aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authoredwin <edwin@FreeBSD.org>2003-09-28 21:27:06 +0800
committeredwin <edwin@FreeBSD.org>2003-09-28 21:27:06 +0800
commit39560db23498cb01c8f7b0173672a5d5f7e2339d (patch)
treed9c42661a6ff190257eb67d14531d49796fb879a /security
parent961f1950b0e85bfc7e94188b75b4ec206e7f92d3 (diff)
downloadfreebsd-ports-gnome-39560db23498cb01c8f7b0173672a5d5f7e2339d.tar.gz
freebsd-ports-gnome-39560db23498cb01c8f7b0173672a5d5f7e2339d.tar.zst
freebsd-ports-gnome-39560db23498cb01c8f7b0173672a5d5f7e2339d.zip
Update port: security/pf - OpenBSD 3.4 pf
Port update after API change in PFIL_HOOKS in -current and OpenBSD 3.4 Release. PR: ports/57305 Submitted by: Max Laier <max@love2party.net>
Diffstat (limited to 'security')
-rw-r--r--security/pf/Makefile70
-rw-r--r--security/pf/distinfo2
-rw-r--r--security/pf/files/patch-aa41
-rw-r--r--security/pf/files/patch-ab77
-rw-r--r--security/pf/files/patch-ac53
-rw-r--r--security/pf/files/patch-ad161
-rw-r--r--security/pf/files/patch-ae13
-rw-r--r--security/pf/files/patch-af19
-rw-r--r--security/pf/files/patch-ag383
-rw-r--r--security/pf/files/pf-port.diff1523
-rw-r--r--security/pf/files/pf.conf.default6
-rw-r--r--security/pf/files/pf.os.default551
-rw-r--r--security/pf/pkg-plist14
13 files changed, 2179 insertions, 734 deletions
diff --git a/security/pf/Makefile b/security/pf/Makefile
index c28667dbc1ff..c1498e873e5a 100644
--- a/security/pf/Makefile
+++ b/security/pf/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME= pf_freebsd
-PORTVERSION= 1.0
-PORTREVISION= 7
+PORTVERSION= 1.65
CATEGORIES= security ipv6
MASTER_SITES= http://pf4freebsd.love2party.net/
.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
@@ -24,11 +23,12 @@ IS_INTERACTIVE= yes
STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
+SAMPLE_PFOS= ${PREFIX}/etc/pf.os
MAN1= pftcpdump.1
MAN4= pf.4 pflog.4 pfsync.4
-MAN5= pf.conf.5
-MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
+MAN5= pf.conf.5 pf.os.5
+MAN8= ftp-proxy.8 pfctl.8 pflogd.8
MANCOMPRESSED= maybe
@@ -57,54 +57,72 @@ IGNORE= "Kernel source files required"
.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
pre-fetch:
- @${ECHO_CMD} "======================================================="
- @${ECHO_CMD} "* If you have ALTQ support from: *"
- @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
- @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *"
- @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
- @${ECHO_CMD} "* *"
- @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
- @${ECHO_CMD} "* *"
- @${ECHO_CMD} "======================================================="
+ @${ECHO_MSG} "======================================================="
+ @${ECHO_MSG} "* If you have ALTQ support from: *"
+ @${ECHO_MSG} "* http://www.nipsi.de/altq/index.html *"
+ @${ECHO_MSG} "* You can may define WITH_ALTQ=yes to make use of it *"
+ @${ECHO_MSG} "* Please define SYS_ALTQ to point to the patched src *"
+ @${ECHO_MSG} "* *"
+ @${ECHO_MSG} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *"
+ @${ECHO_MSG} "* *"
+ @${ECHO_MSG} "======================================================="
@sleep 2
.endif
-pre-install:
+post-patch:
+ @${CP} ${WRKSRC}/pfctl/pfctl_parser.h \
+ ${WRKSRC}/pfctl/pfctl_parser.h.orig
+ @${SED} -e 's!%%PREFIX%%!${PREFIX}!' \
+ ${WRKSRC}/pfctl/pfctl_parser.h.orig > \
+ ${WRKSRC}/pfctl/pfctl_parser.h
+pre-su-install:
${MKDIR} ${KMODDIR}
${MKDIR} ${PREFIX}/include/pf
${MKDIR} ${PREFIX}/include/pf/net
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+ ${MKDIR} ${PREFIX}/include/pf/altq
+.endif
.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
.endif
post-install:
- ${ECHO} "Installing include files ..."
+ ${ECHO_MSG} "Installing include files ..."
${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
- ${PREFIX}/include/pf/net
+ ${PREFIX}/include/pf/net
${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
- ${PREFIX}/include/pf/net
+ ${PREFIX}/include/pf/net
${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
- ${PREFIX}/include/pf/net
+ ${PREFIX}/include/pf/net
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+ ${INSTALL_DATA} ${WRKSRC}/include/altq/*.h \
+ ${PREFIX}/include/pf/altq
+.endif
@if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
- ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \
${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
- ${PREFIX}/man/man1/pftcpdump.1.gz ; \
+ ${PREFIX}/man/man1/pftcpdump.1.gz ; \
else \
- ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \
${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
- ${PREFIX}/man/man1/pftcpdump.1 ; \
+ ${PREFIX}/man/man1/pftcpdump.1 ; \
fi
@if [ ! -f ${STARTUP_SCRIPT} ]; then \
- ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
+ ${ECHO_MSG} "Installing ${STARTUP_SCRIPT} startup file." ; \
${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
- ${STARTUP_SCRIPT} ; \
+ ${STARTUP_SCRIPT} ; \
fi
@if [ ! -f ${SAMPLE_CONFIG} ]; then \
- ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
+ ${ECHO_MSG} "Installing ${SAMPLE_CONFIG} config file." ; \
${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
- ${SAMPLE_CONFIG}; \
+ ${SAMPLE_CONFIG}; \
+ fi
+ @if [ ! -f ${SAMPLE_PFOS} ]; then \
+ ${ECHO_MSG} "Installing ${SAMPLE_PFOS} config file."; \
+ ${INSTALL_DATA} ${FILESDIR}/pf.os.default \
+ ${SAMPLE_PFOS}; \
fi
${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
diff --git a/security/pf/distinfo b/security/pf/distinfo
index 38a8f2633367..fa00347b1c11 100644
--- a/security/pf/distinfo
+++ b/security/pf/distinfo
@@ -1 +1 @@
-MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
+MD5 (pf_freebsd_1.65.tar.gz) = 6956f275a7b971ab07f4ee8e0bdd83e0
diff --git a/security/pf/files/patch-aa b/security/pf/files/patch-aa
index 24724598f4fb..f1a35d32cee9 100644
--- a/security/pf/files/patch-aa
+++ b/security/pf/files/patch-aa
@@ -1,32 +1,11 @@
---- freebsd_tcpdump/print-pflog.c.orig Fri Jun 13 18:14:50 2003
-+++ freebsd_tcpdump/print-pflog.c Fri Jun 13 18:15:39 2003
-@@ -64,7 +64,9 @@
- u_int length = h->len;
- u_int caplen = h->caplen;
- const struct ip *ip;
-+#ifdef INET6
- const struct ip6_hdr *ip6;
-+#endif
- const struct pfloghdr *hdr;
- u_short res;
- char reason[128], *why;
-@@ -129,13 +131,16 @@
- if (xflag)
- default_print((const u_char *)ip,
- caplen - PFLOG_HDRLEN);
-- } else {
-+ }
-+#ifdef INET6
-+ else {
- ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN);
- ip6_print((const u_char *)ip6, length);
- if (xflag)
- default_print((const u_char *)ip6,
- caplen - PFLOG_HDRLEN);
- }
-+#endif
+--- Makefile.orig Sat Sep 27 10:17:32 2003
++++ Makefile Sat Sep 27 10:17:46 2003
+@@ -6,7 +6,7 @@
+ SUBDIR= libpcap
+ .endif
+
+-SUBDIR+= pfctl authpf ftp-proxy man pf pflog pfsync
++SUBDIR+= pfctl ftp-proxy man pf pflog pfsync
+
+ .include "include/mk/util.mk"
- out:
- putchar('\n');
-
-
diff --git a/security/pf/files/patch-ab b/security/pf/files/patch-ab
index 0355d57ac1cd..630ae913fb4e 100644
--- a/security/pf/files/patch-ab
+++ b/security/pf/files/patch-ab
@@ -1,70 +1,11 @@
---- pf/pf_support.h Mon Apr 14 05:54:15 2003
-+++ pf/pf_support.h Tue Jun 17 14:26:33 2003
-@@ -16,10 +16,16 @@
- * Original numbers changed from 11, 12, 13.
- * sys/mbuf.h
- */
--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
--#define PACKET_TAG_PF_QID 22 /* PF queue id */
-+#if defined(PACKET_TAG_MACLABEL)
-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
-+#else
-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
-+#endif
-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
+--- pfctl/pfctl_parser.h.orig Sat Sep 27 10:39:47 2003
++++ pfctl/pfctl_parser.h Sat Sep 27 10:40:21 2003
+@@ -33,7 +33,7 @@
+ #ifndef _PFCTL_PARSER_H_
+ #define _PFCTL_PARSER_H_
- /*
- * sys/limits.h
---- pfaltq/pf_support.h Mon Apr 14 06:04:19 2003
-+++ pfaltq/pf_support.h Tue Jun 17 14:26:34 2003
-@@ -16,10 +16,16 @@
- * Original numbers changed from 11, 12, 13.
- * sys/mbuf.h
- */
--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
--#define PACKET_TAG_PF_QID 22 /* PF queue id */
-+#if defined(PACKET_TAG_MACLABEL)
-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
-+#else
-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
-+#endif
-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
+-#define PF_OSFP_FILE "/etc/pf.os"
++#define PF_OSFP_FILE "%%PREFIX%%/etc/pf.os"
- /*
- * sys/limits.h
---- pfctl/pf_support.h Mon Apr 14 05:55:07 2003
-+++ pfctl/pf_support.h Tue Jun 17 14:26:34 2003
-@@ -16,10 +16,16 @@
- * Original numbers changed from 11, 12, 13.
- * sys/mbuf.h
- */
--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
--#define PACKET_TAG_PF_QID 22 /* PF queue id */
-+#if defined(PACKET_TAG_MACLABEL)
-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
-+#else
-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
-+#endif
-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
-
- /*
- * sys/limits.h
-
+ #define PF_OPT_DISABLE 0x0001
+ #define PF_OPT_ENABLE 0x0002
diff --git a/security/pf/files/patch-ac b/security/pf/files/patch-ac
index a239c523bf08..f3860bda7b1d 100644
--- a/security/pf/files/patch-ac
+++ b/security/pf/files/patch-ac
@@ -1,29 +1,24 @@
---- pf/pf.c Wed May 7 09:33:21 2003
-+++ pf/pf.c Tue Jun 17 17:02:08 2003
-@@ -2837,6 +2837,7 @@
- /* check incoming packet for BINAT/RDR */
- if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto,
- saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) {
-+ PF_ACPY(&baddr, daddr, af);
- switch (af) {
- #ifdef INET
- case AF_INET:
-@@ -3179,7 +3180,7 @@
- /* Retrans: not more than one window back */
- (ackskew >= -MAXACKWINDOW) &&
- /* Acking not more than one window back */
-- (ackskew <= MAXACKWINDOW)) {
-+ (ackskew <= (MAXACKWINDOW << sws))) {
- /* Acking not more than one window forward */
-
- (*state)->packets++;
-@@ -3346,7 +3347,7 @@
- SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
- ' ': '2',
- (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
-- (ackskew <= MAXACKWINDOW) ? ' ' : '4',
-+ (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
- SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
- SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
- }
-
+--- pf/pf_ioctl.c.orig Sun Sep 28 15:00:08 2003
++++ pf/pf_ioctl.c Sun Sep 28 15:00:16 2003
+@@ -201,7 +201,7 @@
+ /* psize */ nopsize,
+ /* flags */ 0,
+ /* kqfilter */ nokqfilter,
+-#else
++#elif (__FreeBSD_version < 501109)
+ .d_open = pfopen,
+ .d_close = pfclose,
+ .d_read = noread,
+@@ -215,6 +215,12 @@
+ .d_dump = nodump,
+ .d_flags = 0,
+ .d_kqfilter = nokqfilter,
++#else
++ .d_open = pfopen,
++ .d_close = pfclose,
++ .d_ioctl = pfioctl,
++ .d_name = PF_NAME,
++ .d_flags = 0,
+ #endif
+ };
+ #endif /* __FreeBSD__ */
diff --git a/security/pf/files/patch-ad b/security/pf/files/patch-ad
deleted file mode 100644
index a9ec79cc117c..000000000000
--- a/security/pf/files/patch-ad
+++ /dev/null
@@ -1,161 +0,0 @@
---- pfctl/pfctl.c Sat Jun 21 17:29:45 2003
-+++ pfctl/pfctl.c Sat Jun 21 18:31:19 2003
-@@ -46,6 +46,7 @@
- #include <err.h>
- #include <errno.h>
- #include <fcntl.h>
-+#include <inttypes.h>
- #include <limits.h>
- #include <netdb.h>
- #include <stdio.h>
-@@ -565,8 +566,8 @@
- rule->qname, rule->qid, rule->pqname, rule->pqid);
- }
- if (opts & PF_OPT_VERBOSE)
-- printf("[ Evaluations: %-8llu Packets: %-8llu "
-- "Bytes: %-10llu States: %-6u]\n\n",
-+ printf("[ Evaluations: %-8"PRIu64" Packets: %-8"PRIu64" "
-+ "Bytes: %-10"PRIu64" States: %-6u]\n\n",
- rule->evaluations, rule->packets,
- rule->bytes, rule->states);
- }
-@@ -630,7 +631,7 @@
- case 1:
- if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
-- printf("%llu %llu %llu\n",
-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n",
- pr.rule.evaluations, pr.rule.packets,
- pr.rule.bytes);
- }
-@@ -662,7 +663,7 @@
- case 1:
- if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
-- printf("%llu %llu %llu\n",
-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n",
- pr.rule.evaluations, pr.rule.packets,
- pr.rule.bytes);
- }
---- pfctl/pfctl_parser.c Sat Jun 21 17:29:45 2003
-+++ pfctl/pfctl_parser.c Sat Jun 21 18:32:00 2003
-@@ -49,6 +49,7 @@
- #include <stdarg.h>
- #include <errno.h>
- #include <err.h>
-+#include <inttypes.h>
- #include <ifaddrs.h>
-
- #if defined(__FreeBSD__)
-@@ -503,29 +504,29 @@
- if (s->ifname[0] != 0) {
- printf("Interface Stats for %-16s %5s %16s\n",
- s->ifname, "IPv4", "IPv6");
-- printf(" %-25s %14llu %16llu\n", "Bytes In",
-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes In",
- s->bcounters[0][0], s->bcounters[1][0]);
-- printf(" %-25s %14llu %16llu\n", "Bytes Out",
-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes Out",
- s->bcounters[0][1], s->bcounters[1][1]);
- printf(" Packets In\n");
-- printf(" %-23s %14llu %16llu\n", "Passed",
-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed",
- s->pcounters[0][0][PF_PASS],
- s->pcounters[1][0][PF_PASS]);
-- printf(" %-23s %14llu %16llu\n", "Blocked",
-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Blocked",
- s->pcounters[0][0][PF_DROP],
- s->pcounters[1][0][PF_DROP]);
- printf(" Packets Out\n");
-- printf(" %-23s %14llu %16llu\n", "Passed",
-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed",
- s->pcounters[0][1][PF_PASS],
- s->pcounters[1][1][PF_PASS]);
-- printf(" %-23s %14llu %16llu\n\n", "Blocked",
-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n\n", "Blocked",
- s->pcounters[0][1][PF_DROP],
- s->pcounters[1][1][PF_DROP]);
- }
- printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
- printf(" %-25s %14u %14s\n", "current entries", s->states, "");
- for (i = 0; i < FCNT_MAX; i++) {
-- printf(" %-25s %14lld ", pf_fcounters[i],
-+ printf(" %-25s %14"PRId64" ", pf_fcounters[i],
- s->fcounters[i]);
- if (runtime > 0)
- printf("%14.1f/s\n",
-@@ -535,7 +536,7 @@
- }
- printf("Counters\n");
- for (i = 0; i < PFRES_MAX; i++) {
-- printf(" %-25s %14lld ", pf_reasons[i],
-+ printf(" %-25s %14"PRId64" ", pf_reasons[i],
- s->counters[i]);
- if (runtime > 0)
- printf("%14.1f/s\n",
---- pfctl/pfctl_qstats.c Sat Jun 21 17:29:45 2003
-+++ pfctl/pfctl_qstats.c Sat Jun 21 18:32:19 2003
-@@ -40,6 +40,7 @@
- #include <arpa/inet.h>
-
- #include <err.h>
-+#include <inttypes.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-@@ -280,8 +281,8 @@
- {
- double interval;
-
-- printf("[ pkts: %10llu bytes: %10llu "
-- "dropped pkts: %6llu bytes: %6llu ]\n",
-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" "
-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n",
- cur.data.cbq_stats.xmit_cnt.packets,
- cur.data.cbq_stats.xmit_cnt.bytes,
- cur.data.cbq_stats.drop_cnt.packets,
-@@ -306,8 +307,8 @@
- {
- double interval;
-
-- printf("[ pkts: %10llu bytes: %10llu "
-- "dropped pkts: %6llu bytes: %6llu ]\n",
-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" "
-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n",
- cur.data.priq_stats.xmitcnt.packets,
- cur.data.priq_stats.xmitcnt.bytes,
- cur.data.priq_stats.dropcnt.packets,
---- pfctl/pfctl_table.c Sat Jun 21 17:29:45 2003
-+++ pfctl/pfctl_table.c Sat Jun 21 18:32:36 2003
-@@ -42,6 +42,7 @@
- #include <ctype.h>
- #include <err.h>
- #include <errno.h>
-+#include <inttypes.h>
- #include <netdb.h>
- #include <stdarg.h>
- #include <stdio.h>
-@@ -363,11 +364,11 @@
- printf("\tAddresses: %d\n", ts->pfrts_cnt);
- printf("\tReferences: %d\n", ts->pfrts_refcnt);
- printf("\tCleared: %s", ctime(&time));
-- printf("\tEvaluations: [ NoMatch: %-18llu Match: %-18llu ]\n",
-+ printf("\tEvaluations: [ NoMatch: %-18"PRIu64" Match: %-18"PRIu64" ]\n",
- ts->pfrts_nomatch, ts->pfrts_match);
- for (dir = 0; dir < PFR_DIR_MAX; dir++)
- for (op = 0; op < PFR_OP_TABLE_MAX; op++)
-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n",
- stats_text[dir][op],
- ts->pfrts_packets[dir][op],
- ts->pfrts_bytes[dir][op]);
-@@ -541,7 +542,7 @@
- printf("\tCleared: %s", ctime(&time));
- for (dir = 0; dir < PFR_DIR_MAX; dir++)
- for (op = 0; op < PFR_OP_ADDR_MAX; op++)
-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n",
- stats_text[dir][op],
- as->pfras_packets[dir][op],
- as->pfras_bytes[dir][op]);
-
diff --git a/security/pf/files/patch-ae b/security/pf/files/patch-ae
deleted file mode 100644
index 739e91417366..000000000000
--- a/security/pf/files/patch-ae
+++ /dev/null
@@ -1,13 +0,0 @@
---- pf/pf_norm.c 7 Apr 2003 15:31:41 -0000 1.2
-+++ pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1
-@@ -747,6 +747,9 @@
- */
- #if defined(__FreeBSD__)
- *m0 = m_dup(m, M_NOWAIT);
-+ /* From KAME Project : We have missed this! */
-+ m_adj(*m0, (h->ip_hl << 2) -
-+ (*m0)->m_pkthdr.len);
- #else
- *m0 = m_copym2(m, 0, h->ip_hl << 2, M_NOWAIT);
- #endif
-
diff --git a/security/pf/files/patch-af b/security/pf/files/patch-af
deleted file mode 100644
index 9ae4ad0066b7..000000000000
--- a/security/pf/files/patch-af
+++ /dev/null
@@ -1,19 +0,0 @@
---- pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1
-+++ pf/pf_norm.c 14 Jul 2003 07:11:17 -0000 1.2.16.2
-@@ -1050,12 +1050,12 @@
- goto bad;
- }
-
-- max = fragoff + ip_len;
- /* Respect maximum length */
-- if (max > IP_MAXPACKET) {
-- DPFPRINTF(("max packet %d\n", max));
-+ if (fragoff + ip_len > IP_MAXPACKET) {
-+ DPFPRINTF(("max packet %d\n", fragoff + ip_len));
- goto bad;
- }
-+ max = fragoff + ip_len;
-
- if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) {
- /* Fully buffer all of the fragments */
-
diff --git a/security/pf/files/patch-ag b/security/pf/files/patch-ag
deleted file mode 100644
index ed4cd5d7d904..000000000000
--- a/security/pf/files/patch-ag
+++ /dev/null
@@ -1,383 +0,0 @@
---- pf/pf_norm.c Fri Aug 29 03:31:24 2003
-+++ pf/pf_norm.c Fri Aug 29 03:40:58 2003
-@@ -117,10 +117,10 @@
- void pf_flush_fragments(void);
- void pf_free_fragment(struct pf_fragment *);
- struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *);
--struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment *,
-+struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **,
- struct pf_frent *, int);
- struct mbuf *pf_fragcache(struct mbuf **, struct ip*,
-- struct pf_fragment *, int, int, int *);
-+ struct pf_fragment **, int, int, int *);
- u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t);
- int pf_normalize_tcp(int, struct ifnet *, struct mbuf *,
- int, int, void *, struct pf_pdesc *);
-@@ -385,7 +385,7 @@
- }
-
- struct mbuf *
--pf_reassemble(struct mbuf **m0, struct pf_fragment *frag,
-+pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
- struct pf_frent *frent, int mff)
- {
- struct mbuf *m = *m0, *m2;
-@@ -397,10 +397,10 @@
- u_int16_t max = ip->ip_len + off;
-
- #if defined(__FreeBSD__)
-- KASSERT((frag == NULL || BUFFER_FRAGMENTS(frag)),
-- ("! (frag == NULL || BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__));
-+ KASSERT((*frag == NULL || BUFFER_FRAGMENTS(*frag)),
-+ ("! (*frag == NULL || BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__));
- #else
-- KASSERT(frag == NULL || BUFFER_FRAGMENTS(frag));
-+ KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag));
- #endif
-
- /* Strip off ip header */
-@@ -408,38 +408,38 @@
- m->m_len -= hlen;
-
- /* Create a new reassembly queue for this packet */
-- if (frag == NULL) {
-+ if (*frag == NULL) {
- #if defined(__FreeBSD__)
-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
- #else
-- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
- #endif
-- if (frag == NULL) {
-+ if (*frag == NULL) {
- pf_flush_fragments();
- #if defined(__FreeBSD__)
-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
- #else
-- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
- #endif
-- if (frag == NULL)
-+ if (*frag == NULL)
- goto drop_fragment;
- }
-
-- frag->fr_flags = 0;
-- frag->fr_max = 0;
-- frag->fr_src = frent->fr_ip->ip_src;
-- frag->fr_dst = frent->fr_ip->ip_dst;
-- frag->fr_p = frent->fr_ip->ip_p;
-- frag->fr_id = frent->fr_ip->ip_id;
-+ (*frag)->fr_flags = 0;
-+ (*frag)->fr_max = 0;
-+ (*frag)->fr_src = frent->fr_ip->ip_src;
-+ (*frag)->fr_dst = frent->fr_ip->ip_dst;
-+ (*frag)->fr_p = frent->fr_ip->ip_p;
-+ (*frag)->fr_id = frent->fr_ip->ip_id;
- #if defined(__FreeBSD__)
-- frag->fr_timeout = time_second;
-+ (*frag)->fr_timeout = time_second;
- #else
-- frag->fr_timeout = time.tv_sec;
-+ (*frag)->fr_timeout = time.tv_sec;
- #endif
-- LIST_INIT(&frag->fr_queue);
-+ LIST_INIT(&(*frag)->fr_queue);
-
-- RB_INSERT(pf_frag_tree, &pf_frag_tree, frag);
-- TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next);
-+ RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag);
-+ TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next);
-
- /* We do not have a previous fragment */
- frep = NULL;
-@@ -450,7 +450,7 @@
- * Find a fragment after the current one:
- * - off contains the real shifted offset.
- */
-- LIST_FOREACH(frea, &frag->fr_queue, fr_next) {
-+ LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) {
- if (frea->fr_ip->ip_off > off)
- break;
- frep = frea;
-@@ -503,41 +503,41 @@
-
- insert:
- /* Update maximum data size */
-- if (frag->fr_max < max)
-- frag->fr_max = max;
-+ if ((*frag)->fr_max < max)
-+ (*frag)->fr_max = max;
- /* This is the last segment */
- if (!mff)
-- frag->fr_flags |= PFFRAG_SEENLAST;
-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
-
- if (frep == NULL)
-- LIST_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
-+ LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next);
- else
- LIST_INSERT_AFTER(frep, frent, fr_next);
-
- /* Check if we are completely reassembled */
-- if (!(frag->fr_flags & PFFRAG_SEENLAST))
-+ if (!((*frag)->fr_flags & PFFRAG_SEENLAST))
- return (NULL);
-
- /* Check if we have all the data */
- off = 0;
-- for (frep = LIST_FIRST(&frag->fr_queue); frep; frep = next) {
-+ for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) {
- next = LIST_NEXT(frep, fr_next);
-
- off += frep->fr_ip->ip_len;
-- if (off < frag->fr_max &&
-+ if (off < (*frag)->fr_max &&
- (next == NULL || next->fr_ip->ip_off != off)) {
- DPFPRINTF(("missing fragment at %d, next %d, max %d\n",
- off, next == NULL ? -1 : next->fr_ip->ip_off,
-- frag->fr_max));
-+ (*frag)->fr_max));
- return (NULL);
- }
- }
-- DPFPRINTF(("%d < %d?\n", off, frag->fr_max));
-- if (off < frag->fr_max)
-+ DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max));
-+ if (off < (*frag)->fr_max)
- return (NULL);
-
- /* We have all the data */
-- frent = LIST_FIRST(&frag->fr_queue);
-+ frent = LIST_FIRST(&(*frag)->fr_queue);
- #if defined(__FreeBSD__)
- KASSERT((frent != NULL), ("frent == NULL: %s", __FUNCTION__));
- #else
-@@ -545,7 +545,8 @@
- #endif
- if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) {
- DPFPRINTF(("drop: too big: %d\n", off));
-- pf_free_fragment(frag);
-+ pf_free_fragment(*frag);
-+ *frag = NULL;
- return (NULL);
- }
- next = LIST_NEXT(frent, fr_next);
-@@ -575,11 +576,12 @@
- m_cat(m, m2);
- }
-
-- ip->ip_src = frag->fr_src;
-- ip->ip_dst = frag->fr_dst;
-+ ip->ip_src = (*frag)->fr_src;
-+ ip->ip_dst = (*frag)->fr_dst;
-
- /* Remove from fragment queue */
-- pf_remove_fragment(frag);
-+ pf_remove_fragment(*frag);
-+ *frag = NULL;
-
- hlen = ip->ip_hl << 2;
- ip->ip_len = off + hlen;
-@@ -611,7 +613,7 @@
- }
-
- struct mbuf *
--pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment *frag, int mff,
-+pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff,
- int drop, int *nomem)
- {
- struct mbuf *m = *m0;
-@@ -622,27 +624,27 @@
- int hosed = 0;
-
- #if defined(__FreeBSD__)
-- KASSERT((frag == NULL || !BUFFER_FRAGMENTS(frag)),
-- ("!(frag == NULL || !BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__));
-+ KASSERT((*frag == NULL || !BUFFER_FRAGMENTS(*frag)),
-+ ("!(*frag == NULL || !BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__));
- #else
-- KASSERT(frag == NULL || !BUFFER_FRAGMENTS(frag));
-+ KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag));
- #endif
-
- /* Create a new range queue for this packet */
-- if (frag == NULL) {
-+ if (*frag == NULL) {
- #if defined(__FreeBSD__)
-- frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
- #else
-- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
- #endif
-- if (frag == NULL) {
-+ if (*frag == NULL) {
- pf_flush_fragments();
- #if defined(__FreeBSD__)
-- frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
- #else
-- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
- #endif
-- if (frag == NULL)
-+ if (*frag == NULL)
- goto no_mem;
- }
-
-@@ -654,33 +656,34 @@
- #endif
- if (cur == NULL) {
- #if defined(__FreeBSD__)
-- uma_zfree(pf_cache_pl, frag);
-+ uma_zfree(pf_cache_pl, *frag);
- #else
-- pool_put(&pf_cache_pl, frag);
-+ pool_put(&pf_cache_pl, *frag);
- #endif
-+ *frag = NULL;
- goto no_mem;
- }
- pf_ncache++;
-
-- frag->fr_flags = PFFRAG_NOBUFFER;
-- frag->fr_max = 0;
-- frag->fr_src = h->ip_src;
-- frag->fr_dst = h->ip_dst;
-- frag->fr_p = h->ip_p;
-- frag->fr_id = h->ip_id;
-+ (*frag)->fr_flags = PFFRAG_NOBUFFER;
-+ (*frag)->fr_max = 0;
-+ (*frag)->fr_src = h->ip_src;
-+ (*frag)->fr_dst = h->ip_dst;
-+ (*frag)->fr_p = h->ip_p;
-+ (*frag)->fr_id = h->ip_id;
- #if defined(__FreeBSD__)
-- frag->fr_timeout = time_second;
-+ (*frag)->fr_timeout = time_second;
- #else
-- frag->fr_timeout = time.tv_sec;
-+ (*frag)->fr_timeout = time.tv_sec;
- #endif
-
- cur->fr_off = off;
- cur->fr_end = max;
-- LIST_INIT(&frag->fr_cache);
-- LIST_INSERT_HEAD(&frag->fr_cache, cur, fr_next);
-+ LIST_INIT(&(*frag)->fr_cache);
-+ LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next);
-
-- RB_INSERT(pf_frag_tree, &pf_cache_tree, frag);
-- TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next);
-+ RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag);
-+ TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next);
-
- DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max));
-
-@@ -692,7 +695,7 @@
- * - off contains the real shifted offset.
- */
- frp = NULL;
-- LIST_FOREACH(fra, &frag->fr_cache, fr_next) {
-+ LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) {
- if (fra->fr_off > off)
- break;
- frp = fra;
-@@ -929,21 +932,22 @@
-
- pass:
- /* Update maximum data size */
-- if (frag->fr_max < max)
-- frag->fr_max = max;
-+ if ((*frag)->fr_max < max)
-+ (*frag)->fr_max = max;
-
- /* This is the last segment */
- if (!mff)
-- frag->fr_flags |= PFFRAG_SEENLAST;
-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
-
- /* Check if we are completely reassembled */
-- if ((frag->fr_flags & PFFRAG_SEENLAST) &&
-- LIST_FIRST(&frag->fr_cache)->fr_off == 0 &&
-- LIST_FIRST(&frag->fr_cache)->fr_end == frag->fr_max) {
-+ if (((*frag)->fr_flags & PFFRAG_SEENLAST) &&
-+ LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 &&
-+ LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) {
- /* Remove from fragment queue */
- DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id,
-- frag->fr_max));
-- pf_free_fragment(frag);
-+ (*frag)->fr_max));
-+ pf_free_fragment(*frag);
-+ *frag = NULL;
- }
-
- return (m);
-@@ -952,8 +956,8 @@
- *nomem = 1;
-
- /* Still need to pay attention to !IP_MF */
-- if (!mff && frag)
-- frag->fr_flags |= PFFRAG_SEENLAST;
-+ if (!mff && *frag != NULL)
-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
-
- m_freem(m);
- return (NULL);
-@@ -961,15 +965,15 @@
- drop_fragment:
-
- /* Still need to pay attention to !IP_MF */
-- if (!mff && frag)
-- frag->fr_flags |= PFFRAG_SEENLAST;
-+ if (!mff && *frag != NULL)
-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
-
- if (drop) {
- /* This fragment has been deemed bad. Don't reass */
-- if ((frag->fr_flags & PFFRAG_DROP) == 0)
-+ if (((*frag)->fr_flags & PFFRAG_DROP) == 0)
- DPFPRINTF(("fragcache[%d]: dropping overall fragment\n",
- h->ip_id));
-- frag->fr_flags |= PFFRAG_DROP;
-+ (*frag)->fr_flags |= PFFRAG_DROP;
- }
-
- m_freem(m);
-@@ -1085,12 +1089,12 @@
-
- /* Might return a completely reassembled mbuf, or NULL */
- DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
-- *m0 = m = pf_reassemble(m0, frag, frent, mff);
-+ *m0 = m = pf_reassemble(m0, &frag, frent, mff);
-
- if (m == NULL)
- return (PF_DROP);
-
-- if (frag && (frag->fr_flags & PFFRAG_DROP))
-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
- goto drop;
-
- h = mtod(m, struct ip *);
-@@ -1119,7 +1123,7 @@
- goto bad;
- }
-
-- *m0 = m = pf_fragcache(m0, h, frag, mff,
-+ *m0 = m = pf_fragcache(m0, h, &frag, mff,
- (r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem);
- if (m == NULL) {
- if (nomem)
-@@ -1135,7 +1139,7 @@
- goto no_mem;
- m_tag_prepend(m, mtag);
- }
-- if (frag && (frag->fr_flags & PFFRAG_DROP))
-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
- goto drop;
- goto fragment_pass;
- }
diff --git a/security/pf/files/pf-port.diff b/security/pf/files/pf-port.diff
new file mode 100644
index 000000000000..94d44631cab7
--- /dev/null
+++ b/security/pf/files/pf-port.diff
@@ -0,0 +1,1523 @@
+diff -ruN /usr/ports/security/pf/Makefile pf/Makefile
+--- /usr/ports/security/pf/Makefile Fri Aug 29 05:14:03 2003
++++ pf/Makefile Sat Sep 27 14:32:18 2003
+@@ -6,8 +6,7 @@
+ #
+
+ PORTNAME= pf_freebsd
+-PORTVERSION= 1.0
+-PORTREVISION= 7
++PORTVERSION= 1.65
+ CATEGORIES= security ipv6
+ MASTER_SITES= http://pf4freebsd.love2party.net/
+ .if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+@@ -24,11 +23,12 @@
+
+ STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
+ SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
++SAMPLE_PFOS= ${PREFIX}/etc/pf.os
+
+ MAN1= pftcpdump.1
+ MAN4= pf.4 pflog.4 pfsync.4
+-MAN5= pf.conf.5
+-MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
++MAN5= pf.conf.5 pf.os.5
++MAN8= ftp-proxy.8 pfctl.8 pflogd.8
+
+ MANCOMPRESSED= maybe
+
+@@ -57,54 +57,72 @@
+
+ .if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
+ pre-fetch:
+- @${ECHO_CMD} "======================================================="
+- @${ECHO_CMD} "* If you have ALTQ support from: *"
+- @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
+- @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *"
+- @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
+- @${ECHO_CMD} "* *"
+- @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
+- @${ECHO_CMD} "* *"
+- @${ECHO_CMD} "======================================================="
++ @${ECHO_MSG} "======================================================="
++ @${ECHO_MSG} "* If you have ALTQ support from: *"
++ @${ECHO_MSG} "* http://www.nipsi.de/altq/index.html *"
++ @${ECHO_MSG} "* You can may define WITH_ALTQ=yes to make use of it *"
++ @${ECHO_MSG} "* Please define SYS_ALTQ to point to the patched src *"
++ @${ECHO_MSG} "* *"
++ @${ECHO_MSG} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *"
++ @${ECHO_MSG} "* *"
++ @${ECHO_MSG} "======================================================="
+ @sleep 2
+ .endif
+
+-pre-install:
++post-patch:
++ @${CP} ${WRKSRC}/pfctl/pfctl_parser.h \
++ ${WRKSRC}/pfctl/pfctl_parser.h.orig
++ @${SED} -e 's!%%PREFIX%%!${PREFIX}!' \
++ ${WRKSRC}/pfctl/pfctl_parser.h.orig > \
++ ${WRKSRC}/pfctl/pfctl_parser.h
++pre-su-install:
+ ${MKDIR} ${KMODDIR}
+ ${MKDIR} ${PREFIX}/include/pf
+ ${MKDIR} ${PREFIX}/include/pf/net
++.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
++ ${MKDIR} ${PREFIX}/include/pf/altq
++.endif
+ .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+ .endif
+
+ post-install:
+- ${ECHO} "Installing include files ..."
++ ${ECHO_MSG} "Installing include files ..."
+ ${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
+- ${PREFIX}/include/pf/net
++ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
+- ${PREFIX}/include/pf/net
++ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
+- ${PREFIX}/include/pf/net
++ ${PREFIX}/include/pf/net
++.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
++ ${INSTALL_DATA} ${WRKSRC}/include/altq/*.h \
++ ${PREFIX}/include/pf/altq
++.endif
+ @if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
+- ${ECHO} "Installing pftcpdump(1) man page."; \
++ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \
+ ${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
+ ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
+- ${PREFIX}/man/man1/pftcpdump.1.gz ; \
++ ${PREFIX}/man/man1/pftcpdump.1.gz ; \
+ else \
+- ${ECHO} "Installing pftcpdump(1) man page."; \
++ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
+- ${PREFIX}/man/man1/pftcpdump.1 ; \
++ ${PREFIX}/man/man1/pftcpdump.1 ; \
+ fi
+ @if [ ! -f ${STARTUP_SCRIPT} ]; then \
+- ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
++ ${ECHO_MSG} "Installing ${STARTUP_SCRIPT} startup file." ; \
+ ${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
+- ${STARTUP_SCRIPT} ; \
++ ${STARTUP_SCRIPT} ; \
+ fi
+ @if [ ! -f ${SAMPLE_CONFIG} ]; then \
+- ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
++ ${ECHO_MSG} "Installing ${SAMPLE_CONFIG} config file." ; \
+ ${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
+- ${SAMPLE_CONFIG}; \
++ ${SAMPLE_CONFIG}; \
++ fi
++ @if [ ! -f ${SAMPLE_PFOS} ]; then \
++ ${ECHO_MSG} "Installing ${SAMPLE_PFOS} config file."; \
++ ${INSTALL_DATA} ${FILESDIR}/pf.os.default \
++ ${SAMPLE_PFOS}; \
+ fi
+ ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
+
+diff -ruN /usr/ports/security/pf/distinfo pf/distinfo
+--- /usr/ports/security/pf/distinfo Fri Jun 13 03:09:29 2003
++++ pf/distinfo Sat Sep 27 13:31:03 2003
+@@ -1 +1 @@
+-MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
++MD5 (pf_freebsd_1.65.tar.gz) = 6956f275a7b971ab07f4ee8e0bdd83e0
+diff -ruN /usr/ports/security/pf/files/patch-aa pf/files/patch-aa
+--- /usr/ports/security/pf/files/patch-aa Mon Jun 16 05:14:27 2003
++++ pf/files/patch-aa Sat Sep 27 10:18:08 2003
+@@ -1,32 +1,11 @@
+---- freebsd_tcpdump/print-pflog.c.orig Fri Jun 13 18:14:50 2003
+-+++ freebsd_tcpdump/print-pflog.c Fri Jun 13 18:15:39 2003
+-@@ -64,7 +64,9 @@
+- u_int length = h->len;
+- u_int caplen = h->caplen;
+- const struct ip *ip;
+-+#ifdef INET6
+- const struct ip6_hdr *ip6;
+-+#endif
+- const struct pfloghdr *hdr;
+- u_short res;
+- char reason[128], *why;
+-@@ -129,13 +131,16 @@
+- if (xflag)
+- default_print((const u_char *)ip,
+- caplen - PFLOG_HDRLEN);
+-- } else {
+-+ }
+-+#ifdef INET6
+-+ else {
+- ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN);
+- ip6_print((const u_char *)ip6, length);
+- if (xflag)
+- default_print((const u_char *)ip6,
+- caplen - PFLOG_HDRLEN);
+- }
+-+#endif
++--- Makefile.orig Sat Sep 27 10:17:32 2003
+++++ Makefile Sat Sep 27 10:17:46 2003
++@@ -6,7 +6,7 @@
++ SUBDIR= libpcap
++ .endif
++
++-SUBDIR+= pfctl authpf ftp-proxy man pf pflog pfsync
+++SUBDIR+= pfctl ftp-proxy man pf pflog pfsync
++
++ .include "include/mk/util.mk"
+
+- out:
+- putchar('\n');
+-
+-
+diff -ruN /usr/ports/security/pf/files/patch-ab pf/files/patch-ab
+--- /usr/ports/security/pf/files/patch-ab Wed Jun 18 06:46:34 2003
++++ pf/files/patch-ab Sat Sep 27 10:41:00 2003
+@@ -1,70 +1,11 @@
+---- pf/pf_support.h Mon Apr 14 05:54:15 2003
+-+++ pf/pf_support.h Tue Jun 17 14:26:33 2003
+-@@ -16,10 +16,16 @@
+- * Original numbers changed from 11, 12, 13.
+- * sys/mbuf.h
+- */
+--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
+--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
+--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
+--#define PACKET_TAG_PF_QID 22 /* PF queue id */
+-+#if defined(PACKET_TAG_MACLABEL)
+-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
+-+#else
+-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
+-+#endif
+-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
+-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
+-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
+-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
+-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
++--- pfctl/pfctl_parser.h.orig Sat Sep 27 10:39:47 2003
+++++ pfctl/pfctl_parser.h Sat Sep 27 10:40:21 2003
++@@ -33,7 +33,7 @@
++ #ifndef _PFCTL_PARSER_H_
++ #define _PFCTL_PARSER_H_
+
+- /*
+- * sys/limits.h
+---- pfaltq/pf_support.h Mon Apr 14 06:04:19 2003
+-+++ pfaltq/pf_support.h Tue Jun 17 14:26:34 2003
+-@@ -16,10 +16,16 @@
+- * Original numbers changed from 11, 12, 13.
+- * sys/mbuf.h
+- */
+--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
+--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
+--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
+--#define PACKET_TAG_PF_QID 22 /* PF queue id */
+-+#if defined(PACKET_TAG_MACLABEL)
+-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
+-+#else
+-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
+-+#endif
+-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
+-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
+-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
+-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
+-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
++-#define PF_OSFP_FILE "/etc/pf.os"
+++#define PF_OSFP_FILE "%%PREFIX%%/etc/pf.os"
+
+- /*
+- * sys/limits.h
+---- pfctl/pf_support.h Mon Apr 14 05:55:07 2003
+-+++ pfctl/pf_support.h Tue Jun 17 14:26:34 2003
+-@@ -16,10 +16,16 @@
+- * Original numbers changed from 11, 12, 13.
+- * sys/mbuf.h
+- */
+--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */
+--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */
+--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */
+--#define PACKET_TAG_PF_QID 22 /* PF queue id */
+-+#if defined(PACKET_TAG_MACLABEL)
+-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL)
+-+#else
+-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD)
+-+#endif
+-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1)
+-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2)
+-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3)
+-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4)
+-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5)
+-
+- /*
+- * sys/limits.h
+-
++ #define PF_OPT_DISABLE 0x0001
++ #define PF_OPT_ENABLE 0x0002
+diff -ruN /usr/ports/security/pf/files/patch-ac pf/files/patch-ac
+--- /usr/ports/security/pf/files/patch-ac Wed Jun 18 06:46:34 2003
++++ pf/files/patch-ac Sun Sep 28 14:04:09 2003
+@@ -1,29 +1,24 @@
+---- pf/pf.c Wed May 7 09:33:21 2003
+-+++ pf/pf.c Tue Jun 17 17:02:08 2003
+-@@ -2837,6 +2837,7 @@
+- /* check incoming packet for BINAT/RDR */
+- if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto,
+- saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) {
+-+ PF_ACPY(&baddr, daddr, af);
+- switch (af) {
+- #ifdef INET
+- case AF_INET:
+-@@ -3179,7 +3180,7 @@
+- /* Retrans: not more than one window back */
+- (ackskew >= -MAXACKWINDOW) &&
+- /* Acking not more than one window back */
+-- (ackskew <= MAXACKWINDOW)) {
+-+ (ackskew <= (MAXACKWINDOW << sws))) {
+- /* Acking not more than one window forward */
+-
+- (*state)->packets++;
+-@@ -3346,7 +3347,7 @@
+- SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
+- ' ': '2',
+- (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
+-- (ackskew <= MAXACKWINDOW) ? ' ' : '4',
+-+ (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
+- SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
+- SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
+- }
+-
++--- pf/pf_ioctl.c.orig Sun Sep 28 15:00:08 2003
+++++ pf/pf_ioctl.c Sun Sep 28 15:00:16 2003
++@@ -201,7 +201,7 @@
++ /* psize */ nopsize,
++ /* flags */ 0,
++ /* kqfilter */ nokqfilter,
++-#else
+++#elif (__FreeBSD_version < 501109)
++ .d_open = pfopen,
++ .d_close = pfclose,
++ .d_read = noread,
++@@ -215,6 +215,12 @@
++ .d_dump = nodump,
++ .d_flags = 0,
++ .d_kqfilter = nokqfilter,
+++#else
+++ .d_open = pfopen,
+++ .d_close = pfclose,
+++ .d_ioctl = pfioctl,
+++ .d_name = PF_NAME,
+++ .d_flags = 0,
++ #endif
++ };
++ #endif /* __FreeBSD__ */
+diff -ruN /usr/ports/security/pf/files/patch-ad pf/files/patch-ad
+--- /usr/ports/security/pf/files/patch-ad Thu Jun 26 18:20:13 2003
++++ pf/files/patch-ad Thu Jan 1 01:00:00 1970
+@@ -1,161 +0,0 @@
+---- pfctl/pfctl.c Sat Jun 21 17:29:45 2003
+-+++ pfctl/pfctl.c Sat Jun 21 18:31:19 2003
+-@@ -46,6 +46,7 @@
+- #include <err.h>
+- #include <errno.h>
+- #include <fcntl.h>
+-+#include <inttypes.h>
+- #include <limits.h>
+- #include <netdb.h>
+- #include <stdio.h>
+-@@ -565,8 +566,8 @@
+- rule->qname, rule->qid, rule->pqname, rule->pqid);
+- }
+- if (opts & PF_OPT_VERBOSE)
+-- printf("[ Evaluations: %-8llu Packets: %-8llu "
+-- "Bytes: %-10llu States: %-6u]\n\n",
+-+ printf("[ Evaluations: %-8"PRIu64" Packets: %-8"PRIu64" "
+-+ "Bytes: %-10"PRIu64" States: %-6u]\n\n",
+- rule->evaluations, rule->packets,
+- rule->bytes, rule->states);
+- }
+-@@ -630,7 +631,7 @@
+- case 1:
+- if (pr.rule.label[0]) {
+- printf("%s ", pr.rule.label);
+-- printf("%llu %llu %llu\n",
+-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n",
+- pr.rule.evaluations, pr.rule.packets,
+- pr.rule.bytes);
+- }
+-@@ -662,7 +663,7 @@
+- case 1:
+- if (pr.rule.label[0]) {
+- printf("%s ", pr.rule.label);
+-- printf("%llu %llu %llu\n",
+-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n",
+- pr.rule.evaluations, pr.rule.packets,
+- pr.rule.bytes);
+- }
+---- pfctl/pfctl_parser.c Sat Jun 21 17:29:45 2003
+-+++ pfctl/pfctl_parser.c Sat Jun 21 18:32:00 2003
+-@@ -49,6 +49,7 @@
+- #include <stdarg.h>
+- #include <errno.h>
+- #include <err.h>
+-+#include <inttypes.h>
+- #include <ifaddrs.h>
+-
+- #if defined(__FreeBSD__)
+-@@ -503,29 +504,29 @@
+- if (s->ifname[0] != 0) {
+- printf("Interface Stats for %-16s %5s %16s\n",
+- s->ifname, "IPv4", "IPv6");
+-- printf(" %-25s %14llu %16llu\n", "Bytes In",
+-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes In",
+- s->bcounters[0][0], s->bcounters[1][0]);
+-- printf(" %-25s %14llu %16llu\n", "Bytes Out",
+-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes Out",
+- s->bcounters[0][1], s->bcounters[1][1]);
+- printf(" Packets In\n");
+-- printf(" %-23s %14llu %16llu\n", "Passed",
+-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed",
+- s->pcounters[0][0][PF_PASS],
+- s->pcounters[1][0][PF_PASS]);
+-- printf(" %-23s %14llu %16llu\n", "Blocked",
+-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Blocked",
+- s->pcounters[0][0][PF_DROP],
+- s->pcounters[1][0][PF_DROP]);
+- printf(" Packets Out\n");
+-- printf(" %-23s %14llu %16llu\n", "Passed",
+-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed",
+- s->pcounters[0][1][PF_PASS],
+- s->pcounters[1][1][PF_PASS]);
+-- printf(" %-23s %14llu %16llu\n\n", "Blocked",
+-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n\n", "Blocked",
+- s->pcounters[0][1][PF_DROP],
+- s->pcounters[1][1][PF_DROP]);
+- }
+- printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
+- printf(" %-25s %14u %14s\n", "current entries", s->states, "");
+- for (i = 0; i < FCNT_MAX; i++) {
+-- printf(" %-25s %14lld ", pf_fcounters[i],
+-+ printf(" %-25s %14"PRId64" ", pf_fcounters[i],
+- s->fcounters[i]);
+- if (runtime > 0)
+- printf("%14.1f/s\n",
+-@@ -535,7 +536,7 @@
+- }
+- printf("Counters\n");
+- for (i = 0; i < PFRES_MAX; i++) {
+-- printf(" %-25s %14lld ", pf_reasons[i],
+-+ printf(" %-25s %14"PRId64" ", pf_reasons[i],
+- s->counters[i]);
+- if (runtime > 0)
+- printf("%14.1f/s\n",
+---- pfctl/pfctl_qstats.c Sat Jun 21 17:29:45 2003
+-+++ pfctl/pfctl_qstats.c Sat Jun 21 18:32:19 2003
+-@@ -40,6 +40,7 @@
+- #include <arpa/inet.h>
+-
+- #include <err.h>
+-+#include <inttypes.h>
+- #include <stdio.h>
+- #include <stdlib.h>
+- #include <string.h>
+-@@ -280,8 +281,8 @@
+- {
+- double interval;
+-
+-- printf("[ pkts: %10llu bytes: %10llu "
+-- "dropped pkts: %6llu bytes: %6llu ]\n",
+-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" "
+-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n",
+- cur.data.cbq_stats.xmit_cnt.packets,
+- cur.data.cbq_stats.xmit_cnt.bytes,
+- cur.data.cbq_stats.drop_cnt.packets,
+-@@ -306,8 +307,8 @@
+- {
+- double interval;
+-
+-- printf("[ pkts: %10llu bytes: %10llu "
+-- "dropped pkts: %6llu bytes: %6llu ]\n",
+-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" "
+-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n",
+- cur.data.priq_stats.xmitcnt.packets,
+- cur.data.priq_stats.xmitcnt.bytes,
+- cur.data.priq_stats.dropcnt.packets,
+---- pfctl/pfctl_table.c Sat Jun 21 17:29:45 2003
+-+++ pfctl/pfctl_table.c Sat Jun 21 18:32:36 2003
+-@@ -42,6 +42,7 @@
+- #include <ctype.h>
+- #include <err.h>
+- #include <errno.h>
+-+#include <inttypes.h>
+- #include <netdb.h>
+- #include <stdarg.h>
+- #include <stdio.h>
+-@@ -363,11 +364,11 @@
+- printf("\tAddresses: %d\n", ts->pfrts_cnt);
+- printf("\tReferences: %d\n", ts->pfrts_refcnt);
+- printf("\tCleared: %s", ctime(&time));
+-- printf("\tEvaluations: [ NoMatch: %-18llu Match: %-18llu ]\n",
+-+ printf("\tEvaluations: [ NoMatch: %-18"PRIu64" Match: %-18"PRIu64" ]\n",
+- ts->pfrts_nomatch, ts->pfrts_match);
+- for (dir = 0; dir < PFR_DIR_MAX; dir++)
+- for (op = 0; op < PFR_OP_TABLE_MAX; op++)
+-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
+-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n",
+- stats_text[dir][op],
+- ts->pfrts_packets[dir][op],
+- ts->pfrts_bytes[dir][op]);
+-@@ -541,7 +542,7 @@
+- printf("\tCleared: %s", ctime(&time));
+- for (dir = 0; dir < PFR_DIR_MAX; dir++)
+- for (op = 0; op < PFR_OP_ADDR_MAX; op++)
+-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
+-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n",
+- stats_text[dir][op],
+- as->pfras_packets[dir][op],
+- as->pfras_bytes[dir][op]);
+-
+diff -ruN /usr/ports/security/pf/files/patch-ae pf/files/patch-ae
+--- /usr/ports/security/pf/files/patch-ae Fri Jul 4 03:28:53 2003
++++ pf/files/patch-ae Thu Jan 1 01:00:00 1970
+@@ -1,13 +0,0 @@
+---- pf/pf_norm.c 7 Apr 2003 15:31:41 -0000 1.2
+-+++ pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1
+-@@ -747,6 +747,9 @@
+- */
+- #if defined(__FreeBSD__)
+- *m0 = m_dup(m, M_NOWAIT);
+-+ /* From KAME Project : We have missed this! */
+-+ m_adj(*m0, (h->ip_hl << 2) -
+-+ (*m0)->m_pkthdr.len);
+- #else
+- *m0 = m_copym2(m, 0, h->ip_hl << 2, M_NOWAIT);
+- #endif
+-
+diff -ruN /usr/ports/security/pf/files/patch-af pf/files/patch-af
+--- /usr/ports/security/pf/files/patch-af Fri Jul 18 03:51:24 2003
++++ pf/files/patch-af Thu Jan 1 01:00:00 1970
+@@ -1,19 +0,0 @@
+---- pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1
+-+++ pf/pf_norm.c 14 Jul 2003 07:11:17 -0000 1.2.16.2
+-@@ -1050,12 +1050,12 @@
+- goto bad;
+- }
+-
+-- max = fragoff + ip_len;
+- /* Respect maximum length */
+-- if (max > IP_MAXPACKET) {
+-- DPFPRINTF(("max packet %d\n", max));
+-+ if (fragoff + ip_len > IP_MAXPACKET) {
+-+ DPFPRINTF(("max packet %d\n", fragoff + ip_len));
+- goto bad;
+- }
+-+ max = fragoff + ip_len;
+-
+- if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) {
+- /* Fully buffer all of the fragments */
+-
+diff -ruN /usr/ports/security/pf/files/patch-ag pf/files/patch-ag
+--- /usr/ports/security/pf/files/patch-ag Fri Aug 29 05:14:03 2003
++++ pf/files/patch-ag Thu Jan 1 01:00:00 1970
+@@ -1,383 +0,0 @@
+---- pf/pf_norm.c Fri Aug 29 03:31:24 2003
+-+++ pf/pf_norm.c Fri Aug 29 03:40:58 2003
+-@@ -117,10 +117,10 @@
+- void pf_flush_fragments(void);
+- void pf_free_fragment(struct pf_fragment *);
+- struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *);
+--struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment *,
+-+struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **,
+- struct pf_frent *, int);
+- struct mbuf *pf_fragcache(struct mbuf **, struct ip*,
+-- struct pf_fragment *, int, int, int *);
+-+ struct pf_fragment **, int, int, int *);
+- u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t);
+- int pf_normalize_tcp(int, struct ifnet *, struct mbuf *,
+- int, int, void *, struct pf_pdesc *);
+-@@ -385,7 +385,7 @@
+- }
+-
+- struct mbuf *
+--pf_reassemble(struct mbuf **m0, struct pf_fragment *frag,
+-+pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
+- struct pf_frent *frent, int mff)
+- {
+- struct mbuf *m = *m0, *m2;
+-@@ -397,10 +397,10 @@
+- u_int16_t max = ip->ip_len + off;
+-
+- #if defined(__FreeBSD__)
+-- KASSERT((frag == NULL || BUFFER_FRAGMENTS(frag)),
+-- ("! (frag == NULL || BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__));
+-+ KASSERT((*frag == NULL || BUFFER_FRAGMENTS(*frag)),
+-+ ("! (*frag == NULL || BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__));
+- #else
+-- KASSERT(frag == NULL || BUFFER_FRAGMENTS(frag));
+-+ KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag));
+- #endif
+-
+- /* Strip off ip header */
+-@@ -408,38 +408,38 @@
+- m->m_len -= hlen;
+-
+- /* Create a new reassembly queue for this packet */
+-- if (frag == NULL) {
+-+ if (*frag == NULL) {
+- #if defined(__FreeBSD__)
+-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
+-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
+- #else
+-- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+- #endif
+-- if (frag == NULL) {
+-+ if (*frag == NULL) {
+- pf_flush_fragments();
+- #if defined(__FreeBSD__)
+-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
+-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT);
+- #else
+-- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+- #endif
+-- if (frag == NULL)
+-+ if (*frag == NULL)
+- goto drop_fragment;
+- }
+-
+-- frag->fr_flags = 0;
+-- frag->fr_max = 0;
+-- frag->fr_src = frent->fr_ip->ip_src;
+-- frag->fr_dst = frent->fr_ip->ip_dst;
+-- frag->fr_p = frent->fr_ip->ip_p;
+-- frag->fr_id = frent->fr_ip->ip_id;
+-+ (*frag)->fr_flags = 0;
+-+ (*frag)->fr_max = 0;
+-+ (*frag)->fr_src = frent->fr_ip->ip_src;
+-+ (*frag)->fr_dst = frent->fr_ip->ip_dst;
+-+ (*frag)->fr_p = frent->fr_ip->ip_p;
+-+ (*frag)->fr_id = frent->fr_ip->ip_id;
+- #if defined(__FreeBSD__)
+-- frag->fr_timeout = time_second;
+-+ (*frag)->fr_timeout = time_second;
+- #else
+-- frag->fr_timeout = time.tv_sec;
+-+ (*frag)->fr_timeout = time.tv_sec;
+- #endif
+-- LIST_INIT(&frag->fr_queue);
+-+ LIST_INIT(&(*frag)->fr_queue);
+-
+-- RB_INSERT(pf_frag_tree, &pf_frag_tree, frag);
+-- TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next);
+-+ RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag);
+-+ TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next);
+-
+- /* We do not have a previous fragment */
+- frep = NULL;
+-@@ -450,7 +450,7 @@
+- * Find a fragment after the current one:
+- * - off contains the real shifted offset.
+- */
+-- LIST_FOREACH(frea, &frag->fr_queue, fr_next) {
+-+ LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) {
+- if (frea->fr_ip->ip_off > off)
+- break;
+- frep = frea;
+-@@ -503,41 +503,41 @@
+-
+- insert:
+- /* Update maximum data size */
+-- if (frag->fr_max < max)
+-- frag->fr_max = max;
+-+ if ((*frag)->fr_max < max)
+-+ (*frag)->fr_max = max;
+- /* This is the last segment */
+- if (!mff)
+-- frag->fr_flags |= PFFRAG_SEENLAST;
+-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
+-
+- if (frep == NULL)
+-- LIST_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
+-+ LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next);
+- else
+- LIST_INSERT_AFTER(frep, frent, fr_next);
+-
+- /* Check if we are completely reassembled */
+-- if (!(frag->fr_flags & PFFRAG_SEENLAST))
+-+ if (!((*frag)->fr_flags & PFFRAG_SEENLAST))
+- return (NULL);
+-
+- /* Check if we have all the data */
+- off = 0;
+-- for (frep = LIST_FIRST(&frag->fr_queue); frep; frep = next) {
+-+ for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) {
+- next = LIST_NEXT(frep, fr_next);
+-
+- off += frep->fr_ip->ip_len;
+-- if (off < frag->fr_max &&
+-+ if (off < (*frag)->fr_max &&
+- (next == NULL || next->fr_ip->ip_off != off)) {
+- DPFPRINTF(("missing fragment at %d, next %d, max %d\n",
+- off, next == NULL ? -1 : next->fr_ip->ip_off,
+-- frag->fr_max));
+-+ (*frag)->fr_max));
+- return (NULL);
+- }
+- }
+-- DPFPRINTF(("%d < %d?\n", off, frag->fr_max));
+-- if (off < frag->fr_max)
+-+ DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max));
+-+ if (off < (*frag)->fr_max)
+- return (NULL);
+-
+- /* We have all the data */
+-- frent = LIST_FIRST(&frag->fr_queue);
+-+ frent = LIST_FIRST(&(*frag)->fr_queue);
+- #if defined(__FreeBSD__)
+- KASSERT((frent != NULL), ("frent == NULL: %s", __FUNCTION__));
+- #else
+-@@ -545,7 +545,8 @@
+- #endif
+- if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) {
+- DPFPRINTF(("drop: too big: %d\n", off));
+-- pf_free_fragment(frag);
+-+ pf_free_fragment(*frag);
+-+ *frag = NULL;
+- return (NULL);
+- }
+- next = LIST_NEXT(frent, fr_next);
+-@@ -575,11 +576,12 @@
+- m_cat(m, m2);
+- }
+-
+-- ip->ip_src = frag->fr_src;
+-- ip->ip_dst = frag->fr_dst;
+-+ ip->ip_src = (*frag)->fr_src;
+-+ ip->ip_dst = (*frag)->fr_dst;
+-
+- /* Remove from fragment queue */
+-- pf_remove_fragment(frag);
+-+ pf_remove_fragment(*frag);
+-+ *frag = NULL;
+-
+- hlen = ip->ip_hl << 2;
+- ip->ip_len = off + hlen;
+-@@ -611,7 +613,7 @@
+- }
+-
+- struct mbuf *
+--pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment *frag, int mff,
+-+pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff,
+- int drop, int *nomem)
+- {
+- struct mbuf *m = *m0;
+-@@ -622,27 +624,27 @@
+- int hosed = 0;
+-
+- #if defined(__FreeBSD__)
+-- KASSERT((frag == NULL || !BUFFER_FRAGMENTS(frag)),
+-- ("!(frag == NULL || !BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__));
+-+ KASSERT((*frag == NULL || !BUFFER_FRAGMENTS(*frag)),
+-+ ("!(*frag == NULL || !BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__));
+- #else
+-- KASSERT(frag == NULL || !BUFFER_FRAGMENTS(frag));
+-+ KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag));
+- #endif
+-
+- /* Create a new range queue for this packet */
+-- if (frag == NULL) {
+-+ if (*frag == NULL) {
+- #if defined(__FreeBSD__)
+-- frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
+-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
+- #else
+-- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+- #endif
+-- if (frag == NULL) {
+-+ if (*frag == NULL) {
+- pf_flush_fragments();
+- #if defined(__FreeBSD__)
+-- frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
+-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT);
+- #else
+-- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+- #endif
+-- if (frag == NULL)
+-+ if (*frag == NULL)
+- goto no_mem;
+- }
+-
+-@@ -654,33 +656,34 @@
+- #endif
+- if (cur == NULL) {
+- #if defined(__FreeBSD__)
+-- uma_zfree(pf_cache_pl, frag);
+-+ uma_zfree(pf_cache_pl, *frag);
+- #else
+-- pool_put(&pf_cache_pl, frag);
+-+ pool_put(&pf_cache_pl, *frag);
+- #endif
+-+ *frag = NULL;
+- goto no_mem;
+- }
+- pf_ncache++;
+-
+-- frag->fr_flags = PFFRAG_NOBUFFER;
+-- frag->fr_max = 0;
+-- frag->fr_src = h->ip_src;
+-- frag->fr_dst = h->ip_dst;
+-- frag->fr_p = h->ip_p;
+-- frag->fr_id = h->ip_id;
+-+ (*frag)->fr_flags = PFFRAG_NOBUFFER;
+-+ (*frag)->fr_max = 0;
+-+ (*frag)->fr_src = h->ip_src;
+-+ (*frag)->fr_dst = h->ip_dst;
+-+ (*frag)->fr_p = h->ip_p;
+-+ (*frag)->fr_id = h->ip_id;
+- #if defined(__FreeBSD__)
+-- frag->fr_timeout = time_second;
+-+ (*frag)->fr_timeout = time_second;
+- #else
+-- frag->fr_timeout = time.tv_sec;
+-+ (*frag)->fr_timeout = time.tv_sec;
+- #endif
+-
+- cur->fr_off = off;
+- cur->fr_end = max;
+-- LIST_INIT(&frag->fr_cache);
+-- LIST_INSERT_HEAD(&frag->fr_cache, cur, fr_next);
+-+ LIST_INIT(&(*frag)->fr_cache);
+-+ LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next);
+-
+-- RB_INSERT(pf_frag_tree, &pf_cache_tree, frag);
+-- TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next);
+-+ RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag);
+-+ TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next);
+-
+- DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max));
+-
+-@@ -692,7 +695,7 @@
+- * - off contains the real shifted offset.
+- */
+- frp = NULL;
+-- LIST_FOREACH(fra, &frag->fr_cache, fr_next) {
+-+ LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) {
+- if (fra->fr_off > off)
+- break;
+- frp = fra;
+-@@ -929,21 +932,22 @@
+-
+- pass:
+- /* Update maximum data size */
+-- if (frag->fr_max < max)
+-- frag->fr_max = max;
+-+ if ((*frag)->fr_max < max)
+-+ (*frag)->fr_max = max;
+-
+- /* This is the last segment */
+- if (!mff)
+-- frag->fr_flags |= PFFRAG_SEENLAST;
+-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
+-
+- /* Check if we are completely reassembled */
+-- if ((frag->fr_flags & PFFRAG_SEENLAST) &&
+-- LIST_FIRST(&frag->fr_cache)->fr_off == 0 &&
+-- LIST_FIRST(&frag->fr_cache)->fr_end == frag->fr_max) {
+-+ if (((*frag)->fr_flags & PFFRAG_SEENLAST) &&
+-+ LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 &&
+-+ LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) {
+- /* Remove from fragment queue */
+- DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id,
+-- frag->fr_max));
+-- pf_free_fragment(frag);
+-+ (*frag)->fr_max));
+-+ pf_free_fragment(*frag);
+-+ *frag = NULL;
+- }
+-
+- return (m);
+-@@ -952,8 +956,8 @@
+- *nomem = 1;
+-
+- /* Still need to pay attention to !IP_MF */
+-- if (!mff && frag)
+-- frag->fr_flags |= PFFRAG_SEENLAST;
+-+ if (!mff && *frag != NULL)
+-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
+-
+- m_freem(m);
+- return (NULL);
+-@@ -961,15 +965,15 @@
+- drop_fragment:
+-
+- /* Still need to pay attention to !IP_MF */
+-- if (!mff && frag)
+-- frag->fr_flags |= PFFRAG_SEENLAST;
+-+ if (!mff && *frag != NULL)
+-+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
+-
+- if (drop) {
+- /* This fragment has been deemed bad. Don't reass */
+-- if ((frag->fr_flags & PFFRAG_DROP) == 0)
+-+ if (((*frag)->fr_flags & PFFRAG_DROP) == 0)
+- DPFPRINTF(("fragcache[%d]: dropping overall fragment\n",
+- h->ip_id));
+-- frag->fr_flags |= PFFRAG_DROP;
+-+ (*frag)->fr_flags |= PFFRAG_DROP;
+- }
+-
+- m_freem(m);
+-@@ -1085,12 +1089,12 @@
+-
+- /* Might return a completely reassembled mbuf, or NULL */
+- DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
+-- *m0 = m = pf_reassemble(m0, frag, frent, mff);
+-+ *m0 = m = pf_reassemble(m0, &frag, frent, mff);
+-
+- if (m == NULL)
+- return (PF_DROP);
+-
+-- if (frag && (frag->fr_flags & PFFRAG_DROP))
+-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
+- goto drop;
+-
+- h = mtod(m, struct ip *);
+-@@ -1119,7 +1123,7 @@
+- goto bad;
+- }
+-
+-- *m0 = m = pf_fragcache(m0, h, frag, mff,
+-+ *m0 = m = pf_fragcache(m0, h, &frag, mff,
+- (r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem);
+- if (m == NULL) {
+- if (nomem)
+-@@ -1135,7 +1139,7 @@
+- goto no_mem;
+- m_tag_prepend(m, mtag);
+- }
+-- if (frag && (frag->fr_flags & PFFRAG_DROP))
+-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
+- goto drop;
+- goto fragment_pass;
+- }
+diff -ruN /usr/ports/security/pf/files/pf.conf.default pf/files/pf.conf.default
+--- /usr/ports/security/pf/files/pf.conf.default Fri Jun 13 03:09:29 2003
++++ pf/files/pf.conf.default Sat Sep 27 09:51:28 2003
+@@ -1,4 +1,4 @@
+-# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
++# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
+ #
+ # See pf.conf(5) and /usr/share/pf for syntax and examples.
+ # Required order: options, normalization, queueing, translation, filtering.
+@@ -15,17 +15,19 @@
+ #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
+
+ # Options: tune the behavior of pf, default values are given.
+-#set timeout { interval 30, frag 10 }
++#set timeout { interval 10, frag 30 }
+ #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
+ #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
+ #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
+ #set timeout { icmp.first 20, icmp.error 10 }
+ #set timeout { other.first 60, other.single 30, other.multiple 60 }
++#set timeout { adaptive.start 0, adaptive.end 0 }
+ #set limit { states 10000, frags 5000 }
+ #set loginterface none
+ #set optimization normal
+ #set block-policy drop
+ #set require-order yes
++#set fingerprints "/etc/pf.os"
+
+ # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
+ #scrub in all
+diff -ruN /usr/ports/security/pf/files/pf.os.default pf/files/pf.os.default
+--- /usr/ports/security/pf/files/pf.os.default Thu Jan 1 01:00:00 1970
++++ pf/files/pf.os.default Sat Sep 27 09:50:08 2003
+@@ -0,0 +1,551 @@
++# $OpenBSD: pf.os,v 1.10 2003/09/06 01:37:07 frantzen Exp $
++# passive OS fingerprinting
++# -------------------------
++#
++# SYN signatures. Those signatures work for SYN packets only (duh!).
++#
++# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
++# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
++#
++# Permission to use, copy, modify, and distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++#
++#
++# This fingerprint database is adapted from Michal Zalewski's p0f passive
++# operating system package.
++#
++#
++# Each line in this file specifies a single fingerprint. Please read the
++# information below carefully before attempting to append any signatures
++# reported as UNKNOWN to this file to avoid mistakes.
++#
++# We use the following set metrics for fingerprinting:
++#
++# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
++# performance control (max. amount of data to be sent without ACK).
++# Some systems use a fixed value for initial packets. On other
++# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
++# cases, the value is just arbitrary.
++#
++# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
++# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
++# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
++# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
++# literally. If you know this device has a simple stack and a fixed
++# MTU, you can however multiply S value by MSS, or T value by MSS+40,
++# and put it instead of Snn or Tnn.
++#
++# If WSS otherwise looks like a fixed value (for example a multiple
++# of two), or if you can confirm the value is fixed, please quote
++# it literally. If there's no apparent pattern in WSS chosen, you
++# should consider wildcarding this value.
++#
++# - Overall packet size - a function of all IP and TCP options and bugs.
++#
++# NEW SIGNATURE: Copy this value literally.
++#
++# - Initial TTL - We check the actual TTL of a received packet. It can't
++# be higher than the initial TTL, and also shouldn't be dramatically
++# lower (maximum distance is defined as 40 hops).
++#
++# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
++# You need to determine the initial TTL. The best way to do it is to
++# check the documentation for a remote system, or check its settings.
++# A fairly good method is to simply round the observed TTL up to
++# 32, 64, 128, or 255, but it should be noted that some obscure devices
++# might not use round TTLs (in particular, some shoddy appliances use
++# "original" initial TTL settings). If not sure, you can see how many
++# hops you're away from the remote party with traceroute or mtr.
++#
++# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
++# discovery. Others do not bother.
++#
++# NEW SIGNATURE: Copy this value literally.
++#
++# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
++# uses it to determine link type of the remote host.
++#
++# NEW SIGNATURE: Always wildcard this value, except for rare cases when
++# you have an appliance with a fixed value, know the system supports only
++# a very limited number of network interface types, or know the system
++# is using a value it pulled out of nowhere. Specific unique MSS
++# can be used to tell Google crawlbots from the rest of the population.
++#
++# - Window scaling (WSCALE) - this feature is used to scale WSS.
++# It extends the size of a TCP/IP window to 32 bits. Some modern
++# systems implement this feature.
++#
++# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
++# to zero or other low value. There's usually no need to wildcard this
++# parameter.
++#
++# - Timestamp - some systems that implement timestamps set them to
++# zero in the initial SYN. This case is detected and handled appropriately.
++#
++# - Selective ACK permitted - a flag set by systems that implement
++# selective ACK functionality.
++#
++# - The sequence of TCP all options (MSS, window scaling, selective ACK
++# permitted, timestamp, NOP). Other than the options previously
++# discussed, p0f also checks for timestamp option (a silly
++# extension to broadcast your uptime ;-), NOP options (used for
++# header padding) and sackOK option (selective ACK feature).
++#
++# NEW SIGNATURE: Copy the sequence literally.
++#
++# To wildcard any value (except for initial TTL or TCP options), replace
++# it with '*'. You can also use a modulo operator to match any values
++# that divide by nnn - '%nnn'.
++#
++# Fingerprint entry format:
++#
++# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
++#
++# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
++# "S" and "T" which are a multiple of MSS or a multiple of MTU
++# respectively.
++# ttt - initial TTL
++# D - don't fragment bit (0 - not set, 1 - set)
++# ss - overall SYN packet size
++# OOO - option value and order specification (see below)
++# OS - OS genre (Linux, Solaris, Windows)
++# Version - OS Version (2.0.27 on x86, etc)
++# Subtype - OS subtype or patchlevel (SP3, lo0)
++# details - Generic OS details
++#
++# If OS genre starts with '*', p0f will not show distance, link type
++# and timestamp data. It is useful for userland TCP/IP stacks of
++# network scanners and so on, where many settings are randomized or
++# bogus.
++#
++# If OS genre starts with @, it denotes an approximate hit for a group
++# of operating systems (signature reporting still enabled in this case).
++# Use this feature at the end of this file to catch cases for which
++# you don't have a precise match, but can tell it's Windows or FreeBSD
++# or whatnot by looking at, say, flag layout alone.
++#
++# Option block description is a list of comma or space separated
++# options in the order they appear in the packet:
++#
++# N - NOP option
++# Wnnn - window scaling option, value nnn (or * or %nnn)
++# Mnnn - maximum segment size option, value nnn (or * or %nnn)
++# S - selective ACK OK
++# T - timestamp
++# T0 - timestamp with a zero value
++#
++# To denote no TCP options, use a single '.'.
++#
++# Please report any additions to this file, or any inaccuracies or
++# problems spotted, to the maintainers: lcamtuf@coredump.cx,
++# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
++# capture of the relevant SYN packet(s)
++#
++# WARNING WARNING WARNING
++# -----------------------
++#
++# Do not add a system X as OS Y just because NMAP says so. It is often
++# the case that X is a NAT firewall. While nmap is talking to the
++# device itself, p0f is fingerprinting the guy behind the firewall
++# instead.
++#
++# When in doubt, use common sense, don't add something that looks like
++# a completely different system as Linux or FreeBSD or LinkSys router.
++# Check DNS name, establish a connection to the remote host and look
++# at SYN+ACK - does it look similar?
++#
++# Some users tweak their TCP/IP settings - enable or disable RFC1323
++# functionality, enable or disable timestamps or selective ACK,
++# disable PMTU discovery, change MTU and so on. Always compare a new rule
++# to other fingerprints for this system, and verify the system isn't
++# "customized" before adding it. It is OK to add signature variants
++# caused by a commonly used software (personal firewalls, security
++# packages, etc), but it makes no sense to try to add every single
++# possible /proc/sys/net/ipv4 tweak on Linux or so.
++#
++# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
++# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
++# normalize packets. Signatures will not correspond to the originating
++# system (and probably not quite to the firewall either).
++#
++# NOTE: Try to keep this file in some reasonable order, from most to
++# least likely systems. This will speed up operation. Also keep most
++# generic and broad rules near the end.
++#
++
++##########################
++# Standard OS signatures #
++##########################
++
++# ----------------- AIX ---------------------
++
++# AIX is first because its signatures are close to NetBSD, MacOS X and
++# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
++# This is a shoddy hack, though.
++
++16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
++
++16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
++16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
++32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
++32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
++65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
++65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
++65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
++
++# ----------------- Linux -------------------
++
++512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
++16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
++
++# Endian snafu! Nelson says "ha-ha":
++2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
++64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
++
++
++S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
++
++S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
++S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer
++S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6
++S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6
++
++S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5
++S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
++
++S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
++S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
++S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
++
++# Popular cluster config scripts disable timestamps and
++# selective ACK:
++S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
++
++# This needs to be investigated. On some systems, WSS
++# is selected as a multiple of MTU instead of MSS. I got
++# many submissions for this for many late versions of 2.4:
++T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
++
++# This happens only over loopback, but let's make folks happy:
++32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
++S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
++
++# Opera visitors:
++16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
++32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
++
++# Some fairly common mods:
++S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
++S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
++
++
++# ----------------- FreeBSD -----------------
++
++16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
++16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
++16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
++16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
++
++1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
++
++57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
++57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
++
++32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
++32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
++65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
++65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
++65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1
++65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1
++
++# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
++
++# ----------------- NetBSD ------------------
++
++65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
++16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
++16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
++16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
++65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
++
++# ----------------- OpenBSD -----------------
++
++16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
++16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
++16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
++57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
++57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)
++
++65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera)
++
++# ----------------- Solaris -----------------
++
++S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
++S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
++S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
++
++S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
++S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
++S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
++S44:255:1:44:M*: Solaris:2.7::Solaris 7
++
++# ----------------- IRIX --------------------
++
++49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
++61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
++49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
++49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
++
++61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
++49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
++
++# ----------------- Tru64 -------------------
++
++32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0
++32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
++8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
++
++# This looks awfully Linuxish :/
++# S22:64:0:60:M*,S,T,N,W0: Tru64:5.0:a:Tru64 5.0a
++
++61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
++
++
++# ----------------- OpenVMS -----------------
++
++6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
++
++# ----------------- MacOS -------------------
++
++16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
++16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
++32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2
++32768:64:0:60:M*,N,W0,N,N,T: MacOS:X:10.2:MacOS X 10.2
++
++# ----------------- Windows -----------------
++
++# Windows 95 - need more:
++
++8192:32:1:44:M*: Windows:95::Windows 95 (low TTL)
++
++# Windows 98 - plenty of silly signatures:
++S44:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL)
++8192:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL)
++
++%8192:64:1:48:M*,N,N,S: Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL)
++S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
++S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
++S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
++32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
++37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
++46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
++65535:64:1:44:M*: Windows:98:noSACK:Windows 98 (no sack)
++
++S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
++S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
++S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
++T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
++32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
++60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
++60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
++
++# Windows NT 4.0 - need more:
++
++64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
++8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
++6144:128:1:52:M*,W0,N,S,N,N: Windows:NT:4.0:Windows NT 4.0 (RFC1323)
++
++# Windows XP and 2000. Most of the signatures that were
++# either dubious or non-specific (no service pack data)
++# were deleted and replaced with generics at the end.
++
++65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
++%8192:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
++S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
++S6:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows XP SP1, 2000 SP4
++S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3
++
++S6:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1, 2000 SP4
++S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3
++64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
++32767:128:1:48:M1452,N,N,S: Windows:XP:SP1:Windows XP SP1
++65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
++%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
++
++# Odds, ends, mods:
++
++S52:128:1:48:M1260,N,N,S: Windows:XP:Cisco:Windows XP/2000 via Cisco
++S52:128:1:48:M1260,N,N,S: Windows:2000:Cisco:Windows XP/2000 via Cisco
++
++# HUNT DOWN:
++# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT)
++
++# ----------------- HP/UX -------------------
++
++32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
++32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
++32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
++32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
++
++# Whoa. Hardcore WSS.
++0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
++
++
++# ----------------- RiscOS ------------------
++
++# We don't yet support the ?12 TCP option
++#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
++
++# ----------------- BSD/OS ------------------
++
++# Once again, power of two WSS is also shared by MacOS X with DF set
++8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
++8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
++
++
++# ---------------- NewtonOS -----------------
++
++4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
++
++# ---------------- NeXTSTEP -----------------
++
++S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
++
++# ------------------ BeOS -------------------
++
++1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
++12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
++
++# ------------------ OS/400 -----------------
++
++8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
++8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
++4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
++
++
++# ------------------ ULTRIX -----------------
++
++16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
++
++# ------------------- QNX -------------------
++
++S16:64:0:44:M512: QNX:::QNX demodisk
++
++# ------------------ Novell -----------------
++
++16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
++6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
++
++# ----------------- SCO ------------------
++S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
++S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
++S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
++
++# ------------------- DOS -------------------
++
++2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
++
++###########################################
++# Appliance / embedded / other signatures #
++###########################################
++
++# ---------- Firewalls / routers ------------
++
++S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
++S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
++4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
++60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x
++
++# ------- Switches and other stuff ----------
++
++4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
++S8:255:0:44:M*: Cisco:12008::Cisco 12008
++60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
++64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
++
++
++# ---------- Caches and whatnots ------------
++
++S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
++
++32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
++16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
++65535:64:0:64:M1460,N,N,S,N,W3,N,N,T: NetApp:5.3:1:NetApp 5.3.1
++65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
++8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
++
++S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
++
++27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
++
++65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
++S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
++
++
++16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
++
++# ----------- Embedded systems --------------
++
++S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
++S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
++S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
++S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
++2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
++
++S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
++8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?)
++8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?)
++
++
++# Perhaps S4?
++5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
++
++32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
++
++S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
++
++4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
++
++S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
++
++
++
++####################
++# Fancy signatures #
++####################
++
++1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
++2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
++3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
++4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
++
++1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
++2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
++3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
++4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
++
++#####################################
++# Generic signatures - just in case #
++#####################################
++
++#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
++#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
++
++*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
++*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
++*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
++*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
++*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
++*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
++*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
++
++
+diff -ruN /usr/ports/security/pf/pkg-plist pf/pkg-plist
+--- /usr/ports/security/pf/pkg-plist Fri Jun 13 03:09:29 2003
++++ pf/pkg-plist Sat Sep 27 14:34:16 2003
+@@ -9,14 +9,26 @@
+ sbin/pfctl
+ sbin/pflogd
+ sbin/pftcpdump
+-sbin/pftop
+
+ etc/rc.d/pf.sh.sample
+ etc/pf.conf.default
++etc/pf.os
+
+ include/pf/net/pfvar.h
+ include/pf/net/if_pflog.h
+ include/pf/net/if_pfsync.h
++%%WITH_ALTQ%%include/pf/altq/altq.h
++%%WITH_ALTQ%%include/pf/altq/altq_cbq.h
++%%WITH_ALTQ%%include/pf/altq/altq_cdnr.h
++%%WITH_ALTQ%%include/pf/altq/altq_classq.h
++%%WITH_ALTQ%%include/pf/altq/altq_hfsc.h
++%%WITH_ALTQ%%include/pf/altq/altq_priq.h
++%%WITH_ALTQ%%include/pf/altq/altq_red.h
++%%WITH_ALTQ%%include/pf/altq/altq_rio.h
++%%WITH_ALTQ%%include/pf/altq/altq_rmclass.h
++%%WITH_ALTQ%%include/pf/altq/altq_rmclass_debug.h
++%%WITH_ALTQ%%include/pf/altq/altq_var.h
++%%WITH_ALTQ%%include/pf/altq/if_altq.h
+
+ @dirrm modules
+ @dirrm include/pf/net
diff --git a/security/pf/files/pf.conf.default b/security/pf/files/pf.conf.default
index 58923c97852c..3f3500737758 100644
--- a/security/pf/files/pf.conf.default
+++ b/security/pf/files/pf.conf.default
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
+# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
@@ -15,17 +15,19 @@
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# Options: tune the behavior of pf, default values are given.
-#set timeout { interval 30, frag 10 }
+#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
+#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
diff --git a/security/pf/files/pf.os.default b/security/pf/files/pf.os.default
new file mode 100644
index 000000000000..90b42eac57d6
--- /dev/null
+++ b/security/pf/files/pf.os.default
@@ -0,0 +1,551 @@
+# $OpenBSD: pf.os,v 1.10 2003/09/06 01:37:07 frantzen Exp $
+# passive OS fingerprinting
+# -------------------------
+#
+# SYN signatures. Those signatures work for SYN packets only (duh!).
+#
+# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+#
+# This fingerprint database is adapted from Michal Zalewski's p0f passive
+# operating system package.
+#
+#
+# Each line in this file specifies a single fingerprint. Please read the
+# information below carefully before attempting to append any signatures
+# reported as UNKNOWN to this file to avoid mistakes.
+#
+# We use the following set metrics for fingerprinting:
+#
+# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
+# performance control (max. amount of data to be sent without ACK).
+# Some systems use a fixed value for initial packets. On other
+# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
+# cases, the value is just arbitrary.
+#
+# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
+# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
+# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
+# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
+# literally. If you know this device has a simple stack and a fixed
+# MTU, you can however multiply S value by MSS, or T value by MSS+40,
+# and put it instead of Snn or Tnn.
+#
+# If WSS otherwise looks like a fixed value (for example a multiple
+# of two), or if you can confirm the value is fixed, please quote
+# it literally. If there's no apparent pattern in WSS chosen, you
+# should consider wildcarding this value.
+#
+# - Overall packet size - a function of all IP and TCP options and bugs.
+#
+# NEW SIGNATURE: Copy this value literally.
+#
+# - Initial TTL - We check the actual TTL of a received packet. It can't
+# be higher than the initial TTL, and also shouldn't be dramatically
+# lower (maximum distance is defined as 40 hops).
+#
+# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
+# You need to determine the initial TTL. The best way to do it is to
+# check the documentation for a remote system, or check its settings.
+# A fairly good method is to simply round the observed TTL up to
+# 32, 64, 128, or 255, but it should be noted that some obscure devices
+# might not use round TTLs (in particular, some shoddy appliances use
+# "original" initial TTL settings). If not sure, you can see how many
+# hops you're away from the remote party with traceroute or mtr.
+#
+# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
+# discovery. Others do not bother.
+#
+# NEW SIGNATURE: Copy this value literally.
+#
+# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
+# uses it to determine link type of the remote host.
+#
+# NEW SIGNATURE: Always wildcard this value, except for rare cases when
+# you have an appliance with a fixed value, know the system supports only
+# a very limited number of network interface types, or know the system
+# is using a value it pulled out of nowhere. Specific unique MSS
+# can be used to tell Google crawlbots from the rest of the population.
+#
+# - Window scaling (WSCALE) - this feature is used to scale WSS.
+# It extends the size of a TCP/IP window to 32 bits. Some modern
+# systems implement this feature.
+#
+# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
+# to zero or other low value. There's usually no need to wildcard this
+# parameter.
+#
+# - Timestamp - some systems that implement timestamps set them to
+# zero in the initial SYN. This case is detected and handled appropriately.
+#
+# - Selective ACK permitted - a flag set by systems that implement
+# selective ACK functionality.
+#
+# - The sequence of TCP all options (MSS, window scaling, selective ACK
+# permitted, timestamp, NOP). Other than the options previously
+# discussed, p0f also checks for timestamp option (a silly
+# extension to broadcast your uptime ;-), NOP options (used for
+# header padding) and sackOK option (selective ACK feature).
+#
+# NEW SIGNATURE: Copy the sequence literally.
+#
+# To wildcard any value (except for initial TTL or TCP options), replace
+# it with '*'. You can also use a modulo operator to match any values
+# that divide by nnn - '%nnn'.
+#
+# Fingerprint entry format:
+#
+# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
+#
+# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
+# "S" and "T" which are a multiple of MSS or a multiple of MTU
+# respectively.
+# ttt - initial TTL
+# D - don't fragment bit (0 - not set, 1 - set)
+# ss - overall SYN packet size
+# OOO - option value and order specification (see below)
+# OS - OS genre (Linux, Solaris, Windows)
+# Version - OS Version (2.0.27 on x86, etc)
+# Subtype - OS subtype or patchlevel (SP3, lo0)
+# details - Generic OS details
+#
+# If OS genre starts with '*', p0f will not show distance, link type
+# and timestamp data. It is useful for userland TCP/IP stacks of
+# network scanners and so on, where many settings are randomized or
+# bogus.
+#
+# If OS genre starts with @, it denotes an approximate hit for a group
+# of operating systems (signature reporting still enabled in this case).
+# Use this feature at the end of this file to catch cases for which
+# you don't have a precise match, but can tell it's Windows or FreeBSD
+# or whatnot by looking at, say, flag layout alone.
+#
+# Option block description is a list of comma or space separated
+# options in the order they appear in the packet:
+#
+# N - NOP option
+# Wnnn - window scaling option, value nnn (or * or %nnn)
+# Mnnn - maximum segment size option, value nnn (or * or %nnn)
+# S - selective ACK OK
+# T - timestamp
+# T0 - timestamp with a zero value
+#
+# To denote no TCP options, use a single '.'.
+#
+# Please report any additions to this file, or any inaccuracies or
+# problems spotted, to the maintainers: lcamtuf@coredump.cx,
+# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
+# capture of the relevant SYN packet(s)
+#
+# WARNING WARNING WARNING
+# -----------------------
+#
+# Do not add a system X as OS Y just because NMAP says so. It is often
+# the case that X is a NAT firewall. While nmap is talking to the
+# device itself, p0f is fingerprinting the guy behind the firewall
+# instead.
+#
+# When in doubt, use common sense, don't add something that looks like
+# a completely different system as Linux or FreeBSD or LinkSys router.
+# Check DNS name, establish a connection to the remote host and look
+# at SYN+ACK - does it look similar?
+#
+# Some users tweak their TCP/IP settings - enable or disable RFC1323
+# functionality, enable or disable timestamps or selective ACK,
+# disable PMTU discovery, change MTU and so on. Always compare a new rule
+# to other fingerprints for this system, and verify the system isn't
+# "customized" before adding it. It is OK to add signature variants
+# caused by a commonly used software (personal firewalls, security
+# packages, etc), but it makes no sense to try to add every single
+# possible /proc/sys/net/ipv4 tweak on Linux or so.
+#
+# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
+# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
+# normalize packets. Signatures will not correspond to the originating
+# system (and probably not quite to the firewall either).
+#
+# NOTE: Try to keep this file in some reasonable order, from most to
+# least likely systems. This will speed up operation. Also keep most
+# generic and broad rules near the end.
+#
+
+##########################
+# Standard OS signatures #
+##########################
+
+# ----------------- AIX ---------------------
+
+# AIX is first because its signatures are close to NetBSD, MacOS X and
+# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
+# This is a shoddy hack, though.
+
+16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
+
+16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
+
+# ----------------- Linux -------------------
+
+512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
+16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
+
+# Endian snafu! Nelson says "ha-ha":
+2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
+64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
+
+
+S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
+
+S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
+S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer
+S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6
+S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6
+
+S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5
+S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
+
+S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
+S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
+S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
+
+# Popular cluster config scripts disable timestamps and
+# selective ACK:
+S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
+
+# This needs to be investigated. On some systems, WSS
+# is selected as a multiple of MTU instead of MSS. I got
+# many submissions for this for many late versions of 2.4:
+T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
+
+# This happens only over loopback, but let's make folks happy:
+32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
+S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
+
+# Opera visitors:
+16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
+32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
+
+# Some fairly common mods:
+S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
+S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
+
+
+# ----------------- FreeBSD -----------------
+
+16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
+16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
+16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
+16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
+
+1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
+
+57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
+57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
+
+32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
+32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
+65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
+65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
+65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1
+65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1
+
+# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
+
+# ----------------- NetBSD ------------------
+
+65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
+16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
+16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
+16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
+65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
+
+# ----------------- OpenBSD -----------------
+
+16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
+16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
+16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
+57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
+57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)
+
+65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera)
+
+# ----------------- Solaris -----------------
+
+S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
+S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
+S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
+
+S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
+S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
+S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
+S44:255:1:44:M*: Solaris:2.7::Solaris 7
+
+# ----------------- IRIX --------------------
+
+49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
+61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
+49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
+49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
+
+61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
+49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
+
+# ----------------- Tru64 -------------------
+
+32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0
+32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
+8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
+
+# This looks awfully Linuxish :/
+# S22:64:0:60:M*,S,T,N,W0: Tru64:5.0:a:Tru64 5.0a
+
+61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
+
+
+# ----------------- OpenVMS -----------------
+
+6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
+
+# ----------------- MacOS -------------------
+
+16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
+16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
+32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2
+32768:64:0:60:M*,N,W0,N,N,T: MacOS:X:10.2:MacOS X 10.2
+
+# ----------------- Windows -----------------
+
+# Windows 95 - need more:
+
+8192:32:1:44:M*: Windows:95::Windows 95 (low TTL)
+
+# Windows 98 - plenty of silly signatures:
+S44:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL)
+8192:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL)
+
+%8192:64:1:48:M*,N,N,S: Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL)
+S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
+S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
+S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
+32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
+37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
+46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
+65535:64:1:44:M*: Windows:98:noSACK:Windows 98 (no sack)
+
+S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
+S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
+S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
+T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
+32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
+60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
+60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
+
+# Windows NT 4.0 - need more:
+
+64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
+8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
+6144:128:1:52:M*,W0,N,S,N,N: Windows:NT:4.0:Windows NT 4.0 (RFC1323)
+
+# Windows XP and 2000. Most of the signatures that were
+# either dubious or non-specific (no service pack data)
+# were deleted and replaced with generics at the end.
+
+65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
+%8192:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
+S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
+S6:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows XP SP1, 2000 SP4
+S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3
+
+S6:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1, 2000 SP4
+S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3
+64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
+32767:128:1:48:M1452,N,N,S: Windows:XP:SP1:Windows XP SP1
+65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
+%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
+
+# Odds, ends, mods:
+
+S52:128:1:48:M1260,N,N,S: Windows:XP:Cisco:Windows XP/2000 via Cisco
+S52:128:1:48:M1260,N,N,S: Windows:2000:Cisco:Windows XP/2000 via Cisco
+
+# HUNT DOWN:
+# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT)
+
+# ----------------- HP/UX -------------------
+
+32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
+32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
+32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
+32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
+
+# Whoa. Hardcore WSS.
+0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
+
+
+# ----------------- RiscOS ------------------
+
+# We don't yet support the ?12 TCP option
+#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
+
+# ----------------- BSD/OS ------------------
+
+# Once again, power of two WSS is also shared by MacOS X with DF set
+8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
+8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
+
+
+# ---------------- NewtonOS -----------------
+
+4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
+
+# ---------------- NeXTSTEP -----------------
+
+S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
+
+# ------------------ BeOS -------------------
+
+1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
+12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
+
+# ------------------ OS/400 -----------------
+
+8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
+8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
+4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
+
+
+# ------------------ ULTRIX -----------------
+
+16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
+
+# ------------------- QNX -------------------
+
+S16:64:0:44:M512: QNX:::QNX demodisk
+
+# ------------------ Novell -----------------
+
+16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
+6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
+
+# ----------------- SCO ------------------
+S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
+S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
+S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
+
+# ------------------- DOS -------------------
+
+2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
+
+###########################################
+# Appliance / embedded / other signatures #
+###########################################
+
+# ---------- Firewalls / routers ------------
+
+S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
+S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
+4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
+60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x
+
+# ------- Switches and other stuff ----------
+
+4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
+S8:255:0:44:M*: Cisco:12008::Cisco 12008
+60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
+64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
+
+
+# ---------- Caches and whatnots ------------
+
+S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
+
+32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
+16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
+65535:64:0:64:M1460,N,N,S,N,W3,N,N,T: NetApp:5.3:1:NetApp 5.3.1
+65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
+8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
+
+S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
+
+27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
+
+65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
+S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
+
+
+16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
+
+# ----------- Embedded systems --------------
+
+S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
+S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
+S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
+S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
+2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
+
+S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
+8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?)
+8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?)
+
+
+# Perhaps S4?
+5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
+
+32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
+
+S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
+
+4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
+
+S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
+
+
+
+####################
+# Fancy signatures #
+####################
+
+1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
+2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
+3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
+4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
+
+1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
+2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
+3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
+4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
+
+#####################################
+# Generic signatures - just in case #
+#####################################
+
+#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
+#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
+
+*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
+*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
+*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
+*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
+
+
diff --git a/security/pf/pkg-plist b/security/pf/pkg-plist
index db2d874cbb01..1420ee78cb8f 100644
--- a/security/pf/pkg-plist
+++ b/security/pf/pkg-plist
@@ -9,14 +9,26 @@ modules/pfsync.ko
sbin/pfctl
sbin/pflogd
sbin/pftcpdump
-sbin/pftop
etc/rc.d/pf.sh.sample
etc/pf.conf.default
+etc/pf.os
include/pf/net/pfvar.h
include/pf/net/if_pflog.h
include/pf/net/if_pfsync.h
+%%WITH_ALTQ%%include/pf/altq/altq.h
+%%WITH_ALTQ%%include/pf/altq/altq_cbq.h
+%%WITH_ALTQ%%include/pf/altq/altq_cdnr.h
+%%WITH_ALTQ%%include/pf/altq/altq_classq.h
+%%WITH_ALTQ%%include/pf/altq/altq_hfsc.h
+%%WITH_ALTQ%%include/pf/altq/altq_priq.h
+%%WITH_ALTQ%%include/pf/altq/altq_red.h
+%%WITH_ALTQ%%include/pf/altq/altq_rio.h
+%%WITH_ALTQ%%include/pf/altq/altq_rmclass.h
+%%WITH_ALTQ%%include/pf/altq/altq_rmclass_debug.h
+%%WITH_ALTQ%%include/pf/altq/altq_var.h
+%%WITH_ALTQ%%include/pf/altq/if_altq.h
@dirrm modules
@dirrm include/pf/net