On 7/28/06, Camiel Dobbelaar <[EMAIL PROTECTED]> wrote:
> On Fri, 28 Jul 2006, Raja Subramanian wrote:
> > I'm trying to modify the rules generated by ftp-proxy(8),
> > and I'm getting lost in the various structs in pfvar.h.
> Diff here:
> http://www.sentia.org/downloads/ftp-proxy.routeto
> I only checked the rule output, not if it really works, as I don't have
> multiple gateways.
> getopt not implemented yet either; adjust routeto and routeto_if in main()
> manually. The default is (lo0 127.0.0.1); without adjustment this will
> break normal setups horribly.
> Let us know how it works out.
Got this working with a single egress network (no need for route-to in
my test environment) and had an issue with active mode FTP. The
add_filter() call in active mode needs to not put a route-to, and I
think the pass in rule needs to have a reply-to; probably a simple
modification to add_filter() to switch on the direction and do
reply-to or route-to based on direction.
I added the switch in add_filter():
+ if (routeto_if && routeto) {
+ switch (dir) {
+ case PF_OUT:
+ pfr.rule.rt = PF_ROUTETO;
+ break;
+ case PF_IN:
+ pfr.rule.rt = PF_REPLYTO;
+ break;
+ }
+ if (routeto->sa_family == AF_INET) {
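Review bot: the switch on dir at the top of this hunk has no default arm, so for any dir value other than PF_IN or PF_OUT pfr.rule.rt keeps whatever value it already held while the rest of the routeto block still runs and attaches a gateway to a rule with no route-to/reply-to action. Add a `default:` that fails the call (or skips the gateway setup), and likewise give the `if (routeto->sa_family == AF_INET)` test an else branch that reports the unsupported family instead of falling through quietly.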
and updated the active mode call:
@@ -472,13 +472,13 @@
}
/* pass in from $server to $client port $port */
- if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) ==
- -1)
+ if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port,
+ routeto_if, sstosa(&routeto_ss)) == -1)
goto fail;
/* pass out from $orig_server to $client port $port */
- if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) ==
- -1)
+ if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port,
+ NULL, NULL) == -1)
goto fail;
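Review bot: the PF_IN call now passes routeto_if and sstosa(&routeto_ss) while the PF_OUT call passes NULL, NULL, and nothing in the hunk records why; a one-line comment above the pass-in call stating that only the inbound rule carries the reply-to, with the outbound rule routed normally, would keep the next reader from treating the asymmetry as a bug. Note also that sstosa(&routeto_ss) is never NULL, so the `routeto_if && routeto` guard in add_filter() effectively checks only routeto_if; if routeto_ss was never filled in, the AF_INET test in add_filter() fails silently and the pass in rule is installed without a gateway. Checking routeto_ss.ss_family before this call, or failing in add_filter() on an unsupported family, turns that misconfiguration into an error rather than a silent plain pass rule.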
So the PF_OUT call doesn't do a route-to/reply-to but the PF_IN does.
Other than testing that active and passive modes still work, I can't
do a heck of a lot more.
--Bill