xref: /freebsd/contrib/pf/authpf/authpf.c (revision 076b94438c7d42c1b4661ed1e12e3b12ca69361a)
1 /*	$OpenBSD: authpf.c,v 1.112 2009/01/10 19:08:53 miod Exp $	*/
2 
3 /*
4  * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <sys/cdefs.h>
20 __FBSDID("$FreeBSD$");
21 
22 #include <sys/types.h>
23 #include <sys/file.h>
24 #include <sys/ioctl.h>
25 #include <sys/socket.h>
26 #include <sys/stat.h>
27 #include <sys/time.h>
28 #include <sys/wait.h>
29 
30 #include <net/if.h>
31 #include <net/pfvar.h>
32 #include <arpa/inet.h>
33 
34 #include <err.h>
35 #include <errno.h>
36 #ifdef __FreeBSD__
37 #include <inttypes.h>
38 #endif
39 #include <login_cap.h>
40 #include <pwd.h>
41 #include <grp.h>
42 #include <signal.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <syslog.h>
47 #include <unistd.h>
48 
49 #include "pathnames.h"
50 
51 static int	read_config(FILE *);
52 static void	print_message(const char *);
53 static int	allowed_luser(struct passwd *);
54 static int	check_luser(const char *, char *);
55 static int	remove_stale_rulesets(void);
56 static int	recursive_ruleset_purge(char *, char *);
57 static int	change_filter(int, const char *, const char *);
58 static int	change_table(int, const char *);
59 static void	authpf_kill_states(void);
60 
61 int	dev;			/* pf device */
62 char	anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
63 char	rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
64 char	tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
65 int	user_ip = 1;	/* controls whether $user_ip is set */
66 
67 FILE	*pidfp;
68 int	pidfd = -1;
69 char	 luser[MAXLOGNAME];	/* username */
70 char	 ipsrc[256];		/* ip as a string */
71 char	 pidfile[MAXPATHLEN];	/* we save pid in this file. */
72 
73 struct timeval	Tstart, Tend;	/* start and end times of session */
74 
75 volatile sig_atomic_t	want_death;
76 static void		need_death(int signo);
77 #ifdef __FreeBSD__
78 static __dead2 void	do_death(int);
79 #else
80 static __dead void	do_death(int);
81 #endif
82 extern char *__progname;	/* program name */
83 
84 /*
85  * User shell for authenticating gateways. Sole purpose is to allow
86  * a user to ssh to a gateway, and have the gateway modify packet
87  * filters to allow access, then remove access when the user finishes
88  * up. Meant to be used only from ssh(1) connections.
89  */
90 int
91 main(void)
92 {
93 	int		 lockcnt = 0, n;
94 	FILE		*config;
95 	struct in6_addr	 ina;
96 	struct passwd	*pw;
97 	char		*cp;
98 	gid_t		 gid;
99 	uid_t		 uid;
100 	const char	*shell;
101 	login_cap_t	*lc;
102 
103 	if (strcmp(__progname, "-authpf-noip") == 0)
104                 user_ip = 0;
105 
106 	config = fopen(PATH_CONFFILE, "r");
107 	if (config == NULL) {
108 		syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
109 		exit(1);
110 	}
111 
112 	if ((cp = getenv("SSH_TTY")) == NULL) {
113 		syslog(LOG_ERR, "non-interactive session connection for authpf");
114 		exit(1);
115 	}
116 
117 	if ((cp = getenv("SSH_CLIENT")) == NULL) {
118 		syslog(LOG_ERR, "cannot determine connection source");
119 		exit(1);
120 	}
121 
122 	if (strlcpy(ipsrc, cp, sizeof(ipsrc)) >= sizeof(ipsrc)) {
123 		syslog(LOG_ERR, "SSH_CLIENT variable too long");
124 		exit(1);
125 	}
126 	cp = strchr(ipsrc, ' ');
127 	if (!cp) {
128 		syslog(LOG_ERR, "corrupt SSH_CLIENT variable %s", ipsrc);
129 		exit(1);
130 	}
131 	*cp = '\0';
132 	if (inet_pton(AF_INET, ipsrc, &ina) != 1 &&
133 	    inet_pton(AF_INET6, ipsrc, &ina) != 1) {
134 		syslog(LOG_ERR,
135 		    "cannot determine IP from SSH_CLIENT %s", ipsrc);
136 		exit(1);
137 	}
138 	/* open the pf device */
139 	dev = open(PATH_DEVFILE, O_RDWR);
140 	if (dev == -1) {
141 		syslog(LOG_ERR, "cannot open packet filter device (%m)");
142 		goto die;
143 	}
144 
145 	uid = getuid();
146 	pw = getpwuid(uid);
147 	if (pw == NULL) {
148 		syslog(LOG_ERR, "cannot find user for uid %u", uid);
149 		goto die;
150 	}
151 
152 	if ((lc = login_getclass(pw->pw_class)) != NULL)
153 		shell = login_getcapstr(lc, "shell", pw->pw_shell,
154 		    pw->pw_shell);
155 	else
156 		shell = pw->pw_shell;
157 
158 #ifndef __FreeBSD__
159 	login_close(lc);
160 #endif
161 
162 	if (strcmp(shell, PATH_AUTHPF_SHELL) &&
163 	    strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
164 		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
165 		    pw->pw_name, pw->pw_uid);
166 #ifdef __FreeBSD__
167 	login_close(lc);
168 #else
169 		if (shell != pw->pw_shell)
170 			free(shell);
171 #endif
172 		goto die;
173 	}
174 
175 #ifdef __FreeBSD__
176 	login_close(lc);
177 #else
178 	if (shell != pw->pw_shell)
179 		free(shell);
180 #endif
181 
182 	/*
183 	 * Paranoia, but this data _does_ come from outside authpf, and
184 	 * truncation would be bad.
185 	 */
186 	if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) {
187 		syslog(LOG_ERR, "username too long: %s", pw->pw_name);
188 		goto die;
189 	}
190 
191 	if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
192 	    luser, (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
193 		syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
194 		    luser, (long)getpid(), (long)getpid());
195 		if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
196 		    (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
197 			syslog(LOG_ERR, "pid too large for ruleset name");
198 			goto die;
199 		}
200 	}
201 
202 
203 	/* Make our entry in /var/authpf as ipaddr or username */
204 	n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
205 	    PATH_PIDFILE, user_ip ? ipsrc : luser);
206 	if (n < 0 || (u_int)n >= sizeof(pidfile)) {
207 		syslog(LOG_ERR, "path to pidfile too long");
208 		goto die;
209 	}
210 
211 	signal(SIGTERM, need_death);
212 	signal(SIGINT, need_death);
213 	signal(SIGALRM, need_death);
214 	signal(SIGPIPE, need_death);
215 	signal(SIGHUP, need_death);
216 	signal(SIGQUIT, need_death);
217 	signal(SIGTSTP, need_death);
218 
219 	/*
220 	 * If someone else is already using this ip, then this person
221 	 * wants to switch users - so kill the old process and exit
222 	 * as well.
223 	 *
224 	 * Note, we could print a message and tell them to log out, but the
225 	 * usual case of this is that someone has left themselves logged in,
226 	 * with the authenticated connection iconized and someone else walks
227 	 * up to use and automatically logs in before using. If this just
228 	 * gets rid of the old one silently, the new user never knows they
229 	 * could have used someone else's old authentication. If we
230 	 * tell them to log out before switching users it is an invitation
231 	 * for abuse.
232 	 */
233 
234 	do {
235 		int	save_errno, otherpid = -1;
236 		char	otherluser[MAXLOGNAME];
237 
238 		if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 ||
239 		    (pidfp = fdopen(pidfd, "r+")) == NULL) {
240 			if (pidfd != -1)
241 				close(pidfd);
242 			syslog(LOG_ERR, "cannot open or create %s: %s", pidfile,
243 			    strerror(errno));
244 			goto die;
245 		}
246 
247 		if (flock(fileno(pidfp), LOCK_EX|LOCK_NB) == 0)
248 			break;
249 		save_errno = errno;
250 
251 		/* Mark our pid, and username to our file. */
252 
253 		rewind(pidfp);
254 		/* 31 == MAXLOGNAME - 1 */
255 		if (fscanf(pidfp, "%d\n%31s\n", &otherpid, otherluser) != 2)
256 			otherpid = -1;
257 		syslog(LOG_DEBUG, "tried to lock %s, in use by pid %d: %s",
258 		    pidfile, otherpid, strerror(save_errno));
259 
260 		if (otherpid > 0) {
261 			syslog(LOG_INFO,
262 			    "killing prior auth (pid %d) of %s by user %s",
263 			    otherpid, ipsrc, otherluser);
264 			if (kill((pid_t) otherpid, SIGTERM) == -1) {
265 				syslog(LOG_INFO,
266 				    "could not kill process %d: (%m)",
267 				    otherpid);
268 			}
269 		}
270 
271 		/*
272 		 * We try to kill the previous process and acquire the lock
273 		 * for 10 seconds, trying once a second. if we can't after
274 		 * 10 attempts we log an error and give up.
275 		 */
276 		if (want_death || ++lockcnt > 10) {
277 			if (!want_death)
278 				syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
279 				    otherpid);
280 			fclose(pidfp);
281 			pidfp = NULL;
282 			pidfd = -1;
283 			goto dogdeath;
284 		}
285 		sleep(1);
286 
287 		/* re-open, and try again. The previous authpf process
288 		 * we killed above should unlink the file and release
289 		 * it's lock, giving us a chance to get it now
290 		 */
291 		fclose(pidfp);
292 		pidfp = NULL;
293 		pidfd = -1;
294 	} while (1);
295 
296 	/* whack the group list */
297 	gid = getegid();
298 	if (setgroups(1, &gid) == -1) {
299 		syslog(LOG_INFO, "setgroups: %s", strerror(errno));
300 		do_death(0);
301 	}
302 
303 	/* revoke privs */
304 	uid = getuid();
305 	if (setresuid(uid, uid, uid) == -1) {
306 		syslog(LOG_INFO, "setresuid: %s", strerror(errno));
307 		do_death(0);
308 	}
309 	openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
310 
311 	if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
312 		syslog(LOG_INFO, "user %s prohibited", luser);
313 		do_death(0);
314 	}
315 
316 	if (read_config(config)) {
317 		syslog(LOG_ERR, "invalid config file %s", PATH_CONFFILE);
318 		do_death(0);
319 	}
320 
321 	if (remove_stale_rulesets()) {
322 		syslog(LOG_INFO, "error removing stale rulesets");
323 		do_death(0);
324 	}
325 
326 	/* We appear to be making headway, so actually mark our pid */
327 	rewind(pidfp);
328 	fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
329 	fflush(pidfp);
330 	(void) ftruncate(fileno(pidfp), ftello(pidfp));
331 
332 	if (change_filter(1, luser, ipsrc) == -1) {
333 		printf("Unable to modify filters\r\n");
334 		do_death(0);
335 	}
336 	if (user_ip && change_table(1, ipsrc) == -1) {
337 		printf("Unable to modify table\r\n");
338 		change_filter(0, luser, ipsrc);
339 		do_death(0);
340 	}
341 
342 	while (1) {
343 		printf("\r\nHello %s. ", luser);
344 		printf("You are authenticated from host \"%s\"\r\n", ipsrc);
345 		setproctitle("%s@%s", luser, ipsrc);
346 		print_message(PATH_MESSAGE);
347 		while (1) {
348 			sleep(10);
349 			if (want_death)
350 				do_death(1);
351 		}
352 	}
353 
354 	/* NOTREACHED */
355 dogdeath:
356 	printf("\r\n\r\nSorry, this service is currently unavailable due to ");
357 	printf("technical difficulties\r\n\r\n");
358 	print_message(PATH_PROBLEM);
359 	printf("\r\nYour authentication process (pid %ld) was unable to run\n",
360 	    (long)getpid());
361 	sleep(180); /* them lusers read reaaaaal slow */
362 die:
363 	do_death(0);
364 }
365 
366 /*
367  * reads config file in PATH_CONFFILE to set optional behaviours up
368  */
369 static int
370 read_config(FILE *f)
371 {
372 	char	buf[1024];
373 	int	i = 0;
374 
375 	do {
376 		char	**ap;
377 		char	 *pair[4], *cp, *tp;
378 		int	  len;
379 
380 		if (fgets(buf, sizeof(buf), f) == NULL) {
381 			fclose(f);
382 			return (0);
383 		}
384 		i++;
385 		len = strlen(buf);
386 		if (len == 0)
387 			continue;
388 		if (buf[len - 1] != '\n' && !feof(f)) {
389 			syslog(LOG_ERR, "line %d too long in %s", i,
390 			    PATH_CONFFILE);
391 			return (1);
392 		}
393 		buf[len - 1] = '\0';
394 
395 		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
396 			; /* nothing */
397 
398 		if (!*cp || *cp == '#' || *cp == '\n')
399 			continue;
400 
401 		for (ap = pair; ap < &pair[3] &&
402 		    (*ap = strsep(&cp, "=")) != NULL; ) {
403 			if (**ap != '\0')
404 				ap++;
405 		}
406 		if (ap != &pair[2])
407 			goto parse_error;
408 
409 		tp = pair[1] + strlen(pair[1]);
410 		while ((*tp == ' ' || *tp == '\t') && tp >= pair[1])
411 			*tp-- = '\0';
412 
413 		if (strcasecmp(pair[0], "anchor") == 0) {
414 			if (!pair[1][0] || strlcpy(anchorname, pair[1],
415 			    sizeof(anchorname)) >= sizeof(anchorname))
416 				goto parse_error;
417 		}
418 		if (strcasecmp(pair[0], "table") == 0) {
419 			if (!pair[1][0] || strlcpy(tablename, pair[1],
420 			    sizeof(tablename)) >= sizeof(tablename))
421 				goto parse_error;
422 		}
423 	} while (!feof(f) && !ferror(f));
424 	fclose(f);
425 	return (0);
426 
427 parse_error:
428 	fclose(f);
429 	syslog(LOG_ERR, "parse error, line %d of %s", i, PATH_CONFFILE);
430 	return (1);
431 }
432 
433 
434 /*
435  * splatter a file to stdout - max line length of 1024,
436  * used for spitting message files at users to tell them
437  * they've been bad or we're unavailable.
438  */
439 static void
440 print_message(const char *filename)
441 {
442 	char	 buf[1024];
443 	FILE	*f;
444 
445 	if ((f = fopen(filename, "r")) == NULL)
446 		return; /* fail silently, we don't care if it isn't there */
447 
448 	do {
449 		if (fgets(buf, sizeof(buf), f) == NULL) {
450 			fflush(stdout);
451 			fclose(f);
452 			return;
453 		}
454 	} while (fputs(buf, stdout) != EOF && !feof(f));
455 	fflush(stdout);
456 	fclose(f);
457 }
458 
459 /*
460  * allowed_luser checks to see if user "luser" is allowed to
461  * use this gateway by virtue of being listed in an allowed
462  * users file, namely /etc/authpf/authpf.allow .
463  * Users may be listed by <username>, %<group>, or @<login_class>.
464  *
465  * If /etc/authpf/authpf.allow does not exist, then we assume that
466  * all users who are allowed in by sshd(8) are permitted to
467  * use this gateway. If /etc/authpf/authpf.allow does exist, then a
468  * user must be listed if the connection is to continue, else
469  * the session terminates in the same manner as being banned.
470  */
471 static int
472 allowed_luser(struct passwd *pw)
473 {
474 	char *buf,*lbuf;
475 	int	 matched;
476 	size_t	 len;
477 	FILE	*f;
478 
479 	if ((f = fopen(PATH_ALLOWFILE, "r")) == NULL) {
480 		if (errno == ENOENT) {
481 			/*
482 			 * allowfile doesn't exist, thus this gateway
483 			 * isn't restricted to certain users...
484 			 */
485 			return (1);
486 		}
487 
488 		/*
489 		 * luser may in fact be allowed, but we can't open
490 		 * the file even though it's there. probably a config
491 		 * problem.
492 		 */
493 		syslog(LOG_ERR, "cannot open allowed users file %s (%s)",
494 		    PATH_ALLOWFILE, strerror(errno));
495 		return (0);
496 	} else {
497 		/*
498 		 * /etc/authpf/authpf.allow exists, thus we do a linear
499 		 * search to see if they are allowed.
500 		 * also, if username "*" exists, then this is a
501 		 * "public" gateway, such as it is, so let
502 		 * everyone use it.
503 		 */
504 		int gl_init = 0, ngroups = NGROUPS + 1;
505 		gid_t groups[NGROUPS + 1];
506 
507 		lbuf = NULL;
508 		matched = 0;
509 
510 		while ((buf = fgetln(f, &len))) {
511 
512 			if (buf[len - 1] == '\n')
513 				buf[len - 1] = '\0';
514 			else {
515 				if ((lbuf = (char *)malloc(len + 1)) == NULL)
516 					err(1, NULL);
517 				memcpy(lbuf, buf, len);
518 				lbuf[len] = '\0';
519 				buf = lbuf;
520 			}
521 
522 			if (buf[0] == '@') {
523 				/* check login class */
524 				if (strcmp(pw->pw_class, buf + 1) == 0)
525 					matched++;
526 			} else if (buf[0] == '%') {
527 				/* check group membership */
528 				int cnt;
529 				struct group *group;
530 
531 				if ((group = getgrnam(buf + 1)) == NULL) {
532 					syslog(LOG_ERR,
533 					    "invalid group '%s' in %s (%s)",
534 					    buf + 1, PATH_ALLOWFILE,
535 				 	    strerror(errno));
536 					return (0);
537 				}
538 
539 				if (!gl_init) {
540 					(void) getgrouplist(pw->pw_name,
541 					    pw->pw_gid, groups, &ngroups);
542 					gl_init++;
543 				}
544 
545 				for ( cnt = 0; cnt < ngroups; cnt++) {
546 					if (group->gr_gid == groups[cnt]) {
547 						matched++;
548 						break;
549 					}
550 				}
551 			} else {
552 				/* check username and wildcard */
553 				matched = strcmp(pw->pw_name, buf) == 0 ||
554 				    strcmp("*", buf) == 0;
555 			}
556 
557 			if (lbuf != NULL) {
558 				free(lbuf);
559 				lbuf = NULL;
560 			}
561 
562 			if (matched)
563 				return (1); /* matched an allowed user/group */
564 		}
565 		syslog(LOG_INFO, "denied access to %s: not listed in %s",
566 		    pw->pw_name, PATH_ALLOWFILE);
567 
568 		/* reuse buf */
569 		sprintf(buf, "%s", "\n\nSorry, you are not allowed to use this facility!\n");
570 		fputs(buf, stdout);
571 	}
572 	fflush(stdout);
573 	return (0);
574 }
575 
576 /*
577  * check_luser checks to see if user "luser" has been banned
578  * from using us by virtue of having an file of the same name
579  * in the "luserdir" directory.
580  *
581  * If the user has been banned, we copy the contents of the file
582  * to the user's screen. (useful for telling the user what to
583  * do to get un-banned, or just to tell them they aren't
584  * going to be un-banned.)
585  */
586 static int
587 check_luser(const char *luserdir, char *l_user)
588 {
589 	FILE	*f;
590 	int	 n;
591 	char	 tmp[MAXPATHLEN];
592 
593 	n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, l_user);
594 	if (n < 0 || (u_int)n >= sizeof(tmp)) {
595 		syslog(LOG_ERR, "provided banned directory line too long (%s)",
596 		    luserdir);
597 		return (0);
598 	}
599 	if ((f = fopen(tmp, "r")) == NULL) {
600 		if (errno == ENOENT) {
601 			/*
602 			 * file or dir doesn't exist, so therefore
603 			 * this luser isn't banned..  all is well
604 			 */
605 			return (1);
606 		} else {
607 			/*
608 			 * luser may in fact be banned, but we can't open the
609 			 * file even though it's there. probably a config
610 			 * problem.
611 			 */
612 			syslog(LOG_ERR, "cannot open banned file %s (%s)",
613 			    tmp, strerror(errno));
614 			return (0);
615 		}
616 	} else {
617 		/*
618 		 * luser is banned - spit the file at them to
619 		 * tell what they can do and where they can go.
620 		 */
621 		syslog(LOG_INFO, "denied access to %s: %s exists",
622 		    l_user, tmp);
623 
624 		/* reuse tmp */
625 		strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n",
626 		    sizeof(tmp));
627 		while (fputs(tmp, stdout) != EOF && !feof(f)) {
628 			if (fgets(tmp, sizeof(tmp), f) == NULL) {
629 				fflush(stdout);
630 				fclose(f);
631 				return (0);
632 			}
633 		}
634 		fclose(f);
635 	}
636 	fflush(stdout);
637 	return (0);
638 }
639 
640 /*
641  * Search for rulesets left by other authpf processes (either because they
642  * died ungracefully or were terminated) and remove them.
643  */
644 static int
645 remove_stale_rulesets(void)
646 {
647 	struct pfioc_ruleset	 prs;
648 	u_int32_t		 nr;
649 
650 	memset(&prs, 0, sizeof(prs));
651 	strlcpy(prs.path, anchorname, sizeof(prs.path));
652 	if (ioctl(dev, DIOCGETRULESETS, &prs)) {
653 		if (errno == EINVAL)
654 			return (0);
655 		else
656 			return (1);
657 	}
658 
659 	nr = prs.nr;
660 	while (nr) {
661 		char	*s, *t;
662 		pid_t	 pid;
663 
664 		prs.nr = nr - 1;
665 		if (ioctl(dev, DIOCGETRULESET, &prs))
666 			return (1);
667 		errno = 0;
668 		if ((t = strchr(prs.name, '(')) == NULL)
669 			t = prs.name;
670 		else
671 			t++;
672 		pid = strtoul(t, &s, 10);
673 		if (!prs.name[0] || errno ||
674 		    (*s && (t == prs.name || *s != ')')))
675 			return (1);
676 		if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) {
677 			if (recursive_ruleset_purge(anchorname, prs.name))
678 				return (1);
679 		}
680 		nr--;
681 	}
682 	return (0);
683 }
684 
685 static int
686 recursive_ruleset_purge(char *an, char *rs)
687 {
688 	struct pfioc_trans_e     *t_e = NULL;
689 	struct pfioc_trans	 *t = NULL;
690 	struct pfioc_ruleset	 *prs = NULL;
691 	int			  i;
692 
693 
694 	/* purge rules */
695 	errno = 0;
696 	if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL)
697 		goto no_mem;
698 	if ((t_e = calloc(PF_RULESET_MAX+1,
699 	    sizeof(struct pfioc_trans_e))) == NULL)
700 		goto no_mem;
701 	t->size = PF_RULESET_MAX+1;
702 	t->esize = sizeof(struct pfioc_trans_e);
703 	t->array = t_e;
704 	for (i = 0; i < PF_RULESET_MAX+1; ++i) {
705 		t_e[i].rs_num = i;
706 		snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs);
707 	}
708 	t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE;
709 	if ((ioctl(dev, DIOCXBEGIN, t) ||
710 	    ioctl(dev, DIOCXCOMMIT, t)) &&
711 	    errno != EINVAL)
712 		goto cleanup;
713 
714 	/* purge any children */
715 	if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL)
716 		goto no_mem;
717 	snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
718 	if (ioctl(dev, DIOCGETRULESETS, prs)) {
719 		if (errno != EINVAL)
720 			goto cleanup;
721 		errno = 0;
722 	} else {
723 		int nr = prs->nr;
724 
725 		while (nr) {
726 			prs->nr = 0;
727 			if (ioctl(dev, DIOCGETRULESET, prs))
728 				goto cleanup;
729 
730 			if (recursive_ruleset_purge(prs->path, prs->name))
731 				goto cleanup;
732 			nr--;
733 		}
734 	}
735 
736 no_mem:
737 	if (errno == ENOMEM)
738 		syslog(LOG_ERR, "calloc failed");
739 
740 cleanup:
741 	free(t);
742 	free(t_e);
743 	free(prs);
744 	return (errno);
745 }
746 
747 /*
748  * Add/remove filter entries for user "luser" from ip "ipsrc"
749  */
750 static int
751 change_filter(int add, const char *l_user, const char *ip_src)
752 {
753 	char	*fdpath = NULL, *userstr = NULL, *ipstr = NULL;
754 	char	*rsn = NULL, *fn = NULL;
755 	pid_t	pid;
756 	gid_t   gid;
757 	int	s;
758 
759 	if (add) {
760 		struct stat sb;
761 		char *pargv[13] = {
762 			"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
763 			"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
764 		};
765 
766 		if (l_user == NULL || !l_user[0] || ip_src == NULL || !ip_src[0]) {
767 			syslog(LOG_ERR, "invalid luser/ipsrc");
768 			goto error;
769 		}
770 
771 		if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
772 			goto no_mem;
773 		if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
774 			goto no_mem;
775 		if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1)
776 			goto no_mem;
777 		if (asprintf(&userstr, "user_id=%s", l_user) == -1)
778 			goto no_mem;
779 		if (asprintf(&fn, "%s/%s/authpf.rules",
780 		    PATH_USER_DIR, l_user) == -1)
781 			goto no_mem;
782 		if (stat(fn, &sb) == -1) {
783 			free(fn);
784 			if ((fn = strdup(PATH_PFRULES)) == NULL)
785 				goto no_mem;
786 		}
787 		pargv[2] = fdpath;
788 		pargv[5] = rsn;
789 		pargv[7] = userstr;
790 		if (user_ip) {
791 			pargv[9] = ipstr;
792 			pargv[11] = fn;
793 		} else {
794 			pargv[8] = "-f";
795 			pargv[9] = fn;
796 			pargv[10] = NULL;
797 		}
798 
799 		switch (pid = fork()) {
800 		case -1:
801 			syslog(LOG_ERR, "fork failed");
802 			goto error;
803 		case 0:
804 			/* revoke group privs before exec */
805 			gid = getgid();
806 			if (setregid(gid, gid) == -1) {
807 				err(1, "setregid");
808 			}
809 			execvp(PATH_PFCTL, pargv);
810 			warn("exec of %s failed", PATH_PFCTL);
811 			_exit(1);
812 		}
813 
814 		/* parent */
815 		waitpid(pid, &s, 0);
816 		if (s != 0) {
817 			syslog(LOG_ERR, "pfctl exited abnormally");
818 			goto error;
819 		}
820 
821 		gettimeofday(&Tstart, NULL);
822 		syslog(LOG_INFO, "allowing %s, user %s", ip_src, l_user);
823 	} else {
824 		remove_stale_rulesets();
825 
826 		gettimeofday(&Tend, NULL);
827 		syslog(LOG_INFO, "removed %s, user %s - duration %ju seconds",
828 		    ip_src, l_user, (uintmax_t)(Tend.tv_sec - Tstart.tv_sec));
829 	}
830 	return (0);
831 no_mem:
832 	syslog(LOG_ERR, "malloc failed");
833 error:
834 	free(fdpath);
835 	free(rsn);
836 	free(userstr);
837 	free(ipstr);
838 	free(fn);
839 	return (-1);
840 }
841 
842 /*
843  * Add/remove this IP from the "authpf_users" table.
844  */
845 static int
846 change_table(int add, const char *ip_src)
847 {
848 	struct pfioc_table	io;
849 	struct pfr_addr		addr;
850 
851 	bzero(&io, sizeof(io));
852 	strlcpy(io.pfrio_table.pfrt_name, tablename,
853 	    sizeof(io.pfrio_table.pfrt_name));
854 	io.pfrio_buffer = &addr;
855 	io.pfrio_esize = sizeof(addr);
856 	io.pfrio_size = 1;
857 
858 	bzero(&addr, sizeof(addr));
859 	if (ip_src == NULL || !ip_src[0])
860 		return (-1);
861 	if (inet_pton(AF_INET, ip_src, &addr.pfra_ip4addr) == 1) {
862 		addr.pfra_af = AF_INET;
863 		addr.pfra_net = 32;
864 	} else if (inet_pton(AF_INET6, ip_src, &addr.pfra_ip6addr) == 1) {
865 		addr.pfra_af = AF_INET6;
866 		addr.pfra_net = 128;
867 	} else {
868 		syslog(LOG_ERR, "invalid ipsrc");
869 		return (-1);
870 	}
871 
872 	if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) &&
873 	    errno != ESRCH) {
874 		syslog(LOG_ERR, "cannot %s %s from table %s: %s",
875 		    add ? "add" : "remove", ip_src, tablename,
876 		    strerror(errno));
877 		return (-1);
878 	}
879 	return (0);
880 }
881 
882 /*
883  * This is to kill off states that would otherwise be left behind stateful
884  * rules. This means we don't need to allow in more traffic than we really
885  * want to, since we don't have to worry about any luser sessions lasting
886  * longer than their ssh session. This function is based on
887  * pfctl_kill_states from pfctl.
888  */
889 static void
890 authpf_kill_states(void)
891 {
892 	struct pfioc_state_kill	psk;
893 	struct pf_addr target;
894 
895 	memset(&psk, 0, sizeof(psk));
896 	memset(&target, 0, sizeof(target));
897 
898 	if (inet_pton(AF_INET, ipsrc, &target.v4) == 1)
899 		psk.psk_af = AF_INET;
900 	else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1)
901 		psk.psk_af = AF_INET6;
902 	else {
903 		syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc);
904 		return;
905 	}
906 
907 	/* Kill all states from ipsrc */
908 	memcpy(&psk.psk_src.addr.v.a.addr, &target,
909 	    sizeof(psk.psk_src.addr.v.a.addr));
910 	memset(&psk.psk_src.addr.v.a.mask, 0xff,
911 	    sizeof(psk.psk_src.addr.v.a.mask));
912 	if (ioctl(dev, DIOCKILLSTATES, &psk))
913 		syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
914 
915 	/* Kill all states to ipsrc */
916 	memset(&psk.psk_src, 0, sizeof(psk.psk_src));
917 	memcpy(&psk.psk_dst.addr.v.a.addr, &target,
918 	    sizeof(psk.psk_dst.addr.v.a.addr));
919 	memset(&psk.psk_dst.addr.v.a.mask, 0xff,
920 	    sizeof(psk.psk_dst.addr.v.a.mask));
921 	if (ioctl(dev, DIOCKILLSTATES, &psk))
922 		syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
923 }
924 
925 /* signal handler that makes us go away properly */
926 static void
927 need_death(int signo __unused)
928 {
929 	want_death = 1;
930 }
931 
932 /*
933  * function that removes our stuff when we go away.
934  */
935 #ifdef __FreeBSD__
936 static __dead2 void
937 #else
938 static __dead void
939 #endif
940 do_death(int active)
941 {
942 	int	ret = 0;
943 
944 	if (active) {
945 		change_filter(0, luser, ipsrc);
946 		if (user_ip) {
947 			change_table(0, ipsrc);
948 			authpf_kill_states();
949 		}
950 	}
951 	if (pidfile[0] && pidfd != -1)
952 		if (unlink(pidfile) == -1)
953 			syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
954 	exit(ret);
955 }
956