[src/trunk]: src/libexec/identd add npf support.
details: https://anonhg.NetBSD.org/src/rev/2871941905b1
branches: trunk
changeset: 349406:2871941905b1
user: christos <christos%NetBSD.org@localhost>
date: Sat Dec 10 05:43:11 2016 +0000
description:
add npf support.
diffstat:
libexec/identd/Makefile | 10 +++-
libexec/identd/identd.8 | 18 ++++---
libexec/identd/identd.c | 39 ++++++++++-----
libexec/identd/identd.h | 15 +++++-
libexec/identd/ipf.c | 16 +++---
libexec/identd/npf.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++
libexec/identd/pf.c | 24 +++++-----
7 files changed, 190 insertions(+), 46 deletions(-)
diffs (truncated from 456 to 300 lines):
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/Makefile
--- a/libexec/identd/Makefile Sat Dec 10 05:41:10 2016 +0000
+++ b/libexec/identd/Makefile Sat Dec 10 05:43:11 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.13 2012/09/15 17:45:35 plunky Exp $
+# $NetBSD: Makefile,v 1.14 2016/12/10 05:43:11 christos Exp $
.include <bsd.own.mk>
@@ -18,4 +18,12 @@
CPPFLAGS+=-DWITH_PF
.endif
+# Build with npf support?
+.if (${MKNPF} != "no")
+SRCS+= npf.c
+CPPFLAGS+=-DWITH_NPF
+LDADD+=-lnpf
+DPADD+=${LIBNPF}
+.endif
+
.include <bsd.prog.mk>
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/identd.8
--- a/libexec/identd/identd.8 Sat Dec 10 05:41:10 2016 +0000
+++ b/libexec/identd/identd.8 Sat Dec 10 05:43:11 2016 +0000
@@ -1,9 +1,9 @@
-.\" $NetBSD: identd.8,v 1.20 2005/04/04 18:43:55 peter Exp $
+.\" $NetBSD: identd.8,v 1.21 2016/12/10 05:43:11 christos Exp $
.\"
.\" This software is in the public domain.
.\" Written by Peter Postma <peter%NetBSD.org@localhost>
.\"
-.Dd April 4, 2005
+.Dd December 9, 2016
.Dt IDENTD 8
.Os
.Sh NAME
@@ -124,9 +124,10 @@
.Ar filter
argument specifies which packet filter should be used to lookup the
connections, currently
-.Sq pf
+.Sq ipfilter ,
+.Sq npf ,
and
-.Sq ipfilter
+.Sq pf
are supported packet filters.
Note that
.Nm
@@ -231,10 +232,11 @@
flag then
.Nm
will need access to either
-.Pa /etc/pf
-(pf) or
-.Pa /etc/ipnat
-(ipfilter).
+.Pa /dev/ipnat
+(ipfilter),
+.Pa /dev/pf
+(pf), or
+.Pa /dev/npf.
Since it's not a good idea to run
.Nm
under root, you'll need to adjust group owner/permissions to the device(s)
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/identd.c
--- a/libexec/identd/identd.c Sat Dec 10 05:41:10 2016 +0000
+++ b/libexec/identd/identd.c Sat Dec 10 05:43:11 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: identd.c,v 1.34 2012/03/15 02:02:21 joerg Exp $ */
+/* $NetBSD: identd.c,v 1.35 2016/12/10 05:43:11 christos Exp $ */
/*
* identd.c - TCP/IP Ident protocol server.
@@ -8,7 +8,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: identd.c,v 1.34 2012/03/15 02:02:21 joerg Exp $");
+__RCSID("$NetBSD: identd.c,v 1.35 2016/12/10 05:43:11 christos Exp $");
#include <sys/param.h>
#include <sys/socket.h>
@@ -65,16 +65,19 @@
__dead static void fatal(const char *);
__dead static void die(const char *, ...) __printflike(1, 2);
-static int bflag, eflag, fflag, iflag, Iflag;
+static int bflag, dflag, eflag, fflag, iflag, Iflag;
static int lflag, Lflag, nflag, Nflag, rflag;
/* NAT lookup function pointer. */
-static int (*nat_lookup)(struct sockaddr_storage *, struct sockaddr *, int *);
+typedef int (*nat_lookup_t)(const struct sockaddr_storage *,
+ struct sockaddr_storage *, in_port_t *);
+
+static nat_lookup_t nat_lookup;
/* Packet filters. */
static const struct {
const char *name;
- int (*fn)(struct sockaddr_storage *, struct sockaddr *, int *);
+ nat_lookup_t fn;
} filters[] = {
#ifdef WITH_PF
{ "pf", pf_natlookup },
@@ -82,6 +85,9 @@
#ifdef WITH_IPF
{ "ipfilter", ipf_natlookup },
#endif
+#ifdef WITH_NPF
+ { "npf", npf_natlookup },
+#endif
{ NULL, NULL }
};
@@ -109,7 +115,7 @@
filter = proxy = NULL;
address = charset = fmt = NULL;
uid = gid = 0;
- bflag = eflag = fflag = iflag = Iflag = 0;
+ bflag = dflag = eflag = fflag = iflag = Iflag = 0;
lflag = Lflag = nflag = Nflag = rflag = 0;
/* Started from a tty? then run as daemon. */
@@ -118,7 +124,7 @@
/* Parse command line arguments. */
while ((ch = getopt(argc, argv,
- "46a:bceF:f:g:IiL:lm:Nno:P:p:rt:u:")) != -1) {
+ "46a:bcdeF:f:g:IiL:lm:Nno:P:p:rt:u:")) != -1) {
switch (ch) {
case '4':
IPv4or6 = AF_INET;
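Review bot: The `d` added to the getopt string here (and the `case 'd':` hunk below it) introduces a command-line option that the identd.8 hunks in this commit do not mention; the three manual-page hunks shown account for the whole 18-line diffstat, so the synopsis and option list still lack it. Suggest adding `Fl d` to the `.Nm` synopsis and an `.It Fl d` entry stating that it keeps the server in the foreground and logs the reply received from the NAT host, which is what the `!dflag && daemon(0, 0)` and `if (dflag)` hunks do. The enclosing `while` loop continues outside the hunk.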
@@ -135,6 +141,9 @@
case 'c':
charset = optarg;
break;
+ case 'd':
+ dflag++;
+ break;
case 'e':
eflag = 1;
break;
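Review bot: `dflag++` is the only flag in this switch that is incremented rather than assigned; the neighbouring `eflag = 1;` style is used for every other flag, and the only readers added by this commit (`!dflag` in the daemon hunk and `if (dflag)` in forward()) test truthiness. Unless a verbosity level is intended, `dflag = 1;` keeps the option handling consistent; if levels are intended, a short comment on the case saying so would help. The switch continues outside the hunk.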
@@ -255,7 +264,7 @@
int fd, nfds, rv;
struct pollfd *rfds;
- if (daemon(0, 0) < 0)
+ if (!dflag && daemon(0, 0) < 0)
die("daemon: %s", strerror(errno));
rfds = malloc(*socks * sizeof(struct pollfd));
@@ -424,16 +433,16 @@
if (ident_getuid(ss, sizeof(ss), proxy, &uid) == -1) {
/* Lookup failed, try to forward if enabled. */
if (nat_lookup != NULL) {
- struct sockaddr nat_addr;
- int nat_lport;
+ struct sockaddr_storage nat_addr;
+ in_port_t nat_lport;
(void)memset(&nat_addr, 0, sizeof(nat_addr));
-
if ((*nat_lookup)(ss, &nat_addr, &nat_lport) &&
- forward(fd, &nat_addr, nat_lport, fport, lport)) {
+ forward(fd, (struct sockaddr *)&nat_addr,
+ nat_lport, fport, lport)) {
maybe_syslog(LOG_INFO,
"Succesfully forwarded the request to %s",
- gethost(&nat_addr));
+ gethost((struct sockaddr *)&nat_addr));
return 0;
}
}
@@ -812,7 +821,7 @@
* Send the ident query to the NAT host, but use as local port
* the port of the NAT host.
*/
- (void)snprintf(buf, sizeof(buf), "%d , %d\r\n", nat_lport, fport);
+ (void)snprintf(buf, sizeof(buf), "%d , %d\r\n", fport, nat_lport);
if (send(sock, buf, strlen(buf), 0) < 0) {
maybe_syslog(LOG_ERR, "send: %m");
(void)close(sock);
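Review bot: The reordered snprintf now sends `fport` first and `nat_lport` second, but the comment directly above it still says the NAT host's port is used as the local port, which in the `port-on-server , port-on-client` form of an ident query is the first field; one of the two is now stale. If the swap is the intended fix (it may well be, if the old order was the bug being corrected), the comment should be updated to match, e.g. `* the port of the NAT host as the second (client-side) field.`; otherwise the argument order should be restored. forward()'s body extends outside the hunk.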
@@ -830,6 +839,8 @@
return 0;
}
reply[n] = '\0';
+ if (dflag)
+ maybe_syslog(LOG_ERR, "Replied %s", reply);
(void)close(sock);
/* Extract everything after the port specs from the ident reply. */
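Review bot: The new debug line logs `reply` at `LOG_ERR`, although it is only emitted when `-d` is set and reports no error; `LOG_DEBUG` is the matching priority, i.e. `maybe_syslog(LOG_DEBUG, "Replied %s", reply);`. `reply` is data read from the NAT host and, judging by `reply[n] = '\0'` with no further cleanup, presumably still carries its line ending and whatever else the peer sent, so it reaches syslog unfiltered; trimming at the first CR/LF before logging (for instance with `%.*s` and the length up to it) would keep log lines intact. forward()'s body continues outside the hunk.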
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/identd.h
--- a/libexec/identd/identd.h Sat Dec 10 05:41:10 2016 +0000
+++ b/libexec/identd/identd.h Sat Dec 10 05:43:11 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: identd.h,v 1.10 2015/10/14 15:53:50 christos Exp $ */
+/* $NetBSD: identd.h,v 1.11 2016/12/10 05:43:11 christos Exp $ */
/*
* identd.h - TCP/IP Ident protocol server.
@@ -12,16 +12,25 @@
#define satosin(sa) ((struct sockaddr_in *)(sa))
#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
+#define csatosin(sa) ((const struct sockaddr_in *)(sa))
+#define csatosin6(sa) ((const struct sockaddr_in6 *)(sa))
#define in_hosteq(s,t) ((s).s_addr == (t).s_addr)
void maybe_syslog(int, const char *, ...) __sysloglike(2, 3);
#ifdef WITH_PF
-int pf_natlookup(struct sockaddr_storage *, struct sockaddr *, int *);
+int pf_natlookup(const struct sockaddr_storage *, struct sockaddr_storage *,
+ in_port_t *);
#endif
#ifdef WITH_IPF
-int ipf_natlookup(struct sockaddr_storage *, struct sockaddr *, int *);
+int ipf_natlookup(const struct sockaddr_storage *, struct sockaddr_storage *,
+ in_port_t *);
+#endif
+
+#ifdef WITH_NPF
+int npf_natlookup(const struct sockaddr_storage *, struct sockaddr_storage *,
+ in_port_t *);
#endif
#endif /* !_IDENTD_H_ */
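Review bot: The three NAT lookup prototypes now share one signature, but nothing states what the first argument points to; the ipf.c hunk reads `ss[0]` and `ss[1]`, so callers must pass a two-element array, and the identd.c caller treats the `in_port_t *` result as meaningful only when the function returns non-zero. A comment above the `#ifdef WITH_PF` block such as `/* ss points to two entries, ss[0] and ss[1]; returns non-zero and fills nat_addr/nat_lport on success. */` would make the contract explicit for the new npf.c implementation. Also, identd.h now names `in_port_t`; unless the header includes `<netinet/in.h>` itself (not visible here), every includer must pull that in first.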
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/ipf.c
--- a/libexec/identd/ipf.c Sat Dec 10 05:41:10 2016 +0000
+++ b/libexec/identd/ipf.c Sat Dec 10 05:43:11 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipf.c,v 1.2 2005/06/14 12:18:24 peter Exp $ */
+/* $NetBSD: ipf.c,v 1.3 2016/12/10 05:43:11 christos Exp $ */
/*
* ipf.c - NAT lookup code for IP Filter.
@@ -8,7 +8,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: ipf.c,v 1.2 2005/06/14 12:18:24 peter Exp $");
+__RCSID("$NetBSD: ipf.c,v 1.3 2016/12/10 05:43:11 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -31,8 +31,8 @@
#include "identd.h"
int
-ipf_natlookup(struct sockaddr_storage *ss, struct sockaddr *nat_addr,
- int *nat_lport)
+ipf_natlookup(const struct sockaddr_storage *ss,
+ struct sockaddr_storage *nat_addr, in_port_t *nat_lport)
{
natlookup_t nl;
ipfobj_t obj;
@@ -50,12 +50,12 @@
/* Build the ipf natlook structure. */
switch (ss[0].ss_family) {
case AF_INET:
- (void)memcpy(&nl.nl_realip, &satosin(&ss[0])->sin_addr,
+ (void)memcpy(&nl.nl_realip, &csatosin(&ss[0])->sin_addr,
sizeof(struct in_addr));
- (void)memcpy(&nl.nl_outip, &satosin(&ss[1])->sin_addr,
+ (void)memcpy(&nl.nl_outip, &csatosin(&ss[1])->sin_addr,
sizeof(struct in_addr));
- nl.nl_realport = ntohs(satosin(&ss[0])->sin_port);
- nl.nl_outport = ntohs(satosin(&ss[1])->sin_port);
+ nl.nl_realport = ntohs(csatosin(&ss[0])->sin_port);
+ nl.nl_outport = ntohs(csatosin(&ss[1])->sin_port);
nl.nl_flags = IPN_TCP | IPN_IN;
break;
case AF_INET6:
diff -r 92ddee77d7e5 -r 2871941905b1 libexec/identd/npf.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/libexec/identd/npf.c Sat Dec 10 05:43:11 2016 +0000
@@ -0,0 +1,114 @@
+/* $NetBSD: npf.c,v 1.1 2016/12/10 05:43:11 christos Exp $ */
+
+/*-
+ * Copyright (c) 2016 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS