Added new option (-punch_fw) which allows to `punch holes'

in the ipfirewall(4) for incoming FTP/IRC DCC connections. Submitted by: Rene de Vries <rene@canyon.demon.nl> Rewritten by: ru
svn path=/head/; revision=62160
2025-01-01 12:19:28 +00:00 · 2000-06-27 15:26:24 +00:00 · 2000-06-27 15:26:24 +00:00 · bc4ebb98dc · 2020-12-20 02:59:44 +00:00
commit bc4ebb98dc
parent 36e6576b44
2 changed files with 47 additions and 2 deletions
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@ -29,6 +29,7 @@
 .Op Fl config | f Ar configfile
 .Op Fl log_denied
 .Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
 .Sh DESCRIPTION
 This program provides a Network Address Translation facility for use
 with
@ -412,6 +413,25 @@ Use
 to put this information into the IP option field or
 .Ar encode_tcp_stream
 to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@ -98,6 +98,7 @@ static int 	StrToProto (const char* str);
 static int      StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
 static void	ParseArgs (int argc, char** argv);
 static void	FlushPacketBuffer (int fd);
+static void	SetupPunchFW(const char *strValue);

 /*
 * Globals.
@ -868,7 +869,8 @@ enum Option {
 	DynamicMode,
 	ProxyRule,
 	LogDenied,
- 	LogFacility
+ 	LogFacility,
+	PunchFW
 };

 enum Param {
@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = {
 	        "facility",
 		"name of syslog facility to use for logging",
 		"log_facility",
-		NULL }
+		NULL },

+	{ PunchFW,
+		0,
+		String,
+	        "basenumber:count",
+		"punch holes in the firewall for incoming FTP/IRC DCC connections",
+		"punch_fw",
+		NULL }
 };
 	
 static void ParseOption (const char* option, const char* parms)
@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms)
 			errx(1, "Unknown log facility name: %s", strValue);	

 		break;
+
+	case PunchFW:
+		SetupPunchFW(strValue);
+		break;
 	}
 }

@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p
 	StrToAddr (str, addr);
 	return StrToPortRange (ptr, proto, portRange);
 }
+
+static void
+SetupPunchFW(const char *strValue)
+{
+	unsigned int base, num;
+
+	if (sscanf(strValue, "%u:%u", &base, &num) != 2)
+		errx(1, "punch_fw: basenumber:count parameter required");
+
+	PacketAliasSetFWBase(base, num);
+	(void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+}