--- a/components/ftp-proxy/Makefile Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,66 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-include ../../make-rules/shared-macros.mk
-
-COMPONENT_NAME= ftp-proxy
-COMPONENT_VERSION= OPENBSD_5_5
-IPS_COMPONENT_VERSION= 5.5
-COMPONENT_PROJECT_URL= http://www.openbsd.org
-COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
[email protected]:/cvs
-CVS_PATH=src/usr.sbin/ftp-proxy
-CVS_HASH= sha256:fc4487a5ea3f8f088d8096d512bda15c99b811db9d66fee44bdd40aa93122403
-CVS_TAG=$(COMPONENT_VERSION)
-COMPONENT_BUGDB= service/ftp-proxy
-
-TPNO= 24255
-
-#
-# Don't overwrite CFLAGS here, just add our options there.
-#
-COMPONENT_BUILD_ENV += CFLAGS="$(CFLAGS) -D_SOLARIS_ -DOBSD_COMP -lscf"
-COMPONENT_BUILD_ARGS += CC="$(CC)"
-
-include ../../make-rules/prep.mk
-include ../../make-rules/justmake.mk
-include ../../make-rules/ips.mk
-
-COMPONENT_INSTALL_ARGS += PREFIX=$(PROTOUSRDIR)
-COMPONENT_INSTALL_ARGS += MANDIR=$(PROTOUSRSHAREMANDIR)
-COMPONENT_INSTALL_ARGS += INSTALL=/usr/gnu/bin/install
-
-ASLR_MODE = $(ASLR_ENABLE)
-
-# common targets
-build: $(BUILD_64)
-
-install: $(INSTALL_64)
-
-test: $(NO_TESTS)
-
-REQUIRED_PACKAGES += library/libevent
-REQUIRED_PACKAGES += network/firewall
-REQUIRED_PACKAGES += shell/ksh93
-REQUIRED_PACKAGES += system/core-os
-REQUIRED_PACKAGES += system/header
-REQUIRED_PACKAGES += system/library
--- a/components/ftp-proxy/ftp-proxy.Solaris/firewall-ftp-proxy.xml Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,203 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
-<!--
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License (the "License").
- You may not use this file except in compliance with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
-
- Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-
- NOTE: This service manifest is not editable; its contents will
- be overwritten by package or patch operations, including
- operating system upgrade. Make customizations in a different
- file.
--->
-
-<service_bundle type='manifest' name='network/firewall/ftp-proxy' >
-
-<service
- name='network/firewall/ftp-proxy'
- type='service'
- version='1'>
- <dependency
- name='firewall'
- grouping='require_all'
- restart_on='restart'
- type='service'>
- <service_fmri value='svc:/network/firewall:default'/>
- </dependency>
-
- <method_context>
- <method_credential
- user='daemon'
- group='daemon'
- privileges='basic,!file_write,!file_link_any,!proc_info,!proc_session,sys_ip_config'
- />
- </method_context>
-
- <exec_method
- type='method'
- name='start'
- exec='/lib/svc/method/ftp-proxy start "%{ftp-proxy/anonymous-only}" "%{ftp-proxy/proxy-NAT-address}" "%{ftp-proxy/proxy-listen-address}" "%{ftp-proxy/debug-level}" "%{ftp-proxy/maxsessions}" "%{ftp-proxy/listen-port}" "%{ftp-proxy/reverse-mode-address}" "%{ftp-proxy/reverse-mode-port}" "%{ftp-proxy/always-use-ftp-data-port}" "%{ftp-proxy/tag}" "%{ftp-proxy/timeout}" "%{ftp-proxy/log}"'
- timeout_seconds='30'>
- </exec_method>
-
- <exec_method
- type='method'
- name='stop'
- exec=':kill'
- timeout_seconds='60'>
- </exec_method>
-
- <exec_method
- type='method'
- name='refresh'
- exec=':kill'
- timeout_seconds='5'>
- </exec_method>
-
- <instance name='default' enabled='false' complete='true'>
- <property_group name="general" type="framework">
- <propval
- name='action_authorization'
- type='astring'
- value='solaris.smf.manage.network.firewall' />
- <propval
- name='value_authorization'
- type='astring'
- value='solaris.smf.manage.network.firewall' />
- </property_group>
- <property_group name='ftp-proxy' type='application'>
- <propval name='anonymous-only' type='astring' value='off' />
- <propval name='proxy-NAT-address' type='astring' value='' />
- <propval
- name='proxy-listen-address'
- type='astring'
- value='127.0.0.1' />
- <propval name='debug-level' type='integer' value='5' />
- <propval
- name='maxsessions'
- type='integer'
- value='100' />
- <propval
- name='listen-port'
- type='integer'
- value='8021' />
- <propval
- name='reverse-mode-address'
- type='astring'
- value='' />
- <propval name='reverse-mode-port' type='integer' value='21' />
- <propval
- name='always-use-ftp-data-port'
- type='astring'
- value='off' />
- <propval name='tag' type='astring' value=''/>
- <propval name='timeout' type='integer' value='86400' />
- <propval name='log' type='astring' value='off' />
- <propval
- name='value_authorization'
- type='astring'
- value='solaris.smf.value.network.firewall' />
- </property_group>
- </instance>
-
- <stability value='Unstable' />
-
- <template>
- <common_name>
- <loctext xml:lang='C'>
- ftp-proxy - FTP proxy daemon for PF
- </loctext>
- </common_name>
- <documentation>
- <manpage title='ftp-proxy' section='1M' manpath='/usr/share/man' />
- </documentation>
- <pg_pattern name="ftp-proxy" type="application" target="instance" required="true">
- <prop_pattern name="anonymous-only" type="astring" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <value name="on"/>
- <value name="off"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="proxy-NAT-address" type="astring" required="true">
- <cardinality min="1" max="1"/>
- </prop_pattern>
- <prop_pattern name="proxy-listen-address" type="astring" required="true">
- <cardinality min="1" max="1"/>
- </prop_pattern>
- <prop_pattern name="debug-level" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="0" max="7"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="maxsessions" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="1" max="500"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="listen-port" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="0" max="65535"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="reverse-mode-address" type="astring" required="true">
- <cardinality min="0" max="1"/>
- </prop_pattern>
- <prop_pattern name="reverse-mode-port" type="integer" required="true">
- <cardinality min="0" max="1"/>
- <constraints>
- <range min="0" max="65535"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="always-use-ftp-data-port" type="astring" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <value name="on"/>
- <value name="off"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="tag" type="astring" required="true">
- <cardinality min="0" max="1"/>
- </prop_pattern>
- <prop_pattern name="timeout" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="0" max="86400"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="log" type="astring" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <value name="on"/>
- <value name="off"/>
- <value name="all"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="value_authorization" type="astring">
- </prop_pattern>
- </pg_pattern>
- </template>
-</service>
-
-</service_bundle>
--- a/components/ftp-proxy/ftp-proxy.Solaris/ftp-proxy Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,186 +0,0 @@
-#!/sbin/sh
-#
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-. /lib/svc/share/smf_include.sh
-
-PATH=$PATH:/usr/sbin
-
-# Retrieve an unescaped property value from a method token.
-# Arguments:
-# - raw method token value
-# Outputs:
-# - unescaped property value
-# Returns:
-# - 0 on success
-# - 1 when unescaping failed
-get_property()
-{
- VALUE="$(echo "$1" | /usr/bin/sed 's/\\\(.\)/\1/g')"
-
- if [[ $? -ne 0 ]]; then
- exit 1
- fi
-
- echo "$VALUE"
-}
-
-failure()
-{
- echo "An unknown error occurred. Probably either /usr/bin/sed is"
- echo "missing or system resources are exhausted."
- exit $SMF_EXIT_ERR_FATAL
-}
-
-# Exit with error if given variable is empty or unset.
-# Arguments:
-# - Variable name
-# - SMF property the variable's value is obtained from
-# Exits when the variable value is empty or unset,
-# returns otherwise.
-failure_empty_value()
-{
- eval "[[ -z \${$1:-} ]] || return 0"
- echo "The ftp-proxy/$2 property cannot be empty."
- exit $SMF_EXIT_ERR_FATAL
-}
-
-failure_invalid_value()
-{
- echo "The ftp-proxy/$1 property value is invalid."
- exit $SMF_EXIT_ERR_FATAL
-}
-
-# store and unescape property values
-FTPPX_ANONYMOUS="$(get_property "$2")" || failure
-FTPPX_PROXY_ADDRESS="$(get_property "$3")" || failure
-FTPPX_PROXY_LISTEN_ADDRESS="$(get_property "$4")" || failure
-FTPPX_DEBUG_LEVEL="$(get_property "$5")" || failure
-FTPPX_MAXSESSIONS="$(get_property "$6")" || failure
-FTPPX_PROXY_LISTEN_PORT="$(get_property "$7")" || failure
-FTPPX_REVERSE_MODE_ADDRESS="$(get_property "$8")" || failure
-FTPPX_REVERSE_MODE_PORT="$(get_property "$9")" || failure
-FTPPX_REWRITE_SOURCE_PORT="$(get_property "${10}")" || failure
-FTPPX_TAG="$(get_property "${11}")" || failure
-FTPPX_TIMEOUT="$(get_property "${12}")" || failure
-FTPPX_LOG="$(get_property "${13}")" || failure
-
-# check the following properties are not empty and add them
-# to the command-line used to start the ftp-proxy
-typeset -a CMDLINE
-
-failure_empty_value FTPPX_PROXY_ADDRESS proxy-NAT-address
-CMDLINE+=( -a "$FTPPX_PROXY_ADDRESS" )
-
-failure_empty_value FTPPX_PROXY_LISTEN_ADDRESS proxy-listen-address
-CMDLINE+=( -b "$FTPPX_PROXY_LISTEN_ADDRESS" )
-
-failure_empty_value FTPPX_DEBUG_LEVEL debug-level
-CMDLINE+=( -D "$FTPPX_DEBUG_LEVEL" )
-
-failure_empty_value FTPPX_MAXSESSIONS maxsessions
-CMDLINE+=( -m "$FTPPX_MAXSESSIONS" )
-
-failure_empty_value FTPPX_PROXY_LISTEN_PORT listen-port
-CMDLINE+= ( -p "$FTPPX_PROXY_LISTEN_PORT" )
-
-failure_empty_value FTPPX_TIMEOUT timeout
-CMDLINE+=( -t "$FTPPX_TIMEOUT" )
-
-case $FTPPX_ANONYMOUS in
- on) CMDLINE+=( -A on )
- ;;
- off) # nothing needed
- ;;
- *) failure_invalid_value anonymous-only
- ;;
-esac
-
-# reverse-mode-address is optional
-if [[ -n $FTPPX_REVERSE_MODE_ADDRESS ]]; then
- CMDLINE+=( -R "$FTPPX_REVERSE_MODE_ADDRESS" )
- if [[ -n $FTPPX_REVERSE_MODE_PORT ]]; then
- CMDLINE+=( -P "$FTPPX_REVERSE_MODE_PORT" )
- fi
-fi
-
-case $FTPPX_REWRITE_SOURCE_PORT in
- on) CMDLINE+=( -r on )
- ;;
- off) # nothing needed
- ;;
- *) failure_invalid_value always-use-ftp-data-port
- ;;
-esac
-
-# tag is optional
-if [[ -n $FTPPX_TAG ]]; then
- CMDLINE+=( -T "$FTPPX_TAG" )
-fi
-
-case $FTPPX_LOG in
- on) CMDLINE+=( -v on )
- ;;
- all) CMDLINE+=( -v all )
- ;;
- off) CMDLINE+=( -v off )
- ;;
- *) failure_invalid_value log
- ;;
-esac
-
-function start_proxy
-{
- ANCHOR=$(echo "$SMF_FMRI" | \
- /usr/bin/cut -f 2- -d / | /usr/bin/tr / :)
- if [[ -z $ANCHOR ]]; then
- echo "Unable to form a valid anchor name."
- exit $SMF_EXIT_ERR_FATAL
- fi
- ANCHOR="_auto/$ANCHOR"
- echo 'anchor "*"' | pfctl -a "$ANCHOR" -f -
-
- if [[ $? -ne 0 ]]; then
- echo "Unable to load rules into the firewall."
- exit $SMF_EXIT_ERR_FATAL
- fi
-
- CMDLINE+=( -X "$ANCHOR" )
- smf_clear_env
- ftp-proxy "${CMDLINE[@]}"
-}
-
-case "$1" in
- start)
- start_proxy
- ;;
-
- *)
- echo "Usage: $0 \c" >&2
- echo "(start)" >&2
- exit 1
- ;;
-
-esac
--- a/components/ftp-proxy/ftp-proxy.license Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,71 +0,0 @@
---------------------------------------------------------------------------------
-This package brings a (modified) ftp-proxy component coming from OpenBSD 5.5.
---------------------------------------------------------------------------------
-
-filter.c:
-/*
- * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-filter.h:
-/*
- * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-ftp-proxy.8:
-.\" $OpenBSD: ftp-proxy.8,v 1.19 2012/06/25 11:49:19 jmc Exp $
-.\"
-.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-ftp-proxy.c:
-/*
- * Copyright (c) 2004, 2005 Camiel Dobbelaar, <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
--- a/components/ftp-proxy/ftp-proxy.p5m Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,45 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-
-#
-# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-<transform file path=usr.*/man/.+ -> default mangler.man.stability volatile>
-set name=pkg.fmri \
- value=pkg:/network/firewall/firewall-ftp-proxy@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
-set name=pkg.summary value="ftp-proxy - FTP proxy daemon for PF"
-set name=pkg.description value="ftp-proxy handles FTP protocol over NAT in PF"
-set name=com.oracle.info.description value="ftp-proxy, FTP proxy daemon"
-set name=com.oracle.info.tpno value=$(TPNO)
-set name=info.classification \
- value="org.opensolaris.category.2008:System/Administration and Configuration"
-set name=info.source-url \
- value=http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/
-set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2014/292
-set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-file ftp-proxy.Solaris/firewall-ftp-proxy.xml \
- path=lib/svc/manifest/network/firewall/ftp-proxy.xml
-file ftp-proxy.Solaris/ftp-proxy path=lib/svc/method/ftp-proxy mode=0555
-file path=usr/sbin/ftp-proxy
-file path=usr/share/man/man8/ftp-proxy.8
-license ftp-proxy.license license="ftp-proxy license"
--- a/components/ftp-proxy/patches/001-solaris.patch Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,642 +0,0 @@
-# This patch comes from Oracle. It fixes issues preventing ftp-proxy
-# from building and running on Solaris. Especially, we:
-# - disabled features missing support on Solaris (queuing, rtable..)
-# where adding such support is not reasonable
-# - used workarounds to deal with missing pieces on Solaris (missing
-# structure members in sockaddr, PF not supporting divert-to,
-# using Solaris-specific random number generator)
-#
-# These changes are not going to upstream, they are Solaris-specific.
-
-diff -Naur ORIGINAL/Makefile ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile
---- ORIGINAL/Makefile 2006-11-26 03:31:13.000000000 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile 2016-02-10 04:21:21.337202150 -0800
-@@ -1,13 +1,29 @@
- # $OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
-
-+CFLAGS+= -m64 -errwarn
-+
- PROG= ftp-proxy
- SRCS= ftp-proxy.c filter.c
-+OBJS=$(SRCS:.c=.o)
- MAN= ftp-proxy.8
-
--CFLAGS+= -I${.CURDIR}
--CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith \
-- -Wno-uninitialized
--LDADD+= -levent
--DPADD+= ${LIBEVENT}
-+LDADD+= -levent -luutil
-+LDFLAGS+= -z nolazyload
-+
-+all: $(SRCS) $(PROG)
-+
-+install: $(PROG)
-+ $(INSTALL) -d $(PREFIX)/sbin
-+ $(INSTALL) -m 755 $(PROG) $(PREFIX)/sbin
-+ $(INSTALL) -d $(MANDIR)/man8
-+ $(INSTALL) -m 644 $(MAN) $(MANDIR)/man8
-+
-+$(PROG): $(OBJS)
-+ $(CC) $(CFLAGS) $(OBJS) -o $@ $(LDFLAGS) $(LDADD)
-+
-+.c.o:
-+ $(CC) $(CFLAGS) -c -o $@ $<
-
--.include <bsd.prog.mk>
-+clean:
-+ rm -rf *.o
-+ rm -rf $(PROG)
-diff -Naur ORIGINAL/filter.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c
---- ORIGINAL/filter.c 2012-09-18 03:11:53.000000000 -0700
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c 2016-02-10 04:24:03.599069704 -0800
-@@ -32,6 +32,10 @@
- #include <stdio.h>
- #include <string.h>
- #include <unistd.h>
-+#ifdef _SOLARIS_
-+/* we need _IOWR */
-+#include <sys/ioccom.h>
-+#endif /* _SOLARIS_ */
-
- #include "filter.h"
-
-diff -Naur ORIGINAL/ftp-proxy.8 ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8
---- ORIGINAL/ftp-proxy.8 2012-06-25 04:49:19.000000000 -0700
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8 2016-02-24 06:31:17.792565815 -0800
-@@ -30,17 +30,16 @@
- .Op Fl m Ar maxsessions
- .Op Fl P Ar port
- .Op Fl p Ar port
--.Op Fl q Ar queue
- .Op Fl R Ar address
- .Op Fl T Ar tag
- .Op Fl t Ar timeout
- .Ek
- .Sh DESCRIPTION
- .Nm
--is a proxy for the Internet File Transfer Protocol.
--FTP control connections should be redirected into the proxy using the
--.Xr pf 4
--.Ar divert-to
-+is a proxy for the Internet File Transfer Protocol making connections
-+over IPv4 NAT possible.
-+FTP control connections should be redirected into the proxy using the PF
-+.Ar rdr-to
- command, after which the proxy connects to the server on behalf of
- the client.
- .Pp
-@@ -51,22 +50,20 @@
- Consequently, all connections from the server to the proxy have
- their destination address rewritten, so they are redirected to the
- client.
--The proxy uses the
--.Xr pf 4
-+The proxy uses the PF
- .Ar anchor
- facility for this.
- .Pp
- Assuming the FTP control connection is from $client to $server, the
--proxy connected to the server using the $proxy source address, and
--$port is negotiated, then
-+proxy is connected to the server using the $proxy source address, and
-+$port is negotiated, the
- .Nm
- adds the following rules to the anchor.
- $server and $orig_server are the same unless
- .Fl R
- is used to force a different $server address for all connections.
--(These example rules use inet, but the proxy also supports inet6.)
- .Pp
--In case of active mode (PORT or EPRT):
-+In case of active mode (PORT):
- .Bd -literal -offset 2n
- pass in from $server to $proxy port $proxy_port \e
- rdr-to $client port $port
-@@ -74,7 +71,7 @@
- nat-to $orig_server port $natport
- .Ed
- .Pp
--In case of passive mode (PASV or EPSV):
-+In case of passive mode (PASV):
- .Bd -literal -offset 2n
- pass in from $client to $orig_server port $proxy_port \e
- rdr-to $server port $port
-@@ -83,11 +80,6 @@
- .Pp
- The options are as follows:
- .Bl -tag -width Ds
--.It Fl 6
--IPv6 mode.
--The proxy will expect and use IPv6 addresses for all communication.
--Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
--The proxy is in IPv4 mode by default.
- .It Fl A
- Only permit anonymous FTP connections.
- Either user "ftp" or user "anonymous" is allowed.
-@@ -96,14 +88,11 @@
- connection to a server.
- .It Fl b Ar address
- Address where the proxy will listen for redirected control connections.
--The default is 127.0.0.1, or ::1 in IPv6 mode.
-+The default is 127.0.0.1.
- .It Fl D Ar level
- Debug level, ranging from 0 to 7.
- Higher is more verbose.
- The default is 5.
--(These levels correspond to the
--.Xr syslog 3
--levels.)
- .It Fl d
- Do not daemonize.
- The process will stay in the foreground, logging to standard error.
-@@ -120,10 +109,6 @@
- .It Fl p Ar port
- Port where the proxy will listen for redirected connections.
- The default is port 8021.
--.It Fl q Ar queue
--Create rules with queue
--.Ar queue
--appended, so that data connections can be queued.
- .It Fl R Ar address
- Fixed server address, also known as reverse mode.
- The proxy will always connect to the same server, regardless of
-@@ -142,9 +127,8 @@
- keyword can be implemented following the
- .Nm
- anchor.
--These rules can use special
--.Xr pf 4
--features like route-to, reply-to, label, rtable, overload, etc. that
-+These rules can use special PF
-+features like route-to, reply-to, label, overload, etc. that
- .Nm
- does not implement itself.
- There must be a matching pass rule after the
-@@ -159,7 +143,9 @@
- .It Fl v
- Set the 'log' flag on pf rules committed by
- .Nm .
--Use twice to set the 'log all' flag.
-+Use twice to set the
-+.Sq log all
-+flag.
- The pf rules do not log by default.
- .El
- .Sh CONFIGURATION
-@@ -171,27 +157,23 @@
- necessary.
- .Bd -literal -offset 2n
- anchor "ftp-proxy/*"
--pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
-+pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
- pass out inet proto tcp from (self) to any port ftp
- .Ed
-+.Pp
-+To run
-+.Nm
-+in a non-global zone, the
-+.Bd -literal -offset indent
-+svc:/network/socket-filter:pf_divert
-+.Ed
-+instance must be online in the global zone.
- .Sh SEE ALSO
--.Xr ftp 1 ,
--.Xr pf 4 ,
- .Xr pf.conf 5
- .Sh CAVEATS
--.Xr pf 4
--does not allow the ruleset to be modified if the system is running at a
--.Xr securelevel 7
--higher than 1.
--At that level
--.Nm
--cannot add rules to the anchors and FTP data connections may get blocked.
- .Pp
- Negotiated data connection ports below 1024 are not allowed.
- .Pp
- The negotiated IP address for active modes is ignored for security
- reasons.
- This makes third party file transfers impossible.
--.Pp
--.Nm
--chroots to "/var/empty" and changes to user "proxy" to drop privileges.
-diff -Naur ORIGINAL/ftp-proxy.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c
---- ORIGINAL/ftp-proxy.c 2013-03-15 06:31:27.000000000 -0700
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c 2016-02-10 04:12:16.600723376 -0800
-@@ -38,9 +38,20 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#ifdef _SOLARIS_
-+#include <strings.h>
-+#include <sys/types.h>
-+#include <time.h>
-+#include <libuutil.h>
-+#include <sys/random.h>
-+#include <inttypes.h>
-+#include <priv.h>
-+#endif /* _SOLARIS_ */
- #include <syslog.h>
- #include <unistd.h>
-+#ifndef _SOLARIS_
- #include <vis.h>
-+#endif /* !_SOLARIS_ */
-
- #include "filter.h"
-
-@@ -60,6 +71,32 @@
-
- #define sstosa(ss) ((struct sockaddr *)(ss))
-
-+#ifdef _SOLARIS_
-+/*
-+ * These constants are used as a range used by pick_proxy_port(). The ftp-proxy
-+ * never binds these ports. They are used only within proxy_reply() and add_rdr()
-+ * to be put into a FTP-protocol message and to construct the rule to be loaded
-+ * into PF, respectively.
-+ *
-+ * OpenBSD adheres to a convention where these port numbers are reserved for
-+ * connections that want to bypass a firewall. Surely, it depends on how the
-+ * administrator configures the firewall, too. Let's stick to that convention
-+ * here. The idea probably is "if the admin uses this convention, these ports
-+ * are not filtered and thus we are not going to clash with current firewall
-+ * rules".
-+ */
-+#define IPPORT_HIFIRSTAUTO 49152
-+#define IPPORT_HILASTAUTO 65535
-+
-+#define getrtable() 0
-+
-+#ifndef LIST_END
-+#define LIST_END(x) NULL
-+#endif /* !LIST_END */
-+
-+#define DIVERT_MODULE_NAME "pf_divertf"
-+#endif /* _SOLARIS_ */
-+
- enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
-
- struct session {
-@@ -115,12 +152,59 @@
-
- struct event listen_ev, pause_accept_ev;
- struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
-+#ifdef _SOLARIS_
-+static socklen_t fixed_server_ss_len;
-+static socklen_t fixed_proxy_ss_len;
-+#endif /* _SOLARIS_ */
- char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
- *qname, *tagname;
- int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
- rfc_mode, session_count, timeout, verbose;
- extern char *__progname;
-
-+#ifdef _SOLARIS_
-+/*
-+ * fake_arc4random_uniform()
-+ * This is a fake implementation of arc4random_uniform(). The wrapper
-+ * provides so called uniform calculation of pseudo random number with
-+ * respect to upper bound.
-+ *
-+ * Function calculates random numbers until it finds one outside
-+ * <0, 2^32 % upper_bound) range. Once random number, `rand`, is selected,
-+ * function returns rand % upper_bound.
-+ *
-+ * Arguments:
-+ * upper_bound - random number is picked up in range <0, upper_bound)
-+ *
-+ * Returns:
-+ * random number, uniform with respect to upper bound.
-+ * Returns UINT32_MAX on error.
-+ */
-+static u_int32_t
-+fake_arc4random_uniform(u_int32_t upper_bound)
-+{
-+ u_int32_t rand, min;
-+
-+ if (upper_bound < 2)
-+ return (0);
-+
-+ /*
-+ * 2**32 % x == (2**32 - x) % x
-+ * (Trick comes from OpenBSD, arc4random_uniform.c)
-+ */
-+ min = -upper_bound % upper_bound;
-+ for (;;) {
-+ if (getrandom(&rand, sizeof (rand), GRND_NONBLOCK) !=
-+ sizeof (rand))
-+ return (UINT32_MAX);
-+ if (rand >= min)
-+ break;
-+ }
-+
-+ return (rand % upper_bound);
-+}
-+#endif /* _SOLARIS_ */
-+
- void
- client_error(struct bufferevent *bufev, short what, void *arg)
- {
-@@ -220,6 +304,12 @@
- return (0);
- }
- s->proxy_port = pick_proxy_port();
-+#ifdef _SOLARIS_
-+ if (s->proxy_port == UINT16_MAX) {
-+ logmsg(LOG_CRIT, "pick_proxy_port() failed");
-+ return (0);
-+ }
-+#endif /* _SOLARIS_ */
- proxy_reply(s->cmd, sstosa(&s->proxy_ss), s->proxy_port);
- logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
- }
-@@ -378,13 +468,30 @@
- struct sockaddr *proxy_to_server_sa;
- struct session *s;
- socklen_t len;
-+#ifdef _SOLARIS_
-+ socklen_t client_sa_len, server_sa_len;
-+ int one = 1; /* parameter for setsockopt */
-+#endif /* _SOLARIS_ */
- int client_fd, fc, on;
--
-+ /*
-+ * We experienced big problems when event_add() was called
-+ * before accepting the incoming connection - for some reason,
-+ * a new event was fired immediately and ftp-proxy was hanged
-+ * trying to accept another client that was not there yet.
-+ * Moving event_add() call a few lines below resolved this
-+ * problem.
-+ */
-+#ifndef _SOLARIS_
- event_add(&listen_ev, NULL);
-+#endif /* !_SOLARIS_ */
-
-- if ((event & EV_TIMEOUT))
-+ if ((event & EV_TIMEOUT)) {
-+#ifdef _SOLARIS_
-+ event_add(&listen_ev, NULL);
-+#endif /* _SOLARIS_ */
- /* accept() is no longer paused. */
- return;
-+ }
-
- /*
- * We _must_ accept the connection, otherwise libevent will keep
-@@ -393,6 +500,9 @@
- client_sa = sstosa(&tmp_ss);
- len = sizeof(struct sockaddr_storage);
- if ((client_fd = accept(listen_fd, client_sa, &len)) < 0) {
-+#ifdef _SOLARIS_
-+ event_add(&listen_ev, NULL);
-+#endif /* _SOLARIS_ */
- logmsg(LOG_CRIT, "accept() failed: %s", strerror(errno));
-
- /*
-@@ -410,6 +520,16 @@
- return;
- }
-
-+#ifdef _SOLARIS_
-+ event_add(&listen_ev, NULL);
-+
-+ /*
-+ * Struct sockaddr does not contain sa_len field on Solaris,
-+ * we use client_sa_len instead.
-+ */
-+ client_sa_len = len;
-+#endif /* _SOLARIS_ */
-+
- /* Refuse connection if the maximum is reached. */
- if (session_count >= max_sessions) {
- logmsg(LOG_ERR, "client limit (%d) reached, refusing "
-@@ -426,8 +546,11 @@
- return;
- }
- s->client_fd = client_fd;
-+#ifdef _SOLARIS_
-+ memcpy(sstosa(&s->client_ss), client_sa, client_sa_len);
-+#else /* !_SOLARIS_ */
- memcpy(sstosa(&s->client_ss), client_sa, client_sa->sa_len);
--
-+#endif /* _SOLARIS_ */
- /* Cast it once, and be done with it. */
- client_sa = sstosa(&s->client_ss);
- server_sa = sstosa(&s->server_ss);
-@@ -447,6 +570,17 @@
- strerror(errno));
- goto fail;
- }
-+#ifdef _SOLARIS_
-+ /*
-+ * Struct sockaddr does not contain sa_len field on Solaris,
-+ * we use server_sa_len instead.
-+ */
-+ server_sa_len = len;
-+#endif /* _SOLARIS_ */
-+/* SO_RTABLE not defined on Solaris */
-+#ifdef _SOLARIS_
-+ s->client_rd = 0;
-+#else /* !_SOLARIS_ */
- len = sizeof(s->client_rd);
- if (getsockopt(s->client_fd, SOL_SOCKET, SO_RTABLE, &s->client_rd,
- &len) && errno != ENOPROTOOPT) {
-@@ -454,10 +588,18 @@
- strerror(errno));
- goto fail;
- }
-+#endif /* _SOLARIS_ */
- if (fixed_server) {
-+#ifdef _SOLARIS_
-+ memcpy(sstosa(&s->orig_server_ss), server_sa,
-+ server_sa_len);
-+ memcpy(server_sa, fixed_server_sa, fixed_server_ss_len);
-+ server_sa_len = fixed_server_ss_len; /* update the length */
-+#else /* !_SOLARIS_ */
- memcpy(sstosa(&s->orig_server_ss), server_sa,
- server_sa->sa_len);
- memcpy(server_sa, fixed_server_sa, fixed_server_sa->sa_len);
-+#endif /* _SOLARIS_ */
- }
-
- /* XXX: check we are not connecting to ourself. */
-@@ -471,8 +613,14 @@
- strerror(errno));
- goto fail;
- }
-+#ifdef _SOLARIS_
- if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
-- fixed_proxy_ss.ss_len) != 0) {
-+ fixed_proxy_ss_len) != 0)
-+#else /* !_SOLARIS_ */
-+ if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
-+ fixed_proxy_ss.ss_len) != 0)
-+#endif /* _SOLARIS_ */
-+ {
- logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s",
- s->id, strerror(errno));
- goto fail;
-@@ -485,8 +633,14 @@
- s->id, strerror(errno));
- goto fail;
- }
-+#ifdef _SOLARIS_
-+ if (connect(s->server_fd, server_sa, server_sa_len) < 0 &&
-+ errno != EINPROGRESS)
-+#else /* !_SOLARIS_ */
- if (connect(s->server_fd, server_sa, server_sa->sa_len) < 0 &&
-- errno != EINPROGRESS) {
-+ errno != EINPROGRESS)
-+#endif /* _SOLARIS_ */
-+ {
- logmsg(LOG_CRIT, "#%d proxy cannot connect to server %s: %s",
- s->id, sock_ntop(server_sa), strerror(errno));
- goto fail;
-@@ -592,6 +746,9 @@
- /* syslog does its own vissing. */
- vsyslog(pri, message, ap);
- else {
-+#ifdef _SOLARIS_
-+ vsyslog(pri, message, ap);
-+#else /* !_SOLARIS_ */
- char buf[MAX_LOGLINE];
- char visbuf[2 * MAX_LOGLINE];
-
-@@ -599,6 +756,7 @@
- vsnprintf(buf, sizeof buf, message, ap);
- strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL);
- fprintf(stderr, "%s\n", visbuf);
-+#endif /* _SOLARIS_ */
- }
-
- va_end(ap);
-@@ -636,9 +794,11 @@
-
- while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
- switch (ch) {
-+#ifndef _SOLARIS_
- case '6':
- ipv6_mode = 1;
- break;
-+#endif /* !_SOLARIS_ */
- case 'A':
- anonymous_only = 1;
- break;
-@@ -668,11 +828,13 @@
- case 'p':
- listen_port = optarg;
- break;
-+#ifndef _SOLARIS_
- case 'q':
- if (strlen(optarg) >= PF_QNAME_SIZE)
- errx(1, "queuename too long");
- qname = optarg;
- break;
-+#endif /* !_SOLARIS_ */
- case 'R':
- fixed_server = optarg;
- break;
-@@ -718,9 +880,16 @@
- hints.ai_socktype = SOCK_STREAM;
- error = getaddrinfo(fixed_proxy, NULL, &hints, &res);
- if (error)
-- errx(1, "getaddrinfo fixed proxy address failed: %s",
-+ errx(1, "getaddrinfo fixed proxy address (%s) failed: %s", fixed_proxy,
- gai_strerror(error));
- memcpy(&fixed_proxy_ss, res->ai_addr, res->ai_addrlen);
-+#ifdef _SOLARIS_
-+ /*
-+ * struct sockaddr_storage does not have the member
-+ * ss_len on Solaris, thus we use a global variable.
-+ */
-+ fixed_proxy_ss_len = res->ai_addrlen;
-+#endif /* _SOLARIS_ */
- logmsg(LOG_INFO, "using %s to connect to servers",
- sock_ntop(sstosa(&fixed_proxy_ss)));
- freeaddrinfo(res);
-@@ -736,6 +905,13 @@
- errx(1, "getaddrinfo fixed server address failed: %s",
- gai_strerror(error));
- memcpy(&fixed_server_ss, res->ai_addr, res->ai_addrlen);
-+#ifdef _SOLARIS_
-+ /*
-+ * struct sockaddr_storage does not have the member
-+ * ss_len on Solaris, thus we use a global variable.
-+ */
-+ fixed_server_ss_len = res->ai_addrlen;
-+#endif /* _SOLARIS_ */
- logmsg(LOG_INFO, "using fixed server %s",
- sock_ntop(sstosa(&fixed_server_ss)));
- freeaddrinfo(res);
-@@ -752,6 +928,11 @@
- gai_strerror(error));
- if ((listenfd = socket(res->ai_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
- errx(1, "socket failed");
-+#ifdef _SOLARIS_
-+ if (setsockopt(listenfd, SOL_FILTER, FIL_ATTACH, DIVERT_MODULE_NAME,
-+ (strlen(DIVERT_MODULE_NAME)+1)) != 0)
-+ err(1, "setsockopt failed - unable to attach filter");
-+#endif /* _SOLARIS_ */
- on = 1;
- if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof on) != 0)
-@@ -782,7 +963,11 @@
- event_init();
-
- /* Setup signal handler. */
-+#ifdef _SOLARIS_
-+ sigset(SIGPIPE, SIG_IGN);
-+#else /* !_SOLARIS_ */
- signal(SIGPIPE, SIG_IGN);
-+#endif /* _SOLARIS_ */
- signal_set(&ev_sighup, SIGHUP, handle_signal, NULL);
- signal_set(&ev_sigint, SIGINT, handle_signal, NULL);
- signal_set(&ev_sigterm, SIGTERM, handle_signal, NULL);
-@@ -857,12 +1042,25 @@
- return (0);
- }
-
-+/*
-+ * On Solaris, fake_arc4random_uniform() can fail. We return UINT16_MAX
-+ * on error.
-+ */
- u_int16_t
- pick_proxy_port(void)
- {
-+#ifdef _SOLARIS_
-+ u_int32_t shift;
-+
-+ shift = fake_arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO);
-+ if (shift == UINT32_MAX)
-+ return UINT16_MAX;
-+ return (IPPORT_HIFIRSTAUTO + shift);
-+#else /* !_SOLARIS_ */
- /* Random should be good enough for avoiding port collisions. */
- return (IPPORT_HIFIRSTAUTO +
- arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO));
-+#endif /* _SOLARIS_ */
- }
-
- void
-@@ -985,6 +1183,12 @@
- return (0);
- }
- s->proxy_port = pick_proxy_port();
-+#ifdef _SOLARIS_
-+ if (s->proxy_port == UINT16_MAX) {
-+ logmsg(LOG_CRIT, "pick_proxy_port() failed");
-+ return (0);
-+ }
-+#endif /* _SOLARIS_ */
- logmsg(LOG_INFO, "#%d passive: client to server port %d"
- " via port %d", s->id, s->port, s->proxy_port);
-
-@@ -1126,6 +1330,6 @@
- fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
- " [-D level] [-m maxsessions]\n [-P port]"
- " [-p port] [-q queue] [-R address] [-T tag]\n"
-- " [-t timeout]\n", __progname);
-+ " [-t timeout]\n", __progname);
- exit(1);
- }
--- a/components/ftp-proxy/patches/002-smf.patch Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1583 +0,0 @@
-# This patch comes from Oracle. It turns the component into
-# a well-behaving SMF service. It adds code manipulating service
-# properties, service instances, and also provides security in
-# cooperation with the service manifest (especially, extra
-# privileges are dropped when not needed).
-#
-# This patch is not going to upstream, the changes are Solaris-specific.
-
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/Makefile
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile 2016-02-10 04:21:21.337202150 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/Makefile 2016-02-10 04:59:25.999134460 -0800
-@@ -3,7 +3,7 @@
- CFLAGS+= -m64 -errwarn
-
- PROG= ftp-proxy
--SRCS= ftp-proxy.c filter.c
-+SRCS= ftp-proxy.c filter.c smf-config.c
- OBJS=$(SRCS:.c=.o)
- MAN= ftp-proxy.8
-
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.c
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.c 2016-02-10 04:24:03.599069704 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.c 2016-02-02 03:05:13.156044052 -0800
-@@ -53,6 +53,10 @@
- static int dev, rule_log;
- static char *qname, *tagname;
-
-+#ifdef _SOLARIS_
-+char *FTP_PROXY_ANCHOR;
-+#endif /* _SOLARIS_ */
-+
- int
- add_addr(struct sockaddr *addr, struct pf_pool *pfp)
- {
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.h ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.h
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/filter.h 2016-02-10 04:25:34.896131457 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/filter.h 2016-02-08 23:45:38.805421033 -0800
-@@ -16,7 +16,11 @@
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-+#ifdef _SOLARIS_
-+extern char* FTP_PROXY_ANCHOR;
-+#else /* !_SOLARIS_ */
- #define FTP_PROXY_ANCHOR "ftp-proxy"
-+#endif /* _SOLARIS_ */
-
- int add_nat(u_int32_t, struct sockaddr *, int, struct sockaddr *, u_int16_t,
- struct sockaddr *, u_int16_t, u_int16_t);
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8 ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.8
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.8 2016-02-24 06:31:17.792565815 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.8 2016-02-24 21:29:33.789584296 -0800
-@@ -23,7 +23,7 @@
- .Sh SYNOPSIS
- .Nm
- .Bk -words
--.Op Fl 6Adrv
-+.Op Fl A Cm on | off
- .Op Fl a Ar address
- .Op Fl b Ar address
- .Op Fl D Ar level
-@@ -31,8 +31,10 @@
- .Op Fl P Ar port
- .Op Fl p Ar port
- .Op Fl R Ar address
-+.Op Fl r Cm on | off
- .Op Fl T Ar tag
- .Op Fl t Ar timeout
-+.Op Fl v Cm all | on | off
- .Ek
- .Sh DESCRIPTION
- .Nm
-@@ -83,6 +85,9 @@
- .It Fl A
- Only permit anonymous FTP connections.
- Either user "ftp" or user "anonymous" is allowed.
-+Solaris Note: you need to specify
-+.Cm on | off
-+to enable/disable anonymous-only mode.
- .It Fl a Ar address
- The proxy will use this as the source address for the control
- connection to a server.
-@@ -93,9 +98,6 @@
- Debug level, ranging from 0 to 7.
- Higher is more verbose.
- The default is 5.
--.It Fl d
--Do not daemonize.
--The process will stay in the foreground, logging to standard error.
- .It Fl m Ar maxsessions
- Maximum number of concurrent FTP sessions.
- When the proxy reaches this limit, new connections are denied.
-@@ -118,6 +120,9 @@
- .It Fl r
- Rewrite sourceport to 20 in active mode to suit ancient clients that insist
- on this RFC property.
-+Solaris Note: you need to specify
-+.Cm on | off
-+to enable/disable RFC compliant mode.
- .It Fl T Ar tag
- The filter rules will add tag
- .Ar tag
-@@ -147,6 +152,20 @@
- .Sq log all
- flag.
- The pf rules do not log by default.
-+Solaris Note: the option is tri-state.
-+You need to specify one of the values below:
-+.Bl -tag -width "all" -offset 3n -compact
-+.It off
-+nothing is logged
-+.It on
-+log only packets, which create state for data session (equivalent to
-+.Fl v
-+on OpenBSD)
-+.It all
-+log all packets, which belong to data session (equivalent to
-+.Fl vv
-+on OpenBSD)
-+.El
- .El
- .Sh CONFIGURATION
- To make use of the proxy,
-@@ -156,10 +175,19 @@
- last rule explicitly allowing FTP sessions from the proxy may not be
- necessary.
- .Bd -literal -offset 2n
--anchor "ftp-proxy/*"
-+anchor "_auto/network:firewall:ftp-proxy:YOUR_INSTANCE_NAME/*"
- pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
- pass out inet proto tcp from (self) to any port ftp
- .Ed
-+.Sh SOLARIS
-+Solaris runs
-+.Nm
-+as a
-+.Xr smf 5
-+service:
-+.Bd -literal -offset indent
-+svc:/network/firewall/ftp-proxy
-+.Ed
- .Pp
- To run
- .Nm
-@@ -168,8 +196,157 @@
- svc:/network/socket-filter:pf_divert
- .Ed
- instance must be online in the global zone.
-+.Pp
-+The options described in DESCRIPTION section are set using smf properties.
-+Properties processed by
-+.Nm
-+enable
-+.Xr smf_method 5
-+in order to configure the
-+.Nm
-+daemon are listed below.
-+.Bl -tag -width "ftp-proxy/always-use-ftp-data-port" -offset 3n -compact
-+.It ftp-proxy/anonymous-only
-+If set to
-+.Cm on
-+the proxy is started with the
-+.Fl A
-+option, which allows anonymous FTP logins only.
-+The value
-+.Cm off
-+is used as default.
-+.It ftp-proxy/proxy-NAT-address
-+This property sets the
-+.Fl a
-+option, the source IP address the proxy uses
-+to connect to a server.
-+.It ftp-proxy/proxy-listen-address
-+This property sets the
-+.Fl b
-+option, which is the address, where the proxy accepts a connection from
-+a client.
-+.It ftp-proxy/proxy-listen-port
-+This property sets the
-+.Fl p
-+option which is the port number, where the proxy accepts
-+a connection from a client.
-+.It ftp-proxy/debug-level
-+This property sets the
-+.Fl D
-+option, which is a debug level (0-7).
-+If not set, the default value 5 is used.
-+.It ftp-proxy/max-sessions
-+This property sets the
-+.Fl m
-+option, which is the maximum of concurrent FTP sessions served by
-+the proxy.
-+The valid range is from 1 to 500.
-+If not specified the value 100 is used by default.
-+.It ftp-proxy/reverse-mode-address
-+This property sets the
-+.Fl R
-+option.
-+It is the fixed server address, which is typically used to access
-+a FTP server behind NAT.
-+.It ftp-proxy/reverse-mode-port
-+This property sets the
-+.Fl P
-+option, which is the port number used by a FTP server behind NAT.
-+The default value is 21.
-+.It ftp-proxy/always-use-ftp-data-port
-+This property sets the
-+.Fl r
-+option, the value
-+.Cm off
-+is used as default.
-+If set to
-+.Cm on
-+the proxy will always use port 20 for active data connections.
-+.It ftp-proxy/tag
-+This property sets the
-+.Fl T
-+option, which tags data connection packets with the desired tag.
-+.It ftp-proxy/timeout
-+This property sets the
-+.Fl t
-+option, which specifies the number of seconds a FTP command session
-+may remain idle.
-+The maximum value is 86400 seconds (1 day).
-+.It ftp-proxy/log
-+This property sets the
-+.Fl v
-+option.
-+There are three possible values.
-+For
-+.Cm off ,
-+no log action will be added to FTP data connection rules created
-+by the proxy.
-+The value
-+.Cm on
-+adds the log action.
-+Specifying the value
-+.Cm all
-+adds the
-+.Sq log all
-+action.
-+.El
-+.Pp
-+.Nm
-+on Solaris comes with two extra options, which make service configuration easier.
-+.Bl -tag -offset 3n -compact
-+.It Fl c Ar smf-instance
-+Shows/changes settings kept in
-+.Xr smf 5
-+repository for the specified
-+.Ar smf-instance
-+of the
-+.Nm
-+service.
-+.It Fl C Ar smf-instance
-+Creates a new instance of the
-+.Nm
-+service and uses
-+.Ar smf-instance
-+for its name.
-+.El
-+.Pp
-+To tell proxy service to bind the listen socket to 192.168.1.2 address,
-+one has to use the command below:
-+.Bd -literal -offset indent
-+ftp-proxy -c default -b 192.168.1.2
-+.Ed
-+.Pp
-+To create anonymous-only proxy listening to port 8821, bound to
-+192.168.1.2, one uses the command as follows:
-+.Bd -literal -offset indent
-+ftp-proxy -C anonymous -b 192.168.1.2 -p 8821 -A on
-+.Ed
-+.Pp
-+To switch the anonymous instance created above to the regular mode (disable
-+anonymous-only), one uses the command like this:
-+.Bd -literal -offset indent
-+ftp-proxy -c anonymous -A off
-+.Ed
-+.Pp
-+To display the anonymous instance configuration use the command as follows:
-+.Bd -literal -offset indent
-+ftp-proxy -c anonymous
-+.Ed
-+To manage the service, you need the
-+.Sy solaris.smf.manage.network.firewall
-+authorization.
-+To configure service instances, you need the
-+.Sy solaris.smf.value.network.firewall
-+authorization.
-+Both these authorizations are granted through the Network Firewall Management
-+profile.
-+To create new service instances, you need the
-+.Sy solaris.smf.modify
-+authorization.
- .Sh SEE ALSO
--.Xr pf.conf 5
-+.Xr pf.conf 5 ,
-+.Xr smf 5 ,
-+.Xr svccfg (1M)
- .Sh CAVEATS
- .Pp
- Negotiated data connection ports below 1024 are not allowed.
-@@ -177,3 +354,8 @@
- The negotiated IP address for active modes is ignored for security
- reasons.
- This makes third party file transfers impossible.
-+.Pp
-+.Nm
-+runs as the
-+.Dq daemon
-+user.
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.c
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/ftp-proxy.c 2016-02-10 04:12:16.600723376 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/ftp-proxy.c 2016-02-24 06:58:52.001603474 -0800
-@@ -46,6 +46,7 @@
- #include <sys/random.h>
- #include <inttypes.h>
- #include <priv.h>
-+#include "smf-config.h"
- #endif /* _SOLARIS_ */
- #include <syslog.h>
- #include <unistd.h>
-@@ -62,8 +63,10 @@
- #define NTOP_BUFS 3
- #define TCP_BACKLOG 10
-
-+#ifndef _SOLARIS_
- #define CHROOT_DIR "/var/empty"
- #define NOPRIV_USER "proxy"
-+#endif /* !_SOLARIS_ */
-
- /* pfctl standard NAT range. */
- #define PF_NAT_PROXY_PORT_LOW 50001
-@@ -97,6 +100,28 @@
- #define DIVERT_MODULE_NAME "pf_divertf"
- #endif /* _SOLARIS_ */
-
-+#ifdef _SOLARIS_
-+#define FTP_PROXY_GETOPTSTR "A:a:b:D:dm:P:p:R:r:T:t:v:c:C:X:"
-+#define SET_CFGFLAG(_set_, _f_) (_set_) |= (_f_)
-+#define SKIP_CHK(_x_) ((_x_) == NULL)
-+
-+#define DROP_PRIV(priv) \
-+ do { \
-+ if (priv_set(PRIV_OFF, PRIV_PERMITTED, (priv), \
-+ NULL) != 0) { \
-+ fprintf(stderr, \
-+ "Unable to drop privileges.\n"); \
-+ exit (-1); \
-+ } \
-+ } while (0)
-+#else /* !_SOLARIS_ */
-+#define FTP_PROXY_GETOPTSTR "6Aa:b:D:dm:P:p:q:R:rT:t:v"
-+#define SET_CFGFLAG(_set_, _f_)
-+#define SKIP_CHK(_x_) (1)
-+
-+#define DROP_PRIV(priv)
-+#endif /* _SOLARIS_ */
-+
- enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
-
- struct session {
-@@ -127,7 +152,9 @@
- int client_parse_anon(struct session *s);
- int client_parse_cmd(struct session *s);
- void client_read(struct bufferevent *, void *);
-+#ifndef _SOLARIS_
- int drop_privs(void);
-+#endif /* !_SOLARIS_ */
- void end_session(struct session *);
- void exit_daemon(void);
- int get_line(char *, size_t *);
-@@ -348,6 +375,7 @@
- } while (read == buf_avail);
- }
-
-+#ifndef _SOLARIS_
- int
- drop_privs(void)
- {
-@@ -363,9 +391,9 @@
- setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
- setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
- return (0);
--
- return (1);
- }
-+#endif /* !_SOLARIS_ */
-
- void
- end_session(struct session *s)
-@@ -561,9 +589,6 @@
- logmsg(LOG_DEBUG, "#%d accepted connection from %s", s->id,
- sock_ntop(client_sa));
-
-- /*
-- * Find out the real server and port that the client wanted.
-- */
- len = sizeof(struct sockaddr_storage);
- if (getsockname(s->client_fd, server_sa, &len) < 0) {
- logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
-@@ -770,6 +795,13 @@
- struct event ev_sighup, ev_sigint, ev_sigterm;
- int ch, error, listenfd, on;
- const char *errstr;
-+#ifdef _SOLARIS_
-+ const char *smf_instance = NULL;
-+ int smf_create = 0;
-+ int cfg_flags = 0;
-+#endif /* _SOLARIS_ */
-+
-+ DROP_PRIV(PRIV_PROC_EXEC);
-
- /* Defaults. */
- anonymous_only = 0;
-@@ -792,7 +824,8 @@
- id_count = 1;
- session_count = 0;
-
-- while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
-+ while ((ch = getopt(argc, argv,
-+ FTP_PROXY_GETOPTSTR)) != -1) {
- switch (ch) {
- #ifndef _SOLARIS_
- case '6':
-@@ -800,33 +833,49 @@
- break;
- #endif /* !_SOLARIS_ */
- case 'A':
-+#ifdef _SOLARIS_
-+ if (strcasecmp(optarg, "off") == 0) {
-+ anonymous_only = 0;
-+ } else {
-+ anonymous_only = 1;
-+ }
-+#else /* !_SOLARIS_ */
- anonymous_only = 1;
-+#endif /* _SOLARIS_ */
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_ANON_SET);
- break;
- case 'a':
- fixed_proxy = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_PROXY_SET);
- break;
- case 'b':
- listen_ip = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_LISTEN_ADDR_SET);
- break;
- case 'D':
- loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG,
- &errstr);
- if (errstr)
- errx(1, "loglevel %s", errstr);
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_DEBUG_LEVEL_SET);
- break;
- case 'd':
- daemonize = 0;
-+ DROP_PRIV(PRIV_PROC_FORK);
- break;
- case 'm':
- max_sessions = strtonum(optarg, 1, 500, &errstr);
- if (errstr)
- errx(1, "max sessions %s", errstr);
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_MAX_SESSION_SET);
- break;
- case 'P':
- fixed_server_port = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_SERVER_PORT_SET);
- break;
- case 'p':
- listen_port = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_LISTEN_PORT_SET);
- break;
- #ifndef _SOLARIS_
- case 'q':
-@@ -837,40 +886,83 @@
- #endif /* !_SOLARIS_ */
- case 'R':
- fixed_server = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_FIXED_SERVER_SET);
- break;
- case 'r':
-+#ifdef _SOLARIS_
-+ if (strcasecmp(optarg, "off") == 0) {
-+ rfc_mode = 0;
-+ } else {
-+ rfc_mode = 1;
-+ }
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_RFC_MODE_SET);
-+#else /* !_SOLARIS_ */
- rfc_mode = 1;
-+#endif /* _SOLARIS_ */
- break;
- case 'T':
- if (strlen(optarg) >= PF_TAG_NAME_SIZE)
- errx(1, "tagname too long");
- tagname = optarg;
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_TAG_SET);
- break;
- case 't':
- timeout = strtonum(optarg, 0, 86400, &errstr);
- if (errstr)
- errx(1, "timeout %s", errstr);
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_TIMEOUT_SET);
- break;
- case 'v':
-+#ifdef _SOLARIS_
-+ if (strcasecmp(optarg, "all") == 0) {
-+ verbose = 2;
-+ } else if (strcasecmp(optarg, "on") == 0) {
-+ verbose = 1;
-+ } else {
-+ verbose = 0;
-+ }
-+ SET_CFGFLAG(cfg_flags, SMF_CFG_LOG_SET);
-+#else /* !_SOLARIS_ */
- verbose++;
- if (verbose > 2)
- usage();
-+#endif /* _SOLARIS_ */
-+ break;
-+#ifdef _SOLARIS_
-+ case 'C':
-+ smf_create = 1;
-+ /* FALLTHRU */
-+ case 'c':
-+ smf_instance = optarg;
-+ break;
-+ case 'X':
-+ FTP_PROXY_ANCHOR = optarg;
- break;
-+#endif /* _SOLARIS_ */
- default:
- usage();
- }
- }
-
-+#ifdef _SOLARIS_
-+ if ((FTP_PROXY_ANCHOR == NULL) && (smf_instance == NULL)) {
-+ fprintf(stderr, "The ftp-proxy can be started only via SMF.\n");
-+ exit (-1);
-+ }
-+#endif /* _SOLARIS_ */
-+
- if (listen_ip == NULL)
- listen_ip = ipv6_mode ? "::1" : "127.0.0.1";
-
-+#ifndef _SOLARIS_
- /* Check for root to save the user from cryptic failure messages. */
- if (getuid() != 0)
- errx(1, "needs to start as root");
-+#endif /* !_SOLARIS_ */
-
- /* Raise max. open files limit to satisfy max. sessions. */
- rlp.rlim_cur = rlp.rlim_max = (2 * max_sessions) + 10;
-- if (setrlimit(RLIMIT_NOFILE, &rlp) == -1)
-+ if (SKIP_CHK(smf_instance) && (setrlimit(RLIMIT_NOFILE, &rlp) == -1))
- err(1, "setrlimit");
-
- if (fixed_proxy) {
-@@ -895,7 +987,12 @@
- freeaddrinfo(res);
- }
-
-+#ifdef _SOLARIS_
-+ /* Steps not needed when we are just working with SMF. */
-+ if (fixed_server && (smf_instance == NULL)) {
-+#else /* !_SOLARIS_ */
- if (fixed_server) {
-+#endif /* _SOLARIS_ */
- memset(&hints, 0, sizeof hints);
- hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
- hints.ai_socktype = SOCK_STREAM;
-@@ -917,6 +1014,61 @@
- freeaddrinfo(res);
- }
-
-+#ifdef _SOLARIS_
-+ if (smf_instance != NULL) {
-+ /*
-+ * If we are creating new instance, we will use default
-+ * values for properties.
-+ */
-+ if (smf_create == 1) {
-+ cfg_flags = -1;
-+ }
-+
-+ if (cfg_flags == 0) {
-+ if (smf_print_ftpcfg(smf_instance) != 0) {
-+ exit (-1);
-+ }
-+ exit(0);
-+ } else {
-+ smf_ftp_cfg.cfg_set = cfg_flags;
-+ smf_ftp_cfg.cfg_anonymous_only = anonymous_only;
-+ smf_ftp_cfg.cfg_listen_addr = SMF_COPY_STR(listen_ip);
-+ smf_ftp_cfg.cfg_listen_port = strtonum(listen_port, 1,
-+ 65535, NULL);
-+ if (smf_ftp_cfg.cfg_listen_port == 0) {
-+ fprintf(stderr,
-+ "Invalid listen port specified.\n");
-+ exit (-1);
-+ }
-+ smf_ftp_cfg.cfg_debug_level = loglevel;
-+ smf_ftp_cfg.cfg_max_sessions = max_sessions;
-+ smf_ftp_cfg.cfg_fixed_server =
-+ SMF_COPY_STR(fixed_server);
-+ smf_ftp_cfg.cfg_fixed_server_port = strtonum(
-+ fixed_server_port, 1, 65535, NULL);
-+ if (smf_ftp_cfg.cfg_fixed_server_port == 0) {
-+ fprintf(stderr,
-+ "Invalid fixed server port specified.\n");
-+ exit (-1);
-+ }
-+ smf_ftp_cfg.cfg_rfc_mode = rfc_mode;
-+ smf_ftp_cfg.cfg_tag = SMF_COPY_STR(tagname);
-+ smf_ftp_cfg.cfg_timeout = timeout;
-+ smf_ftp_cfg.cfg_log = verbose;
-+ smf_ftp_cfg.cfg_fixed_proxy = SMF_COPY_STR(fixed_proxy);
-+ if (smf_write_ftpcfg(smf_instance, smf_create) == -1) {
-+ err(1, "...Giving up");
-+ } else {
-+ printf("configuration for\n\t%s (%s:%s)\nhas been saved\n",
-+ smf_instance,
-+ BASE_FMRI,
-+ smf_instance);
-+ }
-+ exit(0);
-+ }
-+ }
-+#endif /* _SOLARIS_ */
-+
- /* Setup listener. */
- memset(&hints, 0, sizeof hints);
- hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
-@@ -946,19 +1098,21 @@
-
- /* Initialize pf. */
- init_filter(qname, tagname, verbose);
--
- if (daemonize) {
- if (daemon(0, 0) == -1)
- err(1, "cannot daemonize");
-+ DROP_PRIV(PRIV_PROC_FORK);
- openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON);
- }
-
- /* Use logmsg for output from here on. */
-
-+#ifndef _SOLARIS_
- if (!drop_privs()) {
- logmsg(LOG_ERR, "cannot drop privileges: %s", strerror(errno));
- exit(1);
- }
-+#endif /* !_SOLARIS_ */
-
- event_init();
-
-@@ -1327,9 +1481,16 @@
- void
- usage(void)
- {
-+#ifdef _SOLARIS_
-+ fprintf(stderr, "usage: %s [-A on | off] [-a address] [-b address]"
-+ " [{-c | -C} instance] [-D level] [-m maxsessions]\n [-P port]"
-+ " [-p port] [-R address] [-r on | off] [-T tag]\n"
-+ " [-t timeout] [-v all | on | off]\n", __progname);
-+#else /* !_SOLARIS_ */
- fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
- " [-D level] [-m maxsessions]\n [-P port]"
- " [-p port] [-q queue] [-R address] [-T tag]\n"
- " [-t timeout]\n", __progname);
-+#endif /* _SOLARIS_ */
- exit(1);
- }
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.c
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c 1969-12-31 16:00:00.000000000 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.c 2016-02-24 08:45:36.636917450 -0800
-@@ -0,0 +1,822 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License (the "License").
-+ * You may not use this file except in compliance with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ *
-+ */
-+
-+/*
-+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-+ */
-+
-+#include <string.h>
-+#include <strings.h>
-+#include <stdlib.h>
-+#include <err.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <libscf.h>
-+#include <stddef.h>
-+#include <libscf_priv.h>
-+
-+#include "smf-config.h"
-+
-+/* #include <net/pfvar.h> */
-+
-+#define FTP_PROXY_PG "ftp-proxy"
-+#define FTP_PROXY_PROP_VALUE_AUTH "value_authorization"
-+#define FTP_PROXY_PROP_ACTION_AUTH "action_authorization"
-+#define FTP_PROXY_VALUE_AUTH "solaris.smf.value.network.firewall"
-+#define FTP_PROXY_MANAGE_AUTH "solaris.smf.manage.network.firewall"
-+
-+/*
-+ * CHKASCIIZ()
-+ * Macro checks if _s_ is ASCIIZ (not NULL, not empty), if _s_ is not empty
-+ * string, then _p_ is returned.
-+ *
-+ * Arguments:
-+ * _s_ - ASCIIZ string to be tested
-+ * _p_ - string to be returned when _s_ is not NULL or empty
-+ *
-+ * Returns:
-+ * _p_ if _s_ is not NULL/empty, otherwise the empty string is returned.
-+ */
-+#define CHKASCIIZ(_s_, _p_) \
-+ ((((_s_) == NULL) || (_s_[0] == '\0')) ? "" : (_p_))
-+
-+#define SKIP_PROP(_pv_) \
-+ ((strcmp((_pv_)->pv_prop, "action_authorization") == 0) || \
-+ (strcmp((_pv_)->pv_prop, "value_authorization") == 0))
-+
-+#define STRIP_SVC(_x_) ((_x_) + (sizeof ("svc:/") - 1))
-+
-+/*
-+ * smf_ftp_cfg
-+ * FTP proxy configuration container.
-+ */
-+smf_ftppx_cfg_t smf_ftp_cfg;
-+
-+#define SMF_OPT_OPTIONAL 0
-+#define SMF_OPT_MANDATORY 1
-+/*
-+ * X-macro table.
-+ * Columns are as follows:
-+ * value key/index
-+ * smf(5) property name name
-+ * member in smf_ftppx_cfg_t structure
-+ * function which converts ASCIIZ to member type in smf_ftppx_cfg_t
-+ * function which converts member in smf_ftppx_cfg_t to ASCIIZ
-+ * optional/mandatory status
-+ * property type
-+ */
-+#define X_CFG_PROPS \
-+ X(SMF_ANON, "anonymous-only", cfg_anonymous_only, on_to_one, \
-+ one_to_on, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING) \
-+ X(SMF_FIXED_PROXY, "proxy-NAT-address", cfg_fixed_proxy, \
-+ nop_in, nop_out, SMF_OPT_MANDATORY, SCF_TYPE_ASTRING) \
-+ X(SMF_LISTEN_ADDR, "proxy-listen-address", cfg_listen_addr, \
-+ nop_in, nop_out, SMF_OPT_MANDATORY, SCF_TYPE_ASTRING) \
-+ X(SMF_LISTEN_PORT, "listen-port", cfg_listen_port, \
-+ int_in, int_out, SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER) \
-+ X(SMF_DEBUG_LEVEL, "debug-level", cfg_debug_level, int_in, \
-+ int_out, SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER) \
-+ X(SMF_MAX_SESSIONS, "maxsessions", cfg_max_sessions, \
-+ int_in, int_out, SMF_OPT_OPTIONAL, \
-+ SCF_TYPE_INTEGER) \
-+ X(SMF_RFC_MODE, "always-use-ftp-data-port", cfg_rfc_mode, \
-+ on_to_one, one_to_on, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING) \
-+ X(SMF_FIXED_SERVER_PORT, "reverse-mode-port", \
-+ cfg_fixed_server_port, int_in, int_out, SMF_OPT_OPTIONAL, \
-+ SCF_TYPE_INTEGER) \
-+ X(SMF_FIXED_SERVER, "reverse-mode-address", cfg_fixed_server, \
-+ nop_in, nop_out, SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING) \
-+ X(SMF_TAG, "tag", cfg_tag, nop_in, nop_out, SMF_OPT_OPTIONAL, \
-+ SCF_TYPE_ASTRING) \
-+ X(SMF_TIMEOUT, "timeout", cfg_timeout, int_in, int_out, \
-+ SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER) \
-+ X(SMF_LOG, "log", cfg_log, log_to_int, int_to_log, \
-+ SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)
-+
-+static void nop_in(void *, void *);
-+static void nop_out(void *, void *);
-+static void int_in(void *, void *);
-+static void int_out(void *, void *);
-+static void on_to_one(void *, void *);
-+static void one_to_on(void *, void *);
-+static void str_to_int(void *, void *);
-+static void int_to_str(void *, void *);
-+static void str_to_uint(void *, void *);
-+static void uint_to_str(void *, void *);
-+static void log_to_int(void *, void *);
-+static void int_to_log(void *, void *);
-+
-+/*
-+ * smf_keys
-+ * Keys (indexes) to `smf_propnames` dictionary.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _const_,
-+enum smf_keys {
-+ X_CFG_PROPS
-+ SMF_CFG_PROP_COUNT
-+};
-+#undef X
-+
-+/*
-+ * smf_propnames
-+ * It's an array (dictionary), which translates property code (SMF_*) to
-+ * property value name found `ftp-proxy` property group.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _propname_,
-+static const char *smf_propnames[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_cfg_offsets
-+ * Table of smf_ftppx_cfg_t members.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) offsetof(smf_ftppx_cfg_t, _decl_),
-+static size_t smf_cfg_offsets[] = {
-+ X_CFG_PROPS
-+ sizeof (smf_ftppx_cfg_t)
-+};
-+#undef X
-+
-+typedef void(*conv_in_f)(void *, void *);
-+typedef void(*conv_out_f)(void *, void *);
-+/*
-+ * smf_convert_in
-+ * Table of conversion functions, which convert particular smf_ftppx_cfg_t
-+ * member into ASCIIZ.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _conv_in_,
-+static conv_in_f smf_conv_in[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_conv_out
-+ * Table of conversion functions, which convert ASCIIZ fetched from smf(5)
-+ * repository to member of smf_ftppx_cfg_t structure.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _conv_out_,
-+static conv_out_f smf_conv_out[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_mandatory
-+ * Table marks configuration parameters, which must be defined by admin,
-+ * before the service is enabled for the first time.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _mandatory_,
-+static int smf_mandatory[] = {
-+ X_CFG_PROPS
-+ 0
-+};
-+#undef X
-+
-+/*
-+ * smf_type
-+ * Table of types of SMF properties.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _type_,
-+static int smf_type[] = {
-+ X_CFG_PROPS
-+ 0
-+};
-+#undef X
-+
-+/*
-+ * ftp-proxy property group properties
-+ * +1 for NULL termination.
-+ * +1 for value_authorization
-+ */
-+static scf_propvec_t prop_vec[SMF_CFG_PROP_COUNT + 1 + 1];
-+
-+/*
-+ * general property group properties
-+ * +1 for NULL termination.
-+ * +2 for value_authorization/action_authorization
-+ */
-+static scf_propvec_t gen_prop_vec[1 + 2];
-+
-+static int atexit_set = 0;
-+
-+/*
-+ * Conversion routines from smf_ftp_cfg structure to prop_vec member and vice
-+ * versa.
-+ */
-+
-+/*
-+ * nop_in()
-+ * Dummy conversion ASCIIZ to ASCIIZ, no allocation happens. Used when
-+ * configuration is from smf(5).
-+ */
-+static void
-+nop_in(void *asciiz, void *result)
-+{
-+ *((char **)result) = asciiz;
-+}
-+
-+/*
-+ * nop_out()
-+ * Dummy conversion ASCIIZ to ASCIIZ, function allocates memory for result by
-+ * strdup(3C). Used when configuration is written to smf(5) repository.
-+ */
-+static void
-+nop_out(void *asciiz, void *val)
-+{
-+ *((char **)asciiz) = strdup(*(char **)val);
-+}
-+
-+/*
-+ * int_in()
-+ * Dummy conversion of int64_t. No allocation happens. Used when reading
-+ * values from smf.
-+ */
-+static void
-+int_in(void *in, void *out) {
-+ *((int64_t *)out) = *((int64_t *)in);
-+}
-+
-+/*
-+ * int_out()
-+ * Dummy conversion of int64_t, storing into a newly allocated memory.
-+ * Used when storing values to smf repository.
-+ */
-+static void
-+int_out(void *out, void *in) {
-+ int64_t **out_ = (int64_t **)out;
-+
-+ *out_ = malloc(sizeof (int64_t));
-+ if (*out_ != NULL)
-+ **out_ = *((int64_t *)in);
-+}
-+
-+/*
-+ * on_to_one()
-+ * Function converts ASCIIZ value "on" to 1. Anything else yeilds a 0. Used to
-+ * read configuration from smf(5).
-+ */
-+static void
-+on_to_one(void *asciiz, void *result)
-+{
-+ *((int *)result) = ((strcasecmp((char *)asciiz, "on") == 0) ? 1 : 0);
-+}
-+
-+/*
-+ * one_to_on()
-+ * Function converts 0 to ASCIIZ string "off", anything else than 0 yeilds to
-+ * "on". Used when configuration ie being written to smf(5). Function also
-+ * allocates memory for resulting string using strdup(3C).
-+ */
-+static void
-+one_to_on(void *asciiz, void *val)
-+{
-+ if (*((int *)val) == 0) {
-+ *((char **)asciiz) = strdup("off");
-+ } else {
-+ *((char **)asciiz) = strdup("on");
-+ }
-+}
-+
-+/*
-+ * str_to_int()
-+ * Function converts integer represented as ASCIIZ to int using atoi(3C). Used
-+ * when configuration is read from smf(5).
-+ */
-+static void
-+str_to_int(void *asciiz, void *result)
-+{
-+ *((int *)result) = atoi((char *)asciiz);
-+}
-+
-+/*
-+ * int_to_str()
-+ * Function converts integer number to ASCIIZ using asprintf(3C). Used when
-+ * configuration is being stored to smf(5). Memory for results get allocated by
-+ * asprintf(3C).
-+ */
-+static void
-+int_to_str(void *asciiz, void *val)
-+{
-+ (void) asprintf((char **)asciiz, "%d", *((int *)val));
-+}
-+
-+/*
-+ * str_to_uint()
-+ * Function converts unsigned integer represented as ASCIIZ to int using
-+ * atoi(3C). Used when configuration is being read from smf(5) repository.
-+ */
-+static void
-+str_to_uint(void *asciiz, void *result)
-+{
-+ *((unsigned int *)result) = (unsigned int) atoi((char *)asciiz);
-+}
-+
-+/*
-+ * uint_to_str()
-+ * Function converts unsigned integer to ASCIIZ using asprintf(3C). Used when
-+ * configuration is written to smf(5). Memory for result is allocated by
-+ * asprintf(3C).
-+ */
-+static void
-+uint_to_str(void *asciiz, void *val)
-+{
-+ (void) asprintf((char **)asciiz, "%u", *((int *)val));
-+}
-+
-+/*
-+ * log_to_int()
-+ * Function encodes ASCIIZ value for log property to numeric code. String
-+ * "all" gets converted to 2, string "on" to 1, anything else yeilds to 0.
-+ * It's used when configuration is being read from smf(5) repository.
-+ */
-+static void
-+log_to_int(void *asciiz, void *result)
-+{
-+ if (strcasecmp((char *)asciiz, "all") == 0) {
-+ *((int *)result) = 2;
-+ } else if (strcasecmp((char *)asciiz, "on") == 0) {
-+ *((int *)result) = 1;
-+ } else {
-+ *((int *)result) = 0;
-+ }
-+}
-+
-+/*
-+ * int_to_log()
-+ * Function encodes value of log property to its numeric representation. 2
-+ * gets encoded to "all", 1 results to "on", anything else results to off.
-+ * The memory for result is allocated by strdup(3C).
-+ */
-+static void
-+int_to_log(void *asciiz, void *val)
-+{
-+ switch (*((int *)val)) {
-+ case 2:
-+ *((char **)asciiz) = strdup("all");
-+ break;
-+ case 1:
-+ *((char **)asciiz) = strdup("on");
-+ break;
-+ default:
-+ *((char **)asciiz) = strdup("off");
-+ }
-+}
-+
-+static void
-+clear_prop_vec2(scf_propvec_t *prop_vec_ptr, int count)
-+{
-+ while (count--) {
-+ prop_vec_ptr->pv_prop = NULL;
-+ prop_vec_ptr->pv_desc = NULL;
-+ prop_vec_ptr->pv_type = 0;
-+ prop_vec_ptr->pv_aux = 0;
-+ prop_vec_ptr->pv_mval = 0;
-+
-+ if (prop_vec_ptr->pv_ptr != NULL) {
-+ free(prop_vec_ptr->pv_ptr);
-+ prop_vec_ptr->pv_ptr = NULL;
-+ }
-+
-+ prop_vec_ptr++;
-+ }
-+}
-+
-+/*
-+ * clear_prop_vec()
-+ * Function clears global variables `prop_vec` and `gen_prop_vec`,
-+ * which are vectors of properties.
-+ */
-+static void
-+clear_prop_vec()
-+{
-+ clear_prop_vec2(prop_vec,
-+ sizeof (prop_vec) / sizeof (scf_propvec_t));
-+ clear_prop_vec2(gen_prop_vec,
-+ sizeof (gen_prop_vec) / sizeof (scf_propvec_t));
-+}
-+
-+/*
-+ * cfg_to_prop_vec()
-+ * Function converts smf_ftp_cfg global variable, which holds configuration
-+ * parsed from command line arguments, to prop_vec, which is a smf(5) friendly
-+ * representation of proxy configuration.
-+ *
-+ * Additionally, it populates gen_prop_vec to specify needed authorizations.
-+ *
-+ * Returns 0 on success, -1 on out of memory error.
-+ */
-+static int
-+cfg_to_prop_vec(void)
-+{
-+ int cfg_bit = 1;
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ conv_out_f conv_func;
-+
-+ clear_prop_vec();
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ if ((smf_ftp_cfg.cfg_set & cfg_bit) != 0) {
-+ prop_vec_ptr->pv_prop = smf_propnames[i];
-+ conv_func = smf_conv_out[i];
-+
-+ conv_func(&prop_vec_ptr->pv_ptr,
-+ ((char *)&smf_ftp_cfg + smf_cfg_offsets[i]));
-+ if (prop_vec_ptr->pv_ptr == NULL)
-+ return (-1);
-+ prop_vec_ptr->pv_type = smf_type[i];
-+ prop_vec_ptr++;
-+ }
-+ cfg_bit = cfg_bit << 1;
-+ }
-+ prop_vec_ptr->pv_type = SCF_TYPE_ASTRING;
-+ prop_vec_ptr->pv_prop = FTP_PROXY_PROP_VALUE_AUTH;
-+ prop_vec_ptr->pv_ptr = strdup(FTP_PROXY_VALUE_AUTH);
-+ prop_vec_ptr++;
-+
-+ gen_prop_vec[0].pv_type = SCF_TYPE_ASTRING;
-+ gen_prop_vec[0].pv_prop = FTP_PROXY_PROP_VALUE_AUTH;
-+ gen_prop_vec[0].pv_ptr = strdup(FTP_PROXY_MANAGE_AUTH);
-+ gen_prop_vec[1].pv_type = SCF_TYPE_ASTRING;
-+ gen_prop_vec[1].pv_prop = FTP_PROXY_PROP_ACTION_AUTH;
-+ gen_prop_vec[1].pv_ptr = strdup(FTP_PROXY_MANAGE_AUTH);
-+
-+ return (0);
-+}
-+
-+/*
-+ * prop_vec_to_cfg()
-+ * Converts global variable `prop_vec` to `smf_ftp_cfg` global variable,
-+ * which is understood by main().
-+ */
-+static void
-+prop_vec_to_cfg(void)
-+{
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ conv_in_f conv_func;
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++, prop_vec_ptr++) {
-+ if (SKIP_PROP(prop_vec_ptr)) {
-+ /*
-+ * We have `hidden` properties: action/value smf
-+ * authorization. Those two are not kept in
-+ * smf_ftp_cfg.
-+ *
-+ * So we must to skip to next property in vector
-+ * without letting for loop to advance its counter, so
-+ * we compensate here by doing `i--`.
-+ */
-+ i--;
-+ continue;
-+ };
-+ conv_func = smf_conv_in[i];
-+ conv_func(prop_vec_ptr->pv_ptr,
-+ ((char *)&smf_ftp_cfg + smf_cfg_offsets[i]));
-+ }
-+}
-+
-+/*
-+ * smf_print_ftpcfg()
-+ * Function loads ftpcfg from smf(5) repository and prints configuration to
-+ * standard output. We use `scf_simple_prop_get(3SCF)`.
-+ *
-+ * Returns 0 on success, -1 on error..
-+ */
-+int
-+smf_print_ftpcfg(const char *smf_instance)
-+{
-+ scf_simple_prop_t *prop;
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ int cfg_incomplete = 0;
-+ char *fmri;
-+
-+ if (atexit_set == 0) {
-+ atexit(clear_prop_vec);
-+ bzero(&smf_ftp_cfg, sizeof (smf_ftppx_cfg_t));
-+ atexit_set = 1;
-+ }
-+
-+ (void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
-+ if (fmri == NULL) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ clear_prop_vec();
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ prop = scf_simple_prop_get(NULL, fmri, FTP_PROXY_PG,
-+ smf_propnames[i]);
-+ prop_vec_ptr->pv_prop = smf_propnames[i];
-+ prop_vec_ptr->pv_type = scf_simple_prop_type(prop);
-+ if (prop_vec_ptr->pv_type == -1) {
-+ free(fmri);
-+ fprintf(stderr, "Failed to get property type.\n");
-+ return (-1);
-+ }
-+ if (prop_vec_ptr->pv_type != smf_type[i]) {
-+ free(fmri);
-+ fprintf(stderr, "Property %s has unexpected type.\n",
-+ smf_propnames[i]);
-+ return (-1);
-+ }
-+ if (prop == NULL) {
-+ /*
-+ * Property not defined, so we create a kind of
-+ * 'placeholder' with empty value.
-+ *
-+ * calloc() works well for both astring and integer.
-+ */
-+ prop_vec_ptr->pv_ptr = calloc(1, sizeof (int64_t));
-+ cfg_incomplete |= smf_mandatory[i];
-+ } else {
-+ if (smf_type[i] == SCF_TYPE_ASTRING) {
-+ char *propval;
-+ propval = scf_simple_prop_next_astring(prop);
-+ if (propval == NULL) {
-+ propval = "";
-+ }
-+ prop_vec_ptr->pv_ptr = strdup(propval);
-+
-+ if (propval[0] == 0) {
-+ cfg_incomplete |= smf_mandatory[i];
-+ }
-+ } else {
-+ /* smf_type[i] == SCF_TYPE_INTEGER */
-+ int64_t *propval;
-+ int64_t propval_;
-+
-+ propval = scf_simple_prop_next_integer(prop);
-+ propval_ = (propval == NULL) ? (0) : (*propval);
-+
-+ prop_vec_ptr->pv_ptr = malloc(sizeof (int64_t));
-+ if (prop_vec_ptr->pv_ptr != NULL) {
-+ *((int64_t *)prop_vec_ptr->pv_ptr) =
-+ propval_;
-+ }
-+ if (propval_ == 0) {
-+ cfg_incomplete |= smf_mandatory[i];
-+ }
-+ }
-+ scf_simple_prop_free(prop);
-+ }
-+ if (prop_vec_ptr->pv_ptr == NULL) {
-+ free(fmri);
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ prop_vec_ptr++;
-+ }
-+
-+ printf("PF FTP proxy configuration:\n");
-+
-+ prop_vec_ptr = prop_vec;
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ if (smf_type[i] == SCF_TYPE_ASTRING) {
-+ const char *val = (const char *)prop_vec_ptr->pv_ptr;
-+ printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
-+ ((val[0] == '\0') ? "?? undefined ??" : val));
-+ } else {
-+ /* smf_type[i] == SCF_TYPE_INTEGER */
-+ int64_t val = *((int64_t *)prop_vec_ptr->pv_ptr);
-+ if (val == 0) {
-+ printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
-+ "?? undefined ??");
-+ } else {
-+ printf("\t- %s:\n\t\t%d\n", prop_vec_ptr->pv_prop,
-+ (int)val);
-+ }
-+ }
-+ prop_vec_ptr++;
-+ }
-+ if (cfg_incomplete) {
-+ printf("\n\nConfiguration for %s is incomplete."
-+ " Service will not run.\n\n", fmri);
-+ } else {
-+ prop_vec_to_cfg();
-+ printf(
-+ "\n\n%s service is being launched using cmd line below\n\n",
-+ fmri);
-+ printf("ftp-proxy "
-+ "%s -a %s -b %s -p "
-+ "%d -D %d -m %d -t %d %s %s %s %.d %s %s %s %s\n",
-+ ((smf_ftp_cfg.cfg_anonymous_only == 1) ? "-A on" : ""),
-+ smf_ftp_cfg.cfg_fixed_proxy,
-+ smf_ftp_cfg.cfg_listen_addr,
-+ (int)smf_ftp_cfg.cfg_listen_port,
-+ (int)smf_ftp_cfg.cfg_debug_level,
-+ (int)smf_ftp_cfg.cfg_max_sessions,
-+ (int)smf_ftp_cfg.cfg_timeout,
-+ CHKASCIIZ(smf_ftp_cfg.cfg_fixed_server, "-R"),
-+ CHKASCIIZ(smf_ftp_cfg.cfg_fixed_server,
-+ smf_ftp_cfg.cfg_fixed_server),
-+ (smf_ftp_cfg.cfg_fixed_server_port == 0) ? ("") : ("-P"),
-+ (int)smf_ftp_cfg.cfg_fixed_server_port,
-+ ((smf_ftp_cfg.cfg_rfc_mode != 0) ? "-r on" : ""),
-+ CHKASCIIZ(smf_ftp_cfg.cfg_tag, "-T"),
-+ CHKASCIIZ(smf_ftp_cfg.cfg_tag, smf_ftp_cfg.cfg_tag),
-+ ((smf_ftp_cfg.cfg_log == 2) ? "-vv" :
-+ ((smf_ftp_cfg.cfg_log == 1) ? "-v" : "")));
-+ }
-+
-+ free(fmri);
-+
-+ return (0);
-+}
-+
-+/*
-+ * smf_create_ftp_instance()
-+ * Function creates a new instance in smf(5) repository.
-+ */
-+static int
-+smf_create_ftp_instance(const char *smf_instance)
-+{
-+ scf_handle_t *h_scf = NULL;
-+ scf_scope_t *scp_scf = NULL;
-+ scf_service_t *svc_scf = NULL;
-+ scf_instance_t *sin_scf = NULL;
-+ int rv = -1;
-+
-+ h_scf = scf_handle_create(SCF_VERSION);
-+ if ((h_scf == NULL) || (scf_handle_bind(h_scf) == -1)) {
-+ (void) fprintf(stderr, "scf_handle_bind() failed - %s\n",
-+ scf_strerror(scf_error()));
-+ if (h_scf != NULL) {
-+ scf_handle_destroy(h_scf);
-+ }
-+ return (-1);
-+ }
-+
-+ if ((scp_scf = scf_scope_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not create scope - %s\n",
-+ scf_strerror(scf_error()));
-+ goto unbind;
-+ }
-+
-+ if (scf_handle_get_local_scope(h_scf, scp_scf) != 0) {
-+ (void) fprintf(stderr, "could not get scope - %s\n",
-+ scf_strerror(scf_error()));
-+ goto scope_destroy;
-+ }
-+
-+ if ((svc_scf = scf_service_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not create service - %s\n",
-+ scf_strerror(scf_error()));
-+ goto scope_destroy;
-+ }
-+
-+ if ((sin_scf = scf_instance_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not get instance handle - %s\n",
-+ scf_strerror(scf_error()));
-+ goto service_destroy;
-+ }
-+
-+ if (scf_scope_get_service(scp_scf, STRIP_SVC(BASE_FMRI), svc_scf) !=
-+ SCF_SUCCESS) {
-+ (void) fprintf(stderr, "could not select service (%s)\n",
-+ scf_strerror(scf_error()));
-+ goto instance_destroy;
-+ }
-+
-+ if (scf_service_add_instance(svc_scf, smf_instance, sin_scf) != 0) {
-+ (void) fprintf(stderr, "could not add %s instance - %s\n",
-+ smf_instance, scf_strerror(scf_error()));
-+ goto instance_destroy;
-+ }
-+
-+ if (scf_instance_add_pg(sin_scf, "general", "framework", 0,
-+ NULL) != SCF_SUCCESS) {
-+ (void) fprintf(stderr,
-+ "could not create property group - %s\n",
-+ scf_strerror(scf_error()));
-+ goto instance_delete;
-+ }
-+
-+ if (scf_instance_add_pg(sin_scf, FTP_PROXY_PG, "application", 0,
-+ NULL) != SCF_SUCCESS) {
-+ (void) fprintf(stderr,
-+ "could not create property group - %s\n",
-+ scf_strerror(scf_error()));
-+ goto instance_delete;
-+ }
-+
-+ rv = 0;
-+ goto instance_destroy;
-+
-+instance_delete:
-+ if (scf_instance_delete(sin_scf) != 0) {
-+ fprintf(stderr, "Can't delete the newly created instance:");
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ }
-+instance_destroy:
-+ scf_instance_destroy(sin_scf);
-+service_destroy:
-+ scf_service_destroy(svc_scf);
-+scope_destroy:
-+ scf_scope_destroy(scp_scf);
-+unbind:
-+ scf_handle_unbind(h_scf);
-+ scf_handle_destroy(h_scf);
-+
-+ return (rv);
-+}
-+
-+/*
-+ * smf_write_ftpcfg()
-+ * Function writes proxy configuration to smf(5) repostiory.
-+ */
-+int
-+smf_write_ftpcfg(const char *smf_instance, int create)
-+{
-+ int i;
-+ scf_propvec_t
-+ *bad_prop_vec = NULL;
-+ char *fmri;
-+
-+ if (atexit_set == 0) {
-+ atexit(clear_prop_vec);
-+ bzero(prop_vec, sizeof (prop_vec));
-+ atexit_set = 1;
-+ }
-+
-+ if (cfg_to_prop_vec() != 0) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ (void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
-+ if (fmri == NULL) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ if (create) {
-+ if (smf_create_ftp_instance(smf_instance) != 0) {
-+ free(fmri);
-+ return (-1);
-+ }
-+ }
-+
-+ if (create && (scf_write_propvec(fmri, "general", gen_prop_vec,
-+ &bad_prop_vec) != SCF_SUCCESS)) {
-+ fprintf(stderr, "Can't update %s configuration:", fmri);
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ if (bad_prop_vec != NULL) {
-+ fprintf(stderr, "Could not set %s\n",
-+ bad_prop_vec->pv_prop);
-+ }
-+ free(fmri);
-+ exit(1);
-+ }
-+
-+ bad_prop_vec = NULL;
-+ if (scf_write_propvec(fmri, FTP_PROXY_PG, prop_vec, &bad_prop_vec)
-+ != SCF_SUCCESS) {
-+ fprintf(stderr, "Can't update %s configuration:", fmri);
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ if (bad_prop_vec != NULL) {
-+ fprintf(stderr, "Could not set %s\n",
-+ bad_prop_vec->pv_prop);
-+ }
-+ free(fmri);
-+ exit(1);
-+ }
-+
-+ free(fmri);
-+ return (0);
-+}
-diff -Naur ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.h
---- ftp-proxy-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h 1969-12-31 16:00:00.000000000 -0800
-+++ ftp-proxy-OPENBSD_5_5-OPENBSD_5_5/smf-config.h 2016-02-19 06:43:15.097134373 -0800
-@@ -0,0 +1,77 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License (the "License").
-+ * You may not use this file except in compliance with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ *
-+ */
-+
-+/*
-+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-+ */
-+
-+#ifndef _SMF_CONFIG_H_
-+#define _SMF_CONFIG_H_
-+
-+#include <string.h>
-+
-+#define BASE_FMRI "svc:/network/firewall/ftp-proxy"
-+#define DEFAULT_INSTANCE "default"
-+
-+#define SMF_CFG_ANON_SET 0x00000001
-+#define SMF_CFG_FIXED_PROXY_SET 0x00000002
-+#define SMF_CFG_LISTEN_ADDR_SET 0x00000004
-+#define SMF_CFG_LISTEN_PORT_SET 0x00000008
-+#define SMF_CFG_DEBUG_LEVEL_SET 0x00000010
-+#define SMF_CFG_MAX_SESSION_SET 0x00000020
-+#define SMF_CFG_RFC_MODE_SET 0x00000040
-+#define SMF_CFG_FIXED_SERVER_PORT_SET \
-+ 0x00000080
-+#define SMF_CFG_FIXED_SERVER_SET \
-+ 0x00000100
-+#define SMF_CFG_TAG_SET 0x00000200
-+#define SMF_CFG_TIMEOUT_SET 0x00000400
-+#define SMF_CFG_LOG_SET 0x00000800
-+
-+#define SMF_CFG_LOG_OFF 0
-+#define SMF_CFG_LOG_ON 1
-+#define SMF_CFG_LOG_ALL 2
-+
-+#define SMF_COPY_STR(_x_) (((_x_) == NULL) ? strdup("") : strdup((_x_)))
-+
-+typedef struct smf_ftppx_cfg {
-+ unsigned int cfg_set; /* SMF_CFG_*_SET bit field */
-+ int cfg_anonymous_only;
-+ char *cfg_fixed_proxy;
-+ char *cfg_listen_addr;
-+ int64_t cfg_listen_port;
-+ int64_t cfg_debug_level;
-+ int64_t cfg_max_sessions;
-+ char *cfg_fixed_server;
-+ int64_t cfg_fixed_server_port;
-+ int cfg_rfc_mode;
-+ char *cfg_tag;
-+ int64_t cfg_timeout;
-+ int cfg_log;
-+} smf_ftppx_cfg_t;
-+
-+extern smf_ftppx_cfg_t smf_ftp_cfg;
-+
-+extern int smf_print_ftpcfg(const char *);
-+extern int smf_write_ftpcfg(const char *, int);
-+
-+#endif /* !_SMF_CONFIG_H_ */
--- a/components/pflogd/Makefile Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,66 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-include ../../make-rules/shared-macros.mk
-
-COMPONENT_NAME= pflogd
-COMPONENT_VERSION= OPENBSD_5_5
-IPS_COMPONENT_VERSION= 5.5
-COMPONENT_PROJECT_URL= http://www.openbsd.org
-COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
[email protected]:/cvs
-CVS_PATH='src/sbin/pflogd'
-CVS_HASH= sha256:b3cc2c34844489913e8eaf4b3e4096c4b7f7f9e54901e477fa202d5a9a56994a
-CVS_TAG=$(COMPONENT_VERSION)
-COMPONENT_BUGDB= service/pflogd
-
-TPNO= 24254
-
-#
-# Don't overwrite CFLAGS here, just add our options there.
-#
-COMPONENT_BUILD_ENV += CFLAGS="$(CFLAGS) -D_SOLARIS_ -DOBSD_COMP -lscf"
-COMPONENT_BUILD_ARGS += CC="$(CC)"
-
-include ../../make-rules/prep.mk
-include ../../make-rules/justmake.mk
-include ../../make-rules/ips.mk
-
-COMPONENT_INSTALL_ARGS += PREFIX=$(PROTOUSRDIR)
-COMPONENT_INSTALL_ARGS += MANDIR=$(PROTOUSRSHAREMANDIR)
-COMPONENT_INSTALL_ARGS += INSTALL=/usr/gnu/bin/install
-
-ASLR_MODE = $(ASLR_ENABLE)
-
-# common targets
-build: $(BUILD_64)
-
-install: $(INSTALL_64)
-
-test: $(NO_TESTS)
-
-REQUIRED_PACKAGES += network/firewall
-REQUIRED_PACKAGES += shell/ksh93
-REQUIRED_PACKAGES += system/core-os
-REQUIRED_PACKAGES += system/header
-REQUIRED_PACKAGES += system/library
-REQUIRED_PACKAGES += system/library/libpcap
--- a/components/pflogd/patches/001-solaris.patch Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,589 +0,0 @@
-# This patch comes from Oracle. It fixes issues preventing pflogd
-# from building and running on Solaris. Especially, we:
-# - make it read packets from Solaris-specific capture links instead
-# of OpenBSD's pflog interfaces
-# - introduce our own pcap_pkthdr structure as the one used by
-# upstream would result in corrupted packet dump files on Solaris
-# - use Solaris-specific random number generator
-#
-# This patch is not going to upstream, the changes are Solaris-specific.
-
-diff -Naur ORIGINAL/Makefile pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile
---- ORIGINAL/Makefile 2013-06-18 20:51:30.000000000 -0700
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile 2016-02-17 02:08:53.410106245 -0800
-@@ -1,15 +1,28 @@
- # $OpenBSD: Makefile,v 1.9 2013/06/19 03:51:30 lteo Exp $
-
--CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
-+CFLAGS+= -m64 -errwarn
-
--# for pcap-int.h
--CFLAGS+=-I${.CURDIR}/../../lib/libpcap
-+PROG=pflogd
-+SRCS=pflogd.c privsep.c privsep_fdpass.c
-+OBJS=$(SRCS:.c=.o)
-+MAN=pflogd.8
-
--LDADD+= -lpcap
--DPADD+= ${LIBPCAP}
-+LDADD+=-lpcap -ldladm -luutil
-
--PROG= pflogd
--SRCS= pflogd.c privsep.c privsep_fdpass.c
--MAN= pflogd.8
-+all: $(SRCS) $(PROG)
-
--.include <bsd.prog.mk>
-+install: $(PROG)
-+ $(INSTALL) -d $(PREFIX)/sbin
-+ $(INSTALL) -m 755 $(PROG) $(PREFIX)/sbin
-+ $(INSTALL) -d $(MANDIR)/man8
-+ $(INSTALL) -m 644 $(MAN) $(MANDIR)/man8
-+
-+$(PROG): $(OBJS)
-+ $(CC) $(CFLAGS) $(OBJS) -o $@ $(LDADD)
-+
-+.c.o:
-+ $(CC) $(CFLAGS) -c -o $@ $<
-+
-+clean:
-+ rm -rf *.o
-+ rm -rf $(PROG)
-diff -Naur ORIGINAL/pflogd.8 pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8
---- ORIGINAL/pflogd.8 2014-01-20 19:15:45.000000000 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8 2016-02-17 02:32:29.857912548 -0800
-@@ -44,15 +44,15 @@
- .Nm
- is a background daemon which reads packets logged by
- .Xr pf 4
--to a
--.Xr pflog 4
--interface, normally
-+to a dedicated capture link interface (see
-+.Xr dladm 1M
-+for details), normally
- .Pa pflog0 ,
- and writes the packets to a logfile (normally
--.Pa /var/log/pflog )
--in
--.Xr tcpdump 8
--binary format.
-+.Pa /var/log/firewall/pflog/pflog0.pkt )
-+in libpcap format (see
-+.Xr PCAP 3pcap
-+for details).
- These logs can be reviewed later using the
- .Fl r
- option of
-@@ -63,9 +63,7 @@
- .Nm
- closes and then re-opens the log file when it receives
- .Dv SIGHUP ,
--permitting
--.Xr newsyslog 8
--to rotate logfiles automatically.
-+permitting convenient log rotation.
- .Dv SIGALRM
- causes
- .Nm
-@@ -96,7 +94,7 @@
- .Pp
- .Nm
- will also log the pcap statistics for the
--.Xr pflog 4
-+capture link
- interface to syslog when a
- .Dv SIGUSR1
- is received.
-@@ -113,12 +111,8 @@
- If not specified, the default is 60 seconds.
- .It Fl f Ar filename
- Log output filename.
--Default is
--.Pa /var/log/pflog .
- .It Fl i Ar interface
--Specifies the
--.Xr pflog 4
--interface to use.
-+Specifies the capture link interface to use.
- By default,
- .Nm
- will use
-@@ -172,7 +166,7 @@
- .El
- .Sh FILES
- .Bl -tag -width /var/run/pflogd.pid -compact
--.It Pa /var/log/pflog
-+.It Pa /var/log/firewall/pflog/pflog0.pkt
- Default log file.
- .El
- .Sh EXAMPLES
-@@ -185,7 +179,7 @@
- .Ed
- .Pp
- Log from another
--.Xr pflog 4
-+capture link
- interface, excluding specific packets:
- .Bd -literal -offset indent
- # pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
-@@ -193,7 +187,7 @@
- .Pp
- Display binary logs:
- .Bd -literal -offset indent
--# tcpdump -n -e -ttt -r /var/log/pflog
-+# tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog3.pkt
- .Ed
- .Pp
- Display the logs in real time (this does not interfere with the
-@@ -210,16 +204,18 @@
- .Ed
- .Sh SEE ALSO
- .Xr pcap 3 ,
--.Xr pf 4 ,
--.Xr pflog 4 ,
- .Xr pf.conf 5 ,
--.Xr newsyslog 8 ,
-+.Xr privileges 5 ,
-+.Xr smf 5 ,
- .Xr tcpdump 8
- .Sh HISTORY
- The
- .Nm
- command appeared in
- .Ox 3.0 .
-+The Solaris version is based on
-+.Nm
-+found in OpenBSD 5.5.
- .Sh AUTHORS
- .Nm
- was written by
-diff -Naur ORIGINAL/pflogd.c pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c
---- ORIGINAL/pflogd.c 2012-11-05 18:50:47.000000000 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c 2016-02-18 12:05:03.256562087 -0800
-@@ -48,7 +48,15 @@
- #include <errno.h>
- #include <stdarg.h>
- #include <fcntl.h>
-+#ifdef _SOLARIS_
-+#include <libdladm.h>
-+#include <libnetcfg.h>
-+#include <strings.h>
-+#include <zone.h>
-+#include <libuutil.h>
-+#else /* !_SOLARIS_ */
- #include <util.h>
-+#endif /* _SOLARIS_ */
- #include "pflogd.h"
-
- pcap_t *hpcap;
-@@ -88,6 +96,34 @@
- void sig_hup(int);
- void usage(void);
-
-+#ifdef _SOLARIS_
-+/*
-+ * setproctitle() is found in libc on OpenBSD. It allows program to update its
-+ * process name. It will be an empty macro on Solaris.
-+ */
-+#define setproctitle(...)
-+
-+/*
-+ * __dead attribute will be an empty macro on Solaris.
-+ */
-+#define __dead
-+
-+/*
-+ * We must define our own pcap_pkthdr to ensure timeval structure will be
-+ * defined in 32-bit version. Not doing so will result in corrupted packet dump
-+ * file produced by pflogd on Solaris.
-+ */
-+typedef struct pcap_pkthdr_file {
-+ struct {
-+ uint32_t tv_sec;
-+ uint32_t tv_usec;
-+ } ts;
-+ uint32_t caplen;
-+ uint32_t len;
-+} pcap_pkthdr_file_t;
-+
-+#endif /* _SOLARIS_ */
-+
- static int try_reset_dump(int);
-
- /* buffer must always be greater than snaplen */
-@@ -191,11 +227,13 @@
- {
- struct bpf_program bprog;
-
-- if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0)
-+ if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0) {
- logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
-- else {
-+ logmsg(LOG_WARNING, "for filter:\n\t%s\nNo filter set.\n", filter);
-+ } else {
- if (pcap_setfilter(hpcap, &bprog) < 0)
-- logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
-+ logmsg(LOG_WARNING, "%s\nNo filter set.\n",
-+ pcap_geterr(hpcap));
- pcap_freecode(&bprog);
- }
- }
-@@ -203,6 +241,31 @@
- int
- if_exists(char *ifname)
- {
-+#ifdef _SOLARIS_
-+ dladm_handle_t dlh;
-+ datalink_id_t linkid;
-+ zoneid_t zid = getzoneid();
-+ dladm_status_t dls;
-+ int rv = 0;
-+
-+ if (!dladm_valid_linkname(ifname) ||
-+ (dladm_open(&dlh) != DLADM_STATUS_OK)) {
-+ errno = ENXIO;
-+ return (rv);
-+ }
-+
-+ dls = dladm_apply_linknamefilters(dlh, ifname, &linkid, 1, &zid,
-+ DLADM_OPT_ACTIVE, zid, NULL);
-+ if ((dls == DLADM_STATUS_OK) && (linkid != DATALINK_INVALID_LINKID)) {
-+ rv = 1;
-+ }
-+
-+ dladm_close(dlh);
-+
-+ errno = (rv == 1) ? 0 : ENXIO;
-+
-+ return (rv);
-+#else /* !_SOLARIS_ */
- int s, ret = 1;
- struct ifreq ifr;
- struct if_data ifrdat;
-@@ -220,6 +283,7 @@
- err(1, "close");
-
- return (ret);
-+#endif /* _SOLARIS_ */
- }
-
- int
-@@ -243,10 +307,15 @@
- cur_snaplen = snaplen = pcap_snapshot(hpcap);
-
- /* lock */
-+/*
-+ * BIOCLOCK operation is not implmented on Solaris.
-+ */
-+#ifndef _SOLARIS_
- if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
- logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
- return (-1);
- }
-+#endif /* !_SOLARIS_ */
-
- return (0);
- }
-@@ -371,7 +440,11 @@
- scan_dump(FILE *fp, off_t size)
- {
- struct pcap_file_header hdr;
-+#ifdef _SOLARIS_
-+ struct pcap_pkthdr_file ph;
-+#else /* !_SOLARIS_ */
- struct pcap_pkthdr ph;
-+#endif /* _SOLARIS_ */
- off_t pos;
-
- /*
-@@ -440,13 +513,26 @@
- dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
- {
- FILE *f = (FILE *)user;
-+#ifdef _SOLARIS_
-+ struct pcap_pkthdr_file h_file;
-+#endif /* _SOLARIS_ */
-
- if (suspended) {
- packets_dropped++;
- return;
- }
-
-- if (fwrite((char *)h, sizeof(*h), 1, f) != 1) {
-+#ifdef _SOLARIS_
-+ h_file.ts.tv_sec = (uint32_t)h->ts.tv_sec;
-+ h_file.ts.tv_usec = (uint32_t)h->ts.tv_usec;
-+ h_file.caplen = h->caplen;
-+ h_file.len = h->len;
-+ if (fwrite((char *)&h_file, sizeof (h_file), 1, f) != 1)
-+#else /* !_SOLARIS_ */
-+ if (fwrite((char *)h, sizeof(*h), 1, f) != 1)
-+#endif /* _SOLARIS_ */
-+
-+ {
- off_t pos = ftello(f);
-
- /* try to undo header to prevent corruption */
-@@ -520,9 +606,32 @@
- dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
- {
- FILE *f = (FILE *)user;
-+#ifdef _SOLARIS_
-+ struct pcap_pkthdr_file h_file;
-+ size_t len = sizeof (h_file) + h->caplen;
-+#else /* !_SOLARIS_ */
- size_t len = sizeof(*h) + h->caplen;
-+#endif /* _SOLARIS_ */
-
-- if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) {
-+#ifdef _SOLARIS_
-+ /*
-+ * Member ts is struct timeval defined in sys/time.h. Solaris uses
-+ * 64-bit version for tv_sec, tv_usec. 64-bit members are not
-+ * compatible with pcap file format, hence we must convert them to
-+ * 32-bits.
-+ */
-+ h_file.ts.tv_sec = (uint32_t)h->ts.tv_sec;
-+ h_file.ts.tv_usec = (uint32_t)h->ts.tv_usec;
-+ h_file.caplen = h->caplen;
-+ h_file.len = h->len;
-+#endif /* _SOLARIS_ */
-+
-+#ifdef _SOLARIS_
-+ if (len < sizeof(h_file) || h_file.caplen > (size_t)cur_snaplen)
-+#else /* !_SOLARIS_ */
-+ if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen)
-+#endif /* _SOLARIS_ */
-+ {
- logmsg(LOG_NOTICE, "invalid size %zu (%d/%d), packet dropped",
- len, cur_snaplen, snaplen);
- packets_dropped++;
-@@ -548,8 +657,13 @@
- }
-
- append:
-+#ifdef _SOLARIS_
-+ (void) memcpy(bufpos, &h_file, sizeof (h_file));
-+ (void) memcpy(bufpos + sizeof (h_file), sp, h->caplen);
-+#else /* !_SOLARIS_ */
- memcpy(bufpos, h, sizeof(*h));
- memcpy(bufpos + sizeof(*h), sp, h->caplen);
-+#endif /* _SOLARIS_ */
-
- bufpos += len;
- bufleft -= len;
-@@ -611,7 +725,6 @@
- default:
- usage();
- }
--
- }
-
- log_debug = Debug;
-@@ -658,12 +771,25 @@
-
- setproctitle("[initializing]");
- /* Process is now unprivileged and inside a chroot */
-+#ifdef _SOLARIS_
-+ /*
-+ * We have to use sigset() on Solaris, since signal() resets sig.
-+ * handler to default as soon as particular signal is delivered.
-+ */
-+ sigset(SIGTERM, sig_close);
-+ sigset(SIGINT, sig_close);
-+ sigset(SIGQUIT, sig_close);
-+ sigset(SIGALRM, sig_alrm);
-+ sigset(SIGUSR1, sig_usr1);
-+ sigset(SIGHUP, sig_hup);
-+#else /* !_SOLARIS_ */
- signal(SIGTERM, sig_close);
- signal(SIGINT, sig_close);
- signal(SIGQUIT, sig_close);
- signal(SIGALRM, sig_alrm);
- signal(SIGUSR1, sig_usr1);
- signal(SIGHUP, sig_hup);
-+#endif /* _SOLARIS_ */
- alarm(delay);
-
- buffer = malloc(PFLOGD_BUFSIZE);
-@@ -696,7 +822,7 @@
- ret = -1;
- break;
- }
-- logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
-+ logmsg(LOG_NOTICE, "pcap says: %s", pcap_geterr(hpcap));
- }
-
- if (gotsig_close)
-diff -Naur ORIGINAL/pflogd.h pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h
---- ORIGINAL/pflogd.h 2010-09-20 22:56:58.000000000 -0700
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h 2016-02-18 12:08:42.414919276 -0800
-@@ -16,7 +16,11 @@
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-+#ifdef _SOLARIS_
-+#include <limits.h>
-+#else /* !_SOLARIS_ */
- #include <sys/limits.h>
-+#endif /* _SOLARIS_ */
- #include <pcap.h>
-
- #define DEF_SNAPLEN 160 /* pfloghdr + ip hdr + proto hdr fit usually */
-@@ -25,7 +29,12 @@
- #define PCAP_OPT_FIL 1 /* filter optimization */
- #define FLUSH_DELAY 60 /* flush delay */
-
-+#ifdef _SOLARIS_
-+#define PFLOGD_LOG_DIR "/var/log/firewall/pflog"
-+#define PFLOGD_LOG_FILE "pflog.pkt"
-+#else /* !_SOLARIS_ */
- #define PFLOGD_LOG_FILE "/var/log/pflog"
-+#endif /* _SOLARIS_ */
- #define PFLOGD_DEFAULT_IF "pflog0"
-
- #define PFLOGD_MAXSNAPLEN INT_MAX
-diff -Naur ORIGINAL/privsep.c pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c
---- ORIGINAL/privsep.c 2013-09-13 01:49:17.000000000 -0700
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c 2016-02-18 12:07:34.219667793 -0800
-@@ -28,8 +28,6 @@
- #include <errno.h>
- #include <fcntl.h>
- #include <limits.h>
--#include <pcap.h>
--#include <pcap-int.h>
- #include <pwd.h>
- #include <signal.h>
- #include <stdio.h>
-@@ -38,6 +36,34 @@
- #include <syslog.h>
- #include <unistd.h>
- #include "pflogd.h"
-+#ifdef _SOLARIS_
-+#include <priv.h>
-+#include <stdlib.h>
-+#include <sys/types.h>
-+#include <time.h>
-+#include <sys/random.h>
-+#endif /* _SOLARIS_ */
-+/*
-+ * It's better to include these after other header files.
-+ * pcap-int.h defines strlcpy() as macro if it is undefined.
-+ * In our case strlcpy() comes from string.h.
-+ */
-+#define HAVE_SNPRINTF 1
-+#include <pcap.h>
-+#include <pcap-int.h>
-+
-+#ifdef _SOLARIS_
-+#define _NSIG 27
-+
-+/*
-+ * setproctitle() is found in libc on OpenBSD. It allows program to update its
-+ * process name. It will empty macro on Solaris.
-+ */
-+#define setproctitle(...)
-+
-+#else /* !_SOLARIS_ */
-+#define PFLOGD_USER "_pflogd"
-+#endif /* _SOLARIS_ */
-
- enum cmd_types {
- PRIV_SET_SNAPLEN, /* set the snaplength */
-@@ -67,7 +93,9 @@
- {
- int i, fd, socks[2], cmd;
- int snaplen, ret, olderrno;
-+#ifndef _SOLARIS_
- struct passwd *pw;
-+#endif /* !_SOLARIS_ */
-
- for (i = 1; i < _NSIG; i++)
- signal(i, SIG_DFL);
-@@ -76,16 +104,19 @@
- if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, socks) == -1)
- err(1, "socketpair() failed");
-
-+#ifndef _SOLARIS_
- pw = getpwnam("_pflogd");
- if (pw == NULL)
- errx(1, "unknown user _pflogd");
- endpwent();
-+#endif /* !_SOLARIS_ */
-
- child_pid = fork();
- if (child_pid < 0)
- err(1, "fork() failed");
-
- if (!child_pid) {
-+#ifndef _SOLARIS_
- gid_t gidset[1];
-
- /* Child - drop privileges and return */
-@@ -101,6 +132,8 @@
- err(1, "setgroups() failed");
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
- err(1, "setresuid() failed");
-+#endif /* !_SOLARIS_ */
-+
- close(socks[0]);
- priv_fd = socks[1];
- return 0;
-@@ -108,19 +141,34 @@
-
- /* Father */
- /* Pass ALRM/TERM/HUP/INT/QUIT through to child, and accept CHLD */
-+#ifdef _SOLARIS_
-+ /*
-+ * We have to use sigset() on Solaris, since signal() resets sig.
-+ * handler to default as soon as particular signal is delivered.
-+ */
-+ sigset(SIGALRM, sig_pass_to_chld);
-+ sigset(SIGTERM, sig_pass_to_chld);
-+ sigset(SIGHUP, sig_pass_to_chld);
-+ sigset(SIGINT, sig_pass_to_chld);
-+ sigset(SIGQUIT, sig_pass_to_chld);
-+ sigset(SIGCHLD, sig_chld);
-+#else /* !_SOLARIS_ */
- signal(SIGALRM, sig_pass_to_chld);
- signal(SIGTERM, sig_pass_to_chld);
- signal(SIGHUP, sig_pass_to_chld);
- signal(SIGINT, sig_pass_to_chld);
- signal(SIGQUIT, sig_pass_to_chld);
- signal(SIGCHLD, sig_chld);
-+#endif /* _SOLARIS_ */
-
- setproctitle("[priv]");
- close(socks[1]);
-
- while (!gotsig_chld) {
-- if (may_read(socks[0], &cmd, sizeof(int)))
-+ if (may_read(socks[0], &cmd, sizeof(int))) {
-+ logmsg(LOG_ERR, "may_read: fails\n");
- break;
-+ }
- switch (cmd) {
- case PRIV_SET_SNAPLEN:
- logmsg(LOG_DEBUG,
-@@ -192,9 +240,20 @@
-
- for (;;) {
- int fd;
-+#ifdef _SOLARIS_
-+ uint32_t rand;
-
-+ if (getrandom(&rand, sizeof (rand), GRND_NONBLOCK) !=
-+ sizeof (rand)) {
-+ logmsg(LOG_ERR, "getrandom() failed");
-+ return 1;
-+ }
-+ len = snprintf(ren, sizeof(ren), "%s.bad.%08x",
-+ name, rand);
-+#else /* !_SOLARIS_ */
- len = snprintf(ren, sizeof(ren), "%s.bad.%08x",
- name, arc4random());
-+#endif /* _SOLARIS_ */
- if (len >= sizeof(ren)) {
- logmsg(LOG_ERR, "[priv] new name too long");
- return (1);
--- a/components/pflogd/patches/002-smf.patch Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1217 +0,0 @@
-# This patch comes from Oracle. It turns the component into
-# a well-behaving SMF service. It adds code manipulating service
-# properties, service instances, and also provides security
-# in cooperation with the service manifest (especially, extra
-# privileges are dropped when not needed).
-#
-# This patch is not going to upstream, the changes are Solaris-specific.
-
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile pflogd-OPENBSD_5_5-OPENBSD_5_5/Makefile
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/Makefile 2016-02-17 02:08:53.410106245 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/Makefile 2016-02-16 05:02:32.489035397 -0800
-@@ -3,7 +3,7 @@
- CFLAGS+= -m64 -errwarn
-
- PROG=pflogd
--SRCS=pflogd.c privsep.c privsep_fdpass.c
-+SRCS=pflogd.c privsep.c privsep_fdpass.c smf-config.c
- OBJS=$(SRCS:.c=.o)
- MAN=pflogd.8
-
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8 pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.8
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.8 2016-02-17 02:32:29.857912548 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.8 2016-02-24 21:24:27.453116577 -0800
-@@ -33,7 +33,7 @@
- .Sh SYNOPSIS
- .Nm pflogd
- .Bk -words
--.Op Fl "Dx"
-+.Op Fl C Ar new-pflog-instance-name | Fl c Ar pflog-instance-name
- .Op Fl d Ar delay
- .Op Fl f Ar filename
- .Op Fl i Ar interface
-@@ -60,6 +60,7 @@
- hopefully offline in case there are bugs in the packet parsing code of
- .Xr tcpdump 8 .
- .Pp
-+
- .Nm
- closes and then re-opens the log file when it receives
- .Dv SIGHUP ,
-@@ -101,22 +102,52 @@
- .Pp
- The options are as follows:
- .Bl -tag -width Ds
--.It Fl D
--Debugging mode.
-+.It Fl C Ar new-pflog-instance-name
-+Creates a new
- .Nm
--does not disassociate from the controlling terminal.
-+instance with the specified name. If additional options are used to specify
-+configuration, it is stored into the
-+.Xr smf 5
-+repository. Default values are used for
-+.Xr smf 5
-+properties unless overriden by a command-line option. The exception is
-+pflog/interface (set to equal the instance name) and pflog/logfile
-+(set to a file with name equal to the instance name followed by the
-+.Pa .pkt
-+extension located inside the
-+.Pa /var/log/firewall/pflog/
-+directory) if the service instance name forms a valid linkname. If the
-+service instance name is not a valid linkname, the values must be
-+given explicitly.
-+.It Fl c Ar pflog-instance-name
-+Shows/changes the configuration of the given
-+.Nm
-+instance in
-+.Xr smf 5
-+repository. Attributes specified by additional options are placed into the
-+.Xr smf 5
-+repository.
- .It Fl d Ar delay
- Time in seconds to delay between automatic flushes of the file.
- This may be specified with a value between 5 and 3600 seconds.
- If not specified, the default is 60 seconds.
- .It Fl f Ar filename
--Log output filename.
-+Log output filename. When neither
-+.Fl C
-+nor
-+.Fl c
-+is used, the default value
-+.Pa pflog.pkt
-+is used.
- .It Fl i Ar interface
- Specifies the capture link interface to use.
--By default,
--.Nm
--will use
--.Pa pflog0 .
-+When neither
-+.Fl C
-+nor
-+.Fl c
-+is used, the default value
-+.Pa pflog0
-+is assumed.
- .It Fl s Ar snaplen
- Analyze at most the first
- .Ar snaplen
-@@ -124,8 +155,6 @@
- The default of 160 is adequate for IP, ICMP, TCP, and UDP headers but may
- truncate protocol information for other protocols.
- Other file parsers may desire a higher snaplen.
--.It Fl x
--Check the integrity of an existing log file, and return.
- .It Ar expression
- Selects which packets will be dumped, using the regular language of
- .Xr tcpdump 8 .
-@@ -164,11 +193,59 @@
- The direction was outbound.
- .El
- .El
--.Sh FILES
--.Bl -tag -width /var/run/pflogd.pid -compact
--.It Pa /var/log/firewall/pflog/pflog0.pkt
--Default log file.
-+.Sh SOLARIS
-+The
-+.Nm
-+daemon runs as an
-+.Xr smf 5
-+service with the following FMRI:
-+.Bd -literal -offset indent
-+svc:/network/firewall/pflog
-+.Ed
-+.Pp
-+Command line options described above are set via the following
-+.Xr smf 5
-+properties.
-+.Bl -tag -width "pflog/interface" -offset 3n -compact
-+.It pflog/delay
-+Automatic flush interval.
-+The default value is 60.
-+Used as the argument for the
-+.Fl d
-+option.
-+.It pflog/filter
-+Packet filter expression in
-+.Xr tcpdump 8
-+format.
-+No expression is defined by default.
-+.It pflog/interface
-+The capture link name from which to read packets.
-+Used as the argument for the
-+.Fl i
-+option.
-+.It pflog/logfile
-+Path to the logfile (for security reasons, only paths starting by the
-+.Pa /var/log/firewall/
-+directory are allowed.
-+Used as the argument for the
-+.Fl f
-+option.
-+.It pflog/snaplen
-+An upper bound on how many bytes from each packet to analyze.
-+The default value is 160.
-+Used as the argument for the
-+.Fl s
-+option.
- .El
-+.Pp
-+The start method creates a (temporal) capture link the particular
-+instance is using.
-+.Pp
-+The refresh method sends
-+.Dv SIGHUP
-+to
-+.Nm
-+owned by particular service instance.
- .Sh EXAMPLES
- Log specific TCP packets to a different log file with a large snaplen
- (useful with a
-@@ -202,6 +279,32 @@
- .Bd -literal -offset indent
- # tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
- .Ed
-+.Sh SECURITY
-+The
-+.Nm
-+daemon is a privilege-aware application which runs as the
-+.Dq daemon
-+user possessing
-+.Sy PRIV_NET_OBSERVABILITY
-+privilege that is required for using
-+.Xr bpf 7d
-+to read packets. See
-+.Xr privileges 5
-+for details.
-+The service start method uses
-+.Xr dladm 1M
-+to create capture link if it does not exist already.
-+.Pp
-+To configure the
-+.Nm
-+service one has to obtain the
-+.Sy solaris.smf.value.network.firewall
-+authorization.
-+To manage the service (disable/enable/refresh) one must have the
-+.Sy solaris.smf.manage.network.firewall
-+authorization.
-+Both authorizations are granted through the Network Firewall Management profile.
-+To create new service instances, you need the solaris.smf.modify authorization.
- .Sh SEE ALSO
- .Xr pcap 3 ,
- .Xr pf.conf 5 ,
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.c
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.c 2016-02-18 12:05:03.256562087 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.c 2016-02-18 12:01:49.900876863 -0800
-@@ -54,6 +54,7 @@
- #include <strings.h>
- #include <zone.h>
- #include <libuutil.h>
-+#include "smf-config.h"
- #else /* !_SOLARIS_ */
- #include <util.h>
- #endif /* _SOLARIS_ */
-@@ -63,7 +64,7 @@
- static FILE *dpcap;
-
- int Debug = 0;
--static int snaplen = DEF_SNAPLEN;
-+static int64_t snaplen = DEF_SNAPLEN;
- static int cur_snaplen = DEF_SNAPLEN;
-
- volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
-@@ -75,7 +76,7 @@
- char errbuf[PCAP_ERRBUF_SIZE];
-
- int log_debug = 0;
--unsigned int delay = FLUSH_DELAY;
-+int64_t delay = FLUSH_DELAY;
-
- char *copy_argv(char * const *);
- void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
-@@ -124,6 +125,15 @@
-
- #endif /* _SOLARIS_ */
-
-+#ifdef _SOLARIS_
-+#define PFLOGD_GETOPTS "c:C:Dd:f:i:s:"
-+#define CFG_SETFLAG(_flags_, _f_) ((_flags_) |= (_f_))
-+#define SKIP_CHK(_x_) ((_x_) == NULL)
-+#else /* !_SOLARIS_ */
-+#define PFLOGD_GETOPTS "Dxd:f:i:s:"
-+#define CFG_SETFLAG(_flags_, _f_)
-+#define SKIP_CHK(_x_) (1)
-+#endif /* _SOLARIS_ */
- static int try_reset_dump(int);
-
- /* buffer must always be greater than snaplen */
-@@ -290,6 +300,8 @@
- init_pcap(void)
- {
- hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
-+ DROP_PRIV(PRIV_NET_OBSERVABILITY);
-+
- if (hpcap == NULL) {
- logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
- return (-1);
-@@ -690,12 +702,20 @@
- int ch, np, ret, Xflag = 0;
- pcap_handler phandler = dump_packet;
- const char *errstr = NULL;
-+#ifdef _SOLARIS_
-+ unsigned int create = 0;
-+ unsigned int cfg_flags = 0;
-+ const char *smf_instance = NULL;
-+#endif /* _SOLARIS_ */
-+
-+ DROP_PRIV(PRIV_SYS_IP_CONFIG);
-+ DROP_PRIV(PRIV_PROC_EXEC);
-
- ret = 0;
-
- closefrom(STDERR_FILENO + 1);
-
-- while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
-+ while ((ch = getopt(argc, argv, PFLOGD_GETOPTS)) != -1) {
- switch (ch) {
- case 'D':
- Debug = 1;
-@@ -704,12 +724,15 @@
- delay = strtonum(optarg, 5, 60*60, &errstr);
- if (errstr)
- usage();
-+ CFG_SETFLAG(cfg_flags, SMF_CFG_DELAY_SET);
- break;
- case 'f':
- filename = optarg;
-+ CFG_SETFLAG(cfg_flags, SMF_CFG_LOGFILE_SET);
- break;
- case 'i':
- interface = optarg;
-+ CFG_SETFLAG(cfg_flags, SMF_CFG_INTERFACE_SET);
- break;
- case 's':
- snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
-@@ -718,10 +741,27 @@
- snaplen = DEF_SNAPLEN;
- if (errstr)
- snaplen = PFLOGD_MAXSNAPLEN;
-+ CFG_SETFLAG(cfg_flags, SMF_CFG_SNAPLEN_SET);
- break;
-+#ifndef _SOLARIS_
-+ /*
-+ * This option requires a special securing on Solaris as
-+ * pflogd will be started manually in the case it is used.
-+ * Also, some polishing is needed so that the response
-+ * from 'pflogd -x' is shown to the user and not put into
-+ * a logfile.
-+ */
- case 'x':
- Xflag++;
- break;
-+#endif /* !_SOLARIS_ */
-+#ifdef _SOLARIS_
-+ case 'C':
-+ create = 1; /* FALLTHRU */
-+ case 'c':
-+ smf_instance = optarg;
-+ break;
-+#endif /* _SOLARIS_ */
- default:
- usage();
- }
-@@ -732,14 +772,14 @@
- argv += optind;
-
- /* does interface exist */
-- if (!if_exists(interface)) {
-+ if (SKIP_CHK(smf_instance) && !if_exists(interface)) {
- warn("Failed to initialize: %s", interface);
- logmsg(LOG_ERR, "Failed to initialize: %s", interface);
- logmsg(LOG_ERR, "Exiting, init failure");
- exit(1);
- }
-
-- if (!Debug) {
-+ if (SKIP_CHK(smf_instance) && !Debug) {
- openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
- if (daemon(0, 0)) {
- logmsg(LOG_WARNING, "Failed to become daemon: %s",
-@@ -757,6 +797,31 @@
- logmsg(LOG_NOTICE, "Failed to form filter expression");
- }
-
-+#ifdef _SOLARIS_
-+ if (smf_instance != NULL) {
-+ if (filter != NULL) {
-+ CFG_SETFLAG(cfg_flags, SMF_CFG_EXPRESSION_SET);
-+ } else {
-+ filter = "";
-+ }
-+ if ((cfg_flags == 0) && (create == 0)) {
-+ if (smf_print_pflogcfg(smf_instance)) {
-+ exit (-1);
-+ }
-+ } else {
-+ smf_pflogd_cfg.cfg_set = cfg_flags;
-+ smf_pflogd_cfg.cfg_expression = strdup(filter);
-+ smf_pflogd_cfg.cfg_interface = strdup(interface);
-+ smf_pflogd_cfg.cfg_logfile = strdup(filename);
-+ smf_pflogd_cfg.cfg_delay = delay;
-+ smf_pflogd_cfg.cfg_snaplen = snaplen;
-+
-+ smf_write_pflogcfg(smf_instance, create);
-+ }
-+ exit(0);
-+ }
-+#endif /* _SOLARIS_ */
-+
- /* initialize pcap before dropping privileges */
- if (init_pcap()) {
- logmsg(LOG_ERR, "Exiting, init failure");
-@@ -768,7 +833,6 @@
- logmsg(LOG_ERR, "unable to privsep");
- exit(1);
- }
--
- setproctitle("[initializing]");
- /* Process is now unprivileged and inside a chroot */
- #ifdef _SOLARIS_
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.h
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/pflogd.h 2016-02-18 12:08:42.414919276 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/pflogd.h 2016-02-18 12:09:18.796727948 -0800
-@@ -18,6 +18,8 @@
-
- #ifdef _SOLARIS_
- #include <limits.h>
-+#include <sys/types.h>
-+#include <priv.h>
- #else /* !_SOLARIS_ */
- #include <sys/limits.h>
- #endif /* _SOLARIS_ */
-@@ -55,3 +57,27 @@
- int receive_fd(int);
-
- extern int Debug;
-+
-+#ifdef _SOLARIS_
-+#define DROP_PRIV(priv) \
-+ do { \
-+ if (priv_set(PRIV_OFF, PRIV_PERMITTED, (priv), \
-+ NULL) != 0) { \
-+ fprintf(stderr, \
-+ "Unable to drop privileges.\n"); \
-+ exit (-1); \
-+ } \
-+ } while (0)
-+
-+#define DROP_PFLAG(flag) \
-+ do { \
-+ if (setpflags((flag), 0) != 0) { \
-+ fprintf(stderr, \
-+ "Unable to drop pflag.\n"); \
-+ exit (-1); \
-+ } \
-+} while (0)
-+#else /* !_SOLARIS_ */
-+#define DROP_PRIV(priv)
-+#define DROP_PFLAG(flag)
-+#endif /* _SOLARIS_ */
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c pflogd-OPENBSD_5_5-OPENBSD_5_5/privsep.c
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/privsep.c 2016-02-18 12:07:34.219667793 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/privsep.c 2016-02-18 11:55:14.949135348 -0800
-@@ -112,6 +112,7 @@
- #endif /* !_SOLARIS_ */
-
- child_pid = fork();
-+ DROP_PRIV(PRIV_PROC_FORK);
- if (child_pid < 0)
- err(1, "fork() failed");
-
-@@ -133,6 +134,7 @@
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
- err(1, "setresuid() failed");
- #endif /* !_SOLARIS_ */
-+ DROP_PFLAG(PRIV_XPOLICY);
-
- close(socks[0]);
- priv_fd = socks[1];
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.c
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.c 1969-12-31 16:00:00.000000000 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.c 2016-02-24 08:24:57.408744180 -0800
-@@ -0,0 +1,713 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License (the "License").
-+ * You may not use this file except in compliance with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ *
-+ */
-+
-+/*
-+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-+ */
-+
-+#include <string.h>
-+#include <strings.h>
-+#include <stdlib.h>
-+#include <err.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <libscf.h>
-+#include <stddef.h>
-+#include <libscf_priv.h>
-+
-+#include "pflogd.h"
-+#include "smf-config.h"
-+
-+#define PFLOGD_PG "pflog"
-+#define PFLOGD_PROP_VALUE_AUTH "value_authorization"
-+#define PFLOGD_PROP_ACTION_AUTH "action_authorization"
-+#define PFLOGD_VALUE_AUTH "solaris.smf.value.network.firewall"
-+#define PFLOGD_MANAGE_AUTH "solaris.smf.manage.network.firewall"
-+
-+#define SKIP_PROP(_pv_) \
-+ ((strcmp((_pv_)->pv_prop, "action_authorization") == 0) || \
-+ (strcmp((_pv_)->pv_prop, "value_authorization") == 0))
-+
-+#define STRIP_SVC(_x_) ((_x_) + (sizeof ("svc:/") - 1))
-+
-+/*
-+ * smf_pflogd_cfg
-+ * FTP proxy configuration container.
-+ */
-+smf_pflogd_cfg_t smf_pflogd_cfg;
-+
-+#define SMF_OPT_OPTIONAL 0
-+#define SMF_OPT_MANDATORY 1
-+/*
-+ * X-macro table.
-+ * Columns are as follows:
-+ * value key/index
-+ * SMF property name name
-+ * member in smf_pflogd_cfg_t structure
-+ * function which converts ASCIIZ to member type in smf_pflogd_cfg_t
-+ * function which converts member in smf_pflogd_cfg_t to ASCIIZ
-+ * optional/mandatory status
-+ * property type
-+ */
-+#define X_CFG_PROPS \
-+ X(SMF_LOGFILE, "logfile", cfg_logfile, nop_in, nop_out, \
-+ SMF_OPT_MANDATORY, SCF_TYPE_ASTRING) \
-+ X(SMF_SNAPLEN, "snaplen", cfg_snaplen, int_in, int_out, \
-+ SMF_OPT_MANDATORY, SCF_TYPE_INTEGER) \
-+ X(SMF_INTERFACE, "interface", cfg_interface, nop_in, nop_out, \
-+ SMF_OPT_MANDATORY, SCF_TYPE_ASTRING) \
-+ X(SMF_DELAY, "delay", cfg_delay, int_in, int_out, \
-+ SMF_OPT_OPTIONAL, SCF_TYPE_INTEGER) \
-+ X(SMF_EXPRESSION, "filter", cfg_expression, nop_in, nop_out, \
-+ SMF_OPT_OPTIONAL, SCF_TYPE_ASTRING)
-+
-+static void nop_in(void *, void *);
-+static void nop_out(void *, void *);
-+static void int_in(void *, void *);
-+static void int_out(void *, void *);
-+
-+/*
-+ * smf_keys
-+ * Keys (indexes) to `smf_propnames` dictionary.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _const_,
-+enum smf_keys {
-+ X_CFG_PROPS
-+ SMF_CFG_PROP_COUNT
-+};
-+#undef X
-+
-+/*
-+ * smf_propnames
-+ * It's an array (dictionary), which translates property code (SMF_*) to
-+ * property value name found `ftp-proxy` property group.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _propname_,
-+static const char *smf_propnames[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_cfg_offsets
-+ * Table of smf_pflogd_cfg_t members.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) offsetof(smf_pflogd_cfg_t, _decl_),
-+static size_t smf_cfg_offsets[] = {
-+ X_CFG_PROPS
-+ sizeof (smf_pflogd_cfg_t)
-+};
-+#undef X
-+
-+typedef void(*conv_in_f)(void *, void *);
-+typedef void(*conv_out_f)(void *, void *);
-+/*
-+ * smf_convert_in
-+ * Table of conversion functions, which convert particular smf_pflogd_cfg_t
-+ * member into ASCIIZ.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _conv_in_,
-+static conv_in_f smf_conv_in[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_conv_out
-+ * Table of conversion functions, which convert ASCIIZ fetched from smf(5)
-+ * repository to member of smf_pflogd_cfg_t structure.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _conv_out_,
-+static conv_out_f smf_conv_out[] = {
-+ X_CFG_PROPS
-+ NULL
-+};
-+#undef X
-+
-+/*
-+ * smf_mandatory
-+ * Table marks configuration parameters, which must be defined by admin,
-+ * before the service is enabled for the first time.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _mandatory_,
-+static int smf_mandatory[] = {
-+ X_CFG_PROPS
-+ 0
-+};
-+#undef X
-+
-+/*
-+ * smf_type
-+ * Table of types of SMF properties.
-+ */
-+#define X(_const_, _propname_, _decl_, _conv_in_, _conv_out_, _mandatory_, \
-+ _type_) _type_,
-+static int smf_type[] = {
-+ X_CFG_PROPS
-+ 0
-+};
-+#undef X
-+
-+/*
-+ * pflogd property group properties
-+ * +1 for NULL termination.
-+ * +1 for value_authorization
-+ */
-+static scf_propvec_t prop_vec[SMF_CFG_PROP_COUNT + 1 + 1];
-+
-+/*
-+ * general property group properties
-+ * +1 for NULL termination.
-+ * +2 for value_authorization/action_authorization
-+ */
-+static scf_propvec_t gen_prop_vec[1 + 2];
-+
-+static int atexit_set = 0;
-+static int complete_pflogdcfg(const char *);
-+
-+/*
-+ * nop_in()
-+ * Dummy conversion ASCIIZ to ASCIIZ, no allocation happens. Used when
-+ * configuration is from smf(5).
-+ */
-+static void
-+nop_in(void *asciiz, void *result)
-+{
-+ *((char **)result) = (char *)asciiz;
-+}
-+
-+/*
-+ * nop_out()
-+ * Dummy conversion ASCIIZ to ASCIIZ, function allocates memory for result by
-+ * strdup(3C). Used when configuration is written to smf(5) repository.
-+ */
-+static void
-+nop_out(void *asciiz, void *val)
-+{
-+ *((char **)asciiz) = strdup(*(char **)val);
-+}
-+
-+/*
-+ * int_in()
-+ * Dummy conversion of int64_t. No allocation happens. Used when reading
-+ * values from smf.
-+ */
-+static void
-+int_in(void *in, void *out) {
-+ *((int64_t *)out) = *((int64_t *)in);
-+}
-+
-+/*
-+ * int_out()
-+ * Dummy conversion of int64_t, storing into a newly allocated memory.
-+ * Used when storing values to smf repository.
-+ */
-+static void
-+int_out(void *out, void *in) {
-+ int64_t **out_ = (int64_t **)out;
-+
-+ *out_ = malloc(sizeof (int64_t));
-+ if (*out_ != NULL)
-+ **out_ = *((int64_t *)in);
-+}
-+
-+static void
-+clear_prop_vec2(scf_propvec_t *prop_vec_ptr, int count)
-+{
-+ while (count--) {
-+ prop_vec_ptr->pv_prop = NULL;
-+ prop_vec_ptr->pv_desc = NULL;
-+ prop_vec_ptr->pv_type = 0;
-+ prop_vec_ptr->pv_aux = 0;
-+ prop_vec_ptr->pv_mval = 0;
-+
-+ if (prop_vec_ptr->pv_ptr != NULL) {
-+ free(prop_vec_ptr->pv_ptr);
-+ prop_vec_ptr->pv_ptr = NULL;
-+ }
-+
-+ prop_vec_ptr++;
-+ }
-+}
-+
-+/*
-+ * clear_prop_vec()
-+ * Function clears global variables `prop_vec` and `gen_prop_vec`,
-+ * which are vectors of properties.
-+ */
-+static void
-+clear_prop_vec()
-+{
-+ clear_prop_vec2(prop_vec,
-+ sizeof (prop_vec) / sizeof (scf_propvec_t));
-+ clear_prop_vec2(gen_prop_vec,
-+ sizeof (gen_prop_vec) / sizeof (scf_propvec_t));
-+}
-+
-+/*
-+ * cfg_to_prop_vec()
-+ * Function converts smf_pflogd_cfg global variable, which holds configuration
-+ * parsed from command line arguments, to prop_vec, which is a smf(5) friendly
-+ * representation of pflogd configuration.
-+ *
-+ * Additionally, it populates gen_prop_vec to specify needed authorizations.
-+ *
-+ * Returns 0 on success, -1 on out of memory error.
-+ */
-+static int
-+cfg_to_prop_vec(void)
-+{
-+ int cfg_bit = 1;
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ conv_out_f conv_func;
-+
-+ clear_prop_vec();
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ if ((smf_pflogd_cfg.cfg_set & cfg_bit) != 0) {
-+ prop_vec_ptr->pv_prop = smf_propnames[i];
-+ conv_func = smf_conv_out[i];
-+
-+ conv_func(&prop_vec_ptr->pv_ptr,
-+ ((char *)&smf_pflogd_cfg + smf_cfg_offsets[i]));
-+ if (prop_vec_ptr->pv_ptr == NULL)
-+ return (-1);
-+ prop_vec_ptr->pv_type = smf_type[i];
-+ prop_vec_ptr++;
-+ }
-+ cfg_bit = cfg_bit << 1;
-+ }
-+ prop_vec_ptr->pv_type = SCF_TYPE_ASTRING;
-+ prop_vec_ptr->pv_prop = PFLOGD_PROP_VALUE_AUTH;
-+ prop_vec_ptr->pv_ptr = strdup(PFLOGD_VALUE_AUTH);
-+ prop_vec_ptr++;
-+
-+ gen_prop_vec[0].pv_type = SCF_TYPE_ASTRING;
-+ gen_prop_vec[0].pv_prop = PFLOGD_PROP_VALUE_AUTH;
-+ gen_prop_vec[0].pv_ptr = strdup(PFLOGD_MANAGE_AUTH);
-+ gen_prop_vec[1].pv_type = SCF_TYPE_ASTRING;
-+ gen_prop_vec[1].pv_prop = PFLOGD_PROP_ACTION_AUTH;
-+ gen_prop_vec[1].pv_ptr = strdup(PFLOGD_MANAGE_AUTH);
-+
-+ return (0);
-+}
-+
-+/*
-+ * prop_vec_to_cfg()
-+ * Converts global variable `prop_vec` to `smf_pflogd_cfg` global variable,
-+ * which is understood by main().
-+ */
-+static void
-+prop_vec_to_cfg(void)
-+{
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ conv_in_f conv_func;
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++, prop_vec_ptr++) {
-+ if (SKIP_PROP(prop_vec_ptr)) {
-+ /*
-+ * We have `hidden` properties: action/value smf
-+ * authorization. Those two are not kept in
-+ * smf_ftp_cfg.
-+ *
-+ * So we must to skip to next property in vector
-+ * without letting for loop to advance its counter, so
-+ * we compensate here by doing `i--`.
-+ */
-+ i--;
-+ continue;
-+ };
-+ conv_func = smf_conv_in[i];
-+ conv_func(prop_vec_ptr->pv_ptr,
-+ ((char *)&smf_pflogd_cfg + smf_cfg_offsets[i]));
-+ }
-+}
-+
-+/*
-+ * smf_print_pflogcfg()
-+ * Function loads pflogdcfg from smf(5) repository and prints configuration to
-+ * standard output. We use `scf_simple_prop_get(3SCF)`.
-+ *
-+ * Returns 0 on success, -1 on error.
-+ */
-+int
-+smf_print_pflogcfg(const char *smf_instance)
-+{
-+ scf_simple_prop_t *prop;
-+ char *propval;
-+ int i;
-+ scf_propvec_t *prop_vec_ptr = prop_vec;
-+ int cfg_undefined = 0;
-+ char *fmri;
-+
-+ if (atexit_set == 0) {
-+ atexit(clear_prop_vec);
-+ bzero(&smf_pflogd_cfg, sizeof (smf_pflogd_cfg_t));
-+ atexit_set = 1;
-+ }
-+
-+ (void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
-+ if (fmri == NULL) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ clear_prop_vec();
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ prop = scf_simple_prop_get(NULL, fmri, PFLOGD_PG,
-+ smf_propnames[i]);
-+ prop_vec_ptr->pv_prop = smf_propnames[i];
-+
-+ if (prop == NULL) {
-+ /*
-+ * Property not defined, so we create a kind of
-+ * 'placeholder' with empty value.
-+ *
-+ * calloc() works well for both astring and integer.
-+ */
-+ prop_vec_ptr->pv_type = smf_type[i];
-+ prop_vec_ptr->pv_ptr = calloc(1, sizeof (int64_t));
-+ cfg_undefined |= smf_mandatory[i];
-+ } else {
-+ prop_vec_ptr->pv_type = scf_simple_prop_type(prop);
-+ if (prop_vec_ptr->pv_type == -1) {
-+ free(fmri);
-+ fprintf(stderr,
-+ "Failed to get property type.\n");
-+ return (-1);
-+ }
-+ if (prop_vec_ptr->pv_type != smf_type[i]) {
-+ free(fmri);
-+ fprintf(stderr,
-+ "Property %s has unexpected type.\n",
-+ smf_propnames[i]);
-+ return (-1);
-+ }
-+
-+ if (smf_type[i] == SCF_TYPE_ASTRING) {
-+ char *propval;
-+ propval = scf_simple_prop_next_astring(prop);
-+ if (propval == NULL) {
-+ propval = "";
-+ }
-+ prop_vec_ptr->pv_ptr = strdup(propval);
-+
-+ if (propval[0] == 0) {
-+ cfg_undefined |= smf_mandatory[i];
-+ }
-+ } else {
-+ /* smf_type[i] == SCF_TYPE_INTEGER */
-+ int64_t *propval;
-+ int64_t propval_;
-+
-+ propval = scf_simple_prop_next_integer(prop);
-+ propval_ = (propval == NULL) ? (0) : (*propval);
-+
-+ prop_vec_ptr->pv_ptr = malloc(sizeof (int64_t));
-+ if (prop_vec_ptr->pv_ptr != NULL) {
-+ *((int64_t *)prop_vec_ptr->pv_ptr) =
-+ propval_;
-+ }
-+ if (propval_ == 0) {
-+ cfg_undefined |= smf_mandatory[i];
-+ }
-+ }
-+ scf_simple_prop_free(prop);
-+ }
-+ if (prop_vec_ptr->pv_ptr == NULL) {
-+ free(fmri);
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ prop_vec_ptr++;
-+ }
-+
-+ printf("PF pflogd configuration:\n");
-+
-+ prop_vec_ptr = prop_vec;
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ if (smf_type[i] == SCF_TYPE_ASTRING) {
-+ const char *val = (const char *)prop_vec_ptr->pv_ptr;
-+ printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
-+ ((val[0] == '\0') ? "?? undefined ??" : val));
-+ } else {
-+ /* smf_type[i] == SCF_TYPE_INTEGER */
-+ int64_t val = *((int64_t *)prop_vec_ptr->pv_ptr);
-+ if (val == 0) {
-+ printf("\t- %s:\n\t\t%s\n", prop_vec_ptr->pv_prop,
-+ "?? undefined ??");
-+ } else {
-+ printf("\t- %s:\n\t\t%d\n", prop_vec_ptr->pv_prop,
-+ (int)val);
-+ }
-+ }
-+ prop_vec_ptr++;
-+ }
-+ if (cfg_undefined) {
-+ printf("\n\nConfiguration for %s is incomplete."
-+ " Service will not run.\n\n", fmri);
-+ } else {
-+ prop_vec_to_cfg();
-+ printf(
-+ "\n\n%s service is being launched using cmd line below\n",
-+ fmri);
-+ printf("pflogd -d %d -i %s -s %d -f %s %s\n\n",
-+ (int)smf_pflogd_cfg.cfg_delay, smf_pflogd_cfg.cfg_interface,
-+ (int)smf_pflogd_cfg.cfg_snaplen, smf_pflogd_cfg.cfg_logfile,
-+ smf_pflogd_cfg.cfg_expression);
-+ }
-+
-+ free(fmri);
-+
-+ return (0);
-+}
-+
-+/*
-+ * smf_create_pflogd_instance()
-+ * Function creates a new instance in smf(5) repository.
-+ */
-+static int
-+smf_create_pflogd_instance(const char *smf_instance)
-+{
-+ scf_handle_t *h_scf = NULL;
-+ scf_scope_t *scp_scf = NULL;
-+ scf_service_t *svc_scf = NULL;
-+ scf_instance_t *sin_scf = NULL;
-+ int rv = -1;
-+
-+ h_scf = scf_handle_create(SCF_VERSION);
-+ if ((h_scf == NULL) || (scf_handle_bind(h_scf) == -1)) {
-+ (void) fprintf(stderr, "scf_handle_bind() failed - %s\n",
-+ scf_strerror(scf_error()));
-+ if (h_scf != NULL) {
-+ scf_handle_destroy(h_scf);
-+ }
-+ return (-1);
-+ }
-+
-+ if ((scp_scf = scf_scope_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not create scope - %s\n",
-+ scf_strerror(scf_error()));
-+ goto unbind;
-+ }
-+
-+ if (scf_handle_get_local_scope(h_scf, scp_scf) != 0) {
-+ (void) fprintf(stderr, "could not get scope - %s\n",
-+ scf_strerror(scf_error()));
-+ goto scope_destroy;
-+ }
-+
-+ if ((svc_scf = scf_service_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not create service - %s\n",
-+ scf_strerror(scf_error()));
-+ goto scope_destroy;
-+ }
-+
-+ if ((sin_scf = scf_instance_create(h_scf)) == NULL) {
-+ (void) fprintf(stderr, "could not get instance handle - %s\n",
-+ scf_strerror(scf_error()));
-+ goto service_destroy;
-+ }
-+
-+ if (scf_scope_get_service(scp_scf, STRIP_SVC(BASE_FMRI), svc_scf) !=
-+ SCF_SUCCESS) {
-+ (void) fprintf(stderr, "could not select service (%s)\n",
-+ scf_strerror(scf_error()));
-+ goto instance_destroy;
-+ }
-+
-+ if (scf_service_add_instance(svc_scf, smf_instance, sin_scf) != 0) {
-+ (void) fprintf(stderr, "could not add %s instance - %s\n",
-+ smf_instance, scf_strerror(scf_error()));
-+ goto instance_destroy;
-+ }
-+
-+ if (scf_instance_add_pg(sin_scf, "general", "framework", 0,
-+ NULL) != SCF_SUCCESS) {
-+ (void) fprintf(stderr,
-+ "could not create property group - %s\n",
-+ scf_strerror(scf_error()));
-+ goto instance_delete;
-+ }
-+
-+ if (scf_instance_add_pg(sin_scf, PFLOGD_PG, "application", 0,
-+ NULL) != SCF_SUCCESS) {
-+ (void) fprintf(stderr,
-+ "could not create property group - %s\n",
-+ scf_strerror(scf_error()));
-+ goto instance_delete;
-+ }
-+
-+ rv = 0;
-+ goto instance_destroy;
-+
-+instance_delete:
-+ if (scf_instance_delete(sin_scf) != 0) {
-+ fprintf(stderr, "Can't delete the newly created instance:");
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ }
-+instance_destroy:
-+ scf_instance_destroy(sin_scf);
-+service_destroy:
-+ scf_service_destroy(svc_scf);
-+scope_destroy:
-+ scf_scope_destroy(scp_scf);
-+unbind:
-+ scf_handle_unbind(h_scf);
-+ scf_handle_destroy(h_scf);
-+
-+ return (rv);
-+}
-+
-+/*
-+ * smf_write_pflogcfg()
-+ * Function writes pflogd configuration to smf(5) repository.
-+ */
-+int
-+smf_write_pflogcfg(const char *smf_instance, int create)
-+{
-+ int i;
-+ scf_propvec_t
-+ *bad_prop_vec = NULL;
-+ char *fmri;
-+
-+ if (atexit_set == 0) {
-+ atexit(clear_prop_vec);
-+ bzero(prop_vec, sizeof (prop_vec));
-+ atexit_set = 1;
-+ }
-+
-+ if (create && (complete_pflogdcfg(smf_instance) != 0)) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ if (cfg_to_prop_vec() != 0) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ (void) asprintf(&fmri, "%s:%s", BASE_FMRI, smf_instance);
-+ if (fmri == NULL) {
-+ fprintf(stderr, "Out of memory.\n");
-+ return (-1);
-+ }
-+
-+ if (create) {
-+ if (smf_create_pflogd_instance(smf_instance) != 0) {
-+ free(fmri);
-+ return (-1);
-+ }
-+ }
-+
-+ if (create && (scf_write_propvec(fmri, "general", gen_prop_vec,
-+ &bad_prop_vec) != SCF_SUCCESS)) {
-+ fprintf(stderr, "Can't update %s configuration:", fmri);
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ if (bad_prop_vec != NULL) {
-+ fprintf(stderr, "Could not set %s\n",
-+ bad_prop_vec->pv_prop);
-+ }
-+ free(fmri);
-+ exit(1);
-+ }
-+
-+ bad_prop_vec = NULL;
-+ if (scf_write_propvec(fmri, PFLOGD_PG, prop_vec, &bad_prop_vec)
-+ != SCF_SUCCESS) {
-+ fprintf(stderr, "Can't update %s configuration:", fmri);
-+ fprintf(stderr, "\t%s\n", scf_strerror(scf_error()));
-+ if (bad_prop_vec != NULL) {
-+ fprintf(stderr, "Could not set %s\n",
-+ bad_prop_vec->pv_prop);
-+ }
-+ free(fmri);
-+ exit(1);
-+ }
-+
-+ free(fmri);
-+ return (0);
-+}
-+
-+/*
-+ * complete_pflogdcfg()
-+ * Function sets default values to properties, which are unset/undefined when
-+ * new smf(5) instance is being created.
-+ *
-+ * Returns 0 on success, -1 on out of memory error.
-+ */
-+static int
-+complete_pflogdcfg(const char *smf_instance)
-+{
-+ int i;
-+ int f = 1;
-+
-+ for (i = 0; i < SMF_CFG_PROP_COUNT; i++) {
-+ if ((smf_pflogd_cfg.cfg_set & f) == 0) {
-+ switch (i) {
-+ case SMF_LOGFILE:
-+ (void) asprintf(&smf_pflogd_cfg.cfg_logfile,
-+ "%s/%s", PFLOGD_LOG_DIR, smf_instance);
-+ if (smf_pflogd_cfg.cfg_logfile == NULL) {
-+ return (-1);
-+ }
-+ smf_pflogd_cfg.cfg_set |= SMF_CFG_LOGFILE_SET;
-+ break;
-+ case SMF_INTERFACE:
-+ smf_pflogd_cfg.cfg_interface = strdup(smf_instance);
-+ if (smf_pflogd_cfg.cfg_interface == NULL) {
-+ return (-1);
-+ }
-+ smf_pflogd_cfg.cfg_set |= SMF_CFG_INTERFACE_SET;
-+ break;
-+ case SMF_SNAPLEN:
-+ smf_pflogd_cfg.cfg_snaplen = DEF_SNAPLEN;
-+ smf_pflogd_cfg.cfg_set |= SMF_CFG_SNAPLEN_SET;
-+ break;
-+ case SMF_DELAY:
-+ smf_pflogd_cfg.cfg_delay = FLUSH_DELAY;
-+ smf_pflogd_cfg.cfg_set |= SMF_CFG_DELAY_SET;
-+ break;
-+ case SMF_EXPRESSION:
-+ smf_pflogd_cfg.cfg_expression = strdup("");
-+ smf_pflogd_cfg.cfg_set |= SMF_CFG_EXPRESSION_SET;
-+ break;
-+ default: ;
-+ }
-+ }
-+ f = f << 1;
-+ }
-+
-+ return (0);
-+}
-diff -Naur pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.h
---- pflogd-OPENBSD_5_5-OPENBSD_5_5.pre-smf/smf-config.h 1969-12-31 16:00:00.000000000 -0800
-+++ pflogd-OPENBSD_5_5-OPENBSD_5_5/smf-config.h 2016-02-17 01:17:14.520118386 -0800
-@@ -0,0 +1,53 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License (the "License").
-+ * You may not use this file except in compliance with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ *
-+ */
-+
-+/*
-+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-+ */
-+
-+#ifndef _SMF_CONFIG_H_
-+#define _SMF_CONFIG_H_
-+
-+#define BASE_FMRI "svc:/network/firewall/pflog"
-+#define DEFAULT_INSTANCE "pflog0"
-+
-+#define SMF_CFG_LOGFILE_SET 0x00000001
-+#define SMF_CFG_SNAPLEN_SET 0x00000002
-+#define SMF_CFG_INTERFACE_SET 0x00000004
-+#define SMF_CFG_DELAY_SET 0x00000008
-+#define SMF_CFG_EXPRESSION_SET 0x00000010
-+
-+typedef struct smf_pflogd_cfg {
-+ unsigned int cfg_set; /* SMF_CFG_*_SET bit field */
-+ char *cfg_logfile;
-+ int64_t cfg_snaplen;
-+ char *cfg_interface;
-+ int64_t cfg_delay;
-+ char *cfg_expression;
-+} smf_pflogd_cfg_t;
-+
-+extern smf_pflogd_cfg_t smf_pflogd_cfg;
-+
-+extern int smf_print_pflogcfg(const char *);
-+extern int smf_write_pflogcfg(const char *, int);
-+
-+#endif /* !_SMF_CONFIG_H_ */
--- a/components/pflogd/pflogd.Solaris/firewall-pflog.xml Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,136 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
-<!--
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License (the "License").
- You may not use this file except in compliance with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
-
- Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-
- NOTE: This service manifest is not editable; its contents will
- be overwritten by package or patch operations, including
- operating system upgrade. Make customizations in a different
- file.
--->
-
-<service_bundle type='manifest' name='network/firewall/pflog' >
-
-<service
- name='network/firewall/pflog'
- type='service'
- version='1'>
- <method_context>
- <method_credential
- user='daemon'
- group='daemon'
- privileges='basic,!file_write,!file_link_any,!proc_info,!proc_session,!net_access,net_observability,sys_ip_config,{file_write}:/var/log/firewall/*'
- />
- </method_context>
-
- <exec_method
- type='method'
- name='start'
- exec='/lib/svc/method/pflog start "%{pflog/logfile}" "%{pflog/snaplen}" "%{pflog/interface}" "%{pflog/delay}" "%{pflog/filter}"'
- timeout_seconds='30'>
- </exec_method>
-
- <exec_method
- type='method'
- name='stop'
- exec=':kill'
- timeout_seconds='60'>
- </exec_method>
-
- <exec_method
- type='method'
- name='refresh'
- exec=':kill -HUP'
- timeout_seconds='5'>
- </exec_method>
-
- <instance name='default' enabled='false' complete='true'>
- <property_group name="general" type="framework">
- <propval
- name='action_authorization'
- type='astring'
- value='solaris.smf.manage.network.firewall' />
- <propval
- name='value_authorization'
- type='astring'
- value='solaris.smf.manage.network.firewall' />
- </property_group>
- <property_group name='pflog' type='application'>
- <propval
- name='logfile'
- type='astring'
- value='/var/log/firewall/pflog/pflog0.pkt' />
- <propval name='snaplen' type='integer' value='160' />
- <propval
- name='interface'
- type='astring'
- value='pflog0' />
- <propval name='delay' type='integer' value='60' />
- <propval name='filter' type='astring' value='' />
- <propval
- name='value_authorization'
- type='astring'
- value='solaris.smf.value.network.firewall' />
- </property_group>
- </instance>
-
- <stability value='Unstable' />
-
- <template>
- <common_name>
- <loctext xml:lang='C'>
- pflog - PF log daemon
- </loctext>
- </common_name>
- <documentation>
- <manpage title='pflogd' section='1M' manpath='/usr/share/man' />
- </documentation>
- <pg_pattern name="pflog" type="application" target="instance" required="true">
- <prop_pattern name="logfile" type="astring" required="true">
- <cardinality min="1" max="1"/>
- </prop_pattern>
- <prop_pattern name="snaplen" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="0" max="2147483647"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="interface" type="astring" required="true">
- <cardinality min="1" max="1"/>
- </prop_pattern>
- <prop_pattern name="delay" type="integer" required="true">
- <cardinality min="1" max="1"/>
- <constraints>
- <range min="5" max="3600"/>
- </constraints>
- </prop_pattern>
- <prop_pattern name="filter" type="astring" required="true">
- <cardinality min="0" max="1"/>
- </prop_pattern>
- <prop_pattern name="value_authorization" type="astring">
- </prop_pattern>
- </pg_pattern>
- </template>
-</service>
-
-</service_bundle>
--- a/components/pflogd/pflogd.Solaris/pflog Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,113 +0,0 @@
-#!/sbin/sh
-#
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-. /lib/svc/share/smf_include.sh
-
-PATH=$PATH:/usr/sbin
-
-# Retrieve an unescaped property value from a method token.
-# Arguments:
-# - raw method token value
-# Outputs:
-# - unescaped property value
-# Returns:
-# - 0 on succes
-# - 1 when unescaping failed
-# - 2 when the value is empty
-function get_property
-{
- VALUE="$(echo "$1" | /usr/bin/sed 's/\\\(.\)/\1/g')"
-
- if [[ $? -ne 0 ]]; then
- exit 1
- fi
-
- echo "$VALUE"
-}
-
-function failure
-{
- echo "An unknown error occurred. Probably either /usr/bin/sed is"
- echo "missing or system resources are exhausted."
- exit $SMF_EXIT_ERR_FATAL
-}
-
-# store and unescape property values
-PFLOGD_LOGFILE="$(get_property "$2")" || failure
-PFLOGD_SNAPLEN="$(get_property "$3")" || failure
-PFLOGD_IFACE="$(get_property "$4")" || failure
-PFLOGD_DELAY="$(get_property "$5")" || failure
-PFLOGD_FILTER="$(get_property "$6")" || failure
-
-# check property values for emptiness (pflog/filter may be empty)
-if [[ -z $PFLOGD_LOGFILE ]]; then
- echo "The pflog/logfile property cannot be empty."
- exit $SMF_EXIT_ERR_FATAL
-fi
-if [[ -z $PFLOGD_SNAPLEN ]]; then
- echo "The pflog/snaplen property cannot be empty."
- exit $SMF_EXIT_ERR_FATAL
-fi
-if [[ -z $PFLOGD_IFACE ]]; then
- echo "The pflog/interface property cannot be empty."
- exit $SMF_EXIT_ERR_FATAL
-fi
-if [[ -z $PFLOGD_DELAY ]]; then
- echo "The pflog/delay property cannot be empty."
- exit $SMF_EXIT_ERR_FATAL
-fi
-
-case "$1" in
- start)
- # Create non-persistent capture link if it does not exist.
- echo "Checking if capture link exists.."
- dladm show-cap "$PFLOGD_IFACE"
- if [[ $? -ne 0 ]] ; then
- echo "Creating a temporary capture link.."
- dladm create-cap -t "$PFLOGD_IFACE"
- if [ $? -ne 0 ] ; then
- exit $SMF_EXIT_ERR_FATAL
- fi
- fi
-
- # Start the daemon.
- smf_clear_env
- pflogd -i "$PFLOGD_IFACE" -s "$PFLOGD_SNAPLEN" \
- -f "$PFLOGD_LOGFILE" -d "$PFLOGD_DELAY" "$PFLOGD_FILTER"
- if [[ $? -ne 0 ]] ; then
- exit $SMF_EXIT_ERR_FATAL
- fi
- ;;
-
- *)
- echo "Usage: $0 \c" >&2
- echo "(start)" >&2
- exit 1
- ;;
-
-esac
-
-exit $SMF_EXIT_OK
--- a/components/pflogd/pflogd.license Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,130 +0,0 @@
---------------------------------------------------------------------------------
-This package brings a (modified) pflogd component coming from OpenBSD 5.5.
---------------------------------------------------------------------------------
-
-pflogd.8:
-.\" $OpenBSD: pflogd.8,v 1.46 2014/01/21 03:15:45 schwarze Exp $
-.\"
-.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-
-pflogd.c:
-/*
- * Copyright (c) 2001 Theo de Raadt
- * Copyright (c) 2001 Can Erkin Acar
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * - Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-pflogd.h:
-/*
- * Copyright (c) 2003 Can Erkin Acar
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-privsep_fdpass.c:
-/*
- * Copyright 2001 Niels Provos <[email protected]>
- * All rights reserved.
- *
- * Copyright (c) 2002 Matthieu Herrb
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * - Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-privsep.c:
-/*
- * Copyright (c) 2003 Can Erkin Acar
- * Copyright (c) 2003 Anil Madhavapeddy <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
--- a/components/pflogd/pflogd.p5m Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-
-#
-# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-<transform file path=usr.*/man/.+ -> default mangler.man.stability volatile>
-set name=pkg.fmri \
- value=pkg:/network/firewall/firewall-pflog@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
-set name=pkg.summary value="pflog - PF packet log daemon"
-set name=pkg.description \
- value="pflogd reads PF logged packets from capture link device"
-set name=com.oracle.info.description value="pflog, PF log daemon"
-set name=com.oracle.info.tpno value=$(TPNO)
-set name=info.classification \
- value="org.opensolaris.category.2008:System/Administration and Configuration"
-set name=info.source-url \
- value=http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pflogd/
-set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2014/291
-set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-file pflogd.Solaris/firewall-pflog.xml \
- path=lib/svc/manifest/network/firewall/pflog.xml
-file pflogd.Solaris/pflog path=lib/svc/method/pflog mode=0555
-file path=usr/sbin/pflogd
-file path=usr/share/man/man8/pflogd.8
-dir path=var/log/firewall owner=daemon group=daemon mode=0700
-dir path=var/log/firewall/pflog owner=daemon group=daemon mode=0700
-license pflogd.license license="pflogd license"
-depend type=require fmri=pkg:/network/[email protected]
--- a/make-rules/prep-cvs.mk Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-CVS=$(WS_TOP)/tools/proxy_cvs
-
-#
-# Anything that we pull from a CVS repo must have a CVS_REPO{_[0-9]+} and
-# CVS_TAG{_[0-9]+} to match.
-#
-
-CVS_SUFFIXES = $(subst CVS_REPO_,, $(filter CVS_REPO_%, $(.VARIABLES)))
-
-define cvs-rules
-ifdef CVS_REPO$(1)
-ifdef CVS_PATH$(1)
-ifdef CVS_TAG$(1)
-
-COMPONENT_SRC$(1) = $(COMPONENT_NAME)-$(COMPONENT_VERSION)-$$(CVS_TAG$(1))
-COMPONENT_ARCHIVE$(1) = $$(COMPONENT_SRC$(1)).tar.bz2
-
-CLEAN_PATHS += $$(COMPONENT_SRC$(1))
-CLOBBER_PATHS += $$(COMPONENT_ARCHIVE$(1))
-SOURCE_DIR$(1) = $$(COMPONENT_DIR)/$(COMPONENT_SRC$(1))
-
-download:: $$(USERLAND_ARCHIVES)$$(COMPONENT_ARCHIVE$(1))
-
-# First attempt to download a cached archive of the CVS repo at the proper
-# CVS tag. If that fails, create an archive by cloning the CVS repo,
-# updating to the selected tag, archiving that directory, and cleaning up
-# when complete.
-$$(USERLAND_ARCHIVES)$$(COMPONENT_ARCHIVE$(1)): $(MAKEFILE_PREREQ)
- $$(FETCH) --file $$@ $$(CVS_HASH$(1):%=--hash %) || \
- (TMP_REPO=$$$$(mktemp --directory ./cvs.XXXXXX) && \
- $(CVS) -qd $$(CVS_REPO$(1)) get $$(CVS_TAG$(1):%=-r%) -d $$$${TMP_REPO} $$(CVS_PATH$(1)) && \
- /usr/gnu/bin/tar --create --file - --absolute-names \
- --transform="s;$$$${TMP_REPO};$$(COMPONENT_SRC$(1));g" \
- --bzip2 $$$${TMP_REPO} >$$@ && \
- $(RM) -rf $$$${TMP_REPO} && \
- CVS_HASH=$$$$(digest -a sha256 $$@) && \
- $(GSED) -i \
- -e "s/^CVS_HASH$(1)=.*/CVS_HASH$(1)= sha256:$$$${CVS_HASH}/" \
- Makefile)
-
-REQUIRED_PACKAGES += developer/versioning/cvs
-
-endif
-endif
-endif
-endef
-
-#
-# Define the rules required to download any source archives and augment any
-# cleanup macros.
-#
-$(eval $(call cvs-rules,))
-$(foreach suffix, $(CVS_SUFFIXES), $(eval $(call cvs-rules,_$(suffix))))
--- a/make-rules/prep.mk Wed Mar 09 08:20:13 2016 -0800
+++ b/make-rules/prep.mk Wed Mar 09 13:49:42 2016 -0800
@@ -20,14 +20,13 @@
#
#
-# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
#
include $(WS_MAKE_RULES)/prep-download.mk
include $(WS_MAKE_RULES)/prep-hg.mk
include $(WS_MAKE_RULES)/prep-git.mk
include $(WS_MAKE_RULES)/prep-svn.mk
-include $(WS_MAKE_RULES)/prep-cvs.mk
include $(WS_MAKE_RULES)/prep-unpack.mk
include $(WS_MAKE_RULES)/prep-patch.mk
--- a/tools/Makefile Wed Mar 09 08:20:13 2016 -0800
+++ b/tools/Makefile Wed Mar 09 13:49:42 2016 -0800
@@ -24,8 +24,7 @@
include ../make-rules/shared-macros.mk
download setup prep build install publish \
-validate: links pkglint time-$(MACH32).so time-$(MACH64).so \
- proxy_cvs
+validate: links pkglint time-$(MACH32).so time-$(MACH64).so
# generate wrappers for parfait. we need to generate them
# with the correct compiler variables from the common makefiles because
@@ -53,9 +52,6 @@
> pkglint
@chmod +x pkglint
-proxy_cvs:
- @cp proxy_cvs.sh proxy_cvs
- @chmod +x proxy_cvs
time-$(MACH64).o: BITS=64
time-$(MACH32).o time-$(MACH64).o: CFLAGS += -Kpic
@@ -69,7 +65,6 @@
clean:
@$(RM) time-*.o time*.bc
@$(RM) pkglint
- @$(RM) proxy_cvs
clobber: clean
@$(RM) time-*.so python/pkglint/*.pyc
--- a/tools/proxy_cvs.sh Wed Mar 09 08:20:13 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,96 +0,0 @@
-#!/bin/sh
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-
-# proxy_cvs.sh
-# script tunnels cvs+ssh through http proxy outside of ORAWAN. It's easy to
-# tell cvs to use ssh instead of rsh, just set 'CVS_RSH=ssh'. It's lot harder
-# to tell ssh running on cvs behalf to use http proxy. So our approach is to
-# create temp script, which executes ssh with all proxy parameters to set up
-# HTTP tunnel for ssh session.
-#
-# If `http_proxy` variable is not set the script uses a default proxy,
-# which is 'emeacache.uk.oracle.com:80'.
-#
-# All arguments, which appear on command line are passed to cvs(1) command with
-# out any modification.
-#
-# Example:
-# To check out pflogd sources from OpenBSD repository to local pflogd.src
-# directory one invokes proxy_cvs.sh like that:
-#
-# proxy_cvs.sh -qd [email protected]:/cvs \
-# -d pflogd.src src/sbin/pflogd
-#
-# To check a particular version of pflogd sources, one has to use a
-# corresponding CVS version tag assigned by upstream developers. Command below
-# retrieves pflogd source code released by OpenBSD 5.4:
-#
-# proxy_cvs.sh -qd [email protected]:/cvs \
-# -rOPENBSD_5_4 -d pflogd.src src/sbin/pflogd
-#
-
-#
-# crate_ssh_wrapper
-# function creates a shell script, which a netcat(1) as proxy to tunnel
-# ssh via http proxy.
-#
-# Arguments:
-# file name where to dump script, function makes file executable.
-#
-function create_ssh_wraper
-{
- if [ -z "$http_proxy" ] ; then
- HTTP_PROXY='emeacache.uk.oracle.com:80'
- else
- HTTP_PROXY=$http_proxy
- fi
- echo '#!/bin/sh\n' > $1
- echo 'ssh -oProxyCommand='"'/usr/bin/nc -X connect -x $HTTP_PROXY %h %p'"\
- '-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null $*' >> $1
- chmod +x $1
-}
-
-#
-# This is a workaround. I don't know how to pass all arguments required by
-# 'ssh/http' proxy into CVS_RSH environment variable. So my solution is to
-# dump desired arguments into a temporary shell script and point CVS_RSH
-# variable to it.
-#
-function init_cvs_rsh
-{
- export TMPF=`mktemp`
- create_ssh_wraper $TMPF;
- CVS_RSH=$TMPF
- export CVS_RSH
-}
-
-init_cvs_rsh
-
-trap "rm -f $TMPF" EXIT
-
-cvs $*
-
-RETURN=$?
-
-exit $RETURN