PSARC/2014/291 PFLOGD: Packet Logging for PF
authorPetr Hoffmann <petr.hoffmann@oracle.com>
Thu, 17 Mar 2016 00:08:54 -0700
changeset 5618 a7df12d981ea
parent 5617 58e4e2a36e77
child 5619 4d97a998cbcc
PSARC/2014/291 PFLOGD: Packet Logging for PF PSARC/2014/292 FTP-PROXY: PF FTP-proxy supporting IPv4 NAT 22351416 deliver pflogd 22330374 deliver ftp-proxy
components/ftp-proxy/Makefile
components/ftp-proxy/ftp-proxy.Solaris/firewall-ftp-proxy.xml
components/ftp-proxy/ftp-proxy.Solaris/ftp-proxy
components/ftp-proxy/ftp-proxy.license
components/ftp-proxy/ftp-proxy.p5m
components/ftp-proxy/patches/001-solaris.patch
components/ftp-proxy/patches/002-smf.patch
components/pflogd/Makefile
components/pflogd/patches/001-solaris.patch
components/pflogd/patches/002-smf.patch
components/pflogd/pflogd.Solaris/firewall-pflog.xml
components/pflogd/pflogd.Solaris/pflog
components/pflogd/pflogd.license
components/pflogd/pflogd.p5m
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/Makefile	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,75 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME=		ftp-proxy
+COMPONENT_VERSION=	OPENBSD_5_5
+IPS_COMPONENT_VERSION=	5.5
+COMPONENT_PROJECT_URL=	http://www.openbsd.org
+COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
+COMPONENT_ARCHIVE_HASH= sha256:372dbe0ca8c6b090842a9f0fbdd13b320dc37883137d3dc674d588448aa2d5e9
+CLEAN_PATHS +=		$(COMPONENT_SRC)
+CLOBBER_PATHS +=	$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=	service/ftp-proxy
+
+TPNO=	24255
+
+#
+# Don't overwrite CFLAGS here, just add our options there.
+#
+COMPONENT_BUILD_ENV += CFLAGS="$(CFLAGS) -D_SOLARIS_ -DOBSD_COMP -lscf"
+COMPONENT_BUILD_ARGS +=	CC="$(CC)"
+
+include ../../make-rules/prep.mk
+include ../../make-rules/justmake.mk
+include ../../make-rules/ips.mk
+
+COMPONENT_INSTALL_ARGS +=	PREFIX=$(PROTOUSRDIR)
+COMPONENT_INSTALL_ARGS +=	MANDIR=$(PROTOUSRSHAREMANDIR)
+COMPONENT_INSTALL_ARGS +=	INSTALL=/usr/gnu/bin/install
+
+ASLR_MODE = $(ASLR_ENABLE)
+
+# common targets
+build:		$(BUILD_64)
+
+install:	$(INSTALL_64)
+
+test:		$(NO_TESTS)
+
+# Here we just download the cached source archive. In order to update
+# the cache, we have to get the sources via CVS manually and ask gatekeepers
+# to place it into the cache. There is no archive available at openbsd.org.
+download:: $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE)
+
+$(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE): $(MAKEFILE_PREREQ)
+	$(FETCH) --file [email protected] --hash $(COMPONENT_ARCHIVE_HASH)
+	$(TOUCH) [email protected]
+
+REQUIRED_PACKAGES += library/libevent
+REQUIRED_PACKAGES += network/firewall
+REQUIRED_PACKAGES += shell/ksh93
+REQUIRED_PACKAGES += system/core-os
+REQUIRED_PACKAGES += system/header
+REQUIRED_PACKAGES += system/library
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/ftp-proxy.Solaris/firewall-ftp-proxy.xml	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,203 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+
+    NOTE:  This service manifest is not editable; its contents will
+    be overwritten by package or patch operations, including
+    operating system upgrade.  Make customizations in a different
+    file.
+-->
+
+<service_bundle type='manifest' name='network/firewall/ftp-proxy' >
+
+<service
+    name='network/firewall/ftp-proxy'
+    type='service'
+    version='1'>
+	<dependency
+	    name='firewall'
+	    grouping='require_all'
+	    restart_on='restart'
+	    type='service'>
+		<service_fmri value='svc:/network/firewall:default'/>
+	</dependency>
+
+	<method_context>
+		<method_credential
+		    user='daemon'
+		    group='daemon'
+		    privileges='basic,!file_write,!file_link_any,!proc_info,!proc_session,sys_ip_config'
+		/>
+	</method_context>
+
+	<exec_method 
+	    type='method' 
+	    name='start'
+	    exec='/lib/svc/method/ftp-proxy start "%{ftp-proxy/anonymous-only}" "%{ftp-proxy/proxy-NAT-address}" "%{ftp-proxy/proxy-listen-address}" "%{ftp-proxy/debug-level}" "%{ftp-proxy/maxsessions}" "%{ftp-proxy/listen-port}" "%{ftp-proxy/reverse-mode-address}" "%{ftp-proxy/reverse-mode-port}" "%{ftp-proxy/always-use-ftp-data-port}" "%{ftp-proxy/tag}" "%{ftp-proxy/timeout}" "%{ftp-proxy/log}"'
+	    timeout_seconds='30'>
+	</exec_method>
+
+	<exec_method 
+	    type='method' 
+	    name='stop'
+	    exec=':kill'
+	    timeout_seconds='60'>
+	</exec_method>
+
+	<exec_method
+	    type='method'
+	    name='refresh'
+	    exec=':kill'
+	    timeout_seconds='5'>
+	</exec_method>
+
+	<instance name='default' enabled='false' complete='true'>
+		<property_group name="general" type="framework">
+			<propval
+			    name='action_authorization'
+			    type='astring'
+			    value='solaris.smf.manage.network.firewall' />
+			<propval
+			    name='value_authorization'
+			    type='astring'
+			    value='solaris.smf.manage.network.firewall' />
+		</property_group>
+		<property_group name='ftp-proxy' type='application'>
+			<propval name='anonymous-only' type='astring' value='off' />
+			<propval name='proxy-NAT-address' type='astring' value='' />
+			<propval
+			    name='proxy-listen-address'
+			    type='astring'
+			    value='127.0.0.1' />
+			<propval name='debug-level' type='integer' value='5' />
+			<propval
+			    name='maxsessions'
+			    type='integer'
+			    value='100' />
+			<propval
+			    name='listen-port'
+			    type='integer'
+			    value='8021' />
+			<propval
+			    name='reverse-mode-address'
+			    type='astring'
+			    value='' />
+			<propval name='reverse-mode-port' type='integer' value='21' />
+			<propval
+			    name='always-use-ftp-data-port'
+			    type='astring'
+			    value='off' />
+			<propval name='tag' type='astring' value=''/>
+			<propval name='timeout' type='integer' value='86400' />
+			<propval name='log' type='astring' value='off' />
+			<propval
+			    name='value_authorization'
+			    type='astring'
+			    value='solaris.smf.value.network.firewall' />
+		</property_group>
+	</instance>
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			ftp-proxy - FTP proxy daemon for PF
+			</loctext>      
+		</common_name>
+		<documentation>
+			<manpage title='ftp-proxy' section='1M' manpath='/usr/share/man' />
+		</documentation>
+		<pg_pattern name="ftp-proxy" type="application" target="instance" required="true">
+			<prop_pattern name="anonymous-only" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<value name="on"/>
+					<value name="off"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="proxy-NAT-address" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="proxy-listen-address" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="debug-level" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="0" max="7"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="maxsessions" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="1" max="500"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="listen-port" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="0" max="65535"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="reverse-mode-address" type="astring" required="true">
+				<cardinality min="0" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="reverse-mode-port" type="integer" required="true">
+				<cardinality min="0" max="1"/>
+				<constraints>
+					<range min="0" max="65535"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="always-use-ftp-data-port" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<value name="on"/>
+					<value name="off"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="tag" type="astring" required="true">
+				<cardinality min="0" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="timeout" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="0" max="86400"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="log" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<value name="on"/>
+					<value name="off"/>
+					<value name="all"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="value_authorization" type="astring">
+			</prop_pattern>
+		</pg_pattern>
+	</template>
+</service>
+
+</service_bundle>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/ftp-proxy.Solaris/ftp-proxy	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,186 @@
+#!/sbin/sh
+#
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+. /lib/svc/share/smf_include.sh
+
+PATH=$PATH:/usr/sbin
+
+# Retrieve an unescaped property value from a method token.
+# Arguments:
+# - raw method token value
+# Outputs:
+# - unescaped property value
+# Returns:
+# - 0 on success
+# - 1 when unescaping failed
+get_property()
+{
+	VALUE="$(echo "$1" | /usr/bin/sed 's/\\\(.\)/\1/g')"
+
+	if [[ $? -ne 0 ]]; then
+		exit 1
+	fi
+
+	echo "$VALUE"
+}
+
+failure()
+{
+	echo "An unknown error occurred. Probably either /usr/bin/sed is"
+	echo "missing or system resources are exhausted."
+	exit $SMF_EXIT_ERR_FATAL
+}
+
+# Exit with error if given variable is empty or unset.
+# Arguments:
+# - Variable name
+# - SMF property the variable's value is obtained from
+# Exits when the variable value is empty or unset,
+# returns otherwise.
+failure_empty_value()
+{
+	eval "[[ -z \${$1:-} ]] || return 0"
+	echo "The ftp-proxy/$2 property cannot be empty."
+	exit $SMF_EXIT_ERR_FATAL
+}
+
+failure_invalid_value()
+{
+	echo "The ftp-proxy/$1 property value is invalid."
+	exit $SMF_EXIT_ERR_FATAL
+}
+
+# store and unescape property values
+FTPPX_ANONYMOUS="$(get_property "$2")" || failure
+FTPPX_PROXY_ADDRESS="$(get_property "$3")" || failure
+FTPPX_PROXY_LISTEN_ADDRESS="$(get_property "$4")" || failure
+FTPPX_DEBUG_LEVEL="$(get_property "$5")" || failure
+FTPPX_MAXSESSIONS="$(get_property "$6")" || failure
+FTPPX_PROXY_LISTEN_PORT="$(get_property "$7")" || failure
+FTPPX_REVERSE_MODE_ADDRESS="$(get_property "$8")" || failure
+FTPPX_REVERSE_MODE_PORT="$(get_property "$9")" || failure
+FTPPX_REWRITE_SOURCE_PORT="$(get_property "${10}")" || failure
+FTPPX_TAG="$(get_property "${11}")" || failure
+FTPPX_TIMEOUT="$(get_property "${12}")" || failure
+FTPPX_LOG="$(get_property "${13}")" || failure
+
+# check the following properties are not empty and add them
+# to the command-line used to start the ftp-proxy
+typeset -a CMDLINE
+
+failure_empty_value FTPPX_PROXY_ADDRESS proxy-NAT-address
+CMDLINE+=( -a "$FTPPX_PROXY_ADDRESS" )
+
+failure_empty_value FTPPX_PROXY_LISTEN_ADDRESS proxy-listen-address
+CMDLINE+=( -b "$FTPPX_PROXY_LISTEN_ADDRESS" )
+
+failure_empty_value FTPPX_DEBUG_LEVEL debug-level
+CMDLINE+=( -D "$FTPPX_DEBUG_LEVEL" )
+
+failure_empty_value FTPPX_MAXSESSIONS maxsessions
+CMDLINE+=( -m "$FTPPX_MAXSESSIONS" )
+
+failure_empty_value FTPPX_PROXY_LISTEN_PORT listen-port
+CMDLINE+= ( -p "$FTPPX_PROXY_LISTEN_PORT" )
+
+failure_empty_value FTPPX_TIMEOUT timeout
+CMDLINE+=( -t "$FTPPX_TIMEOUT" )
+
+case $FTPPX_ANONYMOUS in
+	on)	CMDLINE+=( -A on )
+		;;
+	off)	# nothing needed
+		;;
+	*)	failure_invalid_value anonymous-only
+		;;
+esac
+
+# reverse-mode-address is optional
+if [[ -n $FTPPX_REVERSE_MODE_ADDRESS ]]; then
+	CMDLINE+=( -R "$FTPPX_REVERSE_MODE_ADDRESS" )
+	if [[ -n $FTPPX_REVERSE_MODE_PORT ]]; then
+		CMDLINE+=( -P "$FTPPX_REVERSE_MODE_PORT" )
+	fi
+fi
+
+case $FTPPX_REWRITE_SOURCE_PORT in
+	on)	CMDLINE+=( -r on )
+		;;
+	off)	# nothing needed
+		;;
+	*)	failure_invalid_value always-use-ftp-data-port
+		;;
+esac
+
+# tag is optional
+if [[ -n $FTPPX_TAG ]]; then
+	CMDLINE+=( -T "$FTPPX_TAG" )
+fi
+
+case $FTPPX_LOG in
+	on)	CMDLINE+=( -v on )
+		;;
+	all)	CMDLINE+=( -v all )
+		;;
+	off)	CMDLINE+=( -v off )
+		;;
+	*)	failure_invalid_value log
+		;;
+esac
+
+function start_proxy
+{
+	ANCHOR=$(echo "$SMF_FMRI" | \
+	    /usr/bin/cut -f 2- -d / | /usr/bin/tr / :)
+	if [[ -z $ANCHOR ]]; then
+		echo "Unable to form a valid anchor name."
+		exit $SMF_EXIT_ERR_FATAL
+	fi
+	ANCHOR="_auto/$ANCHOR"
+	echo 'anchor "*"' | pfctl -a "$ANCHOR" -f -
+
+	if [[ $? -ne 0 ]]; then
+		echo "Unable to load rules into the firewall."
+		exit $SMF_EXIT_ERR_FATAL
+	fi
+
+	CMDLINE+=( -X "$ANCHOR" )
+	smf_clear_env
+	ftp-proxy "${CMDLINE[@]}"
+}
+
+case "$1" in
+	start)
+		start_proxy
+		;;
+
+	*)
+		echo "Usage: $0 \c" >&2
+		echo "(start)" >&2
+		exit 1
+		;;
+
+esac
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/ftp-proxy.license	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,71 @@
+--------------------------------------------------------------------------------
+This package brings a (modified) ftp-proxy component coming from OpenBSD 5.5.
+--------------------------------------------------------------------------------
+
+filter.c:
+/*
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+filter.h:
+/*
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+ftp-proxy.8:
+.\"     $OpenBSD: ftp-proxy.8,v 1.19 2012/06/25 11:49:19 jmc Exp $
+.\"
+.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ftp-proxy.c:
+/*
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/ftp-proxy.p5m	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,45 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+<transform file path=usr.*/man/.+ -> default mangler.man.stability volatile>
+set name=pkg.fmri \
+    value=pkg:/network/firewall/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="ftp-proxy - FTP proxy daemon for PF"
+set name=pkg.description value="ftp-proxy handles FTP protocol over NAT in PF"
+set name=com.oracle.info.description value="ftp-proxy, FTP proxy daemon"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+    value="org.opensolaris.category.2008:System/Administration and Configuration"
+set name=info.source-url \
+    value=http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2014/292
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file ftp-proxy.Solaris/firewall-ftp-proxy.xml \
+    path=lib/svc/manifest/network/firewall/ftp-proxy.xml
+file ftp-proxy.Solaris/ftp-proxy path=lib/svc/method/ftp-proxy mode=0555
+file path=usr/sbin/ftp-proxy
+file path=usr/share/man/man8/ftp-proxy.8
+license ftp-proxy.license license="ftp-proxy license"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/patches/001-solaris.patch	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,642 @@
+# This patch comes from Oracle. It fixes issues preventing ftp-proxy
+# from building and running on Solaris. Especially, we:
+# - disabled features missing support on Solaris (queuing, rtable..)
+#   where adding such support is not reasonable
+# - used workarounds to deal with missing pieces on Solaris (missing
+#   structure members in sockaddr, PF not supporting divert-to,
+#   using Solaris-specific random number generator) 
+#
+# These changes are not going to upstream, they are Solaris-specific.
+
+diff -Naur ORIGINAL/Makefile ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile
+--- ORIGINAL/Makefile	2006-11-26 03:31:13.000000000 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile	2016-02-10 04:21:21.337202150 -0800
[email protected]@ -1,13 +1,29 @@
+ #	$OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+ 
++CFLAGS+= -m64 -errwarn
++
+ PROG=	ftp-proxy
+ SRCS=	ftp-proxy.c filter.c
++OBJS=$(SRCS:.c=.o)
+ MAN=	ftp-proxy.8
+ 
+-CFLAGS+= -I${.CURDIR}
+-CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \
+-         -Wno-uninitialized
+-LDADD+=	-levent
+-DPADD+= ${LIBEVENT}
++LDADD+=	-levent -luutil
++LDFLAGS+=	-z nolazyload
++
++all:	$(SRCS) $(PROG)
++
++install: $(PROG)
++	$(INSTALL) -d $(PREFIX)/sbin
++	$(INSTALL) -m 755 $(PROG) $(PREFIX)/sbin
++	$(INSTALL) -d $(MANDIR)/man8
++	$(INSTALL) -m 644 $(MAN) $(MANDIR)/man8
++
++$(PROG):	$(OBJS)
++	$(CC) $(CFLAGS) $(OBJS) -o [email protected] $(LDFLAGS) $(LDADD)
++
++.c.o:
++	$(CC) $(CFLAGS) -c -o [email protected] $<
+ 
+-.include <bsd.prog.mk>
++clean:
++	rm -rf *.o
++	rm -rf $(PROG)
+diff -Naur ORIGINAL/filter.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c
+--- ORIGINAL/filter.c	2012-09-18 03:11:53.000000000 -0700
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c	2016-02-10 04:24:03.599069704 -0800
[email protected]@ -32,6 +32,10 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
++#ifdef _SOLARIS_
++/* we need _IOWR */
++#include <sys/ioccom.h>
++#endif	/* _SOLARIS_ */
+ 
+ #include "filter.h"
+ 
+diff -Naur ORIGINAL/ftp-proxy.8 ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8
+--- ORIGINAL/ftp-proxy.8	2012-06-25 04:49:19.000000000 -0700
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8	2016-02-24 06:31:17.792565815 -0800
[email protected]@ -30,17 +30,16 @@
+ .Op Fl m Ar maxsessions
+ .Op Fl P Ar port
+ .Op Fl p Ar port
+-.Op Fl q Ar queue
+ .Op Fl R Ar address
+ .Op Fl T Ar tag
+ .Op Fl t Ar timeout
+ .Ek
+ .Sh DESCRIPTION
+ .Nm
+-is a proxy for the Internet File Transfer Protocol.
+-FTP control connections should be redirected into the proxy using the
+-.Xr pf 4
+-.Ar divert-to
++is a proxy for the Internet File Transfer Protocol making connections
++over IPv4 NAT possible.
++FTP control connections should be redirected into the proxy using the PF
++.Ar rdr-to
+ command, after which the proxy connects to the server on behalf of
+ the client.
+ .Pp
[email protected]@ -51,22 +50,20 @@
+ Consequently, all connections from the server to the proxy have
+ their destination address rewritten, so they are redirected to the
+ client.
+-The proxy uses the
+-.Xr pf 4
++The proxy uses the PF
+ .Ar anchor
+ facility for this.
+ .Pp
+ Assuming the FTP control connection is from $client to $server, the
+-proxy connected to the server using the $proxy source address, and
+-$port is negotiated, then
++proxy is connected to the server using the $proxy source address, and
++$port is negotiated, the
+ .Nm
+ adds the following rules to the anchor.
+ $server and $orig_server are the same unless
+ .Fl R
+ is used to force a different $server address for all connections.
+-(These example rules use inet, but the proxy also supports inet6.)
+ .Pp
+-In case of active mode (PORT or EPRT):
++In case of active mode (PORT):
+ .Bd -literal -offset 2n
+ pass in from $server to $proxy port $proxy_port \e
+     rdr-to $client port $port
[email protected]@ -74,7 +71,7 @@
+     nat-to $orig_server port $natport
+ .Ed
+ .Pp
+-In case of passive mode (PASV or EPSV):
++In case of passive mode (PASV):
+ .Bd -literal -offset 2n
+ pass in from $client to $orig_server port $proxy_port \e
+     rdr-to $server port $port
[email protected]@ -83,11 +80,6 @@
+ .Pp
+ The options are as follows:
+ .Bl -tag -width Ds
+-.It Fl 6
+-IPv6 mode.
+-The proxy will expect and use IPv6 addresses for all communication.
+-Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
+-The proxy is in IPv4 mode by default.
+ .It Fl A
+ Only permit anonymous FTP connections.
+ Either user "ftp" or user "anonymous" is allowed.
[email protected]@ -96,14 +88,11 @@
+ connection to a server.
+ .It Fl b Ar address
+ Address where the proxy will listen for redirected control connections.
+-The default is 127.0.0.1, or ::1 in IPv6 mode.
++The default is 127.0.0.1.
+ .It Fl D Ar level
+ Debug level, ranging from 0 to 7.
+ Higher is more verbose.
+ The default is 5.
+-(These levels correspond to the
+-.Xr syslog 3
+-levels.)
+ .It Fl d
+ Do not daemonize.
+ The process will stay in the foreground, logging to standard error.
[email protected]@ -120,10 +109,6 @@
+ .It Fl p Ar port
+ Port where the proxy will listen for redirected connections.
+ The default is port 8021.
+-.It Fl q Ar queue
+-Create rules with queue
+-.Ar queue
+-appended, so that data connections can be queued.
+ .It Fl R Ar address
+ Fixed server address, also known as reverse mode.
+ The proxy will always connect to the same server, regardless of
[email protected]@ -142,9 +127,8 @@
+ keyword can be implemented following the
+ .Nm
+ anchor.
+-These rules can use special
+-.Xr pf 4
+-features like route-to, reply-to, label, rtable, overload, etc. that
++These rules can use special PF
++features like route-to, reply-to, label, overload, etc. that
+ .Nm
+ does not implement itself.
+ There must be a matching pass rule after the
[email protected]@ -159,7 +143,9 @@
+ .It Fl v
+ Set the 'log' flag on pf rules committed by
+ .Nm .
+-Use twice to set the 'log all' flag.
++Use twice to set the
++.Sq log all
++flag.
+ The pf rules do not log by default.
+ .El
+ .Sh CONFIGURATION
[email protected]@ -171,27 +157,23 @@
+ necessary.
+ .Bd -literal -offset 2n
+ anchor "ftp-proxy/*"
+-pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
++pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+ pass out inet proto tcp from (self) to any port ftp
+ .Ed
++.Pp
++To run
++.Nm
++in a non-global zone, the
++.Bd -literal -offset indent
++svc:/network/socket-filter:pf_divert
++.Ed
++instance must be online in the global zone.
+ .Sh SEE ALSO
+-.Xr ftp 1 ,
+-.Xr pf 4 ,
+ .Xr pf.conf 5
+ .Sh CAVEATS
+-.Xr pf 4
+-does not allow the ruleset to be modified if the system is running at a
+-.Xr securelevel 7
+-higher than 1.
+-At that level
+-.Nm
+-cannot add rules to the anchors and FTP data connections may get blocked.
+ .Pp
+ Negotiated data connection ports below 1024 are not allowed.
+ .Pp
+ The negotiated IP address for active modes is ignored for security
+ reasons.
+ This makes third party file transfers impossible.
+-.Pp
+-.Nm
+-chroots to "/var/empty" and changes to user "proxy" to drop privileges.
+diff -Naur ORIGINAL/ftp-proxy.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c
+--- ORIGINAL/ftp-proxy.c	2013-03-15 06:31:27.000000000 -0700
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c	2016-02-10 04:12:16.600723376 -0800
[email protected]@ -38,9 +38,20 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#ifdef _SOLARIS_
++#include <strings.h>
++#include <sys/types.h>
++#include <time.h>
++#include <libuutil.h>
++#include <sys/random.h>
++#include <inttypes.h>
++#include <priv.h>
++#endif	/* _SOLARIS_ */
+ #include <syslog.h>
+ #include <unistd.h>
++#ifndef _SOLARIS_
+ #include <vis.h>
++#endif	/* !_SOLARIS_ */
+ 
+ #include "filter.h"
+ 
[email protected]@ -60,6 +71,32 @@
+ 
+ #define	sstosa(ss)	((struct sockaddr *)(ss))
+ 
++#ifdef _SOLARIS_
++/*
++ * These constants are used as a range used by pick_proxy_port(). The ftp-proxy
++ * never binds these ports. They are used only within proxy_reply() and add_rdr()
++ * to be put into a FTP-protocol message and to construct the rule to be loaded
++ * into PF, respectively.
++ *
++ * OpenBSD adheres to a convention where these port numbers are reserved for
++ * connections that want to bypass a firewall. Surely, it depends on how the
++ * administrator configures the firewall, too. Let's stick to that convention
++ * here. The idea probably is "if the admin uses this convention, these ports
++ * are not filtered and thus we are not going to clash with current firewall
++ * rules".
++ */
++#define IPPORT_HIFIRSTAUTO	49152
++#define IPPORT_HILASTAUTO	65535
++
++#define getrtable() 0
++
++#ifndef LIST_END
++#define LIST_END(x) NULL
++#endif	/* !LIST_END */
++
++#define	DIVERT_MODULE_NAME "pf_divertf"
++#endif	/* _SOLARIS_ */
++
+ enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
+ 
+ struct session {
[email protected]@ -115,12 +152,59 @@
+ 
+ struct event listen_ev, pause_accept_ev;
+ struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
++#ifdef _SOLARIS_
++static socklen_t fixed_server_ss_len;
++static socklen_t fixed_proxy_ss_len;
++#endif	/* _SOLARIS_ */
+ char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
+     *qname, *tagname;
+ int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
+     rfc_mode, session_count, timeout, verbose;
+ extern char *__progname;
+ 
++#ifdef	_SOLARIS_
++/*
++ * fake_arc4random_uniform()
++ * This is a fake implementation of arc4random_uniform(). The wrapper
++ * provides so called uniform calculation of pseudo random number with
++ * respect to upper bound.
++ *
++ * Function calculates random numbers until it finds one outside
++ * <0, 2^32 % upper_bound) range. Once random number, `rand`, is selected,
++ * function returns rand % upper_bound.
++ *
++ * Arguments:
++ *	upper_bound	- random number is picked up in range <0, upper_bound)
++ *
++ * Returns:
++ *	random number, uniform with respect to upper bound.
++ *      Returns UINT32_MAX on error.
++ */
++static u_int32_t
++fake_arc4random_uniform(u_int32_t upper_bound)
++{
++	u_int32_t	rand, min;
++
++	if (upper_bound < 2)
++		return (0);
++
++	/*
++	 * 2**32 % x == (2**32 - x) % x
++	 * (Trick comes from OpenBSD, arc4random_uniform.c)
++	 */
++	min = -upper_bound % upper_bound;
++	for (;;) {
++		if (getrandom(&rand, sizeof (rand), GRND_NONBLOCK) !=
++		    sizeof (rand))
++			return (UINT32_MAX);
++		if (rand >= min)
++			break;
++	}
++
++	return (rand % upper_bound);
++}
++#endif	/* _SOLARIS_ */
++
+ void
+ client_error(struct bufferevent *bufev, short what, void *arg)
+ {
[email protected]@ -220,6 +304,12 @@
+ 			return (0);
+ 		}
+ 		s->proxy_port = pick_proxy_port();
++#ifdef _SOLARIS_
++		if (s->proxy_port == UINT16_MAX) {
++			logmsg(LOG_CRIT, "pick_proxy_port() failed");
++			return (0);
++		}
++#endif /* _SOLARIS_ */
+ 		proxy_reply(s->cmd, sstosa(&s->proxy_ss), s->proxy_port);
+ 		logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
+ 	}
[email protected]@ -378,13 +468,30 @@
+ 	struct sockaddr *proxy_to_server_sa;
+ 	struct session *s;
+ 	socklen_t len;
++#ifdef _SOLARIS_
++	socklen_t client_sa_len, server_sa_len;
++	int one = 1; /* parameter for setsockopt */
++#endif	/* _SOLARIS_ */
+ 	int client_fd, fc, on;
+-
++	/*
++	 * We experienced big problems when event_add() was called
++	 * before accepting the incoming connection - for some reason,
++	 * a new event was fired immediately and ftp-proxy was hanged
++	 * trying to accept another client that was not there yet.
++	 * Moving event_add() call a few lines below resolved this
++	 * problem.
++	 */
++#ifndef _SOLARIS_
+ 	event_add(&listen_ev, NULL);
++#endif	/* !_SOLARIS_ */
+ 
+-	if ((event & EV_TIMEOUT))
++	if ((event & EV_TIMEOUT)) {
++#ifdef _SOLARIS_
++		event_add(&listen_ev, NULL);
++#endif	/* _SOLARIS_ */
+ 		/* accept() is no longer paused. */
+ 		return;
++	}
+ 
+ 	/*
+ 	 * We _must_ accept the connection, otherwise libevent will keep
[email protected]@ -393,6 +500,9 @@
+ 	client_sa = sstosa(&tmp_ss);
+ 	len = sizeof(struct sockaddr_storage);
+ 	if ((client_fd = accept(listen_fd, client_sa, &len)) < 0) {
++#ifdef _SOLARIS_
++		event_add(&listen_ev, NULL);
++#endif	/* _SOLARIS_ */
+ 		logmsg(LOG_CRIT, "accept() failed: %s", strerror(errno));
+ 
+ 		/*
[email protected]@ -410,6 +520,16 @@
+ 		return;
+ 	}
+ 
++#ifdef _SOLARIS_
++	event_add(&listen_ev, NULL);
++
++	/*
++	 * Struct sockaddr does not contain sa_len field on Solaris,
++	 * we use client_sa_len instead.
++	 */
++	client_sa_len = len;
++#endif	/* _SOLARIS_ */
++
+ 	/* Refuse connection if the maximum is reached. */
+ 	if (session_count >= max_sessions) {
+ 		logmsg(LOG_ERR, "client limit (%d) reached, refusing "
[email protected]@ -426,8 +546,11 @@
+ 		return;
+ 	}
+ 	s->client_fd = client_fd;
++#ifdef _SOLARIS_
++	memcpy(sstosa(&s->client_ss), client_sa, client_sa_len);
++#else /* !_SOLARIS_ */
+ 	memcpy(sstosa(&s->client_ss), client_sa, client_sa->sa_len);
+-
++#endif	/* _SOLARIS_ */
+ 	/* Cast it once, and be done with it. */
+ 	client_sa = sstosa(&s->client_ss);
+ 	server_sa = sstosa(&s->server_ss);
[email protected]@ -447,6 +570,17 @@
+ 		    strerror(errno));
+ 		goto fail;
+ 	}
++#ifdef _SOLARIS_
++	/*
++	 * Struct sockaddr does not contain sa_len field on Solaris,
++	 * we use server_sa_len instead.
++	 */
++	server_sa_len = len;
++#endif	/* _SOLARIS_ */
++/* SO_RTABLE not defined on Solaris */
++#ifdef _SOLARIS_
++	s->client_rd = 0;
++#else /* !_SOLARIS_ */
+ 	len = sizeof(s->client_rd);
+ 	if (getsockopt(s->client_fd, SOL_SOCKET, SO_RTABLE, &s->client_rd,
+ 	    &len) && errno != ENOPROTOOPT) {
[email protected]@ -454,10 +588,18 @@
+ 		    strerror(errno));
+ 		goto fail;
+ 	}
++#endif	/* _SOLARIS_ */
+ 	if (fixed_server) {
++#ifdef _SOLARIS_
++		memcpy(sstosa(&s->orig_server_ss), server_sa,
++		    server_sa_len);
++		memcpy(server_sa, fixed_server_sa, fixed_server_ss_len);
++		server_sa_len = fixed_server_ss_len; /* update the length */
++#else /* !_SOLARIS_ */
+ 		memcpy(sstosa(&s->orig_server_ss), server_sa,
+ 		    server_sa->sa_len);
+ 		memcpy(server_sa, fixed_server_sa, fixed_server_sa->sa_len);
++#endif	/* _SOLARIS_ */
+ 	}
+ 
+ 	/* XXX: check we are not connecting to ourself. */
[email protected]@ -471,8 +613,14 @@
+ 		    strerror(errno));
+ 		goto fail;
+ 	}
++#ifdef	_SOLARIS_
+ 	if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
+-	    fixed_proxy_ss.ss_len) != 0) {
++	    fixed_proxy_ss_len) != 0)
++#else /* !_SOLARIS_ */
++	if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
++	    fixed_proxy_ss.ss_len) != 0)
++#endif	/* _SOLARIS_ */
++	{
+ 		logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s",
+ 		    s->id, strerror(errno));
+ 		goto fail;
[email protected]@ -485,8 +633,14 @@
+ 		    s->id, strerror(errno));
+ 		goto fail;
+ 	}
++#ifdef _SOLARIS_
++	if (connect(s->server_fd, server_sa, server_sa_len) < 0 &&
++	    errno != EINPROGRESS)
++#else /* !_SOLARIS_ */
+ 	if (connect(s->server_fd, server_sa, server_sa->sa_len) < 0 &&
+-	    errno != EINPROGRESS) {
++	    errno != EINPROGRESS)
++#endif	/* _SOLARIS_ */
++	{
+ 		logmsg(LOG_CRIT, "#%d proxy cannot connect to server %s: %s",
+ 		    s->id, sock_ntop(server_sa), strerror(errno));
+ 		goto fail;
[email protected]@ -592,6 +746,9 @@
+ 		/* syslog does its own vissing. */
+ 		vsyslog(pri, message, ap);
+ 	else {
++#ifdef _SOLARIS_
++		vsyslog(pri, message, ap);
++#else /* !_SOLARIS_ */
+ 		char buf[MAX_LOGLINE];
+ 		char visbuf[2 * MAX_LOGLINE];
+ 
[email protected]@ -599,6 +756,7 @@
+ 		vsnprintf(buf, sizeof buf, message, ap);
+ 		strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL);
+ 		fprintf(stderr, "%s\n", visbuf);
++#endif	/* _SOLARIS_ */
+ 	}
+ 
+ 	va_end(ap);
[email protected]@ -636,9 +794,11 @@
+ 
+ 	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
+ 		switch (ch) {
++#ifndef	_SOLARIS_
+ 		case '6':
+ 			ipv6_mode = 1;
+ 			break;
++#endif	/* !_SOLARIS_ */
+ 		case 'A':
+ 			anonymous_only = 1;
+ 			break;
[email protected]@ -668,11 +828,13 @@
+ 		case 'p':
+ 			listen_port = optarg;
+ 			break;
++#ifndef	_SOLARIS_
+ 		case 'q':
+ 			if (strlen(optarg) >= PF_QNAME_SIZE)
+ 				errx(1, "queuename too long");
+ 			qname = optarg;
+ 			break;
++#endif	/* !_SOLARIS_ */
+ 		case 'R':
+ 			fixed_server = optarg;
+ 			break;
[email protected]@ -718,9 +880,16 @@
+ 		hints.ai_socktype = SOCK_STREAM;
+ 		error = getaddrinfo(fixed_proxy, NULL, &hints, &res);
+ 		if (error)
+-			errx(1, "getaddrinfo fixed proxy address failed: %s",
++			errx(1, "getaddrinfo fixed proxy address (%s) failed: %s", fixed_proxy,
+ 			    gai_strerror(error));
+ 		memcpy(&fixed_proxy_ss, res->ai_addr, res->ai_addrlen);
++#ifdef _SOLARIS_
++		/*
++		 * struct sockaddr_storage does not have the member
++		 * ss_len on Solaris, thus we use a global variable.
++		 */
++		fixed_proxy_ss_len = res->ai_addrlen;
++#endif	/* _SOLARIS_ */
+ 		logmsg(LOG_INFO, "using %s to connect to servers",
+ 		    sock_ntop(sstosa(&fixed_proxy_ss)));
+ 		freeaddrinfo(res);
[email protected]@ -736,6 +905,13 @@
+ 			errx(1, "getaddrinfo fixed server address failed: %s",
+ 			    gai_strerror(error));
+ 		memcpy(&fixed_server_ss, res->ai_addr, res->ai_addrlen);
++#ifdef _SOLARIS_
++		/*
++		 * struct sockaddr_storage does not have the member
++		 * ss_len on Solaris, thus we use a global variable.
++		 */
++		fixed_server_ss_len = res->ai_addrlen;
++#endif	/* _SOLARIS_ */
+ 		logmsg(LOG_INFO, "using fixed server %s",
+ 		    sock_ntop(sstosa(&fixed_server_ss)));
+ 		freeaddrinfo(res);
[email protected]@ -752,6 +928,11 @@
+ 		    gai_strerror(error));
+ 	if ((listenfd = socket(res->ai_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
+ 		errx(1, "socket failed");
++#ifdef _SOLARIS_
++	if (setsockopt(listenfd, SOL_FILTER, FIL_ATTACH, DIVERT_MODULE_NAME,
++	    (strlen(DIVERT_MODULE_NAME)+1)) != 0)
++		err(1, "setsockopt failed - unable to attach filter");
++#endif /* _SOLARIS_ */
+ 	on = 1;
+ 	if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+ 	    sizeof on) != 0)
[email protected]@ -782,7 +963,11 @@
+ 	event_init();
+ 
+ 	/* Setup signal handler. */
++#ifdef	_SOLARIS_
++	sigset(SIGPIPE, SIG_IGN);
++#else /* !_SOLARIS_ */
+ 	signal(SIGPIPE, SIG_IGN);
++#endif	/* _SOLARIS_ */
+ 	signal_set(&ev_sighup, SIGHUP, handle_signal, NULL);
+ 	signal_set(&ev_sigint, SIGINT, handle_signal, NULL);
+ 	signal_set(&ev_sigterm, SIGTERM, handle_signal, NULL);
[email protected]@ -857,12 +1042,25 @@
+ 	return (0);
+ }
+ 
++/*
++ * On Solaris, fake_arc4random_uniform() can fail. We return UINT16_MAX
++ * on error.
++ */
+ u_int16_t
+ pick_proxy_port(void)
+ {
++#ifdef _SOLARIS_
++	u_int32_t shift;
++
++	shift = fake_arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO);
++	if (shift == UINT32_MAX)
++		return UINT16_MAX;
++	return (IPPORT_HIFIRSTAUTO + shift);
++#else /* !_SOLARIS_ */
+ 	/* Random should be good enough for avoiding port collisions. */
+ 	return (IPPORT_HIFIRSTAUTO +
+ 	    arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO));
++#endif /* _SOLARIS_ */
+ }
+ 
+ void
[email protected]@ -985,6 +1183,12 @@
+ 			return (0);
+ 		}
+ 		s->proxy_port = pick_proxy_port();
++#ifdef _SOLARIS_
++		if (s->proxy_port == UINT16_MAX) {
++			logmsg(LOG_CRIT, "pick_proxy_port() failed");
++			return (0);
++		}
++#endif /* _SOLARIS_ */
+ 		logmsg(LOG_INFO, "#%d passive: client to server port %d"
+ 		    " via port %d", s->id, s->port, s->proxy_port);
+ 
[email protected]@ -1126,6 +1330,6 @@
+ 	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
+ 	    " [-D level] [-m maxsessions]\n                 [-P port]"
+ 	    " [-p port] [-q queue] [-R address] [-T tag]\n"
+-            "                 [-t timeout]\n", __progname);
++	    "                 [-t timeout]\n", __progname);
+ 	exit(1);
+ }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ftp-proxy/patches/002-smf.patch	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,1582 @@
+# This patch comes from Oracle. It turns the component into
+# a well-behaving SMF service. It adds code manipulating service
+# properties, service instances, and also provides security in
+# cooperation with the service manifest (especially, extra
+# privileges are dropped when not needed).
+#
+# This patch is not going to upstream, the changes are Solaris-specific.
+
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/Makefile
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile	2016-02-10 04:21:21.337202150 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/Makefile	2016-02-10 04:59:25.999134460 -0800
[email protected]@ -3,7 +3,7 @@
+ CFLAGS+= -m64 -errwarn
+ 
+ PROG=	ftp-proxy
+-SRCS=	ftp-proxy.c filter.c
++SRCS=	ftp-proxy.c filter.c smf-config.c
+ OBJS=$(SRCS:.c=.o)
+ MAN=	ftp-proxy.8
+ 
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.c
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c	2016-02-10 04:24:03.599069704 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.c	2016-02-02 03:05:13.156044052 -0800
[email protected]@ -53,6 +53,10 @@
+ static int dev, rule_log;
+ static char *qname, *tagname;
+ 
++#ifdef _SOLARIS_
++char *FTP_PROXY_ANCHOR;
++#endif /* _SOLARIS_ */
++
+ int
+ add_addr(struct sockaddr *addr, struct pf_pool *pfp)
+ {
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.h ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.h
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.h	2016-02-10 04:25:34.896131457 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.h	2016-02-08 23:45:38.805421033 -0800
[email protected]@ -16,7 +16,11 @@
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#ifdef _SOLARIS_
++extern char* FTP_PROXY_ANCHOR;
++#else /* !_SOLARIS_ */
+ #define	FTP_PROXY_ANCHOR "ftp-proxy"
++#endif /* _SOLARIS_ */
+ 
+ int add_nat(u_int32_t, struct sockaddr *, int, struct sockaddr *, u_int16_t,
+     struct sockaddr *, u_int16_t, u_int16_t);
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8 ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.8
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8	2016-02-24 06:31:17.792565815 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.8	2016-03-14 08:05:39.671773194 -0700
[email protected]@ -23,7 +23,7 @@
+ .Sh SYNOPSIS
+ .Nm
+ .Bk -words
+-.Op Fl 6Adrv
++.Op Fl A Cm on | off
+ .Op Fl a Ar address
+ .Op Fl b Ar address
+ .Op Fl D Ar level
[email protected]@ -31,8 +31,10 @@
+ .Op Fl P Ar port
+ .Op Fl p Ar port
+ .Op Fl R Ar address
++.Op Fl r Cm on | off
+ .Op Fl T Ar tag
+ .Op Fl t Ar timeout
++.Op Fl v Cm all | on | off
+ .Ek
+ .Sh DESCRIPTION
+ .Nm
[email protected]@ -83,6 +85,9 @@
+ .It Fl A
+ Only permit anonymous FTP connections.
+ Either user "ftp" or user "anonymous" is allowed.
++Solaris Note: you need to specify
++.Cm on | off
++to enable/disable anonymous-only mode.
+ .It Fl a Ar address
+ The proxy will use this as the source address for the control
+ connection to a server.
[email protected]@ -93,9 +98,6 @@
+ Debug level, ranging from 0 to 7.
+ Higher is more verbose.
+ The default is 5.
+-.It Fl d
+-Do not daemonize.
+-The process will stay in the foreground, logging to standard error.
+ .It Fl m Ar maxsessions
+ Maximum number of concurrent FTP sessions.
+ When the proxy reaches this limit, new connections are denied.
[email protected]@ -118,6 +120,9 @@
+ .It Fl r
+ Rewrite sourceport to 20 in active mode to suit ancient clients that insist
+ on this RFC property.
++Solaris Note: you need to specify
++.Cm on | off
++to enable/disable RFC compliant mode.
+ .It Fl T Ar tag
+ The filter rules will add tag
+ .Ar tag
[email protected]@ -147,6 +152,20 @@
+ .Sq log all
+ flag.
+ The pf rules do not log by default.
++Solaris Note: the option is tri-state.
++You need to specify one of the values below:
++.Bl -tag -width "all" -offset 3n -compact
++.It off
++nothing is logged
++.It on
++log only packets, which create state for data session (equivalent to
++.Fl v
++on OpenBSD)
++.It all
++log all packets, which belong to data session (equivalent to
++.Fl vv
++on OpenBSD)
++.El
+ .El
+ .Sh CONFIGURATION
+ To make use of the proxy,
[email protected]@ -156,10 +175,18 @@
+ last rule explicitly allowing FTP sessions from the proxy may not be
+ necessary.
+ .Bd -literal -offset 2n
+-anchor "ftp-proxy/*"
++anchor "_auto/network:firewall:ftp-proxy:YOUR_INSTANCE_NAME/*"
+ pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+ pass out inet proto tcp from (self) to any port ftp
+ .Ed
++.Sh SOLARIS
++.Nm
++must be started as an
++.Xr smf 5
++service:
++.Bd -literal -offset indent
++svc:/network/firewall/ftp-proxy
++.Ed
+ .Pp
+ To run
+ .Nm
[email protected]@ -168,8 +195,157 @@
+ svc:/network/socket-filter:pf_divert
+ .Ed
+ instance must be online in the global zone.
++.Pp
++The options described in DESCRIPTION section are set using smf properties.
++Properties processed by
++.Nm
++enable
++.Xr smf_method 5
++in order to configure the
++.Nm
++daemon are listed below.
++.Bl -tag -width "ftp-proxy/always-use-ftp-data-port" -offset 3n -compact
++.It ftp-proxy/anonymous-only
++If set to
++.Cm on
++the proxy is started with the
++.Fl A
++option, which allows anonymous FTP logins only.
++The value
++.Cm off
++is used as default.
++.It ftp-proxy/proxy-NAT-address
++This property sets the
++.Fl a
++option, the source IP address the proxy uses
++to connect to a server.
++.It ftp-proxy/proxy-listen-address
++This property sets the
++.Fl b
++option, which is the address, where the proxy accepts a connection from
++a client.
++.It ftp-proxy/proxy-listen-port
++This property sets the
++.Fl p
++option which is the port number, where the proxy accepts
++a connection from a client.
++.It ftp-proxy/debug-level
++This property sets the
++.Fl D
++option, which is a debug level (0-7).
++If not set, the default value 5 is used.
++.It ftp-proxy/max-sessions
++This property sets the
++.Fl m
++option, which is the maximum of concurrent FTP sessions served by
++the proxy.
++The valid range is from 1 to 500.
++If not specified the value 100 is used by default.
++.It ftp-proxy/reverse-mode-address
++This property sets the
++.Fl R
++option.
++It is the fixed server address, which is typically used to access
++a FTP server behind NAT.
++.It ftp-proxy/reverse-mode-port
++This property sets the
++.Fl P
++option, which is the port number used by a FTP server behind NAT.
++The default value is 21.
++.It ftp-proxy/always-use-ftp-data-port
++This property sets the
++.Fl r
++option, the value 
++.Cm off
++is used as default.
++If set to
++.Cm on
++the proxy will always use port 20 for active data connections.
++.It ftp-proxy/tag
++This property sets the
++.Fl T
++option, which tags data connection packets with the desired tag.
++.It ftp-proxy/timeout
++This property sets the
++.Fl t
++option, which specifies the number of seconds a FTP command session
++may remain idle.
++The maximum value is 86400 seconds (1 day).
++.It ftp-proxy/log
++This property sets the
++.Fl v
++option.
++There are three possible values.
++For
++.Cm off ,
++no log action will be added to FTP data connection rules created
++by the proxy.
++The value
++.Cm on
++adds the log action.
++Specifying the value
++.Cm all
++adds the
++.Sq log all
++action.
++.El
++.Pp
++.Nm
++on Solaris comes with two extra options, which make service configuration easier.
++.Bl -tag -offset 3n -compact
++.It Fl c Ar smf-instance
++Shows/changes settings kept in
++.Xr smf 5
++repository for the specified
++.Ar smf-instance
++of the
++.Nm
++service.
++.It Fl C Ar smf-instance
++Creates a new instance of the
++.Nm
++service and uses
++.Ar smf-instance
++for its name.
++.El
++.Pp
++To tell proxy service to bind the listen socket to 192.168.1.2 address,
++one has to use the command below:
++.Bd -literal -offset indent
++ftp-proxy -c default -b 192.168.1.2
++.Ed
++.Pp 
++To create anonymous-only proxy listening to port 8821, bound to
++192.168.1.2, one uses the command as follows:
++.Bd -literal -offset indent
++ftp-proxy -C anonymous -b 192.168.1.2 -p 8821 -A on
++.Ed
++.Pp
++To switch the anonymous instance created above to the regular mode (disable
++anonymous-only), one uses the command like this:
++.Bd -literal -offset indent
++ftp-proxy -c anonymous -A off
++.Ed
++.Pp
++To display the anonymous instance configuration use the command as follows:
++.Bd -literal -offset indent
++ftp-proxy -c anonymous
++.Ed
++To manage the service, you need the
++.Sy solaris.smf.manage.network.firewall
++authorization.
++To configure service instances, you need the
++.Sy solaris.smf.value.network.firewall
++authorization.
++Both these authorizations are granted through the Network Firewall Management
++profile.
++To create new service instances, you need the
++.Sy solaris.smf.modify
++authorization.
+ .Sh SEE ALSO
+-.Xr pf.conf 5
++.Xr pf.conf 5 ,
++.Xr smf 5 ,
++.Xr svccfg (1M)
+ .Sh CAVEATS
+ .Pp
+ Negotiated data connection ports below 1024 are not allowed.
[email protected]@ -177,3 +353,8 @@
+ The negotiated IP address for active modes is ignored for security
+ reasons.
+ This makes third party file transfers impossible.
++.Pp
++.Nm
++runs as the
++.Dq daemon
++user.
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.c
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c	2016-02-10 04:12:16.600723376 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.c	2016-02-24 06:58:52.001603474 -0800
[email protected]@ -46,6 +46,7 @@
+ #include <sys/random.h>
+ #include <inttypes.h>
+ #include <priv.h>
++#include "smf-config.h"
+ #endif	/* _SOLARIS_ */
+ #include <syslog.h>
+ #include <unistd.h>
[email protected]@ -62,8 +63,10 @@
+ #define NTOP_BUFS	3
+ #define TCP_BACKLOG	10
+ 
++#ifndef _SOLARIS_
+ #define CHROOT_DIR	"/var/empty"
+ #define NOPRIV_USER	"proxy"
++#endif	/* !_SOLARIS_ */
+ 
+ /* pfctl standard NAT range. */
+ #define PF_NAT_PROXY_PORT_LOW	50001
[email protected]@ -97,6 +100,28 @@
+ #define	DIVERT_MODULE_NAME "pf_divertf"
+ #endif	/* _SOLARIS_ */
+ 
++#ifdef	_SOLARIS_
++#define	FTP_PROXY_GETOPTSTR	"A:a:b:D:dm:P:p:R:r:T:t:v:c:C:X:"
++#define	SET_CFGFLAG(_set_, _f_)	(_set_)	|= (_f_)
++#define	SKIP_CHK(_x_)	((_x_) == NULL)
++
++#define DROP_PRIV(priv)						\
++	do {							\
++		if (priv_set(PRIV_OFF, PRIV_PERMITTED, (priv),	\
++		    NULL) != 0) {				\
++			fprintf(stderr,				\
++			    "Unable to drop privileges.\n");	\
++			exit (-1);				\
++		}						\
++	} while (0)
++#else /* !_SOLARIS_ */
++#define	FTP_PROXY_GETOPTSTR	"6Aa:b:D:dm:P:p:q:R:rT:t:v"
++#define	SET_CFGFLAG(_set_, _f_)
++#define	SKIP_CHK(_x_)	(1)
++
++#define DROP_PRIV(priv)
++#endif	/* _SOLARIS_ */
++
+ enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
+ 
+ struct session {
[email protected]@ -127,7 +152,9 @@
+ int	client_parse_anon(struct session *s);
+ int	client_parse_cmd(struct session *s);
+ void	client_read(struct bufferevent *, void *);
++#ifndef _SOLARIS_
+ int	drop_privs(void);
++#endif /* !_SOLARIS_ */
+ void	end_session(struct session *);
+ void	exit_daemon(void);
+ int	get_line(char *, size_t *);
[email protected]@ -348,6 +375,7 @@
+ 	} while (read == buf_avail);
+ }
+ 
++#ifndef _SOLARIS_
+ int
+ drop_privs(void)
+ {
[email protected]@ -363,9 +391,9 @@
+ 	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
+ 	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
+ 		return (0);
+-
+ 	return (1);
+ }
++#endif /* !_SOLARIS_ */
+ 
+ void
+ end_session(struct session *s)
[email protected]@ -561,9 +589,6 @@
+ 	logmsg(LOG_DEBUG, "#%d accepted connection from %s", s->id,
+ 	    sock_ntop(client_sa));
+ 
+-	/*
+-	 * Find out the real server and port that the client wanted.
+-	 */
+ 	len = sizeof(struct sockaddr_storage);
+ 	if (getsockname(s->client_fd, server_sa, &len) < 0) {
+ 		logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
[email protected]@ -770,6 +795,13 @@
+ 	struct event ev_sighup, ev_sigint, ev_sigterm;
+ 	int ch, error, listenfd, on;
+ 	const char *errstr;
++#ifdef	_SOLARIS_
++	const char	*smf_instance = NULL;
++	int	smf_create = 0;
++	int	cfg_flags = 0;
++#endif	/* _SOLARIS_ */
++
++	DROP_PRIV(PRIV_PROC_EXEC);
+ 
+ 	/* Defaults. */
+ 	anonymous_only	= 0;
[email protected]@ -792,7 +824,8 @@
+ 	id_count	= 1;
+ 	session_count	= 0;
+ 
+-	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
++	while ((ch = getopt(argc, argv,
++	    FTP_PROXY_GETOPTSTR)) != -1) {
+ 		switch (ch) {
+ #ifndef	_SOLARIS_
+ 		case '6':
[email protected]@ -800,33 +833,49 @@
+ 			break;
+ #endif	/* !_SOLARIS_ */
+ 		case 'A':
++#ifdef	_SOLARIS_
++			if (strcasecmp(optarg, "off") == 0) {
++				anonymous_only = 0;
++			} else {
++				anonymous_only = 1;
++			}
++#else /* !_SOLARIS_ */
+ 			anonymous_only = 1;
++#endif	/* _SOLARIS_ */
++			SET_CFGFLAG(cfg_flags, SMF_CFG_ANON_SET);
+ 			break;
+ 		case 'a':
+ 			fixed_proxy = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_PROXY_SET);
+ 			break;
+ 		case 'b':
+ 			listen_ip = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_LISTEN_ADDR_SET);
+ 			break;
+ 		case 'D':
+ 			loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG,
+ 			    &errstr);
+ 			if (errstr)
+ 				errx(1, "loglevel %s", errstr);
++			SET_CFGFLAG(cfg_flags, SMF_CFG_DEBUG_LEVEL_SET);
+ 			break;
+ 		case 'd':
+ 			daemonize = 0;
++			DROP_PRIV(PRIV_PROC_FORK);
+ 			break;
+ 		case 'm':
+ 			max_sessions = strtonum(optarg, 1, 500, &errstr);
+ 			if (errstr)
+ 				errx(1, "max sessions %s", errstr);
++			SET_CFGFLAG(cfg_flags, SMF_CFG_MAX_SESSION_SET);
+ 			break;
+ 		case 'P':
+ 			fixed_server_port = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_SERVER_PORT_SET);
+ 			break;
+ 		case 'p':
+ 			listen_port = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_LISTEN_PORT_SET);
+ 			break;
+ #ifndef	_SOLARIS_
+ 		case 'q':
[email protected]@ -837,40 +886,83 @@
+ #endif	/* !_SOLARIS_ */
+ 		case 'R':
+ 			fixed_server = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_SERVER_SET);
+ 			break;
+ 		case 'r':
++#ifdef	_SOLARIS_
++			if (strcasecmp(optarg, "off") == 0) {
++				rfc_mode = 0;
++			} else {
++				rfc_mode = 1;
++			}
++			SET_CFGFLAG(cfg_flags, SMF_CFG_RFC_MODE_SET);
++#else /* !_SOLARIS_ */
+ 			rfc_mode = 1;
++#endif	/* _SOLARIS_ */
+ 			break;
+ 		case 'T':
+ 			if (strlen(optarg) >= PF_TAG_NAME_SIZE)
+ 				errx(1, "tagname too long");
+ 			tagname = optarg;
++			SET_CFGFLAG(cfg_flags, SMF_CFG_TAG_SET);
+ 			break;
+ 		case 't':
+ 			timeout = strtonum(optarg, 0, 86400, &errstr);
+ 			if (errstr)
+ 				errx(1, "timeout %s", errstr);
++			SET_CFGFLAG(cfg_flags, SMF_CFG_TIMEOUT_SET);
+ 			break;
+ 		case 'v':
++#ifdef	_SOLARIS_
++			if (strcasecmp(optarg, "all") == 0) {
++				verbose = 2;
++			} else if (strcasecmp(optarg, "on") == 0) {
++				verbose = 1;
++			} else {
++				verbose = 0;
++			}
++			SET_CFGFLAG(cfg_flags, SMF_CFG_LOG_SET);
++#else /* !_SOLARIS_ */
+ 			verbose++;
+ 			if (verbose > 2)
+ 				usage();
++#endif /* _SOLARIS_ */
++			break;
++#ifdef	_SOLARIS_
++		case 'C':
++			smf_create = 1;
++			/* FALLTHRU */
++		case 'c':
++			smf_instance = optarg;
++			break;
++		case 'X':
++			FTP_PROXY_ANCHOR = optarg;
+ 			break;
++#endif	/* _SOLARIS_ */
+ 		default:
+ 			usage();
+ 		}
+ 	}
+ 
++#ifdef _SOLARIS_
++	if ((FTP_PROXY_ANCHOR == NULL) && (smf_instance == NULL)) {
++		fprintf(stderr, "The ftp-proxy can be started only via SMF.\n");
++		exit (-1);
++	}
++#endif /* _SOLARIS_ */
++
+ 	if (listen_ip == NULL)
+ 		listen_ip = ipv6_mode ? "::1" : "127.0.0.1";
+ 
++#ifndef	_SOLARIS_
+ 	/* Check for root to save the user from cryptic failure messages. */
+ 	if (getuid() != 0)
+ 		errx(1, "needs to start as root");
++#endif	/* !_SOLARIS_ */
+ 
+ 	/* Raise max. open files limit to satisfy max. sessions. */
+ 	rlp.rlim_cur = rlp.rlim_max = (2 * max_sessions) + 10;
+-	if (setrlimit(RLIMIT_NOFILE, &rlp) == -1)
++	if (SKIP_CHK(smf_instance) && (setrlimit(RLIMIT_NOFILE, &rlp) == -1))
+ 		err(1, "setrlimit");
+ 
+ 	if (fixed_proxy) {
[email protected]@ -895,7 +987,12 @@
+ 		freeaddrinfo(res);
+ 	}
+ 
++#ifdef _SOLARIS_
++	/* Steps not needed when we are just working with SMF. */
++	if (fixed_server && (smf_instance == NULL)) {
++#else /* !_SOLARIS_ */
+ 	if (fixed_server) {
++#endif /* _SOLARIS_ */
+ 		memset(&hints, 0, sizeof hints);
+ 		hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
+ 		hints.ai_socktype = SOCK_STREAM;
[email protected]@ -917,6 +1014,61 @@
+ 		freeaddrinfo(res);
+ 	}
+ 
++#ifdef	_SOLARIS_
++	if (smf_instance != NULL) {
++		/*
++		 * If we are creating new instance, we will use default
++		 * values for properties.
++		 */
++		if (smf_create == 1) {
++			cfg_flags = -1;
++		}
++
++		if (cfg_flags == 0) {
++			if (smf_print_ftpcfg(smf_instance) != 0) {
++				exit (-1);
++			}
++			exit(0);
++		} else {
++			smf_ftp_cfg.cfg_set = cfg_flags;
++			smf_ftp_cfg.cfg_anonymous_only = anonymous_only;
++			smf_ftp_cfg.cfg_listen_addr = SMF_COPY_STR(listen_ip);
++			smf_ftp_cfg.cfg_listen_port = strtonum(listen_port, 1,
++			    65535, NULL);
++			if (smf_ftp_cfg.cfg_listen_port == 0) {
++				fprintf(stderr,
++				    "Invalid listen port specified.\n");
++				exit (-1);
++			}
++			smf_ftp_cfg.cfg_debug_level = loglevel;
++			smf_ftp_cfg.cfg_max_sessions = max_sessions;
++			smf_ftp_cfg.cfg_fixed_server =
++			    SMF_COPY_STR(fixed_server);
++			smf_ftp_cfg.cfg_fixed_server_port = strtonum(
++			    fixed_server_port, 1, 65535, NULL);
++			if (smf_ftp_cfg.cfg_fixed_server_port == 0) {
++				fprintf(stderr,
++				    "Invalid fixed server port specified.\n");
++				exit (-1);
++			}
++			smf_ftp_cfg.cfg_rfc_mode = rfc_mode;
++			smf_ftp_cfg.cfg_tag = SMF_COPY_STR(tagname);
++			smf_ftp_cfg.cfg_timeout = timeout;
++			smf_ftp_cfg.cfg_log = verbose;
++			smf_ftp_cfg.cfg_fixed_proxy = SMF_COPY_STR(fixed_proxy);
++			if (smf_write_ftpcfg(smf_instance, smf_create) == -1) {
++				err(1, "...Giving up");
++			} else {
++				printf("configuration for\n\t%s (%s:%s)\nhas been saved\n",
++				    smf_instance,
++				    BASE_FMRI,
++				    smf_instance);
++			}
++			exit(0);
++		}
++	}
++#endif	/* _SOLARIS_ */
++
+ 	/* Setup listener. */
+ 	memset(&hints, 0, sizeof hints);
+ 	hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
[email protected]@ -946,19 +1098,21 @@
+ 
+ 	/* Initialize pf. */
+ 	init_filter(qname, tagname, verbose);
+-
+ 	if (daemonize) {
+ 		if (daemon(0, 0) == -1)
+ 			err(1, "cannot daemonize");
++		DROP_PRIV(PRIV_PROC_FORK);
+ 		openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON);
+ 	}
+ 
+ 	/* Use logmsg for output from here on. */
+ 
++#ifndef _SOLARIS_
+ 	if (!drop_privs()) {
+ 		logmsg(LOG_ERR, "cannot drop privileges: %s", strerror(errno));
+ 		exit(1);
+ 	}
++#endif /* !_SOLARIS_ */
+ 	
+ 	event_init();
+ 
[email protected]@ -1327,9 +1481,16 @@
+ void
+ usage(void)
+ {
++#ifdef _SOLARIS_
++	fprintf(stderr, "usage: %s [-A on | off] [-a address] [-b address]"
++	    " [{-c | -C} instance] [-D level] [-m maxsessions]\n                 [-P port]"
++	    " [-p port] [-R address] [-r on | off] [-T tag]\n"
++            "                 [-t timeout] [-v all | on | off]\n", __progname);
++#else /* !_SOLARIS_ */
+ 	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
+ 	    " [-D level] [-m maxsessions]\n                 [-P port]"
+ 	    " [-p port] [-q queue] [-R address] [-T tag]\n"
+ 	    "                 [-t timeout]\n", __progname);
++#endif /* _SOLARIS_ */
+ 	exit(1);
+ }
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.c
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c	1969-12-31 16:00:00.000000000 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.c	2016-02-24 08:45:36.636917450 -0800
[email protected]@ -0,0 +1,822 @@
++/*
++ * CDDL HEADER START
++ *
++ * The contents of this file are subject to the terms of the
++ * Common Development and Distribution License (the "License").
++ * You may not use this file except in compliance with the License.
++ *
++ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++ * or http://www.opensolaris.org/os/licensing.
++ * See the License for the specific language governing permissions
++ * and limitations under the License.
++ *
++ * When distributing Covered Code, include this CDDL HEADER in each
++ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++ * If applicable, add the following below this CDDL HEADER, with the
++ * fields enclosed by brackets "[]" replaced with your own identifying
++ * information: Portions Copyright [yyyy] [name of copyright owner]
++ *
++ * CDDL HEADER END
++ *
++ */
++
++/*
++ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#include <string.h>
++#include <strings.h>
++#include <stdlib.h>
++#include <err.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <libscf.h>
++#include <stddef.h>
++#include <libscf_priv.h>
++
++#include "smf-config.h"
++
++/* #include <net/pfvar.h> */
++
++#define	FTP_PROXY_PG	"ftp-proxy"
++#define FTP_PROXY_PROP_VALUE_AUTH	"value_authorization"
++#define FTP_PROXY_PROP_ACTION_AUTH	"action_authorization"
++#define FTP_PROXY_VALUE_AUTH	"solaris.smf.value.network.firewall"
++#define FTP_PROXY_MANAGE_AUTH	"solaris.smf.manage.network.firewall"
++
++/*
++ * CHKASCIIZ()
++ * Macro checks if _s_ is ASCIIZ (not NULL, not empty), if _s_ is not empty
++ * string, then _p_ is returned.
++ *
++ * Arguments:
++ *	_s_	- ASCIIZ string to be tested
++ *	_p_	- string to be returned when _s_ is not NULL or empty
++ *
++ * Returns:
++ *	_p_ if _s_ is not NULL/empty, otherwise the empty string is returned.
++ */
++#define	CHKASCIIZ(_s_, _p_)	\
++	((((_s_) == NULL) || (_s_[0] == '\0')) ? "" : (_p_))
++
++#define	SKIP_PROP(_pv_)		\
++	((strcmp((_pv_)->pv_prop, "action_authorization") == 0) || \
++	(strcmp((_pv_)->pv_prop, "value_authorization") == 0))
++
++#define	STRIP_SVC(_x_)	((_x_) + (sizeof ("svc:/") - 1))
++
++/*
++ * smf_ftp_cfg
++ * FTP proxy configuration container.
++ */
++smf_ftppx_cfg_t	smf_ftp_cfg;
++
++#define	SMF_OPT_OPTIONAL	0
++#define	SMF_OPT_MANDATORY	1
++/*
++ * X-macro table.
++ * Columns are as follows:
++ * 	value key/index 
++ *	smf(5) property name name
++ *	member in smf_ftppx_cfg_t structure
++ *	function which converts ASCIIZ to member type in smf_ftppx_cfg_t
++ *	function which converts member in smf_ftppx_cfg_t to ASCIIZ
++ *	optional/mandatory status
++ *	property type
++ */
++#define	X_CFG_PROPS	\
++	X(SMF_ANON, "anonymous-only", cfg_anonymous_only, on_to_one,	\
++	    one_to_on, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)		\
++	X(SMF_FIXED_PROXY, "proxy-NAT-address",	cfg_fixed_proxy,	\
++	    nop_in, nop_out, SMF_OPT_MANDATORY, SCF_TYPE_ASTRING)	\
++	X(SMF_LISTEN_ADDR, "proxy-listen-address", cfg_listen_addr,	\
++	    nop_in, nop_out, SMF_OPT_MANDATORY, SCF_TYPE_ASTRING)	\
++	X(SMF_LISTEN_PORT, "listen-port",	cfg_listen_port,	\
++	    int_in, int_out, SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER)	\
++	X(SMF_DEBUG_LEVEL, "debug-level", cfg_debug_level, int_in,	\
++	    int_out, SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER)		\
++	X(SMF_MAX_SESSIONS, "maxsessions", cfg_max_sessions,		\
++	    int_in, int_out, SMF_OPT_OPTIONAL,				\
++	    SCF_TYPE_INTEGER)						\
++	X(SMF_RFC_MODE, "always-use-ftp-data-port", cfg_rfc_mode,	\
++	    on_to_one, one_to_on, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)	\
++	X(SMF_FIXED_SERVER_PORT, "reverse-mode-port", 			\
++	    cfg_fixed_server_port, int_in, int_out, SMF_OPT_OPTIONAL,	\
++	    SCF_TYPE_INTEGER)						\
++	X(SMF_FIXED_SERVER, "reverse-mode-address", cfg_fixed_server,	\
++	    nop_in, nop_out, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)	\
++	X(SMF_TAG, "tag", cfg_tag, nop_in, nop_out, SMF_OPT_OPTIONAL,	\
++	    SCF_TYPE_ASTRING)						\
++	X(SMF_TIMEOUT, "timeout", cfg_timeout, int_in, int_out,		\
++	    SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER)				\
++	X(SMF_LOG, "log", cfg_log, log_to_int, int_to_log,		\
++	    SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)
++
++static void nop_in(void *, void *);
++static void nop_out(void *, void *);
++static void int_in(void *, void *);
++static void int_out(void *, void *);
++static void on_to_one(void *, void *);
++static void one_to_on(void *, void *);
++static void str_to_int(void *, void *);
++static void int_to_str(void *, void *);
++static void str_to_uint(void *, void *);
++static void uint_to_str(void *, void *);
++static void log_to_int(void *, void *);
++static void int_to_log(void *, void *);
++
++/*
++ * smf_keys
++ * Keys (indexes) to `smf_propnames` dictionary.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _const_,
++enum smf_keys {
++	X_CFG_PROPS
++	SMF_CFG_PROP_COUNT
++};
++#undef	X
++
++/*
++ * smf_propnames
++ * It's an array (dictionary), which translates property code (SMF_*) to
++ * property value name found `ftp-proxy` property group.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _propname_,
++static const char *smf_propnames[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_cfg_offsets
++ * Table of smf_ftppx_cfg_t members.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) offsetof(smf_ftppx_cfg_t, _decl_),
++static size_t smf_cfg_offsets[] = {
++	X_CFG_PROPS
++	sizeof (smf_ftppx_cfg_t)
++};
++#undef	X
++
++typedef void(*conv_in_f)(void *, void *);
++typedef void(*conv_out_f)(void *, void *);
++/*
++ * smf_convert_in
++ * Table of conversion functions, which convert particular smf_ftppx_cfg_t
++ * member into ASCIIZ.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _conv_in_,
++static conv_in_f smf_conv_in[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_conv_out
++ * Table of conversion functions, which convert ASCIIZ fetched from smf(5)
++ * repository to member of smf_ftppx_cfg_t structure.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _conv_out_,
++static conv_out_f smf_conv_out[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_mandatory
++ * Table marks configuration parameters, which must be defined by admin,
++ * before the service is enabled for the first time.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _mandatory_,
++static int smf_mandatory[] = {
++	X_CFG_PROPS
++	0
++};
++#undef	X
++
++/*
++ * smf_type
++ * Table of types of SMF properties.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _type_,
++static int smf_type[] = {
++	X_CFG_PROPS
++	0
++};
++#undef	X
++
++/*
++ * ftp-proxy property group properties
++ * +1 for NULL termination.
++ * +1 for value_authorization
++ */
++static scf_propvec_t	prop_vec[SMF_CFG_PROP_COUNT + 1 + 1];
++
++/*
++ * general property group properties
++ * +1 for NULL termination.
++ * +2 for value_authorization/action_authorization
++ */
++static scf_propvec_t	gen_prop_vec[1 + 2];
++
++static int atexit_set = 0;
++
++/*
++ * Conversion routines from smf_ftp_cfg structure to prop_vec member and vice
++ * versa.
++ */
++
++/*
++ * nop_in()
++ * Dummy conversion ASCIIZ to ASCIIZ, no allocation happens. Used when
++ * configuration is from smf(5).
++ */
++static void
++nop_in(void *asciiz, void *result)
++{
++	*((char **)result) = asciiz;
++}
++
++/*
++ * nop_out()
++ * Dummy conversion ASCIIZ to ASCIIZ, function allocates memory for result by
++ * strdup(3C). Used when configuration is written to smf(5) repository.
++ */
++static void
++nop_out(void *asciiz, void *val)
++{
++	*((char **)asciiz) = strdup(*(char **)val);
++}
++
++/*
++ * int_in()
++ * Dummy conversion of int64_t. No allocation happens. Used when reading
++ * values from smf.
++ */
++static void
++int_in(void *in, void *out) {
++	*((int64_t *)out) = *((int64_t *)in);
++}
++
++/*
++ * int_out()
++ * Dummy conversion of int64_t, storing into a newly allocated memory.
++ * Used when storing values to smf repository.
++ */
++static void
++int_out(void *out, void *in) {
++	int64_t **out_ = (int64_t **)out;
++
++	*out_ = malloc(sizeof (int64_t));
++	if (*out_ != NULL)
++		**out_ = *((int64_t *)in);
++}
++
++/*
++ * on_to_one()
++ * Function converts ASCIIZ value "on" to 1. Anything else yeilds a 0. Used to
++ * read configuration from smf(5).
++ */
++static void
++on_to_one(void *asciiz, void *result)
++{
++	*((int *)result) = ((strcasecmp((char *)asciiz, "on") == 0) ? 1 : 0);
++}
++
++/*
++ * one_to_on()
++ * Function converts 0 to ASCIIZ string "off", anything else than 0 yeilds to
++ * "on". Used when configuration ie being written to smf(5). Function also
++ * allocates memory for resulting string using strdup(3C).
++ */
++static void
++one_to_on(void *asciiz, void *val)
++{
++	if (*((int *)val) == 0) {
++		*((char **)asciiz) = strdup("off");
++	} else {
++		*((char **)asciiz) = strdup("on");
++	}
++}
++
++/*
++ * str_to_int()
++ * Function converts integer represented as ASCIIZ to int using atoi(3C).  Used
++ * when configuration is read from smf(5).
++ */
++static void
++str_to_int(void *asciiz, void *result)
++{
++	*((int *)result) = atoi((char *)asciiz);
++}
++
++/*
++ * int_to_str()
++ * Function converts integer number to ASCIIZ using asprintf(3C). Used when
++ * configuration is being stored to smf(5). Memory for results get allocated by
++ * asprintf(3C).
++ */
++static void
++int_to_str(void *asciiz, void *val)
++{
++	(void) asprintf((char **)asciiz, "%d", *((int *)val));
++}
++
++/*
++ * str_to_uint()
++ * Function converts unsigned integer represented as ASCIIZ to int using
++ * atoi(3C). Used when configuration is being read from smf(5) repository.
++ */
++static void
++str_to_uint(void *asciiz, void *result)
++{
++	*((unsigned int *)result) = (unsigned int) atoi((char *)asciiz);
++}
++
++/*
++ * uint_to_str()
++ * Function converts unsigned integer to ASCIIZ using asprintf(3C).  Used when
++ * configuration is written to smf(5). Memory for result is allocated by
++ * asprintf(3C).
++ */
++static void
++uint_to_str(void *asciiz, void *val)
++{
++	(void) asprintf((char **)asciiz, "%u", *((int *)val));
++}
++
++/*
++ * log_to_int()
++ * Function encodes ASCIIZ value for log property to numeric code.  String
++ * "all" gets converted to 2, string "on" to 1, anything else yeilds to 0.
++ * It's used when configuration is being read from smf(5) repository.
++ */
++static void
++log_to_int(void *asciiz, void *result)
++{
++	if (strcasecmp((char *)asciiz, "all") == 0) {
++		*((int *)result) = 2;
++	} else if (strcasecmp((char *)asciiz, "on") == 0) {
++		*((int *)result) = 1;
++	} else {
++		*((int *)result) = 0;
++	}
++}
++
++/*
++ * int_to_log()
++ * Function encodes value of log property to its numeric representation.  2
++ * gets encoded to "all", 1 results to "on", anything else results to off.
++ * The memory for result is allocated by strdup(3C).
++ */
++static void
++int_to_log(void *asciiz, void *val)
++{
++	switch (*((int *)val)) {
++	case	2:
++		*((char **)asciiz) = strdup("all");
++		break;
++	case	1:
++		*((char **)asciiz) = strdup("on");
++		break;
++	default:
++		*((char **)asciiz) = strdup("off");
++	}
++}
++
++static void
++clear_prop_vec2(scf_propvec_t *prop_vec_ptr, int count)
++{
++	while (count--) {
++		prop_vec_ptr->pv_prop = NULL;
++		prop_vec_ptr->pv_desc = NULL;
++		prop_vec_ptr->pv_type = 0;
++		prop_vec_ptr->pv_aux = 0;
++		prop_vec_ptr->pv_mval = 0;
++
++		if (prop_vec_ptr->pv_ptr != NULL) {
++			free(prop_vec_ptr->pv_ptr);
++			prop_vec_ptr->pv_ptr = NULL;
++		}
++
++		prop_vec_ptr++;
++	}
++}
++
++/*
++ * clear_prop_vec()
++ * Function clears global variables `prop_vec` and `gen_prop_vec`,
++ * which are vectors of properties.
++ */
++static void
++clear_prop_vec()
++{
++	clear_prop_vec2(prop_vec,
++	    sizeof (prop_vec) / sizeof (scf_propvec_t));
++	clear_prop_vec2(gen_prop_vec,
++	    sizeof (gen_prop_vec) / sizeof (scf_propvec_t));
++}
++
++/*
++ * cfg_to_prop_vec()
++ * Function converts smf_ftp_cfg global variable, which holds configuration
++ * parsed from command line arguments, to prop_vec, which is a smf(5) friendly
++ * representation of proxy configuration.
++ *
++ * Additionally, it populates gen_prop_vec to specify needed authorizations.
++ *
++ * Returns 0 on success, -1 on out of memory error.
++ */
++static int
++cfg_to_prop_vec(void)
++{
++	int		cfg_bit = 1;
++	int		i;
++	scf_propvec_t	*prop_vec_ptr = prop_vec;
++	conv_out_f	conv_func;
++
++	clear_prop_vec();
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		if ((smf_ftp_cfg.cfg_set & cfg_bit) != 0) {
++			prop_vec_ptr->pv_prop = smf_propnames[i];
++			conv_func = smf_conv_out[i];
++
++			conv_func(&prop_vec_ptr->pv_ptr,
++			    ((char *)&smf_ftp_cfg + smf_cfg_offsets[i]));
++			if (prop_vec_ptr->pv_ptr == NULL)
++				return (-1);
++			prop_vec_ptr->pv_type = smf_type[i];
++			prop_vec_ptr++;
++		}
++		cfg_bit = cfg_bit << 1;
++	}
++	prop_vec_ptr->pv_type = SCF_TYPE_ASTRING;
++	prop_vec_ptr->pv_prop = FTP_PROXY_PROP_VALUE_AUTH;
++	prop_vec_ptr->pv_ptr = strdup(FTP_PROXY_VALUE_AUTH);
++	prop_vec_ptr++;
++
++	gen_prop_vec[0].pv_type = SCF_TYPE_ASTRING;
++	gen_prop_vec[0].pv_prop = FTP_PROXY_PROP_VALUE_AUTH;
++	gen_prop_vec[0].pv_ptr = strdup(FTP_PROXY_MANAGE_AUTH);
++	gen_prop_vec[1].pv_type = SCF_TYPE_ASTRING;
++	gen_prop_vec[1].pv_prop = FTP_PROXY_PROP_ACTION_AUTH;
++	gen_prop_vec[1].pv_ptr = strdup(FTP_PROXY_MANAGE_AUTH);
++
++	return (0);
++}
++
++/*
++ * prop_vec_to_cfg()
++ * Converts global variable `prop_vec` to `smf_ftp_cfg` global variable,
++ * which is understood by main().
++ */
++static void
++prop_vec_to_cfg(void)
++{
++	int		i;
++	scf_propvec_t	*prop_vec_ptr = prop_vec;
++	conv_in_f	conv_func;
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++, prop_vec_ptr++) {
++		if (SKIP_PROP(prop_vec_ptr)) {
++			/*
++			 * We have `hidden` properties: action/value smf
++			 * authorization. Those two are not kept in
++			 * smf_ftp_cfg.
++			 *
++			 * So we must to skip to next property in vector
++			 * without letting for loop to advance its counter, so
++			 * we compensate here by doing `i--`.
++			 */
++			i--;
++			continue;
++		};
++		conv_func = smf_conv_in[i];
++		conv_func(prop_vec_ptr->pv_ptr,
++		    ((char *)&smf_ftp_cfg + smf_cfg_offsets[i]));
++	}
++}
++
++/*
++ * smf_print_ftpcfg()
++ * Function loads ftpcfg from smf(5) repository and prints configuration to
++ * standard output. We use `scf_simple_prop_get(3SCF)`.
++ *
++ * Returns 0 on success, -1 on error..
++ */
++int
++smf_print_ftpcfg(const char *smf_instance)
++{
++	scf_simple_prop_t	*prop;
++	int			i;
++	scf_propvec_t		*prop_vec_ptr = prop_vec;
++	int			cfg_incomplete = 0;
++	char			*fmri;
++
++	if (atexit_set == 0) {
++		atexit(clear_prop_vec);
++		bzero(&smf_ftp_cfg, sizeof (smf_ftppx_cfg_t));
++		atexit_set = 1;
++	}
++
++	(void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
++	if (fmri == NULL) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	clear_prop_vec();
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		prop = scf_simple_prop_get(NULL, fmri, FTP_PROXY_PG,
++		    smf_propnames[i]);
++		prop_vec_ptr->pv_prop = smf_propnames[i];
++		prop_vec_ptr->pv_type = scf_simple_prop_type(prop);
++		if (prop_vec_ptr->pv_type == -1) {
++			free(fmri);
++			fprintf(stderr, "Failed to get property type.\n");
++			return (-1);
++		}
++		if (prop_vec_ptr->pv_type != smf_type[i]) {
++			free(fmri);
++			fprintf(stderr, "Property %s has unexpected type.\n",
++			    smf_propnames[i]);
++			return (-1);
++		}
++		if (prop == NULL) {
++			/*
++			 * Property not defined, so we create a kind of
++			 * 'placeholder' with empty value.
++			 *
++			 * calloc() works well for both astring and integer.
++			 */
++			prop_vec_ptr->pv_ptr = calloc(1, sizeof (int64_t));
++			cfg_incomplete |= smf_mandatory[i];
++		} else {
++			if (smf_type[i] == SCF_TYPE_ASTRING) {
++				char	*propval;
++				propval = scf_simple_prop_next_astring(prop);
++				if (propval == NULL) {
++					propval = "";
++				}
++				prop_vec_ptr->pv_ptr = strdup(propval);
++
++				if (propval[0] == 0) {
++					cfg_incomplete |= smf_mandatory[i];
++				}
++			} else {
++				/* smf_type[i] == SCF_TYPE_INTEGER */
++				int64_t	*propval;
++				int64_t propval_;
++
++				propval = scf_simple_prop_next_integer(prop);
++				propval_ = (propval == NULL) ? (0) : (*propval);
++
++				prop_vec_ptr->pv_ptr = malloc(sizeof (int64_t));
++				if (prop_vec_ptr->pv_ptr != NULL) {
++					*((int64_t *)prop_vec_ptr->pv_ptr) =
++					    propval_;
++				}
++				if (propval_ == 0) {
++					cfg_incomplete |= smf_mandatory[i];
++				}
++			}
++			scf_simple_prop_free(prop);
++		}
++		if (prop_vec_ptr->pv_ptr == NULL) {
++			free(fmri);
++			fprintf(stderr, "Out of memory.\n");
++			return (-1);
++		}
++
++		prop_vec_ptr++;
++	}
++
++	printf("PF FTP proxy configuration:\n");
++
++	prop_vec_ptr = prop_vec;
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		if (smf_type[i] == SCF_TYPE_ASTRING) {
++			const char *val = (const char *)prop_vec_ptr->pv_ptr;
++			printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
++			    ((val[0] == '\0') ?  "?? undefined ??" : val));
++		} else {
++			/* smf_type[i] == SCF_TYPE_INTEGER */
++			int64_t val = *((int64_t *)prop_vec_ptr->pv_ptr);
++			if (val == 0) {
++				printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
++			    	    "?? undefined ??");
++			} else {
++				printf("\t- %s:\n\t\t%d\n", prop_vec_ptr->pv_prop,
++			    	    (int)val);
++			}
++		}
++		prop_vec_ptr++;
++	}
++	if (cfg_incomplete) {
++		printf("\n\nConfiguration for %s is incomplete."
++		    " Service will not run.\n\n", fmri);
++	} else {
++		prop_vec_to_cfg();
++		printf(
++		    "\n\n%s service is being launched using cmd line below\n\n",
++		    fmri);
++		printf("ftp-proxy "
++		    "%s -a %s -b %s -p "
++		    "%d -D %d -m %d -t %d %s %s %s %.d %s %s %s %s\n",
++		    ((smf_ftp_cfg.cfg_anonymous_only == 1) ? "-A on" : ""),
++		    smf_ftp_cfg.cfg_fixed_proxy,
++		    smf_ftp_cfg.cfg_listen_addr,
++		    (int)smf_ftp_cfg.cfg_listen_port,
++		    (int)smf_ftp_cfg.cfg_debug_level,
++		    (int)smf_ftp_cfg.cfg_max_sessions,
++		    (int)smf_ftp_cfg.cfg_timeout,
++		    CHKASCIIZ(smf_ftp_cfg.cfg_fixed_server, "-R"),
++		    CHKASCIIZ(smf_ftp_cfg.cfg_fixed_server,
++			smf_ftp_cfg.cfg_fixed_server),
++		    (smf_ftp_cfg.cfg_fixed_server_port == 0) ? ("") : ("-P"),
++		    (int)smf_ftp_cfg.cfg_fixed_server_port,
++		    ((smf_ftp_cfg.cfg_rfc_mode != 0) ? "-r on" : ""),
++		    CHKASCIIZ(smf_ftp_cfg.cfg_tag, "-T"),
++		    CHKASCIIZ(smf_ftp_cfg.cfg_tag, smf_ftp_cfg.cfg_tag),
++		    ((smf_ftp_cfg.cfg_log == 2) ? "-vv" :
++			((smf_ftp_cfg.cfg_log == 1) ? "-v" : "")));
++	}
++
++	free(fmri);
++
++	return (0);
++}
++
++/*
++ * smf_create_ftp_instance()
++ * Function creates a new instance in smf(5) repository.
++ */
++static int
++smf_create_ftp_instance(const char *smf_instance)
++{
++	scf_handle_t	*h_scf = NULL;
++	scf_scope_t	*scp_scf = NULL;
++	scf_service_t	*svc_scf = NULL;
++	scf_instance_t	*sin_scf = NULL;
++	int	rv = -1;
++
++ 	h_scf = scf_handle_create(SCF_VERSION);
++	if ((h_scf == NULL) || (scf_handle_bind(h_scf) == -1)) {
++		(void) fprintf(stderr, "scf_handle_bind() failed - %s\n",
++		    scf_strerror(scf_error()));
++		if (h_scf != NULL) {
++			scf_handle_destroy(h_scf);
++		}
++		return (-1);
++	}
++
++	if ((scp_scf = scf_scope_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not create scope - %s\n",
++		    scf_strerror(scf_error()));
++		goto unbind;
++	}
++
++	if (scf_handle_get_local_scope(h_scf, scp_scf) != 0) {
++		(void) fprintf(stderr, "could not get scope - %s\n",
++		    scf_strerror(scf_error()));
++		goto scope_destroy;
++	}
++
++	if ((svc_scf = scf_service_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not create service - %s\n",
++		    scf_strerror(scf_error()));
++		goto scope_destroy;
++	}
++
++	if ((sin_scf = scf_instance_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not get instance handle - %s\n",
++		    scf_strerror(scf_error()));
++		goto service_destroy;
++	}
++
++	if (scf_scope_get_service(scp_scf, STRIP_SVC(BASE_FMRI), svc_scf) !=
++	    SCF_SUCCESS) {
++		(void) fprintf(stderr, "could not select service (%s)\n",
++		    scf_strerror(scf_error()));
++		goto instance_destroy;
++	}
++
++	if (scf_service_add_instance(svc_scf, smf_instance, sin_scf) != 0) {
++		(void) fprintf(stderr, "could not add %s instance - %s\n",
++		    smf_instance, scf_strerror(scf_error()));
++		goto instance_destroy;
++	}
++
++	if (scf_instance_add_pg(sin_scf, "general", "framework", 0,
++	    NULL) != SCF_SUCCESS) {
++		(void) fprintf(stderr,
++		    "could not create property group - %s\n",
++		    scf_strerror(scf_error()));
++		goto instance_delete;
++	}
++
++	if (scf_instance_add_pg(sin_scf, FTP_PROXY_PG, "application", 0,
++	    NULL) != SCF_SUCCESS) {
++		(void) fprintf(stderr,
++		    "could not create property group - %s\n",
++		    scf_strerror(scf_error()));
++		goto instance_delete;
++	}
++
++	rv = 0;
++	goto instance_destroy;
++
++instance_delete:
++	if (scf_instance_delete(sin_scf) != 0) {
++		fprintf(stderr, "Can't delete the newly created instance:");
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++	}
++instance_destroy:
++	scf_instance_destroy(sin_scf);
++service_destroy:
++	scf_service_destroy(svc_scf);
++scope_destroy:
++	scf_scope_destroy(scp_scf);
++unbind:
++	scf_handle_unbind(h_scf);
++	scf_handle_destroy(h_scf);
++
++	return (rv);
++}
++
++/*
++ * smf_write_ftpcfg()
++ * Function writes proxy configuration to smf(5) repostiory.
++ */
++int
++smf_write_ftpcfg(const char *smf_instance, int create)
++{
++	int	i;
++	scf_propvec_t
++		*bad_prop_vec = NULL;
++	char	*fmri;
++
++	if (atexit_set == 0) {
++		atexit(clear_prop_vec);
++		bzero(prop_vec, sizeof (prop_vec));
++		atexit_set = 1;
++	}
++
++	if (cfg_to_prop_vec() != 0) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	(void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
++	if (fmri == NULL) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	if (create) {
++		if (smf_create_ftp_instance(smf_instance) != 0) {
++			free(fmri);
++			return (-1);
++		}
++	}
++
++	if (create && (scf_write_propvec(fmri, "general", gen_prop_vec,
++	    &bad_prop_vec) != SCF_SUCCESS)) {
++		fprintf(stderr, "Can't update %s configuration:", fmri);
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++		if (bad_prop_vec != NULL) {
++			fprintf(stderr, "Could not set %s\n",
++			    bad_prop_vec->pv_prop);
++		}
++		free(fmri);
++		exit(1);
++	}
++
++	bad_prop_vec = NULL;
++	if (scf_write_propvec(fmri, FTP_PROXY_PG, prop_vec, &bad_prop_vec)
++	    != SCF_SUCCESS) {
++		fprintf(stderr, "Can't update %s configuration:", fmri);
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++		if (bad_prop_vec != NULL) {
++			fprintf(stderr, "Could not set %s\n",
++			    bad_prop_vec->pv_prop);
++		}
++		free(fmri);
++		exit(1);
++	}
++
++	free(fmri);
++	return (0);
++}
+diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.h
+--- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h	1969-12-31 16:00:00.000000000 -0800
++++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.h	2016-02-19 06:43:15.097134373 -0800
[email protected]@ -0,0 +1,77 @@
++/*
++ * CDDL HEADER START
++ *
++ * The contents of this file are subject to the terms of the
++ * Common Development and Distribution License (the "License").
++ * You may not use this file except in compliance with the License.
++ *
++ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++ * or http://www.opensolaris.org/os/licensing.
++ * See the License for the specific language governing permissions
++ * and limitations under the License.
++ *
++ * When distributing Covered Code, include this CDDL HEADER in each
++ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++ * If applicable, add the following below this CDDL HEADER, with the
++ * fields enclosed by brackets "[]" replaced with your own identifying
++ * information: Portions Copyright [yyyy] [name of copyright owner]
++ *
++ * CDDL HEADER END
++ *
++ */
++
++/*
++ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#ifndef	_SMF_CONFIG_H_
++#define	_SMF_CONFIG_H_
++
++#include <string.h>
++
++#define	BASE_FMRI		"svc:/network/firewall/ftp-proxy"
++#define	DEFAULT_INSTANCE	"default"
++
++#define	SMF_CFG_ANON_SET	0x00000001
++#define	SMF_CFG_FIXED_PROXY_SET	0x00000002
++#define	SMF_CFG_LISTEN_ADDR_SET	0x00000004
++#define	SMF_CFG_LISTEN_PORT_SET	0x00000008
++#define	SMF_CFG_DEBUG_LEVEL_SET	0x00000010
++#define	SMF_CFG_MAX_SESSION_SET	0x00000020
++#define	SMF_CFG_RFC_MODE_SET	0x00000040
++#define	SMF_CFG_FIXED_SERVER_PORT_SET	\
++				0x00000080
++#define	SMF_CFG_FIXED_SERVER_SET	\
++				0x00000100
++#define	SMF_CFG_TAG_SET		0x00000200
++#define	SMF_CFG_TIMEOUT_SET	0x00000400
++#define	SMF_CFG_LOG_SET		0x00000800
++
++#define	SMF_CFG_LOG_OFF	0
++#define	SMF_CFG_LOG_ON	1
++#define	SMF_CFG_LOG_ALL	2
++
++#define	SMF_COPY_STR(_x_)	(((_x_) == NULL) ? strdup("") : strdup((_x_)))
++
++typedef struct smf_ftppx_cfg {
++	unsigned int	cfg_set;	/* SMF_CFG_*_SET bit field */
++	int		cfg_anonymous_only;
++	char 		*cfg_fixed_proxy;
++	char 		*cfg_listen_addr;
++	int64_t		cfg_listen_port;
++	int64_t		cfg_debug_level;
++	int64_t		cfg_max_sessions;
++	char		*cfg_fixed_server;
++	int64_t		cfg_fixed_server_port;
++	int		cfg_rfc_mode;
++	char		*cfg_tag;
++	int64_t		cfg_timeout;
++	int		cfg_log;
++} smf_ftppx_cfg_t;
++
++extern smf_ftppx_cfg_t	smf_ftp_cfg;
++
++extern int smf_print_ftpcfg(const char *);
++extern int smf_write_ftpcfg(const char *, int);
++
++#endif	/* !_SMF_CONFIG_H_ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/Makefile	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,75 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME=		pflogd
+COMPONENT_VERSION=	OPENBSD_5_5
+IPS_COMPONENT_VERSION=	5.5
+COMPONENT_PROJECT_URL=	http://www.openbsd.org
+COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
+COMPONENT_ARCHIVE_HASH= sha256:cfa97a28da9c4c5d07a2c6c8225e867d031417a427effb7152f9e8beea614957
+CLEAN_PATHS +=		$(COMPONENT_SRC)
+CLOBBER_PATHS +=	$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=	service/pflogd
+
+TPNO=	24254
+
+#
+# Don't overwrite CFLAGS here, just add our options there.
+#
+COMPONENT_BUILD_ENV += CFLAGS="$(CFLAGS) -D_SOLARIS_ -DOBSD_COMP -lscf"
+COMPONENT_BUILD_ARGS +=	CC="$(CC)"
+
+include ../../make-rules/prep.mk
+include ../../make-rules/justmake.mk
+include ../../make-rules/ips.mk
+
+COMPONENT_INSTALL_ARGS +=	PREFIX=$(PROTOUSRDIR)
+COMPONENT_INSTALL_ARGS +=	MANDIR=$(PROTOUSRSHAREMANDIR)
+COMPONENT_INSTALL_ARGS +=	INSTALL=/usr/gnu/bin/install
+
+ASLR_MODE = $(ASLR_ENABLE)
+
+# common targets
+build:		$(BUILD_64)
+
+install:	$(INSTALL_64)
+
+test:		$(NO_TESTS)
+
+# Here we just download the cached source archive. In order to update
+# the cache, we have to get the sources via CVS manually and ask gatekeepers
+# to place it into the cache. There is no archive available at openbsd.org.
+download:: $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE)
+
+$(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE): $(MAKEFILE_PREREQ)
+	$(FETCH) --file [email protected] --hash $(COMPONENT_ARCHIVE_HASH)
+	$(TOUCH) [email protected]
+
+REQUIRED_PACKAGES += network/firewall
+REQUIRED_PACKAGES += shell/ksh93
+REQUIRED_PACKAGES += system/core-os
+REQUIRED_PACKAGES += system/header
+REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/library/libpcap
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/patches/001-solaris.patch	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,589 @@
+# This patch comes from Oracle. It fixes issues preventing pflogd
+# from building and running on Solaris. Especially, we:
+# - make it read packets from Solaris-specific capture links instead
+#   of OpenBSD's pflog interfaces
+# - introduce our own pcap_pkthdr structure as the one used by
+#   upstream would result in corrupted packet dump files on Solaris
+# - use Solaris-specific random number generator
+#
+# This patch is not going to upstream, the changes are Solaris-specific.
+
+diff -Naur ORIGINAL/Makefile pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile
+--- ORIGINAL/Makefile	2013-06-18 20:51:30.000000000 -0700
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile	2016-02-17 02:08:53.410106245 -0800
[email protected]@ -1,15 +1,28 @@
+ #	$OpenBSD: Makefile,v 1.9 2013/06/19 03:51:30 lteo Exp $
+ 
+-CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
++CFLAGS+= -m64 -errwarn
+ 
+-# for pcap-int.h
+-CFLAGS+=-I${.CURDIR}/../../lib/libpcap
++PROG=pflogd
++SRCS=pflogd.c privsep.c privsep_fdpass.c
++OBJS=$(SRCS:.c=.o)
++MAN=pflogd.8
+ 
+-LDADD+= -lpcap
+-DPADD+=	${LIBPCAP}
++LDADD+=-lpcap -ldladm -luutil
+ 
+-PROG=	pflogd
+-SRCS=	pflogd.c privsep.c privsep_fdpass.c
+-MAN=	pflogd.8
++all:	$(SRCS) $(PROG)
+ 
+-.include <bsd.prog.mk>
++install: $(PROG)
++	$(INSTALL) -d $(PREFIX)/sbin
++	$(INSTALL) -m 755 $(PROG) $(PREFIX)/sbin
++	$(INSTALL) -d $(MANDIR)/man8
++	$(INSTALL) -m 644 $(MAN) $(MANDIR)/man8
++
++$(PROG):	$(OBJS)
++	$(CC) $(CFLAGS) $(OBJS) -o [email protected] $(LDADD)
++
++.c.o:
++	$(CC) $(CFLAGS) -c -o [email protected] $<
++
++clean:
++	rm -rf *.o
++	rm -rf $(PROG)
+diff -Naur ORIGINAL/pflogd.8 pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8
+--- ORIGINAL/pflogd.8	2014-01-20 19:15:45.000000000 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8	2016-02-17 02:32:29.857912548 -0800
[email protected]@ -44,15 +44,15 @@
+ .Nm
+ is a background daemon which reads packets logged by
+ .Xr pf 4
+-to a
+-.Xr pflog 4
+-interface, normally
++to a dedicated capture link interface (see
++.Xr dladm 1M
++for details), normally
+ .Pa pflog0 ,
+ and writes the packets to a logfile (normally
+-.Pa /var/log/pflog )
+-in
+-.Xr tcpdump 8
+-binary format.
++.Pa /var/log/firewall/pflog/pflog0.pkt )
++in libpcap format (see
++.Xr PCAP 3pcap
++for details).
+ These logs can be reviewed later using the
+ .Fl r
+ option of
[email protected]@ -63,9 +63,7 @@
+ .Nm
+ closes and then re-opens the log file when it receives
+ .Dv SIGHUP ,
+-permitting
+-.Xr newsyslog 8
+-to rotate logfiles automatically.
++permitting convenient log rotation.
+ .Dv SIGALRM
+ causes
+ .Nm
[email protected]@ -96,7 +94,7 @@
+ .Pp
+ .Nm
+ will also log the pcap statistics for the
+-.Xr pflog 4
++capture link
+ interface to syslog when a
+ .Dv SIGUSR1
+ is received.
[email protected]@ -113,12 +111,8 @@
+ If not specified, the default is 60 seconds.
+ .It Fl f Ar filename
+ Log output filename.
+-Default is
+-.Pa /var/log/pflog .
+ .It Fl i Ar interface
+-Specifies the
+-.Xr pflog 4
+-interface to use.
++Specifies the capture link interface to use.
+ By default,
+ .Nm
+ will use
[email protected]@ -172,7 +166,7 @@
+ .El
+ .Sh FILES
+ .Bl -tag -width /var/run/pflogd.pid -compact
+-.It Pa /var/log/pflog
++.It Pa /var/log/firewall/pflog/pflog0.pkt
+ Default log file.
+ .El
+ .Sh EXAMPLES
[email protected]@ -185,7 +179,7 @@
+ .Ed
+ .Pp
+ Log from another
+-.Xr pflog 4
++capture link
+ interface, excluding specific packets:
+ .Bd -literal -offset indent
+ # pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
[email protected]@ -193,7 +187,7 @@
+ .Pp
+ Display binary logs:
+ .Bd -literal -offset indent
+-# tcpdump -n -e -ttt -r /var/log/pflog
++# tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog3.pkt
+ .Ed
+ .Pp
+ Display the logs in real time (this does not interfere with the
[email protected]@ -210,16 +204,18 @@
+ .Ed
+ .Sh SEE ALSO
+ .Xr pcap 3 ,
+-.Xr pf 4 ,
+-.Xr pflog 4 ,
+ .Xr pf.conf 5 ,
+-.Xr newsyslog 8 ,
++.Xr privileges 5 ,
++.Xr smf 5 ,
+ .Xr tcpdump 8
+ .Sh HISTORY
+ The
+ .Nm
+ command appeared in
+ .Ox 3.0 .
++The Solaris version is based on
++.Nm
++found in OpenBSD 5.5.
+ .Sh AUTHORS
+ .Nm
+ was written by
+diff -Naur ORIGINAL/pflogd.c pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c
+--- ORIGINAL/pflogd.c	2012-11-05 18:50:47.000000000 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c	2016-02-18 12:05:03.256562087 -0800
[email protected]@ -48,7 +48,15 @@
+ #include <errno.h>
+ #include <stdarg.h>
+ #include <fcntl.h>
++#ifdef	_SOLARIS_
++#include <libdladm.h>
++#include <libnetcfg.h>
++#include <strings.h>
++#include <zone.h>
++#include <libuutil.h>
++#else /* !_SOLARIS_ */
+ #include <util.h>
++#endif	/* _SOLARIS_ */
+ #include "pflogd.h"
+ 
+ pcap_t *hpcap;
[email protected]@ -88,6 +96,34 @@
+ void  sig_hup(int);
+ void  usage(void);
+ 
++#ifdef	_SOLARIS_
++/*
++ * setproctitle() is found in libc on OpenBSD. It allows program to update its
++ * process name. It will be an empty macro on Solaris.
++ */
++#define	setproctitle(...)
++
++/*
++ * __dead attribute will be an empty macro on Solaris.
++ */
++#define	__dead
++
++/*
++ * We must define our own pcap_pkthdr to ensure timeval structure will be
++ * defined in 32-bit version. Not doing so will result in corrupted packet dump
++ * file produced by pflogd on Solaris.
++ */
++typedef struct pcap_pkthdr_file {
++	struct {
++		uint32_t	tv_sec;
++		uint32_t	tv_usec;
++	} ts;
++	uint32_t	caplen;
++	uint32_t	len;
++} pcap_pkthdr_file_t;
++
++#endif	/* _SOLARIS_ */
++
+ static int try_reset_dump(int);
+ 
+ /* buffer must always be greater than snaplen */
[email protected]@ -191,11 +227,13 @@
+ {
+ 	struct bpf_program bprog;
+ 
+-	if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0)
++	if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0) {
+ 		logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
+-	else {
++		logmsg(LOG_WARNING, "for filter:\n\t%s\nNo filter set.\n", filter);
++	} else {
+ 		if (pcap_setfilter(hpcap, &bprog) < 0)
+-			logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
++			logmsg(LOG_WARNING, "%s\nNo filter set.\n",
++			    pcap_geterr(hpcap));
+ 		pcap_freecode(&bprog);
+ 	}
+ }
[email protected]@ -203,6 +241,31 @@
+ int
+ if_exists(char *ifname)
+ {
++#ifdef	_SOLARIS_
++	dladm_handle_t	dlh;
++	datalink_id_t	linkid;
++	zoneid_t	zid = getzoneid();
++	dladm_status_t	dls;
++	int		rv = 0;
++
++	if (!dladm_valid_linkname(ifname) ||
++	    (dladm_open(&dlh) != DLADM_STATUS_OK)) {
++		errno = ENXIO;
++		return (rv);
++	}
++
++	dls = dladm_apply_linknamefilters(dlh, ifname, &linkid, 1, &zid,
++	    DLADM_OPT_ACTIVE, zid, NULL);
++	if ((dls == DLADM_STATUS_OK) && (linkid != DATALINK_INVALID_LINKID)) {
++		rv = 1;
++	}
++
++	dladm_close(dlh);
++
++	errno = (rv == 1) ? 0 : ENXIO;
++
++	return (rv);
++#else /* !_SOLARIS_ */
+ 	int s, ret = 1;
+ 	struct ifreq ifr;
+ 	struct if_data ifrdat;
[email protected]@ -220,6 +283,7 @@
+ 		err(1, "close");
+ 
+ 	return (ret);
++#endif	/* _SOLARIS_ */
+ }
+ 
+ int
[email protected]@ -243,10 +307,15 @@
+ 	cur_snaplen = snaplen = pcap_snapshot(hpcap);
+ 
+ 	/* lock */
++/*
++ * BIOCLOCK operation is not implmented on Solaris. 
++ */
++#ifndef	_SOLARIS_
+ 	if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
+ 		logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
+ 		return (-1);
+ 	}
++#endif	/* !_SOLARIS_ */
+ 
+ 	return (0);
+ }
[email protected]@ -371,7 +440,11 @@
+ scan_dump(FILE *fp, off_t size)
+ {
+ 	struct pcap_file_header hdr;
++#ifdef	_SOLARIS_
++	struct pcap_pkthdr_file	ph;
++#else /* !_SOLARIS_ */
+ 	struct pcap_pkthdr ph;
++#endif	/* _SOLARIS_ */
+ 	off_t pos;
+ 
+ 	/*
[email protected]@ -440,13 +513,26 @@
+ dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
+ {
+ 	FILE *f = (FILE *)user;
++#ifdef	_SOLARIS_
++	struct pcap_pkthdr_file	h_file;
++#endif	/* _SOLARIS_ */
+ 
+ 	if (suspended) {
+ 		packets_dropped++;
+ 		return;
+ 	}
+ 
+-	if (fwrite((char *)h, sizeof(*h), 1, f) != 1) {
++#ifdef	_SOLARIS_
++	h_file.ts.tv_sec = (uint32_t)h->ts.tv_sec;
++	h_file.ts.tv_usec = (uint32_t)h->ts.tv_usec;
++	h_file.caplen = h->caplen;
++	h_file.len = h->len;
++	if (fwrite((char *)&h_file, sizeof (h_file), 1, f) != 1)
++#else	/* !_SOLARIS_ */
++	if (fwrite((char *)h, sizeof(*h), 1, f) != 1)
++#endif	/* _SOLARIS_ */
++
++	{
+ 		off_t pos = ftello(f);
+ 
+ 		/* try to undo header to prevent corruption */
[email protected]@ -520,9 +606,32 @@
+ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
+ {
+ 	FILE *f = (FILE *)user;
++#ifdef	_SOLARIS_
++	struct pcap_pkthdr_file	h_file;
++	size_t len = sizeof (h_file) + h->caplen;
++#else	/* !_SOLARIS_ */
+ 	size_t len = sizeof(*h) + h->caplen;
++#endif	/* _SOLARIS_ */
+ 
+-	if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) {
++#ifdef	_SOLARIS_
++	/*
++	 * Member ts is struct timeval defined in sys/time.h. Solaris uses
++	 * 64-bit version for tv_sec, tv_usec. 64-bit members are not
++	 * compatible with pcap file format, hence we must convert them to
++	 * 32-bits.
++	 */
++	h_file.ts.tv_sec = (uint32_t)h->ts.tv_sec;
++	h_file.ts.tv_usec = (uint32_t)h->ts.tv_usec;
++	h_file.caplen = h->caplen;
++	h_file.len = h->len;
++#endif	/* _SOLARIS_ */
++
++#ifdef	_SOLARIS_
++	if (len < sizeof(h_file) || h_file.caplen > (size_t)cur_snaplen)
++#else	/* !_SOLARIS_ */
++	if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen)
++#endif	/* _SOLARIS_ */
++	{
+ 		logmsg(LOG_NOTICE, "invalid size %zu (%d/%d), packet dropped",
+ 		       len, cur_snaplen, snaplen);
+ 		packets_dropped++;
[email protected]@ -548,8 +657,13 @@
+ 	}
+ 
+  append:
++#ifdef	_SOLARIS_
++	(void) memcpy(bufpos, &h_file, sizeof (h_file));
++	(void) memcpy(bufpos + sizeof (h_file), sp, h->caplen);
++#else	/* !_SOLARIS_ */
+ 	memcpy(bufpos, h, sizeof(*h));
+ 	memcpy(bufpos + sizeof(*h), sp, h->caplen);
++#endif	/* _SOLARIS_ */
+ 
+ 	bufpos += len;
+ 	bufleft -= len;
[email protected]@ -611,7 +725,6 @@
+ 		default:
+ 			usage();
+ 		}
+-
+ 	}
+ 
+ 	log_debug = Debug;
[email protected]@ -658,12 +771,25 @@
+ 
+ 	setproctitle("[initializing]");
+ 	/* Process is now unprivileged and inside a chroot */
++#ifdef	_SOLARIS_
++	/*
++	 * We have to use sigset() on Solaris, since signal() resets sig.
++	 * handler to default as soon as particular signal is delivered.
++	 */
++	sigset(SIGTERM, sig_close);
++	sigset(SIGINT, sig_close);
++	sigset(SIGQUIT, sig_close);
++	sigset(SIGALRM, sig_alrm);
++	sigset(SIGUSR1, sig_usr1);
++	sigset(SIGHUP, sig_hup);
++#else /* !_SOLARIS_ */
+ 	signal(SIGTERM, sig_close);
+ 	signal(SIGINT, sig_close);
+ 	signal(SIGQUIT, sig_close);
+ 	signal(SIGALRM, sig_alrm);
+ 	signal(SIGUSR1, sig_usr1);
+ 	signal(SIGHUP, sig_hup);
++#endif	/* _SOLARIS_ */
+ 	alarm(delay);
+ 
+ 	buffer = malloc(PFLOGD_BUFSIZE);
[email protected]@ -696,7 +822,7 @@
+ 				ret = -1;
+ 				break;
+ 			}
+-			logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
++			logmsg(LOG_NOTICE, "pcap says: %s", pcap_geterr(hpcap));
+ 		}
+ 
+ 		if (gotsig_close)
+diff -Naur ORIGINAL/pflogd.h pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h
+--- ORIGINAL/pflogd.h	2010-09-20 22:56:58.000000000 -0700
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h	2016-02-18 12:08:42.414919276 -0800
[email protected]@ -16,7 +16,11 @@
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#ifdef	_SOLARIS_
++#include <limits.h>
++#else /* !_SOLARIS_ */
+ #include <sys/limits.h>
++#endif	/* _SOLARIS_ */
+ #include <pcap.h>
+ 
+ #define DEF_SNAPLEN 160		/* pfloghdr + ip hdr + proto hdr fit usually */
[email protected]@ -25,7 +29,12 @@
+ #define PCAP_OPT_FIL 1		/* filter optimization */
+ #define FLUSH_DELAY 60		/* flush delay */
+ 
++#ifdef	_SOLARIS_
++#define	PFLOGD_LOG_DIR		"/var/log/firewall/pflog"
++#define PFLOGD_LOG_FILE		"pflog.pkt"
++#else /* !_SOLARIS_ */
+ #define PFLOGD_LOG_FILE		"/var/log/pflog"
++#endif	/* _SOLARIS_ */
+ #define PFLOGD_DEFAULT_IF	"pflog0"
+ 
+ #define PFLOGD_MAXSNAPLEN	INT_MAX
+diff -Naur ORIGINAL/privsep.c pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c
+--- ORIGINAL/privsep.c	2013-09-13 01:49:17.000000000 -0700
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c	2016-02-18 12:07:34.219667793 -0800
[email protected]@ -28,8 +28,6 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
+-#include <pcap.h>
+-#include <pcap-int.h>
+ #include <pwd.h>
+ #include <signal.h>
+ #include <stdio.h>
[email protected]@ -38,6 +36,34 @@
+ #include <syslog.h>
+ #include <unistd.h>
+ #include "pflogd.h"
++#ifdef	_SOLARIS_
++#include <priv.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <time.h>
++#include <sys/random.h>
++#endif	/* _SOLARIS_ */
++/*
++ * It's better to include these after other header files.
++ * pcap-int.h defines strlcpy() as macro if it is undefined.
++ * In our case strlcpy() comes from string.h.
++ */
++#define	HAVE_SNPRINTF	1
++#include <pcap.h>
++#include <pcap-int.h>
++
++#ifdef	_SOLARIS_
++#define	_NSIG	27
++
++/*
++ * setproctitle() is found in libc on OpenBSD. It allows program to update its
++ * process name. It will empty macro on Solaris.
++ */
++#define	setproctitle(...)
++
++#else /* !_SOLARIS_ */
++#define	PFLOGD_USER	"_pflogd"
++#endif	/* _SOLARIS_ */
+ 
+ enum cmd_types {
+ 	PRIV_SET_SNAPLEN,	/* set the snaplength */
[email protected]@ -67,7 +93,9 @@
+ {
+ 	int i, fd, socks[2], cmd;
+ 	int snaplen, ret, olderrno;
++#ifndef	_SOLARIS_
+ 	struct passwd *pw;
++#endif	/* !_SOLARIS_ */
+ 
+ 	for (i = 1; i < _NSIG; i++)
+ 		signal(i, SIG_DFL);
[email protected]@ -76,16 +104,19 @@
+ 	if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, socks) == -1)
+ 		err(1, "socketpair() failed");
+ 
++#ifndef	_SOLARIS_
+ 	pw = getpwnam("_pflogd");
+ 	if (pw == NULL)
+ 		errx(1, "unknown user _pflogd");
+ 	endpwent();
++#endif	/* !_SOLARIS_ */
+ 
+ 	child_pid = fork();
+ 	if (child_pid < 0)
+ 		err(1, "fork() failed");
+ 
+ 	if (!child_pid) {
++#ifndef	_SOLARIS_
+ 		gid_t gidset[1];
+ 
+ 		/* Child - drop privileges and return */
[email protected]@ -101,6 +132,8 @@
+ 			err(1, "setgroups() failed");
+ 		if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+ 			err(1, "setresuid() failed");
++#endif	/* !_SOLARIS_ */
++
+ 		close(socks[0]);
+ 		priv_fd = socks[1];
+ 		return 0;
[email protected]@ -108,19 +141,34 @@
+ 
+ 	/* Father */
+ 	/* Pass ALRM/TERM/HUP/INT/QUIT through to child, and accept CHLD */
++#ifdef	_SOLARIS_
++	/*
++	 * We have to use sigset() on Solaris, since signal() resets sig.
++	 * handler to default as soon as particular signal is delivered.
++	 */
++	sigset(SIGALRM, sig_pass_to_chld);
++	sigset(SIGTERM, sig_pass_to_chld);
++	sigset(SIGHUP,  sig_pass_to_chld);
++	sigset(SIGINT,  sig_pass_to_chld);
++	sigset(SIGQUIT,  sig_pass_to_chld);
++	sigset(SIGCHLD, sig_chld);
++#else /* !_SOLARIS_ */
+ 	signal(SIGALRM, sig_pass_to_chld);
+ 	signal(SIGTERM, sig_pass_to_chld);
+ 	signal(SIGHUP,  sig_pass_to_chld);
+ 	signal(SIGINT,  sig_pass_to_chld);
+ 	signal(SIGQUIT,  sig_pass_to_chld);
+ 	signal(SIGCHLD, sig_chld);
++#endif	/* _SOLARIS_ */
+ 
+ 	setproctitle("[priv]");
+ 	close(socks[1]);
+ 
+ 	while (!gotsig_chld) {
+-		if (may_read(socks[0], &cmd, sizeof(int)))
++		if (may_read(socks[0], &cmd, sizeof(int))) {
++			logmsg(LOG_ERR, "may_read: fails\n");
+ 			break;
++		}
+ 		switch (cmd) {
+ 		case PRIV_SET_SNAPLEN:
+ 			logmsg(LOG_DEBUG,
[email protected]@ -192,9 +240,20 @@
+ 
+ 	for (;;) {
+ 		int fd;
++#ifdef _SOLARIS_
++		uint32_t rand;
+ 
++		if (getrandom(&rand, sizeof (rand), GRND_NONBLOCK) !=
++		    sizeof (rand)) {
++			logmsg(LOG_ERR, "getrandom() failed");
++			return 1;
++		}
++		len = snprintf(ren, sizeof(ren), "%s.bad.%08x",
++		    name, rand);
++#else /* !_SOLARIS_ */
+ 		len = snprintf(ren, sizeof(ren), "%s.bad.%08x",
+ 		    name, arc4random());
++#endif /* _SOLARIS_ */
+ 		if (len >= sizeof(ren)) {
+ 			logmsg(LOG_ERR, "[priv] new name too long");
+ 			return (1);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/patches/002-smf.patch	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,1217 @@
+# This patch comes from Oracle. It turns the component into
+# a well-behaving SMF service. It adds code manipulating service
+# properties, service instances, and also provides security
+# in cooperation with the service manifest (especially, extra
+# privileges are dropped when not needed).
+#
+# This patch is not going to upstream, the changes are Solaris-specific.
+
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile pflogd-OPENBSD_5_5-OPENBSD_5_5/Makefile
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile	2016-02-17 02:08:53.410106245 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/Makefile	2016-02-16 05:02:32.489035397 -0800
[email protected]@ -3,7 +3,7 @@
+ CFLAGS+= -m64 -errwarn
+ 
+ PROG=pflogd
+-SRCS=pflogd.c privsep.c privsep_fdpass.c
++SRCS=pflogd.c privsep.c privsep_fdpass.c smf-config.c
+ OBJS=$(SRCS:.c=.o)
+ MAN=pflogd.8
+ 
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8 pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.8
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8	2016-02-17 02:32:29.857912548 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.8	2016-03-14 07:10:13.031600727 -0700
[email protected]@ -33,7 +33,7 @@
+ .Sh SYNOPSIS
+ .Nm pflogd
+ .Bk -words
+-.Op Fl "Dx"
++.Op Fl C Ar new-pflog-instance-name | Fl c Ar pflog-instance-name
+ .Op Fl d Ar delay
+ .Op Fl f Ar filename
+ .Op Fl i Ar interface
[email protected]@ -60,6 +60,7 @@
+ hopefully offline in case there are bugs in the packet parsing code of
+ .Xr tcpdump 8 .
+ .Pp
++
+ .Nm
+ closes and then re-opens the log file when it receives
+ .Dv SIGHUP ,
[email protected]@ -101,22 +102,52 @@
+ .Pp
+ The options are as follows:
+ .Bl -tag -width Ds
+-.It Fl D
+-Debugging mode.
++.It Fl C Ar new-pflog-instance-name
++Creates a new
+ .Nm
+-does not disassociate from the controlling terminal.
++instance with the specified name. If additional options are used to specify
++configuration, it is stored into the
++.Xr smf 5
++repository. Default values are used for
++.Xr smf 5
++properties unless overriden by a command-line option. The exception is
++pflog/interface (set to equal the instance name) and pflog/logfile
++(set to a file with name equal to the instance name followed by the
++.Pa .pkt
++extension located inside the
++.Pa /var/log/firewall/pflog/
++directory) if the service instance name forms a valid linkname. If the
++service instance name is not a valid linkname, the values must be
++given explicitly.
++.It Fl c Ar pflog-instance-name
++Shows/changes the configuration of the given
++.Nm
++instance in
++.Xr smf 5
++repository. Attributes specified by additional options are placed into the
++.Xr smf 5
++repository.
+ .It Fl d Ar delay
+ Time in seconds to delay between automatic flushes of the file.
+ This may be specified with a value between 5 and 3600 seconds.
+ If not specified, the default is 60 seconds.
+ .It Fl f Ar filename
+-Log output filename.
++Log output filename. When neither
++.Fl C
++nor
++.Fl c
++is used, the default value
++.Pa pflog.pkt
++is used.
+ .It Fl i Ar interface
+ Specifies the capture link interface to use.
+-By default,
+-.Nm
+-will use
+-.Pa pflog0 .
++When neither
++.Fl C
++nor
++.Fl c
++is used, the default value
++.Pa pflog0
++is assumed.
+ .It Fl s Ar snaplen
+ Analyze at most the first
+ .Ar snaplen
[email protected]@ -124,8 +155,6 @@
+ The default of 160 is adequate for IP, ICMP, TCP, and UDP headers but may
+ truncate protocol information for other protocols.
+ Other file parsers may desire a higher snaplen.
+-.It Fl x
+-Check the integrity of an existing log file, and return.
+ .It Ar expression
+ Selects which packets will be dumped, using the regular language of
+ .Xr tcpdump 8 .
[email protected]@ -164,11 +193,59 @@
+ The direction was outbound.
+ .El
+ .El
+-.Sh FILES
+-.Bl -tag -width /var/run/pflogd.pid -compact
+-.It Pa /var/log/firewall/pflog/pflog0.pkt
+-Default log file.
++.Sh SOLARIS
++The
++.Nm
++daemon must be started as an
++.Xr smf 5
++service with the following FMRI:
++.Bd -literal -offset indent
++svc:/network/firewall/pflog
++.Ed
++.Pp
++Command line options described above are set via the following
++.Xr smf 5
++properties.
++.Bl -tag -width "pflog/interface" -offset 3n -compact
++.It pflog/delay
++Automatic flush interval.
++The default value is 60.
++Used as the argument for the
++.Fl d
++option.
++.It pflog/filter
++Packet filter expression in
++.Xr tcpdump 8
++format.
++No expression is defined by default.
++.It pflog/interface
++The capture link name from which to read packets.
++Used as the argument for the
++.Fl i
++option.
++.It pflog/logfile
++Path to the logfile (for security reasons, only paths starting by the
++.Pa /var/log/firewall/
++directory are allowed.
++Used as the argument for the
++.Fl f
++option.
++.It pflog/snaplen
++An upper bound on how many bytes from each packet to analyze.
++The default value is 160.
++Used as the argument for the
++.Fl s
++option.
+ .El
++.Pp
++The start method creates a (temporal) capture link the particular
++instance is using.
++.Pp
++The refresh method sends
++.Dv SIGHUP
++to
++.Nm
++owned by particular service instance.
+ .Sh EXAMPLES
+ Log specific TCP packets to a different log file with a large snaplen
+ (useful with a
[email protected]@ -202,6 +279,32 @@
+ .Bd -literal -offset indent
+ # tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
+ .Ed
++.Sh SECURITY
++The
++.Nm
++daemon is a privilege-aware application which runs as the
++.Dq daemon
++user possessing
++.Sy PRIV_NET_OBSERVABILITY
++privilege that is required for using
++.Xr bpf 7d
++to read packets. See
++.Xr privileges 5
++for details.
++The service start method uses
++.Xr dladm 1M
++to create capture link if it does not exist already.
++.Pp
++To configure the
++.Nm
++service one has to obtain the
++.Sy solaris.smf.value.network.firewall
++authorization.
++To manage the service (disable/enable/refresh) one must have the
++.Sy solaris.smf.manage.network.firewall
++authorization.
++Both authorizations are granted through the Network Firewall Management profile.
++To create new service instances, you need the solaris.smf.modify authorization.
+ .Sh SEE ALSO
+ .Xr pcap 3 ,
+ .Xr pf.conf 5 ,
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.c
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c	2016-02-18 12:05:03.256562087 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.c	2016-02-18 12:01:49.900876863 -0800
[email protected]@ -54,6 +54,7 @@
+ #include <strings.h>
+ #include <zone.h>
+ #include <libuutil.h>
++#include "smf-config.h"
+ #else /* !_SOLARIS_ */
+ #include <util.h>
+ #endif	/* _SOLARIS_ */
[email protected]@ -63,7 +64,7 @@
+ static FILE *dpcap;
+ 
+ int Debug = 0;
+-static int snaplen = DEF_SNAPLEN;
++static int64_t snaplen = DEF_SNAPLEN;
+ static int cur_snaplen = DEF_SNAPLEN;
+ 
+ volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
[email protected]@ -75,7 +76,7 @@
+ char errbuf[PCAP_ERRBUF_SIZE];
+ 
+ int log_debug = 0;
+-unsigned int delay = FLUSH_DELAY;
++int64_t delay = FLUSH_DELAY;
+ 
+ char *copy_argv(char * const *);
+ void  dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
[email protected]@ -124,6 +125,15 @@
+ 
+ #endif	/* _SOLARIS_ */
+ 
++#ifdef	_SOLARIS_
++#define	PFLOGD_GETOPTS	"c:C:Dd:f:i:s:"
++#define	CFG_SETFLAG(_flags_, _f_)	((_flags_) |= (_f_))
++#define	SKIP_CHK(_x_)	((_x_) == NULL)
++#else /* !_SOLARIS_ */
++#define	PFLOGD_GETOPTS	"Dxd:f:i:s:"
++#define	CFG_SETFLAG(_flags_, _f_)
++#define	SKIP_CHK(_x_)	(1)
++#endif	/* _SOLARIS_ */
+ static int try_reset_dump(int);
+ 
+ /* buffer must always be greater than snaplen */
[email protected]@ -290,6 +300,8 @@
+ init_pcap(void)
+ {
+ 	hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
++	DROP_PRIV(PRIV_NET_OBSERVABILITY);
++
+ 	if (hpcap == NULL) {
+ 		logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
+ 		return (-1);
[email protected]@ -690,12 +702,20 @@
+ 	int ch, np, ret, Xflag = 0;
+ 	pcap_handler phandler = dump_packet;
+ 	const char *errstr = NULL;
++#ifdef	_SOLARIS_
++	unsigned int	create = 0;
++	unsigned int	cfg_flags = 0;
++	const char	*smf_instance = NULL;
++#endif	/* _SOLARIS_ */
++
++	DROP_PRIV(PRIV_SYS_IP_CONFIG);
++	DROP_PRIV(PRIV_PROC_EXEC);
+ 
+ 	ret = 0;
+ 
+ 	closefrom(STDERR_FILENO + 1);
+ 
+-	while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
++	while ((ch = getopt(argc, argv, PFLOGD_GETOPTS)) != -1) {
+ 		switch (ch) {
+ 		case 'D':
+ 			Debug = 1;
[email protected]@ -704,12 +724,15 @@
+ 			delay = strtonum(optarg, 5, 60*60, &errstr);
+ 			if (errstr)
+ 				usage();
++			CFG_SETFLAG(cfg_flags, SMF_CFG_DELAY_SET);
+ 			break;
+ 		case 'f':
+ 			filename = optarg;
++			CFG_SETFLAG(cfg_flags, SMF_CFG_LOGFILE_SET);
+ 			break;
+ 		case 'i':
+ 			interface = optarg;
++			CFG_SETFLAG(cfg_flags, SMF_CFG_INTERFACE_SET);
+ 			break;
+ 		case 's':
+ 			snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
[email protected]@ -718,10 +741,27 @@
+ 				snaplen = DEF_SNAPLEN;
+ 			if (errstr)
+ 				snaplen = PFLOGD_MAXSNAPLEN;
++			CFG_SETFLAG(cfg_flags, SMF_CFG_SNAPLEN_SET);
+ 			break;
++#ifndef	_SOLARIS_
++		/*
++		 * This option requires a special securing on Solaris as
++		 * pflogd will be started manually in the case it is used.
++		 * Also, some polishing is needed so that the response
++		 * from 'pflogd -x' is shown to the user and not put into
++		 * a logfile.
++		 */
+ 		case 'x':
+ 			Xflag++;
+ 			break;
++#endif /* !_SOLARIS_ */
++#ifdef	_SOLARIS_
++		case 'C': 
++			create = 1;	/* FALLTHRU */
++		case 'c':
++			smf_instance = optarg;
++			break;
++#endif	/* _SOLARIS_ */
+ 		default:
+ 			usage();
+ 		}
[email protected]@ -732,14 +772,14 @@
+ 	argv += optind;
+ 
+ 	/* does interface exist */
+-	if (!if_exists(interface)) {
++	if (SKIP_CHK(smf_instance) && !if_exists(interface)) {
+ 		warn("Failed to initialize: %s", interface);
+ 		logmsg(LOG_ERR, "Failed to initialize: %s", interface);
+ 		logmsg(LOG_ERR, "Exiting, init failure");
+ 		exit(1);
+ 	}
+ 
+-	if (!Debug) {
++	if (SKIP_CHK(smf_instance) && !Debug) {
+ 		openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
+ 		if (daemon(0, 0)) {
+ 			logmsg(LOG_WARNING, "Failed to become daemon: %s",
[email protected]@ -757,6 +797,31 @@
+ 			logmsg(LOG_NOTICE, "Failed to form filter expression");
+ 	}
+ 
++#ifdef	_SOLARIS_
++	if (smf_instance != NULL) {
++		if (filter != NULL) {
++			CFG_SETFLAG(cfg_flags, SMF_CFG_EXPRESSION_SET);
++		} else {
++			filter = "";
++		}
++		if ((cfg_flags == 0) && (create == 0)) {
++			if (smf_print_pflogcfg(smf_instance)) {
++				exit (-1);
++			}
++		} else {
++			smf_pflogd_cfg.cfg_set = cfg_flags;
++			smf_pflogd_cfg.cfg_expression = strdup(filter);
++			smf_pflogd_cfg.cfg_interface = strdup(interface);
++			smf_pflogd_cfg.cfg_logfile = strdup(filename);
++			smf_pflogd_cfg.cfg_delay = delay;
++			smf_pflogd_cfg.cfg_snaplen = snaplen;
++
++			smf_write_pflogcfg(smf_instance, create);
++		}
++		exit(0);
++	}
++#endif	/* _SOLARIS_ */
++
+ 	/* initialize pcap before dropping privileges */
+ 	if (init_pcap()) {
+ 		logmsg(LOG_ERR, "Exiting, init failure");
[email protected]@ -768,7 +833,6 @@
+ 		logmsg(LOG_ERR, "unable to privsep");
+ 		exit(1);
+ 	}
+-
+ 	setproctitle("[initializing]");
+ 	/* Process is now unprivileged and inside a chroot */
+ #ifdef	_SOLARIS_
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.h
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h	2016-02-18 12:08:42.414919276 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.h	2016-02-18 12:09:18.796727948 -0800
[email protected]@ -18,6 +18,8 @@
+ 
+ #ifdef	_SOLARIS_
+ #include <limits.h>
++#include <sys/types.h>
++#include <priv.h>
+ #else /* !_SOLARIS_ */
+ #include <sys/limits.h>
+ #endif	/* _SOLARIS_ */
[email protected]@ -55,3 +57,27 @@
+ int  receive_fd(int);
+ 
+ extern int Debug;
++
++#ifdef _SOLARIS_
++#define DROP_PRIV(priv)                                         \
++	do {                                                    \
++		if (priv_set(PRIV_OFF, PRIV_PERMITTED, (priv),  \
++		    NULL) != 0) {                               \
++			fprintf(stderr,                         \
++			    "Unable to drop privileges.\n");    \
++			exit (-1);                              \
++		}                                               \
++	} while (0)
++
++#define DROP_PFLAG(flag)				\
++	do {						\
++		if (setpflags((flag), 0) != 0) {	\
++			fprintf(stderr,			\
++			    "Unable to drop pflag.\n");	\
++			exit (-1);			\
++		}					\
++} while (0)
++#else /* !_SOLARIS_ */
++#define DROP_PRIV(priv)
++#define DROP_PFLAG(flag)
++#endif /* _SOLARIS_ */
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c pflogd-OPENBSD_5_5-OPENBSD_5_5/privsep.c
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c	2016-02-18 12:07:34.219667793 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/privsep.c	2016-02-18 11:55:14.949135348 -0800
[email protected]@ -112,6 +112,7 @@
+ #endif	/* !_SOLARIS_ */
+ 
+ 	child_pid = fork();
++	DROP_PRIV(PRIV_PROC_FORK);
+ 	if (child_pid < 0)
+ 		err(1, "fork() failed");
+ 
[email protected]@ -133,6 +134,7 @@
+ 		if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+ 			err(1, "setresuid() failed");
+ #endif	/* !_SOLARIS_ */
++		DROP_PFLAG(PRIV_XPOLICY);
+ 
+ 		close(socks[0]);
+ 		priv_fd = socks[1];
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.c
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c	1969-12-31 16:00:00.000000000 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.c	2016-02-24 08:24:57.408744180 -0800
[email protected]@ -0,0 +1,713 @@
++/*
++ * CDDL HEADER START
++ *
++ * The contents of this file are subject to the terms of the
++ * Common Development and Distribution License (the "License").
++ * You may not use this file except in compliance with the License.
++ *
++ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++ * or http://www.opensolaris.org/os/licensing.
++ * See the License for the specific language governing permissions
++ * and limitations under the License.
++ *
++ * When distributing Covered Code, include this CDDL HEADER in each
++ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++ * If applicable, add the following below this CDDL HEADER, with the
++ * fields enclosed by brackets "[]" replaced with your own identifying
++ * information: Portions Copyright [yyyy] [name of copyright owner]
++ *
++ * CDDL HEADER END
++ *
++ */
++
++/*
++ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#include <string.h>
++#include <strings.h>
++#include <stdlib.h>
++#include <err.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <libscf.h>
++#include <stddef.h>
++#include <libscf_priv.h>
++
++#include "pflogd.h"
++#include "smf-config.h"
++
++#define	PFLOGD_PG	"pflog"
++#define PFLOGD_PROP_VALUE_AUTH	"value_authorization"
++#define PFLOGD_PROP_ACTION_AUTH	"action_authorization"
++#define PFLOGD_VALUE_AUTH	"solaris.smf.value.network.firewall"
++#define PFLOGD_MANAGE_AUTH	"solaris.smf.manage.network.firewall"
++
++#define	SKIP_PROP(_pv_)		\
++	((strcmp((_pv_)->pv_prop, "action_authorization") == 0) || \
++	(strcmp((_pv_)->pv_prop, "value_authorization") == 0))
++
++#define	STRIP_SVC(_x_)	((_x_) + (sizeof ("svc:/") - 1))
++
++/*
++ * smf_pflogd_cfg
++ * FTP proxy configuration container.
++ */
++smf_pflogd_cfg_t	smf_pflogd_cfg;
++
++#define	SMF_OPT_OPTIONAL	0
++#define	SMF_OPT_MANDATORY	1
++/*
++ * X-macro table.
++ * Columns are as follows:
++ * 	value key/index 
++ *	SMF property name name
++ *	member in smf_pflogd_cfg_t structure
++ *	function which converts ASCIIZ to member type in smf_pflogd_cfg_t
++ *	function which converts member in smf_pflogd_cfg_t to ASCIIZ
++ *	optional/mandatory status
++ *      property type
++ */
++#define	X_CFG_PROPS	\
++	X(SMF_LOGFILE, "logfile", cfg_logfile, nop_in, nop_out,		\
++	    SMF_OPT_MANDATORY, SCF_TYPE_ASTRING)			\
++	X(SMF_SNAPLEN, "snaplen", cfg_snaplen, int_in, int_out,		\
++	    SMF_OPT_MANDATORY, SCF_TYPE_INTEGER)			\
++	X(SMF_INTERFACE, "interface", cfg_interface, nop_in, nop_out,	\
++	    SMF_OPT_MANDATORY, SCF_TYPE_ASTRING)			\
++	X(SMF_DELAY, "delay",	cfg_delay, int_in, int_out,		\
++	    SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER)				\
++	X(SMF_EXPRESSION, "filter", cfg_expression, nop_in, nop_out,	\
++	    SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)
++
++static void nop_in(void *, void *);
++static void nop_out(void *, void *);
++static void int_in(void *, void *);
++static void int_out(void *, void *);
++
++/*
++ * smf_keys
++ * Keys (indexes) to `smf_propnames` dictionary.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _const_,
++enum smf_keys {
++	X_CFG_PROPS
++	SMF_CFG_PROP_COUNT
++};
++#undef	X
++
++/*
++ * smf_propnames
++ * It's an array (dictionary), which translates property code (SMF_*) to
++ * property value name found `ftp-proxy` property group.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _propname_,
++static const char *smf_propnames[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_cfg_offsets
++ * Table of smf_pflogd_cfg_t members.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) offsetof(smf_pflogd_cfg_t, _decl_),
++static size_t smf_cfg_offsets[] = {
++	X_CFG_PROPS
++	sizeof (smf_pflogd_cfg_t)
++};
++#undef	X
++
++typedef void(*conv_in_f)(void *, void *);
++typedef void(*conv_out_f)(void *, void *);
++/*
++ * smf_convert_in
++ * Table of conversion functions, which convert particular smf_pflogd_cfg_t
++ * member into ASCIIZ.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _conv_in_,
++static conv_in_f smf_conv_in[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_conv_out
++ * Table of conversion functions, which convert ASCIIZ fetched from smf(5)
++ * repository to member of smf_pflogd_cfg_t structure.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _conv_out_,
++static conv_out_f smf_conv_out[] = {
++	X_CFG_PROPS
++	NULL
++};
++#undef	X
++
++/*
++ * smf_mandatory
++ * Table marks configuration parameters, which must be defined by admin,
++ * before the service is enabled for the first time.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _mandatory_,
++static int smf_mandatory[] = {
++	X_CFG_PROPS
++	0
++};
++#undef	X
++
++/*
++ * smf_type
++ * Table of types of SMF properties.
++ */
++#define	X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
++    _type_) _type_,
++static int smf_type[] = {
++	X_CFG_PROPS
++	0
++};
++#undef	X
++
++/*
++ * pflogd property group properties
++ * +1 for NULL termination.
++ * +1 for value_authorization
++ */
++static scf_propvec_t	prop_vec[SMF_CFG_PROP_COUNT + 1 + 1];
++
++/*
++ * general property group properties
++ * +1 for NULL termination.
++ * +2 for value_authorization/action_authorization
++ */
++static scf_propvec_t	gen_prop_vec[1 + 2];
++
++static int atexit_set = 0;
++static int complete_pflogdcfg(const char *);
++
++/*
++ * nop_in()
++ * Dummy conversion ASCIIZ to ASCIIZ, no allocation happens. Used when
++ * configuration is from smf(5).
++ */
++static void
++nop_in(void *asciiz, void *result)
++{
++	*((char **)result) = (char *)asciiz;
++}
++
++/*
++ * nop_out()
++ * Dummy conversion ASCIIZ to ASCIIZ, function allocates memory for result by
++ * strdup(3C). Used when configuration is written to smf(5) repository.
++ */
++static void
++nop_out(void *asciiz, void *val)
++{
++	*((char **)asciiz) = strdup(*(char **)val);
++}
++
++/*
++ * int_in()
++ * Dummy conversion of int64_t. No allocation happens. Used when reading
++ * values from smf.
++ */
++static void
++int_in(void *in, void *out) {
++	*((int64_t *)out) = *((int64_t *)in);
++}
++
++/*
++ * int_out()
++ * Dummy conversion of int64_t, storing into a newly allocated memory.
++ * Used when storing values to smf repository.
++ */
++static void
++int_out(void *out, void *in) {
++	int64_t **out_ = (int64_t **)out;
++
++	*out_ = malloc(sizeof (int64_t));
++	if (*out_ != NULL)
++		**out_ = *((int64_t *)in);
++}
++
++static void
++clear_prop_vec2(scf_propvec_t *prop_vec_ptr, int count)
++{
++	while (count--) {
++		prop_vec_ptr->pv_prop = NULL;
++		prop_vec_ptr->pv_desc = NULL;
++		prop_vec_ptr->pv_type = 0;
++		prop_vec_ptr->pv_aux = 0;
++		prop_vec_ptr->pv_mval = 0;
++
++		if (prop_vec_ptr->pv_ptr != NULL) {
++			free(prop_vec_ptr->pv_ptr);
++			prop_vec_ptr->pv_ptr = NULL;
++		}
++
++		prop_vec_ptr++;
++	}
++}
++
++/*
++ * clear_prop_vec()
++ * Function clears global variables `prop_vec` and `gen_prop_vec`,
++ * which are vectors of properties.
++ */
++static void
++clear_prop_vec()
++{
++	clear_prop_vec2(prop_vec,
++	    sizeof (prop_vec) / sizeof (scf_propvec_t));
++	clear_prop_vec2(gen_prop_vec,
++	    sizeof (gen_prop_vec) / sizeof (scf_propvec_t));
++}
++
++/*
++ * cfg_to_prop_vec()
++ * Function converts smf_pflogd_cfg global variable, which holds configuration
++ * parsed from command line arguments, to prop_vec, which is a smf(5) friendly
++ * representation of pflogd configuration. 
++ *
++ * Additionally, it populates gen_prop_vec to specify needed authorizations.
++ *
++ * Returns 0 on success, -1 on out of memory error.
++ */
++static int
++cfg_to_prop_vec(void)
++{
++	int		cfg_bit = 1;
++	int		i;
++	scf_propvec_t	*prop_vec_ptr = prop_vec;
++	conv_out_f	conv_func;
++
++	clear_prop_vec();
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		if ((smf_pflogd_cfg.cfg_set & cfg_bit) != 0) {
++			prop_vec_ptr->pv_prop = smf_propnames[i];
++			conv_func = smf_conv_out[i];
++
++			conv_func(&prop_vec_ptr->pv_ptr,
++			    ((char *)&smf_pflogd_cfg + smf_cfg_offsets[i]));
++			if (prop_vec_ptr->pv_ptr == NULL)
++				return (-1);
++			prop_vec_ptr->pv_type = smf_type[i];
++			prop_vec_ptr++;
++		}
++		cfg_bit = cfg_bit << 1;
++	}
++	prop_vec_ptr->pv_type = SCF_TYPE_ASTRING;
++	prop_vec_ptr->pv_prop = PFLOGD_PROP_VALUE_AUTH;
++	prop_vec_ptr->pv_ptr = strdup(PFLOGD_VALUE_AUTH);
++	prop_vec_ptr++;
++
++	gen_prop_vec[0].pv_type = SCF_TYPE_ASTRING;
++	gen_prop_vec[0].pv_prop = PFLOGD_PROP_VALUE_AUTH;
++	gen_prop_vec[0].pv_ptr = strdup(PFLOGD_MANAGE_AUTH);
++	gen_prop_vec[1].pv_type = SCF_TYPE_ASTRING;
++	gen_prop_vec[1].pv_prop = PFLOGD_PROP_ACTION_AUTH;
++	gen_prop_vec[1].pv_ptr = strdup(PFLOGD_MANAGE_AUTH);
++
++	return (0);
++}
++
++/*
++ * prop_vec_to_cfg()
++ * Converts global variable `prop_vec` to `smf_pflogd_cfg` global variable,
++ * which is understood by main().
++ */
++static void
++prop_vec_to_cfg(void)
++{
++	int		i;
++	scf_propvec_t	*prop_vec_ptr = prop_vec;
++	conv_in_f	conv_func;
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++, prop_vec_ptr++) {
++		if (SKIP_PROP(prop_vec_ptr)) {
++			/*
++			 * We have `hidden` properties: action/value smf
++			 * authorization. Those two are not kept in
++			 * smf_ftp_cfg.
++			 *
++			 * So we must to skip to next property in vector
++			 * without letting for loop to advance its counter, so
++			 * we compensate here by doing `i--`.
++			 */
++			i--;
++			continue;
++		};
++		conv_func = smf_conv_in[i];
++		conv_func(prop_vec_ptr->pv_ptr,
++		    ((char *)&smf_pflogd_cfg + smf_cfg_offsets[i]));
++	}
++}
++
++/*
++ * smf_print_pflogcfg()
++ * Function loads pflogdcfg from smf(5) repository and prints configuration to
++ * standard output. We use `scf_simple_prop_get(3SCF)`.
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++smf_print_pflogcfg(const char *smf_instance)
++{
++	scf_simple_prop_t	*prop;
++	char			*propval;
++	int			i;
++	scf_propvec_t		*prop_vec_ptr = prop_vec;
++	int			cfg_undefined = 0;
++	char			*fmri;
++
++	if (atexit_set == 0) {
++		atexit(clear_prop_vec);
++		bzero(&smf_pflogd_cfg, sizeof (smf_pflogd_cfg_t));
++		atexit_set = 1;
++	}
++
++	(void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
++	if (fmri == NULL) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	clear_prop_vec();
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		prop = scf_simple_prop_get(NULL, fmri, PFLOGD_PG,
++		    smf_propnames[i]);
++		prop_vec_ptr->pv_prop = smf_propnames[i];
++
++		if (prop == NULL) {
++			/*
++			 * Property not defined, so we create a kind of
++			 * 'placeholder' with empty value.
++			 *
++			 * calloc() works well for both astring and integer.
++			 */
++			prop_vec_ptr->pv_type = smf_type[i];
++			prop_vec_ptr->pv_ptr = calloc(1, sizeof (int64_t));
++			cfg_undefined |= smf_mandatory[i];
++		} else {
++			prop_vec_ptr->pv_type = scf_simple_prop_type(prop);
++			if (prop_vec_ptr->pv_type == -1) {
++				free(fmri);
++				fprintf(stderr,
++				    "Failed to get property type.\n");
++				return (-1);
++			}
++			if (prop_vec_ptr->pv_type != smf_type[i]) {
++				free(fmri);
++				fprintf(stderr,
++				    "Property %s has unexpected type.\n",
++				    smf_propnames[i]);
++				return (-1);
++			}
++
++			if (smf_type[i] == SCF_TYPE_ASTRING) {
++				char	*propval;
++				propval = scf_simple_prop_next_astring(prop);
++				if (propval == NULL) {
++					propval = "";
++				}
++				prop_vec_ptr->pv_ptr = strdup(propval);
++
++				if (propval[0] == 0) {
++					cfg_undefined |= smf_mandatory[i];
++				}
++			} else {
++				/* smf_type[i] == SCF_TYPE_INTEGER */
++				int64_t	*propval;
++				int64_t propval_;
++
++				propval = scf_simple_prop_next_integer(prop);
++				propval_ = (propval == NULL) ? (0) : (*propval);
++
++				prop_vec_ptr->pv_ptr = malloc(sizeof (int64_t));
++				if (prop_vec_ptr->pv_ptr != NULL) {
++					*((int64_t *)prop_vec_ptr->pv_ptr) =
++					    propval_;
++				}
++				if (propval_ == 0) {
++					cfg_undefined |= smf_mandatory[i];
++				}
++			}
++			scf_simple_prop_free(prop);
++		}
++		if (prop_vec_ptr->pv_ptr == NULL) {
++			free(fmri);
++			fprintf(stderr, "Out of memory.\n");
++			return (-1);
++		}
++
++		prop_vec_ptr++;
++	}
++
++	printf("PF pflogd configuration:\n");
++
++	prop_vec_ptr = prop_vec;
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		if (smf_type[i] == SCF_TYPE_ASTRING) {
++			const char *val = (const char *)prop_vec_ptr->pv_ptr;
++			printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
++			    ((val[0] == '\0') ?  "?? undefined ??" : val));
++		} else {
++			/* smf_type[i] == SCF_TYPE_INTEGER */
++			int64_t val = *((int64_t *)prop_vec_ptr->pv_ptr);
++			if (val == 0) {
++				printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
++			    	    "?? undefined ??");
++			} else {
++				printf("\t- %s:\n\t\t%d\n", prop_vec_ptr->pv_prop,
++			    	    (int)val);
++			}
++		}
++		prop_vec_ptr++;
++	}
++	if (cfg_undefined) {
++		printf("\n\nConfiguration for %s is incomplete."
++		    " Service will not run.\n\n", fmri);
++	} else {
++		prop_vec_to_cfg();
++		printf(
++		    "\n\n%s service is being launched using cmd line below\n",
++		    fmri);
++		printf("pflogd -d %d -i %s -s %d -f %s %s\n\n",
++		    (int)smf_pflogd_cfg.cfg_delay, smf_pflogd_cfg.cfg_interface,
++		    (int)smf_pflogd_cfg.cfg_snaplen, smf_pflogd_cfg.cfg_logfile,
++		    smf_pflogd_cfg.cfg_expression);
++	}
++
++	free(fmri);
++
++	return (0);
++}
++
++/*
++ * smf_create_pflogd_instance()
++ * Function creates a new instance in smf(5) repository.
++ */
++static int
++smf_create_pflogd_instance(const char *smf_instance)
++{
++	scf_handle_t	*h_scf = NULL;
++	scf_scope_t	*scp_scf = NULL;
++	scf_service_t	*svc_scf = NULL;
++	scf_instance_t	*sin_scf = NULL;
++	int	rv = -1;
++
++ 	h_scf = scf_handle_create(SCF_VERSION);
++	if ((h_scf == NULL) || (scf_handle_bind(h_scf) == -1)) {
++		(void) fprintf(stderr, "scf_handle_bind() failed - %s\n",
++		    scf_strerror(scf_error()));
++		if (h_scf != NULL) {
++			scf_handle_destroy(h_scf);
++		}
++		return (-1);
++	}
++
++	if ((scp_scf = scf_scope_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not create scope - %s\n",
++		    scf_strerror(scf_error()));
++		goto unbind;
++	}
++
++	if (scf_handle_get_local_scope(h_scf, scp_scf) != 0) {
++		(void) fprintf(stderr, "could not get scope - %s\n",
++		    scf_strerror(scf_error()));
++		goto scope_destroy;
++	}
++
++	if ((svc_scf = scf_service_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not create service - %s\n",
++		    scf_strerror(scf_error()));
++		goto scope_destroy;
++	}
++
++	if ((sin_scf = scf_instance_create(h_scf)) == NULL) {
++		(void) fprintf(stderr, "could not get instance handle - %s\n",
++		    scf_strerror(scf_error()));
++		goto service_destroy;
++	}
++
++	if (scf_scope_get_service(scp_scf, STRIP_SVC(BASE_FMRI), svc_scf) !=
++	    SCF_SUCCESS) {
++		(void) fprintf(stderr, "could not select service (%s)\n",
++		    scf_strerror(scf_error()));
++		goto instance_destroy;
++	}
++
++	if (scf_service_add_instance(svc_scf, smf_instance, sin_scf) != 0) {
++		(void) fprintf(stderr, "could not add %s instance - %s\n",
++		    smf_instance, scf_strerror(scf_error()));
++		goto instance_destroy;
++	}
++
++	if (scf_instance_add_pg(sin_scf, "general", "framework", 0,
++	    NULL) != SCF_SUCCESS) {
++		(void) fprintf(stderr,
++		    "could not create property group - %s\n",
++		    scf_strerror(scf_error()));
++		goto instance_delete;
++	}
++
++	if (scf_instance_add_pg(sin_scf, PFLOGD_PG, "application", 0,
++	    NULL) != SCF_SUCCESS) {
++		(void) fprintf(stderr,
++		    "could not create property group - %s\n",
++		    scf_strerror(scf_error()));
++		goto instance_delete;
++	}
++
++	rv = 0;
++	goto instance_destroy;
++
++instance_delete:
++	if (scf_instance_delete(sin_scf) != 0) {
++		fprintf(stderr, "Can't delete the newly created instance:");
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++	}
++instance_destroy:
++	scf_instance_destroy(sin_scf);
++service_destroy:
++	scf_service_destroy(svc_scf);
++scope_destroy:
++	scf_scope_destroy(scp_scf);
++unbind:
++	scf_handle_unbind(h_scf);
++	scf_handle_destroy(h_scf);
++
++	return (rv);
++}
++
++/*
++ * smf_write_pflogcfg()
++ * Function writes pflogd configuration to smf(5) repository.
++ */
++int
++smf_write_pflogcfg(const char *smf_instance, int create)
++{
++	int	i;
++	scf_propvec_t
++		*bad_prop_vec = NULL;
++	char	*fmri;
++
++	if (atexit_set == 0) {
++		atexit(clear_prop_vec);
++		bzero(prop_vec, sizeof (prop_vec));
++		atexit_set = 1;
++	}
++
++	if (create && (complete_pflogdcfg(smf_instance) != 0)) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	if (cfg_to_prop_vec() != 0) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	(void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
++	if (fmri == NULL) {
++		fprintf(stderr, "Out of memory.\n");
++		return (-1);
++	}
++
++	if (create) {
++		if (smf_create_pflogd_instance(smf_instance) != 0) {
++			free(fmri);
++			return (-1);
++		}
++	}
++
++	if (create && (scf_write_propvec(fmri, "general", gen_prop_vec,
++	    &bad_prop_vec) != SCF_SUCCESS)) {
++		fprintf(stderr, "Can't update %s configuration:", fmri);
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++		if (bad_prop_vec != NULL) {
++			fprintf(stderr, "Could not set %s\n",
++			    bad_prop_vec->pv_prop);
++		}
++		free(fmri);
++		exit(1);
++	}
++
++	bad_prop_vec = NULL;
++	if (scf_write_propvec(fmri, PFLOGD_PG, prop_vec, &bad_prop_vec)
++	    != SCF_SUCCESS) {
++		fprintf(stderr, "Can't update %s configuration:", fmri);
++		fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
++		if (bad_prop_vec != NULL) {
++			fprintf(stderr, "Could not set %s\n",
++			    bad_prop_vec->pv_prop);
++		}
++		free(fmri);
++		exit(1);
++	}
++
++	free(fmri);
++	return (0);
++}
++
++/*
++ * complete_pflogdcfg()
++ * Function sets default values to properties, which are unset/undefined when
++ * new smf(5) instance is being created.
++ *
++ * Returns 0 on success, -1 on out of memory error.
++ */
++static int
++complete_pflogdcfg(const char *smf_instance)
++{
++	int	i;
++	int	f = 1;
++
++	for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
++		if ((smf_pflogd_cfg.cfg_set & f) == 0) {
++			switch (i) {
++			case SMF_LOGFILE:
++				(void) asprintf(&smf_pflogd_cfg.cfg_logfile,
++				    "%s/%s", PFLOGD_LOG_DIR, smf_instance);
++				if (smf_pflogd_cfg.cfg_logfile == NULL) {
++					return (-1);
++				}
++				smf_pflogd_cfg.cfg_set |= SMF_CFG_LOGFILE_SET;	
++				break;
++			case SMF_INTERFACE:
++				smf_pflogd_cfg.cfg_interface = strdup(smf_instance);
++				if (smf_pflogd_cfg.cfg_interface == NULL) {
++					return (-1);
++				}
++				smf_pflogd_cfg.cfg_set |= SMF_CFG_INTERFACE_SET;
++				break;
++			case SMF_SNAPLEN:
++				smf_pflogd_cfg.cfg_snaplen = DEF_SNAPLEN;
++				smf_pflogd_cfg.cfg_set |= SMF_CFG_SNAPLEN_SET;
++				break;
++			case SMF_DELAY:
++				smf_pflogd_cfg.cfg_delay = FLUSH_DELAY;
++				smf_pflogd_cfg.cfg_set |= SMF_CFG_DELAY_SET;
++				break;
++			case SMF_EXPRESSION:
++				smf_pflogd_cfg.cfg_expression = strdup("");
++				smf_pflogd_cfg.cfg_set |= SMF_CFG_EXPRESSION_SET;
++				break;
++			default: ;
++			}
++		}
++		f = f << 1;
++	}
++
++	return (0);
++}
+diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.h
+--- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h	1969-12-31 16:00:00.000000000 -0800
++++ pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.h	2016-02-17 01:17:14.520118386 -0800
[email protected]@ -0,0 +1,53 @@
++/*
++ * CDDL HEADER START
++ *
++ * The contents of this file are subject to the terms of the
++ * Common Development and Distribution License (the "License").
++ * You may not use this file except in compliance with the License.
++ *
++ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++ * or http://www.opensolaris.org/os/licensing.
++ * See the License for the specific language governing permissions
++ * and limitations under the License.
++ *
++ * When distributing Covered Code, include this CDDL HEADER in each
++ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++ * If applicable, add the following below this CDDL HEADER, with the
++ * fields enclosed by brackets "[]" replaced with your own identifying
++ * information: Portions Copyright [yyyy] [name of copyright owner]
++ *
++ * CDDL HEADER END
++ *
++ */
++
++/*
++ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#ifndef	_SMF_CONFIG_H_
++#define	_SMF_CONFIG_H_
++
++#define	BASE_FMRI		"svc:/network/firewall/pflog"
++#define	DEFAULT_INSTANCE	"pflog0"
++
++#define	SMF_CFG_LOGFILE_SET	0x00000001
++#define	SMF_CFG_SNAPLEN_SET	0x00000002
++#define	SMF_CFG_INTERFACE_SET	0x00000004
++#define	SMF_CFG_DELAY_SET	0x00000008
++#define	SMF_CFG_EXPRESSION_SET	0x00000010
++
++typedef struct smf_pflogd_cfg {
++	unsigned int	cfg_set;	/* SMF_CFG_*_SET bit field */
++	char		*cfg_logfile;
++	int64_t		cfg_snaplen;
++	char 		*cfg_interface;
++	int64_t		cfg_delay;
++	char		*cfg_expression;
++} smf_pflogd_cfg_t;
++
++extern smf_pflogd_cfg_t	smf_pflogd_cfg;
++
++extern int smf_print_pflogcfg(const char *);
++extern int smf_write_pflogcfg(const char *, int);
++
++#endif	/* !_SMF_CONFIG_H_ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/pflogd.Solaris/firewall-pflog.xml	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,136 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+
+    NOTE:  This service manifest is not editable; its contents will
+    be overwritten by package or patch operations, including
+    operating system upgrade.  Make customizations in a different
+    file.
+-->
+
+<service_bundle type='manifest' name='network/firewall/pflog' >
+
+<service
+    name='network/firewall/pflog'
+    type='service'
+    version='1'>
+	<method_context>
+		<method_credential
+		    user='daemon'
+		    group='daemon'
+		    privileges='basic,!file_write,!file_link_any,!proc_info,!proc_session,!net_access,net_observability,sys_ip_config,{file_write}:/var/log/firewall/*'
+		/>
+	</method_context>
+
+	<exec_method 
+	    type='method' 
+	    name='start'
+	    exec='/lib/svc/method/pflog start "%{pflog/logfile}" "%{pflog/snaplen}" "%{pflog/interface}" "%{pflog/delay}" "%{pflog/filter}"'
+	    timeout_seconds='30'>
+	</exec_method>
+
+	<exec_method 
+	    type='method' 
+	    name='stop'
+	    exec=':kill'
+	    timeout_seconds='60'>
+	</exec_method>
+
+	<exec_method
+	    type='method'
+	    name='refresh'
+	    exec=':kill -HUP'
+	    timeout_seconds='5'>
+	</exec_method>
+
+	<instance name='default' enabled='false' complete='true'>
+		<property_group name="general" type="framework">
+			<propval
+			    name='action_authorization'
+			    type='astring'
+			    value='solaris.smf.manage.network.firewall' />
+			<propval
+			    name='value_authorization'
+			    type='astring'
+			    value='solaris.smf.manage.network.firewall' />
+		</property_group>
+		<property_group name='pflog' type='application'>
+			<propval
+			    name='logfile'
+			    type='astring'
+			    value='/var/log/firewall/pflog/pflog0.pkt' />
+			<propval name='snaplen' type='integer' value='160' />
+			<propval
+			    name='interface'
+			    type='astring'
+			    value='pflog0' />
+			<propval name='delay' type='integer' value='60' />
+			<propval name='filter' type='astring' value='' />
+			<propval
+			    name='value_authorization'
+			    type='astring'
+			    value='solaris.smf.value.network.firewall' />
+		</property_group>
+	</instance>
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			pflog - PF log daemon 
+			</loctext>
+		</common_name>
+		<documentation>
+			<manpage title='pflogd' section='1M' manpath='/usr/share/man' />
+		</documentation>
+		<pg_pattern name="pflog" type="application" target="instance" required="true">
+			<prop_pattern name="logfile" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="snaplen" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="0" max="2147483647"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="interface" type="astring" required="true">
+				<cardinality min="1" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="delay" type="integer" required="true">
+				<cardinality min="1" max="1"/>
+				<constraints>
+					<range min="5" max="3600"/>
+				</constraints>
+			</prop_pattern>
+			<prop_pattern name="filter" type="astring" required="true">
+				<cardinality min="0" max="1"/>
+			</prop_pattern>
+			<prop_pattern name="value_authorization" type="astring">
+			</prop_pattern>
+		</pg_pattern>
+	</template>
+</service>
+
+</service_bundle>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/pflogd.Solaris/pflog	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,113 @@
+#!/sbin/sh
+#
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+. /lib/svc/share/smf_include.sh
+
+PATH=$PATH:/usr/sbin
+
+# Retrieve an unescaped property value from a method token.
+# Arguments:
+# - raw method token value
+# Outputs:
+# - unescaped property value
+# Returns:
+# - 0 on succes
+# - 1 when unescaping failed
+# - 2 when the value is empty
+function get_property
+{
+	VALUE="$(echo "$1" | /usr/bin/sed 's/\\\(.\)/\1/g')"
+
+	if [[ $? -ne 0 ]]; then
+		exit 1
+	fi
+
+	echo "$VALUE"
+}
+
+function failure
+{
+	echo "An unknown error occurred. Probably either /usr/bin/sed is"
+	echo "missing or system resources are exhausted."
+	exit $SMF_EXIT_ERR_FATAL
+}
+
+# store and unescape property values
+PFLOGD_LOGFILE="$(get_property "$2")" || failure
+PFLOGD_SNAPLEN="$(get_property "$3")" || failure
+PFLOGD_IFACE="$(get_property "$4")" || failure
+PFLOGD_DELAY="$(get_property "$5")" || failure
+PFLOGD_FILTER="$(get_property "$6")" || failure
+
+# check property values for emptiness (pflog/filter may be empty)
+if [[ -z $PFLOGD_LOGFILE ]]; then
+	echo "The pflog/logfile property cannot be empty."
+	exit $SMF_EXIT_ERR_FATAL
+fi
+if [[ -z $PFLOGD_SNAPLEN ]]; then
+	echo "The pflog/snaplen property cannot be empty."
+	exit $SMF_EXIT_ERR_FATAL
+fi
+if [[ -z $PFLOGD_IFACE ]]; then
+	echo "The pflog/interface property cannot be empty."
+	exit $SMF_EXIT_ERR_FATAL
+fi
+if [[ -z $PFLOGD_DELAY ]]; then
+	echo "The pflog/delay property cannot be empty."
+	exit $SMF_EXIT_ERR_FATAL
+fi
+
+case "$1" in
+	start)
+		# Create non-persistent capture link if it does not exist.
+		echo "Checking if capture link exists.."
+		dladm show-cap "$PFLOGD_IFACE"
+		if [[ $? -ne 0 ]] ; then
+			echo "Creating a temporary capture link.."
+			dladm create-cap -t "$PFLOGD_IFACE"
+			if [ $? -ne 0 ] ; then
+				exit $SMF_EXIT_ERR_FATAL
+			fi
+		fi
+
+		# Start the daemon.
+		smf_clear_env
+		pflogd -i "$PFLOGD_IFACE" -s "$PFLOGD_SNAPLEN" \
+		    -f "$PFLOGD_LOGFILE" -d "$PFLOGD_DELAY" "$PFLOGD_FILTER"
+		if [[ $? -ne 0 ]] ; then
+			exit $SMF_EXIT_ERR_FATAL
+		fi
+		;;
+
+	*)
+		echo "Usage: $0 \c" >&2
+		echo "(start)" >&2
+		exit 1
+		;;
+
+esac
+
+exit $SMF_EXIT_OK
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/pflogd.license	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,130 @@
+--------------------------------------------------------------------------------
+This package brings a (modified) pflogd component coming from OpenBSD 5.5.
+--------------------------------------------------------------------------------
+
+pflogd.8:
+.\"     $OpenBSD: pflogd.8,v 1.46 2014/01/21 03:15:45 schwarze Exp $
+.\"
+.\" Copyright (c) 2001 Can Erkin Acar.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+
+pflogd.c:
+/*
+ * Copyright (c) 2001 Theo de Raadt
+ * Copyright (c) 2001 Can Erkin Acar
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+pflogd.h:
+/*
+ * Copyright (c) 2003 Can Erkin Acar
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+privsep_fdpass.c:
+/*
+ * Copyright 2001 Niels Provos <[email protected]>
+ * All rights reserved.
+ *
+ * Copyright (c) 2002 Matthieu Herrb
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+privsep.c:
+/*
+ * Copyright (c) 2003 Can Erkin Acar
+ * Copyright (c) 2003 Anil Madhavapeddy <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pflogd/pflogd.p5m	Thu Mar 17 00:08:54 2016 -0700
@@ -0,0 +1,49 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+<transform file path=usr.*/man/.+ -> default mangler.man.stability volatile>
+set name=pkg.fmri \
+    value=pkg:/network/firewall/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="pflog - PF packet log daemon"
+set name=pkg.description \
+    value="pflogd reads PF logged packets from capture link device"
+set name=com.oracle.info.description value="pflog, PF log daemon"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+    value="org.opensolaris.category.2008:System/Administration and Configuration"
+set name=info.source-url \
+    value=http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pflogd/
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2014/291
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file pflogd.Solaris/firewall-pflog.xml \
+    path=lib/svc/manifest/network/firewall/pflog.xml
+file pflogd.Solaris/pflog path=lib/svc/method/pflog mode=0555
+file path=usr/sbin/pflogd
+file path=usr/share/man/man8/pflogd.8
+dir  path=var/log/firewall owner=daemon group=daemon mode=0700
+dir  path=var/log/firewall/pflog owner=daemon group=daemon mode=0700
+license pflogd.license license="pflogd license"
+depend type=require fmri=pkg:/network/[email protected]