History log of /openbsd-src/usr.sbin/ftp-proxy/ftp-proxy.c (Results 1 – 25 of 39)
Revision Date Author Comments
# b7041c07 24-Oct-2021 deraadt <deraadt@openbsd.org>

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


# 65e34726 12-Feb-2020 schwarze <schwarze@openbsd.org>

Standardize argument naming for "sourceaddr" and unify the wording a bit,
similar to what deraadt@ recently did in other manual pages.


# df69c215 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# ec8c1742 26-Sep-2016 jca <jca@openbsd.org>

Exit early from rdaemon() if the passed fd is invalid.

fd == -1 check suggested by deraadt@, ok florian@


# 7307f9fa 15-Sep-2016 jca <jca@openbsd.org>

Go in the background later, using rdaemon().

rdaemon() works like daemon(3) but requires its caller to pre-open
/dev/null. This makes it possible to go in the background after
a chroot(2), allowing for more error checking. The pattern is basically
- open /dev/null
- chroot
- privdrop
- rdaemon

"design" initially discussed with semarie@ a while ago, ok dlg@


# c097a3c6 12-Feb-2016 ajacoutot <ajacoutot@openbsd.org>

Exit early with an error if the "_ftp_proxy" user does not exist. This prevents
rc.d waiting up to 30 secs when starting ftp-proxy right after updating from 5.8
because at that point sysmerge(8) would not have had a chance to run yet and the
unpriv user would not exist.

issue reported by sthen@
ok sthen@ benno@ jca@


# ca70fba4 22-Dec-2015 mmcc <mmcc@openbsd.org>

commiting -> committing


# 438e85a9 04-Dec-2015 sebastia <sebastia@openbsd.org>

Make the NOPRIV_USER match that is actually intended to be used for
that. Problem introduced since tftp-proxy and ftp-proxy have separate
nonpriv users.

OK deraadt@


# af84f1af 01-Dec-2015 deraadt <deraadt@openbsd.org>

switch to new _ftp_proxy user; ok dlg


# 68928c43 21-Jan-2015 deraadt <deraadt@openbsd.org>

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.


# abcbcc4d 13-Sep-2014 doug <doug@openbsd.org>

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 5e170729 15-Mar-2013 benno <benno@openbsd.org>

camield requested backout of rev 1.26, and indeed ftp-proxy does not
need it.


# 62e3c252 11-Mar-2013 deraadt <deraadt@openbsd.org>

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 335c62d9 10-Mar-2013 benno <benno@openbsd.org>

reserve a filedescriptor on accept() for subsequent connect() call, as
done in relayd.
ok sthen, deraadt


# bc3a204f 05-Apr-2012 camield <camield@openbsd.org>

Rate-limit accepting of new connections while we are experiencing
fd exhaustion.

ok deraadt mikeb


# f9bbbf45 04-Mar-2012 fgsch <fgsch@openbsd.org>

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


# 13ae2b57 21-Jun-2011 mikeb <mikeb@openbsd.org>

Convert SO_RTABLE's protocol level to the SOL_SOCKET; ok claudio


# 48ed0d11 28-Apr-2011 mikeb <mikeb@openbsd.org>

switch ftp-proxy over to divert-to instead of rdr-to. this avoids
an expensive state lookup (via natlook ioctl) and shrinks the code.
tested by me and sthen, ok reyk sthen


# 85ec68ab 25-Mar-2011 claudio <claudio@openbsd.org>

Use the rdomain information returned by DIOCNATLOOK to install the
nat-to and rdr-to rules with correct rtable rule attributes. This
allows to use ftp-proxy to proxy across rdomains.
Tested and OK phessler@, OK henning@


# bb9fd9ec 01-Sep-2009 claudio <claudio@openbsd.org>

Bring ftp-proxy in sync with the massive pf change just committed by Henning.
This changes the way the rdr/nat rules are added to pf. Now only a single
anchor is needed (the other ones do no longer exist).
To convert your ruleset you need something like this at the start of your
ruleset:
# filter rules and anchors for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

This was tested by myself, sthen@, dlg@ and I think many more. OK by the same
people plus henning.


# 8562b6e2 13-Jun-2008 claudio <claudio@openbsd.org>

Better error messages. Include the function causing the problem and do not
include the program name in logmsg() plus exit_daemon() does not return so
make it a void function. OK mpf@


# 6767c32e 22-Apr-2008 joel <joel@openbsd.org>

Flush output buffers before closing TCP session. Fixes the case where
the proxy would eat the 221 response coming from the server towards the
client.

Patch from camield@. Tested by Camiel and myself.


ok camield@


# 66ad965f 13-Apr-2008 djm <djm@openbsd.org>

Use arc4random_buf() when requesting more than a single word of output

Use arc4random_uniform() when the desired random number upper bound
is not a power of two

ok deraadt@ millert@


# f9b24bdc 26-Feb-2008 henning <henning@openbsd.org>

Don't pass quick when tagging, so the tag can be used outside
the ftp-proxy anchor. Exotic setups with route-to etc.
can be implemented this way.
from camield, ok reyk beck canacar and manpage polished by jmc


# 9136fc3f 15-Aug-2007 camield <camield@openbsd.org>

Some servers / proxies out there like to open the data connection
immediately after the client sends the PORT command. The "normal"
behaviour is to wait for the client to actually request a transfer.
Make ftp-proxy add the active mode rules immediately too, so that
both scenarios work.

ok david pyr

Tested by Frank Denis, Stephan A. Rickauer, Ingo Schwarze, Stuart
Henderson. Thanks.

