Add portforwarder-ssh-wrap script.
authorPeter Palfrader <peter@palfrader.org>
Sun, 21 Feb 2010 15:56:20 +0000 (16:56 +0100)
committerPeter Palfrader <peter@palfrader.org>
Sun, 21 Feb 2010 15:56:20 +0000 (16:56 +0100)
Makefile
debian/changelog
portforwarder-ssh-wrap [new file with mode: 0755]

index 1637ee032a5d77d28d932a25114e904fc00f77fc..1c83784691ae9b00351afcc805a585d49a1ef911 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -5,3 +5,4 @@ install:
        install -m755 upgrade-porter-chroots $(DESTDIR)/usr/sbin
        install -m755 apache2-vhost-update $(DESTDIR)/usr/sbin
        install -m755 buildd-reboot $(DESTDIR)/usr/sbin
+       install -m755 portforwarder-ssh-wrap $(DESTDIR)/usr/bin
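Review bot: Nothing visible in this hunk ensures that `$(DESTDIR)/usr/bin` exists before the new `install -m755 portforwarder-ssh-wrap $(DESTDIR)/usr/bin` line runs, and the neighbouring lines all target `/usr/sbin`; if the directory is missing, `install` writes the script to a file named `bin` instead of failing. The `install:` rule starts above the hunk, so an `install -d` may already be there, but a trailing slash makes the failure loud either way: `install -m755 portforwarder-ssh-wrap $(DESTDIR)/usr/bin/`.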
index dfc1b97c8f65ffe031d56deba9cbb19109100f30..00a093a9bb093b93e08557ebd2310bd75339fe24 100644 (file)
@@ -1,9 +1,13 @@
 debian.org (31) UNRELEASED; urgency=low
 
+  [ Martin Zobel-Helas ]
   * New dependencies of debian.org-www-master:
     - ttf-arphic-uming
 
- -- Martin Zobel-Helas <zobel@debian.org>  Sun, 24 Jan 2010 22:33:51 +0100
+  [ Peter Palfrader ]
+  * Add portforwarder-ssh-wrap script.
+
+ -- Peter Palfrader <weasel@debian.org>  Sun, 21 Feb 2010 16:56:06 +0100
 
 debian.org (30) stable; urgency=low
 
diff --git a/portforwarder-ssh-wrap b/portforwarder-ssh-wrap
new file mode 100755 (executable)
index 0000000..758ccb6
--- /dev/null
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Copyright (c) 2009,2010 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -e
+set -u
+
+
+MYLOGNAME="`basename "$0"`[$$]"
+
+usage() {
+       echo "local Usage: $0 <source-host> <local-bind> <allowed-port> [<allowed-port> ...]"
+       echo "via ssh orig command : forward-to <port>"
+}
+croak() {
+       logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
+       exit 1
+}
+
+
+if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
+       echo "Did not find SSH_ORIGINAL_COMMAND" 2>&1
+       exit 1
+fi
+
+
+if [ "${1-}" = "-h" ] || [ "${1-}" = "--help" ]; then
+       usage
+       exit 0
+fi
+# check/parse local command line
+if [ "$#" -le 2 ]; then
+       usage >&2
+       exit 1
+fi
+host="$1"
+shift
+bindaddr="$1"
+shift
+if [[ "$bindaddr" =~ [^0-9.] ]]; then
+       echo "Invalid bindaddr spec" >&2
+       exit 1
+fi
+allowed_ports="$@"
+
+# check/parse remote command line
+set "dummy" ${SSH_ORIGINAL_COMMAND}
+shift
+
+# check/parse local command line
+if [ "$#" != 2 ]; then
+       usage >&2
+       exit 1
+fi
+if [ "$1" != "forward-to" ]; then
+       croak "Expected forward-to as command"
+fi
+port="$2"
+if [[ "$port" =~ [^0-9] ]]; then
+       croak "Invalid port spec"
+fi
+ok=0
+for allowed in $allowed_ports ; do
+       if [ "$port" = "$allowed" ]; then
+               ok=1
+               break
+       fi
+done
+
+if [ "$ok" = "1" ]; then
+       logger -p daemon.info -t "$MYLOGNAME" "Forwarding to port $port for remote host $host"
+       exec /bin/nc -s "$bindaddr" 127.0.0.1 "$port"
+       echo "Exec failed" >&2
+       exit 1
+else
+       croak "$host requested unallowed port $port"
+fi
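Review bot: `set "dummy" ${SSH_ORIGINAL_COMMAND}` expands the client-supplied string unquoted, so besides the intended word splitting it also undergoes pathname expansion against the current directory before the `forward-to` and port checks run; the later checks limit the impact, but a `set -f` on the line before it removes the behaviour entirely. The arity check that follows (under a comment that still says "local command line") calls `usage >&2` instead of `croak`, so a malformed remote request is the one rejection that never reaches syslog; `croak "Malformed request from $host"` would keep every refusal visible to whoever watches the logs. The first guard prints to stdout because of `2>&1`, which should be `>&2`. The header also lacks a deployment comment: the script reads `SSH_ORIGINAL_COMMAND` and so is presumably installed as a forced command, and the port allowlist only binds if the key's entry also turns off sshd's own forwarding, e.g. `# authorized_keys: command="portforwarder-ssh-wrap <source-host> <local-bind> <allowed-port>...",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding <key>`.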