Age | Commit message | Author |
|
rc.d waiting up to 30 secs when starting ftp-proxy right after updating from 5.8
because at that point sysmerge(8) would not have had a chance to run yet and the
unpriv user would not exist.
issue reported by sthen@
ok sthen@ benno@ jca@
|
|
that. Problem introduced since tftp-proxy and ftp-proxy have separate
nonpriv users.
OK deraadt@
|
|
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
|
chroot and privdrop is a feature, not a bug, so move it out of CAVEATS.
ok sthen
|
|
CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.
ok millert@
|
|
need it.
|
|
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...
|
|
done in relayd.
ok sthen, deraadt
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
From Lawrence Teo.
ok camield, myself, mikeb.
|
|
fd exhaustion.
ok deraadt mikeb
|
|
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.
|
|
ok claudio
|
|
an expensive state lookup (via natlook ioctl) and shrinks the code.
tested by me and sthen, ok reyk sthen
|
|
nat-to and rdr-to rules with correct rtable rule attributes. This
allows to use ftp-proxy to proxy across rdomains.
Tested and OK phessler@, OK henning@
|
|
are not used. bzero() of the rule structure is not enough.
Find with dlg@, OK mcbride@
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
due to the standard henning+oga commit-and-run-for-beer problem.
ok claudio
|
|
so that later pass rules will not overwrite the nat-to/rdr-to settings.
Because of this there must be an explicit "pass .. tagged proxytag .."
rule after the ftp-proxy anchor. OK henning@
|
|
from Karl-Heinz Wild
|
|
try to.
|
|
This changes the way the rdr/nat rules are added to pf. Now only a single
anchor is needed (the other ones do no longer exist).
To convert your ruleset you need something like this at the start of your
ruleset:
    # filter rules and anchors for ftp-proxy(8)
    anchor "ftp-proxy/*"
    pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
This was tested by myself, sthen@, dlg@ and I think many more. OK by the same
people plus henning.
|
|
include the program name in logmsg() plus exit_daemon() does not return so
make it a void function. OK mpf@
|
|
the proxy would eat the 221 response coming from the server towards the
client.
Patch from camield@. Tested by Camiel and myself.
ok camield@
|
|
Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@
|
|
the ftp-proxy anchor. Exotic setups with route-to etc.
can be implemented this way.
from camield, ok reyk beck canacar and manpage polished by jmc
|
|
immediately after the client sends the PORT command. The "normal"
behaviour is to wait for the client to actually request a transfer.
Make ftp-proxy add the active mode rules immediately too, so that
both scenarios work.
ok david pyr
Tested by Frank Denis, Stephan A. Rickauer, Ingo Schwarze, Stuart
Henderson. Thanks.
|
|
- use .Bk/.Ek
|
|
clever, nice and easy diff from bsd@openbsd.rutgers.edu, ok pyr reyk
|
|
Triggered by Rik/harry Bobbaers on bugs@.
ok mbalmer@ ray@
|
|
provos.
Fixes race condition where ftp-proxy would silently exit if a write was
attempted on a socket that was closed by an RST. Should fix PR 5260.
ok claudio@
|
|
now that it is the default;
ok henning mcbride camield (ftp-proxy bits) deraadt
|
|
otherwise.
|
|
ok jmc marco
|
|
from Andrey Matveev
|