authormikeb <mikeb@openbsd.org>2011-04-28 00:17:28 +0000
committermikeb <mikeb@openbsd.org>2011-04-28 00:17:28 +0000
commit48ed0d113ab6191e50b1830ff930afcccf8457e6 (patch)
treea4f6f55a30712c65fabe94350fa4d9392610e323 /usr.sbin/ftp-proxy
parentFix a few off-by-1 errors in atascsi. (diff)
switch ftp-proxy over to divert-to instead of rdr-to. this avoids
an expensive state lookup (via natlook ioctl) and shrinks the code. tested by me and sthen, ok reyk sthen
Diffstat (limited to 'usr.sbin/ftp-proxy')
-rw-r--r--usr.sbin/ftp-proxy/filter.c82
-rw-r--r--usr.sbin/ftp-proxy/filter.h4
-rw-r--r--usr.sbin/ftp-proxy/ftp-proxy.88
-rw-r--r--usr.sbin/ftp-proxy/ftp-proxy.c16
4 files changed, 15 insertions, 95 deletions
diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c
index 84d69a3ca2d..c6a7a4d5726 100644
--- a/usr.sbin/ftp-proxy/filter.c
+++ b/usr.sbin/ftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.14 2011/03/25 14:51:31 claudio Exp $ */
+/* $OpenBSD: filter.c,v 1.15 2011/04/28 00:17:28 mikeb Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -42,10 +42,6 @@
int add_addr(struct sockaddr *, struct pf_pool *);
int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *,
u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
- struct sockaddr_in *, int *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
- struct sockaddr_in6 *, int *);
static struct pfioc_rule pfr;
static struct pfioc_trans pft;
@@ -255,79 +251,3 @@ prepare_rule(u_int32_t id, struct sockaddr *src,
return (0);
}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
- struct sockaddr *server, int *cdomain)
-{
- if (client->sa_family == AF_INET)
- return (server_lookup4(satosin(client), satosin(proxy),
- satosin(server), cdomain));
-
- if (client->sa_family == AF_INET6)
- return (server_lookup6(satosin6(client), satosin6(proxy),
- satosin6(server), cdomain));
-
- errno = EPROTONOSUPPORT;
- return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
- struct sockaddr_in *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(&pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
- memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
- pnl.sport = client->sin_port;
- pnl.dport = proxy->sin_port;
-
- if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in));
- server->sin_len = sizeof(struct sockaddr_in);
- server->sin_family = AF_INET;
- memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
- sizeof server->sin_addr.s_addr);
- server->sin_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
-
- return (0);
-}
-
-int
-server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
- struct sockaddr_in6 *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(&pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET6;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof pnl.saddr.v6);
- memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6);
- pnl.sport = client->sin6_port;
- pnl.dport = proxy->sin6_port;
-
- if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in6));
- server->sin6_len = sizeof(struct sockaddr_in6);
- server->sin6_family = AF_INET6;
- memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6,
- sizeof server->sin6_addr);
- server->sin6_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
-
- return (0);
-}
diff --git a/usr.sbin/ftp-proxy/filter.h b/usr.sbin/ftp-proxy/filter.h
index 0b40a0b4cbf..410d3eb871f 100644
--- a/usr.sbin/ftp-proxy/filter.h
+++ b/usr.sbin/ftp-proxy/filter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.h,v 1.6 2011/03/25 14:51:31 claudio Exp $ */
+/* $OpenBSD: filter.h,v 1.7 2011/04/28 00:17:28 mikeb Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -26,5 +26,3 @@ int do_commit(void);
int do_rollback(void);
void init_filter(char *, char *, int);
int prepare_commit(u_int32_t);
-int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *,
- int *);
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.8 b/usr.sbin/ftp-proxy/ftp-proxy.8
index 7a1fbc3de26..6a6f2b7bd56 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.8
+++ b/usr.sbin/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.14 2009/11/21 13:59:31 claudio Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.15 2011/04/28 00:17:28 mikeb Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 21 2009 $
+.Dd $Mdocdate: April 28 2011 $
.Dt FTP-PROXY 8
.Os
.Sh NAME
@@ -40,7 +40,7 @@
is a proxy for the Internet File Transfer Protocol.
FTP control connections should be redirected into the proxy using the
.Xr pf 4
-.Ar rdr-to
+.Ar divert-to
command, after which the proxy connects to the server on behalf of
the client.
.Pp
@@ -169,7 +169,7 @@ needs the following rules.
Adjust the rules as needed.
.Bd -literal -offset 2n
anchor "ftp-proxy/*"
-pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
.Ed
.Sh SEE ALSO
.Xr ftp 1 ,
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.c b/usr.sbin/ftp-proxy/ftp-proxy.c
index 0b8fbede6ab..2a56df3406e 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.c
+++ b/usr.sbin/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.21 2011/03/25 14:51:31 claudio Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.22 2011/04/28 00:17:28 mikeb Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -374,7 +374,7 @@ handle_connection(const int listen_fd, short event, void *ev)
{
struct sockaddr_storage tmp_ss;
struct sockaddr *client_sa, *server_sa, *fixed_server_sa;
- struct sockaddr *client_to_proxy_sa, *proxy_to_server_sa;
+ struct sockaddr *proxy_to_server_sa;
struct session *s;
socklen_t len;
int client_fd, fc, on;
@@ -411,7 +411,6 @@ handle_connection(const int listen_fd, short event, void *ev)
/* Cast it once, and be done with it. */
client_sa = sstosa(&s->client_ss);
server_sa = sstosa(&s->server_ss);
- client_to_proxy_sa = sstosa(&tmp_ss);
proxy_to_server_sa = sstosa(&s->proxy_ss);
fixed_server_sa = sstosa(&fixed_server_ss);
@@ -423,14 +422,17 @@ handle_connection(const int listen_fd, short event, void *ev)
* Find out the real server and port that the client wanted.
*/
len = sizeof(struct sockaddr_storage);
- if ((getsockname(s->client_fd, client_to_proxy_sa, &len)) < 0) {
+ if (getsockname(s->client_fd, server_sa, &len) < 0) {
logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
strerror(errno));
goto fail;
}
- if (server_lookup(client_sa, client_to_proxy_sa, server_sa,
- &s->client_rd) != 0) {
- logmsg(LOG_CRIT, "#%d server lookup failed (no rdr?)", s->id);
+ len = sizeof(s->client_rd);
+ if (client_sa->sa_family == AF_INET &&
+ getsockopt(s->client_fd, IPPROTO_IP, SO_RTABLE, &s->client_rd,
+ &len)) {
+ logmsg(LOG_CRIT, "#%d getsockopt failed: %s", s->id,
+ strerror(errno));
goto fail;
}
if (fixed_server) {
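Review bot: The routing domain is only fetched for AF_INET clients in the added getsockopt() block, so for an AF_INET6 client `s->client_rd` keeps whatever value it held before this point, whereas the removed server_lookup6() filled it from `pnl.rrdomain` for both families. Unless the session is zero-allocated and rdomain 0 is acceptable for every IPv6 client, a default such as `s->client_rd = getrtable();` placed before the AF_INET branch (or an equivalent query for AF_INET6) would keep behaviour consistent across families. A second consequence of dropping server_lookup() is that the old "no rdr?" sanity check is gone: a connection that reaches the listener without being diverted now yields the listener's own address from getsockname() as server_sa, so the proxy would presumably connect back to itself unless fixed_server is set or the pf rules prevent direct access to the listen port; comparing server_sa against the bound listen address and failing the session on a match would restore that guard. handle_connection() begins and continues outside the hunk.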