import tftp-proxy 1.6, a tftp helper for pf

ok jolan@, msf@, millert@
man page help from jmc@

5 files changed, 962 insertions, 0 deletions

diff --git a/libexec/tftp-proxy/Makefile b/libexec/tftp-proxy/Makefile
new file mode 100644
index 00000000000..b5f4eefc089
--- /dev/null
+++ b/libexec/tftp-proxy/Makefile
@@ -0,0 +1,7 @@
+#	$OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $
+
+PROG=	tftp-proxy
+SRCS=	tftp-proxy.c filter.c
+MAN=	tftp-proxy.8
+
+.include <bsd.prog.mk>
diff --git a/libexec/tftp-proxy/filter.c b/libexec/tftp-proxy/filter.c
new file mode 100644
index 00000000000..cd6ce3cd1e7
--- /dev/null
+++ b/libexec/tftp-proxy/filter.c
@@ -0,0 +1,397 @@
+/*	$OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
+
+/*
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <syslog.h>
+
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#include <net/pfvar.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "filter.h"
+
+/* From netinet/in.h, but only _KERNEL_ gets them. */
+#define satosin(sa)	((struct sockaddr_in *)(sa))
+#define satosin6(sa)	((struct sockaddr_in6 *)(sa))
+
+enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
+
+int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
+    u_int16_t, u_int8_t);
+int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
+    struct sockaddr_in *, u_int8_t);
+int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
+    struct sockaddr_in6 *, u_int8_t);
+
+static struct pfioc_pooladdr	pfp;
+static struct pfioc_rule	pfr;
+static struct pfioc_trans	pft;
+static struct pfioc_trans_e	pfte[TRANS_SIZE];
+static int dev, rule_log;
+static char *qname;
+
+int
+add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
+    struct sockaddr *dst, u_int16_t d_port, u_int8_t proto)
+{
+	if (!src || !dst || !d_port || !proto) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1)
+		return (-1);
+
+	pfr.rule.direction = dir;
+	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
+		return (-1);
+
+	return (0);
+}
+
+int
+add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
+    u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low,
+    u_int16_t nat_range_high, u_int8_t proto)
+{
+	if (!src || !dst || !d_port || !nat || !nat_range_low || !proto ||
+	    (src->sa_family != nat->sa_family)) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port, proto) == -1)
+		return (-1);
+
+	if (nat->sa_family == AF_INET) {
+		memcpy(&pfp.addr.addr.v.a.addr.v4,
+		    &satosin(nat)->sin_addr.s_addr, 4);
+		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
+	} else {
+		memcpy(&pfp.addr.addr.v.a.addr.v6,
+		    &satosin6(nat)->sin6_addr.s6_addr, 16);
+		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
+	}
+	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
+		return (-1);
+
+	pfr.rule.rpool.proxy_port[0] = nat_range_low;
+	pfr.rule.rpool.proxy_port[1] = nat_range_high;
+	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
+		return (-1);
+
+	return (0);
+}
+
+int
+add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
+    u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port, u_int8_t proto)
+{
+	if (!src || !dst || !d_port || !rdr || !rdr_port || !proto ||
+	    (src->sa_family != rdr->sa_family)) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port, proto) == -1)
+		return (-1);
+
+	if (rdr->sa_family == AF_INET) {
+		memcpy(&pfp.addr.addr.v.a.addr.v4,
+		    &satosin(rdr)->sin_addr.s_addr, 4);
+		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
+	} else {
+		memcpy(&pfp.addr.addr.v.a.addr.v6,
+		    &satosin6(rdr)->sin6_addr.s6_addr, 16);
+		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
+	}
+	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
+		return (-1);
+
+	pfr.rule.rpool.proxy_port[0] = rdr_port;
+	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
+		return (-1);
+
+	return (0);
+}
+
+int
+do_commit(void)
+{
+	if (ioctl(dev, DIOCXCOMMIT, &pft) == -1)
+		return (-1);
+
+	return (0);
+}
+
+int
+do_rollback(void)
+{
+	if (ioctl(dev, DIOCXROLLBACK, &pft) == -1)
+		return (-1);
+	
+	return (0);
+}
+
+void
+init_filter(char *opt_qname, int opt_verbose)
+{
+	struct pf_status status;
+
+	qname = opt_qname;
+
+	if (opt_verbose == 1)
+		rule_log = PF_LOG;
+	else if (opt_verbose == 2)
+		rule_log = PF_LOG_ALL;
+
+	dev = open("/dev/pf", O_RDWR);	
+	if (dev == -1) {
+		syslog(LOG_ERR, "can't open /dev/pf");
+		exit(1);
+	}
+	if (ioctl(dev, DIOCGETSTATUS, &status) == -1) {
+		syslog(LOG_ERR, "DIOCGETSTATUS");
+		exit(1);
+	}
+	if (!status.running) {
+		syslog(LOG_ERR, "pf is disabled");
+		exit(1);
+	}
+}
+
+int
+prepare_commit(u_int32_t id)
+{
+	char an[PF_ANCHOR_NAME_SIZE];
+	int i;
+
+	memset(&pft, 0, sizeof pft);
+	pft.size = TRANS_SIZE;
+	pft.esize = sizeof pfte[0];
+	pft.array = pfte;
+
+	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
+	    getpid(), id);
+	for (i = 0; i < TRANS_SIZE; i++) {
+		memset(&pfte[i], 0, sizeof pfte[0]);
+		strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE);
+		switch (i) {
+		case TRANS_FILTER:
+			pfte[i].rs_num = PF_RULESET_FILTER;
+			break;
+		case TRANS_NAT:
+			pfte[i].rs_num = PF_RULESET_NAT;
+			break;
+		case TRANS_RDR:
+			pfte[i].rs_num = PF_RULESET_RDR;
+			break;
+		default:
+			errno = EINVAL;
+			return (-1);
+		}
+	}
+
+	if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
+		return (-1);
+
+	return (0);
+}
+	
+int
+prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
+    struct sockaddr *dst, u_int16_t d_port, u_int8_t proto)
+{
+	char an[PF_ANCHOR_NAME_SIZE];
+
+	if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
+	    (src->sa_family != dst->sa_family)) {
+	    	errno = EPROTONOSUPPORT;
+		return (-1);
+	}
+
+	memset(&pfp, 0, sizeof pfp);
+	memset(&pfr, 0, sizeof pfr);
+	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
+	    getpid(), id);
+	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
+	strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
+
+	switch (rs_num) {
+	case PF_RULESET_FILTER:
+		pfr.ticket = pfte[TRANS_FILTER].ticket;
+		break;
+	case PF_RULESET_NAT:
+		pfr.ticket = pfte[TRANS_NAT].ticket;
+		break;
+	case PF_RULESET_RDR:
+		pfr.ticket = pfte[TRANS_RDR].ticket;
+		break;
+	default:
+		errno = EINVAL;
+		return (-1);
+	}
+	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
+		return (-1);
+	pfr.pool_ticket = pfp.ticket;
+
+	/* Generic for all rule types. */
+	pfr.rule.af = src->sa_family;
+	pfr.rule.proto = proto;
+	pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
+	pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
+	if (src->sa_family == AF_INET) {
+		memcpy(&pfr.rule.src.addr.v.a.addr.v4,
+		    &satosin(src)->sin_addr.s_addr, 4);
+		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
+		memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
+		    &satosin(dst)->sin_addr.s_addr, 4);
+		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
+	} else {
+		memcpy(&pfr.rule.src.addr.v.a.addr.v6,
+		    &satosin6(src)->sin6_addr.s6_addr, 16);
+		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
+		memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
+		    &satosin6(dst)->sin6_addr.s6_addr, 16);
+		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
+	}
+	pfr.rule.dst.port_op = PF_OP_EQ;
+	pfr.rule.dst.port[0] = htons(d_port);
+
+	switch (rs_num) {
+	case PF_RULESET_FILTER:
+		/*
+		 * pass quick [log] inet[6] proto tcp \
+		 *     from $src to $dst port = $d_port flags S/SAFR keep state
+		 *     (max 1) [queue qname]
+		 */
+		pfr.rule.action = PF_PASS;
+		pfr.rule.quick = 1;
+		pfr.rule.log = rule_log;
+		pfr.rule.keep_state = 1;
+		pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
+		pfr.rule.flagset = (proto == IPPROTO_TCP ?
+		    (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
+		pfr.rule.max_states = 1;
+		if (qname != NULL)
+			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+		break;
+	case PF_RULESET_NAT:
+		/*
+		 * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
+		 */
+		pfr.rule.action = PF_NAT;
+		break;
+	case PF_RULESET_RDR:
+		/*
+		 * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
+		 */
+		pfr.rule.action = PF_RDR;
+		break;
+	default:
+		errno = EINVAL;
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+server_lookup(struct sockaddr *client, struct sockaddr *proxy,
+    struct sockaddr *server, u_int8_t proto)
+{
+	if (client->sa_family == AF_INET)
+		return (server_lookup4(satosin(client), satosin(proxy),
+		    satosin(server), proto));
+
+	if (client->sa_family == AF_INET6)
+		return (server_lookup6(satosin6(client), satosin6(proxy),
+		    satosin6(server), proto));
+
+	errno = EPROTONOSUPPORT;
+	return (-1);
+}
+
+int
+server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
+    struct sockaddr_in *server, u_int8_t proto)
+{
+	struct pfioc_natlook pnl;
+
+	memset(&pnl, 0, sizeof pnl);
+	pnl.direction = PF_OUT;
+	pnl.af = AF_INET;
+	pnl.proto = proto;
+	memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
+	memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
+	pnl.sport = client->sin_port;
+	pnl.dport = proxy->sin_port;
+
+	if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
+		return (-1);
+
+	memset(server, 0, sizeof(struct sockaddr_in));
+	server->sin_len = sizeof(struct sockaddr_in);
+	server->sin_family = AF_INET;
+	memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
+	    sizeof server->sin_addr.s_addr);
+	server->sin_port = pnl.rdport;
+
+	return (0);
+}
+
+int
+server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
+    struct sockaddr_in6 *server, u_int8_t proto)
+{
+	struct pfioc_natlook pnl;
+
+	memset(&pnl, 0, sizeof pnl);
+	pnl.direction = PF_OUT;
+	pnl.af = AF_INET6;
+	pnl.proto = proto;
+	memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof pnl.saddr.v6);
+	memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6);
+	pnl.sport = client->sin6_port;
+	pnl.dport = proxy->sin6_port;
+	
+	if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
+		return (-1);
+
+	memset(server, 0, sizeof(struct sockaddr_in6));
+	server->sin6_len = sizeof(struct sockaddr_in6);
+	server->sin6_family = AF_INET6;
+	memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6,
+	    sizeof server->sin6_addr);
+	server->sin6_port = pnl.rdport;
+
+	return (0);
+}
diff --git a/libexec/tftp-proxy/filter.h b/libexec/tftp-proxy/filter.h
new file mode 100644
index 00000000000..04d43f737cb
--- /dev/null
+++ b/libexec/tftp-proxy/filter.h
@@ -0,0 +1,32 @@
+/*	$OpenBSD: filter.h,v 1.1 2005/12/28 19:07:07 jcs Exp $ */
+
+/*
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define	FTP_PROXY_ANCHOR "tftp-proxy"
+
+int add_filter(u_int32_t, u_int8_t, struct sockaddr *, struct sockaddr *,
+    u_int16_t, u_int8_t);
+int add_nat(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
+    struct sockaddr *, u_int16_t, u_int16_t, u_int8_t);
+int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
+    struct sockaddr *, u_int16_t, u_int8_t);
+int do_commit(void);
+int do_rollback(void);
+void init_filter(char *, int);
+int prepare_commit(u_int32_t);
+int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *,
+    u_int8_t);
diff --git a/libexec/tftp-proxy/tftp-proxy.8 b/libexec/tftp-proxy/tftp-proxy.8
new file mode 100644
index 00000000000..b9098ef4d17
--- /dev/null
+++ b/libexec/tftp-proxy/tftp-proxy.8
@@ -0,0 +1,140 @@
+.\"	$OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
+.\"
+.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd November 28, 2005
+.Dt TFTP-PROXY 8
+.Os
+.Sh NAME
+.Nm tftp-proxy
+.Nd Internet Trivial File Transfer Protocol proxy
+.Sh SYNOPSIS
+.Nm tftp-proxy
+.Op Fl v
+.Op Fl w Ar transwait
+.Sh DESCRIPTION
+.Nm
+is a proxy for the Internet Trivial File Transfer Protocol invoked by
+the
+.Xr inetd 8
+internet server.
+TFTP connections should be redirected to the proxy using the
+.Xr pf 4
+.Ar rdr
+command, after which the proxy connects to the server on behalf of
+the client.
+.Pp
+The proxy establishes a
+.Xr pf 4
+.Ar rdr
+rule using the
+.Ar anchor
+facility to rewrite packets between the client and the server.
+Once the rule is established,
+.Nm
+forwards the initial request from the client to the server to begin the
+transfer.
+After
+.Ar transwait
+seconds, the
+.Xr pf 4
+NAT state is assumed to have been established and the
+.Ar rdr
+rule is deleted and the program exits.
+Once the transfer between the client and the server is completed, the
+NAT state will naturally expire.
+.Pp
+Assuming the TFTP command request is from $client to $server, the
+proxy connected to the server using the $proxy source address, and
+$port is negotiated,
+.Nm
+adds the following rule to the anchor:
+.Bd -literal -offset indent
+rdr proto udp from $server to $proxy port $port -\*(Gt $client
+.Ed
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl v
+Log the connection and request information to
+.Xr syslogd 8 .
+.It Fl w Ar transwait
+Number of seconds to wait for the data transmission to begin before
+removing the
+.Xr pf 4
+.Ar rdr
+rule.
+The default is 2 seconds.
+.El
+.Sh CONFIGURATION
+To make use of the proxy,
+.Xr pf.conf 5
+needs the following rules.
+The anchors are mandatory.
+Adjust the rules as needed for your configuration.
+.Pp
+In the NAT section:
+.Bd -literal -offset indent
+nat on $ext_if from $int_if -\*(Gt ($ext_if:0)
+
+no nat on $ext_if to port tftp
+
+rdr-anchor "tftp-proxy/*"
+rdr on $int_if proto udp from $lan to any port tftp -\*(Gt \e
+    127.0.0.1 port 6969
+.Ed
+.Pp
+In the filter section, an anchor must be added to hold the pass rules:
+.Bd -literal -offset indent
+anchor "tftp-proxy/*"
+.Ed
+.Pp
+.Xr inetd 8
+must be configured to spawn the proxy on the port that packets are
+being forwarded to by
+.Xr pf 4 .
+An example
+.Xr inetd.conf 5
+entry follows:
+.Bd -literal -offset indent
+127.0.0.1:6969	dgram	udp	wait	root \e
+	/usr/libexec/tftp-proxy	tftp-proxy
+.Ed
+.Sh SEE ALSO
+.Xr tftp 1 ,
+.Xr pf 4 ,
+.Xr pf.conf 5 ,
+.Xr ftp-proxy 8 ,
+.Xr inetd 8 ,
+.Xr syslogd 8 ,
+.Xr tftpd 8
+.Sh CAVEATS
+.Nm
+chroots to
+.Pa /var/empty
+and changes to user
+.Dq proxy
+to drop privileges.
diff --git a/libexec/tftp-proxy/tftp-proxy.c b/libexec/tftp-proxy/tftp-proxy.c
new file mode 100644
index 00000000000..4bded2a8c2b
--- /dev/null
+++ b/libexec/tftp-proxy/tftp-proxy.c
@@ -0,0 +1,386 @@
+/* $OpenBSD: tftp-proxy.c,v 1.1 2005/12/28 19:07:07 jcs Exp $
+ *
+ * Copyright (c) 2005 DLS Internet Services
+ * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/tftp.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/pfvar.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "filter.h"
+
+#define CHROOT_DIR	"/var/empty"
+#define NOPRIV_USER	"proxy"
+
+#define PF_NAT_PROXY_PORT_LOW	50001
+#define PF_NAT_PROXY_PORT_HIGH	65535
+
+#define DEFTRANSWAIT	2
+#define NTOP_BUFS	4
+#define PKTSIZE		SEGSIZE+4
+
+const char *opcode(int);
+const char *sock_ntop(struct sockaddr *);
+u_int16_t pick_proxy_port(void);
+static void usage(void);
+
+extern	char *__progname;
+char	ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
+int	verbose = 0;
+
+int
+main(int argc, char *argv[])
+{
+	int c, fd = 0, on = 1, out_fd = 0, peer, reqsize = 0;
+	int transwait = DEFTRANSWAIT;
+	char *p;
+	struct tftphdr *tp;
+	struct passwd *pw;
+
+	char cbuf[CMSG_SPACE(sizeof(struct sockaddr_storage))];
+	char req[PKTSIZE];
+	struct cmsghdr *cmsg;
+	struct msghdr msg;
+	struct iovec iov;
+
+	struct sockaddr_storage from, proxy, server, proxy_to_server, s_in;
+	struct sockaddr_in sock_out;
+	socklen_t j;
+	in_port_t bindport;
+
+	openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON);
+
+	while ((c = getopt(argc, argv, "vw:")) != -1)
+		switch (c) {
+		case 'v':
+			verbose++;
+			break;
+		case 'w':
+			transwait = strtoll(optarg, &p, 10);
+			if (transwait < 1) {
+				syslog(LOG_ERR, "invalid -w value");
+				exit(1);
+			}
+			break;
+		default:
+			usage();
+			break;
+		}
+
+	/* open /dev/pf */
+	init_filter(NULL, verbose);
+
+	tzset();
+
+	pw = getpwnam(NOPRIV_USER);
+	if (!pw) {
+		syslog(LOG_ERR, "no such user %s: %m", NOPRIV_USER);
+		exit(1);
+	}
+	if (chroot(CHROOT_DIR) || chdir("/")) {
+		syslog(LOG_ERR, "chroot %s: %m", CHROOT_DIR);
+		exit(1);
+	}
+	if (setgroups(1, &pw->pw_gid) ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) {
+		syslog(LOG_ERR, "can't revoke privs: %m");
+		exit(1);
+	}
+
+	/* non-blocking io */
+	if (ioctl(fd, FIONBIO, &on) < 0) {
+		syslog(LOG_ERR, "ioctl(FIONBIO): %m");
+		exit(1);
+	}
+
+	if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof(on)) == -1) {
+		syslog(LOG_ERR, "setsockopt(IP_RECVDSTADDR): %m");
+		exit(1);
+	}
+
+	j = sizeof(s_in);
+	if (getsockname(fd, (struct sockaddr *)&s_in, &j) == -1) {
+		syslog(LOG_ERR, "getsockname: %m");
+		exit(1);
+	}
+
+	bindport = ((struct sockaddr_in *)&s_in)->sin_port;
+
+	/* req will be pushed back out at the end, unchanged */
+	j = sizeof(from);
+	if ((reqsize = recvfrom(fd, req, sizeof(req), MSG_PEEK,
+	    (struct sockaddr *)&from, &j)) < 0) {
+		syslog(LOG_ERR, "recvfrom: %m");
+		exit(1);
+	}
+
+	bzero(&msg, sizeof(msg));
+	iov.iov_base = req;
+	iov.iov_len = sizeof(req);
+	msg.msg_name = &from;
+	msg.msg_namelen = sizeof(from);
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = cbuf;
+	msg.msg_controllen = CMSG_LEN(sizeof(struct sockaddr_storage));
+
+	if (recvmsg(fd, &msg, 0) < 0) {
+		syslog(LOG_ERR, "recvmsg: %m");
+		exit(1);
+	}
+
+	close(fd);
+	close(1);
+
+	peer = socket(from.ss_family, SOCK_DGRAM, 0);
+	if (peer < 0) {
+		syslog(LOG_ERR, "socket: %m");
+		exit(1);
+	}
+	memset(&s_in, 0, sizeof(s_in));
+	s_in.ss_family = from.ss_family;
+	s_in.ss_len = from.ss_len;
+
+	/* get local address if possible */
+	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
+	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+		if (cmsg->cmsg_level == IPPROTO_IP &&
+		    cmsg->cmsg_type == IP_RECVDSTADDR) {
+			memcpy(&((struct sockaddr_in *)&s_in)->sin_addr,
+			    CMSG_DATA(cmsg), sizeof(struct in_addr));
+			break;
+		}
+	}
+
+	if (bind(peer, (struct sockaddr *)&s_in, s_in.ss_len) < 0) {
+		syslog(LOG_ERR, "bind: %m");
+		exit(1);
+	}
+	if (connect(peer, (struct sockaddr *)&from, from.ss_len) < 0) {
+		syslog(LOG_ERR, "connect: %m");
+		exit(1);
+	}
+
+	tp = (struct tftphdr *)req;
+	if (!(ntohs(tp->th_opcode) == RRQ || ntohs(tp->th_opcode) == WRQ)) {
+		/* not a tftp request, bail */
+		if (verbose) {
+			syslog(LOG_WARNING, "not a valid tftp request");
+			exit(1);
+		} else
+			/* exit 0 so inetd doesn't log anything */
+			exit(0);
+	}
+
+	j = sizeof(struct sockaddr_storage);
+	if (getsockname(fd, (struct sockaddr *)&proxy, &j) == -1) {
+		syslog(LOG_ERR, "getsockname: %m");
+		exit(1);
+	}
+
+	((struct sockaddr_in *)&proxy)->sin_port = bindport;
+
+	/* find the un-rdr'd server and port the client wanted */
+	if (server_lookup((struct sockaddr *)&from,
+	    (struct sockaddr *)&proxy, (struct sockaddr *)&server,
+	    IPPROTO_UDP) != 0) {
+		syslog(LOG_ERR, "pf connection lookup failed (no rdr?)");
+		exit(1);
+	}
+
+	/* establish a new outbound connection to the remote server */
+	if ((out_fd = socket(((struct sockaddr *)&from)->sa_family,
+	    SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+		syslog(LOG_ERR, "couldn't create new socket");
+		exit(1);
+	}
+
+	bzero((char *)&sock_out, sizeof(sock_out));
+	sock_out.sin_family = from.ss_family;
+	sock_out.sin_port = htons(pick_proxy_port());
+	if (bind(out_fd, (struct sockaddr *)&sock_out, sizeof(sock_out)) < 0) {
+		syslog(LOG_ERR, "couldn't bind to new socket: %m");
+		exit(1);
+	}
+
+	if (connect(out_fd, (struct sockaddr *)&server,
+	    ((struct sockaddr *)&server)->sa_len) < 0 && errno != EINPROGRESS) {
+		syslog(LOG_ERR, "couldn't connect to remote server: %m");
+		exit(1);
+	}
+
+	j = sizeof(struct sockaddr_storage);
+	if ((getsockname(out_fd, (struct sockaddr *)&proxy_to_server,
+	    &j)) < 0) {
+		syslog(LOG_ERR, "getsockname: %m");
+		exit(1);
+	}
+
+	if (verbose)
+		syslog(LOG_INFO, "%s:%d -> %s:%d/%s:%d -> %s:%d \"%s %s\"",
+			sock_ntop((struct sockaddr *)&from),
+			ntohs(((struct sockaddr_in *)&from)->sin_port),
+			sock_ntop((struct sockaddr *)&proxy),
+			ntohs(((struct sockaddr_in *)&proxy)->sin_port),
+			sock_ntop((struct sockaddr *)&proxy_to_server),
+			ntohs(((struct sockaddr_in *)&proxy_to_server)->sin_port),
+			sock_ntop((struct sockaddr *)&server),
+			ntohs(((struct sockaddr_in *)&server)->sin_port),
+			opcode(ntohs(tp->th_opcode)),
+			tp->th_stuff);
+
+	/* get ready to add rdr and pass rules */
+	if (prepare_commit(1) == -1) {
+		syslog(LOG_ERR, "couldn't prepare pf commit");
+		exit(1);
+	}
+
+	/* rdr from server to us on our random port -> client on its port */
+	if (add_rdr(1, (struct sockaddr *)&server,
+	    (struct sockaddr *)&proxy_to_server, ntohs(sock_out.sin_port),
+	    (struct sockaddr *)&from,
+	    ntohs(((struct sockaddr_in *)&from)->sin_port),
+	    IPPROTO_UDP) == -1) {
+		syslog(LOG_ERR, "couldn't add rdr");
+		exit(1);
+	}
+
+	/* explicitly allow the packets to return back to the client (which pf
+	 * will see post-rdr) */
+	if (add_filter(1, PF_IN, (struct sockaddr *)&server,
+	    (struct sockaddr *)&from,
+	    ntohs(((struct sockaddr_in *)&from)->sin_port),
+	    IPPROTO_UDP) == -1) {
+		syslog(LOG_ERR, "couldn't add pass in");
+		exit(1);
+	}
+
+	/* and just in case, to pass out from us to the server */
+	if (add_filter(1, PF_OUT, (struct sockaddr *)&proxy_to_server,
+	    (struct sockaddr *)&server,
+	    ntohs(((struct sockaddr_in *)&server)->sin_port),
+	    IPPROTO_UDP) == -1) {
+		syslog(LOG_ERR, "couldn't add pass out");
+		exit(1);
+	}
+
+	if (do_commit() == -1) {
+		syslog(LOG_ERR, "couldn't commit pf rules");
+		exit(1);
+	}
+
+	/* forward the initial tftp request and start the insanity */
+	if (send(out_fd, tp, reqsize, 0) < 0) {
+		syslog(LOG_ERR, "couldn't forward tftp packet: %m");
+		exit(1);
+	}
+
+	/* allow the transfer to start to establish a state */
+	sleep(transwait);
+
+	/* delete our rdr rule and clean up */
+	prepare_commit(1);
+	do_commit();
+
+	return(0);
+}
+
+const char *
+opcode(int code)
+{
+	static char str[6];
+
+	switch (code) {
+	case 1:
+		(void)snprintf(str, sizeof(str), "RRQ");
+		break;
+	case 2:
+		(void)snprintf(str, sizeof(str), "WRQ");
+		break;
+	default:
+		(void)snprintf(str, sizeof(str), "(%d)", code);
+		break;
+	}
+
+	return (str);
+}
+
+const char *
+sock_ntop(struct sockaddr *sa)
+{
+	static int n = 0;
+
+	/* Cycle to next buffer. */
+	n = (n + 1) % NTOP_BUFS;
+	ntop_buf[n][0] = '\0';
+
+	if (sa->sa_family == AF_INET) {
+		struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+		return (inet_ntop(AF_INET, &sin->sin_addr, ntop_buf[n],
+		    sizeof ntop_buf[0]));
+	}
+
+	if (sa->sa_family == AF_INET6) {
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+		return (inet_ntop(AF_INET6, &sin6->sin6_addr, ntop_buf[n],
+		    sizeof ntop_buf[0]));
+	}
+
+	return (NULL);
+}
+
+u_int16_t
+pick_proxy_port(void)
+{
+	return (IPPORT_HIFIRSTAUTO + (arc4random() %
+	    (IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO)));
+}
+
+static void
+usage(void)
+{
+	syslog(LOG_ERR, "usage: %s [-v] [-w transwait]", __progname);
+	exit(1);
+}