authorclaudio <claudio@openbsd.org>2009-09-01 13:46:14 +0000
committerclaudio <claudio@openbsd.org>2009-09-01 13:46:14 +0000
commitbb9fd9ec1f3357f06897f843f3ad624810634069 (patch)
tree4e7530335aed6b2f85d6e7d4b355c16e4207878a /usr.sbin/ftp-proxy/ftp-proxy.c
parentadapt to new pf, ok henning@ (diff)
Bring ftp-proxy in sync with the massive pf change just committed by Henning.
This changes the way the rdr/nat rules are added to pf. Now only a single anchor is needed (the other ones do no longer exist). To convert your ruleset you need something like this at the start of your ruleset: # filter rules and anchors for ftp-proxy(8) anchor "ftp-proxy/*" pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 This was tested by myself, sthen@, dlg@ and I think many more. OK by the same people plus henning.
Diffstat (limited to 'usr.sbin/ftp-proxy/ftp-proxy.c')
-rw-r--r--usr.sbin/ftp-proxy/ftp-proxy.c36
1 files changed, 8 insertions, 28 deletions
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.c b/usr.sbin/ftp-proxy/ftp-proxy.c
index 131991a4bb8..fe772c59188 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.c
+++ b/usr.sbin/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.20 2009/09/01 13:46:14 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -971,26 +971,16 @@ allow_data_connection(struct session *s)
proxy_reply(s->cmd, orig_sa, s->proxy_port);
logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
- /* rdr from $client to $orig_server port $proxy_port -> $server
- port $port */
+ /* pass in from $client to $orig_server port $proxy_port
+ rdr-to $server port $port */
if (add_rdr(s->id, client_sa, orig_sa, s->proxy_port,
server_sa, s->port) == -1)
goto fail;
- /* nat from $client to $server port $port -> $proxy */
+ /* pass out from $client to $server port $port nat-to $proxy */
if (add_nat(s->id, client_sa, server_sa, s->port, proxy_sa,
PF_NAT_PROXY_PORT_LOW, PF_NAT_PROXY_PORT_HIGH) == -1)
goto fail;
-
- /* pass in from $client to $server port $port */
- if (add_filter(s->id, PF_IN, client_sa, server_sa,
- s->port) == -1)
- goto fail;
-
- /* pass out from $proxy to $server port $port */
- if (add_filter(s->id, PF_OUT, proxy_sa, server_sa,
- s->port) == -1)
- goto fail;
}
/* Active modes. */
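Review bot: The rewritten comments on the add_rdr() and add_nat() calls now read `pass in … rdr-to` and `pass out … nat-to`, but both helpers are invoked with unchanged arguments and their bodies are not part of this diff, so the hunk itself does not show that they now install pass rules carrying the per-session filtering decision that the removed add_filter() calls used to make. If they only translate, the data connection in this passive branch and in the active branch of the two following hunks is redirected but no longer restricted to the session's client/server/port tuple, which would be a silent loosening rather than a no-op cleanup. I would state the new contract once at the top of the block, e.g. `/* add_rdr()/add_nat() install pass rules that both translate and permit the data connection; no separate filter rule is needed — confirm against the rule construction in the helpers */`, so the next reader does not re-add the filter calls or drop the pass semantics. allow_data_connection() begins and ends outside this hunk.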
@@ -1002,14 +992,14 @@ allow_data_connection(struct session *s)
goto fail;
prepared = 1;
- /* rdr from $server to $proxy port $proxy_port -> $client port
- $port */
+ /* pass in from $server to $proxy port $proxy_port
+ rdr-to $client port $port */
if (add_rdr(s->id, server_sa, proxy_sa, s->proxy_port,
client_sa, s->port) == -1)
goto fail;
- /* nat from $server to $client port $port -> $orig_server port
- $natport */
+ /* pass out from $server to $client port $port
+ nat-to $orig_server port $natport */
if (rfc_mode && s->cmd == CMD_PORT) {
/* Rewrite sourceport to RFC mandated 20. */
if (add_nat(s->id, server_sa, client_sa, s->port,
@@ -1022,16 +1012,6 @@ allow_data_connection(struct session *s)
PF_NAT_PROXY_PORT_HIGH) == -1)
goto fail;
}
-
- /* pass in from $server to $client port $port */
- if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) ==
- -1)
- goto fail;
-
- /* pass out from $orig_server to $client port $port */
- if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) ==
- -1)
- goto fail;
}
/* Commit rules if they were prepared. */