author kris <kris@FreeBSD.org> 2000-07-05 21:54:07 +0000
committer kris <kris@FreeBSD.org> 2000-07-05 21:54:07 +0000
commit 13d90d944f154efa9feb5a06266329c85d01f979 (patch)
tree 7fc107473d0c5c157c2ac2603e6628db258d9159 /usr.sbin/faithd/faithd.8
parent 8a5ba0ae5fe6fbf7d2335ae09e1f86c01e466bbf (diff)
Sync with latest KAME.
Obtained from: KAME
Diffstat (limited to 'usr.sbin/faithd/faithd.8')
-rw-r--r-- usr.sbin/faithd/faithd.8 223
1 files changed, 158 insertions, 65 deletions
diff --git a/usr.sbin/faithd/faithd.8 b/usr.sbin/faithd/faithd.8
index 62c721a..6e42f27 100644
--- a/usr.sbin/faithd/faithd.8
+++ b/usr.sbin/faithd/faithd.8
@@ -1,6 +1,8 @@
+.\" $KAME: faithd.8,v 1.12 2000/07/04 13:15:01 itojun Exp $
+.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -12,7 +14,7 @@
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +27,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: faithd.8,v 1.3 1999/10/07 04:22:14 itojun Exp $
.\" $FreeBSD$
.\"
-.Dd January 27, 2000
+.Dd May 17, 1998
.Dt FAITHD 8
.Os
.Sh NAME
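Review bot: The `.Dd` line moves the document date backwards, from January 27, 2000 to May 17, 1998, in a commit that adds new subsections and a longer SECURITY NOTICE to the page. Keep the later date or set `.Dd` to the date of this sync, so the rendered page does not claim to be older than the text it carries. The same hunk drops the old `$Id$` line, which is fine now that the `$KAME$` tag at the top of the file records the upstream revision.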
@@ -38,35 +39,18 @@
.Nm
.Op Fl dp
.Op Ar service Op Ar serverpath Op Ar serverargs
+.Nm ""
.Sh DESCRIPTION
.Nm
-provides IPv6/v4 TCP relay for the specified
-.Ar service .
-.Pp
+provides IPv6-to-IPv4 TCP relay.
.Nm
-must be invoked on IPv4/v6
-dual stack router.
-The router must be configured to capture all the TCP traffic
-toward reserved
-.Tn IPv6
-address prefix, by using
-.Xr route 8
-and
-.Xr sysctl 8
-commands.
-.Nm
-will daemonize itself on invocation.
+must be used on an IPv4/v6 dual stack router.
.Pp
+When
.Nm
-will listen to
+receives
.Tn TCPv6
-port
-.Ar service .
-If
-.Tn TCPv6
-traffic to port
-.Ar service
-is found,
+traffic,
.Nm
will relay the
.Tn TCPv6
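Review bot: The added `.Nm ""` line at the end of SYNOPSIS has an empty argument and nothing after it, and nothing in the hunk explains what it is for. If it is a formatting workaround, say so in a `.\"` comment next to it; otherwise drop it. Separately, the rewritten DESCRIPTION opening no longer mentions `service` at all, so the `.Op Ar service` in SYNOPSIS is first explained only further down; a one-line pointer to the Daemon mode text would help readers who stop at the first paragraph.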
@@ -88,20 +72,47 @@ destination address is
the traffic will be relayed to IPv4 destination
.Li 10.1.1.1 .
.Pp
-If
-.Ar service
-is not given,
-.Li telnet
-is assumed, and
+To use
.Nm
-will relay TCP traffic on TCP port
-.Li telnet .
-With
-.Ar service ,
+translation service,
+an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
+Kernel must be properly configured to route all the TCP connection
+toward the reserved IPv6 address prefix into the
+.Xr faith 4
+pseudo interface, by using
+.Xr route 8
+command.
+Also,
+.Xr sysctl 8
+should be used to configure
+.Dv net.inet6.ip6.keepfaith
+to
+.Dv 1 .
+.Pp
+The router must be configured to capture all the TCP traffic
+toward reserved
+.Tn IPv6
+address prefix, by using
+.Xr route 8
+and
+.Xr sysctl 8
+commands.
+.Ss Daemon mode
+When
.Nm
-will work as TCP relaying daemon for specified
+is invoked as a standalone program,
+.Nm
+will daemonize itself.
+.Nm
+will listen to
+.Tn TCPv6
+port
+.Ar service .
+If
+.Tn TCPv6
+traffic to port
.Ar service
-as described above.
+is found, it relays the connection.
.Pp
Since
.Nm
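Review bot: The added paragraph starting "The router must be configured to capture all the TCP traffic" repeats the paragraph added immediately before it ("To use ... translation service"), which already names `route 8` and `sysctl 8` and is the more specific of the two (it names `faith 4` and `net.inet6.ip6.keepfaith`). Drop the second paragraph. In the one that stays, "Kernel must be properly configured to route all the TCP connection" should read "The kernel must be properly configured to route all TCP connections".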
@@ -126,22 +137,20 @@ You can also specify
.Ar serverargs
for the arguments for the local daemon.
.Pp
-To use
+If
+.Ar service
+is not given,
+.Li telnet
+is assumed, and
.Nm
-translation service,
-an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
-Kernel must be properly configured to route all the TCP connection
-toward the reserved IPv6 address prefix into the
-.Dv faith
-pseudo interface, by using
-.Xr route 8
-command.
-Also,
-.Xr sysctl 8
-should be used to configure
-.Dv net.inet6.ip6.keepfaith
-to
-.Dv 1 .
+will relay TCP traffic on TCP port
+.Li telnet .
+With
+.Ar service ,
+.Nm
+will work as TCP relaying daemon for specified
+.Ar service
+as described above.
.Pp
If
.Fl d
@@ -160,7 +169,7 @@ and
.Fl p
is not necessary as special program code is supplied.
.Pp
-.Nm
+.Nm
will relay both normal and out-of-band TCP data.
It is capable of emulating TCP half close as well.
.Nm
@@ -187,12 +196,50 @@ Inactive sessions will be disconnected in 30 minutes,
to avoid stale sessions from chewing up resources.
This may be inappropriate for some of the services
.Pq should this be configurable? .
+.Ss inetd mode
+When
+.Nm
+is invoked via
+.Xr inetd 8 ,
+.Nm
+will handle connection passed from standard input.
+If it the connection endpoint is in the reserved IPv6 address prefix.
+.Nm
+will relay the connection.
+Otherwise,
+.Nm
+will invoke service-specific daemon like
+.Xr telnetd 8 ,
+by using the command argument passed from
+.Xr inetd 8 .
+.Pp
+.Nm
+determines operation mode by the local TCP port number,
+and enables special protocol handling whenever necessary/possible.
+For example, if
+.Nm
+is invoked via
+.Xr inetd 8
+on FTP port, it will operate as a FTP relay.
+.Pp
+The operation mode requires special support for
+.Nm
+in
+.Xr inetd 8 .
.Sh EXAMPLES
Before invoking
.Nm Ns ,
.Xr faith 4
interface has to be configured properly.
-.Pp
+.Bd -literal -offset
+# sysctl -w net.inet6.ip6.accept_rtadv=0
+# sysctl -w net.inet6.ip6.forwarding=1
+# sysctl -w net.inet6.ip6.keepfaith=1
+# ifconfig faith0 up
+# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
+# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
+.Ed
+.Ss Daemon mode samples
To translate
.Li telnet
service, and provide no local telnet service, invoke
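Review bot: In the new inetd mode subsection, "If it the connection endpoint is in the reserved IPv6 address prefix." has a stray "it" and ends in a period before its consequence (`.Nm` "will relay the connection."), so the rendered text reads as two fragments. Suggest "If the connection endpoint is in the reserved IPv6 address prefix," followed by the `.Nm` line. The closing paragraph "The operation mode requires special support for ... in inetd 8" should also say which mode it means (inetd mode). In the new EXAMPLES block, the prefix `3ffe:501:4819:ffff::` is a concrete address with no note that it is a sample value; say that it must be replaced with the locally reserved prefix, since the SECURITY NOTICE relies on this route to limit which destinations are relayed.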
@@ -200,29 +247,60 @@ service, and provide no local telnet service, invoke
as either of the following:
.Bd -literal -offset
# faithd
-# faithd telnet
+# faithd telnet
.Ed
.Pp
If you would like to provide local telnet service via
.Xr telnetd 8
on
-.Pa /usr/libexec/telnetd ,
-user the following command line:
+.Pa /usr/local/v6/libexec/telnetd ,
+use the following command line:
.Bd -literal -offset
-# faithd telnet /usr/libexec/telnetd telnetd
+# faithd telnet /usr/local/v6/libexec/telnetd telnetd
.Ed
.Pp
If you would like to pass extra arguments to the local daemon:
.Bd -literal -offset
-# faithd ftpd /usr/libexec/ftpd ftpd -l
+# faithd ftpd /usr/local/v6/libexec/ftpd ftpd -l
.Ed
.Pp
-Here are some other examples:
+Here are some other examples.
+You may need
+.Fl p
+to translate rsh/rlogin services.
.Bd -literal -offset
-# faithd login /usr/libexec/rlogin rlogind
-# faithd shell /usr/libexec/rshd rshd
# faithd sshd
+# faithd login /usr/local/v6/libexec/rlogin rlogind
+# faithd shell /usr/local/v6/libexec/rshd rshd
.Ed
+.Pp
+However, you should be careful when translating rlogin or rsh
+connections. See
+.Sx SECURITY NOTICE
+for more details.
+.Ss inetd mode samples
+Add the following lines into
+.Xr inetd.conf 5 .
+Syntax may vary depending upon your operating system.
+.Bd -literal -offset
+telnet stream faith/tcp6 nowait root faithd telnetd
+ftp stream faith/tcp6 nowait root faithd ftpd -l
+ssh stream faith/tcp6 nowait root faithd /usr/pkg/bin/sshd -i
+.Ed
+.Pp
+.Xr inetd 8
+will open listening sockets with enabling kernel TCP relay support.
+Whenever connection comes in,
+.Nm
+will be invoked by
+.Xr inetd 8 .
+If it the connection endpoint is in the reserved IPv6 address prefix.
+.Nm
+will relay the connection.
+Otherwise,
+.Nm
+will invoke service-specific daemon like
+.Xr telnetd 8 .
.Sh RETURN VALUES
.Nm
exits with
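Review bot: The sample command lines change the local daemon paths from `/usr/libexec/...` to `/usr/local/v6/libexec/...`, and the new inetd sample uses `/usr/pkg/bin/sshd`, so the EXAMPLES section now shows two install prefixes that differ from the `/usr/libexec` paths the removed lines used. Keep the `/usr/libexec` paths from the old text, or state that the paths are placeholders to adjust. The last added paragraph also repeats the broken sentence "If it the connection endpoint is in the reserved IPv6 address prefix." and needs the same fix as in the inetd mode subsection. Finally, the hint "You may need -p to translate rsh/rlogin services" comes before the caution about rlogin and rsh; putting the pointer to SECURITY NOTICE first would make the warning harder to miss.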
@@ -240,8 +318,8 @@ on error.
.%A Jun-ichiro itojun Hagino
.%A Kazu Yamamoto
.%T "An IPv6-to-IPv4 transport relay translator"
-.%R Internet draft
-.%N draft-ietf-ngtrans-tcpudp-relay-00.txt
+.%R internet draft
+.%N draft-ietf-ngtrans-tcpudp-relay-01.txt
.%O work in progress material
.Re
.Sh SECURITY NOTICE
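Review bot: The `.%R` line changes "Internet draft" to lowercase "internet draft" in the same edit that bumps the draft from -00 to -01. The lowercase form looks unintentional; keep "Internet draft" and take only the `.%N` update.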
@@ -250,6 +328,21 @@ It is very insecure to use
and other IP-address based authentication, for connections relayed by
.Nm
.Pq and any other TCP relaying services .
+.Pp
+.Nm
+itself does not implement access controls, as
+it intends to implement transparent TCP relay services.
+Administrators are advised to filter packets based on IPv6 address.
+IPv6 destination address can be limited by
+carefully configuring routing entries that points to
+.Xr faith 4 ,
+using
+.Xr route 8 .
+IPv6 source address needs to be filtered by using packet filters.
+Documents listed in
+.Sx SEE ALSO
+have more discussions on this topic.
+.\"
.Sh HISTORY
The
.Nm
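Review bot: The new SECURITY NOTICE paragraph says the IPv6 source address "needs to be filtered by using packet filters" but does not say what an unfiltered setup allows. Since the same paragraph states that the daemon implements no access controls itself, spell out the consequence: without a source filter, any IPv6 host that can reach the reserved prefix can have its TCP connections relayed to IPv4 destinations through this router. Naming the kind of rule expected (permit only the site's own IPv6 source prefixes toward the reserved prefix) would make the advice actionable. Also, "routing entries that points to" should be "routing entries that point to", and the trailing empty `.\"` comment line before `.Sh HISTORY` can be dropped.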