Attachment 107862 Details for Bug 148686 – file.diff

[patch] file.diff

file.diff (text/plain), 5.32 KB, created by Mario Lobo on 2010-07-16 17:10:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mario Lobo

Created: 2010-07-16 17:10:07 UTC

Size: 5.32 KB

patch

obsolete

>--- ftp-proxy.c.orig	2009-08-03 08:13:06.000000000 +0000
>+++ ftp-proxy.c	2010-07-13 12:56:07.000000000 +0000
>@@ -116,7 +116,7 @@
> 
> struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
> char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
>-    *qname;
>+    *qname, *tname;
> int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
>     rfc_mode, session_count, timeout, verbose;
> extern char *__progname;
>@@ -601,6 +601,7 @@
> 	loglevel	= LOG_NOTICE;
> 	max_sessions	= 100;
> 	qname		= NULL;
>+	tname           = NULL;
> 	rfc_mode	= 0;
> 	timeout		= 24 * 3600;
> 	verbose		= 0;
>@@ -609,7 +610,7 @@
> 	id_count	= 1;
> 	session_count	= 0;
> 
>-	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
>+	while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:T:v")) != -1) {
> 		switch (ch) {
> 		case '6':
> 			ipv6_mode = 1;
>@@ -647,8 +648,9 @@
> 			if (strlen(optarg) >= PF_QNAME_SIZE)
> 				errx(1, "queuename too long");
> 			qname = optarg;
>+			tname = NULL;
> 			break;
>-		case 'R':
>+		case 'R':
> 			fixed_server = optarg;
> 			break;
> 		case 'r':
>@@ -659,6 +661,12 @@
> 			if (errstr)
> 				errx(1, "timeout %s", errstr);
> 			break;
>+		case 'T':
>+			if (strlen(optarg) >= PF_TAG_NAME_SIZE)
>+				errx(1, "tagname too long");
>+			tname = optarg;
>+			qname = NULL;
>+			break;
> 		case 'v':
> 			verbose++;
> 			if (verbose > 2)
>@@ -734,7 +742,8 @@
> 	freeaddrinfo(res);
> 
> 	/* Initialize pf. */
>-	init_filter(qname, verbose);
>+	init_filter_q(qname, verbose);
>+	init_filter_t(tname, verbose);
> 
> 	if (daemonize) {
> 		if (daemon(0, 0) == -1)
>@@ -1102,6 +1111,6 @@
> {
> 	fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
> 	    " [-D level] [-m maxsessions]\n                 [-P port]"
>-	    " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
>+	    " [-p port] [-q queue] [-R address] [-t timeout] [-T tag]\n", __progname);
> 	exit(1);
> }
>--- filter.c.orig	2007-07-03 12:21:51.000000000 +0000
>+++ filter.c	2010-07-13 05:57:20.000000000 +0000
>@@ -54,6 +54,7 @@
> static struct pfioc_trans_e	pfte[TRANS_SIZE];
> static int dev, rule_log;
> static char *qname;
>+static char *tname;
> 
> int
> add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
>@@ -159,7 +160,7 @@
> }
> 
> void
>-init_filter(char *opt_qname, int opt_verbose)
>+init_filter_q(char *opt_qname, int opt_verbose)
> {
> 	struct pf_status status;
> 
>@@ -179,6 +180,28 @@
> 		errx(1, "pf is disabled");
> }
> 
>+void
>+init_filter_t(char *opt_tname, int opt_verbose)
>+{
>+	struct pf_status status;
>+
>+	tname = opt_tname;
>+
>+	if (opt_verbose == 1)
>+		rule_log = PF_LOG;
>+	else if (opt_verbose == 2)
>+		rule_log = PF_LOG_ALL;
>+    
>+	dev = open("/dev/pf", O_RDWR);
>+	if (dev == -1)
>+		err(1, "/dev/pf");
>+	if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
>+		err(1, "DIOCGETSTATUS");
>+	if (!status.running)
>+		errx(1, "pf is disabled");
>+}
>+
>+
> int
> prepare_commit(u_int32_t id)
> {
>@@ -279,20 +302,29 @@
> 
> 	switch (rs_num) {
> 	case PF_RULESET_FILTER:
>-		/*
>-		 * pass quick [log] inet[6] proto tcp \
>-		 *     from $src to $dst port = $d_port flags S/SA keep state
>-		 *     (max 1) [queue qname]
>-		 */
>-		pfr.rule.action = PF_PASS;
>-		pfr.rule.quick = 1;
>-		pfr.rule.log = rule_log;
>-		pfr.rule.keep_state = 1;
>-		pfr.rule.flags = TH_SYN;
>-		pfr.rule.flagset = (TH_SYN|TH_ACK);
>-		pfr.rule.max_states = 1;
>-		if (qname != NULL)
>-			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
>+
>+		/*
>+		 * pass quick [log] inet[6] proto tcp \
>+		 *     from $src to $dst port = $d_port flags S/SA keep state
>+		 *     (max 1) [queue qname]
>+		 */
>+
>+		pfr.rule.action = PF_PASS;
>+		pfr.rule.log = rule_log;
>+		pfr.rule.keep_state = 1;
>+		pfr.rule.flags = TH_SYN;
>+		pfr.rule.flagset = (TH_SYN|TH_ACK);
>+		pfr.rule.max_states = 1;
>+		pfr.rule.quick = 1;
>+
>+		if (qname != NULL) {
>+			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
>+		} else {
>+			if (tname != NULL) {
>+				pfr.rule.quick = 0;
>+				strlcpy(pfr.rule.tagname, tname, sizeof pfr.rule.tagname);
>+			}
>+		}
> 		break;
> 	case PF_RULESET_NAT:
> 		/*
>--- filter.h.orig	2007-07-03 12:21:50.000000000 +0000
>+++ filter.h	2010-07-13 05:25:52.000000000 +0000
>@@ -26,6 +26,7 @@
>     struct sockaddr *, u_int16_t);
> int do_commit(void);
> int do_rollback(void);
>-void init_filter(char *, int);
>+void init_filter_q(char *, int);
>+void init_filter_t(char *, int);
> int prepare_commit(u_int32_t);
> int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
>--- ftp-proxy.8.orig	2009-08-03 08:13:06.000000000 +0000
>+++ ftp-proxy.8	2010-07-13 13:22:58.000000000 +0000
>@@ -120,7 +120,9 @@
> .It Fl q Ar queue
> Create rules with queue
> .Ar queue
>-appended, so that data connections can be queued.
>+appended, so that data connections can be queued. The -T option
>+is automatically cancelled. If -T and -q are both present, the
>+last on the command line prevails.
> .It Fl R Ar address
> Fixed server address, also known as reverse mode.
> The proxy will always connect to the same server, regardless of
>@@ -136,6 +138,12 @@
> The maximum is 86400 seconds, which is also the default.
> Do not set this too low, because the control connection is usually
> idle when large data transfers are taking place.
>+.It Fl T Ar tag
>+The filter rules will add tag 
>+.Ar tag 
>+to data connections, and not match quick. This way, alternative rules
>+that use the tagged keyword can be implemented. The -q option is
>+is automatically cancelled.
> .It Fl v
> Set the 'log' flag on pf rules committed by
> .Nm .

Actions: View | Diff

Attachments on bug 148686: 107862