From 1be1c4a21bb54e60ec60456374d9ef55aaf55e2f Mon Sep 17 00:00:00 2001
From: Mike Gabriel
Date: Tue, 10 Feb 2015 21:11:27 +0100
Subject: Force NX proxy to bind to loopback devices only (loopback option) (220_nxproxy_bind-loopback-only.full+lite.patch).
---
 .../220_nxproxy_bind-loopback-only.full+lite.patch | 130 ---------------------
 debian/patches/series | 1 -
 nxcomp/Loop.cpp | 41 ++++++-
 nxcomp/Misc.cpp | 10 ++
 nxcomp/Misc.h | 8 ++
 5 files changed, 55 insertions(+), 135 deletions(-)
 delete mode 100644 debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch
diff --git a/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch b/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch
deleted file mode 100644
index c65b85501..000000000
--- a/debian/patches/220_nxproxy_bind-loopback-only.full+lite.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Description: Force NX proxy to bind to loopback devices only (loopback option)
-Author: Mike Gabriel
---- a/nxcomp/Loop.cpp
-+++ b/nxcomp/Loop.cpp
-@@ -952,6 +952,7 @@
- static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
- static char authCookie[DEFAULT_STRING_LENGTH] = { 0 };
-
-+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
- static int proxyPort = DEFAULT_NX_PROXY_PORT;
- static int xPort = DEFAULT_NX_X_PORT;
-@@ -3959,7 +3960,14 @@
-
- tcpAddr.sin_family = AF_INET;
- tcpAddr.sin_port = htons(proxyPortTCP);
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
- {
-@@ -4550,7 +4558,14 @@
-
- tcpAddr.sin_family = AF_INET;
- tcpAddr.sin_port = htons(portTCP);
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
- {
-@@ -6718,7 +6733,14 @@
-
- #ifdef __APPLE__
-
-- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ }
-
- #else
-
-@@ -8397,6 +8419,10 @@
-
- listenPort = ValidateArg("local", name, value);
- }
-+ else if (strcasecmp(name, "loopback") == 0)
-+ {
-+ loopbackBind = ValidateArg("local", name, value);
-+ }
- else if (strcasecmp(name, "accept") == 0)
- {
- if (*connectHost != '\0')
-@@ -13778,7 +13804,14 @@
- }
- else
- {
-- address = htonl(INADDR_ANY);
-+ if ( loopbackBind )
-+ {
-+ address = htonl(INADDR_LOOPBACK);
-+ }
-+ else
-+ {
-+ address = htonl(INADDR_ANY);
-+ }
- }
- }
- else
---- a/nxcomp/Misc.cpp
-+++ b/nxcomp/Misc.cpp
-@@ -42,6 +42,14 @@
- #undef DEBUG
-
- //
-+// By default nxproxy binds to all network interfaces, setting
-+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
-+// device only.
-+//
-+
-+const int DEFAULT_LOOPBACK_BIND = 0;
-+
-+//
- // TCP port offset applied to any NX port specification.
-
-
-@@ -137,6 +145,8 @@
- \n\
- listen=n Local port used for accepting the proxy connection.\n\
- \n\
-+ loopback=b Bind to the loopback device only.\n\
-+\n\
- accept=s Name or IP of host that can connect to the proxy.\n\
- \n\
- connect=s Name or IP of host that the proxy will connect to.\n\
---- a/nxcomp/Misc.h
-+++ b/nxcomp/Misc.h
-@@ -90,6 +90,14 @@
- extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
-
- //
-+// NX proxy binds to all network interfaces by default
-+// With the -loopback parameter, you can switch
-+// over to binding to the loopback device only.
-+//
-+
-+extern const int DEFAULT_LOOPBACK_BIND;
-+
-+//
- // Return strings containing various info.
- //
-
diff --git a/debian/patches/series b/debian/patches/series
index b6a467730..30ed936f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-220_nxproxy_bind-loopback-only.full+lite.patch
 300_nxagent_set-wm-class.full.patch
 301_nx-X11_use-shared-libs.full.patch
 302_nx-X11_xkbbasedir-detection.full.patch
diff --git a/nxcomp/Loop.cpp b/nxcomp/Loop.cpp
index 05b514570..77b0c806c 100644
--- a/nxcomp/Loop.cpp
+++ b/nxcomp/Loop.cpp
@@ -952,6 +952,7 @@ static char listenHost[DEFAULT_STRING_LENGTH] = { 0 };
 static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
 static char authCookie[DEFAULT_STRING_LENGTH] = { 0 };
 
+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
 static int proxyPort = DEFAULT_NX_PROXY_PORT;
 static int xPort = DEFAULT_NX_X_PORT;
 
@@ -3959,7 +3960,14 @@ int SetupTcpSocket()
 
 tcpAddr.sin_family = AF_INET;
 tcpAddr.sin_port = htons(proxyPortTCP);
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
 
 if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
 {
@@ -4550,7 +4558,14 @@ int ListenConnection(int port, const char *label)
 
 tcpAddr.sin_family = AF_INET;
 tcpAddr.sin_port = htons(portTCP);
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
 
 if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
 {
@@ -6718,7 +6733,14 @@ int WaitForRemote(int portNum)
 
 #ifdef __APPLE__
 
- tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ }
 
 #else
 
@@ -8397,6 +8419,10 @@ int ParseEnvironmentOptions(const char *env, int force)
 
 listenPort = ValidateArg("local", name, value);
 }
+ else if (strcasecmp(name, "loopback") == 0)
+ {
+ loopbackBind = ValidateArg("local", name, value);
+ }
 else if (strcasecmp(name, "accept") == 0)
 {
 if (*connectHost != '\0')
@@ -13778,7 +13804,14 @@ int ParseListenOption(int &address)
 }
 else
 {
- address = htonl(INADDR_ANY);
+ if ( loopbackBind )
+ {
+ address = htonl(INADDR_LOOPBACK);
+ }
+ else
+ {
+ address = htonl(INADDR_ANY);
+ }
 }
 }
 else
diff --git a/nxcomp/Misc.cpp b/nxcomp/Misc.cpp
index 7303c595b..0095eaa74 100644
--- a/nxcomp/Misc.cpp
+++ b/nxcomp/Misc.cpp
@@ -41,6 +41,14 @@
 #undef TEST
 #undef DEBUG
 
+//
+// By default nxproxy binds to all network interfaces, setting
+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
+// device only.
+//
+
+const int DEFAULT_LOOPBACK_BIND = 0;
+
 //
 // TCP port offset applied to any NX port specification.
 //
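Review bot: The seven-line `if ( loopbackBind ) { ... } else { ... }` block this hunk adds to SetupTcpSocket is repeated verbatim in the ListenConnection, WaitForRemote (under `#ifdef __APPLE__`) and ParseListenOption hunks of the same file, so the bind-address policy now lives in four places and any later refinement (a configurable bind address, IPv6) has to be applied to each copy. Every copy reduces to one line, `tcpAddr.sin_addr.s_addr = htonl(loopbackBind ? INADDR_LOOPBACK : INADDR_ANY);` (`address = htonl(loopbackBind ? INADDR_LOOPBACK : INADDR_ANY);` in ParseListenOption), or to one file-local helper that returns that value and is the single place to read loopbackBind. In WaitForRemote only the `__APPLE__` branch is touched; its `#else` branch is outside the hunk, so whether the non-Apple path also honours loopbackBind cannot be confirmed from here. All four enclosing functions begin and end outside their hunks.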
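Review bot: In the ParseEnvironmentOptions hunk, `loopbackBind = ValidateArg("local", name, value);` stores ValidateArg's return value directly as the on/off flag for the `loopback=b` option, and what ValidateArg returns for a value it rejects is not visible in this hunk; if that is a non-zero error code, an unparseable value silently switches the proxy to loopback-only, and if it is zero, it silently leaves the proxy bound to all interfaces, with nothing reported either way. A boolean option should be normalised and a rejected value routed to the function's existing error path rather than into the flag, e.g. `int loopback = ValidateArg("local", name, value);` followed by a check that `loopback` is 0 or 1 before `loopbackBind = loopback;`. A short comment at the assignment, such as `// Restrict every listening socket to 127.0.0.1; see DEFAULT_LOOPBACK_BIND.`, would also make the security intent visible at the parse site. ParseEnvironmentOptions starts and ends outside the hunk.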
@@ -136,6 +144,8 @@ static const char UsageInfo[] =
 to be forwarded by the proxy running on the client.\n\
 \n\
 listen=n Local port used for accepting the proxy connection.\n\
+\n\
+ loopback=b Bind to the loopback device only.\n\
 \n\
 accept=s Name or IP of host that can connect to the proxy.\n\
 \n\
diff --git a/nxcomp/Misc.h b/nxcomp/Misc.h
index 3f37836f5..21a503082 100644
--- a/nxcomp/Misc.h
+++ b/nxcomp/Misc.h
@@ -89,6 +89,14 @@ extern const int DEFAULT_NX_FONT_PORT_OFFSET;
 extern const int DEFAULT_NX_SLAVE_PORT_CLIENT_OFFSET;
 extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
 
+//
+// NX proxy binds to all network interfaces by default
+// With the -loopback parameter, you can switch
+// over to binding to the loopback device only.
+//
+
+extern const int DEFAULT_LOOPBACK_BIND;
+
 //
 // Return strings containing various info.
 //
-- 
cgit v1.2.3
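Review bot: The new usage line `loopback=b Bind to the loopback device only.\n\` does not state the default, while the Misc.cpp hunk in this commit defines `DEFAULT_LOOPBACK_BIND = 0`, i.e. all interfaces, so an operator reading the help text cannot tell whether the restriction is already in effect. Suggest `loopback=b Bind to the loopback device only (default: 0, all interfaces).\n\`, keeping the line-continuation form of the surrounding text. UsageInfo begins and ends outside the hunk.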
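Review bot: The new Misc.h comment refers to a `-loopback parameter`, but the Loop.cpp hunk in this commit matches it as a `loopback` name=value entry of the option string (`strcasecmp(name, "loopback")`) and the usage text documents it as `loopback=b`; the comment should use the same spelling so a reader greps for the right thing, e.g. `// With the loopback=1 option you can switch` / `// over to binding to the loopback device only.`. The declaration itself follows the existing `extern const int DEFAULT_NX_*` pattern above it.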