@@ -112,6 +112,7 @@ openvpn_SOURCES = \

 	otime.c otime.h \

 	packet_id.c packet_id.h \

 	perf.c perf.h \

+	pf.c pf.h \

 	ping.c ping.h ping-inline.h \

 	plugin.c plugin.h \

 	pool.c pool.h \

@@ -424,6 +424,15 @@ string_null_terminate (char *str, int len, int capacity)

 void

 chomp (char *str)

 {

+  rm_trailing_chars (str, "\r\n");

+}

+

+/*

+ * Remove trailing chars

+ */

+void

+rm_trailing_chars (char *str, const char *what_to_delete)

+{

   bool modified;

   do {

     const int len = strlen (str);

@@ -431,7 +440,7 @@ chomp (char *str)

     if (len > 0)

       {

 	char *cp = str + (len - 1);

-	if (*cp == '\n' || *cp == '\r')

+	if (strchr (what_to_delete, *cp) != NULL)

 	  {

 	    *cp = '\0';

 	    modified = true;

@@ -137,6 +137,13 @@ buf_reset (struct buffer *buf)

   buf->data = NULL;

 }

+static inline void

+buf_reset_len (struct buffer *buf)

+{

+  buf->len = 0;

+  buf->offset = 0;

+}

+

 static inline bool

 buf_init_dowork (struct buffer *buf, int offset)

 {

@@ -224,6 +231,7 @@ void buf_rmtail (struct buffer *buf, uint8_t remove);

  * non-buffer string functions

  */

 void chomp (char *str);

+void rm_trailing_chars (char *str, const char *what_to_delete);

 const char *skip_leading_whitespace (const char *str);

 void string_null_terminate (char *str, int len, int capacity);

@@ -520,7 +520,7 @@ dnl Checking for a working epoll

 AC_CHECKING([for working epoll implementation])

 OLDLDFLAGS="$LDFLAGS"

 LDFLAGS="$LDFLAGS -Wl,--fatal-warnings"

-AC_CHECK_FUNCS(epoll_create, AC_DEFINE([HAVE_EPOLL_CREATE], 1, []))

+AC_CHECK_FUNC(epoll_create, AC_DEFINE(HAVE_EPOLL_CREATE, 1, [epoll_create function is defined]))

 LDFLAGS="$OLDLDFLAGS"

 dnl

@@ -609,6 +609,24 @@ if test "${WIN32}" != "yes"; then

 fi

 dnl

+dnl Check if LoadLibrary exists on Windows

+dnl

+if test "${WIN32}" == "yes"; then

+   if test "$PLUGINS" = "yes"; then

+	AC_TRY_LINK([

+	    #include <windows.h>

+	  ], [

+	    LoadLibrary (NULL);

+	  ], [

+	    AC_MSG_RESULT([LoadLibrary DEFINED])

+	    AC_DEFINE(USE_LOAD_LIBRARY, 1, [Use LoadLibrary to load DLLs on Windows])

+	  ], [

+	    AC_MSG_RESULT([LoadLibrary UNDEFINED])

+	  ])

+   fi

+fi

+

+dnl

 dnl check for LZO library

 dnl

@@ -11,6 +11,9 @@

 # and openvpnserv.exe) you can use the

 # provided autoconf/automake build environment.

 #

+# If you are building from an expanded .tar.gz file,

+# make sure to run "./doclean" before "./domake-win".

+#

 # See top-level build configuration and settings in:

 #

 #   version.m4

@@ -94,6 +94,7 @@

 #define D_ROUTE_QUOTA        LOGLEV(3, 43, 0)        /* show route quota exceeded messages */

 #define D_OSBUF              LOGLEV(3, 44, 0)        /* show socket/tun/tap buffer sizes */

 #define D_PS_PROXY           LOGLEV(3, 45, 0)        /* messages related to --port-share option */

+#define D_PF                 LOGLEV(3, 46, 0)        /* messages related to packet filter */

 #define D_SHOW_PARMS         LOGLEV(4, 50, 0)        /* show all parameters on program initiation */

 #define D_SHOW_OCC           LOGLEV(4, 51, 0)        /* show options compatibility string */

@@ -492,6 +492,10 @@ process_coarse_timers (struct context *c)

   check_push_request (c);

 #endif

+#ifdef ENABLE_PF

+  pf_check_reload (c);

+#endif

+

   /* process --route options */

   check_add_routes (c);

@@ -2737,6 +2737,11 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int

     init_port_share (c);

 #endif

+#ifdef ENABLE_PF

+  if (child)

+    pf_init_context (c);

+#endif

+

   /* Check for signals */

   if (IS_SIG (c))

     goto sig;

@@ -2787,6 +2792,10 @@ close_instance (struct context *c)

 	/* close TUN/TAP device */

 	do_close_tun (c, false);

+#ifdef ENABLE_PF

+	pf_destroy_context (&c->c2.pf);

+#endif

+

 #ifdef ENABLE_PLUGIN

 	/* call plugin close functions and unload */

 	do_close_plugins (c);

@@ -25,8 +25,32 @@

 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in

 dist_noinst_DATA = \

+	GetWindowsVersion.nsi \

+	build-pkcs11-helper.sh \

+	buildinstaller \

+	buildopensslpath.bat \

+	ddk-common \

+	doclean \

+	dosname.pl \

+	getgui \

+	getopenssl \

+	getpkcs11helper \

+	getprebuilt \

+	getxgui \

+	ifdef.pl \

+	m4todef.pl \

+	macro.pl \

+	makeopenvpn \

+	maketap \

+	maketapinstall \

+	maketext \

+	openssl.patch \

 	openvpn.nsi \

-	setpath.nsi

+	setpath.nsi \

+	settings.in \

+	trans.pl \

+	u2d.c \

+	winconfig

 if WIN32

@@ -33,6 +33,7 @@

 struct hash *

 hash_init (const int n_buckets,

+	   const uint32_t iv,

 	   uint32_t (*hash_function)(const void *key, uint32_t iv),

 	   bool (*compare_function)(const void *key1, const void *key2))

 {

@@ -45,7 +46,7 @@ hash_init (const int n_buckets,

   h->mask = h->n_buckets - 1;

   h->hash_function = hash_function;

   h->compare_function = compare_function;

-  h->iv = get_random ();

+  h->iv = iv;

   ALLOC_ARRAY (h->buckets, struct hash_bucket, h->n_buckets);

   for (i = 0; i < h->n_buckets; ++i)

     {

@@ -398,8 +399,8 @@ list_test (void)

   {

     struct gc_arena gc = gc_new ();

-    struct hash *hash = hash_init (10000, word_hash_function, word_compare_function);

-    struct hash *nhash = hash_init (256, word_hash_function, word_compare_function);

+    struct hash *hash = hash_init (10000, get_random (), word_hash_function, word_compare_function);

+    struct hash *nhash = hash_init (256, get_random (), word_hash_function, word_compare_function);

     printf ("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, hash->mask);

@@ -57,7 +57,7 @@ struct hash_element

 struct hash_bucket

 {

   MUTEX_DEFINE (mutex);

-  struct hash_element * volatile list;

+  struct hash_element *list;

 };

 struct hash

@@ -72,6 +72,7 @@ struct hash

 };

 struct hash *hash_init (const int n_buckets,

+			const uint32_t iv,

 			uint32_t (*hash_function)(const void *key, uint32_t iv),

 			bool (*compare_function)(const void *key1, const void *key2));

@@ -163,5 +163,14 @@ mroute_extract_in_addr_t (struct mroute_addr *dest, const in_addr_t src)

   *(in_addr_t*)dest->addr = htonl (src);

 }

+static inline in_addr_t

+in_addr_t_from_mroute_addr (const struct mroute_addr *addr)

+{

+  if (addr->type == MR_ADDR_IPV4 && addr->netbits == 0 && addr->len == 4)

+    return ntohl(*(in_addr_t*)addr->addr);

+  else

+    return 0;

+}

+

 #endif /* P2MP_SERVER */

 #endif /* MROUTE_H */

@@ -229,6 +229,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa

    * which is seen on the TCP/UDP socket.

    */

   m->hash = hash_init (t->options.real_hash_size,

+		       get_random (),

 		       mroute_addr_hash_function,

 		       mroute_addr_compare_function);

@@ -237,6 +238,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa

    * which client to route a packet to. 

    */

   m->vhash = hash_init (t->options.virtual_hash_size,

+			get_random (),

 			mroute_addr_hash_function,

 			mroute_addr_compare_function);

@@ -246,6 +248,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa

    * for fast iteration through the list.

    */

   m->iter = hash_init (1,

+		       get_random (),

 		       mroute_addr_hash_function,

 		       mroute_addr_compare_function);

@@ -1818,12 +1821,29 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins

 		      /* if dest addr is a known client, route to it */

 		      if (mi)

 			{

-			  multi_unicast (m, &c->c2.to_tun, mi);

-			  register_activity (c, BLEN(&c->c2.to_tun));

+#ifdef ENABLE_PF

+			  if (!pf_c2c_test (c, &mi->context))

+			    {

+			      msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",

+				   np (mi->msg_prefix));

+			    }

+			  else

+#endif

+			    {

+			      multi_unicast (m, &c->c2.to_tun, mi);

+			      register_activity (c, BLEN(&c->c2.to_tun));

+			    }

 			  c->c2.to_tun.len = 0;

 			}

 		    }

 		}

+#ifdef ENABLE_PF

+	      else if (!pf_addr_test (c, &dest))

+		{

+		  msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",

+		       mroute_addr_print (&dest, &gc));

+		}

+#endif

 	    }

 	  else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)

 	    {

@@ -1936,17 +1956,28 @@ multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flag

 		  set_prefix (m->pending);

-		  if (multi_output_queue_ready (m, m->pending))

+#ifdef ENABLE_PF

+		  if (!pf_addr_test (c, &src))

 		    {

-		      /* transfer packet pointer from top-level context buffer to instance */

-		      c->c2.buf = m->top.c2.buf;

+		      msg (D_PF, "PF: [%s] -> client packet dropped by packet filter",

+			   mroute_addr_print (&src, &gc));

+		      buf_reset_len (&c->c2.buf);

 		    }

 		  else

-		    {

-		      /* drop packet */

-		      msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");

-		      buf_clear (&c->c2.buf);

-		    }

+#endif

+		  {

+		    if (multi_output_queue_ready (m, m->pending))

+		      {

+			/* transfer packet pointer from top-level context buffer to instance */

+			c->c2.buf = m->top.c2.buf;

+		      }

+		    else

+		      {

+			/* drop packet */

+			msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");

+			buf_reset_len (&c->c2.buf);

+		      }

+		  }

 		  /* encrypt in instance context */

 		  process_incoming_tun (c);

@@ -41,13 +41,13 @@

  * New Client Connection:

  *

  * FUNC: openvpn_plugin_client_constructor_v1

- * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_VERIFY (called once for every cert

+ * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert

  *                                                     in the server chain)

- * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_TLS_VERIFY

+ * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY

  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL

  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_IPCHANGE

  *

- * [If OPENVPN_PLUGIN_AUTH_USER_PASS_TLS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,

+ * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,

  * we don't proceed until authentication is verified via auth_control_file]

  *

  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_CONNECT_V2

@@ -57,12 +57,14 @@

  *

  * For each "TLS soft reset", according to reneg-sec option (or similar):

  *

- * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_VERIFY (called once for every cert

+ * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF

+ *

+ * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert

  *                                                     in the server chain)

- * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_TLS_VERIFY

+ * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY

  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL

  * 

- * [If OPENVPN_PLUGIN_AUTH_USER_PASS_TLS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,

+ * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,

  * we expect that authentication is verified via auth_control_file within

  * the number of seconds defined by the "hand-window" option.  Data channel traffic

  * will continue to flow uninterrupted during this period.]

@@ -94,7 +96,8 @@

 #define OPENVPN_PLUGIN_LEARN_ADDRESS         8

 #define OPENVPN_PLUGIN_CLIENT_CONNECT_V2     9

 #define OPENVPN_PLUGIN_TLS_FINAL             10

-#define OPENVPN_PLUGIN_N                     11

+#define OPENVPN_PLUGIN_ENABLE_PF             11

+#define OPENVPN_PLUGIN_N                     12

 /*

  * Build a mask out of a set of plug-in types.

@@ -270,16 +273,52 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op

  * first char of auth_control_file:

  * '0' -- indicates auth failure

  * '1' -- indicates auth success

- * '2' -- indicates that the client should be immediately killed

- *

- * The auth_control file will be polled for the life of the key state

- * it is associated with, and any change in the file will

- * impact the client's current authentication state.

  *

  * OpenVPN will delete the auth_control_file after it goes out of scope.

  *

+ * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success

+ * for a particular client instance, packet filtering will be enabled for that

+ * instance.  OpenVPN will then attempt to read the packet filter configuration

+ * from the temporary file named by the environmental variable pf_file.  This

+ * file may be generated asynchronously and may be dynamically updated during the

+ * client session, however the client will be blocked from sending or receiving

+ * VPN tunnel packets until the packet filter file has been generated.  OpenVPN

+ * will periodically test the packet filter file over the life of the client

+ * instance and reload when modified.  OpenVPN will delete the packet filter file

+ * when the client instance goes out of scope.

+ *

+ * Packet filter file grammar:

+ *

+ * [CLIENTS DROP|ACCEPT]

+ * {+|-}common_name1

+ * {+|-}common_name2

+ * . . .

+ * [SUBNETS DROP|ACCEPT]

+ * {+|-}subnet1

+ * {+|-}subnet2

+ * . . .

+ * [END]

+ *

+ * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS

+ *

+ * CLIENTS refers to the set of clients (by their common-name) which

+ * this instance is allowed ('+') to connect to, or is excluded ('-')

+ * from connecting to.  Note that in the case of client-to-client

+ * connections, such communication must be allowed by the packet filter

+ * configuration files of both clients.

+ *

+ * SUBNETS refers to IP addresses or IP address subnets which this

+ * instance may connect to ('+') or is excluded ('-') from connecting

+ * to.

+ *

+ * DROP or ACCEPT defines default policy when there is no explicit match

+ * for a common-name or subnet.  The [END] tag must exist.  A special

+ * purpose tag called [KILL] will immediately kill the client instance.

+ * A given client or subnet rule applies to both incoming and outgoing

+ * packets.

+ *

  * See plugin/defer/simple.c for an example on using asynchronous

- * authentication.

+ * authentication and client-specific packet filtering.

  */

 OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2)

      (openvpn_plugin_handle_t handle,

@@ -46,6 +46,7 @@

 #include "pool.h"

 #include "plugin.h"

 #include "manage.h"

+#include "pf.h"

 /*

  * Our global key schedules, packaged thusly

@@ -430,7 +431,11 @@ struct context_2

   const char *pulled_options_string;

   struct event_timeout scheduled_exit;

+#endif

+  /* packet filter */

+#ifdef ENABLE_PF

+  struct pf_context pf;

 #endif

 };

@@ -4023,15 +4023,15 @@ add_option (struct options *options,

 	}

       options->routes->flags |= RG_ENABLE;

     }

-  else if (streq (p[0], "setenv") && p[1] && p[2])

+  else if (streq (p[0], "setenv") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

-      setenv_str (es, p[1], p[2]);

+      setenv_str (es, p[1], p[2] ? p[2] : "");

     }

-  else if (streq (p[0], "setenv-safe") && p[1] && p[2])

+  else if (streq (p[0], "setenv-safe") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_SETENV);

-      setenv_str_safe (es, p[1], p[2]);

+      setenv_str_safe (es, p[1], p[2] ? p[2] : "");

     }

   else if (streq (p[0], "mssfix"))

     {

@@ -209,12 +209,12 @@ packet_id_test (const struct packet_id_rec *p,

     {

       /*

        * In non-backtrack mode, all sequence number series must

-       * begin at 1 and must increment linearly without gaps.

+       * begin at some number n > 0 and must increment linearly without gaps.

        *

        * This mode is used with TCP.

        */

       if (pin->time == p->time)

-	return pin->id == p->id + 1;

+	return !p->id || pin->id == p->id + 1;

       else if (pin->time < p->time) /* if time goes back, reject */

 	return false;

       else                          /* time moved forward */

new file mode 100644

@@ -0,0 +1,627 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/* packet filter functions */

+

+#include "syshead.h"

+

+#if defined(ENABLE_PF)

+

+#include "init.h"

+

+#include "memdbg.h"

+

+static void

+pf_destroy (struct pf_set *pfs)

+{

+  if (pfs)

+    {

+      if (pfs->cns.hash_table)

+	hash_free (pfs->cns.hash_table);

+

+      {

+	struct pf_cn_elem *l = pfs->cns.list;

+	while (l)

+	  {

+	    struct pf_cn_elem *next = l->next;

+	    free (l->rule.cn);

+	    free (l);

+	    l = next;

+	  }

+      }

+      {

+	struct pf_subnet *l = pfs->sns.list;

+	while (l)

+	  {

+	    struct pf_subnet *next = l->next;

+	    free (l);

+	    l = next;

+	  }

+      }

+      free (pfs);

+    }

+}

+

+static bool

+add_client (const char *line, const char *fn, const int line_num, struct pf_cn_elem ***next, const bool exclude)

+{

+  struct pf_cn_elem *e;

+  ALLOC_OBJ_CLEAR (e, struct pf_cn_elem);

+  e->rule.exclude = exclude;

+  e->rule.cn = string_alloc (line, NULL);

+  **next = e;

+  *next = &e->next;

+  return true;

+}

+

+static bool

+add_subnet (const char *line, const char *fn, const int line_num, struct pf_subnet ***next, const bool exclude)

+{

+  struct in_addr network;

+  in_addr_t netmask = 0;

+  int netbits = 32;

+  char *div = strchr (line, '/');

+

+  if (div)

+    {

+      *div++ = '\0';

+      if (sscanf (div, "%d", &netbits) != 1)

+	{

+	  msg (D_PF, "PF: %s/%d: bad '/n' subnet specifier: '%s'", fn, line_num, div);

+	  return false;

+	}

+      if (netbits < 0 || netbits > 32)

+	{

+	  msg (D_PF, "PF: %s/%d: bad '/n' subnet specifier: must be between 0 and 32: '%s'", fn, line_num, div);

+	  return false;

+	}

+    }

+

+  if (openvpn_inet_aton (line, &network) != OIA_IP)

+    {

+      msg (D_PF, "PF: %s/%d: bad network address: '%s'", fn, line_num, line);

+      return false;

+    }

+  netmask = netbits_to_netmask (netbits);

+

+  {

+    struct pf_subnet *e;

+    ALLOC_OBJ_CLEAR (e, struct pf_subnet);

+    e->rule.exclude = exclude;

+    e->rule.network = ntohl (network.s_addr);

+    e->rule.netmask = netmask;

+    **next = e;

+    *next = &e->next;

+    return true;

+  }

+}

+

+static uint32_t

+cn_hash_function (const void *key, uint32_t iv)

+{

+  return hash_func ((uint8_t *)key, strlen ((char *)key) + 1, iv);

+}

+

+static bool

+cn_compare_function (const void *key1, const void *key2)

+{

+  return !strcmp((const char *)key1, (const char *)key2);

+}

+

+static bool

+genhash (struct pf_cn_set *cns, const char *fn, const int n_clients)

+{

+  struct pf_cn_elem *e;

+  bool status = true;

+  int n_buckets = n_clients;

+

+  if (n_buckets < 16)

+    n_buckets = 16;

+  cns->hash_table = hash_init (n_buckets, 0, cn_hash_function, cn_compare_function);

+  for (e = cns->list; e != NULL; e = e->next)

+    {

+      if (!hash_add (cns->hash_table, e->rule.cn, &e->rule, false))

+	{

+	  msg (D_PF, "PF: %s: duplicate common name in [clients] section: '%s'", fn, e->rule.cn);

+	  status = false;

+	}

+    }

+  

+  return status;

+}

+

+static struct pf_set *

+pf_init (const char *fn)

+{

+# define MODE_UNDEF   0

+# define MODE_CLIENTS 1

+# define MODE_SUBNETS 2

+  int mode = MODE_UNDEF;

+  int line_num = 0;

+  int n_clients = 0;

+  int n_subnets = 0;

+  int n_errors = 0;

+  struct pf_set *pfs = NULL;

+  char line[256];

+

+  ALLOC_OBJ_CLEAR (pfs, struct pf_set);

+  FILE *fp = fopen (fn, "r");

+  if (fp)

+    {

+      struct pf_cn_elem **cl = &pfs->cns.list;

+      struct pf_subnet **sl = &pfs->sns.list;

+

+      while (fgets (line, sizeof (line), fp) != NULL)

+	{

+	  ++line_num;

+	  rm_trailing_chars (line, "\r\n\t ");

+	  if (line[0] == '\0' || line[0] == '#')

+	    ;

+	  else if (line[0] == '+' || line[0] == '-')

+	    {

+	      bool exclude = (line[0] == '-');

+

+	      if (line[1] =='\0')

+		{

+		  msg (D_PF, "PF: %s/%d: no data after +/-: '%s'", fn, line_num, line);

+		  ++n_errors;

+		}

+	      else if (mode == MODE_CLIENTS)

+		{

+		  if (add_client (&line[1], fn, line_num, &cl, exclude))

+		    ++n_clients;

+		  else

+		    ++n_errors;

+		}

+	      else if (mode == MODE_SUBNETS)

+		{

+		  if (add_subnet (&line[1], fn, line_num, &sl, exclude))

+		    ++n_subnets;

+		  else

+		    ++n_errors;

+		}

+	      else if (mode == MODE_UNDEF)

+		;

+	      else

+		{

+		  ASSERT (0);

+		}

+	    }

+	  else if (line[0] == '[')

+	    {

+	      if (!strcasecmp (line, "[clients accept]"))

+		{

+		  mode = MODE_CLIENTS;

+		  pfs->cns.default_allow = true;

+		}

+	      else if (!strcasecmp (line, "[clients drop]"))

+		{

+		  mode = MODE_CLIENTS;

+		  pfs->cns.default_allow = false;

+		}

+	      else if (!strcasecmp (line, "[subnets accept]"))

+		{

+		  mode = MODE_SUBNETS;

+		  pfs->sns.default_allow = true;

+		}

+	      else if (!strcasecmp (line, "[subnets drop]"))

+		{

+		  mode = MODE_SUBNETS;

+		  pfs->sns.default_allow = false;

+		}

+	      else if (!strcasecmp (line, "[end]"))

+		goto done;

+	      else if (!strcasecmp (line, "[kill]"))

+		goto kill;

+	      else

+		{

+		  mode = MODE_UNDEF;

+		  msg (D_PF, "PF: %s/%d unknown tag: '%s'", fn, line_num, line);

+		  ++n_errors;

+		}

+	    }

+	  else

+	    {

+	      msg (D_PF, "PF: %s/%d line must begin with '+', '-', or '[' : '%s'", fn, line_num, line);

+	      ++n_errors;

+	    }

+	}

+      ++n_errors;

+      msg (D_PF, "PF: %s: missing [end]", fn);

+    }

+  else

+    {

+      msg (D_PF|M_ERRNO, "PF: %s: cannot open", fn);

+      ++n_errors;

+    }

+

+ done:

+  if (fp)

+    {

+      fclose (fp);

+      if (!n_errors)

+	{

+	  if (!genhash (&pfs->cns, fn, n_clients))

+	    ++n_errors;

+	}

+      if (n_errors)

+	msg (D_PF, "PF: %s rejected due to %d error(s)", fn, n_errors);

+    }

+  if (n_errors)

+    {

+      pf_destroy (pfs);

+      pfs = NULL;

+    }

+  return pfs;

+  

+ kill:

+  if (fp)

+    fclose (fp);

+  pf_destroy (pfs);

+  ALLOC_OBJ_CLEAR (pfs, struct pf_set);

+  pfs->kill = true;

+  return pfs;

+}

+

+#if PF_DEBUG >= 1

+

+static const char *

+drop_accept (const bool accept)

+{

+  return accept ? "ACCEPT" : "DROP"; 

+}

+

+#endif

+

+#if PF_DEBUG >= 2

+

+static void

+pf_cn_test_print (const char *prefix,

+		  const char *cn,

+		  const bool allow,

+		  const struct pf_cn *rule)

+{

+  if (rule)

+    {

+      msg (D_PF, "PF: %s %s %s rule=[%s %s]",

+	   prefix, cn, drop_accept (allow),

+	   rule->cn, drop_accept (!rule->exclude));

+    }

+  else

+    {

+      msg (D_PF, "PF: %s %s %s",

+	   prefix, cn, drop_accept (allow));

+    }

+}

+

+static void

+pf_addr_test_print (const char *prefix,

+		    const struct context *src,

+		    const struct mroute_addr *dest,

+		    const bool allow,

+		    const struct ipv4_subnet *rule)

+{

+  struct gc_arena gc = gc_new ();

+  if (rule)

+    {

+      msg (D_PF, "PF: %s %s %s %s rule=[%s/%s %s]",

+	   prefix,

+	   tls_common_name (src->c2.tls_multi, false),

+	   mroute_addr_print (dest, &gc),

+	   drop_accept (allow),

+	   print_in_addr_t (rule->network, 0, &gc),

+	   print_in_addr_t (rule->netmask, 0, &gc),

+	   drop_accept (!rule->exclude));

+    }

+  else

+    {

+      msg (D_PF, "PF: %s %s %s %s",

+	   prefix,

+	   tls_common_name (src->c2.tls_multi, false),

+	   mroute_addr_print (dest, &gc),

+	   drop_accept (allow));

+    }

+  gc_free (&gc);

+}

+

+#endif

+

+static inline struct pf_cn *

+lookup_cn_rule (struct hash *h, const char *cn, const uint32_t cn_hash)

+{

+  struct hash_element *he = hash_lookup_fast (h, hash_bucket (h, cn_hash), cn, cn_hash);

+  if (he)

+    return (struct pf_cn *) he->value;

+  else

+    return NULL;

+}

+

+static inline bool

+cn_test (struct pf_set *pfs, const struct tls_multi *tm)

+{

+  if (!pfs->kill)

+    {

+      const char *cn;

+      uint32_t cn_hash;

+      if (tls_common_name_hash (tm, &cn, &cn_hash))

+	{