1 /* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */
4 * Copyright (c) 1996-2001
5 * Obtuse Systems Corporation. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Obtuse Systems nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE OBTUSE SYSTEMS AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE
23 * SYSTEMS CORPORATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30 * OF THE POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #include <sys/ioctl.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
41 #include <net/pfvar.h>
43 #include <arpa/inet.h>
/* Defined in another translation unit; its meaning is not visible in this file. */
extern int ReverseMode;

/*
 * Local address that back-channel sockets are bound to.  INADDR_NONE is
 * the "not configured" sentinel: get_backchannel_socket() then binds to
 * INADDR_ANY or to the address taken from its sap argument instead of
 * this value.
 */
in_addr_t Bind_Addr = INADDR_NONE;

/* Level-gated debug logging to syslog(3); see the definition below. */
void debuglog(int debug_level, const char *fmt, ...);
/*
 * debuglog: emit a message to syslog(3) at LOG_DEBUG, but only when the
 * global Debug_Level (defined elsewhere) is at least debug_level.
 *
 * fmt and the variadic arguments are passed to vsyslog() unchanged, so
 * callers must supply a literal format string -- never text that came
 * off the wire (format-string injection).  All callers visible in this
 * file do pass literals.
 * NOTE(review): the va_start()/va_end() around the call is not visible
 * in this excerpt.
 */
debuglog(int debug_level, const char *fmt, ...)
	/* Cheap early filter: a suppressed message costs only this compare. */
	if (Debug_Level >= debug_level)
		vsyslog(LOG_DEBUG, fmt, ap);
/*
 * get_proxy_env: recover, for an accepted connection, the three
 * addresses the proxy needs.
 *   connected_fd        - a connected socket (the lookup hard-codes
 *                         AF_INET and IPPROTO_TCP)
 *   proxy_sa_ptr        - out: our own end of connected_fd (getsockname)
 *   client_sa_ptr       - out: the peer that connected to us (getpeername)
 *   real_server_sa_ptr  - out: the destination the client was originally
 *                         heading for, as pf(4) recorded it for this
 *                         connection (DIOCNATLOOK on /dev/pf)
 * Failure to open /dev/pf is fatal (exit(EX_UNAVAILABLE)); the other
 * error paths log via syslog(3).  The return value and the close(fd)
 * after the lookup are not visible in this excerpt -- make sure the
 * descriptor is released on both the success and the failure path.
 */
get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr,
    struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr)
	struct pfioc_natlook natlook;

	/* Local end of the connection: the address pf redirected the client to. */
	slen = sizeof(*proxy_sa_ptr);
	if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr,
		syslog(LOG_ERR, "getsockname() failed (%m)");

	/* Remote end: who actually connected to us. */
	slen = sizeof(*client_sa_ptr);
	if (getpeername(connected_fd, (struct sockaddr *)client_sa_ptr,
		syslog(LOG_ERR, "getpeername() failed (%m)");

	/*
	 * Build the pf natlook key from the kernel's view of this
	 * connection (the two sockaddrs above), never from anything the
	 * client sent in-band -- so a client cannot steer the lookup at a
	 * state other than its own.
	 * IPv4 only: just addr32[0] of each pf_addr is filled in, and the
	 * sockaddr_in casts above assume AF_INET (no family check is
	 * visible here).
	 */
	memset((void *)&natlook, 0, sizeof(natlook));
	natlook.af = AF_INET;
	natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr;
	natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr;
	natlook.proto = IPPROTO_TCP;
	natlook.sport = client_sa_ptr->sin_port;	/* network byte order, as in sockaddr_in */
	natlook.dport = proxy_sa_ptr->sin_port;
	natlook.direction = PF_OUT;

	/*
	 * Open the pf device and look up the mapping pair to find the
	 * original address the client was supposed to reach.
	 * NOTE(review): DIOCNATLOOK is a query; if this pf version permits
	 * it on a read-only descriptor, O_RDONLY would be the
	 * least-privilege choice -- confirm against pf(4) before changing.
	 */
	fd = open("/dev/pf", O_RDWR);
		syslog(LOG_ERR, "cannot open /dev/pf (%m)");
		exit(EX_UNAVAILABLE);

	if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
		/* No matching state: log the client so the miss can be correlated. */
		    "pf nat lookup failed %s:%hu (%m)",
		    inet_ntoa(client_sa_ptr->sin_addr),
		    ntohs(client_sa_ptr->sin_port));

	/*
	 * Hand the original destination (pf's rdaddr/rdport for this state)
	 * back to the caller as a fully formed sockaddr_in.  rdport and
	 * rdaddr are copied without byte-order conversion, consistent with
	 * sport/dport having been fed in straight from sin_port above.
	 */
	memset((void *)real_server_sa_ptr, 0, sizeof(struct sockaddr_in));
	real_server_sa_ptr->sin_port = natlook.rdport;
	real_server_sa_ptr->sin_addr.s_addr = natlook.rdaddr.addr32[0];
	real_server_sa_ptr->sin_len = sizeof(struct sockaddr_in);
	real_server_sa_ptr->sin_family = AF_INET;
149 * Transfer one unit of data across a pair of sockets
 * A unit of data is as much as we get with a single recv(2) call.
/*
 * xfer_data: relay one unit of data from from_fd to to_fd, honouring
 * TCP urgent (out-of-band) data.  One unit is whatever a single
 * recv(2) returns; all of it is then pushed to to_fd with a send(2)
 * loop that copes with short writes.
 *   what_read  - tag naming this direction, used only in log messages
 *   from_fd    - socket to read from
 *   to_fd      - socket to write to
 *   from       - address of the sender, used in log messages
 * Any further parameters, the return value, the declarations of tbuf
 * and wlen, and the tail of the function are not visible in this
 * excerpt.  Bounds: recv() is limited to sizeof(tbuf) and every send()
 * sources from within [offset, rlen) of that same buffer.
 */
xfer_data(const char *what_read,int from_fd, int to_fd, struct in_addr from,
	int rlen, offset, xerrno, mark, flags = 0;	/* xerrno is not used in the visible lines */

	/*
	 * If the receive pointer sits at the urgent-data mark, read with
	 * MSG_OOB so the urgent byte is picked up rather than skipped.
	 */
	if (ioctl(from_fd, SIOCATMARK, &mark) < 0) {
		syslog(LOG_ERR, "cannot ioctl(SIOCATMARK) socket from %s (%m)",
		flags = MSG_OOB; /* Yes - at the OOB mark */

	rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
	if (rlen == -1 && flags == MSG_OOB && errno == EINVAL) {
		/*
		 * The OOB read was refused (EINVAL): retry as a normal read.
		 * The reset of flags before this retry is not visible here.
		 */
		rlen = recv(from_fd, tbuf, sizeof(tbuf), flags);
		/* EOF branch (condition not visible): recv() returned no data. */
		debuglog(3, "EOF on read socket");
	} else if (rlen == -1) {
		/* Transient conditions are not errors; anything else is logged with the flags used (octal). */
		if (errno == EAGAIN || errno == EINTR)
		syslog(LOG_ERR, "xfer_data (%s): failed (%m) with flags 0%o",

	debuglog(3, "got %d bytes from socket", rlen);

	/*
	 * Push everything that was read.  send() may accept fewer bytes
	 * than asked for, so advance offset and loop until rlen is reached.
	 * The send() flags argument is on a line not shown here.
	 */
	while (offset < rlen) {
		wlen = send(to_fd, &tbuf[offset], rlen - offset,
			debuglog(3, "zero-length write");
		} else if (wlen == -1) {
			/* Same retry policy as the read side: EAGAIN/EINTR are not failures. */
			if (errno == EAGAIN || errno == EINTR)
			syslog(LOG_INFO, "write failed (%m)");
		debuglog(3, "wrote %d bytes to socket",wlen);
220 * get_backchannel_socket gets us a socket bound somewhere in a
221 * particular range of ports
224 get_backchannel_socket(int type, int min_port, int max_port, int start_port,
225 int direction, struct sockaddr_in *sap)
230 * Make sure that direction is 'defined' and that min_port is not
231 * greater than max_port.
236 /* by default we go up by one port until we find one */
237 if (min_port > max_port) {
242 count = 1 + max_port - min_port;
245 * Pick a port we can bind to from within the range we want.
246 * If the caller specifies -1 as the starting port number then
247 * we pick one somewhere in the range to try.
248 * This is an optimization intended to speedup port selection and
249 * has NOTHING to do with security.
251 if (start_port == -1)
252 start_port = (arc4random() % count) + min_port;
254 if (start_port < min_port || start_port > max_port) {
259 while (count-- > 0) {
260 struct sockaddr_in sa;
263 fd = socket(AF_INET, type, 0);
265 bzero(&sa, sizeof sa);
266 sa.sin_family = AF_INET;
267 if (Bind_Addr == INADDR_NONE)
269 sa.sin_addr.s_addr = INADDR_ANY;
271 sa.sin_addr.s_addr = sap->sin_addr.s_addr;
273 sa.sin_addr.s_addr = Bind_Addr;
276 * Indicate that we want to reuse a port if it happens that the
277 * port in question was a listen port recently.
280 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one,
284 sa.sin_port = htons(start_port);
286 if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
292 if (errno != EADDRINUSE)
295 /* if it's in use, try the next port */
298 start_port += direction;
299 if (start_port < min_port)
300 start_port = max_port;
301 else if (start_port > max_port)
302 start_port = min_port;