path: root/debian/patches/0220_nxproxy_bind-loopback-only.full+lite.patch
blob: 038f7561b503f43575579cf647186b96e36c453d (plain)
Description: Force NX proxy to bind to loopback devices only (loopback option)
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
--- a/nxcomp/Loop.cpp
+++ b/nxcomp/Loop.cpp
@@ -952,6 +952,7 @@ static char listenHost[DEFAULT_STRING_LE
 static char displayHost[DEFAULT_STRING_LENGTH] = { 0 };
 static char authCookie[DEFAULT_STRING_LENGTH]  = { 0 };
 
+static int loopbackBind = DEFAULT_LOOPBACK_BIND;
 static int proxyPort = DEFAULT_NX_PROXY_PORT;
 static int xPort     = DEFAULT_NX_X_PORT;
 
@@ -3959,7 +3960,14 @@ int SetupTcpSocket()
 
   tcpAddr.sin_family = AF_INET;
   tcpAddr.sin_port = htons(proxyPortTCP);
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   if (bind(tcpFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
   {
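Review bot: The five-line `if ( loopbackBind )` / `else` block added before `bind()` here is repeated verbatim in the ListenConnection, WaitForRemote and ParseListenOption hunks, so the bind policy now lives in four places. A listener added later without the block would bind to INADDR_ANY even with loopback=1, and nothing would flag it. One file-local helper keeps the decision in a single spot: `static in_addr_t ListenAddress() { return htonl(loopbackBind ? INADDR_LOOPBACK : INADDR_ANY); }`, used as `tcpAddr.sin_addr.s_addr = ListenAddress();`. SetupTcpSocket starts before and continues after this hunk, so any other address setup in it is not visible here.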
@@ -4550,7 +4558,14 @@ int ListenConnection(int port, const cha
 
   tcpAddr.sin_family = AF_INET;
   tcpAddr.sin_port = htons(portTCP);
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   if (bind(newFD, (sockaddr *) &tcpAddr, sizeof(tcpAddr)) == -1)
   {
@@ -6718,7 +6733,14 @@ int WaitForRemote(int portNum)
 
   #ifdef __APPLE__
 
-  tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  if ( loopbackBind )
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+  }
+  else
+  {
+    tcpAddr.sin_addr.s_addr = htonl(INADDR_ANY);
+  }
 
   #else
 
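Review bot: In WaitForRemote the loopback test is added only inside the `#ifdef __APPLE__` branch; the `#else` branch begins on the last lines of the hunk and its body is not shown. If that branch picks its address independently of `loopbackBind`, non-Apple builds would ignore the option on this listener, so it should be checked against the full function. A short comment above the `#ifdef` would make the intent explicit, for example `// Both branches must honour loopbackBind when choosing the listen address.`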
@@ -8397,6 +8419,10 @@ int ParseEnvironmentOptions(const char *
 
       listenPort = ValidateArg("local", name, value);
     }
+    else if (strcasecmp(name, "loopback") == 0)
+    {
+      loopbackBind = ValidateArg("local", name, value);
+    }
     else if (strcasecmp(name, "accept") == 0)
     {
       if (*connectHost != '\0')
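Review bot: `loopback` is documented in the usage text as a boolean (`loopback=b`), yet it is parsed with `ValidateArg("local", name, value)`, the same call used for the numeric `listen` port, and the result is stored without a range check. ValidateArg is not visible here; if it converts with atoi-like semantics, a value such as `loopback=yes` would yield 0 and leave the listeners on INADDR_ANY while the operator believes they are loopback-only. A check after the assignment that fails closed avoids that, for example `if (loopbackBind != 0 && loopbackBind != 1) return -1;` or whatever error path this function uses for bad values. The comment added in Misc.h also calls the switch `-loopback`, whereas this hunk registers it as the name/value option `loopback`; the two should agree.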
@@ -13778,7 +13804,14 @@ int ParseListenOption(int &address)
     }
     else
     {
-      address = htonl(INADDR_ANY);
+      if ( loopbackBind )
+      {
+        address = htonl(INADDR_LOOPBACK);
+      }
+      else
+      {
+        address = htonl(INADDR_ANY);
+      }
     }
   }
   else
--- a/nxcomp/Misc.cpp
+++ b/nxcomp/Misc.cpp
@@ -42,6 +42,14 @@
 #undef  DEBUG
 
 //
+// By default nxproxy binds to all network interfaces, setting
+// DEFAULT_LOOPBACK_BIND to 1 enables binding to the loopback
+// device only.
+//
+
+const int DEFAULT_LOOPBACK_BIND = 0;
+
+//
 // TCP port offset applied to any NX port specification.
 //
 
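Review bot: `DEFAULT_LOOPBACK_BIND = 0` keeps the all-interfaces behaviour, so the patch only restricts exposure for callers that pass `loopback=1`; every existing invocation still listens on INADDR_ANY. If the default has to stay at 0 for compatibility, the comment should say so and name the consequence, for example `// 0 keeps the historical behaviour: listeners are reachable on every interface. Set loopback=1 when the proxy is only reached through a local tunnel.` The added comment also joins two sentences with a comma ("interfaces, setting"), which reads better split in two.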
@@ -137,6 +145,8 @@ static const char UsageInfo[] =
 \n\
   listen=n     Local port used for accepting the proxy connection.\n\
 \n\
+  loopback=b   Bind to the loopback device only.\n\
+\n\
   accept=s     Name or IP of host that can connect to the proxy.\n\
 \n\
   connect=s    Name or IP of host that the proxy will connect to.\n\
--- a/nxcomp/Misc.h
+++ b/nxcomp/Misc.h
@@ -90,6 +90,14 @@ extern const int DEFAULT_NX_SLAVE_PORT_C
 extern const int DEFAULT_NX_SLAVE_PORT_SERVER_OFFSET;
 
 //
+// NX proxy binds to all network interfaces by default
+// With the -loopback parameter, you can switch
+// over to binding to the loopback device only.
+//
+
+extern const int DEFAULT_LOOPBACK_BIND;
+
+//
 // Return strings containing various info.
 //