path: root/usr.sbin/faithd/faithd.8
author: ume <ume@FreeBSD.org> 2003-11-14 17:34:08 +0000
committer: ume <ume@FreeBSD.org> 2003-11-14 17:34:08 +0000
commit: 1cc5ee037b36b56016d408fee3bd873ba27cfa3d (patch)
tree: fb19cd0cd36a6f4dd9086dce6e3848ffb6d89f51 /usr.sbin/faithd/faithd.8
parent: b0479caf614810b424cbb8e80b47db2da6b2ca71 (diff)
- poll(2) support.
- simplify by strdup.
- set ai_protocol in hints to TCP.
- g/c FAITH_NS (no description, not maintained for years)
- warn if connection from IPv4 mapped is reached.
- IPV6_V6ONLY if possible.
- unifdef -UFAITH4.
- drop rsh/rlogin support.
- deal with negative return value from wait3.

Obtained from: KAME
Diffstat (limited to 'usr.sbin/faithd/faithd.8')
-rw-r--r-- usr.sbin/faithd/faithd.8 | 96
1 files changed, 41 insertions, 55 deletions
diff --git a/usr.sbin/faithd/faithd.8 b/usr.sbin/faithd/faithd.8
index 177396b..66de665 100644
--- a/usr.sbin/faithd/faithd.8
+++ b/usr.sbin/faithd/faithd.8
@@ -1,4 +1,4 @@
-.\" $KAME: faithd.8,v 1.33 2001/09/05 03:04:20 itojun Exp $
+.\" $KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
@@ -41,10 +41,12 @@
.Op Fl f Ar configfile
.Ar service
.Op Ar serverpath Op Ar serverargs
+.Nm ""
.Sh DESCRIPTION
The
.Nm
-utility provides IPv6-to-IPv4 TCP relay. It
+utility provides IPv6-to-IPv4 TCP relay.
+.Nm
must be used on an IPv4/v6 dual stack router.
.Pp
When
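Review bot: the `.Nm ""` added to the SYNOPSIS is not mentioned in the commit message, and an empty-string argument to .Nm is easy to misread as a typo. If it is meant as the second, argument-less synopsis form for inetd mode (the "inetd mode" subsection below describes that invocation), say so in the commit message or add a `.\"` comment next to it, so a later cleanup does not remove it.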
@@ -65,7 +67,7 @@ destination.
For example, if
.Li 3ffe:0501:4819:ffff::
is reserved for
-.Nm ,
+.Nm Ns ,
and the
.Tn TCPv6
destination address is
@@ -116,7 +118,6 @@ at
.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
Make sure you do not propagate translated DNS records to normal DNS cloud,
it is highly harmful.
-.Pp
.Ss Daemon mode
When
.Nm
@@ -147,7 +148,7 @@ or other standard mechanisms.
By specifying
.Ar serverpath
to
-.Nm ,
+.Nm Ns ,
you can run local daemons on the router.
The
.Nm
@@ -172,8 +173,6 @@ Use privileged TCP port number as source port,
for IPv4 TCP connection toward final destination.
For relaying
.Xr ftp 1
-and
-.Xr rlogin 1 ,
this flag is not necessary as special program code is supplied.
.El
.Pp
@@ -184,9 +183,7 @@ It is capable of emulating TCP half close as well.
The
.Nm
utility includes special support for protocols used by
-.Xr ftp 1
-and
-.Xr rlogin 1 .
+.Xr ftp 1 .
When translating FTP protocol,
.Nm
translates network level addresses in
@@ -194,18 +191,11 @@ translates network level addresses in
and
.Li PASV/LPSV/EPSV
commands.
-For RLOGIN protocol,
-.Nm
-will relay back connection from
-.Xr rlogind 8
-on the server to
-.Xr rlogin 1
-on client.
.Pp
Inactive sessions will be disconnected in 30 minutes,
to avoid stale sessions from chewing up resources.
This may be inappropriate for some of the services
-(should this be configurable?).
+.Pq should this be configurable? .
.Ss inetd mode
When
.Nm
@@ -243,10 +233,12 @@ To prevent malicious accesses,
implements a simple address-based access control.
With
.Pa /etc/faithd.conf
-(or
+.Po
+or
.Ar configfile
specified by
-.Fl f ) ,
+.Fl f
+.Pc ,
.Nm
will avoid relaying unwanted traffic.
The
@@ -254,35 +246,48 @@ The
contains directives with the following format:
.Bl -bullet
.It
-.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen
+.Xo
+.Ic Ar src/slen Li deny Ar dst/dlen
+.Xc
.Pp
If the source address of a query matches
-.Ar src Ns / Ns Ar slen ,
+.Ar src/slen ,
and the translated destination address matches
-.Ar dst Ns / Ns Ar dlen ,
+.Ar dst/dlen ,
deny the connection.
.It
-.Ar src Ns / Ns Ar slen Cm permit Ar dst Ns / Ns Ar dlen
+.Xo
+.Ic Ar src/slen Li permit Ar dst/dlen
+.Xc
.Pp
If the source address of a query matches
-.Ar src Ns / Ns Ar slen ,
+.Ar src/slen ,
and the translated destination address matches
-.Ar dst Ns / Ns Ar dlen ,
+.Ar dst/dlen ,
permit the connection.
.El
.Pp
The directives are evaluated in sequence,
and the first matching entry will be effective.
If there is no match
-(if we reach the end of the ruleset)
+.Pq if we reach the end of the ruleset
the traffic will be denied.
.Pp
With inetd mode,
traffic may be filtered by using access control functionality in
.Xr inetd 8 .
+.Sh RETURN VALUES
+.Nm
+exits with
+.Dv EXIT_SUCCESS
+.Pq 0
+on success, and
+.Dv EXIT_FAILURE
+.Pq 1
+on error.
.Sh EXAMPLES
Before invoking
-.Nm ,
+.Nm Ns ,
.Xr faith 4
interface has to be configured properly.
.Bd -literal -offset
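Review bot: the new directive lines `.Ic Ar src/slen Li deny Ar dst/dlen` wrap the argument in .Ic, which contributes nothing once its first token is the .Ar macro call, and collapsing `src Ns / Ns Ar slen` into the single argument `src/slen` loses the cue that src and slen are two separate placeholders (address and prefix length) that the `3ffe:501:ffff::/48 deny 127.0.0.0/8` examples later fill in; the previous `.Ar src Ns / Ns Ar slen Cm deny Ar dst Ns / Ns Ar dlen` form was more precise. Separately, the RETURN VALUES section moved into this hunk (its old copy is deleted in the hunk after the EXAMPLES ruleset) now opens with a bare `.Nm exits with`, while the rest of the page uses "The .Nm utility"; keep that wording when moving the text. The default-deny rule ("If there is no match ... the traffic will be denied") is unchanged, which is the right outcome for an access-control list.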
@@ -320,26 +325,19 @@ If you would like to pass extra arguments to the local daemon:
Here are some other examples.
You may need
.Fl p
-to translate rsh/rlogin services.
+if the service checks the source port range.
.Bd -literal -offset
# faithd ssh
-# faithd login /usr/libexec/rlogin rlogind
-# faithd shell /usr/libexec/rshd rshd
+# faithd telnet /usr/libexec/telnetd telnetd
.Ed
-.Pp
-However, you should be careful when translating rlogin or rsh
-connections.
-See
-.Sx SECURITY CONSIDERATIONS
-for more details.
.Ss inetd mode samples
Add the following lines into
.Xr inetd.conf 5 .
Syntax may vary depending upon your operating system.
.Bd -literal -offset
-telnet stream tcp6/faith nowait root /usr/sbin/faithd telnetd
-ftp stream tcp6/faith nowait root /usr/sbin/faithd ftpd -l
-ssh stream tcp6/faith nowait root /usr/sbin/faithd /usr/sbin/sshd -i
+telnet stream tcp6/faith nowait root faithd telnetd
+ftp stream tcp6/faith nowait root faithd ftpd -l
+ssh stream tcp6/faith nowait root faithd /usr/sbin/sshd -i
.Ed
.Pp
.Xr inetd 8
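Review bot: the inetd.conf sample drops the absolute path and now gives `faithd` as the server-program field (`telnet stream tcp6/faith nowait root faithd telnetd`). inetd(8) executes that field as a pathname rather than searching PATH, so keep `/usr/sbin/faithd` as in the removed lines, or the entries will fail to start the relay. The new -p wording, "if the service checks the source port range", is a clearer replacement for the rsh/rlogin-specific sentence now that that support is gone, and the `faithd telnet /usr/libexec/telnetd telnetd` example is consistent with the removed rlogin/rsh ones.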
@@ -370,16 +368,6 @@ setting.
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
.Ed
-.Sh RETURN VALUES
-The
-.Nm
-utility exits with
-.Dv EXIT_SUCCESS
-.Pq 0
-on success, and
-.Dv EXIT_FAILURE
-.Pq 1
-on error.
.Sh SEE ALSO
.Xr faith 4 ,
.Xr route 8 ,
@@ -403,11 +391,9 @@ IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0
.Sh SECURITY CONSIDERATIONS
-It is very insecure to use
-.Xr rhosts 5
-and other IP-address based authentication, for connections relayed by
-.Nm
-(and any other TCP relaying services).
+It is very insecure to use IP-address based authentication, for connections relayed by
+.Nm Ns ,
+and any other TCP relaying services.
.Pp
Administrators are advised to limit accesses to
.Nm
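Review bot: the rewritten first sentence has a stray comma and a dangling coordination: "It is very insecure to use IP-address based authentication, for connections relayed by faithd, and any other TCP relaying services." Suggest `It is very insecure to use IP-address based authentication for connections relayed by` / `.Nm` / `or any other TCP relaying service.` Dropping the `.Xr rhosts 5` reference matches the removal of rsh/rlogin support, but the warning still applies to any address-based check on the IPv4 side, since the server sees the connection the relay originates, not the original client.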