Add a ``nat punch_fw'' command for punching FTP and IRC DCC holes through

the firewall.
2001-08-02 10:16:32 +00:00 · 2001-08-02 10:16:32 +00:00 · 686e8c8b12
commit 686e8c8b12
parent 2b5dcd2ffe
5 changed files with 75 additions and 0 deletions
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@ -636,6 +636,10 @@ static struct cmdtab const NatCommands[] =
   "nat proto proto localIP [publicIP [remoteIP]]"},
  {"proxy", NULL, nat_ProxyRule, LOCAL_AUTH,
   "proxy control", "nat proxy server host[:port] ..."},
+#ifndef NO_FW_PUNCH
+  {"punch_fw", NULL, nat_PunchFW, LOCAL_AUTH,
+   "firewall control", "nat punch_fw [base count]"},
+#endif
  {"same_ports", NULL, NatOption, LOCAL_AUTH,
   "try to leave port numbers unchanged", "nat same_ports yes|no",
   (const void *) PKT_ALIAS_SAME_PORTS},
--- a/usr.sbin/ppp/nat_cmd.c
+++ b/usr.sbin/ppp/nat_cmd.c
@ -435,6 +435,36 @@ nat_SetTarget(struct cmdargs const *arg)
  return 0;
 }

+#ifndef NO_FW_PUNCH
+int
+nat_PunchFW(struct cmdargs const *arg)
+{
+  char *end;
+  long base, count;
+
+  if (arg->argc == arg->argn) {
+    PacketAliasSetMode(0, PKT_ALIAS_PUNCH_FW);
+    return 0;
+  }
+
+  if (arg->argc != arg->argn + 2)
+    return -1;
+
+  base = strtol(arg->argv[arg->argn], &end, 10);
+  if (*end != '\0' || base < 0)
+    return -1;
+
+  count = strtol(arg->argv[arg->argn + 1], &end, 10);
+  if (*end != '\0' || count < 0)
+    return -1;
+
+  PacketAliasSetFWBase(base, count);
+  PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+
+  return 0;
+}
+#endif
+
 static struct mbuf *
 nat_LayerPush(struct bundle *bundle, struct link *l, struct mbuf *bp,
                int pri, u_short *proto)
--- a/usr.sbin/ppp/nat_cmd.h
+++ b/usr.sbin/ppp/nat_cmd.h
@ -34,5 +34,8 @@ extern int nat_RedirectAddr(struct cmdargs const *);
 extern int nat_RedirectProto(struct cmdargs const *);
 extern int nat_ProxyRule(struct cmdargs const *);
 extern int nat_SetTarget(struct cmdargs const *);
+#ifndef NO_FW_PUNCH
+extern int nat_PunchFW(struct cmdargs const *);
+#endif

 extern struct layer natlayer;
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@ -3399,6 +3399,25 @@ Refer to the description of
 in
 .Xr libalias 3
 for details of the available commands.
+.It nat punch_fw Op Ar base count
+This command tells
+.Nm
+to punch holes in the firewall for FTP or IRC DCC connections.
+This is done dynamically by installing termporary firewall rules which
+allow a particular connection (and only that connection) to go through
+the firewall.
+The rules are removed once the corresponding connection terminates.
+.Pp
+A maximum of
+.Ar count
+rules starting from rule number
+.Ar base
+will be used for punching firewall holes.
+The range will be cleared when the
+.Dq nat punch_fw
+command is run.
+.Pp
+If no arguments are given, firewall punching is disabled.
 .It nat same_ports yes|no
 When enabled, this command will tell the network address translation engine to
 attempt to avoid changing the port number on outgoing packets.
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@ -3399,6 +3399,25 @@ Refer to the description of
 in
 .Xr libalias 3
 for details of the available commands.
+.It nat punch_fw Op Ar base count
+This command tells
+.Nm
+to punch holes in the firewall for FTP or IRC DCC connections.
+This is done dynamically by installing termporary firewall rules which
+allow a particular connection (and only that connection) to go through
+the firewall.
+The rules are removed once the corresponding connection terminates.
+.Pp
+A maximum of
+.Ar count
+rules starting from rule number
+.Ar base
+will be used for punching firewall holes.
+The range will be cleared when the
+.Dq nat punch_fw
+command is run.
+.Pp
+If no arguments are given, firewall punching is disabled.
 .It nat same_ports yes|no
 When enabled, this command will tell the network address translation engine to
 attempt to avoid changing the port number on outgoing packets.