-rw-r--r-- | usr.sbin/ppp/command.c | 4 | ||||
-rw-r--r-- | usr.sbin/ppp/nat_cmd.c | 30 | ||||
-rw-r--r-- | usr.sbin/ppp/nat_cmd.h | 3 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8 | 19 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8.m4 | 19 |
5 files changed, 75 insertions, 0 deletions
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 30a388b..84c8f0d 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -636,6 +636,10 @@ static struct cmdtab const NatCommands[] =
 "nat proto proto localIP [publicIP [remoteIP]]"},
 {"proxy", NULL, nat_ProxyRule, LOCAL_AUTH,
 "proxy control", "nat proxy server host[:port] ..."},
+#ifndef NO_FW_PUNCH
+ {"punch_fw", NULL, nat_PunchFW, LOCAL_AUTH,
+ "firewall control", "nat punch_fw [base count]"},
+#endif
 {"same_ports", NULL, NatOption, LOCAL_AUTH,
 "try to leave port numbers unchanged", "nat same_ports yes|no",
 (const void *) PKT_ALIAS_SAME_PORTS},
diff --git a/usr.sbin/ppp/nat_cmd.c b/usr.sbin/ppp/nat_cmd.c
index 05ede84..e61a002 100644
--- a/usr.sbin/ppp/nat_cmd.c
+++ b/usr.sbin/ppp/nat_cmd.c
@@ -435,6 +435,36 @@ nat_SetTarget(struct cmdargs const *arg)
 return 0;
 }
 
+#ifndef NO_FW_PUNCH
+int
+nat_PunchFW(struct cmdargs const *arg)
+{
+ char *end;
+ long base, count;
+
+ if (arg->argc == arg->argn) {
+ PacketAliasSetMode(0, PKT_ALIAS_PUNCH_FW);
+ return 0;
+ }
+
+ if (arg->argc != arg->argn + 2)
+ return -1;
+
+ base = strtol(arg->argv[arg->argn], &end, 10);
+ if (*end != '\0' || base < 0)
+ return -1;
+
+ count = strtol(arg->argv[arg->argn + 1], &end, 10);
+ if (*end != '\0' || count < 0)
+ return -1;
+
+ PacketAliasSetFWBase(base, count);
+ PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+
+ return 0;
+}
+#endif
+
 static struct mbuf *
 nat_LayerPush(struct bundle *bundle, struct link *l, struct mbuf *bp,
 int pri, u_short *proto)
diff --git a/usr.sbin/ppp/nat_cmd.h b/usr.sbin/ppp/nat_cmd.h
index 47f38ee..05264bb 100644
--- a/usr.sbin/ppp/nat_cmd.h
+++ b/usr.sbin/ppp/nat_cmd.h
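Review bot: The two strtol() calls in nat_PunchFW let through values that the check `*end != '\0' || base < 0` does not catch: an out-of-range number saturates to LONG_MAX with errno set to ERANGE and is accepted, an empty argument leaves end == argv and is accepted as 0, and nothing bounds base or base + count before they are handed to PacketAliasSetFWBase(), whose parameter types are not visible here but which presumably feeds 16-bit ipfw rule numbers, so an oversized value would be truncated or wrap. Because the documented effect of this command is to clear and then reuse the rule range, an unexpected wrap could clobber rules the administrator configured elsewhere, so the range should be validated in this function rather than trusted downstream; I would also reject count == 0, which enables punching with no rules to punch, unless that is intended. The rewrite below keeps the existing disable and argument-count paths and only hardens the parsing; it needs `<errno.h>` in scope, and 65535 should be replaced by whatever limit the alias library exposes if it has one.

```c
  /* … unchanged: no-argument (disable) path and argument-count check … */

  errno = 0;
  base = strtol(arg->argv[arg->argn], &end, 10);
  if (end == arg->argv[arg->argn] || *end != '\0' || errno == ERANGE ||
      base < 0 || base > 65535)
    return -1;

  errno = 0;
  count = strtol(arg->argv[arg->argn + 1], &end, 10);
  if (end == arg->argv[arg->argn + 1] || *end != '\0' || errno == ERANGE ||
      count < 1 || count > 65535 - base)
    return -1;

  /* … unchanged: PacketAliasSetFWBase / PacketAliasSetMode and return … */
```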
@@ -34,5 +34,8 @@ extern int nat_RedirectAddr(struct cmdargs const *);
 extern int nat_RedirectProto(struct cmdargs const *);
 extern int nat_ProxyRule(struct cmdargs const *);
 extern int nat_SetTarget(struct cmdargs const *);
+#ifndef NO_FW_PUNCH
+extern int nat_PunchFW(struct cmdargs const *);
+#endif
 
 extern struct layer natlayer;
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8
index 2dbc12e..f6d168e 100644
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@@ -3399,6 +3399,25 @@ Refer to the description of
 in
 .Xr libalias 3
 for details of the available commands.
+.It nat punch_fw Op Ar base count
+This command tells
+.Nm
+to punch holes in the firewall for FTP or IRC DCC connections.
+This is done dynamically by installing termporary firewall rules which
+allow a particular connection (and only that connection) to go through
+the firewall.
+The rules are removed once the corresponding connection terminates.
+.Pp
+A maximum of
+.Ar count
+rules starting from rule number
+.Ar base
+will be used for punching firewall holes.
+The range will be cleared when the
+.Dq nat punch_fw
+command is run.
+.Pp
+If no arguments are given, firewall punching is disabled.
 .It nat same_ports yes|no
 When enabled, this command will tell the network address translation engine
 to attempt to avoid changing the port number on outgoing packets.
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 2dbc12e..f6d168e 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -3399,6 +3399,25 @@ Refer to the description of
 in
 .Xr libalias 3
 for details of the available commands.
+.It nat punch_fw Op Ar base count
+This command tells
+.Nm
+to punch holes in the firewall for FTP or IRC DCC connections.
+This is done dynamically by installing termporary firewall rules which
+allow a particular connection (and only that connection) to go through
+the firewall.
+The rules are removed once the corresponding connection terminates.
+.Pp
+A maximum of
+.Ar count
+rules starting from rule number
+.Ar base
+will be used for punching firewall holes.
+The range will be cleared when the
+.Dq nat punch_fw
+command is run.
+.Pp
+If no arguments are given, firewall punching is disabled.
 .It nat same_ports yes|no
 When enabled, this command will tell the network address translation engine
 to attempt to avoid changing the port number on outgoing packets.