
(-)ftp-proxy.c (-5 / +14 lines)
Lines 116-122 Link Here
116
116
117
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
117
struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
118
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
118
char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
119
    *qname;
119
    *qname, *tname;
120
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
120
int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
121
    rfc_mode, session_count, timeout, verbose;
121
    rfc_mode, session_count, timeout, verbose;
122
extern char *__progname;
122
extern char *__progname;
Lines 601-606 Link Here
601
	loglevel	= LOG_NOTICE;
601
	loglevel	= LOG_NOTICE;
602
	max_sessions	= 100;
602
	max_sessions	= 100;
603
	qname		= NULL;
603
	qname		= NULL;
604
	tname           = NULL;
604
	rfc_mode	= 0;
605
	rfc_mode	= 0;
605
	timeout		= 24 * 3600;
606
	timeout		= 24 * 3600;
606
	verbose		= 0;
607
	verbose		= 0;
Lines 609-615 Link Here
609
	id_count	= 1;
610
	id_count	= 1;
610
	session_count	= 0;
611
	session_count	= 0;
611
612
612
	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
613
	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:T:v")) != -1) {
613
		switch (ch) {
614
		switch (ch) {
614
		case '6':
615
		case '6':
615
			ipv6_mode = 1;
616
			ipv6_mode = 1;
Lines 647-654 Link Here
647
			if (strlen(optarg) >= PF_QNAME_SIZE)
648
			if (strlen(optarg) >= PF_QNAME_SIZE)
648
				errx(1, "queuename too long");
649
				errx(1, "queuename too long");
649
			qname = optarg;
650
			qname = optarg;
651
			tname = NULL;
650
			break;
652
			break;
651
		case 'R':
653
		case 'R':
652
			fixed_server = optarg;
654
			fixed_server = optarg;
653
			break;
655
			break;
654
		case 'r':
656
		case 'r':
Lines 659-664 Link Here
659
			if (errstr)
661
			if (errstr)
660
				errx(1, "timeout %s", errstr);
662
				errx(1, "timeout %s", errstr);
661
			break;
663
			break;
664
		case 'T':
665
			if (strlen(optarg) >= PF_TAG_NAME_SIZE)
666
				errx(1, "tagname too long");
667
			tname = optarg;
668
			qname = NULL;
669
			break;
662
		case 'v':
670
		case 'v':
663
			verbose++;
671
			verbose++;
664
			if (verbose > 2)
672
			if (verbose > 2)
Lines 734-740 Link Here
734
	freeaddrinfo(res);
742
	freeaddrinfo(res);
735
743
736
	/* Initialize pf. */
744
	/* Initialize pf. */
737
	init_filter(qname, verbose);
745
	init_filter_q(qname, verbose);
746
	init_filter_t(tname, verbose);
738
747
739
	if (daemonize) {
748
	if (daemonize) {
740
		if (daemon(0, 0) == -1)
749
		if (daemon(0, 0) == -1)
Lines 1102-1107 Link Here
1102
{
1111
{
1103
	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
1112
	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
1104
	    " [-D level] [-m maxsessions]\n                 [-P port]"
1113
	    " [-D level] [-m maxsessions]\n                 [-P port]"
1105
	    " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
1114
	    " [-p port] [-q queue] [-R address] [-t timeout] [-T tag]\n", __progname);
1106
	exit(1);
1115
	exit(1);
1107
}
1116
}
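Review bot: main now calls `init_filter_q(qname, verbose)` and `init_filter_t(tname, verbose)` back to back at new lines 745-746, although after option parsing at most one of qname/tname is non-NULL (the 'q' case clears tname, the 'T' case clears qname). If init_filter_q still opens /dev/pf and runs DIOCGETSTATUS the way init_filter_t does in filter.c, the second call overwrites filter.c's static `dev`, leaks the first descriptor and repeats the pf status check. Keeping one entry point that records both names and opens the device once, `init_filter(qname, tname, verbose);`, keeps the call site to a single line; failing that, call only the initializer whose argument is non-NULL. Separately, `tname           = NULL;` at new line 604 is aligned with spaces where the neighbouring initializers use tabs. The body of main starts and ends outside these hunks.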
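--- a/filter.c
+++ b/filter.c
@@ -54,6 +54,7 @@
 static struct pfioc_trans_e	pfte[TRANS_SIZE];
 static int dev, rule_log;
 static char *qname;
+static char *tname;
 
 int
 add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
@@ -159,7 +160,7 @@
 }
 
 void
-init_filter(char *opt_qname, int opt_verbose)
+init_filter_q(char *opt_qname, int opt_verbose)
 {
 	struct pf_status status;
 
@@ -179,6 +180,28 @@
 		errx(1, "pf is disabled");
 }
 
+void
+init_filter_t(char *opt_tname, int opt_verbose)
+{
+	struct pf_status status;
+
+	tname = opt_tname;
+
+	if (opt_verbose == 1)
+		rule_log = PF_LOG;
+	else if (opt_verbose == 2)
+		rule_log = PF_LOG_ALL;
+    
+	dev = open("/dev/pf", O_RDWR);
+	if (dev == -1)
+		err(1, "/dev/pf");
+	if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
+		err(1, "DIOCGETSTATUS");
+	if (!status.running)
+		errx(1, "pf is disabled");
+}
+
+
 int
 prepare_commit(u_int32_t id)
 {
@@ -279,20 +302,29 @@
 
 	switch (rs_num) {
 	case PF_RULESET_FILTER:
-		/*
-		 * pass quick [log] inet[6] proto tcp \
-		 *     from $src to $dst port = $d_port flags S/SA keep state
-		 *     (max 1) [queue qname]
-		 */
-		pfr.rule.action = PF_PASS;
-		pfr.rule.quick = 1;
-		pfr.rule.log = rule_log;
-		pfr.rule.keep_state = 1;
-		pfr.rule.flags = TH_SYN;
-		pfr.rule.flagset = (TH_SYN|TH_ACK);
-		pfr.rule.max_states = 1;
-		if (qname != NULL)
-			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+
+		/*
+		 * pass quick [log] inet[6] proto tcp \
+		 *     from $src to $dst port = $d_port flags S/SA keep state
+		 *     (max 1) [queue qname]
+		 */
+
+		pfr.rule.action = PF_PASS;
+		pfr.rule.log = rule_log;
+		pfr.rule.keep_state = 1;
+		pfr.rule.flags = TH_SYN;
+		pfr.rule.flagset = (TH_SYN|TH_ACK);
+		pfr.rule.max_states = 1;
+		pfr.rule.quick = 1;
+
+		if (qname != NULL) {
+			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+		} else {
+			if (tname != NULL) {
+				pfr.rule.quick = 0;
+				strlcpy(pfr.rule.tagname, tname, sizeof pfr.rule.tagname);
+			}
+		}
 		break;
 	case PF_RULESET_NAT:
 		/*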
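Review bot: The block comment re-added at new lines 306-310 in add_filter's PF_RULESET_FILTER case still describes only `pass quick ... [queue qname]`, but the new else branch at 323-325 clears `pfr.rule.quick` and copies the tag into `pfr.rule.tagname`, so a tagged rule is deliberately not quick; change the last comment line to `*     (max 1) [queue qname | tag tname]` and add `* With a tag the rule is not quick, so later 'tagged' rules can still match.` next to the `pfr.rule.quick = 0;` line. New line 194 in init_filter_t is an indentation-only line of four spaces in a tab-indented file and should be empty. init_filter_t otherwise repeats init_filter_q's tail (rule_log selection, open of /dev/pf, DIOCGETSTATUS, running check), so when ftp-proxy.c calls both the device is opened twice and the first `dev` is leaked; a shared static helper that opens the device once, with the two public functions only recording their name, would avoid that. add_filter's body starts and ends outside the hunk.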
(-)filter.h (-1 / +2 lines)
Lines 26-31 Link Here
26
    struct sockaddr *, u_int16_t);
26
    struct sockaddr *, u_int16_t);
27
int do_commit(void);
27
int do_commit(void);
28
int do_rollback(void);
28
int do_rollback(void);
29
void init_filter(char *, int);
29
void init_filter_q(char *, int);
30
void init_filter_t(char *, int);
30
int prepare_commit(u_int32_t);
31
int prepare_commit(u_int32_t);
31
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
32
int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
(-)ftp-proxy.8 (-1 / +9 lines)
Lines 120-126 Link Here
120
.It Fl q Ar queue
120
.It Fl q Ar queue
121
Create rules with queue
121
Create rules with queue
122
.Ar queue
122
.Ar queue
123
appended, so that data connections can be queued.
123
appended, so that data connections can be queued. The -T option
124
is automatically cancelled. If -T and -q are both present, the
125
last on the command line prevails.
124
.It Fl R Ar address
126
.It Fl R Ar address
125
Fixed server address, also known as reverse mode.
127
Fixed server address, also known as reverse mode.
126
The proxy will always connect to the same server, regardless of
128
The proxy will always connect to the same server, regardless of
Lines 136-141 Link Here
136
The maximum is 86400 seconds, which is also the default.
138
The maximum is 86400 seconds, which is also the default.
137
Do not set this too low, because the control connection is usually
139
Do not set this too low, because the control connection is usually
138
idle when large data transfers are taking place.
140
idle when large data transfers are taking place.
141
.It Fl T Ar tag
142
The filter rules will add tag 
143
.Ar tag 
144
to data connections, and not match quick. This way, alternative rules
145
that use the tagged keyword can be implemented. The -q option is
146
is automatically cancelled.
139
.It Fl v
147
.It Fl v
140
Set the 'log' flag on pf rules committed by
148
Set the 'log' flag on pf rules committed by
141
.Nm .
149
.Nm .
