From owner-freebsd-current@FreeBSD.ORG Tue Jun 10 02:46:58 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id CA88537B401; Tue, 10 Jun 2003 02:46:58 -0700 (PDT)
Received: from sec.ms.mff.cuni.cz (sec.ms.mff.cuni.cz [195.113.17.100])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id B53D943FB1; Tue, 10 Jun 2003 02:46:57 -0700 (PDT)
	(envelope-from petricek@sec.ms.mff.cuni.cz)
Received: from localhost (localhost [127.0.0.1])
	by sec.ms.mff.cuni.cz (8.12.8/8.12.8) with ESMTP id h5A9rmIV089515;
	Tue, 10 Jun 2003 11:53:48 +0200 (CEST)
	(envelope-from petricek@sec.ms.mff.cuni.cz)
Date: Tue, 10 Jun 2003 11:53:48 +0200 (CEST)
From: Vaclav Petricek
To: Ruslan Ermilov
In-Reply-To: <20030608230204.GB88799@sunbay.com>
References: <20030608220507.GA84706@sunbay.com> <20030608230204.GB88799@sunbay.com>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1938582547-1055238828=:89471"
cc: current@freebsd.org
cc: security@freebsd.org
Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Tue, 10 Jun 2003 09:46:59 -0000

--0-1938582547-1055238828=:89471
Content-Type: TEXT/PLAIN; charset=US-ASCII

> > > I was hoping proxy_only will do the trick but it does not seem to have
> > > any impact and the source address is changed anyway.
> > >
> > > A quick glance at the source did not help much to my understanding of the
> > > proxy_only option.
> > >
> > Confirmed as a bug.  The attached patch worked for me,
> > please test it.  You'll have to recompile and reinstall
> > libalias(3), then recompile and reinstall natd(8) with
> > new library.
> >
> I was too fast.  This patch doesn't work well.  It works
> in a sense that it doesn't modify source IP address of
> the proxied packets, but it doesn't work in a sense that
> reply packets do not undergo de-aliasing.  The attached
> patch is verified to work.  Please test it instead.

The patch works. Thank you very much.

I attach my attempt at a patch that should make it possible to omit the
alias_address and interface options in case proxy_only is specified. IMHO
in that situation these options are not used and should not be required by
natd.

Thank you for any comments on the diff (especially style).

Should I fire a PR?

Best regards,

Vaclav

--0-1938582547-1055238828=:89471
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="libalias-proxy_only-noalias.diff"
Content-Transfer-Encoding: BASE64
Content-Disposition: attachment; filename="libalias-proxy_only-noalias.diff"

--0-1938582547-1055238828=:89471--