Date: Wed, 30 Aug 2000 17:02:54 +0200 (CEST)
From: andreas@FreeBSD.org
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
Message-ID: <200008301502.e7UF2sp06263@klemm.gtn.com>
>Number: 20944
>Category: bin
>Synopsis: natd enhancements, default config file and manpage additions
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 30 08:20:03 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Andreas Klemm
>Release: FreeBSD-4.1
>Organization:
FreeBSD
>Environment:
4.1-STABLE
>Description:
- our natd source directory contains a samples/natd.cf.sample example
config file. It would be better to offer this config file in /etc
- you can force natd to read a special config file, but it
doesn't look for a default config file
- manpage doesn't have a FILES section
- if verbose=1, natd doesn't report which config file is being parsed
>How-To-Repeat:
cd /usr/src/
>Fix:
- teach natd to use a default config file /etc/natd.conf if present
- do not read default config file if natd has been invoked with the
command line options -config | -f file
(introduced new variable haveConfigFile to trigger that)
- teach natd to report which config file will be used, if verbose is set
- update documentation
- new file: src/etc/natd.conf
- update src/etc/Makefile, add natd.conf to BIN1
- document changes in natd.8
- Add missing FILES section in manpage
Here is the fix matching against FreeBSD-4.1-STABLE
of Tue Aug 29 23:43:25 CEST 2000
Sorry, no -current system around.
Index: etc/Makefile
===================================================================
RCS file: /home/ncvs/src/etc/Makefile,v
retrieving revision 1.219.2.7
diff -u -r1.219.2.7 Makefile
--- etc/Makefile 2000/08/28 20:25:50 1.219.2.7
+++ etc/Makefile 2000/08/30 14:18:31
@@ -8,7 +8,7 @@
dhclient.conf dm.conf fbtab ftpusers gettytab group \
hosts hosts.allow host.conf hosts.equiv hosts.lpd \
inetd.conf login.access login.conf \
- motd modems networks newsyslog.conf \
+ motd modems natd.conf networks newsyslog.conf \
pam.conf phones pim6dd.conf pim6sd.conf \
printcap profile protocols \
rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.isdn \
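Review bot: adding natd.conf to the BIN1 list installs it into /etc on every installworld, and with the natd.c change in this PR that file is then parsed on every natd start unless -f/-config is given; because the shipped file is entirely commented out this is harmless today, but the commit message should say explicitly that the file is installed as the live default rather than as a sample, so that administrators know an edit to it takes effect without any command-line flag.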
Index: etc/natd.conf
===================================================================
RCS file: natd.conf
diff -N natd.conf
--- /dev/null Wed Aug 30 16:51:28 2000
+++ natd.conf Wed Aug 30 16:16:21 2000
@@ -0,0 +1,93 @@
+#
+# Configuration file for natd.
+#
+# $FreeBSD$
+#
+# !!! This is an example! You will need to modify it for your specific
+# !!! requirements!
+#
+# Enable logging to file /var/log/alias.log
+#
+#log no
+#
+# Incoming connections. Should NEVER be set to "yes" if redirect_port
+# or redirect_address statements are activated in this file!
+#
+# Setting to yes provides additional anti-crack protection
+#
+#deny_incoming no
+#
+# Use sockets to avoid port clashes. Uses additional system resources, but
+# guarantees successful connections when port numbers conflict
+#
+#use_sockets no
+#
+# Avoid port changes if possible when altering outbound packets. Makes rlogin
+# work in most cases.
+#
+#same_ports yes
+#
+# Verbose mode. Enables dumping of packets and disables
+# forking to background. Only set to yes for debugging.
+#
+#verbose no
+#
+# Divert port. Can be a name in /etc/services or numeric value.
+#
+#port 32000
+#
+# Interface name or address being aliased. Either one,
+# not both is required.
+#
+# Obtain interface name from the command output of "ifconfig -a"
+#
+# alias_address 192.168.0.1
+#interface ep0
+#
+# Alias unregistered addresses or all addresses. Set this to yes if
+# the inside network is all RFC1918 addresses.
+#
+#unregistered_only no
+#
+# Configure permanent links. If you use host names instead
+# of addresses here, be sure that name server works BEFORE
+# natd is up - this is usually not the case. So either use
+# numeric addresses or hosts that are in /etc/hosts.
+#
+# Note: Current versions of FreeBSD all call /etc/rc.firewall
+# BEFORE running named, so if the DNS server and NAT are on the same
+# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
+#
+# Map connections coming to port 30000 to telnet in my_private_host.
+# Remember to allow the connection /etc/rc.firewall also.
+#
+#redirect_port tcp my_private_host:telnet 30000
+#
+# Map connections coming from host.xyz.com to port 30001 to
+# telnet in another_host.
+#redirect_port tcp another_host:telnet 30001 host.xyz.com
+#
+# Static NAT address mapping:
+#
+# ipconfig must apply any legal IP numbers that inside hosts
+# will be known by to the outside interface. These are sometimes known as
+# virtual IP numbers. It's suggested to use the "interface" directive
+# instead of the "alias_address" directive to make it more clear what is
+# going on. (although both will work)
+#
+# DNS in this situation can get hairy. For example, an inside host
+# named aweb.company.com is located at 192.168.1.56, and needs to be
+# accessible through a legal IP number like 198.105.232.1. If both
+# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
+# for aweb.company.com, then external hosts attempting to access
+# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
+#
+# The obvious solution is to use only a single address for the name, the
+# outside address. However, this creates needless traffic through the
+# NAT, because inside hosts will go through the NAT to get to the legal
+# number, even when the inside number is on the same subnet as they are!
+#
+# It's probably not a good idea to use DNS names in redirect_address statements
+#
+#The following mapping points outside address 198.105.232.1 to 192.168.1.56
+#redirect_address 192.168.1.56 198.105.232.1
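Review bot: the header lines "!!! This is an example! You will need to modify it for your specific requirements!" no longer match how the file is used once it lives in /etc: natd reads it automatically, so it should state that it is the default configuration file, that everything in it is commented out on purpose, and that any directive uncommented here is live on every start without -f. The comment on deny_incoming already warns that it must not be "yes" when redirect_port/redirect_address are active; since the redirect_port examples use hostnames (my_private_host, another_host) while the later note says DNS names are a bad idea and that rc.firewall runs before named, consider using numeric addresses in those example lines too, so that a copy-and-uncomment does not depend on name resolution at boot.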
Index: sbin/natd/natd.8
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.8,v
retrieving revision 1.27.2.5
diff -u -r1.27.2.5 natd.8
--- sbin/natd/natd.8 2000/07/17 10:11:03 1.27.2.5
+++ sbin/natd/natd.8 2000/08/30 13:38:13
@@ -540,6 +540,18 @@
Running the script in the background should be enough to prevent this
disaster.
.El
+.Sh FILES
+.Bl -tag -width /var/run/natd.pid -compact
+.It Pa /etc/natd.conf
+default configuration file
+.It Pa /etc/rc.conf
+for enabling natd and kernel firewall
+.It Pa /etc/rc.firewall
+firewall rules
+.It Pa /var/run/natd.pid
+pid of currently running
+.Nm
+.El
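Review bot: the manpage change documents /etc/natd.conf only in the new FILES section; the behavioural change itself (the file is read automatically when present, and giving -f/-config suppresses it) is not described anywhere in this diff, although the PR description says the documentation was updated. Add a sentence to the -config/-f option description, for example "If this option is not given, natd reads /etc/natd.conf if it exists", so that readers learn about the default from the option they would otherwise look up. The FILES section itself is fine: "-width /var/run/natd.pid" is the longest tag so the column width is right, and the trailing ".Nm" after "pid of currently running" renders correctly.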
.Sh SEE ALSO
.Xr divert 4 ,
.Xr protocols 5 ,
Index: sbin/natd/natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.25.2.3
diff -u -r1.25.2.3 natd.c
--- sbin/natd/natd.c 2000/07/11 20:00:57 1.25.2.3
+++ sbin/natd/natd.c 2000/08/30 14:32:13
@@ -126,6 +126,7 @@
static int dropIgnoredIncoming;
static int logDropped;
static int logFacility;
+static int haveConfigFile;
int main (int argc, char** argv)
{
@@ -160,6 +161,7 @@
dynamicMode = 0;
logDropped = 0;
logFacility = LOG_DAEMON;
+ haveConfigFile = 0;
/*
* Mark packet buffer empty.
*/
@@ -168,6 +170,13 @@
ParseArgs (argc, argv);
/*
+ * Read default config file, if present and no other config file is in use
+ */
+ if (haveConfigFile == 0) {
+ ReadConfigFile (DEFAULT_CONFIG);
+ }
+
+/*
* Open syslog channel.
*/
openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
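Review bot: the "if present" promise in the comment is not implemented: ReadConfigFile(DEFAULT_CONFIG) calls fopen() and on failure does err(1, "cannot open config file %s", ...), so on any system without /etc/natd.conf natd now exits at startup instead of running with command-line options only. Either test for the file first (e.g. access(DEFAULT_CONFIG, R_OK) == 0, or stat()) before calling ReadConfigFile, or give ReadConfigFile a flag that makes a missing default file non-fatal while keeping a missing -f file fatal. Second, the default file is read after ParseArgs() returns, so any directive in /etc/natd.conf overrides the options the user typed on the command line; reading the default file before ParseArgs (and letting -f replace it) would keep the usual precedence of command line over configuration file. Finally, the closing "+/*" of the inserted block is at column 0 while the surrounding comment was indented; align it with the original.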
@@ -1243,6 +1252,7 @@
case ConfigFile:
ReadConfigFile (strValue);
+ haveConfigFile=1;
break;
case LogDenied:
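Review bot: style nit on the added line: the file writes assignments as "logDropped = 0;" with spaces around "=", so "haveConfigFile=1;" should be "haveConfigFile = 1;". The placement after ReadConfigFile is fine since that function never returns on a missing file.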
@@ -1286,6 +1296,9 @@
file = fopen (fileName, "r");
if (!file)
err(1, "cannot open config file %s", fileName);
+
+ if (verbose)
+ printf ("using config file %s\n", fileName);
while ((buf = fgetln(file, &len)) != NULL) {
if (buf[len - 1] == '\n')
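Review bot: the added message goes to stdout via printf() while the error two lines above goes to stderr via err(); ReadConfigFile is reached from ParseArgs() and from the new default-file call, both of which run before openlog() in main(), so syslog is not yet available and fprintf(stderr, ...) would keep diagnostics on one stream. It would also be worth printing "using config file" after a successful parse, or not at all when verbose is later turned off by the file itself, since verbose may still hold the command-line value at this point.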
Index: sbin/natd/natd.h
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.h,v
retrieving revision 1.4
diff -u -r1.4 natd.h
--- sbin/natd/natd.h 1999/08/28 00:13:46 1.4
+++ sbin/natd/natd.h 2000/08/30 14:08:01
@@ -12,7 +12,8 @@
* $FreeBSD: src/sbin/natd/natd.h,v 1.4 1999/08/28 00:13:46 peter Exp $
*/
-#define PIDFILE "/var/run/natd.pid"
+#define PIDFILE "/var/run/natd.pid"
+#define DEFAULT_CONFIG "/etc/natd.conf"
#define INPUT 1
#define OUTPUT 2
#define DONT_KNOW 3
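Review bot: the PIDFILE line is removed and re-added with identical content, which is a whitespace-only change (presumably tab realignment) that adds noise to the diff and to cvs annotate; drop it and keep only the new DEFAULT_CONFIG define. DEFAULT_CONFIG itself follows the PIDFILE naming and placing it next to PIDFILE is the right spot.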
>Release-Note:
>Audit-Trail:
>Unformatted:
