ref: f9d6ecb14eb37a27dc9a7e70fc387dd13052bd32
parent: cf180ac97241fb84830cbdacfeb334c0092afafc
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Thu Dec 25 20:49:26 EST 2025
rcpu: allow aan listening port to be constrained with aanport attribute in ndb (thanks panini) When using the -p flag for rcpu(1)-like programs, we now look up all "aanport=low-high/port" attributes from ndb for the host (server) and try to allocate a listen port from the specified range. The main intent is to help with port-based firewall filtering. Thanks panini (penny@limitedideas.org) for the work!
--- a/rc/bin/rconnect
+++ b/rc/bin/rconnect
@@ -53,7 +53,16 @@
<>$netdir/clone {
 netdir=$netdir/`{read} || exit
 >[3] $netdir/ctl {
- echo -n 'announce *!0' >[1=3]
+ @{
+ for(range in `{ndb/query -cia sys $sysname aanport} 0){
+ range=`{echo `-{echo $range}}
+ if(~ $#range 2)range=`{seq $range}
+ for(port in $range){
+ echo -n announce '*!'^$port >[1=3] && exit ''
+ }
+ }
+ exit 'nope'
+ } >[2]/dev/null
echo `{cat $netdir/local} || exitbind '#|' /mnt/aan || exit
exec aan -m $aanto $netdir <>/mnt/aan/data1 >[1=0] >[2]/dev/null &
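Review bot: The trailing `0` in the `for(range in …)` list is tried not only when the host has no aanport attribute but also when every port of a configured range is already in use, so the listener can still land on an arbitrary ephemeral port even though rcpu(1) now says remote listeners are restricted to the given range; for the port-based firewall this feature is meant for, that is a listener the administrator did not allow and one the client will then fail to reach. The `exit 'nope'` status is also discarded, because `} >[2]/dev/null` is not followed by `|| exit`, so the script goes on to echo `$netdir/local` as before. I would append the `0` fallback only when ndb returns nothing and propagate the failure, as below; if the unconditional fallback is intended, the rcpu(1) wording should say so instead. The enclosing `>[3] $netdir/ctl {` block continues past the end of the hunk.

```shell
	@{
		ranges=`{ndb/query -cia sys $sysname aanport}
		if(~ $#ranges 0) ranges=0
		for(range in $ranges){
			# … unchanged: split low-high, expand with seq, try each port …
		}
		# … unchanged: exit 'nope' …
	} >[2]/dev/null || exit
```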
--- a/sys/man/1/rcpu
+++ b/sys/man/1/rcpu
@@ -192,7 +192,11 @@
.B -p
Protect the connection against connection resets by establishing
.IR aan (8)
-tunnel.
+tunnel. If the remote host has
+.B aanport
+set (see
+.IR ndb (6))
+the remote listeners will be restricted to the given port range.
.SH FILES
.B /rc/bin/service/tcp17019
.SH SOURCE
--- a/sys/man/6/ndb
+++ b/sys/man/6/ndb
@@ -304,6 +304,16 @@
(see
.IR ndb (8))
in tuples for hosts that supported the IL protocol
+.TP
+.B aanport
+a range of ports to restrict
+.IR aan (8)
+listeners started by incoming
+.IR rcpu (1)
+connections to; in the form of
+.B aanport=low-high.
+Single ports are also allowed, as well as multiple
+entries of either kind.
.PD
.PP
.I Cs
--