path: root/usr.sbin/ftp-proxy
Commit message | Author | Age | Files | Lines
* Standardize argument naming for "sourceaddr" and unify the wording a bit, | schwarze | 2020-02-12 | 2 | -7/+8
  similar to what deraadt@ recently did in other manual pages.
* When system calls indicate an error they return -1, not some arbitrary | deraadt | 2019-06-28 | 1 | -7/+7
  value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* fix typo; from semarie | deraadt | 2017-01-15 | 1 | -3/+3
* Exit early from rdaemon() if the passed fd is invalid. | jca | 2016-09-26 | 1 | -1/+8
  fd == -1 check suggested by deraadt@, ok florian@
* Go in the background later, using rdaemon(). | jca | 2016-09-15 | 1 | -8/+39
  rdaemon() works like daemon(3) but requires its caller to pre-open /dev/null. This makes it possible to go in the background after a chroot(2), allowing for more error checking. The pattern is basically
  - open /dev/null
  - chroot
  - privdrop
  - rdaemon
  "design" initially discussed with semarie@ a while ago, ok dlg@
* Exit early with an error if the "_ftp_proxy" user does not exist. This prevents | ajacoutot | 2016-02-12 | 1 | -1/+4
  rc.d waiting up to 30 secs when starting ftp-proxy right after updating from 5.8 because at that point sysmerge(8) would not have had a chance to run yet and the unpriv user would not exist.
  issue reported by sthen@
  ok sthen@ benno@ jca@
* no need for af on divert-to rule; from/ok mikeb | jmc | 2016-01-04 | 1 | -3/+3
* commiting -> committing | mmcc | 2015-12-22 | 1 | -2/+2
* Make the NOPRIV_USER match that is actually intended to be used for | sebastia | 2015-12-04 | 1 | -2/+2
  that. Problem introduced since tftp-proxy and ftp-proxy have separate nonpriv users.
  OK deraadt@
* switch to new _ftp_proxy user; ok dlg | deraadt | 2015-12-01 | 2 | -5/+5
* Include <netinet/in.h> before <net/pfvar.h>. In a future change when | deraadt | 2015-01-21 | 2 | -6/+6
  ports is ready, <net/pfvar.h> will stop including a pile of baloney.
* Document that ftp-proxy breaks explicit RFC4217 FTP TLS. While here, | stsp | 2015-01-09 | 1 | -3/+7
  chroot and privdrop is a feature, not a bug, so move it out of CAVEATS.
  ok sthen
* Replace all queue *_END macro calls except CIRCLEQ_END with NULL. | doug | 2014-09-13 | 1 | -2/+2
  CIRCLEQ_* is deprecated and not called in the tree. The other queue types have *_END macros which were added for symmetry with CIRCLEQ_END. They are defined as NULL. There's no reason to keep the other *_END macro calls.
  ok millert@
* camield requested backout of rev 1.26, and indeed ftp-proxy does not | benno | 2013-03-15 | 1 | -45/+3
  need it.
* handle ECONNABORTED errors from accept(). In many code blocks they can be | deraadt | 2013-03-11 | 1 | -2/+4
  ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
  ok's from various maintainers of these directories...
* reserve a filedescriptor on accept() for subsequent connect() call, as | benno | 2013-03-10 | 1 | -3/+45
  done in relayd.
  ok sthen, deraadt
* prio 0 is valid, therefore, I chose an "impossible" value for prio meaning | henning | 2012-09-18 | 1 | -2/+1
  "not set" and used a PF_PRIO_NOTSET define for it. now that means that everything that creates a struct pf_rule doesn't get away with bzero'ing it, which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead, make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio should be set.
  ok benno claudio mikeb
* rename prio in struct pf_rule and related structs to set_prio so it is | henning | 2012-07-07 | 1 | -2/+2
  utterly clear this is not a filter criteria but a packet modification thing. also preparation for upcoming changes, including one to unscrew this mess (I should not have to touch half the tree for this - ifixitlater)
  not user visible, ok gcc
* log all, not log-all; ok henning | jmc | 2012-06-25 | 1 | -3/+3
* Check for nat_range_high before creating the PF nat rule. | haesbaert | 2012-04-30 | 1 | -2/+2
  From Lawrence Teo.
  ok camield, myself, mikeb.
* Rate-limit accepting of new connections while we are experiencing | camield | 2012-04-05 | 1 | -6/+25
  fd exhaustion.
  ok deraadt mikeb
* catch up with "on rdomain" changes; ok claudio | mikeb | 2012-03-06 | 1 | -3/+4
* In preparation for getline and getdelim additions to libc, rename getline() | fgsch | 2012-03-04 | 1 | -5/+5
  occurrences to get_line(). Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.
* fix whitespace | sthen | 2011-06-22 | 1 | -5/+5
* Convert SO_RTABLE's protocol level to the SOL_SOCKET; ok claudio | mikeb | 2011-06-21 | 1 | -4/+3
* tweak previous; | jmc | 2011-05-16 | 1 | -4/+4
* Make it clear that ftp-proxy needs to make outbound connections. | mcbride | 2011-05-12 | 1 | -3/+6
  ok claudio
* divert-to is picky about the address family so adjust the rule | mikeb | 2011-04-28 | 1 | -2/+2
* switch ftp-proxy over to divert-to instead of rdr-to. this avoids | mikeb | 2011-04-28 | 4 | -95/+15
  an expensive state lookup (via natlook ioctl) and shrinks the code.
  tested by me and sthen, ok reyk sthen
* Use the rdomain information returned by DIOCNATLOOK to install the | claudio | 2011-03-25 | 3 | -30/+42
  nat-to and rdr-to rules with correct rtable rule attributes. This allows to use ftp-proxy to proxy across rdomains.
  Tested and OK phessler@, OK henning@
* pfr.rule.*.addr.type must be initialized to PF_ADDR_NONE for things that | claudio | 2010-01-13 | 1 | -1/+4
  are not used. bzero() of the rule structure is not enough.
  Find with dlg@, OK mcbride@
* First pass at removing the 'pf_pool' mechanism for translation and routing | mcbride | 2010-01-12 | 1 | -18/+10
  actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule.
  ok henning dlg claudio
* Move from the PF_RULESET_FILTER world order to PF_TRANS_RULESET | deraadt | 2009-11-22 | 1 | -6/+6
  due to the standard henning+oga commit-and-run-for-beer problem.
  ok claudio
* If tagging is used use match rules instead of pass rules. This is needed | claudio | 2009-11-21 | 2 | -5/+11
  so that later pass rules will not overwrite the nat-to/rdr-to settings. Because of this there must be an explicit "pass .. tagged proxytag .." rule after the ftp-proxy anchor.
  OK henning@
* rdr -> rdr-to | jmc | 2009-09-07 | 1 | -4/+4
  from Karl-Heinz Wild
* Bring manpage up to speed with the changes that just happened or at least | claudio | 2009-09-01 | 1 | -23/+14
  try to.
* Bring ftp-proxy in sync with the massive pf change just committed by Henning. | claudio | 2009-09-01 | 3 | -145/+57
  This changes the way the rdr/nat rules are added to pf. Now only a single anchor is needed (the other ones do no longer exist). To convert your ruleset you need something like this at the start of your ruleset:
      # filter rules and anchors for ftp-proxy(8)
      anchor "ftp-proxy/*"
      pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
  This was tested by myself, sthen@, dlg@ and I think many more.
  OK by the same people plus henning.
* Better error messages. Include the function causing the problem and do not | claudio | 2008-06-13 | 2 | -9/+6
  include the program name in logmsg() plus exit_daemon() does not return so make it a void function.
  OK mpf@
* Flush output buffers before closing TCP session. Fixes the case where | joel | 2008-04-22 | 1 | -1/+7
  the proxy would eat the 221 response coming from the server towards the client.
  Patch from camield@.
  Tested by Camiel and myself.
  ok camield@
* Use arc4random_buf() when requesting more than a single word of output | djm | 2008-04-13 | 1 | -3/+3
  Use arc4random_uniform() when the desired random number upper bound is not a power of two
  ok deraadt@ millert@
* Don't pass quick when tagging, so the tag can be used outside | henning | 2008-02-26 | 3 | -15/+29
  the ftp-proxy anchor. Exotic setups with route-to etc. can be implemented this way.
  from camield, ok reyk beck canacar and manpage polished by jmc
* Some servers / proxies out there like to open the data connection | camield | 2007-08-15 | 1 | -11/+34
  immediately after the client sends the PORT command. The "normal" behaviour is to wait for the client to actually request a transfer. Make ftp-proxy add the active mode rules immediately too, so that both scenarios work.
  ok david pyr
  Tested by Frank Denis, Stephan A. Rickauer, Ingo Schwarze, Stuart Henderson. Thanks.
* - -T before -t | jmc | 2007-08-01 | 1 | -6/+8
  - use .Bk/.Ek
* allow ftp-proxy to add tag statements to the rules it inserts | henning | 2007-08-01 | 4 | -12/+26
  clever, nice and easy diff from bsd@openbsd.rutgers.edu, ok pyr reyk
* convert to new .Dd format; | jmc | 2007-05-31 | 1 | -2/+2
* Remove stub write callback functions now that libevent allows them to be NULL. | camield | 2006-12-30 | 1 | -19/+5
* Convert three instances of atoi() to strtonum() and apply sane upper bounds. | camield | 2006-12-30 | 2 | -13/+16
  Triggered by Rik/harry Bobbaers on bugs@.
  ok mbalmer@ ray@
* Ignore sigpipe as libevent does not handle that for us. Confirmed by | camield | 2006-12-12 | 1 | -1/+2
  provos. Fixes race condition where ftp-proxy would silently exit if a write was attempted on a socket that was closed by an RST. Should fix PR 5260.
  ok claudio@
* forgot to update the comment as well | camield | 2006-12-01 | 1 | -2/+2
* use flags S/SA for consistency with the rest of pf | camield | 2006-12-01 | 1 | -2/+2