Update to 6.9

Doxyfile

@@ -1,11 +1,11 @@
-# Doxyfile 1.8.20
+# Doxyfile 1.9.1
 
 #---------------------------------------------------------------------------
 # Project related configuration options
 #---------------------------------------------------------------------------
 DOXYFILE_ENCODING      = UTF-8
 PROJECT_NAME           = "PF Rule Editor"
-PROJECT_NUMBER         = 6.8
+PROJECT_NUMBER         = 6.9
 PROJECT_BRIEF          =
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = ./docs
@@ -15,9 +15,9 @@ OUTPUT_LANGUAGE        = English
 OUTPUT_TEXT_DIRECTION  = None
 BRIEF_MEMBER_DESC      = YES
 REPEAT_BRIEF           = YES
-ABBREVIATE_BRIEF       = "The $name class " \
-                         "The $name widget " \
-                         "The $name file " \
+ABBREVIATE_BRIEF       = "The $name class" \
+                         "The $name widget" \
+                         "The $name file" \
                          is \
                          provides \
                          specifies \
@@ -73,6 +73,7 @@ EXTRACT_STATIC         = NO
 EXTRACT_LOCAL_CLASSES  = YES
 EXTRACT_LOCAL_METHODS  = NO
 EXTRACT_ANON_NSPACES   = NO
+RESOLVE_UNNAMED_PARAMS = YES
 HIDE_UNDOC_MEMBERS     = NO
 HIDE_UNDOC_CLASSES     = NO
 HIDE_FRIEND_COMPOUNDS  = NO
@@ -154,7 +155,6 @@ VERBATIM_HEADERS       = YES
 # Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 ALPHABETICAL_INDEX     = YES
-COLS_IN_ALPHA_INDEX    = 5
 IGNORE_PREFIX          =
 #---------------------------------------------------------------------------
 # Configuration options related to the HTML output
@@ -318,6 +318,8 @@ COLLABORATION_GRAPH    = YES
 GROUP_GRAPHS           = YES
 UML_LOOK               = NO
 UML_LIMIT_NUM_FIELDS   = 10
+DOT_UML_DETAILS        = NO
+DOT_WRAP_THRESHOLD     = 17
 TEMPLATE_RELATIONS     = NO
 INCLUDE_GRAPH          = YES
 INCLUDED_BY_GRAPH      = YES

README.md

@@ -17,7 +17,7 @@ Using PFRE, you can develop rules from scratch or modify existing ones:
 
 A couple of notes about the requirements, design decisions, and implementation of PFRE:
 
-- PFRE does not provide any wizards nor tries to simplify rule development by hiding details. On the contrary, it enables the user by providing as much relevant detail as possible.
+- PFRE does not provide any wizards nor even try to simplify rule development by hiding details. On the contrary, it enables the user by providing as much relevant detail as possible.
 - PFRE aims to generate text ruleset output as close to what a system administrator would produce as possible:
 	+ PFRE tries to be true to the original rule file loaded: PFRE does not insert any extra lines into its output, such as PFRE specific marks or rule generation dates (you cannot tell if its output is generated by PFRE or not).
 	+ You can insert blank lines between rules: Blank lines are of a separate rule type.
@@ -50,8 +50,8 @@ A couple of notes about the requirements, design decisions, and implementation o
 
 Here are the basic steps to obtain a working PFRE installation:
 
-- Install OpenBSD 6.8, perhaps on a VM.
-- Install PHP 7.4.10, php-pcntl, and php-cgi.
+- Install OpenBSD 6.9, perhaps on a VM.
+- Install PHP 8.0.3, php-pcntl, and php-cgi.
 - Copy the files in PFRE src folder to /var/www/htdocs/pfre/.
 - Configure httpd.conf for PFRE.
 - Create admin and user users, and set their passwords.
@@ -66,7 +66,7 @@ The OpenBSD installation guide is at [faq4](http://www.openbsd.org/faq/faq4.html
 
 Here are a couple of guidelines:
 
-- You can download install68.iso available at OpenBSD mirrors.
+- You can download install69.iso available at OpenBSD mirrors.
 - It may be easier to install a PFRE test system on a VM of your choice, e.g. VMware or VirtualBox, rather than bare hardware.
 - 512MB RAM and 8GB HD should be more than enough.
 - If you want to obtain a packet filtering firewall, make sure the VM has at least 2 ethernet interfaces:
@@ -91,18 +91,18 @@ Set the $PKG\_PATH env variable to the cache folder you have just created:
 Download the required packages from an OpenBSD mirror and copy them to $PKG\_PATH. The following is the list of files you should have under $PKG\_PATH:
 
 	argon2-20190702.tgz
-	bzip2-1.0.8.tgz
+	bzip2-1.0.8p0.tgz
 	femail-1.0p1.tgz
 	femail-chroot-1.0p3.tgz
-	gettext-runtime-0.21.tgz
+	gettext-runtime-0.21p1.tgz
 	libiconv-1.16p0.tgz
 	libsodium-1.0.18p1.tgz
 	libxml-2.9.10p2.tgz
-	oniguruma-6.9.5pl1p0.tgz
-	pcre2-10.35.tgz
-	php-7.4.10.tgz
-	php-cgi-7.4.10.tgz
-	php-pcntl-7.4.10.tgz
+	oniguruma-6.9.6.tgz
+	pcre2-10.36.tgz
+	php-8.0.3.tgz
+	php-cgi-8.0.3.tgz
+	php-pcntl-8.0.3.tgz
 	xz-5.2.5.tgz
 
 Install PHP, php-pcntl, and php-cgi by running the following commands, which should install their dependencies as well:
@@ -118,18 +118,18 @@ If you want to see if all required packages are installed successfully, run the
 Here is the expected output of that command:
 
 	argon2-20190702     C implementation of Argon2 - password hashing function
-	bzip2-1.0.8         block-sorting file compressor, unencumbered
+	bzip2-1.0.8p0       block-sorting file compressor, unencumbered
 	femail-1.0p1        simple SMTP client
 	femail-chroot-1.0p3 simple SMTP client for chrooted web servers
-	gettext-runtime-0.21 GNU gettext runtime libraries and programs
+	gettext-runtime-0.21p1 GNU gettext runtime libraries and programs
 	libiconv-1.16p0     character set conversion library
 	libsodium-1.0.18p1  library for network communications and cryptography
 	libxml-2.9.10p2     XML parsing library
-	oniguruma-6.9.5pl1p0 regular expressions library
-	pcre2-10.35         perl-compatible regular expression library, version 2
-	php-7.4.10          server-side HTML-embedded scripting language
-	php-cgi-7.4.10      php CGI binary
-	php-pcntl-7.4.10    PCNTL extensions for php
+	oniguruma-6.9.6     regular expressions library
+	pcre2-10.36         perl-compatible regular expression library, version 2
+	php-8.0.3           server-side HTML-embedded scripting language
+	php-cgi-8.0.3       php CGI binary
+	php-pcntl-8.0.3     PCNTL extensions for php
 	xz-5.2.5            LZMA compression and decompression tools
 
 ### Install PFRE
@@ -208,15 +208,22 @@ However, you are advised to pick a better password than soner123.
 Go to /usr/local/bin/ and create a link to php executable:
 
 	# cd /usr/local/bin
-	# ln -s php-7.4 php
+	# ln -s php-8.0 php
 
-Edit the /etc/php-7.4.ini file to disable NOTICE messages, otherwise they may disturb pfctl test reports:
+Edit the /etc/php-8.0.ini file to disable NOTICE messages and write error messages to syslog, otherwise they may disturb pfctl test reports:
 
 	error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT & ~E_NOTICE
+	ignore_repeated_errors = On
+	ignore_repeated_source = On
+	error_log = syslog
 
-To enable pcntl, go to /etc/php-7.4/ and create the pcntl.ini file:
+Also, edit the /etc/php-fpm.conf file to write error messages to syslog:
 
-	# cd /etc/php-7.4/
+	error_log = syslog
+
+To enable pcntl, go to /etc/php-8.0/ and create the pcntl.ini file:
+
+	# cd /etc/php-8.0/
 	# touch pcntl.ini
 
 And add the following line to pcntl.ini:
@@ -255,9 +262,9 @@ If you want the web server to be started automatically after a reboot, first cop
 
 Then add the following lines to it:
 
-	if [ -x /usr/local/sbin/php-fpm-7.4 ]; then
+	if [ -x /usr/local/sbin/php-fpm-8.0 ]; then
 		echo 'PHP CGI server'
-		/usr/local/sbin/php-fpm-7.4
+		/usr/local/sbin/php-fpm-8.0
 	fi
 
 Create the rc.conf.local file under /etc/
@@ -282,7 +289,7 @@ And uncomment the line which enables forwarding of IPv4 packets:
 
 Now you can either reboot the system or start the php cgi server and the web server manually using the following commands:
 
-	# /usr/local/sbin/php-fpm-7.4
+	# /usr/local/sbin/php-fpm-8.0
 	# /usr/sbin/httpd 
 
 Finally, if you point your web browser to the IP address of PFRE, you should see the login page. And you should be able to log in by entering admin:soner123 as user and password.

src/Controller/sh.php

@@ -22,19 +22,19 @@
 /** @file
  * Login shell for users.
  *
- * We set login shells of admin and user users to sh.php.
+ * We set the login shells of admin and user users to sh.php.
  *
- * Using a shell script to pass args to Controller commands would expand
- * those args, hence might cause security issues.
+ * Using a shell script to pass args to the Controller commands would expand
+ * those args, hence could cause security issues.
  *
- * Now instead we make sure args are never expanded and users cannot drop to a
- * command shell:
+ * Now instead we make sure the args are never expanded and the users cannot
+ * drop to a command shell:
  * - use sh.php as login shell
- * - pass all args to it as an ssh command (-c option) without any shell
- *   expansion
+ * - pass all args to it as an ssh command (the -c option of phpseclib channel
+ *   exec), without any shell expansion
  * - validate all args within sh.php
- * - convert them to a string enclosed between single quotes (so no expansion
- *   again)
+ * - convert them to a string enclosed between single quotes, so no expansion
+ *   again
  * - exec ctlr.php passing the args string to it
  *
  * @todo Continually check for security issues.

src/View/lib/libauth.php

@@ -73,7 +73,8 @@ function wui_syslog($prio, $file, $func, $line, $msg)
 		openlog('wui', LOG_PID, LOG_LOCAL0);
 
 		if ($prio <= $LOG_LEVEL) {
-			$useratip= $_SESSION['USER'].'@'.filter_input(INPUT_SERVER, 'REMOTE_ADDR');
+			$user= array_key_exists('USER', $_SESSION) ? $_SESSION['USER'] : 'NA';
+			$useratip= $user.'@'.filter_input(INPUT_SERVER, 'REMOTE_ADDR');
 			$func= $func == '' ? 'NA' : $func;
 			$log= "$LOG_PRIOS[$prio] $useratip $file: $func ($line): $msg";
 			if (!syslog($prio, $log)) {

src/View/locale/tr_TR/LC_MESSAGES/pfre.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/locale/tr_TR/LC_MESSAGES/pfre__.po

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"

src/View/pf/pf.conf.html

@@ -815,11 +815,12 @@
 
 <a name="route-to"></a>
      <span class="bold">route-to</span>  The <span class="bold">route-to</span> option routes the packet to the specified
-               interface with an optional address for the next hop.  When a
-               <span class="bold">route-to</span> rule creates state, only packets that pass in the same
-               direction as the filter rule specifies will be routed in this
-               way.  Packets passing in the opposite direction (replies) are
-               not affected and are routed normally.
+               destination address instead of the destination address in the
+               packet header.  When a <span class="bold">route-to</span> rule creates state, only
+               packets that pass in the same direction as the filter rule
+               specifies will be routed in this way.  Packets passing in the
+               opposite direction (replies) are not affected and are routed
+               normally.
 
      For the <span class="bold">dup-to</span>, <span class="bold">reply-to</span>, and <span class="bold">route-to</span> route options for which there is a
      single redirection address which has a subnet mask smaller than 32 for
@@ -1591,6 +1592,7 @@
      <span class="bold">modulate</span> <span class="bold">state</span>.
 
      Rules with <span class="bold">synproxy</span> <span class="bold">state</span> will not work if pf(4) operates on a bridge(4).
+     Also they act on incoming SYN packets only.
 
      Example:
 
@@ -2187,8 +2189,7 @@
      interface-list = [ "!" ] ( interface-name | interface-group )
                       [ [ "," ] interface-list ]
      route          = ( "route-to" | "reply-to" | "dup-to" )
-                      ( routehost | "{" routehost-list "}" )
-                      [ pooltype ]
+                      ( redirhost | "{" redirhost-list "}" )
      af             = "inet" | "inet6"
 
      protospec      = "proto" ( proto-name | proto-number |
@@ -2207,14 +2208,11 @@
                       address [ "/" mask-bits ] [ "weight" number ] |
                       "&lt;" string "&gt;" )
      redirhost      = address [ "/" mask-bits ]
-     routehost      = host | host "@" interface-name |
-                      "(" interface-name [ address [ "/" mask-bits ] ] ")"
      address        = ( interface-name | interface-group |
                       "(" ( interface-name | interface-group ) ")" |
                       hostname | ipv4-dotted-quad | ipv6-coloned-hex )
      host-list      = host [ [ "," ] host-list ]
      redirhost-list = redirhost [ [ "," ] redirhost-list ]
-     routehost-list = routehost [ [ "," ] routehost-list ]
 
      port           = "port" ( unary-op | binary-op | "{" op-list "}" )
      portspec       = "port" ( number | name ) [ ":" ( "*" | number | name ) ]
@@ -2286,7 +2284,7 @@
 <span class="bold">HISTORY</span>
      The <span class="bold">pf.conf</span> file format first appeared in OpenBSD 3.0.
 
-OpenBSD 6.8                    February 10, 2020                   OpenBSD 6.8
+OpenBSD 6.9                    February 1, 2021                    OpenBSD 6.9
 </pre>
 </body>
 </html>

src/create_po.sh

@@ -81,7 +81,7 @@ if ! xgettext -L "PHP" -s \
 		--copyright-holder="Soner Tari, The PFRE project" \
 		--msgid-bugs-address="[email protected]" \
 		--package-name="PFRE" \
-		--package-version="6.8" \
+		--package-version="6.9" \
 		-j -o $LOCALE_FILE \
 		-f files.txt; then
 	echo "FAILED generating $LOCALE_FILE"

src/lib/defs.php

@@ -23,7 +23,7 @@
  */
 
 /// Project version.
-define('VERSION', '6.8');
+define('VERSION', '6.9');
 
 $ROOT= dirname(dirname(dirname(__FILE__)));
 $SRC_ROOT= dirname(dirname(__FILE__));