On 2010/01/18 22:13, Stuart Henderson wrote:
> this fixes ftpsesame following pf_pool removal.
> it works fine here for active-mode clients.
nobody else uses this?
> it does the right things for passive-mode clients, and works
> when tested by running the ftp protocol manually over telnet,
> but it doesn't seem fast enough to react for a real client.
> (this is not new, and though it's not perfect, there are still
> occasions where ftpsesame is more useful than ftp-proxy, so
> I think it makes sense to fix rather than remove the port).
>
> ok?
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/ftpsesame/Makefile,v
> retrieving revision 1.3
> diff -u -p -r1.3 Makefile
> --- Makefile 30 Nov 2009 09:55:57 -0000 1.3
> +++ Makefile 18 Jan 2010 21:54:18 -0000
> @@ -3,12 +3,10 @@
> COMMENT= automagic packet filter configurator for FTP
>
> DISTNAME= ftpsesame-0.95
> -PKGNAME= ${DISTNAME}p0
> +PKGNAME= ${DISTNAME}p1
> CATEGORIES= net
>
> HOMEPAGE= http://www.sentia.org/projects/ftpsesame/
> -
> -MAINTAINER= Stuart Henderson <[email protected]>
>
> # BSD
> PERMIT_PACKAGE_CDROM= Yes
> Index: patches/patch-filter_c
> ===================================================================
> RCS file: /cvs/ports/net/ftpsesame/patches/patch-filter_c,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-filter_c
> --- patches/patch-filter_c 30 Nov 2009 09:55:57 -0000 1.1
> +++ patches/patch-filter_c 18 Jan 2010 21:54:18 -0000
> @@ -1,7 +1,23 @@
> $OpenBSD: patch-filter_c,v 1.1 2009/11/30 09:55:57 sthen Exp $
> --- filter.c.orig Tue Oct 5 13:12:22 2004
> -+++ filter.c Sun Nov 29 22:49:34 2009
> -@@ -65,7 +65,7 @@ filter_init(char *qname, char *tagname)
> ++++ filter.c Mon Jan 18 13:57:49 2010
> +@@ -34,7 +34,6 @@
> +
> + #include "filter.h"
> +
> +-static struct pfioc_pooladdr pfp;
> + static struct pfioc_rule pfr;
> + static struct pfioc_trans pft;
> + static struct pfioc_trans_e pfte;
> +@@ -57,7 +56,6 @@ filter_init(char *qname, char *tagname)
> + * Initialize the structs for filter_allow.
> + */
> +
> +- memset(&pfp, 0, sizeof pfp);
> + memset(&pfr, 0, sizeof pfr);
> + memset(&pft, 0, sizeof pft);
> + memset(&pfte, 0, sizeof pfte);
> +@@ -65,16 +63,18 @@ filter_init(char *qname, char *tagname)
> pft.size = 1;
> pft.esize = sizeof pfte;
> pft.array = &pfte;
> @@ -9,4 +25,45 @@ $OpenBSD: patch-filter_c,v 1.1 2009/11/3
> + pfte.type = PF_TRANS_RULESET;
>
> /*
> - * pass [quick] log inet proto tcp \
> +- * pass [quick] log inet proto tcp \
> ++ * [pass quick|match] log inet proto tcp \
> + * from $src/32 to $dst/32 port = $d_port flags S/SAFR keep state
> + * [tag tagname] [queue qname]
> + */
> +- pfr.rule.action = PF_PASS;
> +- if (tagname == NULL)
> ++ if (tagname == NULL) {
> ++ pfr.rule.action = PF_PASS;
> + pfr.rule.quick = 1;
> ++ } else
> ++ pfr.rule.action = PF_MATCH;
> + pfr.rule.log = 1;
> + pfr.rule.af = AF_INET;
> + pfr.rule.proto = IPPROTO_TCP;
> +@@ -82,6 +82,8 @@ filter_init(char *qname, char *tagname)
> + memset(&pfr.rule.src.addr.v.a.mask.v4, 255, 4);
> + pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
> + memset(&pfr.rule.dst.addr.v.a.mask.v4, 255, 4);
> ++ pfr.rule.nat.addr.type = PF_ADDR_NONE;
> ++ pfr.rule.rdr.addr.type = PF_ADDR_NONE;
> + pfr.rule.dst.port_op = PF_OP_EQ;
> + pfr.rule.keep_state = 1;
> + pfr.rule.flags = TH_SYN;
> +@@ -102,17 +104,12 @@ filter_allow(u_int32_t id, struct in_addr *src, struct
> +
> + snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTPSESAME_ANCHOR,
> + getpid(), id);
> +- strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
> + strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
> + strlcpy(pfte.anchor, an, PF_ANCHOR_NAME_SIZE);
> +
> + if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
> + return (0);
> + pfr.ticket = pfte.ticket;
> +-
> +- if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
> +- return (0);
> +- pfr.pool_ticket = pfp.ticket;
> +
> + if (src != NULL && dst != NULL && d_port != 0) {
> + memcpy(&pfr.rule.src.addr.v.a.addr.v4, src, 4);
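Review bot: The two added lines `pfr.rule.nat.addr.type = PF_ADDR_NONE;` and `pfr.rule.rdr.addr.type = PF_ADDR_NONE;` in filter_init carry no comment, and nothing in filter.c tells a later reader why a rule that does no translation now has to say so explicitly; presumably this replaces the DIOCBEGINADDRS pool setup the same hunk removes from filter_allow, so a comment such as `/* no nat/rdr on data-connection rules; explicit since the pool removal */` above them would keep that connection visible. The new `if (tagname == NULL) { ... } else pfr.rule.action = PF_MATCH;` branch also changes what the anchor does under -t — a match rule tags the data connection but does not pass it — and only the ftpsesame.8 hunk records that a pass rule after the anchor is now required; a one-line comment at the branch, e.g. `/* -t: match only; a later pass rule must admit the tagged data connection or it is blocked */`, keeps that fail-closed contract next to the code that creates it. Both filter_init and filter_allow start before and continue past this hunk.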
> Index: patches/patch-ftpsesame_8
> ===================================================================
> RCS file: patches/patch-ftpsesame_8
> diff -N patches/patch-ftpsesame_8
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ftpsesame_8 18 Jan 2010 21:54:18 -0000
> @@ -0,0 +1,34 @@
> +$OpenBSD$
> +--- ftpsesame.8.orig Mon Jan 18 12:36:49 2010
> ++++ ftpsesame.8 Mon Jan 18 12:36:50 2010
> +@@ -91,14 +91,22 @@ The process will stay in the foreground, logging to st
> + Listen on
> + .Ar interface .
> + .It Fl t Ar tag
> +-Create rules with tag
> +-.Ar tag .
> +-Also, option
> +-.Ar quick
> +-is not used.
> +-This way the anchor always returns to the main ruleset, with the
> +-tag set on approved FTP data connections.
> +-The tag can then be used in pass rules below the anchor.
> ++The filter rules will add tag
> ++.Ar tag
> ++to data connections, and will use match rules instead of pass ones.
> ++This way alternative rules that use the
> ++.Ar tagged
> ++keyword can be implemented following the
> ++.Nm
> ++anchor.
> ++These rules can use special
> ++.Xr pf 4
> ++features like route-to, reply-to, label, rtable, overload, etc. that
> ++.Nm
> ++does not implement itself.
> ++There must be a matching pass rule after the
> ++.Nm
> ++anchor or the data connections will be blocked.
> + .It Fl q Ar queue
> + Create rules with queue
> + .Ar queue
> Index: pkg/DESCR
> ===================================================================
> RCS file: /cvs/ports/net/ftpsesame/pkg/DESCR,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 DESCR
> --- pkg/DESCR 30 Jul 2005 15:45:30 -0000 1.1.1.1
> +++ pkg/DESCR 18 Jan 2010 21:54:18 -0000
> @@ -5,10 +5,9 @@ into a pf anchor when an FTP data connec
> You might want to try ftpsesame instead of ftp-proxy(8) from the OpenBSD
> base system for the following reasons:
> - it runs on "transparent" (no IP address) bridges
> -- you need packetfilter performance on all data connections
> -- you have to handle lots of simultaneous sessions
> - you do not want to redirect any traffic to the firewall itself: for IP
> accounting or other reasons
> +- you want to pass traffic to multiple FTP servers behind a firewall
>
> In general, ftpsesame is a good choice to run on a firewall in front of
> multiple FTP servers, where no NAT is involved. ftp-proxy(8) is usually
>