Could you please post an updated version to the list? //mxb
On 27 jun 2014, at 20:09, Leclerc, Sebastien <sebastien.lecl...@saint-georges.ca> wrote: >> Stuart Henderson <st...@openbsd.org>, 2014-06-27 11:00 >> >>> +/* Stolen from ftp-proxy */ >> >> Old version of ftp-proxy I guess. It hasn't used DIOCNATLOOK for several >> releases, it has switched to the much easier-to-use divert-to / >> getsockname(). > > And also : > >> Henning Brauer <lists-openbsdt...@bsws.de>, 2014-06-27 14:07 >> nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo >> >> DIOCNATLOOK is stupid. I'll celebrate the day when I can kill it. >> Please look at less ancient ftp-proxy/*-proxy code for inspiration. > > Way simpler, indeed! > Thank you
>
>
> --- tarpitd.c.bak Fri Jun 27 13:25:06 2014
> +++ tarpitd.c Fri Jun 27 14:01:35 2014
> @@ -56,21 +56,11 @@ struct con {
> int il;
> } *con;
>
> -/* From netinet/in.h, but only _KERNEL_ gets them. */
> -#define satosin(sa) ((struct sockaddr_in *)(sa))
> -#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
> -int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
> - struct sockaddr_in *);
> -int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
> - struct sockaddr_in6 *);
> -
> void usage(void);
> void initcon(struct con *, int, struct sockaddr *);
> void closecon(struct con *);
> void handler(struct con *);
> void getcaddr(struct con *);
> -int server_lookup(struct sockaddr *, struct sockaddr *,
> - struct sockaddr *);
> int blockhost(char *);
> int blocklistener(void);
>
> @@ -84,7 +74,6 @@ int maxfiles;
> int maxcon = MAXCON;
> int clients;
> int debug;
> -int pfdev;
> int window = 0;
> int autoblock = 1;
> int pipel[2] = { -1, -1 };
> @@ -160,90 +149,11 @@ int blocklistener(void)
> return(ret);
> }
>
> -/* Stolen from ftp-proxy */
> -int
> -server_lookup(struct sockaddr *client, struct sockaddr *proxy,
> - struct sockaddr *server)
> -{
> - if (client->sa_family == AF_INET)
> - return (server_lookup4(satosin(client), satosin(proxy),
> - satosin(server)));
> -
> - if (client->sa_family == AF_INET6)
> - return (server_lookup6(satosin6(client), satosin6(proxy),
> - satosin6(server)));
> -
> - errno = EPROTONOSUPPORT;
> - return (-1);
> -}
> -
> -int
> -server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
> - struct sockaddr_in *server)
> -{
> - struct pfioc_natlook pnl;
> -
> - memset(&pnl, 0, sizeof pnl);
> - pnl.direction = PF_OUT;
> - pnl.af = AF_INET;
> - pnl.proto = IPPROTO_TCP;
> - memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
> - memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
> - pnl.sport = client->sin_port;
> - pnl.dport = proxy->sin_port;
> -
> - if (ioctl(pfdev, DIOCNATLOOK, &pnl) == -1)
> - return (-1);
> -
> - memset(server, 0, sizeof(struct sockaddr_in));
> - server->sin_len = sizeof(struct sockaddr_in);
> - server->sin_family = AF_INET;
> - memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
> - sizeof server->sin_addr.s_addr);
> - server->sin_port = pnl.rdport;
> -
> - return (0);
> -}
> -
> -int
> -server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
> - struct sockaddr_in6 *server)
> -{
> - struct pfioc_natlook pnl;
> -
> - memset(&pnl, 0, sizeof pnl);
> - pnl.direction = PF_OUT;
> - pnl.af = AF_INET6;
> - pnl.proto = IPPROTO_TCP;
> - memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof
> pnl.saddr.v6);
> - memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6);
> - pnl.sport = client->sin6_port;
> - pnl.dport = proxy->sin6_port;
> -
> - if (ioctl(pfdev, DIOCNATLOOK, &pnl) == -1)
> - return (-1);
> -
> - memset(server, 0, sizeof(struct sockaddr_in6));
> - server->sin6_len =
sizeof(struct sockaddr_in6);
> - server->sin6_family = AF_INET6;
> - memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6,
> - sizeof server->sin6_addr);
> - server->sin6_port = pnl.rdport;
> -
> - return (0);
> -}
> -
> -/*
> - * Get address client connected to, by doing a DIOCNATLOOK call.
> - * Uses server_lookup code from ftp-proxy.
> - */
> void
> getcaddr(struct con *cp)
> {
> struct sockaddr_storage spamd_end;
> struct sockaddr *sep = (struct sockaddr *) &spamd_end;
> - struct sockaddr_storage original_destination;
> - struct sockaddr *odp = (struct sockaddr *) &original_destination;
> socklen_t len = sizeof(struct sockaddr_storage);
> int error;
>
> @@ -251,9 +161,7 @@ getcaddr(struct con *cp)
> cp->cport[0] = '\0';
> if (getsockname(cp->fd, sep, &len) == -1)
> return;
> - if (server_lookup((struct sockaddr *)&cp->ss, sep, odp) != 0)
> - return;
> - error = getnameinfo(odp, odp->sa_len, cp->caddr, sizeof(cp->caddr),
> + error = getnameinfo(sep, sep->sa_len, cp->caddr, sizeof(cp->caddr),
> cp->cport, sizeof(cp->cport), NI_NUMERICHOST | NI_NUMERICSERV);
> if (error) {
> syslog_r(LOG_WARNING, &sdata, "cannot get original destination
> address.");
> @@ -489,12 +397,6 @@ main(int argc, char *argv[])
> if (debug == 0) {
> if (daemon(1, 1) == -1)
> err(1, "daemon");
> - }
> -
> - pfdev = open("/dev/pf", O_RDWR);
> - if (pfdev == -1) {
> - syslog_r(LOG_ERR, &sdata, "open /dev/pf: %m");
> - exit(1);
> }
>
> if (chroot("/var/empty") == -1 || chdir("/") == -1) {
>
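Review bot: In the -251,9 hunk the new getnameinfo() call treats the getsockname() result on cp->fd as the client's original destination, which is only true when the connection reached the listener through a pf divert-to rule (as the quoted ftp-proxy advice assumes); under rdr-to, or a connection made straight to the listener, getsockname() presumably returns the daemon's own listening address, so cp->caddr/cp->cport would silently hold the proxy's address and the "cannot get original destination address." warning would never fire. Since the commit also drops the comment that said where the address came from, a replacement above getcaddr() — whose definition starts in the previous hunk — would record this dependency for whoever writes the pf ruleset, e.g. `/* Original destination of the accepted connection: relies on pf divert-to, which makes getsockname() return the pre-divert address. */`. The getsockname() failure on the first context line still returns without logging while the getnameinfo() failure is logged; logging it too (with `%m`, as the removed /dev/pf message did) would make a misconfigured ruleset easier to diagnose. The removed /dev/pf open in the -489,12 hunk means the daemon no longer needs that device, which is a welcome reduction in what a compromised tarpitd can reach.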