On Tue, Mar 06, 2012 at 01:28:43PM +0100, Mike Belopuhov wrote:
ftp-proxy has all the code to support on rdomain feature
in place, just not used. the change below uses an rdomain
obtained via the SO_RTABLE socket option of the accepted
socket. OK?
Looks good to me.
Index: filter.c
===
RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 filter.c
--- filter.c 22 Jun 2011 08:44:02 - 1.16
+++ filter.c 6 Mar 2012 12:21:57 -
@@ -83,7 +83,7 @@ add_nat(u_int32_t id, struct sockaddr *s
return (-1);
pfr.rule.direction = PF_OUT;
- /* XXX limit the source routing domain */
+ pfr.rule.onrdomain = s_rd;
pfr.rule.rtableid = -1;
pfr.rule.nat.proxy_port[0] = nat_range_low;
pfr.rule.nat.proxy_port[1] = nat_range_high;
@@ -110,7 +110,7 @@ add_rdr(u_int32_t id, struct sockaddr *s
return (-1);
pfr.rule.direction = PF_IN;
- /* XXX limit the source routing domain */
+ pfr.rule.onrdomain = s_rd;
pfr.rule.rtableid = d_rd;
pfr.rule.rdr.proxy_port[0] = rdr_port;
if (ioctl(dev, DIOCADDRULE, pfr) == -1)
@@ -207,6 +207,7 @@ prepare_rule(u_int32_t id, struct sockad
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.nat.addr.type = PF_ADDR_NONE;
pfr.rule.rdr.addr.type = PF_ADDR_NONE;
+ pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET;
if (src-sa_family == AF_INET) {
memcpy(pfr.rule.src.addr.v.a.addr.v4,
--
:wq Claudio