summaryrefslogtreecommitdiff
path: root/libexec
diff options
context:
space:
mode:
Diffstat (limited to 'libexec')
-rw-r--r--libexec/tftp-proxy/filter.c103
1 files changed, 26 insertions, 77 deletions
diff --git a/libexec/tftp-proxy/filter.c b/libexec/tftp-proxy/filter.c
index 89a7d358cd0..1fa1a5fa921 100644
--- a/libexec/tftp-proxy/filter.c
+++ b/libexec/tftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.3 2009/07/30 20:40:27 sthen Exp $ */
+/* $OpenBSD: filter.c,v 1.4 2009/09/01 13:45:13 sthen Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -44,7 +44,7 @@
enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
-int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
+int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *,
u_int16_t, u_int8_t);
int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
struct sockaddr_in *, u_int8_t);
@@ -54,7 +54,7 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
static struct pfioc_pooladdr pfp;
static struct pfioc_rule pfr;
static struct pfioc_trans pft;
-static struct pfioc_trans_e pfte[TRANS_SIZE];
+static struct pfioc_trans_e pfte;
static int dev, rule_log;
static char *qname;
@@ -67,7 +67,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
return (-1);
}
- if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1)
+ if (prepare_rule(id, src, dst, d_port, proto) == -1)
return (-1);
pfr.rule.direction = dir;
@@ -87,7 +87,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
return (-1);
}
- if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port, proto) == -1)
+ if (prepare_rule(id, src, dst, d_port, proto) == -1)
return (-1);
if (rdr->sa_family == AF_INET) {
@@ -99,10 +99,12 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
&satosin6(rdr)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
+
+ pfp.which = PF_RDR;
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
- pfr.rule.rpool.proxy_port[0] = rdr_port;
+ pfr.rule.rdr.proxy_port[0] = rdr_port;
if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
return (-1);
@@ -161,30 +163,15 @@ prepare_commit(u_int32_t id)
int i;
memset(&pft, 0, sizeof pft);
- pft.size = TRANS_SIZE;
- pft.esize = sizeof pfte[0];
- pft.array = pfte;
+ memset(&pfte, 0, sizeof pfte);
+ pft.size = 1;
+ pft.esize = sizeof pfte;
+ pft.array = &pfte;
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
- for (i = 0; i < TRANS_SIZE; i++) {
- memset(&pfte[i], 0, sizeof pfte[0]);
- strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE);
- switch (i) {
- case TRANS_FILTER:
- pfte[i].rs_num = PF_RULESET_FILTER;
- break;
- case TRANS_NAT:
- pfte[i].rs_num = PF_RULESET_NAT;
- break;
- case TRANS_RDR:
- pfte[i].rs_num = PF_RULESET_RDR;
- break;
- default:
- errno = EINVAL;
- return (-1);
- }
- }
+ strlcpy(pfte.anchor, an, PF_ANCHOR_NAME_SIZE);
+ pfte.rs_num = PF_RULESET_FILTER;
if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
return (-1);
@@ -193,7 +180,7 @@ prepare_commit(u_int32_t id)
}
int
-prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
+prepare_rule(u_int32_t id, struct sockaddr *src,
struct sockaddr *dst, u_int16_t d_port, u_int8_t proto)
{
char an[PF_ANCHOR_NAME_SIZE];
@@ -211,20 +198,7 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
- switch (rs_num) {
- case PF_RULESET_FILTER:
- pfr.ticket = pfte[TRANS_FILTER].ticket;
- break;
- case PF_RULESET_NAT:
- pfr.ticket = pfte[TRANS_NAT].ticket;
- break;
- case PF_RULESET_RDR:
- pfr.ticket = pfte[TRANS_RDR].ticket;
- break;
- default:
- errno = EINVAL;
- return (-1);
- }
+ pfr.ticket = pfte.ticket;
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
pfr.pool_ticket = pfp.ticket;
@@ -251,41 +225,16 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
-
- switch (rs_num) {
- case PF_RULESET_FILTER:
- /*
- * pass quick [log] inet[6] proto tcp \
- * from $src to $dst port = $d_port flags S/SAFR keep state
- * (max 1) [queue qname]
- */
- pfr.rule.action = PF_PASS;
- pfr.rule.quick = 1;
- pfr.rule.log = rule_log;
- pfr.rule.keep_state = 1;
- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
- pfr.rule.flagset = (proto == IPPROTO_TCP ?
- (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
- pfr.rule.max_states = 1;
- if (qname != NULL)
- strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
- break;
- case PF_RULESET_NAT:
- /*
- * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
- */
- pfr.rule.action = PF_NAT;
- break;
- case PF_RULESET_RDR:
- /*
- * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
- */
- pfr.rule.action = PF_RDR;
- break;
- default:
- errno = EINVAL;
- return (-1);
- }
+ pfr.rule.action = PF_PASS;
+ pfr.rule.quick = 1;
+ pfr.rule.log = rule_log;
+ pfr.rule.keep_state = 1;
+ pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
+ pfr.rule.flagset = (proto == IPPROTO_TCP ?
+ (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
+ pfr.rule.max_states = 1;
+ if (qname != NULL)
+ strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
return (0);
}