| | |
|---|---|
| author | 2009-11-21 13:59:31 +0000 |
| committer | 2009-11-21 13:59:31 +0000 |
| commit | 14f90764bc3d22fe953e99419f9fafa8acc8cdf0 |
| tree | ed3dee698dfcb9306d56b94b8f4c402c7ddd21a1 /usr.sbin/ftp-proxy |
| parent | User triggerable KASSERT()s and NULL dereferences in netbt setsockopt()s, |
| download | wireguard-openbsd-14f90764bc3d22fe953e99419f9fafa8acc8cdf0.tar.xz wireguard-openbsd-14f90764bc3d22fe953e99419f9fafa8acc8cdf0.zip |
If tagging is used, use match rules instead of pass rules. This is needed
so that later pass rules will not overwrite the nat-to/rdr-to settings.
Because of this there must be an explicit "pass .. tagged proxytag .."
rule after the ftp-proxy anchor. OK henning@
Diffstat (limited to 'usr.sbin/ftp-proxy')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | usr.sbin/ftp-proxy/filter.c | 7 |
| -rw-r--r-- | usr.sbin/ftp-proxy/ftp-proxy.8 | 9 |

2 files changed, 11 insertions, 5 deletions
diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c index 6a771c28639..c1d81dc1d35 100644 --- a/usr.sbin/ftp-proxy/filter.c +++ b/usr.sbin/ftp-proxy/filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.c,v 1.9 2009/09/01 13:46:14 claudio Exp $ */ +/* $OpenBSD: filter.c,v 1.10 2009/11/21 13:59:31 claudio Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> @@ -236,7 +236,10 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, * from $src to $dst port = $d_port flags S/SA keep state * (max 1) [queue qname] [tag tagname] */ - pfr.rule.action = PF_PASS; + if (tagname != NULL) + pfr.rule.action = PF_MATCH; + else + pfr.rule.action = PF_PASS; pfr.rule.quick = 1; pfr.rule.log = rule_log; pfr.rule.keep_state = 1; diff --git a/usr.sbin/ftp-proxy/ftp-proxy.8 b/usr.sbin/ftp-proxy/ftp-proxy.8 index 973c0420c99..7a1fbc3de26 100644 --- a/usr.sbin/ftp-proxy/ftp-proxy.8 +++ b/usr.sbin/ftp-proxy/ftp-proxy.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.13 2009/09/07 09:41:02 jmc Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.14 2009/11/21 13:59:31 claudio Exp $ .\" .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 7 2009 $ +.Dd $Mdocdate: November 21 2009 $ .Dt FTP-PROXY 8 .Os .Sh NAME @@ -136,7 +136,7 @@ on this RFC property. .It Fl T Ar tag The filter rules will add tag .Ar tag -to data connections, and not match quick. +to data connections, and will use match rules instead of pass ones. This way alternative rules that use the .Ar tagged keyword can be implemented following the 
@@ -147,6 +147,9 @@ These rules can use special features like route-to, reply-to, label, rtable, overload, etc. that .Nm does not implement itself. +There must be a matching pass rule after the +.Nm +anchor or the data connections will be blocked. .It Fl t Ar timeout Number of seconds that the control connection can be idle, before the proxy will disconnect. |
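Review bot: in the prepare_rule() hunk of filter.c, `pfr.rule.quick = 1;` is still set unconditionally right after the new `if (tagname != NULL) pfr.rule.action = PF_MATCH;` branch, so a tagged rule now becomes a match rule that also carries quick; the -T text this same commit removes from ftp-proxy.8 promised that tagged rules would "not match quick", so either clear quick in the PF_MATCH branch or confirm that pf ignores quick on match rules, and extend the rule-template comment above the assignment (`... flags S/SA keep state (max 1) [queue qname] [tag tagname]`) to say that the tagged variant is emitted as a match rule rather than a pass rule.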
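Review bot: the sentence added in the ftp-proxy.8 hunk at -147 ("There must be a matching pass rule after the .Nm anchor or the data connections will be blocked") tells the administrator that a rule is required but not what it has to look like; the commit message gives the shape (`pass .. tagged proxytag ..`), so add that rule, using the tag name given to -T, to this paragraph so that an existing -T configuration upgraded to this version does not silently start blocking data connections.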