-rw-r--r--sbin/natd/natd.820
-rw-r--r--sbin/natd/natd.c29
2 files changed, 47 insertions, 2 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index a0d56e5..60cf31c 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -29,6 +29,7 @@
.Op Fl config | f Ar configfile
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
@@ -412,6 +413,25 @@ Use
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 2f45af5..a4845d8 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -98,6 +98,7 @@ static int StrToProto (const char* str);
static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
static void ParseArgs (int argc, char** argv);
static void FlushPacketBuffer (int fd);
+static void SetupPunchFW(const char *strValue);
/*
* Globals.
@@ -868,7 +869,8 @@ enum Option {
DynamicMode,
ProxyRule,
LogDenied,
- LogFacility
+ LogFacility,
+ PunchFW
};
enum Param {
@@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = {
"facility",
"name of syslog facility to use for logging",
"log_facility",
- NULL }
+ NULL },
+ { PunchFW,
+ 0,
+ String,
+ "basenumber:count",
+ "punch holes in the firewall for incoming FTP/IRC DCC connections",
+ "punch_fw",
+ NULL }
};
static void ParseOption (const char* option, const char* parms)
@@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms)
errx(1, "Unknown log facility name: %s", strValue);
break;
+
+ case PunchFW:
+ SetupPunchFW(strValue);
+ break;
}
}
@@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p
StrToAddr (str, addr);
return StrToPortRange (ptr, proto, portRange);
}
+
+static void
+SetupPunchFW(const char *strValue)
+{
+ unsigned int base, num;
+
+ if (sscanf(strValue, "%u:%u", &base, &num) != 2)
+ errx(1, "punch_fw: basenumber:count parameter required");
+
+ PacketAliasSetFWBase(base, num);
+ (void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+}