author | ru <ru@FreeBSD.org> | 2000-06-27 15:26:24 +0000 |
---|---|---|
committer | ru <ru@FreeBSD.org> | 2000-06-27 15:26:24 +0000 |
commit | 15462ff9cb200b6a646de7f40ab7854f7ee54ff6 (patch) | |
tree | d80abc657709976b2203fd6ba26b367f565afbb4 /sbin | |
parent | 268f00dee922fa5e6dbb3902bc1d4722d43c6a9d (diff) | |
Added new option (-punch_fw) which allows natd to `punch holes'
in the ipfirewall(4) for incoming FTP/IRC DCC connections.
Submitted by: Rene de Vries <rene@canyon.demon.nl>
Rewritten by: ru
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/natd/natd.8 | 20 | ||||
-rw-r--r-- | sbin/natd/natd.c | 29 |
2 files changed, 47 insertions, 2 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index a0d56e5..60cf31c 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -29,6 +29,7 @@
 .Op Fl config | f Ar configfile
 .Op Fl log_denied
 .Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
 .Sh DESCRIPTION
 This program provides a Network Address Translation facility for use with
@@ -412,6 +413,25 @@ Use to put this information into the IP option field or
 .Ar encode_tcp_stream
 to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 2f45af5..a4845d8 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -98,6 +98,7 @@ static int StrToProto (const char* str);
 static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
 static void ParseArgs (int argc, char** argv);
 static void FlushPacketBuffer (int fd);
+static void SetupPunchFW(const char *strValue);
 /*
 * Globals.
@@ -868,7 +869,8 @@ enum Option {
 DynamicMode,
 ProxyRule,
 LogDenied,
- LogFacility
+ LogFacility,
+ PunchFW
 };
 enum Param {
@@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = {
 "facility",
 "name of syslog facility to use for logging",
 "log_facility",
- NULL }
+ NULL },
+ { PunchFW,
+ 0,
+ String,
+ "basenumber:count",
+ "punch holes in the firewall for incoming FTP/IRC DCC connections",
+ "punch_fw",
+ NULL }
 };
 static void ParseOption (const char* option, const char* parms)
@@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms)
 errx(1, "Unknown log facility name: %s", strValue);
 break;
+
+ case PunchFW:
+ SetupPunchFW(strValue);
+ break;
 }
 }
@@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p
 StrToAddr (str, addr);
 return StrToPortRange (ptr, proto, portRange);
 }
+
+static void
+SetupPunchFW(const char *strValue)
+{
+ unsigned int base, num;
+
+ if (sscanf(strValue, "%u:%u", &base, &num) != 2)
+ errx(1, "punch_fw: basenumber:count parameter required");
+
+ PacketAliasSetFWBase(base, num);
+ (void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+}
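Review bot: SetupPunchFW in the last hunk hands whatever two integers sscanf manages to read straight to PacketAliasSetFWBase, while the natd.8 text added in this same commit says that range "will be cleared for all rules on startup" — so a mistyped `-punch_fw 0:65535`, or a base that overlaps the administrator's existing ipfw rules, deletes those rules when natd starts as root, with no error. `%u` also accepts a leading minus sign (`-1:10` becomes 4294967295) and ignores trailing characters (`100:10x` parses as 100:10). I would reject a zero count, any `-` in the argument, trailing junk, and a range that runs past the firewall rule-number space (ipfw rule numbers appear to be 16-bit and 65535 the default rule; confirm the limit against ip_fw.h rather than trusting the constant I sketch below). Whether the range collides with rules already loaded is libalias' business, but natd.8 should at least warn that the range must not contain any rule the administrator wants to keep.
```c
static void
SetupPunchFW(const char *strValue)
{
	unsigned int base, num;
	char junk;

	/* Require exactly "base:count" in digits: "%u" alone would take "-1" and "10:5x". */
	if (sscanf(strValue, "%u:%u%c", &base, &num, &junk) != 2 ||
	    strchr(strValue, '-') != NULL)
		errx(1, "punch_fw: basenumber:count parameter required");
	/* Assumes ipfw rule numbers are 16-bit with 65535 reserved for the default rule -- confirm against ip_fw.h. */
	if (num == 0 || base > 65535 || num > 65535 - base)
		errx(1, "punch_fw: range %u:%u exceeds firewall rule numbers", base, num);

	PacketAliasSetFWBase(base, num);
	(void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
}
```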