On 2011/05/02 22:28, Lawrence Teo wrote:
> The DIOCNATLOOK example program at the end of the pf(4) man page
> uses memset(3), but string.h is not included. The following diff
> fixes this. Any thoughts?
That change is correct but I'm not sure about keeping this example
code at all. We've had divert-to since OpenBSD 4.4 - when this is used
instead of rdr-to the destination address is preserved, so it can be
fetched with getsockname() without the DIOCNATLOOK dance.
As a result the code becomes much less complicated, so we don't
really need an example any more; another big advantage is that
there's no need for access to the privileged /dev/pf device.
How about this?
Index: pf.4
===================================================================
RCS file: /cvs/src/share/man/man4/pf.4,v
retrieving revision 1.72
diff -u -p -r1.72 pf.4
--- pf.4 28 Dec 2010 13:56:11 -0000 1.72
+++ pf.4 3 May 2011 07:56:14 -0000
@@ -314,6 +314,13 @@ struct pfioc_natlook {
u_int8_t direction;
};
.Ed
+This was used to support transparent proxies with rdr-to rules.
+New code should use divert-to rules instead.
+These preserve the original destination address for
+.Xr getsockname 2
+and do not require access to the privileged
+.Pa /dev/pf
+device.
.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
Set the debug level.
See the
@@ -988,73 +995,6 @@ Explicitly remove source tracking nodes.
.It Pa /dev/pf
packet filtering device.
.El
-.Sh EXAMPLES
-The following example demonstrates how to use the
-.Dv DIOCNATLOOK
-command to find the internal host/port of a NATed connection:
-.Bd -literal
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/fcntl.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <net/pfvar.h>
-#include <err.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-u_int32_t
-read_address(const char *s)
-{
- int a, b, c, d;
-
- sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
- return htonl(a << 24 | b << 16 | c << 8 | d);
-}
-
-void
-print_address(u_int32_t a)
-{
- a = ntohl(a);
- printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
- a >> 8 & 255, a & 255);
-}
-
-int
-main(int argc, char *argv[])
-{
- struct pfioc_natlook nl;
- int dev;
-
- if (argc != 5) {
- printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\en",
- argv[0]);
- return 1;
- }
-
- dev = open("/dev/pf", O_RDWR);
- if (dev == -1)
- err(1, "open(\e"/dev/pf\e") failed");
-
- memset(&nl, 0, sizeof(struct pfioc_natlook));
- nl.saddr.v4.s_addr = read_address(argv[1]);
- nl.sport = htons(atoi(argv[2]));
- nl.daddr.v4.s_addr = read_address(argv[3]);
- nl.dport = htons(atoi(argv[4]));
- nl.af = AF_INET;
- nl.proto = IPPROTO_TCP;
- nl.direction = PF_IN;
-
- if (ioctl(dev, DIOCNATLOOK, &nl))
- err(1, "DIOCNATLOOK");
-
- printf("internal host ");
- print_address(nl.rsaddr.v4.s_addr);
- printf(":%u\en", ntohs(nl.rsport));
- return 0;
-}
-.Ed
.Sh SEE ALSO
.Xr ioctl 2 ,
.Xr bridge 4 ,