aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/0220_nxproxy_bind-loopback-only.full+lite.patch
blob: c65b85501fe2a81bc7ffbde47bff762a08bc7d2f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
Description: Force NX proxy to bind to loopback devices only (loopback option)
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
--- a/nxcomp/Loop.cpp
+++ b/nxcomp/Loop.cpp
@@ -952,6 +952,7 @@
 static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
 static char authCookie[DEFAULT_STRING_LENGTH]  = { 0 };
 
+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
 static int proxyPort = DEFAULT_NX_PROXY_PORT;
 static int xPort     = DEFAULT_NX_X_PORT;
 
@@ -3959,7 +3960,14 @@
 
   tcpAddr.sin_family = AF_INET;
   tcpAddr.sin_port = htons(proxyPortTCP);
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
   {
@@ -4550,7 +4558,14 @@
 
   tcpAddr.sin_family = AF_INET;
   tcpAddr.sin_port = htons(portTCP);
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
   {
@@ -6718,7 +6733,14 @@
 
   #ifdef __APPLE__
 
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   #else
 
@@ -8397,6 +8419,10 @@
 
       listenPort = ValidateArg("local", name, value);
     }
+    else if (strcasecmp(name, "loopback") == 0)
+    {
+      loopbackBind = ValidateArg("local", name, value);
+    }
     else if (strcasecmp(name, "accept") == 0)
     {
       if (*connectHost != '\0')
@@ -13778,7 +13804,14 @@
     }
     else
     {
-      address = htonl(INADDR_ANY);
+      if ( loopbackBind )
+      {
+        address = htonl(INADDR_LOOPBACK);
+      }
+      else
+      {
+        address = htonl(INADDR_ANY);
+      }
     }
   }
   else
--- a/nxcomp/Misc.cpp
+++ b/nxcomp/Misc.cpp
@@ -42,6 +42,14 @@
 #undef  DEBUG
 
 //
+// By default nxproxy binds to all network interfaces, setting
+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
+// device only.
+//
+
+const int DEFAULT_LOOPBACK_BIND = 0;
+
+//
 // TCP port offset applied to any NX port specification.
 //
 
@@ -137,6 +145,8 @@
 \n\
   listen=n     Local port used for accepting the proxy connection.\n\
 \n\
+  loopback=b   Bind to the loopback device only.\n\
+\n\
   accept=s     Name or IP of host that can connect to the proxy.\n\
 \n\
   connect=s    Name or IP of host that the proxy will connect to.\n\
--- a/nxcomp/Misc.h
+++ b/nxcomp/Misc.h
@@ -90,6 +90,14 @@
 extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
 
 //
+// NX proxy binds to all network interfaces by default
+// With the -loopback parameter, you can switch
+// over to binding to the loopback device only.
+//
+
+extern const int DEFAULT_LOOPBACK_BIND;
+
+//
 // Return strings containing various info.
 //