-rw-r--r--debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch130
-rw-r--r--debian/patches/series1
-rw-r--r--nxcomp/Loop.cpp41
-rw-r--r--nxcomp/Misc.cpp10
-rw-r--r--nxcomp/Misc.h8
5 files changed, 55 insertions, 135 deletions
diff --git a/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch b/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch
deleted file mode 100644
index c65b85501..000000000
--- a/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Description: Force NX proxy to bind to loopback devices only (loopback option)
-Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
---- a/nxcomp/Loop.cpp
-+++ b/nxcomp/Loop.cpp
-@@ -952,6 +952,7 @@
- static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
- static char authCookie[DEFAULT_STRING_LENGTH] = { 0 };
-
-+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
- static int proxyPort = DEFAULT_NX_PROXY_PORT;
- static int xPort = DEFAULT_NX_X_PORT;
-
-@@ -3959,7 +3960,14 @@
-
- tcpAddr.sin_family = AF_INET;
- tcpAddr.sin_port = htons(proxyPortTCP);
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
- {
-@@ -4550,7 +4558,14 @@
-
- tcpAddr.sin_family = AF_INET;
- tcpAddr.sin_port = htons(portTCP);
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
- {
-@@ -6718,7 +6733,14 @@
-
- #ifdef __APPLE__
-
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- #else
-
-@@ -8397,6 +8419,10 @@
-
- listenPort = ValidateArg("local", name, value);
- }
-+ else if (strcasecmp(name, "loopback") == 0)
-+ {
-+ loopbackBind = ValidateArg("local", name, value);
-+ }
- else if (strcasecmp(name, "accept") == 0)
- {
- if (*connectHost != '\0')
-@@ -13778,7 +13804,14 @@
- }
- else
- {
-- address = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ address = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ address = htonl(INADDR_ANY);
-+ }
- }
- }
- else
---- a/nxcomp/Misc.cpp
-+++ b/nxcomp/Misc.cpp
-@@ -42,6 +42,14 @@
- #undef DEBUG
-
- //
-+// By default nxproxy binds to all network interfaces, setting
-+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
-+// device only.
-+//
-+
-+const int DEFAULT_LOOPBACK_BIND = 0;
-+
-+//
- // TCP port offset applied to any NX port specification.
- //
-
-@@ -137,6 +145,8 @@
- \n\
- listen=n Local port used for accepting the proxy connection.\n\
- \n\
-+ loopback=b Bind to the loopback device only.\n\
-+\n\
- accept=s Name or IP of host that can connect to the proxy.\n\
- \n\
- connect=s Name or IP of host that the proxy will connect to.\n\
---- a/nxcomp/Misc.h
-+++ b/nxcomp/Misc.h
-@@ -90,6 +90,14 @@
- extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
-
- //
-+// NX proxy binds to all network interfaces by default
-+// With the -loopback parameter, you can switch
-+// over to binding to the loopback device only.
-+//
-+
-+extern const int DEFAULT_LOOPBACK_BIND;
-+
-+//
- // Return strings containing various info.
- //
-
diff --git a/debian/patches/series b/debian/patches/series
index b6a467730..30ed936f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-220_nxproxy_bind-loopback-only.full+lite.patch
300_nxagent_set-wm-class.full.patch
301_nx-X11_use-shared-libs.full.patch
302_nx-X11_xkbbasedir-detection.full.patch
diff --git a/nxcomp/Loop.cpp b/nxcomp/Loop.cpp
index 05b514570..77b0c806c 100644
--- a/nxcomp/Loop.cpp
+++ b/nxcomp/Loop.cpp
@@ -952,6 +952,7 @@ static char listenHost[DEFAULT_STRING_LENGTH] = { 0 };
static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
static char authCookie[DEFAULT_STRING_LENGTH] = { 0 };
+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
static int proxyPort = DEFAULT_NX_PROXY_PORT;
static int xPort = DEFAULT_NX_X_PORT;
@@ -3959,7 +3960,14 @@ int SetupTcpSocket()
tcpAddr.sin_family = AF_INET;
tcpAddr.sin_port = htons(proxyPortTCP);
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
{
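Review bot: The five-line `if ( loopbackBind )` / `else` block is pasted here in SetupTcpSocket() and again in the ListenConnection(), WaitForRemote() and ParseListenOption() hunks, so a listener added later can easily miss the option and fall back to INADDR_ANY. Keeping the choice in one expression makes the bind policy auditable in a single place: `tcpAddr.sin_addr.s_addr = htonl(loopbackBind ? INADDR_LOOPBACK : INADDR_ANY);`, or a small static helper returning that value and used at all four sites. SetupTcpSocket()'s body starts and ends outside the hunk.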
@@ -4550,7 +4558,14 @@ int ListenConnection(int port, const char *label)
tcpAddr.sin_family = AF_INET;
tcpAddr.sin_port = htons(portTCP);
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
{
@@ -6718,7 +6733,14 @@ int WaitForRemote(int portNum)
#ifdef __APPLE__
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
#else
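Review bot: Only the `#ifdef __APPLE__` branch of WaitForRemote() is made to honour `loopbackBind`; the `#else` branch lies outside the hunk, so it cannot be seen from here whether the other platforms get the loopback address for this listener. If that branch takes its address from ParseListenOption(), the last Loop.cpp hunk covers it, and a comment at the `#else` would make that checkable, for example `// Address comes from ParseListenOption(), which applies loopbackBind.` This should be confirmed before `loopback=1` is relied on to keep this socket off external interfaces.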
@@ -8397,6 +8419,10 @@ int ParseEnvironmentOptions(const char *env, int force)
listenPort = ValidateArg("local", name, value);
}
+ else if (strcasecmp(name, "loopback") == 0)
+ {
+ loopbackBind = ValidateArg("local", name, value);
+ }
else if (strcasecmp(name, "accept") == 0)
{
if (*connectHost != '\0')
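Review bot: `loopbackBind` stores whatever ValidateArg() returns, although UsageInfo documents the option as a boolean (`loopback=b`). ValidateArg() is not shown on this page; if it signals a bad value with a negative number, that result is kept and, being non-zero, silently selects loopback, and any other integer such as `loopback=7` is accepted as well. A range check right after the assignment, `if (loopbackBind != 0 && loopbackBind != 1)`, handled the same way the neighbouring options report a bad value, would make a mistyped setting visible instead of guessing the intended bind address. The else-if chain continues outside the hunk.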
@@ -13778,7 +13804,14 @@ int ParseListenOption(int &address)
}
else
{
- address = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ address = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ address = htonl(INADDR_ANY);
+ }
}
}
else
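Review bot: `loopbackBind` is consulted only in this inner `else` of ParseListenOption(); the other branches are outside the hunk, so it looks as though an explicitly configured listen host takes precedence and `loopback=1` is then ignored without notice. If that precedence is intended, it deserves a comment above the branch, for example `// An explicit listen host overrides loopback=1; the option only changes the default address.`, and possibly a warning in the log when both are given. The function also reads a flag that is set in ParseEnvironmentOptions(), so the result depends on the options having been parsed before it runs.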
diff --git a/nxcomp/Misc.cpp b/nxcomp/Misc.cpp
index 7303c595b..0095eaa74 100644
--- a/nxcomp/Misc.cpp
+++ b/nxcomp/Misc.cpp
@@ -42,6 +42,14 @@
#undef DEBUG
//
+// By default nxproxy binds to all network interfaces, setting
+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
+// device only.
+//
+
+const int DEFAULT_LOOPBACK_BIND = 0;
+
+//
// TCP port offset applied to any NX port specification.
//
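Review bot: With `DEFAULT_LOOPBACK_BIND = 0` every listener patched in Loop.cpp stays on INADDR_ANY unless the session passes `loopback=1`, so the restricted bind is opt-in and an unconfigured proxy stays reachable from all interfaces. The comment should say this outright and name the run-time option, for example `// 0 keeps the historical behaviour (listen on all interfaces); loopback=1 overrides it per session.` The `loopback=b` line added to UsageInfo in the next hunk would likewise benefit from stating the default value.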
@@ -137,6 +145,8 @@ static const char UsageInfo[] =
\n\
listen=n Local port used for accepting the proxy connection.\n\
\n\
+ loopback=b Bind to the loopback device only.\n\
+\n\
accept=s Name or IP of host that can connect to the proxy.\n\
\n\
connect=s Name or IP of host that the proxy will connect to.\n\
diff --git a/nxcomp/Misc.h b/nxcomp/Misc.h
index 3f37836f5..21a503082 100644
--- a/nxcomp/Misc.h
+++ b/nxcomp/Misc.h
@@ -90,6 +90,14 @@ extern const int DEFAULT_NX_SLAVE_PORT_CLIENT_OFFSET;
extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
//
+// NX proxy binds to all network interfaces by default
+// With the -loopback parameter, you can switch
+// over to binding to the loopback device only.
+//
+
+extern const int DEFAULT_LOOPBACK_BIND;
+
+//
// Return strings containing various info.
//
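Review bot: The comment refers to a `-loopback` parameter, but the option this commit adds is parsed in Loop.cpp as a `loopback` name/value pair and is documented in UsageInfo as `loopback=b`; no command-line switch of that name appears in the diff. The first sentence also lacks its full stop. Suggested wording: `// NX proxy binds to all network interfaces by default.` followed by `// The loopback=1 option switches to binding to the` and `// loopback device only.`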