authormlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
committermlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
commit6a32f6ec2e479ff91d30ed651bcb24ad8d14e84e (patch)
tree91591a3c3277d8525d725da18322a0f9ba6078a2 /contrib/pf/ftp-proxy
parentc9eda2a3d0e4116e5b63faaab29f4fe0695a4dad (diff)
Import userland of pf 3.5 from OpenBSD (OPENBSD_3_5_BASE).
Diffstat (limited to 'contrib/pf/ftp-proxy')
-rw-r--r--contrib/pf/ftp-proxy/ftp-proxy.845
-rw-r--r--contrib/pf/ftp-proxy/ftp-proxy.c21
-rw-r--r--contrib/pf/ftp-proxy/util.c15
3 files changed, 58 insertions, 23 deletions
diff --git a/contrib/pf/ftp-proxy/ftp-proxy.8 b/contrib/pf/ftp-proxy/ftp-proxy.8
index 2832ddb..e68bdde 100644
--- a/contrib/pf/ftp-proxy/ftp-proxy.8
+++ b/contrib/pf/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.37 2003/09/05 12:27:47 jmc Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $
.\"
.\" Copyright (c) 1996-2001
.\" Obtuse Systems Corporation, All rights reserved.
@@ -36,10 +36,11 @@
.Sh SYNOPSIS
.Nm ftp-proxy
.Op Fl AnrVw
+.Op Fl a Ar address
.Op Fl D Ar debuglevel
.Op Fl g Ar group
-.Op Fl m Ar minport
.Op Fl M Ar maxport
+.Op Fl m Ar minport
.Op Fl t Ar timeout
.Op Fl u Ar user
.Sh DESCRIPTION
@@ -65,6 +66,26 @@ or
.Qq anonymous
only.
Any attempt to log in as another user will be blocked by the proxy.
+.It Fl a Ar address
+Specify the local IP address to use in
+.Xr bind 2
+as the source for connections made by
+.Nm ftp-proxy
+when connecting to destination FTP servers.
+This may be necessary if the interface address of
+your default route is not reachable from the destinations
+.Nm
+is attempting connections to, or this address is different from the one
+connections are being NATed to.
+In the usual case this means that
+.Ar address
+should be a publicly visible IP address assigned to one of
+the interfaces on the machine running
+.Nm
+and should be the same address to which you are translating traffic
+if you are using the
+.Fl n
+option.
.It Fl D Ar debuglevel
Specify a debug level, where the proxy emits verbose debug output
into
@@ -80,14 +101,6 @@ lookups which require root.
By default,
.Nm
uses the default group of the user it drops privilege to.
-.It Fl m Ar minport
-Specify the lower end of the port range the proxy will use for all
-data connections it establishes.
-The default is
-.Dv IPPORT_HIFIRSTAUTO
-defined in
-.Aq Pa netinet/in.h
-as 49152.
.It Fl M Ar maxport
Specify the upper end of the port range the proxy will use for the
data connections it establishes.
@@ -96,6 +109,14 @@ The default is
defined in
.Aq Pa netinet/in.h
as 65535.
+.It Fl m Ar minport
+Specify the lower end of the port range the proxy will use for all
+data connections it establishes.
+The default is
+.Dv IPPORT_HIFIRSTAUTO
+defined in
+.Aq Pa netinet/in.h
+as 49152.
.It Fl n
Activate network address translation
.Pq NAT
@@ -173,8 +194,8 @@ A typical way to do this would be to use a
.Xr pf.conf 5
rule such as
.Bd -literal -offset 2n
-int_if = xl0
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+int_if = \&"xl0\&"
+rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
.Ed
.Pp
.Xr inetd 8
diff --git a/contrib/pf/ftp-proxy/ftp-proxy.c b/contrib/pf/ftp-proxy/ftp-proxy.c
index 88b6fd1..18bc0a6 100644
--- a/contrib/pf/ftp-proxy/ftp-proxy.c
+++ b/contrib/pf/ftp-proxy/ftp-proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp-proxy.c,v 1.33 2003/08/22 21:50:34 david Exp $ */
+/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */
/*
* Copyright (c) 1996-2001
@@ -67,7 +67,7 @@
* - per-user rules perhaps.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/time.h>
#include <sys/socket.h>
@@ -148,6 +148,7 @@ char *Group;
extern int Debug_Level;
extern int Use_Rdns;
+extern in_addr_t Bind_Addr;
extern char *__progname;
typedef enum {
@@ -171,9 +172,8 @@ static void
usage(void)
{
syslog(LOG_NOTICE,
- "usage: %s [-AnrVw] [-D debuglevel] [-g group] %s %s",
- __progname, "[-m minport] [-M maxport] [-t timeout]",
- "[-u user]");
+ "usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]"
+ " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname);
exit(EX_USAGE);
}
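Review bot: The new usage string in usage() has an unbalanced bracket, `[-D debuglevel [-g group]`, so the logged synopsis reads as if -g were nested inside -D. It should be `"usage: %s [-AnrVw] [-a address] [-D debuglevel] [-g group]"`, which matches the man page SYNOPSIS in this same commit, where -D and -g are separate `.Op` entries.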
@@ -973,9 +973,18 @@ main(int argc, char *argv[])
int use_tcpwrapper = 0;
#endif /* LIBWRAP */
- while ((ch = getopt(argc, argv, "D:g:m:M:t:u:AnVwr")) != -1) {
+ while ((ch = getopt(argc, argv, "a:D:g:m:M:t:u:AnVwr")) != -1) {
char *p;
switch (ch) {
+ case 'a':
+ if (!*optarg)
+ usage();
+ if ((Bind_Addr = inet_addr(optarg)) == INADDR_NONE) {
+ syslog(LOG_NOTICE,
+ "%s: invalid address", optarg);
+ usage();
+ }
+ break;
case 'A':
AnonFtpOnly = 1; /* restrict to anon usernames only */
break;
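Review bot: `inet_addr()` in the new `case 'a'` is a loose parser for an option that picks the proxy's outbound source address. It accepts shorthand and octal/hex spellings (for example `10.1` or `010.0.0.1`), so a mistyped argument can be accepted as a different address than the operator meant instead of being rejected. Its error value INADDR_NONE is also the bit pattern of 255.255.255.255, and util.c uses that same value as the "not set" sentinel for Bind_Addr. Strict dotted-quad parsing avoids the first problem: `struct in_addr ia; if (inet_pton(AF_INET, optarg, &ia) != 1) { syslog(...); usage(); }` followed by `Bind_Addr = ia.s_addr;`. The enclosing main() starts and ends outside this hunk.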
diff --git a/contrib/pf/ftp-proxy/util.c b/contrib/pf/ftp-proxy/util.c
index 3c8b20e..17a88ca 100644
--- a/contrib/pf/ftp-proxy/util.c
+++ b/contrib/pf/ftp-proxy/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.16 2003/06/28 01:04:57 deraadt Exp $ */
+/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */
/*
* Copyright (c) 1996-2001
@@ -58,6 +58,7 @@
int Debug_Level;
int Use_Rdns;
+in_addr_t Bind_Addr = INADDR_NONE;
void debuglog(int debug_level, const char *fmt, ...);
@@ -77,7 +78,8 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
struct sockaddr_in *client_sa_ptr)
{
struct pfioc_natlook natlook;
- int slen, fd;
+ socklen_t slen;
+ int fd;
slen = sizeof(*real_server_sa_ptr);
if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr,
@@ -257,10 +259,13 @@ get_backchannel_socket(int type, int min_port, int max_port, int start_port,
bzero(&sa, sizeof sa);
sa.sin_family = AF_INET;
- if (sap == NULL)
- sa.sin_addr.s_addr = INADDR_ANY;
+ if (Bind_Addr == INADDR_NONE)
+ if (sap == NULL)
+ sa.sin_addr.s_addr = INADDR_ANY;
+ else
+ sa.sin_addr.s_addr = sap->sin_addr.s_addr;
else
- sa.sin_addr.s_addr = sap->sin_addr.s_addr;
+ sa.sin_addr.s_addr = Bind_Addr;
/*
* Indicate that we want to reuse a port if it happens that the
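Review bot: The nested `if`/`else` added in get_backchannel_socket() pairs each `else` with its `if` by indentation only. It parses as intended today, but compilers flag it as a dangling else, and a later edit to the inner branch can silently re-bind the outer `else`. Brace the outer branches: `if (Bind_Addr == INADDR_NONE) { ... } else { sa.sin_addr.s_addr = Bind_Addr; }`. Separately, once -a is given, Bind_Addr overrides `sap` for every socket this function creates; the callers are outside the hunk, so it is worth confirming that none of them rely on `sap` for a client-facing listening socket, since the man page describes -a only as the source for connections to destination servers. A short comment above the block, such as `/* -a overrides the per-call bind address */`, would make that precedence explicit.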