Hello,

pf and relayd changes...
http://marc.info/?l=openbsd-cvs&m=121030115209292&w=2
http://marc.info/?l=openbsd-cvs&m=121320866832670&w=2
(sorry, I don't know a better way to link to these changes, the commit logs contain the affected files and their log message, so they can be looked up in the cvsweb, or in the CVS via the dates)

...and divert-* in the pf.conf manual:
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

    divert-to host port port
          Used to redirect packets to a local socket bound to host and port.
          The packets will not be modified, so getsockname(2) on the socket
          will return the original destination address of the packet.

    divert-reply
          Used to receive replies for sockets that are bound to addresses
          which are not local to the machine.  See setsockopt(2) for
          information on how to bind these sockets.


Adrian Chadd wrote:
Well, they can be used mostly interchangeably - the socket option is
just implemented at a different layer.

Porting should be a case of a simple #ifdef. :)

I wonder what pf changes are needed..


Adrian

2009/1/9 Attila Nagy <b...@fsn.hu>:
Julian Elischer wrote:
Attila Nagy wrote:
Hello,

Adrian Chadd wrote:
Author: adrian
Date: Fri Jan  9 16:02:19 2009
New Revision: 186955
URL: http://svn.freebsd.org/changeset/base/186955

Log:
 Implement a new IP option (not compiled/enabled by default) to allow
 applications to specify a non-local IP address when bind()'ing a socket
 to a local endpoint.

 This allows applications to spoof the client IP address of connections
 if (obviously!) they somehow are able to receive the traffic normally
 destined to said clients.

 This patch doesn't include any changes to ipfw or the bridging code to
 redirect the client traffic through the PCB checks so TCP gets a shot
 at it. The normal behaviour is that packets with a non-local destination
 IP address are not handled locally. This can be dealt with some IPFW hackery;
 modifications to IPFW to make this less hacky will occur in subsequent
 commits.

 Thanks to Julian Elischer and others at Ironport. This work was approved
 and donated before Cisco acquired them.

 Obtained from:    Julian Elischer and others
 MFC after:    2 weeks

Wouldn't it be better to implement existing interfaces for that?
OpenBSD has a SO_BINDANY socket option and it seems it's also in BSD/OS:
http://marc.info/?l=openbsd-cvs&w=2&r=1&s=bindany&q=b
good point
BTW, it also makes it easier to port OpenBSD's relayd (and of course other
applications relying on this). pf has some related changes there too, which
help programs to use this feature.

_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
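The two options Adrian and Attila are comparing, as an added example that is not code from the thread, from relayd or from either commit: one helper picks SO_BINDANY on OpenBSD or IP_BINDANY on FreeBSD (the name the option from r186955 carries in FreeBSD's netinet/in.h; assumed here, it is not named in the thread) behind the #ifdef Adrian mentions, and a second applies the divert-to text above by calling getsockname(2) on the accepted socket to recover the original destination. The function names and the loopback self-test are mine; the self-test needs no pf rule and just shows the mechanism on an ordinary connection.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Allow bind(2) to a non-local address: socket-level SO_BINDANY on OpenBSD,
 * IP-level IP_BINDANY on FreeBSD (same feature, different layer). Else ENOTSUP. */
int set_bindany(int fd) {
    int on = 1;
#if defined(__OpenBSD__)
    return setsockopt(fd, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
#elif defined(__FreeBSD__)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof(on));
#else
    (void)fd; (void)on; errno = ENOTSUP; return -1;
#endif
}

/* divert-to leaves the packet unmodified, so getsockname(2) on the accepted
 * socket yields the client's original destination. Returns port, or -1 on error. */
int original_destination(int fd, char *addr, size_t addrlen) {
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &slen) == -1 ||
        inet_ntop(AF_INET, &sin.sin_addr, addr, addrlen) == NULL)
        return -1;
    return ntohs(sin.sin_port);
}

/* Self-test without pf: on a plain loopback connection the accepted socket's
 * local address is just the listener's (under divert-to it would instead be the
 * original, possibly non-local, destination). Returns 1 on success, 0 otherwise. */
int loopback_demo(void) {
    struct sockaddr_in sin = { .sin_family = AF_INET };   /* port 0: kernel picks */
    socklen_t slen = sizeof(sin);
    char addr[INET_ADDRSTRLEN];
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    int as = -1, port, ok = 0;
    inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr);
    if (ls == -1 || cs == -1 || bind(ls, (struct sockaddr *)&sin, sizeof(sin)) ||
        listen(ls, 1) || getsockname(ls, (struct sockaddr *)&sin, &slen) ||
        connect(cs, (struct sockaddr *)&sin, sizeof(sin)) ||
        (as = accept(ls, NULL, NULL)) == -1)
        goto out;
    port = original_destination(as, addr, sizeof(addr));
    ok = port == ntohs(sin.sin_port) && strcmp(addr, "127.0.0.1") == 0;
out:
    close(as); close(cs); close(ls);
    return ok;
}
```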
