ftp-proxy: use correct incoming rdomain

2012-03-06 Thread Mike Belopuhov
ftp-proxy has all the code to support the "on rdomain" feature
in place, it is just not used.  The change below uses an rdomain
obtained via the SO_RTABLE socket option of the accepted
socket.  OK?

Index: filter.c
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 filter.c
--- filter.c22 Jun 2011 08:44:02 -  1.16
+++ filter.c6 Mar 2012 12:21:57 -
@@ -83,7 +83,7 @@ add_nat(u_int32_t id, struct sockaddr *s
return (-1);
 
pfr.rule.direction = PF_OUT;
-   /* XXX limit the source routing domain */
+   pfr.rule.onrdomain = s_rd;
pfr.rule.rtableid = -1;
pfr.rule.nat.proxy_port[0] = nat_range_low;
pfr.rule.nat.proxy_port[1] = nat_range_high;
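Review bot: `s_rd` is copied into `pfr.rule.onrdomain` here, and again in the add_rdr hunk, with no visible check on the value. Per the description it comes from SO_RTABLE on the accepted socket, which is read outside this diff. If that lookup can fail, the rule would presumably be scoped to the wrong routing domain, so confirm the caller drops the session in that case rather than passing a default. The removed XXX comment was the only statement of intent; a replacement such as `/* match only in the client's routing domain */` above the assignment would keep it. Both add_nat and add_rdr start and end outside their hunks.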
@@ -110,7 +110,7 @@ add_rdr(u_int32_t id, struct sockaddr *s
return (-1);
 
pfr.rule.direction = PF_IN;
-   /* XXX limit the source routing domain */
+   pfr.rule.onrdomain = s_rd;
pfr.rule.rtableid = d_rd;
pfr.rule.rdr.proxy_port[0] = rdr_port;
if (ioctl(dev, DIOCADDRULE, pfr) == -1)
@@ -207,6 +207,7 @@ prepare_rule(u_int32_t id, struct sockad
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.nat.addr.type = PF_ADDR_NONE;
pfr.rule.rdr.addr.type = PF_ADDR_NONE;
+   pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET;
 
if (src-sa_family == AF_INET) {
memcpy(pfr.rule.src.addr.v.a.addr.v4,
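Review bot: The `pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET;` line is not covered by the description, which only mentions rdomain, and it has no comment. Presumably the rule structure is zeroed earlier in prepare_rule and a zero `prio` would be read as an explicit priority rather than "unset"; that should be confirmed against the pf headers. If that is the reason, say so in place, e.g. `/* 0 is a valid priority, so mark both as not set */`, and mention the fix in the commit message so it is not lost inside the rdomain change. prepare_rule's body extends beyond both ends of the hunk.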



Re: ftp-proxy: use correct incoming rdomain

2012-03-06 Thread Claudio Jeker
On Tue, Mar 06, 2012 at 01:28:43PM +0100, Mike Belopuhov wrote:
 ftp-proxy has all the code to support on rdomain feature
 in place, just not used.  the change below uses an rdomain
 obtained via the SO_RTABLE socket option of the accepted
 socket.  OK?

Looks good to me.
 
 Index: filter.c
 ===
 RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
 retrieving revision 1.16
 diff -u -p -u -p -r1.16 filter.c
 --- filter.c  22 Jun 2011 08:44:02 -  1.16
 +++ filter.c  6 Mar 2012 12:21:57 -
 @@ -83,7 +83,7 @@ add_nat(u_int32_t id, struct sockaddr *s
   return (-1);
  
   pfr.rule.direction = PF_OUT;
 - /* XXX limit the source routing domain */
 + pfr.rule.onrdomain = s_rd;
   pfr.rule.rtableid = -1;
   pfr.rule.nat.proxy_port[0] = nat_range_low;
   pfr.rule.nat.proxy_port[1] = nat_range_high;
 @@ -110,7 +110,7 @@ add_rdr(u_int32_t id, struct sockaddr *s
   return (-1);
  
   pfr.rule.direction = PF_IN;
 - /* XXX limit the source routing domain */
 + pfr.rule.onrdomain = s_rd;
   pfr.rule.rtableid = d_rd;
   pfr.rule.rdr.proxy_port[0] = rdr_port;
   if (ioctl(dev, DIOCADDRULE, pfr) == -1)
 @@ -207,6 +207,7 @@ prepare_rule(u_int32_t id, struct sockad
   pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
   pfr.rule.nat.addr.type = PF_ADDR_NONE;
   pfr.rule.rdr.addr.type = PF_ADDR_NONE;
 + pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET;
  
   if (src-sa_family == AF_INET) {
   memcpy(pfr.rule.src.addr.v.a.addr.v4,
 

-- 
:wq Claudio