Date: Tue, 10 Jun 2003 11:53:48 +0200 (CEST) From: Vaclav Petricek <petricek@sec.ms.mff.cuni.cz> To: Ruslan Ermilov <ru@freebsd.org> Cc: security@freebsd.org Subject: Re: redirect unauthorized users to a login page (natd as atransparent proxy) Message-ID: <Pine.BSF.4.50.0306101148160.89471-200000@sec.ms.mff.cuni.cz> In-Reply-To: <20030608230204.GB88799@sunbay.com> References: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz> <20030608220507.GA84706@sunbay.com> <20030608230204.GB88799@sunbay.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] > > > I was hoping proxy_only will do the trick but it does not seem to have > > > any impact and the source address is changed anyway. > > > > > > A quick glance at the source did not help much to my understanding of the > > > proxy_only option. > > > > > Confirmed as a bug. The attached patch worked for me, > > please test it. You'll have to recompile and reinstall > > libalias(3), then recompile and reinstall natd(8) with > > new library. > > > I was too fast. This patch doesn't work well. It works > in a sense that it doesn't modify source IP address of > the proxied packets, but it doesn't work in a sense that > reply packets do not undergo de-aliasing. The attached > patch is verified to work. Please test it instead. The patch works. Thank you very much. I attach my attempt on a patch that should make it possible to ommit the alias_address and interface options in case proxy_only is specified. IMHO in that situation these options are not used and should not be required by natd.. Thank you for any comments on the diff (especially style). Should I fire a PR? Best regards, Vaclav [-- Attachment #2 --] --- natd.c.orig Tue Jun 10 11:11:28 2003 +++ natd.c Tue Jun 10 11:35:59 2003 @@ -131,6 +131,7 @@ struct sockaddr_in addr; fd_set readMask; int fdMax; + int proxy_only; /* * Initialize packet aliasing software. * Done already here to be able to alter option bits @@ -170,7 +171,9 @@ /* * Check that valid aliasing address has been given. */ - if (aliasAddr.s_addr == INADDR_NONE && ifName == NULL) + + proxy_only = (PacketAliasSetMode(0,0) & PKT_ALIAS_PROXY_ONLY); + if (aliasAddr.s_addr == INADDR_NONE && ifName == NULL && !proxy_only) errx (1, "aliasing address not given"); if (aliasAddr.s_addr != INADDR_NONE && ifName != NULL)help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.50.0306101148160.89471-200000>