On 12 March 2010 c. 13:22:41 Stuart Henderson wrote:
> On 2010-03-12, Vadim Zhukov <persg...@gmail.com> wrote:
> > Hm-m. I think ftp-proxy itself should be fixed instead. What if the
> > target FTP server is not on egress? (Yes, my workaround proposal was
> > bad at that too.) Dropping "on egress" will be stupid because this
> > will definitely allow more connections than intended.
> >
> > Basic algorithm for fix as I see it:
> >
> > s = socket();
> > bind(s);
> > getsockname(s, sa);
> > add_peer_rule(sa, dest);
> > connect(dest);
>
> Hmm. I think it's more flexible to have an explicit rule, then people
> can choose interfaces, add rule options, etc, as they wish. For
> example ftp-proxy has no way to tell which interface you might want to
> permit.

It has: you can use either the -T flag and then "tagged" in pf.conf, or
just anchor options.

We cannot tell (directly) which interface you might want to permit when
creating rules for file transfer either.

So here is a patch proposal.

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Index: ftp-proxy.c
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.c,v
retrieving revision 1.20
diff -u -p -r1.20 ftp-proxy.c
--- ftp-proxy.c 1 Sep 2009 13:46:14 -0000       1.20
+++ ftp-proxy.c 12 Mar 2010 21:58:41 -0000
@@ -59,6 +59,8 @@
 #define PF_NAT_PROXY_PORT_HIGH 65535

 #define        sstosa(ss)      ((struct sockaddr *)(ss))
+#define        sstosin(ss)     ((struct sockaddr_in *)(ss))
+#define        sstosin6(ss)    ((struct sockaddr_in6 *)(ss))

 enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };

@@ -448,9 +450,9 @@ handle_connection(const int listen_fd, s
                    strerror(errno));
                goto fail;
        }
-       if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
+       if (bind(s->server_fd, sstosa(&fixed_proxy_ss),
            fixed_proxy_ss.ss_len) != 0) {
-               logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s",
+               logmsg(LOG_CRIT, "#%d cannot bind (fixed) proxy address: %s",
                    s->id, strerror(errno));
                goto fail;
        }
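Review bot: dropping the `fixed_proxy &&` guard makes bind() run on every server connection, so `fixed_proxy_ss` must now always hold a valid address, and the patch never reads the bound address back before adding a rule (there is no getsockname() call anywhere in the diff). Binding to the wildcard address with port 0 only makes the kernel pick an ephemeral port; the local address stays unspecified until connect(), so this hunk on its own does not give the proxy the source address the earlier "bind; getsockname; add_peer_rule; connect" sketch relies on. If the bind is meant to stay unconditional, it would help to log which address was attempted (sock_ntop(sstosa(&fixed_proxy_ss))) in the "cannot bind (fixed) proxy address" message so a failure from the default wildcard case can be told apart from a bad -a argument.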
@@ -586,6 +588,8 @@ main(int argc, char *argv[])
 {
        struct rlimit rlp;
        struct addrinfo hints, *res;
+       struct sockaddr_in6 *sin6;
+       struct sockaddr_in *sin;
        struct event ev, ev_sighup, ev_sigint, ev_sigterm;
        int ch, error, listenfd, on;
        const char *errstr;
@@ -701,6 +705,21 @@ main(int argc, char *argv[])
                logmsg(LOG_INFO, "using %s to connect to servers",
                    sock_ntop(sstosa(&fixed_proxy_ss)));
                freeaddrinfo(res);
+       } else {
+               memset(&fixed_proxy_ss, 0, sizeof(struct sockaddr_storage));
+               if (ipv6_mode) {
+                       sin6 = sstosin6(&fixed_proxy_ss);
+                       sin6->sin6_len = sizeof(struct sockaddr_in);
+                       sin6->sin6_family = AF_INET;
+                       if (inet_pton(AF_INET6, "::", &sin6->sin6_addr) != 1)
+                               errx(1, "inet_pton unspecified address "
+                                   "failed: %s", strerror(errno));
+               } else {
+                       sin = sstosin(&fixed_proxy_ss);
+                       sin->sin_len = sizeof(struct sockaddr_in6);
+                       sin->sin_family = AF_INET6;
+                       sin->sin_addr.s_addr = INADDR_ANY;
+               }
        }

        if (fixed_server) {

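Review bot: the length and family fields are swapped between the two branches of the new `else`: under ipv6_mode the code sets `sin6->sin6_len = sizeof(struct sockaddr_in)` and `sin6->sin6_family = AF_INET` on a sockaddr_in6, while the IPv4 branch sets `sin->sin_len = sizeof(struct sockaddr_in6)` and `sin->sin_family = AF_INET6` on a sockaddr_in, so the bind() in handle_connection() is handed a family and length that do not match the socket and every server connection will fail with "cannot bind (fixed) proxy address". Swap them back (sizeof(struct sockaddr_in6)/AF_INET6 in the IPv6 branch, sizeof(struct sockaddr_in)/AF_INET in the IPv4 branch). Also, inet_pton() returns 0 on an unparsable string without setting errno, so the errx() with strerror(errno) would report a stale errno; `sin6->sin6_addr = in6addr_any;` avoids the parse altogether, mirroring the INADDR_ANY assignment in the IPv4 branch.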
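The "bind; getsockname; add_peer_rule; connect" sketch quoted above assumes that getsockname() after a wildcard bind already yields the source address the pf rule should match. The following added example (not ftp-proxy code, and not part of the original mail) checks that assumption on a loopback stand-in for the FTP server: it binds the client socket to INADDR_ANY with port 0 as the patch does, records the local name, connects, and records it again. The listener address, the `probe` struct and the `probe_check()` helper are constructed for this example only.

```c
/*
 * Added example, not ftp-proxy code.  Demonstrates that after
 *   bind(INADDR_ANY, port 0)
 * getsockname() reports 0.0.0.0 plus an ephemeral port; the real
 * source address only becomes known after connect().  A listening
 * socket on 127.0.0.1 stands in for the FTP server (constructed
 * test fixture, no real server involved).
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct probe {
	char before[INET_ADDRSTRLEN];	/* local address after bind() */
	char after[INET_ADDRSTRLEN];	/* local address after connect() */
	int port_before;		/* local port after bind() */
	int port_after;			/* local port after connect() */
};

/* Fill buf/port with the socket's current local name. */
static int
local_name(int fd, char *buf, size_t len, int *port)
{
	struct sockaddr_in sin;
	socklen_t slen = sizeof(sin);

	if (getsockname(fd, (struct sockaddr *)&sin, &slen) == -1)
		return -1;
	if (inet_ntop(AF_INET, &sin.sin_addr, buf, len) == NULL)
		return -1;
	*port = ntohs(sin.sin_port);
	return 0;
}

/* Run the bind/getsockname/connect/getsockname sequence; 0 on success. */
int
probe_source_address(struct probe *p)
{
	struct sockaddr_in lsin, wild;
	socklen_t slen;
	int lfd = -1, cfd = -1, rc = -1;

	memset(p, 0, sizeof(*p));

	/* stand-in "FTP server": 127.0.0.1, kernel-chosen port */
	if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		goto out;
	memset(&lsin, 0, sizeof(lsin));
	lsin.sin_family = AF_INET;
	lsin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	lsin.sin_port = 0;
	if (bind(lfd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
		goto out;
	if (listen(lfd, 1) == -1)
		goto out;
	slen = sizeof(lsin);
	if (getsockname(lfd, (struct sockaddr *)&lsin, &slen) == -1)
		goto out;

	/* "proxy" side: wildcard address, port 0, as in the patch */
	if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		goto out;
	memset(&wild, 0, sizeof(wild));
	wild.sin_family = AF_INET;
	wild.sin_addr.s_addr = htonl(INADDR_ANY);
	wild.sin_port = 0;
	if (bind(cfd, (struct sockaddr *)&wild, sizeof(wild)) == -1)
		goto out;
	if (local_name(cfd, p->before, sizeof(p->before), &p->port_before) == -1)
		goto out;

	/* only now does the kernel pick the source address */
	if (connect(cfd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
		goto out;
	if (local_name(cfd, p->after, sizeof(p->after), &p->port_after) == -1)
		goto out;
	rc = 0;
out:
	if (cfd != -1)
		close(cfd);
	if (lfd != -1)
		close(lfd);
	return rc;
}

/* 1 if the wildcard bind hid the source address until connect(). */
int
probe_check(void)
{
	struct probe p;

	if (probe_source_address(&p) == -1)
		return -1;
	return strcmp(p.before, "0.0.0.0") == 0 &&
	    strcmp(p.after, "127.0.0.1") == 0 &&
	    p.port_before != 0 && p.port_before == p.port_after;
}

int
main(void)
{
	struct probe p;

	if (probe_source_address(&p) == -1) {
		perror("probe");
		return 1;
	}
	printf("after bind:    %s:%d\n", p.before, p.port_before);
	printf("after connect: %s:%d\n", p.after, p.port_after);
	return 0;
}
```

The port is fixed at bind() time, so a rule keyed on the port alone could be added before connect(); a rule keyed on the source address cannot, which is why the explicit pf.conf rule Stuart suggests, or a route lookup towards the destination, is needed to pick the address.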