From 9d4f19ab2216d8e5d618452394909a2b1a56cf14 Mon Sep 17 00:00:00 2001 From: brian Date: Sat, 6 Sep 1997 11:14:03 +0000 Subject: Ingored incoming packets are now dropped when deny_incoming option is set to yes. Submitted by: Ari Suutari --- sbin/natd/HISTORY | 6 ++++++ sbin/natd/natd.c | 16 ++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) (limited to 'sbin/natd') diff --git a/sbin/natd/HISTORY b/sbin/natd/HISTORY index 404be4b..7d3175b 100644 --- a/sbin/natd/HISTORY +++ b/sbin/natd/HISTORY @@ -111,3 +111,9 @@ fixed. Natd now waits with select(2) for buffer space to become available if write fails. - Packet aliasing library upgraded to 2.2. + +* Version 1.10 + + - Ignored incoming packets are now dropped when + deny_incoming option is set to yes. + - Packet aliasing library upgraded to 2.4. diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c index 13cf6ab..ac99ac1 100644 --- a/sbin/natd/natd.c +++ b/sbin/natd/natd.c @@ -94,6 +94,7 @@ static char packetBuf[IP_MAXPACKET]; static int packetLen; static struct sockaddr_in packetAddr; static int packetSock; +static int dropIgnoredIncoming; int main (int argc, char** argv) { @@ -162,6 +163,11 @@ int main (int argc, char** argv) ParseOption ("port", DEFAULT_SERVICE, 0); /* + * Check if ignored packets should be dropped. + */ + dropIgnoredIncoming = PacketAliasSetMode (0, 0); + dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING; +/* * Create divert sockets. Use only one socket if -p was specified * on command line. Otherwise, create separate sockets for * outgoing and incoming connnections. @@ -254,7 +260,6 @@ int main (int argc, char** argv) */ if (aliasAddr.s_addr != INADDR_NONE) PacketAliasSetAddress (aliasAddr); - /* * We need largest descriptor number for select. */ @@ -411,6 +416,7 @@ static void DoAliasing (int fd) { int bytes; int origBytes; + int status; int addrSize; struct ip* ip; 
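Review bot: In the natd.c hunk at `@@ -162,6 +163,11 @@`, `dropIgnoredIncoming` is a one-time snapshot of the alias mode, so the drop decision in DoAliasing follows whatever the mode was at this point in main rather than the library's current mode. If any option handling or later code can set or clear deny_incoming after this line (not visible here), ignored packets would be passed on with no error. The comment should say that the call with a zero mask only reads the mode and that it must stay after all option parsing, e.g. `/* Mask 0 changes nothing: read the final mode once, after all options are parsed. */`, and the two statements read more clearly as `dropIgnoredIncoming = (PacketAliasSetMode (0, 0) & PKT_ALIAS_DENY_INCOMING) != 0;`. main's body continues outside the hunk.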
@@ -486,7 +492,13 @@ static void DoAliasing (int fd)
 /*
 * Do aliasing.
 */
- PacketAliasIn (packetBuf, IP_MAXPACKET);
+ status = PacketAliasIn (packetBuf, IP_MAXPACKET);
+ if (status == PKT_ALIAS_IGNORED &&
+ dropIgnoredIncoming) {
+
+ printf (" dropped.\n");
+ return;
+ }
 }
 /*
 * Length might have changed during aliasing.
-- cgit v1.1
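Review bot: The `printf (" dropped.\n");` in the new drop branch of DoAliasing runs for every packet discarded under deny_incoming, with no visible condition on it. The leading space suggests it completes a trace line printed earlier in the function, outside this hunk; if that trace is only produced in a debug or verbose mode, this call should sit under the same condition, otherwise unsolicited inbound traffic produces one stdout write per packet and orphaned " dropped." lines. A drop made for policy reasons is also worth an audit trail: a rate-limited `syslog (LOG_WARNING, ...)` entry with the source address would let an operator see what deny_incoming is rejecting. Only `PKT_ALIAS_IGNORED` is treated as droppable, so a packet for which PacketAliasIn returns `PKT_ALIAS_ERROR` still falls through to the write path; confirm that is intended when deny_incoming is set. DoAliasing starts and ends outside the hunk.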