From f9b06d5cbee5e16afde99bc0fad5fafd1d119c8a Mon Sep 17 00:00:00 2001
From: Brian Somers
Date: Sat, 6 Sep 1997 11:14:03 +0000
Subject: [PATCH] Ingored incoming packets are now dropped when deny_incoming option is set to yes.
Submitted by: Ari Suutari
---
 sbin/natd/HISTORY | 6 ++++++
 sbin/natd/natd.c | 16 ++++++++++++++--
 usr.sbin/natd/HISTORY | 6 ++++++
 usr.sbin/natd/natd.c | 16 ++++++++++++++--
 4 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/sbin/natd/HISTORY b/sbin/natd/HISTORY
index 404be4be06d0..7d3175b381a0 100644
--- a/sbin/natd/HISTORY
+++ b/sbin/natd/HISTORY
@@ -111,3 +111,9 @@ fixed. Natd now waits with select(2) for buffer space to become available if write fails.
 - Packet aliasing library upgraded to 2.2.
+
+* Version 1.10
+
+ - Ignored incoming packets are now dropped when
+ deny_incoming option is set to yes.
+ - Packet aliasing library upgraded to 2.4.
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 13cf6ab0540c..ac99ac116682 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -94,6 +94,7 @@ static char packetBuf[IP_MAXPACKET];
 static int packetLen;
 static struct sockaddr_in packetAddr;
 static int packetSock;
+static int dropIgnoredIncoming;
 int main (int argc, char** argv)
 {
@@ -161,6 +162,11 @@ int main (int argc, char** argv)
 if (inPort == 0 && outPort == 0 && inOutPort == 0)
 ParseOption ("port", DEFAULT_SERVICE, 0);
+/*
+ * Check if ignored packets should be dropped.
+ */
+ dropIgnoredIncoming = PacketAliasSetMode (0, 0);
+ dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING;
 /*
 * Create divert sockets. Use only one socket if -p was specified
 * on command line. Otherwise, create separate sockets for
@@ -254,7 +260,6 @@ int main (int argc, char** argv)
 */
 if (aliasAddr.s_addr != INADDR_NONE)
 PacketAliasSetAddress (aliasAddr);
-
 /*
 * We need largest descriptor number for select.
 */
@@ -411,6 +416,7 @@ static void DoAliasing (int fd)
 {
 int bytes;
 int origBytes;
+ int status;
 int addrSize;
 struct ip* ip;
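Review bot: In the `@@ -161` hunk of sbin/natd/natd.c (repeated in usr.sbin/natd/natd.c), the added comment does not say that `PacketAliasSetMode (0, 0)` is being used as a read-only query, which is easy to misread as a call that clears the mode. I would reword it along the lines of `Query the current alias mode (an empty mask changes nothing) and cache whether deny_incoming is set.` The flag is latched once at this point, so it presumably has to stay after all option parsing, and a mode change made later would not reach `dropIgnoredIncoming`; the comment should state that ordering dependency. main's body starts and ends outside the hunk.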
@@ -486,7 +492,13 @@ static void DoAliasing (int fd)
 /*
 * Do aliasing.
 */
- PacketAliasIn (packetBuf, IP_MAXPACKET);
+ status = PacketAliasIn (packetBuf, IP_MAXPACKET);
+ if (status == PKT_ALIAS_IGNORED &&
+ dropIgnoredIncoming) {
+
+ printf (" dropped.\n");
+ return;
+ }
 }
 /*
 * Length might have changed during aliasing.
diff --git a/usr.sbin/natd/HISTORY b/usr.sbin/natd/HISTORY
index 404be4be06d0..7d3175b381a0 100644
--- a/usr.sbin/natd/HISTORY
+++ b/usr.sbin/natd/HISTORY
@@ -111,3 +111,9 @@ fixed. Natd now waits with select(2) for buffer space to become available if write fails.
 - Packet aliasing library upgraded to 2.2.
+
+* Version 1.10
+
+ - Ignored incoming packets are now dropped when
+ deny_incoming option is set to yes.
+ - Packet aliasing library upgraded to 2.4.
diff --git a/usr.sbin/natd/natd.c b/usr.sbin/natd/natd.c
index 13cf6ab0540c..ac99ac116682 100644
--- a/usr.sbin/natd/natd.c
+++ b/usr.sbin/natd/natd.c
@@ -94,6 +94,7 @@ static char packetBuf[IP_MAXPACKET];
 static int packetLen;
 static struct sockaddr_in packetAddr;
 static int packetSock;
+static int dropIgnoredIncoming;
 int main (int argc, char** argv)
 {
@@ -161,6 +162,11 @@ int main (int argc, char** argv)
 if (inPort == 0 && outPort == 0 && inOutPort == 0)
 ParseOption ("port", DEFAULT_SERVICE, 0);
+/*
+ * Check if ignored packets should be dropped.
+ */
+ dropIgnoredIncoming = PacketAliasSetMode (0, 0);
+ dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING;
 /*
 * Create divert sockets. Use only one socket if -p was specified
 * on command line. Otherwise, create separate sockets for
@@ -254,7 +260,6 @@ int main (int argc, char** argv)
 */
 if (aliasAddr.s_addr != INADDR_NONE)
 PacketAliasSetAddress (aliasAddr);
-
 /*
 * We need largest descriptor number for select.
 */
@@ -411,6 +416,7 @@ static void DoAliasing (int fd)
 {
 int bytes;
 int origBytes;
+ int status;
 int addrSize;
 struct ip* ip;
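Review bot: In the `@@ -486` hunk of sbin/natd/natd.c (and the identical hunk in usr.sbin/natd/natd.c), the new `printf (" dropped.\n");` has no guard visible in the hunk, so unless a check outside the hunk covers it, every dropped packet writes a line to stdout. How often that fires is decided by unsolicited inbound traffic, so I would gate it, e.g. `if (verbose) printf (" dropped.\n");`, assuming the file's verbose flag is what guards the packet trace this message continues. Separately, only `PKT_ALIAS_IGNORED` leads to a drop; any other non-success status from `PacketAliasIn` still falls through to the code after the block, which with deny_incoming set is a fail-open choice that deserves at least a comment. DoAliasing starts and ends outside the hunk.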
@@ -486,7 +492,13 @@ static void DoAliasing (int fd)
 /*
 * Do aliasing.
 */
- PacketAliasIn (packetBuf, IP_MAXPACKET);
+ status = PacketAliasIn (packetBuf, IP_MAXPACKET);
+ if (status == PKT_ALIAS_IGNORED &&
+ dropIgnoredIncoming) {
+
+ printf (" dropped.\n");
+ return;
+ }
 }
 /*
 * Length might have changed during aliasing.