Re: ftp-proxy: use divert-to instead of rdr-to
On Mon, Apr 11, 2011 at 16:59 +0200, Mike Belopuhov wrote: On Thu, Apr 07, 2011 at 18:58 +0200, Mike Belopuhov wrote: this allows us to get rid of the nasty NATLOOKUP ioctl and get the original server address right from the socket. also this paves the way to the transparent ftp-proxy mode. if you will like this diff and nobody objects, i'll try to rip NATLOOKUP out from the other places too. note, that it requires you to change your rdr-to rule to do divert:
-pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
new version. correct operation with rdomains requires the divert-to rdomain diff. as the divert-to rdomain diff is in, i'm looking for OKs for this one.
Index: filter.c
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.14
diff -u -p -r1.14 filter.c
--- filter.c 25 Mar 2011 14:51:31 - 1.14
+++ filter.c 7 Apr 2011 16:52:05 -
@@ -42,10 +42,6 @@ int add_addr(struct sockaddr *, struct pf_pool *);
 int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-struct sockaddr_in *, int *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-struct sockaddr_in6 *, int *);
 static struct pfioc_rule pfr;
 static struct pfioc_transpft;
@@ -252,82 +248,6 @@ prepare_rule(u_int32_t id, struct sockad
 strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
 }
-
- return (0);
-}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-struct sockaddr *server, int *cdomain)
-{
- if (client-sa_family == AF_INET)
- return (server_lookup4(satosin(client), satosin(proxy),
- satosin(server), cdomain));
-
- if (client-sa_family == AF_INET6)
- return (server_lookup6(satosin6(client), satosin6(proxy),
- satosin6(server), cdomain));
-
- errno = EPROTONOSUPPORT;
- return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-struct sockaddr_in *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v4, client-sin_addr.s_addr, sizeof pnl.saddr.v4);
- memcpy(pnl.daddr.v4, proxy-sin_addr.s_addr, sizeof pnl.daddr.v4);
- pnl.sport = client-sin_port;
- pnl.dport = proxy-sin_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in));
- server-sin_len = sizeof(struct sockaddr_in);
- server-sin_family = AF_INET;
- memcpy(server-sin_addr.s_addr, pnl.rdaddr.v4,
- sizeof server-sin_addr.s_addr);
- server-sin_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
-
- return (0);
-}
-
-int
-server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
-struct sockaddr_in6 *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET6;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v6, client-sin6_addr.s6_addr, sizeof pnl.saddr.v6);
- memcpy(pnl.daddr.v6, proxy-sin6_addr.s6_addr, sizeof pnl.daddr.v6);
- pnl.sport = client-sin6_port;
- pnl.dport = proxy-sin6_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in6));
- server-sin6_len = sizeof(struct sockaddr_in6);
- server-sin6_family = AF_INET6;
- memcpy(server-sin6_addr.s6_addr, pnl.rdaddr.v6,
- sizeof server-sin6_addr);
- server-sin6_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
 return (0);
 }
Index: filter.h
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.h,v
retrieving revision 1.6
diff -u -p -r1.6 filter.h
--- filter.h 25 Mar 2011 14:51:31 - 1.6
+++ filter.h 7 Apr 2011 16:31:38 -
@@ -26,5 +26,3 @@ int do_commit(void);
 int do_rollback(void);
 void init_filter(char *, char *, int);
 int prepare_commit(u_int32_t);
-int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *,
-int *);
Index: ftp-proxy.8
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14
+++ ftp-proxy.8 7 Apr 2011 16:49:56
Re: ftp-proxy: use divert-to instead of rdr-to
On Thu, Apr 07, 2011 at 18:58 +0200, Mike Belopuhov wrote: this allows us to get rid of the nasty NATLOOKUP ioctl and get the original server address right from the socket. also this paves the way to the transparent ftp-proxy mode. if you will like this diff and nobody objects, i'll try to rip NATLOOKUP out from the other places too. note, that it requires you to change your rdr-to rule to do divert:
-pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
new version. correct operation with rdomains requires the divert-to rdomain diff.
Index: filter.c
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.14
diff -u -p -r1.14 filter.c
--- filter.c25 Mar 2011 14:51:31 - 1.14
+++ filter.c7 Apr 2011 16:52:05 -
@@ -42,10 +42,6 @@ int add_addr(struct sockaddr *, struct pf_pool *);
 int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-struct sockaddr_in *, int *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-struct sockaddr_in6 *, int *);
 static struct pfioc_rule pfr;
 static struct pfioc_trans pft;
@@ -252,82 +248,6 @@ prepare_rule(u_int32_t id, struct sockad
 strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
 }
-
- return (0);
-}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-struct sockaddr *server, int *cdomain)
-{
- if (client-sa_family == AF_INET)
- return (server_lookup4(satosin(client), satosin(proxy),
- satosin(server), cdomain));
-
- if (client-sa_family == AF_INET6)
- return (server_lookup6(satosin6(client), satosin6(proxy),
- satosin6(server), cdomain));
-
- errno = EPROTONOSUPPORT;
- return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-struct sockaddr_in *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v4, client-sin_addr.s_addr, sizeof pnl.saddr.v4);
- memcpy(pnl.daddr.v4, proxy-sin_addr.s_addr, sizeof pnl.daddr.v4);
- pnl.sport = client-sin_port;
- pnl.dport = proxy-sin_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in));
- server-sin_len = sizeof(struct sockaddr_in);
- server-sin_family = AF_INET;
- memcpy(server-sin_addr.s_addr, pnl.rdaddr.v4,
- sizeof server-sin_addr.s_addr);
- server-sin_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
-
- return (0);
-}
-
-int
-server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
-struct sockaddr_in6 *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET6;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v6, client-sin6_addr.s6_addr, sizeof pnl.saddr.v6);
- memcpy(pnl.daddr.v6, proxy-sin6_addr.s6_addr, sizeof pnl.daddr.v6);
- pnl.sport = client-sin6_port;
- pnl.dport = proxy-sin6_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in6));
- server-sin6_len = sizeof(struct sockaddr_in6);
- server-sin6_family = AF_INET6;
- memcpy(server-sin6_addr.s6_addr, pnl.rdaddr.v6,
- sizeof server-sin6_addr);
- server-sin6_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
 return (0);
 }
Index: filter.h
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.h,v
retrieving revision 1.6
diff -u -p -r1.6 filter.h
--- filter.h25 Mar 2011 14:51:31 - 1.6
+++ filter.h7 Apr 2011 16:31:38 -
@@ -26,5 +26,3 @@ int do_commit(void);
 int do_rollback(void);
 void init_filter(char *, char *, int);
 int prepare_commit(u_int32_t);
-int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *,
-int *);
Index: ftp-proxy.8
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14
+++ ftp-proxy.8 7 Apr 2011 16:49:56 -
@@ -40,7 +40,7 @@ is a proxy for the Internet File Transfer Protocol.
 FTP control connections should be redirected into the proxy using the
 .Xr pf 4
-.Ar
Re: ftp-proxy: use divert-to instead of rdr-to
please disregard this diff. it's wrong. On Thu, Apr 7, 2011 at 6:58 PM, Mike Belopuhov m...@crypt.org.ru wrote: this allows us to get rid of the nasty NATLOOKUP ioctl and get the original server address right from the socket. also this paves the way to the transparent ftp-proxy mode. if you will like this diff and nobody objects, i'll try to rip NATLOOKUP out from the other places too. note, that it requires you to change your rdr-to rule to do divert: -pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 +pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
ftp-proxy: use divert-to instead of rdr-to
this allows us to get rid of the nasty NATLOOKUP ioctl and get the original server address right from the socket. also this paves the way to the transparent ftp-proxy mode. if you will like this diff and nobody objects, i'll try to rip NATLOOKUP out from the other places too. note, that it requires you to change your rdr-to rule to do divert:
-pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
Index: filter.c
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.14
diff -u -p -r1.14 filter.c
--- filter.c25 Mar 2011 14:51:31 - 1.14
+++ filter.c7 Apr 2011 16:31:30 -
@@ -42,10 +42,6 @@ int add_addr(struct sockaddr *, struct pf_pool *);
 int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-struct sockaddr_in *, int *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-struct sockaddr_in6 *, int *);
 static struct pfioc_rule pfr;
 static struct pfioc_trans pft;
@@ -252,82 +248,6 @@ prepare_rule(u_int32_t id, struct sockad
 strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
 }
-
- return (0);
-}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-struct sockaddr *server, int *cdomain)
-{
- if (client-sa_family == AF_INET)
- return (server_lookup4(satosin(client), satosin(proxy),
- satosin(server), cdomain));
-
- if (client-sa_family == AF_INET6)
- return (server_lookup6(satosin6(client), satosin6(proxy),
- satosin6(server), cdomain));
-
- errno = EPROTONOSUPPORT;
- return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-struct sockaddr_in *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v4, client-sin_addr.s_addr, sizeof pnl.saddr.v4);
- memcpy(pnl.daddr.v4, proxy-sin_addr.s_addr, sizeof pnl.daddr.v4);
- pnl.sport = client-sin_port;
- pnl.dport = proxy-sin_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in));
- server-sin_len = sizeof(struct sockaddr_in);
- server-sin_family = AF_INET;
- memcpy(server-sin_addr.s_addr, pnl.rdaddr.v4,
- sizeof server-sin_addr.s_addr);
- server-sin_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
-
- return (0);
-}
-
-int
-server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
-struct sockaddr_in6 *server, int *cdomain)
-{
- struct pfioc_natlook pnl;
-
- memset(pnl, 0, sizeof pnl);
- pnl.direction = PF_OUT;
- pnl.af = AF_INET6;
- pnl.proto = IPPROTO_TCP;
- pnl.rdomain = getrtable();
- memcpy(pnl.saddr.v6, client-sin6_addr.s6_addr, sizeof pnl.saddr.v6);
- memcpy(pnl.daddr.v6, proxy-sin6_addr.s6_addr, sizeof pnl.daddr.v6);
- pnl.sport = client-sin6_port;
- pnl.dport = proxy-sin6_port;
-
- if (ioctl(dev, DIOCNATLOOK, pnl) == -1)
- return (-1);
-
- memset(server, 0, sizeof(struct sockaddr_in6));
- server-sin6_len = sizeof(struct sockaddr_in6);
- server-sin6_family = AF_INET6;
- memcpy(server-sin6_addr.s6_addr, pnl.rdaddr.v6,
- sizeof server-sin6_addr);
- server-sin6_port = pnl.rdport;
- *cdomain = pnl.rrdomain;
 return (0);
 }
Index: filter.h
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.h,v
retrieving revision 1.6
diff -u -p -r1.6 filter.h
--- filter.h25 Mar 2011 14:51:31 - 1.6
+++ filter.h7 Apr 2011 16:31:38 -
@@ -26,5 +26,3 @@ int do_commit(void);
 int do_rollback(void);
 void init_filter(char *, char *, int);
 int prepare_commit(u_int32_t);
-int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *,
-int *);
Index: ftp-proxy.8
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14
+++ ftp-proxy.8 7 Apr 2011 16:49:56 -
@@ -40,7 +40,7 @@ is a proxy for the Internet File Transfer Protocol.
 FTP control connections should be redirected into the proxy using the
 .Xr pf 4
-.Ar rdr-to
+.Ar divert-to
 command, after which the proxy connects to the server on behalf of the client.
 .Pp
@@ -169,7 +169,7 @@ needs the following rules.