On Tue, Mar 06, 2012 at 01:28:43PM +0100, Mike Belopuhov wrote:
> ftp-proxy has all the code to support "on rdomain" feature
> in place, just not used. the change below uses an rdomain
> obtained via the SO_RTABLE socket option of the accepted
> socket. OK?
Looks good to me. > Index: filter.c > =================================================================== > RCS file: /home/cvs/src/usr.sbin/ftp-proxy/filter.c,v > retrieving revision 1.16 > diff -u -p -u -p -r1.16 filter.c > --- filter.c 22 Jun 2011 08:44:02 -0000 1.16 > +++ filter.c 6 Mar 2012 12:21:57 -0000 > @@ -83,7 +83,7 @@ add_nat(u_int32_t id, struct sockaddr *s > return (-1); > > pfr.rule.direction = PF_OUT; > - /* XXX limit the source routing domain */ > + pfr.rule.onrdomain = s_rd; > pfr.rule.rtableid = -1; > pfr.rule.nat.proxy_port[0] = nat_range_low; > pfr.rule.nat.proxy_port[1] = nat_range_high; > @@ -110,7 +110,7 @@ add_rdr(u_int32_t id, struct sockaddr *s > return (-1); > > pfr.rule.direction = PF_IN; > - /* XXX limit the source routing domain */ > + pfr.rule.onrdomain = s_rd; > pfr.rule.rtableid = d_rd; > pfr.rule.rdr.proxy_port[0] = rdr_port; > if (ioctl(dev, DIOCADDRULE, &pfr) == -1) > @@ -207,6 +207,7 @@ prepare_rule(u_int32_t id, struct sockad > pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; > pfr.rule.nat.addr.type = PF_ADDR_NONE; > pfr.rule.rdr.addr.type = PF_ADDR_NONE; > + pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET; > > if (src->sa_family == AF_INET) { > memcpy(&pfr.rule.src.addr.v.a.addr.v4, > -- :wq Claudio
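Review bot: In the add_nat and add_rdr hunks, `s_rd` is copied straight into `pfr.rule.onrdomain` without any visible check that it holds a valid routing domain. The cover text says the value comes from the SO_RTABLE socket option on the accepted socket; if that getsockopt call can fail, the caller should fall back to a defined value (or skip adding the rule) before these lines run, so that an unset or -1 routing domain is never handed to DIOCADDRULE.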
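Review bot: The line `pfr.rule.prio[0] = pfr.rule.prio[1] = PF_PRIO_NOTSET;` added in prepare_rule is not covered by the cover text, which only describes setting the rule's rdomain. If leaving prio at its zeroed value would make pf treat these proxy rules as carrying an explicit priority of 0, say so in the commit message (or commit that line separately), so the reason for the change is recorded instead of appearing as an unrelated hunk in an rdomain diff.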