From bb9fd9ec1f3357f06897f843f3ad624810634069 Mon Sep 17 00:00:00 2001
From: claudio
Date: Tue, 1 Sep 2009 13:46:14 +0000
Subject: Bring ftp-proxy in sync with the massive pf change just commited by Henning.
This changes the way the rdr/nat rules are added to pf. Now only a single anchor is needed (the other ones do no longer exist). To convert your ruleset you need something like this at the start of your ruleset:
# filter rules and anchors for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
This was tested by myself, sthen@, dlg@ and I think many more. OK by the same people plus henning.
---
usr.sbin/ftp-proxy/ftp-proxy.c | 36 ++++++++----------------------------
1 file changed, 8 insertions(+), 28 deletions(-)
(limited to 'usr.sbin/ftp-proxy/ftp-proxy.c')
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.c b/usr.sbin/ftp-proxy/ftp-proxy.c
index 131991a4bb8..fe772c59188 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.c
+++ b/usr.sbin/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.20 2009/09/01 13:46:14 claudio Exp $ */
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, 
@@ -971,26 +971,16 @@ allow_data_connection(struct session *s)
 proxy_reply(s->cmd, orig_sa, s->proxy_port);
 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
- /* rdr from $client to $orig_server port $proxy_port -> $server port $port */
+ /* pass in from $client to $orig_server port $proxy_port rdr-to $server port $port */
 if (add_rdr(s->id, client_sa, orig_sa, s->proxy_port, server_sa, s->port) == -1)
 goto fail;
- /* nat from $client to $server port $port -> $proxy */
+ /* pass out from $client to $server port $port nat-to $proxy */
 if (add_nat(s->id, client_sa, server_sa, s->port, proxy_sa, PF_NAT_PROXY_PORT_LOW, PF_NAT_PROXY_PORT_HIGH) == -1)
 goto fail;
-
- /* pass in from $client to $server port $port */
- if (add_filter(s->id, PF_IN, client_sa, server_sa,
- s->port) == -1)
- goto fail;
-
- /* pass out from $proxy to $server port $port */
- if (add_filter(s->id, PF_OUT, proxy_sa, server_sa,
- s->port) == -1)
- goto fail;
 }
 /* Active modes. */
@@ -1002,14 +992,14 @@ allow_data_connection(struct session *s)
 goto fail;
 prepared = 1;
- /* rdr from $server to $proxy port $proxy_port -> $client port $port */
+ /* pass in from $server to $proxy port $proxy_port rdr-to $client port $port */
 if (add_rdr(s->id, server_sa, proxy_sa, s->proxy_port, client_sa, s->port) == -1)
 goto fail;
- /* nat from $server to $client port $port -> $orig_server port $natport */
+ /* pass out from $server to $client port $port nat-to $orig_server port $natport */
 if (rfc_mode && s->cmd == CMD_PORT) {
 /* Rewrite sourceport to RFC mandated 20. */
 if (add_nat(s->id, server_sa, client_sa, s->port, 
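Review bot: After this hunk the passive-mode data connection is passed only by whatever rules add_rdr() and add_nat() now emit, so whether that traffic is still confined to the $client/$server/$port tuple the removed add_filter() calls spelled out depends entirely on filter.c, which this diff does not include; the same removal happens for the active modes in the -1022,16 hunk. The rewritten comments say "pass in … rdr-to" and "pass out … nat-to", but the helper names still read as pure translation, so a reader of this function can no longer see that a filter rule is being installed. I would add one comment above the first add_rdr() call, e.g. `/* add_rdr()/add_nat() now emit pass rules that carry the translation, so no separate add_filter() rules are installed (see filter.c) */`. It is worth confirming that those helpers keep the pass rule scoped to the session's addresses and ports rather than opening the data port more widely than the explicit rules did. allow_data_connection() begins and ends outside this hunk.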
@@ -1022,16 +1012,6 @@ allow_data_connection(struct session *s)
 PF_NAT_PROXY_PORT_HIGH) == -1)
 goto fail;
 }
-
- /* pass in from $server to $client port $port */
- if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) ==
- -1)
- goto fail;
-
- /* pass out from $orig_server to $client port $port */
- if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) ==
- -1)
- goto fail;
 }
 /* Commit rules if they were prepared. */
-- cgit v1.2.3-59-g8ed1b