From andreas@klemm.gtn.com  Wed Aug 30 08:15:40 2000
Return-Path: <andreas@klemm.gtn.com>
Received: from picalon.gun.de (picalon.gun.de [192.109.159.1])
	by hub.freebsd.org (Postfix) with ESMTP id 1210F37B422
	for <FreeBSD-gnats-submit@FreeBSD.org>; Wed, 30 Aug 2000 08:15:39 -0700 (PDT)
Received: (from uucp@localhost)
	by picalon.gun.de (8.9.3/8.9.3) id RAA03015
	for FreeBSD-gnats-submit@FreeBSD.org; Wed, 30 Aug 2000 17:15:22 +0200 (MET DST)
Message-Id: <200008301502.e7UF2sp06263@klemm.gtn.com>
Date: Wed, 30 Aug 2000 17:02:54 +0200 (CEST)
From: andreas@FreeBSD.org
Sender: andreas@klemm.gtn.com
Reply-To: andreas@FreeBSD.org
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
X-Send-Pr-Version: 3.2

>Number:         20944
>Category:       bin
>Synopsis:       natd(8) enhancements, default config file and manpage additions
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 30 08:20:03 PDT 2000
>Closed-Date:    
>Last-Modified:  Wed May 21 20:47:21 UTC 2008
>Originator:     Andreas Klemm
>Release:        FreeBSD-4.1
>Organization:
FreeBSD
>Environment:

	4.1-STABLE

>Description:

	- our natd source directory contains a samples/natd.cf.sample example
	  config file. It would be better to offer this config file in /etc
	- you can force natd to read a specific config file, but it
	  doesn't look for a default config file
	- manpage doesn't have a FILES section
	- if verbose=1, natd doesn't report which config file is being parsed

>How-To-Repeat:

	cd /usr/src/

>Fix:

	- teach natd to use a default config file /etc/natd.conf if present
	- do not read the default config file if natd has been invoked with the
	  command line option -config | -f file;
	  a new variable haveConfigFile tracks this
	- teach natd to report which config file will be used, if verbose is set
	- update documentation
	- new file: src/etc/natd.conf
	- update src/etc/Makefile, add natd.conf to BIN1
	- document changes in natd.8
	- Add missing FILES section in manpage

	Here is the fix matching against FreeBSD-4.1-STABLE
	of Tue Aug 29 23:43:25 CEST 2000
	Sorry, no -current system around.


Index: etc/Makefile
===================================================================
RCS file: /home/ncvs/src/etc/Makefile,v
retrieving revision 1.219.2.7
diff -u -r1.219.2.7 Makefile
--- etc/Makefile	2000/08/28 20:25:50	1.219.2.7
+++ etc/Makefile	2000/08/30 14:18:31
@@ -8,7 +8,7 @@
 	dhclient.conf dm.conf fbtab ftpusers gettytab group \
 	hosts hosts.allow host.conf hosts.equiv hosts.lpd \
 	inetd.conf login.access login.conf \
-	motd modems networks newsyslog.conf \
+	motd modems natd.conf networks newsyslog.conf \
 	pam.conf phones pim6dd.conf pim6sd.conf \
 	printcap profile protocols \
 	rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.isdn \
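Review bot: adding natd.conf to BIN1 installs it into /etc alongside the other BIN1 files, but the existing samples/natd.cf.sample mentioned in the Description is neither removed nor pointed at the new file, so two copies of the same example now have to be kept in sync; drop the sample from the natd source directory in the same change, or reduce it to a pointer at /etc/natd.conf.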
Index: etc/natd.conf
===================================================================
RCS file: natd.conf
diff -N natd.conf
--- /dev/null	Wed Aug 30 16:51:28 2000
+++ natd.conf	Wed Aug 30 16:16:21 2000
@@ -0,0 +1,93 @@
+#
+# Configuration file for natd.
+#
+# $FreeBSD$
+#
+# !!! This is an example! You will need to modify it for your specific
+# !!! requirements!
+#
+# Enable logging to file /var/log/alias.log
+#
+#log		no
+#
+# Incoming connections.  Should NEVER be set to "yes" if redirect_port
+# or redirect_address statements are activated in this file!
+#
+# Setting to yes provides additional anti-crack protection
+#
+#deny_incoming	no
+#
+# Use sockets to avoid port clashes.  Uses additional system resources, but
+# guarantees successful connections when port numbers conflict
+#
+#use_sockets	no
+#
+# Avoid port changes if possible when altering outbound packets. Makes rlogin
+# work in most cases.
+#
+#same_ports	yes
+#
+# Verbose mode. Enables dumping of packets and disables
+# forking to background.  Only set to yes for debugging.
+#
+#verbose		no
+#
+# Divert port. Can be a name in /etc/services or numeric value.
+#
+#port		32000
+#
+# Interface name or address being aliased. Either one,
+# not both is required.
+#
+# Obtain interface name from the command output of "ifconfig -a"
+#
+# alias_address	192.168.0.1
+#interface	ep0
+#
+# Alias unregistered addresses or all addresses.  Set this to yes if
+# the inside network is all RFC1918 addresses.
+#
+#unregistered_only	no
+#
+# Configure permanent links. If you use host names instead
+# of addresses here, be sure that name server works BEFORE
+# natd is up - this is usually not the case. So either use
+# numeric addresses or hosts that are in /etc/hosts.
+#
+# Note:  Current versions of FreeBSD all call /etc/rc.firewall
+# BEFORE running named, so if the DNS server and NAT are on the same
+# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
+#
+# Map connections coming to port 30000 to telnet in my_private_host.
+# Remember to allow the connection /etc/rc.firewall also.
+#
+#redirect_port		tcp my_private_host:telnet 30000
+#
+# Map connections coming from host.xyz.com to port 30001 to
+# telnet in another_host.
+#redirect_port		tcp another_host:telnet 30001 host.xyz.com
+#
+# Static NAT address mapping:
+#
+#  ipconfig must apply any legal IP numbers that inside hosts
+# will be known by to the outside interface.  These are sometimes known as
+# virtual IP numbers.  It's suggested to use the "interface" directive
+# instead of the "alias_address" directive to make it more clear what is
+# going on. (although both will work)
+#
+# DNS in this situation can get hairy.  For example, an inside host
+# named aweb.company.com is located at 192.168.1.56, and needs to be
+# accessible through a legal IP number like 198.105.232.1.  If both
+# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
+# for aweb.company.com, then external hosts attempting to access
+# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
+#
+# The obvious solution is to use only a single address for the name, the
+# outside address.  However, this creates needless traffic through the
+# NAT, because inside hosts will go through the NAT to get to the legal
+# number, even when the inside number is on the same subnet as they are!
+#
+# It's probably not a good idea to use DNS names in redirect_address statements
+#
+#The following mapping points outside address 198.105.232.1 to 192.168.1.56
+#redirect_address  192.168.1.56		198.105.232.1
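Review bot: every directive in this file is commented out, so as shipped it only documents the defaults; because the natd.c change reads it whenever natd runs without -f, a header line should say that anything uncommented here becomes a system-wide default for every natd started from rc.conf, not just for the setup the user is editing. Two comment corrections: "ipconfig must apply any legal IP numbers" in the static NAT paragraph should read "ifconfig", and the deny_incoming note would be clearer stating the consequence directly (with deny_incoming set, redirect_port and redirect_address targets become unreachable) rather than "Should NEVER be set". Since natd reads this file as root, the installed copy must stay root-owned and not writable by other users, otherwise a local user could add a redirect_port or redirect_address entry that natd picks up at the next start; the BIN1 install mode satisfies that, but it is worth stating in the file header for anyone who copies it elsewhere.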
Index: sbin/natd/natd.8
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.8,v
retrieving revision 1.27.2.5
diff -u -r1.27.2.5 natd.8
--- sbin/natd/natd.8	2000/07/17 10:11:03	1.27.2.5
+++ sbin/natd/natd.8	2000/08/30 13:38:13
@@ -540,6 +540,18 @@
 Running the script in the background should be enough to prevent this
 disaster.
 .El
+.Sh FILES
+.Bl -tag -width /var/run/natd.pid -compact
+.It Pa /etc/natd.conf
+default configuration file
+.It Pa /etc/rc.conf
+for enabling natd and kernel firewall
+.It Pa /etc/rc.firewall
+firewall rules
+.It Pa /var/run/natd.pid
+pid of currently running
+.Nm
+.El
 .Sh SEE ALSO
 .Xr divert 4 ,
 .Xr protocols 5 ,
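Review bot: the FILES entry calls /etc/natd.conf the "default configuration file" but nothing in the manpage says when it is read; the -f/-config option description should be updated to state that /etc/natd.conf is read only when no -f/-config option is given, that a directive in it is applied after the command line has been parsed, and what happens when the file is missing (with the natd.c change as submitted, natd exits with an error). For the /etc/rc.conf entry, naming ${natd_interface} and ${natd_flags} would tell the reader which knobs actually start natd.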
Index: sbin/natd/natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.25.2.3
diff -u -r1.25.2.3 natd.c
--- sbin/natd/natd.c	2000/07/11 20:00:57	1.25.2.3
+++ sbin/natd/natd.c	2000/08/30 14:32:13
@@ -126,6 +126,7 @@
 static  int			dropIgnoredIncoming;
 static  int			logDropped;
 static	int			logFacility;
+static  int			haveConfigFile;
 
 int main (int argc, char** argv)
 {
@@ -160,6 +161,7 @@
 	dynamicMode		= 0;
  	logDropped		= 0;
  	logFacility		= LOG_DAEMON;
+ 	haveConfigFile		= 0;
 /*
  * Mark packet buffer empty.
  */
@@ -168,6 +170,13 @@
 
 	ParseArgs (argc, argv);
 /*
+ * Read default config file, if present and no other config file is in use
+ */
+	if (haveConfigFile == 0) {
+		ReadConfigFile (DEFAULT_CONFIG);
+	}
+
+/*
  * Open syslog channel.
  */
 	openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
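Review bot: this does not implement "if present": ReadConfigFile calls err(1, "cannot open config file ...") when fopen fails (see the hunk at @@ -1286 below), so a machine without a readable /etc/natd.conf will have natd exit at startup once this is merged, which breaks every existing setup that starts natd from rc.conf with only ${natd_interface}. Either test before calling, e.g. `if (haveConfigFile == 0 && access(DEFAULT_CONFIG, R_OK) == 0)`, or give ReadConfigFile a flag under which ENOENT on the default file is not fatal; only ENOENT should be tolerated, since a file that exists but cannot be opened points at a permission problem that should not be silently skipped. Second, precedence: the default file is read after ParseArgs, so any directive uncommented in /etc/natd.conf overrides the same option given on the command line, the reverse of what users expect; either pre-scan argv for -f/-config and read the default file before ParseArgs, or document in natd.8 that the file wins.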
@@ -1243,6 +1252,7 @@
 
 	case ConfigFile:
 		ReadConfigFile (strValue);
+		haveConfigFile=1;
 		break;
 
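Review bot: `haveConfigFile=1;` should be `haveConfigFile = 1;` to match the spacing used in the surrounding assignments; setting it after the ReadConfigFile call is fine, since err() exits on failure and the flag only matters once main() returns from ParseArgs.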
 	case LogDenied:
@@ -1286,6 +1296,9 @@
 	file = fopen (fileName, "r");
 	if (!file)
 		err(1, "cannot open config file %s", fileName);
+
+	if (verbose)
+		printf ("using config file %s\n", fileName);
 
 	while ((buf = fgetln(file, &len)) != NULL) {
 		if (buf[len - 1] == '\n')
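Review bot: the message goes to stdout via printf, and in both call paths (from ParseArgs for -f, and from main for the default file) it runs before openlog, so stdout is the only channel available; that is acceptable for verbose mode, which also keeps natd in the foreground, but note that the check reads `verbose` before the file is parsed, so a `verbose yes` directive inside the file being opened does not enable this message for that file. Given the maintainer's objection in the thread, this hunk could be dropped without affecting the rest of the change.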
Index: sbin/natd/natd.h
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.h,v
retrieving revision 1.4
diff -u -r1.4 natd.h
--- sbin/natd/natd.h	1999/08/28 00:13:46	1.4
+++ sbin/natd/natd.h	2000/08/30 14:08:01
@@ -12,7 +12,8 @@
  * $FreeBSD: src/sbin/natd/natd.h,v 1.4 1999/08/28 00:13:46 peter Exp $
  */
 
-#define PIDFILE	"/var/run/natd.pid"
+#define PIDFILE		"/var/run/natd.pid"
+#define DEFAULT_CONFIG	"/etc/natd.conf"
 #define	INPUT		1
 #define	OUTPUT		2
 #define	DONT_KNOW	3
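Review bot: the PIDFILE line changes only whitespace (one tab to two) and is otherwise untouched; drop that line from the diff so the hunk contains just the new DEFAULT_CONFIG define, which keeps the change minimal and easier to audit.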


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Aug 31 03:15:40 PDT 2000 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20944 

From: Ruslan Ermilov <ru@sunbay.com>
To: andreas@FreeBSD.org
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
Date: Fri, 1 Sep 2000 18:55:13 +0300

 On Wed, Aug 30, 2000 at 05:02:54PM +0200, andreas@FreeBSD.org wrote:
 > Problem:
 > - our natd source directory contains a samples/natd.cf.sample example
 >   config file.
 > 
 > Fix:
 > - It would be better to offer this config file in /etc
 > 
 It makes sense to install this file in /usr/share/examples/natd.
 
 > Problem:
 > - you can force natd to read a special config file, but it
 >   doesn't look for a default config file
 > 
 > Fix:
 > - teach natd to use a default config file /etc/natd.conf if present
 > 
 > - do not read default config file if natd has been invoked with the
 >   command line options -config | -f file
 >   introduced new variable haveConfigFile to trigger that
 > 
 I don't like the idea of forcing natd to use a config file.
 
 > Problem:
 > - if verbose=1, natd doesn't report, which config file is being parsed
 > 
 > Fix:
 > - teach natd to report which config file will be used, if verbose is set
 > 
 Why would it do so?  You already know what the file is because it is you
 who tells it what file it should use with -f option.  After all, -v option
 is provided solely for debugging purposes, see the manpage.
 
 > Problem:
 > - manpage doesn't have a FILES section
 > 
 > Fix:
 > - Add missing FILES section in manpage
 > 
 Will do, thanks.
 
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 

From: Andreas Klemm <andreas@klemm.gtn.com>
To: Ruslan Ermilov <ru@sunbay.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
Date: Fri, 1 Sep 2000 18:22:24 +0200

 On Fri, Sep 01, 2000 at 06:55:13PM +0300, Ruslan Ermilov wrote:
 > On Wed, Aug 30, 2000 at 05:02:54PM +0200, andreas@FreeBSD.org wrote:
 > > Problem:
 > > - our natd source directory contains a samples/natd.cf.sample example
 > >   config file.
 > > Fix:
 > > - It would be better to offer this config file in /etc
 > > 
 > It makes sense to install this file in /usr/share/examples/natd.
 
 If you don't like it in /etc, yes it would make sense, but please
 see my comments below.
 
 > > Problem:
 > > - you can force natd to read a special config file, but it
 > >   doesn't look for a default config file
 > > 
 > > Fix:
 > > - teach natd to use a default config file /etc/natd.conf if present
 > > 
 > > - do not read default config file if natd has been invoked with the
 > >   command line options -config | -f file
 > >   introduced new variable haveConfigFile to trigger that
 >
 > I don't like the idea of forcing natd to use a config file.
 
 Is there a certain technical or aesthetic reason behind it ?
 Or is it the old "I want it minimalistic" approach (sorry ;-).
 
 We already offer prepared configuration files in /etc to make
 it easier for users to configure system services.
 
 I think the current situation of not having /etc/natd.conf in
 /etc is not consistent with our nifty firewall enabling solution.
 
 For firewalling we offer the user a bunch of predefined defaults
 as example via rc.firewall.
 
 natd also is an important service concerning firewall / gateway
 machines.
 
 Additionally I think it makes it easier to distribute a natd
 configuration across several machines, compared to a natd_flags
 entry in rc.conf which is mainly created via system installation.
 
 So in my eyes it would be a consistent step forward to have
 a /etc/natd.conf file in /etc.
 
 > > Problem:
 > > - if verbose=1, natd doesn't report, which config file is being parsed
 > > 
 > > Fix:
 > > - teach natd to report which config file will be used, if verbose is set
 > > 
 > Why would it do so?  You already know what the file is because it is you
 > who tells it what file it should use with -f option.  After all, -v option
 > is provided solely for debugging purposes, see the manpage.
 
 It was mainly for me for testing purposes, that my patch is working
 correctly. After that I decided to leave it in, since it doesn't
 disturb in my eyes. Feel free to remove it if you dislike this
 little message.
 
 > > - manpage doesn't have a FILES section
 > > Fix:
 > > - Add missing FILES section in manpage
 > > 
 > Will do, thanks.
 
 O.k. thanks.
 
 -- 
 Andreas Klemm                                           Powered by FreeBSD SMP
 Songs from our band >>64Bits<<............http://www.apsfilter.org/64bits.html
 My homepage................................ http://people.FreeBSD.ORG/~andreas
 Please note: Apsfilter got a NEW HOME................http://www.apsfilter.org/
 
 

From: Ruslan Ermilov <ru@sunbay.com>
To: Andreas Klemm <andreas@klemm.gtn.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
Date: Fri, 1 Sep 2000 20:05:29 +0300

 On Fri, Sep 01, 2000 at 06:22:24PM +0200, Andreas Klemm wrote:
 > On Fri, Sep 01, 2000 at 06:55:13PM +0300, Ruslan Ermilov wrote:
 [...]
 > > I don't like the idea of forcing natd to use a config file.
 > 
 > Is there a certain technical or aesthetic reason behind it ?
 > Or is it the old "I want it minimalistic" approach (sorry ;-).
 > 
 The reason is simple - in a typical setup running natd with just
 a network interface as an argument is sufficient.  But if we would
 use the configuration file by default, then how would we export
 ${natd_interface} into /etc/natd.conf?
 
 > We already offer prepared configuration files in /etc to make
 > it easier for users to configure system services.
 > 
 Sure, and for that reason we have ${natd_flags} here.  Putting
 natd_flags="-f /etc/natd.conf"
 in /etc/rc.conf is essentially equivalent to part of your patch
 that forces natd(8) to use config file.
 
 > I think the current situation of not having /etc/natd.conf in
 > /etc is not consistent with our nifty firewall enabling solution.
 > 
 > For firewalling we offer the user a bunch of predefined defaults
 > as example via rc.firewall.
 > 
 > natd also is an important service concerning firewall / gateway
 > machines.
 > 
 I can't see what you would put into /etc/natd.conf except for the
 default values, so forcing natd to always read this file would just
 be a waste of startup time.  Your firewall example is not good,
 because firewall does not have the default (preconfigured) ruleset
 while natd(8) does for its options.
 
 > Additionally I think it makes it easier to distribute a natd
 > configuration across several machines, compared to a natd_flags
 > entry in rc.conf which is mainly created via system installation.
 > 
 I can't see how that would help to distribute the natd configuration.
 You can put ${natd_flags} into /etc/rc.conf.local, or into
 /etc/rc.conf.site and add /etc/rc.conf.site to the list of
 ${rc_conf_files}, or ...
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 

From: Andreas Klemm <andreas@klemm.gtn.com>
To: Ruslan Ermilov <ru@sunbay.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf)
Date: Fri, 1 Sep 2000 20:16:54 +0200

 On Fri, Sep 01, 2000 at 08:05:29PM +0300, Ruslan Ermilov wrote:
 > On Fri, Sep 01, 2000 at 06:22:24PM +0200, Andreas Klemm wrote:
 > > On Fri, Sep 01, 2000 at 06:55:13PM +0300, Ruslan Ermilov wrote:
 > [...]
 > > > I don't like the idea of forcing natd to use a config file.
 > > 
 > > Is there a certain technical or aesthetic reason behind it ?
 > > Or is it the old "I want it minimalistic" approach (sorry ;-).
 > > 
 > The reason is simple - in a typical setup running natd with just
 > a network interface as an argument is sufficient.  But if we would
 > use the configuration file by default, then how would we export
 > ${natd_interface} into /etc/natd.conf?
 
 keep ${natd_interface} to specify what interface natd should use.
 /etc/natd.conf is for the rest like -redirect_xxx, where multiple
 redirects would result in a very long command line.
 
 That was my basic idea ...
 
 I thought the commandline in complex environments might become
 relatively long and prone to editing errors.
 
 The /etc/natd.conf file could contain the "complex" part of configuration,
 whereas the commandline only gets arguments like ${natd_interface}.
 
 > > We already offer prepared configuration files in /etc to make
 > > it easier for users to configure system services.
 > > 
 > Sure, and for that reason we have ${natd_flags} here.  Putting
 > natd_flags="-f /etc/natd.conf"
 > in /etc/rc.conf is essentially equivalent to part of your patch
 > that forces natd(8) to use config file.
 
 Nearly every utility has a default config file.
 And I think it would be good if FreeBSD also had a default
 place for a natd config file, as other services have, like
 amd, csh, dhclient, ...
 
 > > I think the current situation of not having /etc/natd.conf in
 > > /etc is not consistent with our nifty firewall enabling solution.
 > > 
 > > For firewalling we offer the user a bunch of predefined defaults
 > > as example via rc.firewall.
 > > 
 > > natd also is an important service concerning firewall / gateway
 > > machines.
 > > 
 > I can't see what you would put into /etc/natd.conf except for the
 > default values, so forcing natd to always read this file would just
 > be a waste of startup time.
 
 Isn't it the same for hosts.allow ?
 
 > Your firewall example is not good,
 > because firewall does not have the default (preconfigured) ruleset
 > while natd(8) does for its options.
 
 o.k., I understand that difference.
 
 O.k., my last weapon, until I let you nuke my changes ;-)
 And what about user friendliness ?
 
 (BTW what a waste of time, and I thought it would make sense :-/ )
 
 -- 
 Andreas Klemm                                           Powered by FreeBSD SMP
 Songs from our band >>64Bits<<............http://www.apsfilter.org/64bits.html
 My homepage................................ http://people.FreeBSD.ORG/~andreas
 Please note: Apsfilter got a NEW HOME................http://www.apsfilter.org/
 
 
Responsible-Changed-From-To: ru->freebsd-bugs 
Responsible-Changed-By: ru 
Responsible-Changed-When: Fri Apr 16 23:16:29 PDT 2004 
Responsible-Changed-Why:  
ENOTIME. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20944 
>Unformatted:
