> Stuart Henderson <st...@openbsd.org>, 2014-06-27 11:00 > > > +/* Stolen from ftp-proxy */ > > Old version of ftp-proxy I guess. It hasn't used DIOCNATLOOK for several > releases, it has switched to the much easier-to-use divert-to / getsockname().
And also : > Henning Brauer <lists-openbsdt...@bsws.de>, 2014-06-27 14:07 > nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo > > DIOCNATLOOK is stupid. I'll celebrate the day when I can kill it. > Please look at less ancient ftp-proxy/*-proxy code for inspiration. Way simpler, indeed! Thank you
--- tarpitd.c.bak	Fri Jun 27 13:25:06 2014
+++ tarpitd.c	Fri Jun 27 14:01:35 2014
@@ -56,21 +56,11 @@ struct con {
 	int il;
 } *con;
-/* From netinet/in.h, but only _KERNEL_ gets them. */
-#define satosin(sa) ((struct sockaddr_in *)(sa))
-#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-    struct sockaddr_in *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-    struct sockaddr_in6 *);
-
 void usage(void);
 void initcon(struct con *, int, struct sockaddr *);
 void closecon(struct con *);
 void handler(struct con *);
 void getcaddr(struct con *);
-int server_lookup(struct sockaddr *, struct sockaddr *,
-    struct sockaddr *);
 int blockhost(char *);
 int blocklistener(void);
@@ -84,7 +74,6 @@ int maxfiles;
 int maxcon = MAXCON;
 int clients;
 int debug;
-int pfdev;
 int window = 0;
 int autoblock = 1;
 int pipel[2] = { -1, -1 };
@@ -160,90 +149,11 @@ int blocklistener(void)
 	return(ret);
 }
-/* Stolen from ftp-proxy */
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-    struct sockaddr *server)
-{
-	if (client->sa_family == AF_INET)
-		return (server_lookup4(satosin(client), satosin(proxy),
-		    satosin(server)));
-
-	if (client->sa_family == AF_INET6)
-		return (server_lookup6(satosin6(client), satosin6(proxy),
-		    satosin6(server)));
-
-	errno = EPROTONOSUPPORT;
-	return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-    struct sockaddr_in *server)
-{
-	struct pfioc_natlook pnl;
-
-	memset(&pnl, 0, sizeof pnl);
-	pnl.direction = PF_OUT;
-	pnl.af = AF_INET;
-	pnl.proto = IPPROTO_TCP;
-	memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
-	memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
-	pnl.sport = client->sin_port;
-	pnl.dport = proxy->sin_port;
-
-	if (ioctl(pfdev, DIOCNATLOOK, &pnl) == -1)
-		return (-1);
-
-	memset(server, 0, sizeof(struct sockaddr_in));
-	server->sin_len = sizeof(struct sockaddr_in);
-	server->sin_family = AF_INET;
-	memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
-	    sizeof server->sin_addr.s_addr);
-	server->sin_port = pnl.rdport;
-
-	return (0);
-}
-
-int
-server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
-    struct sockaddr_in6 *server)
-{
-	struct pfioc_natlook pnl;
-
-	memset(&pnl, 0, sizeof pnl);
-	pnl.direction = PF_OUT;
-	pnl.af = AF_INET6;
-	pnl.proto = IPPROTO_TCP;
-	memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof pnl.saddr.v6);
-	memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6);
-	pnl.sport = client->sin6_port;
-	pnl.dport = proxy->sin6_port;
-
-	if (ioctl(pfdev, DIOCNATLOOK, &pnl) == -1)
-		return (-1);
-
-	memset(server, 0, sizeof(struct sockaddr_in6));
-	server->sin6_len = sizeof(struct sockaddr_in6);
-	server->sin6_family = AF_INET6;
-	memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6,
-	    sizeof server->sin6_addr);
-	server->sin6_port = pnl.rdport;
-
-	return (0);
-}
-
-/*
- * Get address client connected to, by doing a DIOCNATLOOK call.
- * Uses server_lookup code from ftp-proxy.
- */
 void
 getcaddr(struct con *cp)
 {
 	struct sockaddr_storage spamd_end;
 	struct sockaddr *sep = (struct sockaddr *) &spamd_end;
-	struct sockaddr_storage original_destination;
-	struct sockaddr *odp = (struct sockaddr *) &original_destination;
 	socklen_t len = sizeof(struct sockaddr_storage);
 	int error;
@@ -251,9 +161,7 @@ getcaddr(struct con *cp)
 	cp->cport[0] = '\0';
 	if (getsockname(cp->fd, sep, &len) == -1)
 		return;
-	if (server_lookup((struct sockaddr *)&cp->ss, sep, odp) != 0)
-		return;
-	error = getnameinfo(odp, odp->sa_len, cp->caddr, sizeof(cp->caddr),
+	error = getnameinfo(sep, sep->sa_len, cp->caddr, sizeof(cp->caddr),
 	    cp->cport, sizeof(cp->cport), NI_NUMERICHOST | NI_NUMERICSERV);
 	if (error) {
 		syslog_r(LOG_WARNING, &sdata, "cannot get original destination address.");
@@ -489,12 +397,6 @@ main(int argc, char *argv[])
 	if (debug == 0) {
 		if (daemon(1, 1) == -1)
 			err(1, "daemon");
-	}
-
-	pfdev = open("/dev/pf", O_RDWR);
-	if (pfdev == -1) {
-		syslog_r(LOG_ERR, &sdata, "open /dev/pf: %m");
-		exit(1);
 	}
 	if (chroot("/var/empty") == -1 || chdir("/") == -1) {
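Review bot: After the getnameinfo change in the @@ -251 hunk, getcaddr records whatever getsockname() returns on cp->fd as the client's original destination, which is only correct when the connection reached the daemon through a pf divert-to rule; with a redirect (rdr-to) rule, as far as I can tell, getsockname() would yield the listener's own address and the code would store it without any error or log line. The header comment that explained how the address was obtained is removed in the preceding hunk, so this new precondition is now undocumented; a short comment above getcaddr such as `/* Original destination of the client's connection: requires a pf divert-to rule, so that getsockname() on the accepted socket yields the address the client actually connected to. */` would cover it. The function's opening lines sit in the previous hunk and its body continues past the syslog_r line, so the end of the `if (error)` block is not visible here.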