sizeof(prefix_data), "%u", prefix_val); -+ else -+ prefix_data[0] = '\0'; -+ -+ DBG("Got prefix %I/%d with data '%s'\n", n->n.prefix, n->n.pxlen, prefix_data); -+ -+ if (old && new && p->fw->fw_replace) -+ { -+ p->fw->fw_replace(p->fwdata, n, prefix_data); -+ return; -+ } -+ -+ if (old) -+ p->fw->fw_del(p->fwdata, n); -+ -+ if (new) -+ p->fw->fw_add(p->fwdata, n, prefix_data); -+} -+ -+static int -+firewall_start(struct proto *P) -+{ -+ struct firewall_proto *p = (struct firewall_proto *) P; -+ struct firewall_config *c = (struct firewall_config *)P->cf; -+ void *fwdata; -+ -+ if ((fwdata = p->fw->fw_init(P, 
c->fwtable)) == NULL) -+ return PS_START; -+ -+ p->fwdata = fwdata; -+ -+ /* Flush table if needed */ -+ if ((c->flush_start) && (p->fw->fw_flush)) -+ if (!p->fw->fw_flush(fwdata)) -+ { -+ log(L_ERR "flush failed for table %s", c->fwtable); -+ return PS_START; -+ } -+ -+ return PS_UP; -+} -+ -+static int -+firewall_shutdown(struct proto *P) -+{ -+ struct firewall_proto *p = (struct firewall_proto *) P; -+ struct firewall_config *c = (struct firewall_config *)P->cf; -+ -+ log(L_DEBUG, "Shutdown requested"); -+ -+ /* Flush table if needed */ -+ if ((c->flush_shutdown) && (p->fw->fw_flush)) -+ if (!p->fw->fw_flush(p->fwdata)) -+ log(L_ERR "flush failed for table %s", c->fwtable); -+ -+ p->fw->fw_shutdown(p->fwdata); -+ -+ return PS_DOWN; -+} -+ -+static struct proto * -+firewall_init(struct proto_config *C) -+{ -+ struct firewall_config *c = (struct firewall_config *) C; -+ struct proto *P = proto_new(C, sizeof(struct firewall_proto)); -+ struct firewall_proto *p = (struct firewall_proto *) P; -+ -+ /* Configure firewalls */ -+ if (!init_done) -+ { -+ init_done = 1; -+ firewall_collect(); -+ } -+ -+ p->fwtype = c->fwtype; -+ p->fw = firewalls[p->fwtype]; -+ P->accept_ra_types = RA_OPTIMAL; -+ P->rt_notify = firewall_rt_notify; -+ -+ return P; -+} -+ -+static int -+firewall_reconfigure(struct proto *P, struct proto_config *new) -+{ -+ struct firewall_config *o = (struct firewall_config *) P->cf; -+ struct firewall_config *n = (struct firewall_config *) new; -+ -+ if ((o->fwtype != n->fwtype) || (strcmp(o->fwtable, n->fwtable))) -+ return 0; -+ -+ return 1; -+} -+ -+static void -+firewall_copy_config(struct proto_config *dest, struct proto_config *src) -+{ -+ /* Just a shallow copy, not many items here */ -+ proto_copy_rest(dest, src, sizeof(struct firewall_config)); -+} -+ -+static void -+firewall_get_status(struct proto *P, byte *buf) -+{ -+ struct firewall_config *c = (struct firewall_config *) P->cf; -+ -+ bsprintf(buf, "Table [%s]", c->fwtable); -+} -+ -+static int 
-+firewall_get_attr(eattr * a, byte * buf, int buflen UNUSED) -+{ -+ switch (a->id) -+ { -+ case EA_FIREWALL_VALUE: -+ bsprintf(buf, "fw_value"); -+ return GA_NAME; -+ default: -+ return GA_UNKNOWN; -+ } -+} -+ -+ -+struct protocol proto_firewall = { -+ name: "Firewall", -+ template: "fw%d", -+ attr_class: EAP_FIREWALL, -+ config_size: sizeof(struct firewall_config), -+ init: firewall_init, -+ start: firewall_start, -+ shutdown: firewall_shutdown, -+ reconfigure: firewall_reconfigure, -+ copy_config: firewall_copy_config, -+ get_status: firewall_get_status, -+ get_attr: firewall_get_attr, -+}; -diff --git a/proto/firewall/firewall.h b/proto/firewall/firewall.h -new file mode 100644 -index 0000000..c97ed38 ---- /dev/null -+++ proto/firewall/firewall.h -@@ -0,0 +1,54 @@ -+/* -+ * BIRD -- Firewall Protocol Configuration -+ * -+ * (c) 2011 Alexander V. Chernikov -+ * -+ * Can be freely distributed and used under the terms of the GNU GPL. -+ */ -+ -+#ifndef _BIRD_FIREWALL_H_ -+#define _BIRD_FIREWALL_H_ -+ -+#define FWTYPE_IPFW 0 -+#define FWTYPE_PF 1 -+#define FWTYPE_IPSET 2 -+ -+#define FWTYPE_MAX 3 -+ -+#define EA_FIREWALL_VALUE EA_CODE(EAP_FIREWALL, 0) -+ -+struct firewall_config { -+ struct proto_config c; -+ int fwtype; /* Firewall type */ -+ char *fwtable; /* Firewall table to write to */ -+ int flush_start; /* Do table flush on startup? */ -+ int flush_shutdown; /* Do table flush on shutdown? */ -+}; -+ -+struct firewall_control { -+ int fwtype; /* Firewall type */ -+ char *description; /* Firewall description */ -+ void *(*fw_init)(struct proto *, char *); /* Init firewall instance */ -+ void (*fw_shutdown)(void *); /* Shutdown firewall instance */ -+ int (*fw_flush)(void *); /* Flush firewall table */ -+ int (*fw_add)(void *, net *, char *); /* Add record to table */ -+ int (*fw_del)(void *, net *); /* Remove record from table */ -+ int (*fw_replace)(void *, net *, char *); /* Replace record. 
Optional */ -+}; -+ -+struct firewall_control * firewalls[FWTYPE_MAX]; -+ -+struct firewall_proto { -+ struct proto p; -+ int fwtype; /* Firewall type */ -+ struct firewall_control *fw; /* Pointer to configured protocol type */ -+ void *fwdata; /* Firewall instance private data */ -+}; -+ -+extern struct protocol proto_firewall; -+ -+extern struct firewall_control fw_ipfw, fw_pf, fw_ipset; -+extern struct tbf rl_fw_err; -+#define FW_ERR(x, y...) log_rl(&rl_fw_err, L_ERR x, ##y) -+ -+#endif -diff --git a/sysdep/bsd/Modules b/sysdep/bsd/Modules -index 3729587..0607321 100644 ---- sysdep/bsd/Modules -+++ sysdep/bsd/Modules -@@ -1,3 +1,4 @@ - krt-sock.c - krt-sys.h - sysio.h -+fw.c -diff --git a/sysdep/bsd/fw.c b/sysdep/bsd/fw.c -new file mode 100644 -index 0000000..e841e06 ---- /dev/null -+++ sysdep/bsd/fw.c -@@ -0,0 +1,404 @@ -+/* -+ * BIRD -- IPFW/PF manipulations -+ * -+ * (c) 2011 Alexander V. Chernikov -+ * -+ * Can be freely distributed and used under the terms of the GNU GPL. -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#undef LOCAL_DEBUG -+ -+#include "nest/bird.h" -+#include "nest/iface.h" -+#include "nest/route.h" -+#include "nest/protocol.h" -+#include "nest/iface.h" -+#include "lib/timer.h" -+#include "lib/unix.h" -+#include "lib/krt.h" -+#include "lib/string.h" -+#include "lib/socket.h" -+#ifdef CONFIG_FIREWALL -+#include "proto/firewall/firewall.h" -+#ifdef CONFIG_FIREWALL_IPFW -+#include "netinet/ip_fw.h" -+#endif -+#ifdef CONFIG_FIREWALL_PF -+#include "net/pfvar.h" -+#endif -+ -+#ifdef CONFIG_FIREWALL_IPFW -+ -+int ipfw_fd = -1; -+int ipfw_instance_count = 0; -+ -+struct ipfw_priv { -+ int table; /* Table number */ -+ pool *pool; /* Protocol pool */ -+}; -+ -+int -+ipfw_do_cmd(int optname, void *optval, uintptr_t optlen) -+{ -+ return setsockopt(ipfw_fd, IPPROTO_IP, optname, optval, optlen); -+} -+ 
-+void * -+ipfw_fw_init(struct proto *p, char *table) -+{ -+ pool *fwpool = p->pool; -+ int table_num = strtol(table, NULL, 10); -+ int tables_max; -+ size_t len = sizeof(tables_max); -+ -+ if (sysctlbyname("net.inet.ip.fw.tables_max", &tables_max, &len, NULL, 0) == -1) -+ { -+ log(L_ERR "Error getting maximum ipfw table count"); -+ tables_max = IPFW_TABLES_MAX; -+ } -+ DBG("ipfw maximum table count set to %d\n", tables_max); -+ -+ if ((table_num < 0) || (table_num >= tables_max)) -+ { -+ log(L_ERR "ipfw table %d is not within possible range (0..%d)", table_num, tables_max); -+ return NULL; -+ } -+ -+ if (ipfw_fd == -1) -+ { -+ if ((ipfw_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) -+ { -+ log(L_ERR "ipfw: error opering raw socket: %m"); -+ return NULL; -+ } -+ DBG("Opened IPFW socked %d\n", ipfw_fd); -+ } -+ -+ struct ipfw_priv *priv = mb_alloc(fwpool, sizeof(struct ipfw_priv)); -+ -+ priv->table = table_num; -+ priv->pool = fwpool; -+ -+ ipfw_instance_count++; -+ -+ return priv; -+} -+ -+void -+ipfw_fw_shutdown(void *_priv UNUSED) -+{ -+ if (--ipfw_instance_count == 0) -+ { -+ DBG("Closing ipfw socket %d\n", ipfw_fd); -+ close(ipfw_fd); -+ ipfw_fd = -1; -+ } -+} -+ -+int -+ipfw_fw_flush(void *_priv) -+{ -+ struct ipfw_priv *priv = _priv; -+ ipfw_table_entry ent; -+ -+ memset(&ent, 0, sizeof(ent)); -+ ent.tbl = priv->table; -+ -+ log(L_DEBUG "Flushing ipfw table %d", priv->table); -+ -+ if (ipfw_do_cmd(IP_FW_TABLE_FLUSH, &ent.tbl, sizeof(ent.tbl)) == -1) -+ { -+ log(L_ERR "Error flushing ipfw table %d: %m", priv->table); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+int -+ipfw_fw_add(void *_priv, net *n, char *prefixdata) -+{ -+ struct ipfw_priv *priv = _priv; -+ ip_addr addr; -+ ipfw_table_entry ent; -+ -+ addr = n->n.prefix; -+ ipa_hton(addr); -+ -+ ent.masklen = n->n.pxlen; -+ memcpy(&ent.addr, &addr, sizeof(ip_addr)); -+ ent.value = strtol(prefixdata, NULL, 0); -+ ent.tbl = priv->table; -+ -+ DBG("Adding %I/%d to ipfw table %d with value %s\n", 
n->n.prefix, n->n.pxlen, priv->table, prefixdata); -+ -+ if (ipfw_do_cmd(IP_FW_TABLE_ADD, &ent, sizeof(ent)) == -1) -+ { -+ FW_ERR("Error adding %I/%d to ipfw table %d: %m", n->n.prefix, n->n.pxlen, priv->table); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+int -+ipfw_fw_del(void *_priv, net *n) -+{ -+ struct ipfw_priv *priv = _priv; -+ ip_addr addr; -+ ipfw_table_entry ent; -+ -+ addr = n->n.prefix; -+ ipa_hton(addr); -+ -+ ent.masklen = n->n.pxlen; -+ memcpy(&ent.addr, &addr, sizeof(ip_addr)); -+ ent.value = 0; -+ ent.tbl = priv->table; -+ -+ DBG("Removing %I/%d from ipfw table %d\n", n->n.prefix, n->n.pxlen, priv->table); -+ -+ if (ipfw_do_cmd(IP_FW_TABLE_DEL, &ent, sizeof(ent)) == -1) -+ { -+ FW_ERR("Error removing %I/%d from ipfw table %d: %m", n->n.prefix, n->n.pxlen, priv->table); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+struct firewall_control fw_ipfw = { -+ fwtype: FWTYPE_IPFW, -+ description: "IPFW", -+ fw_init: ipfw_fw_init, -+ fw_shutdown: ipfw_fw_shutdown, -+ fw_flush: ipfw_fw_flush, -+ fw_add: ipfw_fw_add, -+ fw_del: ipfw_fw_del, -+}; -+#endif -+ -+#ifdef CONFIG_FIREWALL_PF -+ -+#define PF_DEVNAME "/dev/pf" -+int pf_fd = -1; -+int pf_instance_count = 0; -+ -+struct pf_priv { -+ struct pfr_table table; /* PF table structure */ -+ pool *pool; /* Protocol pool */ -+}; -+ -+#define pf_tablename table.pfrt_name -+ -+int -+pf_do_cmd(struct pfr_table *tbl, unsigned long cmd, void *buffer, int esize, int items, int *nadd, int *ndel, int flags) -+{ -+ struct pfioc_table io; -+ -+ bzero(&io, sizeof(io)); -+ io.pfrio_flags = flags; -+ if (tbl) -+ io.pfrio_table = *tbl; -+ io.pfrio_buffer = buffer; -+ io.pfrio_esize = esize; -+ io.pfrio_size = items; -+ -+ /* DBG("Doing PF ioctl %X for table %s on fd %d\n", cmd, tbl ? 
tbl->pfrt_name : "NULL", pf_fd); */ -+ if (ioctl(pf_fd, cmd, &io)) -+ return 0; -+ -+ if (nadd) -+ *nadd = io.pfrio_nadd; -+ if (ndel) -+ *ndel = io.pfrio_ndel; -+ -+ return 1; -+} -+ -+void * -+pf_fw_init(struct proto *p, char *table) -+{ -+ pool *fwpool = p->pool; -+ struct pfr_table pf_table; -+ int nadd = 0; -+ -+ if (strlen(table) > PF_TABLE_NAME_SIZE) -+ { -+ log(L_ERR "PF table name too long, max %d", PF_TABLE_NAME_SIZE); -+ return NULL; -+ } -+ -+ memset(&pf_table, 0, sizeof(pf_table)); -+ -+ if (pf_fd == -1) -+ { -+ if ((pf_fd = open(PF_DEVNAME, O_RDWR)) == -1) -+ { -+ log(L_ERR "pf: error opening %s: %m", PF_DEVNAME); -+ return NULL; -+ } -+ -+ DBG("Opened PF socked %d\n", pf_fd); -+ } -+ -+ strcpy(pf_table.pfrt_name, table); -+ pf_table.pfrt_flags |= PFR_TFLAG_PERSIST; -+ if (!pf_do_cmd(NULL, DIOCRADDTABLES, &pf_table, sizeof(pf_table), 1, &nadd, NULL, 0)) -+ { -+ log(L_ERR "Error creating PF table %s: %m", table); -+ if (pf_instance_count == 0) -+ { -+ log(L_ERR "Closing PF socket"); -+ close(pf_fd); -+ pf_fd = -1; -+ } -+ return NULL; -+ } -+ DBG("PF table %s created\n", table); -+ /* Remove persistent flag */ -+ pf_table.pfrt_flags = 0; -+ -+ struct pf_priv *priv = mb_alloc(fwpool, sizeof(struct pf_priv)); -+ -+ priv->table = pf_table; -+ priv->pool = fwpool; -+ -+ pf_instance_count++; -+ -+ return priv; -+} -+ -+void -+pf_fw_shutdown(void *_priv UNUSED) -+{ -+ if (--pf_instance_count == 0) -+ { -+ DBG("Closing PF socket %d\n", pf_fd); -+ close(pf_fd); -+ pf_fd = -1; -+ } -+} -+ -+int -+pf_fw_flush(void *_priv) -+{ -+ struct pf_priv *priv = _priv; -+ int ndel; -+ -+ log(L_DEBUG "Flushing PF table %s", priv->pf_tablename); -+ -+ if (!pf_do_cmd(&priv->table, DIOCRCLRADDRS, NULL, 0, 0, NULL, &ndel, 0)) -+ { -+ log(L_ERR "Error flushing PF table %s: %m", priv->pf_tablename); -+ return 0; -+ } -+ -+ DBG("Flushed %d record(s) from PF table %s\n", ndel, priv->pf_tablename); -+ -+ return 1; -+} -+ -+static int -+pf_put_addr(struct pfr_addr *pf_addr, net *n) 
-+{ -+ int rt_family = AF_INET; -+ ip_addr addr; -+ -+ memset(pf_addr, 0, sizeof(struct pfr_addr)); -+ pf_addr->pfra_not = 0; -+ pf_addr->pfra_net = n->n.pxlen; -+ switch (rt_family) -+ { -+ case AF_INET: -+ addr = n->n.prefix; -+ ipa_hton(addr); -+ pf_addr->pfra_ip4addr.s_addr = addr; -+ pf_addr->pfra_af = rt_family; -+ break; -+ default: -+ log(L_ERR "Address family %d is not supported by pf, ignoring prefix", rt_family); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+int -+pf_fw_add(void *_priv, net *n, char *prefixdata) -+{ -+ struct pf_priv *priv = _priv; -+ struct pfr_addr pf_addr; -+ int nadd = 0; -+ -+ if (!pf_put_addr(&pf_addr, n)) -+ { -+ FW_ERR("Error adding %I/%d to PF table %s", n->n.prefix, n->n.pxlen, priv->pf_tablename); -+ return 0; -+ } -+ -+ DBG("Adding %I/%d to PF table %s with value %s\n", n->n.prefix, n->n.pxlen, priv->pf_tablename, prefixdata); -+ if (!pf_do_cmd(&priv->table, DIOCRADDADDRS, &pf_addr, sizeof(pf_addr), 1, &nadd, NULL, 0)) -+ { -+ FW_ERR("Error adding %I/%d to PF table %s: %m", n->n.prefix, n->n.pxlen, priv->pf_tablename); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+int -+pf_fw_del(void *_priv, net *n) -+{ -+ struct pf_priv *priv = _priv; -+ struct pfr_addr pf_addr; -+ int ndel = 0; -+ -+ if (!pf_put_addr(&pf_addr, n)) -+ { -+ FW_ERR("Error deleting %I/%d from PF table %s", n->n.prefix, n->n.pxlen, priv->pf_tablename); -+ return 0; -+ } -+ -+ DBG("Deleting %I/%d from PF table %s\n", n->n.prefix, n->n.pxlen, priv->pf_tablename); -+ if (!pf_do_cmd(&priv->table, DIOCRDELADDRS, &pf_addr, sizeof(pf_addr), 1, NULL, &ndel, 0)) -+ { -+ FW_ERR("Error deleting %I/%d from PF table %s: %m", n->n.prefix, n->n.pxlen, priv->pf_tablename); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+struct firewall_control fw_pf = { -+ fwtype: FWTYPE_PF, -+ description: "PF", -+ fw_init: pf_fw_init, -+ fw_shutdown: pf_fw_shutdown, -+ fw_flush: pf_fw_flush, -+ fw_add: pf_fw_add, -+ fw_del: pf_fw_del, -+}; -+#endif -+ -+ -+#endif -+ --- -1.7.3.2 - ---- configure.orig 
2012-08-07 13:28:04.000000000 +0400 -+++ configure 2012-08-15 15:54:05.000000000 +0400 -@@ -4361,6 +4361,8 @@ - ipv6:freebsd*) sysdesc=bsd-v6 - ;; - ipv4:freebsd*) sysdesc=bsd -+ $as_echo "#define CONFIG_FIREWALL_IPFW 1" >>confdefs.h -+ $as_echo "#define CONFIG_FIREWALL_PF 1" >>confdefs.h - ;; - ipv6:dragonfly*) sysdesc=bsd-v6 - ;; - Property changes on: head/net/bird/files/firewall_support.patch ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/net/bird/files/patch-sysdep-bsd-sysio.h =================================================================== --- head/net/bird/files/patch-sysdep-bsd-sysio.h (revision 465712) +++ head/net/bird/files/patch-sysdep-bsd-sysio.h (nonexistent) 
@@ -1,23 +0,0 @@
-diff --git sysdep/bsd/sysio.h sysdep/bsd/sysio.h
-index 2610a47..9b10e6e 100644
---- sysdep/bsd/sysio.h
-+++ sysdep/bsd/sysio.h
-@@ -9,6 +9,7 @@
- #include
- #include // Workaround for some BSDs
- #include
-+#include
- 
- 
- #ifdef __NetBSD__
-@@ -179,8 +180,8 @@ sk_prepare_ip_header(sock *s, void *hdr, int dlen)
- ip->ip_src = ipa_to_in4(s->saddr);
- ip->ip_dst = ipa_to_in4(s->daddr);
- 
--#ifdef __OpenBSD__
-- /* OpenBSD expects ip_len in network order, other BSDs expect host order */
-+#if (defined __OpenBSD__) || (defined __DragonFly__) || (defined __FreeBSD__ && (__FreeBSD_version >= 1100030))
-+ /* Different BSDs have different expectations of ip_len endianity */
- ip->ip_len = htons(ip->ip_len);
- #endif
- }
Property changes on: head/net/bird/files/patch-sysdep-bsd-sysio.h
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/net/bird/files/patch-sysdep-bsd-setkey.h
===================================================================
--- head/net/bird/files/patch-sysdep-bsd-setkey.h (revision 465712)
+++ head/net/bird/files/patch-sysdep-bsd-setkey.h (revision 465713)
@@ -1,19 +1,19 @@
---- sysdep/bsd/setkey.h 2017-05-15 14:04:47.215628000 +0300
-+++ sysdep/bsd/setkey.h 2017-05-15 14:05:36.850028000 +0300
+--- sysdep/bsd/setkey.h.orig 2018-03-22 12:32:46 UTC
++++ sysdep/bsd/setkey.h
@@ -158,12 +158,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr if (len > TCP_KEYLEN_MAX) ERR_MSG("The password for TCP MD5 Signature is too long"); - if (setkey_md5(&src, &dst, passwd, SADB_ADD) < 0) + if (setkey_md5(&src, &dst, passwd, SADB_ADD) < 0 || + setkey_md5(&dst, &src, passwd, SADB_ADD) < 0) ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database"); } else { - if (setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0) + if (setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0 || + setkey_md5(&dst, &src, NULL, SADB_DELETE) < 0) ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database"); } return 0; Index: head/net/bird/files/patch-tools_gendist =================================================================== --- head/net/bird/files/patch-tools_gendist (nonexistent) +++ head/net/bird/files/patch-tools_gendist (revision 465713) @@ -0,0 +1,11 @@ +--- tools/gendist.orig 2018-03-26 21:29:43 UTC ++++ tools/gendist +@@ -5,7 +5,7 @@ + # + + set -e +-AC=`if [ -x /usr/bin/autoconf2.50 ] ; then echo autoconf2.50 ; else echo autoconf ; fi` ++AC=autoreconf + $AC + ./configure + make distclean Property changes on: head/net/bird/files/patch-tools_gendist ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property