this fixes ftpsesame following pf_pool removal.
it works fine here for active-mode clients.

it does the right things for passive-mode clients, and works
when tested by running the ftp protocol manually over telnet,
but it doesn't seem fast enough to react for a real client.
(this is not new, and though it's not perfect, there are still
occasions where ftpsesame is more useful than ftp-proxy, so
I think it makes sense to fix rather than remove the port).

ok?


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ftpsesame/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- Makefile    30 Nov 2009 09:55:57 -0000      1.3
+++ Makefile    18 Jan 2010 21:54:18 -0000
@@ -3,12 +3,10 @@
 COMMENT=       automagic packet filter configurator for FTP
 
 DISTNAME=      ftpsesame-0.95
-PKGNAME=       ${DISTNAME}p0
+PKGNAME=       ${DISTNAME}p1
 CATEGORIES=    net
 
 HOMEPAGE=      http://www.sentia.org/projects/ftpsesame/
-
-MAINTAINER=    Stuart Henderson <[email protected]>
 
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
Index: patches/patch-filter_c
===================================================================
RCS file: /cvs/ports/net/ftpsesame/patches/patch-filter_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-filter_c
--- patches/patch-filter_c      30 Nov 2009 09:55:57 -0000      1.1
+++ patches/patch-filter_c      18 Jan 2010 21:54:18 -0000
@@ -1,7 +1,23 @@
 $OpenBSD: patch-filter_c,v 1.1 2009/11/30 09:55:57 sthen Exp $
 --- filter.c.orig      Tue Oct  5 13:12:22 2004
-+++ filter.c   Sun Nov 29 22:49:34 2009
-@@ -65,7 +65,7 @@ filter_init(char *qname, char *tagname)
++++ filter.c   Mon Jan 18 13:57:49 2010
+@@ -34,7 +34,6 @@
+ 
+ #include "filter.h"
+ 
+-static struct pfioc_pooladdr  pfp;
+ static struct pfioc_rule      pfr;
+ static struct pfioc_trans     pft;
+ static struct pfioc_trans_e   pfte;
+@@ -57,7 +56,6 @@ filter_init(char *qname, char *tagname)
+        * Initialize the structs for filter_allow.
+        */
+ 
+-      memset(&pfp, 0, sizeof pfp);
+       memset(&pfr, 0, sizeof pfr);
+       memset(&pft, 0, sizeof pft);
+       memset(&pfte, 0, sizeof pfte);
+@@ -65,16 +63,18 @@ filter_init(char *qname, char *tagname)
        pft.size = 1;
        pft.esize = sizeof pfte;
        pft.array = &pfte;
@@ -9,4 +25,45 @@ $OpenBSD: patch-filter_c,v 1.1 2009/11/3
 +      pfte.type = PF_TRANS_RULESET;
  
        /*
-        * pass [quick] log inet proto tcp \
+-       * pass [quick] log inet proto tcp \
++       * [pass quick|match] log inet proto tcp \
+        *     from $src/32 to $dst/32 port = $d_port flags S/SAFR keep state
+        *     [tag tagname] [queue qname]
+        */
+-      pfr.rule.action = PF_PASS;
+-      if (tagname == NULL)
++      if (tagname == NULL) {
++              pfr.rule.action = PF_PASS;
+               pfr.rule.quick = 1;
++      } else
++              pfr.rule.action = PF_MATCH;
+       pfr.rule.log = 1;
+       pfr.rule.af = AF_INET;          
+       pfr.rule.proto = IPPROTO_TCP;
+@@ -82,6 +82,8 @@ filter_init(char *qname, char *tagname)
+       memset(&pfr.rule.src.addr.v.a.mask.v4, 255, 4);
+       pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
+       memset(&pfr.rule.dst.addr.v.a.mask.v4, 255, 4);
++      pfr.rule.nat.addr.type = PF_ADDR_NONE;
++      pfr.rule.rdr.addr.type = PF_ADDR_NONE;
+       pfr.rule.dst.port_op = PF_OP_EQ;
+       pfr.rule.keep_state = 1;
+       pfr.rule.flags = TH_SYN;
+@@ -102,17 +104,12 @@ filter_allow(u_int32_t id, struct in_addr *src, struct
+ 
+       snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTPSESAME_ANCHOR,
+           getpid(), id);
+-      strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
+       strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
+       strlcpy(pfte.anchor, an, PF_ANCHOR_NAME_SIZE);
+       
+       if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
+               return (0);
+       pfr.ticket = pfte.ticket;
+-
+-      if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
+-              return (0);
+-      pfr.pool_ticket = pfp.ticket;
+ 
+       if (src != NULL && dst != NULL && d_port != 0) {
+               memcpy(&pfr.rule.src.addr.v.a.addr.v4, src, 4);
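Review bot: The new PF_MATCH branch (`++      } else` / `++              pfr.rule.action = PF_MATCH;`) makes the anchor stop passing traffic on its own in -t mode, and the only place that says so is the man-page hunk in patches/patch-ftpsesame_8; filter.c should carry the same statement, e.g. above the else: `/* -t: match only, no quick -- a pass rule after the anchor must admit the tagged data connection, otherwise it stays blocked */`. The two added `pfr.rule.nat.addr.type = PF_ADDR_NONE;` / `pfr.rule.rdr.addr.type = PF_ADDR_NONE;` lines also need a why-comment, since the memset() in the first hunk presumably leaves these fields at whichever PF_ADDR_* constant is zero, which the kernel could read as a translation request; confirm against pf.h before wording it. The brace style is mixed, the if body is braced but the else body is not, `} else {` … `}` keeps it uniform. filter_init continues outside the hunk, and so does the filter_allow hunk below the DIOCXBEGIN check.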
Index: patches/patch-ftpsesame_8
===================================================================
RCS file: patches/patch-ftpsesame_8
diff -N patches/patch-ftpsesame_8
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-ftpsesame_8   18 Jan 2010 21:54:18 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+--- ftpsesame.8.orig   Mon Jan 18 12:36:49 2010
++++ ftpsesame.8        Mon Jan 18 12:36:50 2010
+@@ -91,14 +91,22 @@ The process will stay in the foreground, logging to st
+ Listen on
+ .Ar interface .
+ .It Fl t Ar tag
+-Create rules with tag
+-.Ar tag .
+-Also, option
+-.Ar quick
+-is not used.
+-This way the anchor always returns to the main ruleset, with the
+-tag set on approved FTP data connections.
+-The tag can then be used in pass rules below the anchor.
++The filter rules will add tag
++.Ar tag
++to data connections, and will use match rules instead of pass ones.
++This way alternative rules that use the
++.Ar tagged
++keyword can be implemented following the
++.Nm
++anchor.
++These rules can use special
++.Xr pf 4
++features like route-to, reply-to, label, rtable, overload, etc. that
++.Nm
++does not implement itself.
++There must be a matching pass rule after the
++.Nm
++anchor or the data connections will be blocked.
+ .It Fl q Ar queue
+ Create rules with queue
+ .Ar queue
Index: pkg/DESCR
===================================================================
RCS file: /cvs/ports/net/ftpsesame/pkg/DESCR,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 DESCR
--- pkg/DESCR   30 Jul 2005 15:45:30 -0000      1.1.1.1
+++ pkg/DESCR   18 Jan 2010 21:54:18 -0000
@@ -5,10 +5,9 @@ into a pf anchor when an FTP data connec
 You might want to try ftpsesame instead of ftp-proxy(8) from the OpenBSD
 base system for the following reasons: 
 - it runs on "transparent" (no IP address) bridges 
-- you need packetfilter performance on all data connections 
-- you have to handle lots of simultaneous sessions 
 - you do not want to redirect any traffic to the firewall itself: for IP
   accounting or other reasons 
+- you want to pass traffic to multiple FTP servers behind a firewall
 
 In general, ftpsesame is a good choice to run on a firewall in front of
 multiple FTP servers, where no NAT is involved. ftp-proxy(8) is usually
