author | Ruslan Ermilov <ru@FreeBSD.org> | 2000-06-27 15:26:24 +0000 |
---|---|---|
committer | Ruslan Ermilov <ru@FreeBSD.org> | 2000-06-27 15:26:24 +0000 |
commit | bc4ebb98dc561e3bd55a1c5f9f35d810182e419d (patch) | |
tree | 1ed8eba3c78c0b1bd08cc1452fbddbc794d9bbb7 /sbin/natd | |
parent | 36e6576b4465853a78970c57d4915f00c9e83bfb (diff) | |
download | src-bc4ebb98dc561e3bd55a1c5f9f35d810182e419d.tar.gz src-bc4ebb98dc561e3bd55a1c5f9f35d810182e419d.zip |
Added new option (-punch_fw) which allows natd to `punch holes'
in the ipfirewall(4) for incoming FTP/IRC DCC connections.
Submitted by: Rene de Vries <rene@canyon.demon.nl>
Rewritten by: ru
Notes
Notes:
svn path=/head/; revision=62160
Diffstat (limited to 'sbin/natd')
-rw-r--r-- | sbin/natd/natd.8 | 20 | ||||
-rw-r--r-- | sbin/natd/natd.c | 29 |
2 files changed, 47 insertions, 2 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index a0d56e5e1a2a..60cf31c058c0 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -29,6 +29,7 @@
 .Op Fl config | f Ar configfile
 .Op Fl log_denied
 .Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
 .Sh DESCRIPTION
 This program provides a Network Address Translation facility for use with
@@ -412,6 +413,25 @@ Use
 to put this information into the IP option field or
 .Ar encode_tcp_stream
 to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 2f45af525083..a4845d88093a 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -98,6 +98,7 @@ static int StrToProto (const char* str);
 static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
 static void ParseArgs (int argc, char** argv);
 static void FlushPacketBuffer (int fd);
+static void SetupPunchFW(const char *strValue);
 
 /*
  * Globals.
@@ -868,7 +869,8 @@ enum Option {
 	DynamicMode,
 	ProxyRule,
 	LogDenied,
-	LogFacility
+	LogFacility,
+	PunchFW
 };
 
 enum Param {
@@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = {
 	  "facility",
 	  "name of syslog facility to use for logging",
 	  "log_facility",
-	  NULL }
+	  NULL },
+	{ PunchFW,
+	  0,
+	  String,
+	  "basenumber:count",
+	  "punch holes in the firewall for incoming FTP/IRC DCC connections",
+	  "punch_fw",
+	  NULL }
 };
 
 
 static void ParseOption (const char* option, const char* parms)
@@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms)
 			errx(1, "Unknown log facility name: %s", strValue);
 		break;
+
+	case PunchFW:
+		SetupPunchFW(strValue);
+		break;
 	}
 }
 
 
@@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p
 	StrToAddr (str, addr);
 	return StrToPortRange (ptr, proto, portRange);
 }
+
+static void
+SetupPunchFW(const char *strValue)
+{
+	unsigned int base, num;
+
+	if (sscanf(strValue, "%u:%u", &base, &num) != 2)
+		errx(1, "punch_fw: basenumber:count parameter required");
+
+	PacketAliasSetFWBase(base, num);
+	(void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+}
|
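Review bot: The new SetupPunchFW at the end of the last hunk hands base and num to PacketAliasSetFWBase without validating them: `%u` accepts a leading sign (so `-1:10` parses to a huge base), characters after the count are ignored, and a count of 0 or a range running past the 16-bit ipfw rule-number space (1-65535, as I recall) is not rejected. That matters here because the natd.8 hunk says the range is cleared of all rules on startup, so an oversized or mistyped range makes natd delete firewall rules that belong to the rest of the policy instead of failing at startup. The error message is also misleading, since it claims the parameter is missing when it was given but malformed. I would parse both numbers with strtoul and an end pointer, require a non-zero count, bound base + count, and report which part is bad, as below; this assumes <stdlib.h> and <errno.h> are already included by natd.c, which this hunk does not show.
```c
static void
SetupPunchFW(const char *strValue)
{
	unsigned long base, num;
	const char *countStr;
	char *end;

	errno = 0;
	base = strtoul(strValue, &end, 10);
	if (end == strValue || *end != ':' || errno == ERANGE)
		errx(1, "punch_fw: bad basenumber in \"%s\"", strValue);
	countStr = end + 1;
	num = strtoul(countStr, &end, 10);
	if (end == countStr || *end != '\0' || errno == ERANGE)
		errx(1, "punch_fw: bad count in \"%s\"", strValue);
	/*
	 * The range is flushed of existing rules at startup, so refuse one
	 * that is empty or runs past the ipfw rule-number space; this also
	 * catches a negative basenumber, which strtoul would wrap.
	 */
	if (num == 0 || base > 65535 || num > 65535 - base)
		errx(1, "punch_fw: range %lu:%lu is empty or exceeds ipfw rule numbers",
		    base, num);

	/* … unchanged: PacketAliasSetFWBase / PacketAliasSetMode calls … */
}
```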