d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to version 2.2. Only the PacketAlias*()

Browse Source 
functions should now be used.  The old 2.1 stuff is
there for backwards compatability.
Submitted by:	Charles Mott <cmott@snake.srv.net>
This commit is contained in:
brian 1997-08-03 18:20:03 +00:00
parent e80e7192e4
commit c9cf08e905
18 changed files with 2142 additions and 392 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
lib/libalias/HISTORY Normal file
View File

@ -0,0 +1,105 @@
Version 1.0: August 11, 1996 (cjm)
Version 1.1: August 20, 1996 (cjm)
- Host accepts incoming connections for ports 0 to 1023.
Version 1.2: September 7, 1996 (cjm)
- Fragment handling error in alias_db.c corrected.
Version 1.3: September 15, 1996 (cjm)
- Generalized mechanism for handling incoming
connections (no more 0 to 1023 restriction).
- Increased ICMP support (will handle traceroute now).
- Improved TCP close connection logic.
Version 1.4: September 16, 1996 (cjm)
Version 1.5: September 17, 1996 (cjm)
- Corrected error in handling incoming UDP packets
with zero checksum.
Version 1.6: September 18, 1996
- Simplified ICMP data storage. Will now handle
tracert from Win95 and NT as well as FreeBSD
traceroute, which uses UDP packets to non-existent
ports.
Verstion 1.7: January 9, 1997 (cjm)
- Reduced malloc() activity for ICMP echo and
timestamp requests.
- Added handling for out-of-order IP fragments.
- Switched to differential checksum computation
for IP headers (TCP, UDP and ICMP checksums
were already differential).
- Accepts FTP data connections from other than
port 20. This allows one ftp connections
from two hosts which are both running packet
aliasing.
Version 1.8: January 14, 1997 (cjm)
- Fixed data type error in function StartPoint()
in alias_db.c (this bug did not exist before v1.7)
Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
- Added support for IRC DCC (ee)
- Changed the aliasing routines to use ANSI style
throughout (ee)
- Minor API changes for integration with other
programs than PPP (ee)
- Fixed minor security hole in alias_ftp.c for
other applications of the aliasing software.
Hole could _not_ manifest in ppp+pktAlias, but
could potentially manifest in other applications
of the aliasing. (ee)
- Connections initiated from packet aliasing
host machine will not have their port number
aliased unless it conflicts with an aliasing
port already being used. (There is an option
to disable this for debugging) (cjm)
- Sockets will be allocated in cases where
there might be port interference with the
host machine. This can be disabled in cases
where the ppp host will be acting purely as a
masquerading router and not generate any
traffic of its own.
(cjm)
Version 2.0: March, 1997 (cjm)
- Aliasing links are cleared only when a host interface address
changes.
- PacketAliasPermanentLink() API added.
- Option for only aliasing private, unregistered
IP addresses added.
- Substantial rework to the aliasing lookup engine.
Version 2.1: May, 1997 (cjm)
- Continuing rework to the aliasing lookup engine
to support multiple incoming addresses and static
NAT. PacketAliasRedirectPort() and
PacketAliasRedirectAddr() added to API.
- Now supports outgoing as well as incoming ICMP
error messges.
Version 2.2: July, 1997 (cjm)
- Rationalized API function names to all begin with
"PacketAlias..." Old function names are retained
for backwards compatitibility.
- Packet aliasing engine will now free memory of
fragments which are never resolved after a timeout
period. Once a fragment is resolved, it becomes
the users responsibility to free the memory.

5
lib/libalias/Makefile
View File

@ -1,8 +1,9 @@
LIB= alias
SHLIB_MAJOR= 2
SHLIB_MINOR= 1
SHLIB_MINOR= 2
CFLAGS+=-Wall -I${.CURDIR}
SRCS= alias.c alias_db.c alias_ftp.c alias_irc.c alias_util.c
SRCS= alias.c alias_db.c alias_ftp.c alias_irc.c alias_util.c alias_old.c
MAN3=libalias.3
beforeinstall:
${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 ${.CURDIR}/alias.h \

88
lib/libalias/alias.c
View File

@ -66,6 +66,13 @@
and PacketAliasOut2() for dynamic address
control (e.g. round-robin allocation of
incoming packets).
Version 2.2 July 1997 (cjm)
- Rationalized API function names to begin
with "PacketAlias..."
- Eliminated PacketAliasIn2() and
PacketAliasOut2() as poorly conceived.
*/
#include <stdio.h>
@ -884,20 +891,18 @@ FragmentOut(struct ip *pip)
/* Outside World Access
SaveFragmentPtr()
GetNextFragmentPtr()
FragmentAliasIn()
PacketAliasSaveFragment()
PacketAliasGetFragment()
PacketAliasFragmentIn()
PacketAliasIn()
PacketAliasOut()
PacketAliasIn2()
PacketAliasOut2()
(prototypes in alias.h)
*/
int
SaveFragmentPtr(char *ptr)
PacketAliasSaveFragment(char *ptr)
{
int iresult;
struct alias_link *link;
@ -916,7 +921,7 @@ SaveFragmentPtr(char *ptr)
char *
GetNextFragmentPtr(char *ptr)
PacketAliasGetFragment(char *ptr)
{
struct alias_link *link;
char *fptr;
@ -927,6 +932,7 @@ GetNextFragmentPtr(char *ptr)
if (link != NULL)
{
GetFragmentPtr(link, &fptr);
SetFragmentPtr(link, NULL);
SetExpire(link, 0); /* Deletes link */
return(fptr);
@ -939,11 +945,11 @@ GetNextFragmentPtr(char *ptr)
void
FragmentAliasIn(char *ptr, /* Points to correctly de-aliased
header fragment */
char *ptr_fragment /* Points to fragment which must
be de-aliased */
)
PacketAliasFragmentIn(char *ptr, /* Points to correctly de-aliased
header fragment */
char *ptr_fragment /* Points to fragment which must
be de-aliased */
)
{
struct ip *pip;
struct ip *fpip;
@ -967,6 +973,7 @@ PacketAliasIn(char *ptr, int maxpacketsize)
int iresult;
HouseKeeping();
ClearCheckNewLink();
pip = (struct ip *) ptr;
alias_addr = pip->ip_dst;
@ -1039,6 +1046,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
struct ip *pip;
HouseKeeping();
ClearCheckNewLink();
pip = (struct ip *) ptr;
addr_save = GetDefaultAliasAddress();
@ -1056,7 +1064,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER)
iclass = 1;
if (iclass == 0)
if (iclass != 0)
{
SetDefaultAliasAddress(pip->ip_src);
}
@ -1086,57 +1094,3 @@ PacketAliasOut(char *ptr, /* valid IP packet */
SetDefaultAliasAddress(addr_save);
return(iresult);
}
int
PacketAliasIn2(char *ptr, /* valid IP packet */
struct in_addr addr, /* Default aliasing address */
int maxpacketsize /* How much the packet data may grow
(FTP and IRC inline changes) */
)
{
int result_code;
struct in_addr addr_save;
ClearNewDefaultLink();
addr_save = GetDefaultAliasAddress();
SetDefaultTargetAddress(addr);
result_code = PacketAliasIn(ptr, maxpacketsize);
ClearDefaultTargetAddress();
if (result_code == PKT_ALIAS_OK)
{
if (CheckNewDefaultLink())
return PKT_ALIAS_NEW_LINK;
}
return result_code;
}
int
PacketAliasOut2(char *ptr, /* valid IP packet */
struct in_addr addr, /* Default aliasing address */
int maxpacketsize /* How much the packet data may grow
(FTP and IRC inline changes) */
)
{
int result_code;
struct in_addr addr_save;
ClearNewDefaultLink();
addr_save = GetDefaultAliasAddress();
SetDefaultAliasAddress(addr);
result_code = PacketAliasOut(ptr, maxpacketsize);
SetDefaultAliasAddress(addr_save);
if (result_code == PKT_ALIAS_OK)
{
if (CheckNewDefaultLink())
return PKT_ALIAS_NEW_LINK;
}
return result_code;
}

113
lib/libalias/alias.h
View File

@ -12,45 +12,82 @@
#ifndef _ALIAS_H_
#define _ALIAS_H_
/* Alias link representativei (incomplete struct) */
#ifndef NULL
#define NULL 0
#endif
/* Alias link representative (incomplete struct) */
struct alias_link;
/* External interfaces (API) to packet aliasing engine */
/* Initialization and Control */
extern void
PacketAliasInit(void);
extern void
PacketAliasSetAddress(struct in_addr);
extern unsigned int
PacketAliasSetMode(unsigned int, unsigned int);
/* Packet Handling */
extern int
PacketAliasIn(char *, int maxpacketsize);
extern int
PacketAliasOut(char *, int maxpacketsize);
/* Port and Address Redirection */
extern struct alias_link *
PacketAliasRedirectPort(struct in_addr, u_short,
struct in_addr, u_short,
struct in_addr, u_short,
u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
struct in_addr);
extern void
PacketAliasRedirectDelete(struct alias_link *);
/* Fragment Handling */
extern int
PacketAliasSaveFragment(char *);
extern char *
PacketAliasGetFragment(char *);
extern void
PacketAliasFragmentIn(char *, char *);
/* Miscellaneous Functions */
extern u_short
PacketAliasInternetChecksum(u_short *, int);
/*
In version 2.2, the function names were rationalized
to all be of the form PacketAlias... These are the
old function names for backwards compatibility
*/
extern int SaveFragmentPtr(char *);
extern char *GetNextFragmentPtr(char *);
extern void FragmentAliasIn(char *, char *);
extern int PacketAliasIn(char *, int maxpacketsize);
extern int PacketAliasOut(char *, int maxpacketsize);
extern int PacketAliasIn2(char *, struct in_addr, int maxpacketsize);
extern int PacketAliasOut2(char *, struct in_addr, int maxpacketsize);
extern void SetPacketAliasAddress(struct in_addr);
extern void InitPacketAlias(void);
extern void InitPacketAliasLog(void);
extern void UninitPacketAliasLog(void);
extern unsigned int SetPacketAliasMode(unsigned int, unsigned int);
extern struct alias_link *
PacketAliasRedirectPort(struct in_addr, u_short,
struct in_addr, u_short,
struct in_addr, u_short,
u_char);
extern int PacketAliasIn2(char *, struct in_addr, int maxpacketsize);
extern int PacketAliasOut2(char *, struct in_addr, int maxpacketsize);
extern int
PacketAliasPermanentLink(struct in_addr, u_short,
struct in_addr, u_short,
u_short, u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
struct in_addr);
void PacketAliasRedirectDelete(struct alias_link *);
/* InternetChecksum() is not specifically part of the
packet aliasing API, but is sometimes needed outside
the module. (~for instance, natd uses it to create
an ICMP error message when interface size is
exceeded.) */
extern u_short InternetChecksum(u_short *, int);
/* Obsolete constant */
#define PKT_ALIAS_NEW_LINK 5
/********************** Mode flags ********************/
/* Set these flags using SetPacketAliasMode() */
@ -58,25 +95,28 @@ extern u_short InternetChecksum(u_short *, int);
/* If PKT_ALIAS_LOG is set, a message will be printed to
/var/log/alias.log every time a link is created or deleted. This
is useful for debugging */
#define PKT_ALIAS_LOG 1
#define PKT_ALIAS_LOG 0x01
/* If PKT_ALIAS_DENY_INCOMING is set, then incoming connections (e.g.
to ftp, telnet or web servers will be prevented by the aliasing
mechanism. */
#define PKT_ALIAS_DENY_INCOMING 2
#define PKT_ALIAS_DENY_INCOMING 0x02
/* If PKT_ALIAS_SAME_PORTS is set, packets will be attempted sent from
the same port as they originated on. This allow eg rsh to work
the same port as they originated on. This allows eg rsh to work
*99% of the time*, but _not_ 100%. (It will be slightly flakey
instead of not working at all.) */
#define PKT_ALIAS_SAME_PORTS 4
instead of not working at all.) This mode bit is set by
PacketAliasInit(), so it is a default mode of operation. */
#define PKT_ALIAS_SAME_PORTS 0x04
/* If PKT_ALIAS_USE_SOCKETS is set, then when partially specified
links (e.g. destination port and/or address is zero), the packet
aliasing engine will attempt to allocate a socket for the aliasing
port it chooses. This will avoid interference with the host
machine. Fully specified links do not require this. */
#define PKT_ALIAS_USE_SOCKETS 8
machine. Fully specified links do not require this. This bit
is set after a call to PacketAliasInit(), so it is a default
mode of operation.*/
#define PKT_ALIAS_USE_SOCKETS 0x08
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with with
unregistered source addresses will be aliased (along with those
@ -86,9 +126,15 @@ extern u_short InternetChecksum(u_short *, int);
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255 */
#define PKT_ALIAS_UNREGISTERED_ONLY 16
#define PKT_ALIAS_UNREGISTERED_ONLY 0x10
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
aliasing links will be reset whenever PacketAliasSetAddress()
changes the default aliasing address. If the default aliasing
address is left unchanged by this functions call, then the
table of dynamic aliasing links will be left intact. This
bit is set after a call to PacketAliasInit(). */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
/* Return Codes */
#define PKT_ALIAS_ERROR -1
@ -96,7 +142,6 @@ extern u_short InternetChecksum(u_short *, int);
#define PKT_ALIAS_IGNORED 2
#define PKT_ALIAS_UNRESOLVED_FRAGMENT 3
#define PKT_ALIAS_FOUND_HEADER_FRAGMENT 4
#define PKT_ALIAS_NEW_LINK 5
#endif
/*lint -restore */

141
lib/libalias/alias_db.c
View File

@ -249,8 +249,8 @@ struct alias_link /* Main data structure */
union /* Auxiliary data */
{
struct in_addr frag_addr;
char *frag_ptr;
struct in_addr frag_addr;
struct tcp_dat *tcp;
} data;
};
@ -755,6 +755,8 @@ DeleteLink(struct alias_link *link)
break;
case LINK_FRAGMENT_PTR:
fragmentPtrLinkCount--;
if (link->data.frag_ptr != NULL)
free(link->data.frag_ptr);
break;
}
@ -1351,8 +1353,6 @@ FindAliasAddress(struct in_addr original_addr)
GetOriginalPort(), GetAliasPort()
SetAckModified(), GetAckModified()
GetDeltaAckIn(), GetDeltaSeqOut(), AddSeq()
ClearNewLink()
CheckNewLink()
*/
@ -1457,19 +1457,6 @@ SetDefaultAliasAddress(struct in_addr alias_addr)
}
void
SetDefaultTargetAddress(struct in_addr target_addr)
{
targetAddress = target_addr;
}
void ClearDefaultTargetAddress(void)
{
targetAddress.s_addr = 0;
}
u_short
GetOriginalPort(struct alias_link *link)
{
@ -1661,19 +1648,18 @@ SetExpire(struct alias_link *link, int expire)
}
void
ClearNewDefaultLink(void)
ClearCheckNewLink(void)
{
newDefaultLink = 0;
}
int
CheckNewDefaultLink(void)
{
return newDefaultLink;
}
/* Miscellaneous Functions
HouseKeeping()
InitPacketAliasLog()
UninitPacketAliasLog()
*/
/*
Whenever an outgoing or incoming packet is handled, HouseKeeping()
@ -1734,6 +1720,31 @@ HouseKeeping(void)
}
/* Init the log file and enable logging */
void
InitPacketAliasLog(void)
{
if ((~packetAliasMode & PKT_ALIAS_LOG)
&& (monitorFile = fopen("/var/log/alias.log", "w")))
{
packetAliasMode |= PKT_ALIAS_LOG;
fprintf(monitorFile,
"PacketAlias/InitPacketAliasLog: Packet alias logging enabled.\n");
}
}
/* Close the log-file and disable logging. */
void
UninitPacketAliasLog(void)
{
if( monitorFile )
fclose(monitorFile);
packetAliasMode &= ~PKT_ALIAS_LOG;
}
@ -1743,11 +1754,10 @@ HouseKeeping(void)
PacketAliasRedirectPort()
PacketAliasRedirectAddr()
SetPacketAliasAddress()
InitPacketAliasLog()
UninitPacketAliasLog()
InitPacketAlias()
SetPacketAliasMode()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
PacketAliasInit()
PacketAliasSetMode()
(prototypes in alias.h)
*/
@ -1795,28 +1805,6 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
}
/* This function is slightly less generalized than
PacketAliasRedirectPort and is included for backwards
compatibility */
int
PacketAliasPermanentLink(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
u_short alias_port, u_char proto)
{
struct alias_link *link;
link = PacketAliasRedirectPort(src_addr, src_port,
dst_addr, dst_port,
nullAddress, alias_port,
proto);
if (link == NULL)
return -1;
else
return 0;
}
/* Static address translation */
struct alias_link *
PacketAliasRedirectAddr(struct in_addr src_addr,
@ -1845,7 +1833,7 @@ PacketAliasRedirectAddr(struct in_addr src_addr,
void
PacketAliasRedirectDelete(struct alias_link *link)
{
/* This is a very dangerous function to put in the API,
/* This is a dangerous function to put in the API,
because an invalid pointer can crash the program. */
deleteAllLinks = 1;
@ -1855,9 +1843,10 @@ PacketAliasRedirectDelete(struct alias_link *link)
void
SetPacketAliasAddress(struct in_addr addr)
PacketAliasSetAddress(struct in_addr addr)
{
if (aliasAddress.s_addr != addr.s_addr)
if (packetAliasMode & PKT_ALIAS_RESET_ON_ADDR_CHANGE
&& aliasAddress.s_addr != addr.s_addr)
{
CleanupAliasData();
aliasAddress = addr;
@ -1865,32 +1854,15 @@ SetPacketAliasAddress(struct in_addr addr)
}
/* Init the log file and enable logging */
void
InitPacketAliasLog(void)
PacketAliasSetTarget(struct in_addr target_addr)
{
if ((~packetAliasMode & PKT_ALIAS_LOG)
&& (monitorFile = fopen("/var/log/alias.log", "w")))
{
packetAliasMode |= PKT_ALIAS_LOG;
fprintf(monitorFile,
"PacketAlias/InitPacketAliasLog: Packet alias logging enabled.\n");
}
}
/* Close the log-file and disable logging. */
void
UninitPacketAliasLog(void)
{
if( monitorFile )
fclose(monitorFile);
packetAliasMode &= ~PKT_ALIAS_LOG;
targetAddress = target_addr;
}
void
InitPacketAlias(void)
PacketAliasInit(void)
{
int i;
struct timeval tv;
@ -1918,6 +1890,7 @@ InitPacketAlias(void)
}
aliasAddress.s_addr = 0;
targetAddress.s_addr = 0;
icmpLinkCount = 0;
udpLinkCount = 0;
@ -1929,19 +1902,14 @@ InitPacketAlias(void)
cleanupIndex =0;
packetAliasMode = PKT_ALIAS_SAME_PORTS
| PKT_ALIAS_USE_SOCKETS;
if (packetAliasMode & PKT_ALIAS_LOG)
{
InitPacketAliasLog();
fprintf(monitorFile, "Packet aliasing initialized.\n");
}
| PKT_ALIAS_USE_SOCKETS
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
}
/* Change mode for some operations */
unsigned int
SetPacketAliasMode
PacketAliasSetMode
(
unsigned int flags, /* Which state to bring flags to */
unsigned int mask /* Mask of which flags to affect (use 0 to do a
@ -1964,9 +1932,8 @@ SetPacketAliasMode
}
/*
Clear all packet aliasing links, but leave mode
flags unchanged. Typically used when the interface
address changes and all existing links become
invalid.
*/
int
PacketAliasCheckNewLink(void)
{
return newDefaultLink;
}

10
lib/libalias/alias_local.h
View File

@ -68,8 +68,6 @@ struct in_addr GetDestAddress(struct alias_link *);
struct in_addr GetAliasAddress(struct alias_link *);
struct in_addr GetDefaultAliasAddress(void);
void SetDefaultAliasAddress(struct in_addr);
void SetDefaultTargetAddress(struct in_addr);
void ClearDefaultTargetAddress(void);
u_short GetOriginalPort(struct alias_link *);
u_short GetAliasPort(struct alias_link *);
void SetAckModified(struct alias_link *);
@ -78,8 +76,7 @@ int GetDeltaAckIn(struct ip *, struct alias_link *);
int GetDeltaSeqOut(struct ip *, struct alias_link *);
void AddSeq(struct ip *, struct alias_link *, int);
void SetExpire(struct alias_link *, int);
void ClearNewDefaultLink(void);
int CheckNewDefaultLink(void);
void ClearCheckNewLink(void);
/* Housekeeping function */
void HouseKeeping(void);
@ -88,4 +85,9 @@ void HouseKeeping(void);
/*lint -save -library Suppress flexelint warnings */
void AliasHandleFtpOut(struct ip *, struct alias_link *, int);
void AliasHandleIrcOut(struct ip *pip, struct alias_link *link, int maxsize );
/* Log file control */
void InitPacketAliasLog(void);
void UninitPacketAliasLog(void);
/*lint -restore */

77
lib/libalias/alias_old.c Normal file
View File

@ -0,0 +1,77 @@
/*
This file can be considered a junk pile of old functions that
are either obsolete or have had their names changed. In the
transition from alias2.1 to alias2.2, all the function names
were rationalized so that they began with "PacketAlias..."
These functions are included for backwards compatibility.
*/
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include "alias.h"
#include "alias_local.h"
void
InitPacketAlias(void)
{
PacketAliasInit();
}
void
SetPacketAliasAddress(struct in_addr addr)
{
PacketAliasSetAddress(addr);
}
unsigned int
SetPacketAliasMode(unsigned int flags, unsigned int mask)
{
return PacketAliasSetMode(flags, mask);
}
int
PacketAliasPermanentLink(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
u_short alias_port, u_char proto)
{
struct alias_link *link;
struct in_addr null_address;
null_address.s_addr = 0;
link = PacketAliasRedirectPort(src_addr, src_port,
dst_addr, dst_port,
null_address, alias_port,
proto);
if (link == NULL)
return -1;
else
return 0;
}
int
SaveFragmentPtr(char *ptr)
{
return PacketAliasSaveFragment(ptr);
}
char *
GetNextFragmentPtr(char *ptr)
{
return PacketAliasGetFragment(ptr);
}
void
FragmentAliasIn(char *header, char *fragment)
{
PacketAliasFragmentIn(header, fragment);
}
u_short
InternetChecksum(u_short *ptr, int len)
{
return PacketAliasInternetChecksum(ptr, len);
}

6
lib/libalias/alias_util.c
View File

@ -26,10 +26,11 @@ purposes);
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include "alias.h"
#include "alias_local.h"
u_short
InternetChecksum(u_short *ptr, int nbytes)
PacketAliasInternetChecksum(u_short *ptr, int nbytes)
{
int sum, oddbyte;
@ -53,7 +54,8 @@ InternetChecksum(u_short *ptr, int nbytes)
u_short
IpChecksum(struct ip *pip)
{
return( InternetChecksum((u_short *) pip, (pip->ip_hl << 2)) );
return( PacketAliasInternetChecksum((u_short *) pip,
(pip->ip_hl << 2)) );
}

722
lib/libalias/libalias.3 Normal file
View File

@ -0,0 +1,722 @@
.Dd July, 1997
.Dt "libalias" 3
.Os
.Sh NAME
.Nm "libalias"
Packet Aliasing Library. A collection of
functions for aliasing and de-aliasing
of IP packets, intended for masquerading and
network address translation (NAT).
.Sh SYNOPSIS
.Fd #include <netinet/in.h>
.Fd #include <alias.h>
Function prototypes are given in the main body
of the text.
.Sh CONTENTS
.Bd -literal -offset left
1. Introduction
2. Initialization and Control
2.1 PacketAliasInit()
2.2 PacketAliasSetAddress()
2.3 PacketAliasSetMode()
3. Packet Handling
3.1 PacketAliasOut()
3.2 PacketAliasIn()
4. Port and Address Redirection
4.1 PacketAliasRedirectPort()
4.2 PacketAliasRedirectAddr()
4.3 PacketAliasRedirectDelete()
5. Fragment Handling
5.1 PacketAliasSaveFragment()
5.2 PacketAliasGetFragment()
5.3 PacketAliasFragmentIn()
6. Miscellaneous Functions
6.1 PacketAliasSetTarget()
6.2 PacketAliasCheckNewLink()
6.3 PacketAliasInternetChecksum()
7. Authors
8. Acknowledgments
Appendix A: Conceptual Background
A.1 Aliasing Links
A.2 Static and Dynamic Links
A.3 Partially Specified Links
A.4 Dynamic Link Creation
.Ed
.Sh 1. Introduction
This library is a moderately portable
set of functions designed to assist
in the process of IP masquerading and
network address translation. Outgoing
packets from a local network with
unregistered IP addresses can be aliased
to appear as if they came from an
accessible IP address. Incoming packets
are then de-aliased so that they are sent
to the correct machine on the local network.
A certain amount of flexibility is built
into the packet aliasing engine. In
the simplest mode of operation, a
many-to-one address mapping takes place
between local network and the packet
aliasing host. This is known as IP
masquerading. In addition, one-to-one
mappings between local and public addresses
can also be implemented, which is known as
static NAT. In between these extremes,
different groups of private addresses
can be linked to different public addresses,
comprising several distinct many-to-one
mappings. Also, a given public address
and port can be staticly redirected to
a private address/port.
The packet aliasing engine was designed
to operate in user space outside of the
kernel, without any access to private
kernel data structure, but the source code
can also be ported to a kernel environment.
.Sh 2. Initialization and Control
Two specific functions, PacketAliasInit()
and PacketAliasSetAddress(), must always be
called before any packet handling may be
performed. In addition, the operating mode
of the packet aliasing engine can be customized
by calling PacketAliasSetMode().
.Ss 2.1 PacketAliasInit()
.Ft void
.Fn PacketAliasInit "void"
This function has no argument or return
value and is used to initialize internal
data structures. The following mode bits
are always set after calling
PacketAliasInit(). See section 2.3 for
the meaning of these mode bits.
.Bd -literal -offset indent
PKT_ALIAS_USE_SAME_PORTS
PKT_ALIAS_USE_SOCKETS
PKT_ALIAS_RESET_ON_ADDR_CHANGE
.Ed
This function will always return the packet
aliasing engine to the same initial state.
PacketAliasSetAddress() must be called afterwards,
and any desired changes from the default mode
bits listed above require a call to
PacketAliasSetMode().
It is mandatory that this function be called
at the beginning of a program prior to any
packet handling.
.Ss 2.2 PacketAliasSetAddress()
.Ft void
.Fn PacketAliasSetAddress "struct in_addr addr"
This function sets the source address to which
outgoing packets from the local area network
are aliased. All outgoing packets are remapped
to this address unless overridden by a static
address mapping established by
PacketAliasRedirectAddr().
If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit
is set (the default mode of operation), then
the internal aliasing link tables will be reset
any time the aliasing address changes, as if
PacketAliasReset() were called. This is useful
for interfaces such as ppp where the IP
address may or may not change on successive
dial-up attempts.
If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit
is set to zero, this function can also be used to
dynamically change the aliasing address on a
packet to packet basis (it is a low overhead
call).
It is mandatory that this function be called
prior to any packet handling.
.Ss 2.3 PacketAliasSetMode()
.Ft void
.Fn PacketAliasSetMode "int mode" "int mask"
This function sets or clears mode bits
according to the value of
.Em mode .
Only bits marked in
.Em mask
are affected. The following mode bits are
defined in alias.h:
.Bl -hang -offset left
.It PKT_ALIAS_LOG.
Enables logging /var/log/alias.log. The log file
shows total numbers of links (icmp, tcp, udp) each
time an aliasing link is created or deleted. Mainly
useful for debugging when the log file is viewed
continuously with "tail -f".
.It PKT_ALIAS_DENY_INCOMING.
If this mode bit is set, all incoming packets
associated with new TCP connections or new
UDP transactions will be marked for being
ignored (PacketAliasIn() return code
PKT_ALIAS_IGNORED) by the calling program.
Response packets to connections or transactions
initiated from the packet aliasing host or
local network will be unaffected. This mode
bit is useful for implementing a one-way firewall.
.It PKT_ALIAS_SAME_PORTS.
If this mode bit is set, the packet aliasing
engine will attempt to leave the alias port
numbers unchanged from the actual local port
number. This can be done as long as the
quintuple (proto, alias addr, alias port,
remote addr, remote port) is unique. If a
conflict exists, an new aliasing port number is
chosen even if this mode bit is set.
.It PKT_ALIAS_USE_SOCKETS.
This bit should be set when the the packet
aliasing host originates network traffic as
well as forwards it. When the packet aliasing
host is waiting for a connection from an
unknown host address or unknown port number
(e.g. an FTP data connection), this mode bit
specifies that a socket be allocated as a place
holder to prevent port conflicts. Once a
connection is extablished, usually within a
minute or so, the socket is closed.
.It PKT_ALIAS_UNREGISTERED_ONLY.
If this mode bit is set, traffic on the
local network which does not originate from
unregistered address spaces will be ignored.
Standard Class A, B and C unregistered addresses
are:
.Bd -literal -offset indent
10.0.0.0 -> 10.255.255.255 (Class A subnet)
172.16.0.0 -> 172.31.255.255 (Class B subnets)
192.168.0.0 -> 192.168.255.255 (Class C subnets)
.Ed
This option is useful in the case that
packet aliasing host has both registered and
unregistered subnets on different interfaces.
The registered subnet is fully accessible to
the outside world, so traffic from it doesn't
need to be passed through the packet aliasing
engine.
.It PKT_ALIAS_RESET_ON_ADDR_CHANGE.
When this mode bit is set and
PacketAliasSetAddress() is called to change
the aliasing address, the internal link table
of the packet aliasing engine will be cleared.
This operating mode is useful for ppp links
where the interface address can sometimes
change or remain the same between dial-ups.
If this mode bit is not set, it the link table
will never be reset in the event of an
address change.
.El
.Sh 3. Packet Handling
The packet handling functions are used to
modify incoming (remote->local) and outgoing
(local->remote) packets. The calling program
is responsible for receiving and sending
packets via network interfaces.
Along with PacketAliasInit() and PacketAliasSetAddress(),
the two packet handling functions, PacketAliasIn()
and PacketAliasOut(), comprise minimal set of functions
needed for a basic IP masquerading implementation.
.Ss 3.1 PacketAliasIn()
.Ft int
.Fn PacketAliasIn "char *buffer" "int maxpacketsize"
An incoming packet coming from a remote machine to
the local network is de-aliased by this function.
The IP packet is pointed to by
.Em buffer ,
and
.Em maxpacketsize
indicates the size of the data structure containing
the packet and should be at least as large as the
actual packet size.
Return codes:
.Bl -hang -offset left
.It PKT_ALIAS_ERROR.
An internal error within the packet aliasing
engine occured.
.It PKT_ALIAS_OK.
The packet aliasing process was successful.
.It PKT_ALIAS_IGNORED.
The packet was ignored and not de-aliased.
This can happen if the protocal is unrecognized,
possibly an ICMP message type is not handled or
if incoming packets for new connections are being
ignored (see PKT_ALIAS_DENY_INCOMING in section
2.2).
.It PKT_ALIAS_UNRESOLVED_FRAGMENT.
This is returned when a fragment cannot be
resolved because the header fragment has not
been sent yet. In this situation, fragments
must be saved with PacketAliasSaveFragment()
until a header fragment is found.
.It PKT_ALIAS_FOUND_HEADER_FRAGMENT.
The packet aliasing process was successful,
and a header fragment was found. This is a
signal to retrieve any unresolved fragments
with PacketAliasGetFragment() and de-alias
them with PacketAliasFragmentIn().
.El
.Ss 3.2 PacketAliasOut()
.Ft int
.Fn PacketAliasIn "char *buffer" "int maxpacketsize"
An outgoing packet coming from the local network
to a remote machine is aliased by this function.
The IP packet is pointed to by
.Em buffer r,
and
.Em maxpacketsize
indicates the maximum packet size permissable
should the packet length be changed. IP encoding
protocols place addresss and port information in
the encapsulated data stream which have to be
modified and can account for changes in packet
length. Well known examples of such protocols
are FTP and IRC.
Return codes:
.Bl -hang -offset left
.It PKT_ALIAS_ERROR.
An internal error within the packet aliasing
engine occured.
.It PKT_ALIAS_OK.
The packet aliasing process was successful.
.It PKT_ALIAS_IGNORED.
The packet was ignored and not de-aliased.
This can happen if the protocal is unrecognized,
or possibly an ICMP message type is not handled.
.El
.Sh 4. Port and Address Redirection
The functions described in this section allow machines
on the local network to be accessible in some degree
to new incoming connections from the external network.
Individual ports can be re-mapped or static network
address translations can be designated.
.Ss 4.1 PacketAliasRedirectPort()
.Ft struct alias_link *
.Fo PacketAliasRedirectPort
.Fa "struct in_addr local_addr"
.Fa "u_short local_port"
.Fa "struct in_addr remote_addr"
.Fa "u_short remote_port"
.Fa "struct in_addr alias_addr"
.Fa "u_short alias_port"
.Fa "u_char proto"
.Fc
This function specifies that traffic from a
given remote address/port to an alias address/port
be redirected to a specified local address/port.
The paramater
.Em proto
can be either IPPROTO_TCP or IPPROTO_UDP, as
defined in <netinet/in.h>.
If
.Em local_addr
or
.Em alias_addr
is zero, this indicates that the packet aliasing
address as established by PacketAliasSetAddress()
is to be used. Even if PacketAliasAddress() is
called to change the address after PacketAliasRedirectPort()
is called, a zero reference will track this change.
If
.Em remote_addr
is zero, this indicates to redirect packets from
any remote address. Likewise, if
.Em remote_port
is zero, this indicates to redirect packets originating
from any remote port number. Almost always, the remote
port specification will be zero, but non-zero remote
addresses can be sometimes be useful for firewalling.
If two calls to PacketAliasRedirectPort() overlap in
their address/port specifications, then the most recent
call will have precedence.
This function returns a pointer which can subsequently
be used by PacketAliasRedirectDelete(). If NULL is
returned, then the function call did not complete
successfully.
All port numbers are in network address byte order,
so it is necessary to use htons() to convert these
parameters from internally readable numbers to
network byte order. Addresses are also in network
byte order, which is implicit in the use of the
.Em struct in_addr
data type.
.Ss 4.2 PacketAliasRedirectAddr()
.Ft struct alias_link *
.Fo PacketAliasRedirectAddress
.Fa "struct in_addr local_addr"
.Fa "struct in_addr alias_addr"
.Fc
This function desgnates that all incoming
traffic to
.Em alias_addr
be redirected to
.Em local_addr.
Similarly, all outgoing traffic from
.Em local_addr
is aliased to
.Em alias_addr .
If
.Em local_addr
or
.Em alias_addr
is zero, this indicates that the packet aliasing
address as established by PacketAliasSetAddress()
is to be used. Even if PacketAliasAddress() is
called to change the address after PacketAliasRedirectAddr()
is called, a zero reference will track this change.
If subsequent calls to PacketAliasRedirectAddr()
use the same aliasing address, all new incoming
traffic to this aliasing address will be redirected
to the local address made in the last function call,
but new traffic all of the local machines designated
in the several function calls will be aliased to
the same address. Consider the following example:
.Bd -literal -offset left
PacketAliasRedirectAddr(inet_aton("192.168.0.2"),
inet_aton("141.221.254.101"));
PacketAliasRedirectAddr(inet_aton("192.168.0.3"),
inet_aton("141.221.254.101"));
PacketAliasRedirectAddr(inet_aton("192.168.0.4"),
inet_aton("141.221.254.101"));
.Ed
Any outgoing connections such as telnet or ftp
from 192.168.0.2, 102.168.0.3, 192.168.0.4 will
appear to come from 141.221.254.101. Any incoming
connections to 141.221.254.101 will be directed
to 192.168.0.4.
Any calls to PacketAliasRedirectPort() will
have precedence over address mappings designated
by PacketAliasRedirectAddr().
This function returns a pointer which can subsequently
be used by PacketAliasRedirectDelete(). If NULL is
returned, then the function call did not complete
successfully.
.Ss 4.3 PacketAliasRedirectDelete()
.Ft void
.Fn PacketAliasRedirectDelete "struct alias_link *ptr"
This function will delete a specific static redirect
rule entered by PacketAliasRedirectPort() or
PacketAliasRedirectAddr(). The parameter
.Em ptr
is the pointer returned by either of the redirection
functions. If an invalid pointer is passed to
PacketAliasRedirectDelete(), then a program crash
or unpredictable operation could result, so it is
necessary to be careful using this function.
.Sh 5. Fragment Handling
The functions in this section are used to deal with
incoming fragments.
Outgoing fragments are handled within PacketAliasOut()
by changing the address according to any
applicable mapping set by PacketAliasRedirectAddress(),
or the default aliasing address set by
PacketAliasSetAddress().
Incoming fragments are handled in one of two ways.
If the header of a fragmented IP packet has already
been seen, then all subsequent fragments will be
re-mapped in the same manner the header fragment
was. Fragments which arrive before the header
are saved and then retrieved once the header fragment
has been resolved.
.Ss 5.1 PacketAliasSaveFragment()
.Ft int
.Fn PacketAliasSaveFragment "char *ptr"
When PacketAliasIn() returns
PKT_ALIAS_UNRESOLVED_FRAGMENT, this
function can be used to save the pointer to
the unresolved fragment.
It is implicitly assumed that
.Em ptr
points to a block of memory allocated by
malloc(). If the fragment is never
resolved, the packet aliasing engine will
automatically free the memory after a
timeout period. [Eventually this function
should be modified so that a callback
function for freeing memory is passed as
an argument.]
This function returns PKT_ALIAS_OK if it
was successful and PKT_ALIAS_ERROR if there
was an error.
.Ss 5.2 PacketAliasGetNextFragment()
.Ft char *
.Fn PacketAliasGetFragment "char *buffer"
This function can be used to retrieve fragment
pointers saved by PacketAliasSaveFragment().
The IP header fragment pointed to by
Em buffer
is the header fragment indicated when
PacketAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT.
Once a a fragment pointer is retrieved, it
becomes the calling program's responsibility
to free the dynamically allocated memory for
the fragment.
PacketAliasGetFragment() can be called
sequentially until there are no more fragments
available, at which time it returns NULL.
.Ss 5.3 PacketAliasFragmentIn()
.Ft void
.Fn PacketAliasFragmentIn "char *header" "char *fragment"
When a fragment is retrieved with
PacketAliasGetFragment(), it can then be
de-aliased with a call to PacketAliasFragmentIn().
.Em header
is the pointer to a header fragment used as a
template, and
.Em fragment
is the pointer to the packet to be de-aliased.
.Sh 6. Miscellaneous Functions
.Ss 6.1 PacketAliasSetTarget()
.Ft void
.Fn PacketAliasSetTarget "struct in_addr addr"
When an incoming packet not associated with
any pre-existing aliasing link arrives at the
host machine, it will be sent to the address
indicated by a call to PacketAliasSetTarget().
If this function is not called, or is called
with a zero address argument, then all new
incoming packets go to the address set by
PacketAliasSetAddress.
.Ss 6.2 PacketAliasCheckNewLink()
.Ft int
.Fn PacketAliasCheckNewLink "void"
This function returns a non-zero value when
a new aliasing link is created. In circumstances
where incoming traffic is being sequentially
sent to different local servers, this function
can be used to trigger when PacketAliasSetTarget()
is called to change the default target address.
.Ss 6.3 PacketAliasInternetChecksum()
.Ft u_short
.Fn PacketAliasInternetChecksum "char *buffer" "int nbytes"
This is a utility function that does not seem
to be available elswhere and is included as a
convenience. It computes the internet checksum,
which is used in both IP and protocol-specific
headers (TCP, UDP, ICMP).
.Em buffer
points to the data block to be checksummed, and
.Em nbytes
is the number of bytes. The 16-bit checksum
field should be zeroed before computing the checksum.
Checksums can also be verified by operating on a block
of data including its checksum. If the checksum is
valid, PacketAliasInternetChecksum() will return zero.
.Sh 7. Authors
Charles Mott (cmott@srv.net), versions 1.0 - 1.8, 2.0 - 2.2.
Eivind Eiklund (eivind@freebsd.org), versions 1.8b and 1.9.
Added IRC support as well as contributing a number of
architectural improvements.
.Sh 8. Acknowledgments
Listed below, in approximate chronological
order, are individuals who have provided
valuable comments and/or debugging assistance.
.Bl -inset -compact -offset left
.It Gary Roberts
.It Tom Torrance
.It Reto Burkhalter
.It Martin Renters
.It Brian Somers
.It Paul Traina
.It Ari Suutari
.It Dave Remien
.It J. Fortes
.It Andrzej Bialeki
.El
.Sh Appendix: Conceptual Background
This appendix is intended for those who
are planning to modify the source code or want
to create somewhat esoteric applications using
the packet aliasing functions.
The conceptual framework under which the
packet aliasing engine operates is described here.
Central to the discussion is the idea of an
"aliasing link" which describes the relationship
for a given packet transaction between the local
machine, aliased identity and remote machine. It
is discussed how such links come into existence
and are destroyed.
.Ss A.1 Aliasing Links
There is a notion of an "aliasing link",
which is 7-tuple describing a specific
translation:
.Bd -literal -offset indent
(local addr, local port, alias addr, alias port,
remote addr, remote port, protocol)
.Ed
Outgoing packets have the local address and
port number replaced with the alias address
and port number. Incoming packets undergo the
reverse process. The packet aliasing engine
attempts to match packets against an internal
table of aliasing links to determine how to
modify a given IP packet. Both the IP
header and protocol dependent headers are
modified as necessary. Aliasing links are
created and deleted as necessary according
to network traffic.
Protocols can be TCP, UDP or even ICMP in
certain circumstances. (Some types of ICMP
packets can be aliased according to sequence
or id number which acts as an equivalent port
number for identifying how individual packets
should be handled.)
Each aliasing link must have a unique
combination of the following five quanties:
alias address/port, remote address/port
and protocol. This ensures that several
machines on a local network can share the
same aliased IP address. In cases where
conflicts might arise, the aliasing port
is chosen so that uniqueness is maintained.
.Ss A.2 Static and Dynamic Links
Aliasing links can either be static or dynamic.
Static links persist indefinitely and represent
fixed rules for translating IP packets. Dynamic
links come into existence for a specific TCP
connection or UDP transaction or ICMP echo
sequence. For the case of TCP, the connection
can be monitored to see when the associated
aliasing link should be deleted. Aliasing links
for UDP transactions (and ICMP echo and timestamp
equests) work on a simple timeout rule. When
no activity is observed on a dynamic link for
a certain amount of time it is automatically
deleted. Timeout rules also apply to TCP
connections which do not open or close
properly.
.Ss A.3 Partially Specified Aliasing Links
Aliasing links can be partially specified,
meaning that the remote address and/or remote
ports are unkown. In this case, when a packet
matching the incomplete specification is found,
a fully specified dynamic link is created. If
the original partially specified link is dynamic,
it will be deleted after the fully specified link
is created, otherwise it will persist.
For instance, a partially specified link might
be
.Bd -literal -offset indent
(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp)
.Ed
The zeros denote unspecified components for
the remote address and port. If this link were
static it would have the effect of redirecting
all incoming traffic from port 8066 of
204.228.203.215 to port 23 (telnet) of machine
192.168.0.4 on the local network. Each
individual telnet connection would initiate
the creation of a distinct dynamic link.
.Ss A.4 Dynamic Link Creation
In addition to aliasing links, there are
also address mappings that can be stored
within the internal data table of the packet
aliasing mechanism.
.Bd -literal -offset indent
(local addr, alias addr)
.Ed
Address mappings are searched when creating
new dynamic links.
All outgoing packets from the local network
automatically create a dynamic link if
they do not match an already existing fully
specified link. If an address mapping exists
for the the outgoing packet, this determines
the alias address to be used. If no mapping
exists, then a default address, usually the
address of the packet aliasing host, is used.
If necessary, this default address can be
changed as often as each indvidual packet
arrives.
The aliasing port number is determined
such that the new dynamic link does not
conflict with any existing links. In the
default operating mode, the packet aliasing
engine attempts to set the aliasing port
equal to the local port number. If this
results in a conflict, then port numbers
are randomly chosen until a unique aliasing
link can be established. In an alternate
operating mode, the first choice of an
aliasing port is also random and unrelated
to the local port number.

105
sys/netinet/libalias/HISTORY Normal file
View File

@ -0,0 +1,105 @@
Version 1.0: August 11, 1996 (cjm)
Version 1.1: August 20, 1996 (cjm)
- Host accepts incoming connections for ports 0 to 1023.
Version 1.2: September 7, 1996 (cjm)
- Fragment handling error in alias_db.c corrected.
Version 1.3: September 15, 1996 (cjm)
- Generalized mechanism for handling incoming
connections (no more 0 to 1023 restriction).
- Increased ICMP support (will handle traceroute now).
- Improved TCP close connection logic.
Version 1.4: September 16, 1996 (cjm)
Version 1.5: September 17, 1996 (cjm)
- Corrected error in handling incoming UDP packets
with zero checksum.
Version 1.6: September 18, 1996
- Simplified ICMP data storage. Will now handle
tracert from Win95 and NT as well as FreeBSD
traceroute, which uses UDP packets to non-existent
ports.
Verstion 1.7: January 9, 1997 (cjm)
- Reduced malloc() activity for ICMP echo and
timestamp requests.
- Added handling for out-of-order IP fragments.
- Switched to differential checksum computation
for IP headers (TCP, UDP and ICMP checksums
were already differential).
- Accepts FTP data connections from other than
port 20. This allows one ftp connections
from two hosts which are both running packet
aliasing.
Version 1.8: January 14, 1997 (cjm)
- Fixed data type error in function StartPoint()
in alias_db.c (this bug did not exist before v1.7)
Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
- Added support for IRC DCC (ee)
- Changed the aliasing routines to use ANSI style
throughout (ee)
- Minor API changes for integration with other
programs than PPP (ee)
- Fixed minor security hole in alias_ftp.c for
other applications of the aliasing software.
Hole could _not_ manifest in ppp+pktAlias, but
could potentially manifest in other applications
of the aliasing. (ee)
- Connections initiated from packet aliasing
host machine will not have their port number
aliased unless it conflicts with an aliasing
port already being used. (There is an option
to disable this for debugging) (cjm)
- Sockets will be allocated in cases where
there might be port interference with the
host machine. This can be disabled in cases
where the ppp host will be acting purely as a
masquerading router and not generate any
traffic of its own.
(cjm)
Version 2.0: March, 1997 (cjm)
- Aliasing links are cleared only when a host interface address
changes.
- PacketAliasPermanentLink() API added.
- Option for only aliasing private, unregistered
IP addresses added.
- Substantial rework to the aliasing lookup engine.
Version 2.1: May, 1997 (cjm)
- Continuing rework to the aliasing lookup engine
to support multiple incoming addresses and static
NAT. PacketAliasRedirectPort() and
PacketAliasRedirectAddr() added to API.
- Now supports outgoing as well as incoming ICMP
error messges.
Version 2.2: July, 1997 (cjm)
- Rationalized API function names to all begin with
"PacketAlias..." Old function names are retained
for backwards compatitibility.
- Packet aliasing engine will now free memory of
fragments which are never resolved after a timeout
period. Once a fragment is resolved, it becomes
the users responsibility to free the memory.

5
sys/netinet/libalias/Makefile
View File

@ -1,8 +1,9 @@
LIB= alias
SHLIB_MAJOR= 2
SHLIB_MINOR= 1
SHLIB_MINOR= 2
CFLAGS+=-Wall -I${.CURDIR}
SRCS= alias.c alias_db.c alias_ftp.c alias_irc.c alias_util.c
SRCS= alias.c alias_db.c alias_ftp.c alias_irc.c alias_util.c alias_old.c
MAN3=libalias.3
beforeinstall:
${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 ${.CURDIR}/alias.h \

88
sys/netinet/libalias/alias.c
View File

@ -66,6 +66,13 @@
and PacketAliasOut2() for dynamic address
control (e.g. round-robin allocation of
incoming packets).
Version 2.2 July 1997 (cjm)
- Rationalized API function names to begin
with "PacketAlias..."
- Eliminated PacketAliasIn2() and
PacketAliasOut2() as poorly conceived.
*/
#include <stdio.h>
@ -884,20 +891,18 @@ FragmentOut(struct ip *pip)
/* Outside World Access
SaveFragmentPtr()
GetNextFragmentPtr()
FragmentAliasIn()
PacketAliasSaveFragment()
PacketAliasGetFragment()
PacketAliasFragmentIn()
PacketAliasIn()
PacketAliasOut()
PacketAliasIn2()
PacketAliasOut2()
(prototypes in alias.h)
*/
int
SaveFragmentPtr(char *ptr)
PacketAliasSaveFragment(char *ptr)
{
int iresult;
struct alias_link *link;
@ -916,7 +921,7 @@ SaveFragmentPtr(char *ptr)
char *
GetNextFragmentPtr(char *ptr)
PacketAliasGetFragment(char *ptr)
{
struct alias_link *link;
char *fptr;
@ -927,6 +932,7 @@ GetNextFragmentPtr(char *ptr)
if (link != NULL)
{
GetFragmentPtr(link, &fptr);
SetFragmentPtr(link, NULL);
SetExpire(link, 0); /* Deletes link */
return(fptr);
@ -939,11 +945,11 @@ GetNextFragmentPtr(char *ptr)
void
FragmentAliasIn(char *ptr, /* Points to correctly de-aliased
header fragment */
char *ptr_fragment /* Points to fragment which must
be de-aliased */
)
PacketAliasFragmentIn(char *ptr, /* Points to correctly de-aliased
header fragment */
char *ptr_fragment /* Points to fragment which must
be de-aliased */
)
{
struct ip *pip;
struct ip *fpip;
@ -967,6 +973,7 @@ PacketAliasIn(char *ptr, int maxpacketsize)
int iresult;
HouseKeeping();
ClearCheckNewLink();
pip = (struct ip *) ptr;
alias_addr = pip->ip_dst;
@ -1039,6 +1046,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
struct ip *pip;
HouseKeeping();
ClearCheckNewLink();
pip = (struct ip *) ptr;
addr_save = GetDefaultAliasAddress();
@ -1056,7 +1064,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER)
iclass = 1;
if (iclass == 0)
if (iclass != 0)
{
SetDefaultAliasAddress(pip->ip_src);
}
@ -1086,57 +1094,3 @@ PacketAliasOut(char *ptr, /* valid IP packet */
SetDefaultAliasAddress(addr_save);
return(iresult);
}
int
PacketAliasIn2(char *ptr, /* valid IP packet */
struct in_addr addr, /* Default aliasing address */
int maxpacketsize /* How much the packet data may grow
(FTP and IRC inline changes) */
)
{
int result_code;
struct in_addr addr_save;
ClearNewDefaultLink();
addr_save = GetDefaultAliasAddress();
SetDefaultTargetAddress(addr);
result_code = PacketAliasIn(ptr, maxpacketsize);
ClearDefaultTargetAddress();
if (result_code == PKT_ALIAS_OK)
{
if (CheckNewDefaultLink())
return PKT_ALIAS_NEW_LINK;
}
return result_code;
}
int
PacketAliasOut2(char *ptr, /* valid IP packet */
struct in_addr addr, /* Default aliasing address */
int maxpacketsize /* How much the packet data may grow
(FTP and IRC inline changes) */
)
{
int result_code;
struct in_addr addr_save;
ClearNewDefaultLink();
addr_save = GetDefaultAliasAddress();
SetDefaultAliasAddress(addr);
result_code = PacketAliasOut(ptr, maxpacketsize);
SetDefaultAliasAddress(addr_save);
if (result_code == PKT_ALIAS_OK)
{
if (CheckNewDefaultLink())
return PKT_ALIAS_NEW_LINK;
}
return result_code;
}

113
sys/netinet/libalias/alias.h
View File

@ -12,45 +12,82 @@
#ifndef _ALIAS_H_
#define _ALIAS_H_
/* Alias link representativei (incomplete struct) */
#ifndef NULL
#define NULL 0
#endif
/* Alias link representative (incomplete struct) */
struct alias_link;
/* External interfaces (API) to packet aliasing engine */
/* Initialization and Control */
extern void
PacketAliasInit(void);
extern void
PacketAliasSetAddress(struct in_addr);
extern unsigned int
PacketAliasSetMode(unsigned int, unsigned int);
/* Packet Handling */
extern int
PacketAliasIn(char *, int maxpacketsize);
extern int
PacketAliasOut(char *, int maxpacketsize);
/* Port and Address Redirection */
extern struct alias_link *
PacketAliasRedirectPort(struct in_addr, u_short,
struct in_addr, u_short,
struct in_addr, u_short,
u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
struct in_addr);
extern void
PacketAliasRedirectDelete(struct alias_link *);
/* Fragment Handling */
extern int
PacketAliasSaveFragment(char *);
extern char *
PacketAliasGetFragment(char *);
extern void
PacketAliasFragmentIn(char *, char *);
/* Miscellaneous Functions */
extern u_short
PacketAliasInternetChecksum(u_short *, int);
/*
In version 2.2, the function names were rationalized
to all be of the form PacketAlias... These are the
old function names for backwards compatibility
*/
extern int SaveFragmentPtr(char *);
extern char *GetNextFragmentPtr(char *);
extern void FragmentAliasIn(char *, char *);
extern int PacketAliasIn(char *, int maxpacketsize);
extern int PacketAliasOut(char *, int maxpacketsize);
extern int PacketAliasIn2(char *, struct in_addr, int maxpacketsize);
extern int PacketAliasOut2(char *, struct in_addr, int maxpacketsize);
extern void SetPacketAliasAddress(struct in_addr);
extern void InitPacketAlias(void);
extern void InitPacketAliasLog(void);
extern void UninitPacketAliasLog(void);
extern unsigned int SetPacketAliasMode(unsigned int, unsigned int);
extern struct alias_link *
PacketAliasRedirectPort(struct in_addr, u_short,
struct in_addr, u_short,
struct in_addr, u_short,
u_char);
extern int PacketAliasIn2(char *, struct in_addr, int maxpacketsize);
extern int PacketAliasOut2(char *, struct in_addr, int maxpacketsize);
extern int
PacketAliasPermanentLink(struct in_addr, u_short,
struct in_addr, u_short,
u_short, u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
struct in_addr);
void PacketAliasRedirectDelete(struct alias_link *);
/* InternetChecksum() is not specifically part of the
packet aliasing API, but is sometimes needed outside
the module. (~for instance, natd uses it to create
an ICMP error message when interface size is
exceeded.) */
extern u_short InternetChecksum(u_short *, int);
/* Obsolete constant */
#define PKT_ALIAS_NEW_LINK 5
/********************** Mode flags ********************/
/* Set these flags using SetPacketAliasMode() */
@ -58,25 +95,28 @@ extern u_short InternetChecksum(u_short *, int);
/* If PKT_ALIAS_LOG is set, a message will be printed to
/var/log/alias.log every time a link is created or deleted. This
is useful for debugging */
#define PKT_ALIAS_LOG 1
#define PKT_ALIAS_LOG 0x01
/* If PKT_ALIAS_DENY_INCOMING is set, then incoming connections (e.g.
to ftp, telnet or web servers will be prevented by the aliasing
mechanism. */
#define PKT_ALIAS_DENY_INCOMING 2
#define PKT_ALIAS_DENY_INCOMING 0x02
/* If PKT_ALIAS_SAME_PORTS is set, packets will be attempted sent from
the same port as they originated on. This allow eg rsh to work
the same port as they originated on. This allows eg rsh to work
*99% of the time*, but _not_ 100%. (It will be slightly flakey
instead of not working at all.) */
#define PKT_ALIAS_SAME_PORTS 4
instead of not working at all.) This mode bit is set by
PacketAliasInit(), so it is a default mode of operation. */
#define PKT_ALIAS_SAME_PORTS 0x04
/* If PKT_ALIAS_USE_SOCKETS is set, then when partially specified
links (e.g. destination port and/or address is zero), the packet
aliasing engine will attempt to allocate a socket for the aliasing
port it chooses. This will avoid interference with the host
machine. Fully specified links do not require this. */
#define PKT_ALIAS_USE_SOCKETS 8
machine. Fully specified links do not require this. This bit
is set after a call to PacketAliasInit(), so it is a default
mode of operation.*/
#define PKT_ALIAS_USE_SOCKETS 0x08
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with with
unregistered source addresses will be aliased (along with those
@ -86,9 +126,15 @@ extern u_short InternetChecksum(u_short *, int);
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255 */
#define PKT_ALIAS_UNREGISTERED_ONLY 16
#define PKT_ALIAS_UNREGISTERED_ONLY 0x10
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
aliasing links will be reset whenever PacketAliasSetAddress()
changes the default aliasing address. If the default aliasing
address is left unchanged by this functions call, then the
table of dynamic aliasing links will be left intact. This
bit is set after a call to PacketAliasInit(). */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
/* Return Codes */
#define PKT_ALIAS_ERROR -1
@ -96,7 +142,6 @@ extern u_short InternetChecksum(u_short *, int);
#define PKT_ALIAS_IGNORED 2
#define PKT_ALIAS_UNRESOLVED_FRAGMENT 3
#define PKT_ALIAS_FOUND_HEADER_FRAGMENT 4
#define PKT_ALIAS_NEW_LINK 5
#endif
/*lint -restore */

141
sys/netinet/libalias/alias_db.c
View File

@ -249,8 +249,8 @@ struct alias_link /* Main data structure */
union /* Auxiliary data */
{
struct in_addr frag_addr;
char *frag_ptr;
struct in_addr frag_addr;
struct tcp_dat *tcp;
} data;
};
@ -755,6 +755,8 @@ DeleteLink(struct alias_link *link)
break;
case LINK_FRAGMENT_PTR:
fragmentPtrLinkCount--;
if (link->data.frag_ptr != NULL)
free(link->data.frag_ptr);
break;
}
@ -1351,8 +1353,6 @@ FindAliasAddress(struct in_addr original_addr)
GetOriginalPort(), GetAliasPort()
SetAckModified(), GetAckModified()
GetDeltaAckIn(), GetDeltaSeqOut(), AddSeq()
ClearNewLink()
CheckNewLink()
*/
@ -1457,19 +1457,6 @@ SetDefaultAliasAddress(struct in_addr alias_addr)
}
void
SetDefaultTargetAddress(struct in_addr target_addr)
{
targetAddress = target_addr;
}
void ClearDefaultTargetAddress(void)
{
targetAddress.s_addr = 0;
}
u_short
GetOriginalPort(struct alias_link *link)
{
@ -1661,19 +1648,18 @@ SetExpire(struct alias_link *link, int expire)
}
void
ClearNewDefaultLink(void)
ClearCheckNewLink(void)
{
newDefaultLink = 0;
}
int
CheckNewDefaultLink(void)
{
return newDefaultLink;
}
/* Miscellaneous Functions
HouseKeeping()
InitPacketAliasLog()
UninitPacketAliasLog()
*/
/*
Whenever an outgoing or incoming packet is handled, HouseKeeping()
@ -1734,6 +1720,31 @@ HouseKeeping(void)
}
/* Init the log file and enable logging */
void
InitPacketAliasLog(void)
{
if ((~packetAliasMode & PKT_ALIAS_LOG)
&& (monitorFile = fopen("/var/log/alias.log", "w")))
{
packetAliasMode |= PKT_ALIAS_LOG;
fprintf(monitorFile,
"PacketAlias/InitPacketAliasLog: Packet alias logging enabled.\n");
}
}
/* Close the log-file and disable logging. */
void
UninitPacketAliasLog(void)
{
if( monitorFile )
fclose(monitorFile);
packetAliasMode &= ~PKT_ALIAS_LOG;
}
@ -1743,11 +1754,10 @@ HouseKeeping(void)
PacketAliasRedirectPort()
PacketAliasRedirectAddr()
SetPacketAliasAddress()
InitPacketAliasLog()
UninitPacketAliasLog()
InitPacketAlias()
SetPacketAliasMode()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
PacketAliasInit()
PacketAliasSetMode()
(prototypes in alias.h)
*/
@ -1795,28 +1805,6 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
}
/* This function is slightly less generalized than
PacketAliasRedirectPort and is included for backwards
compatibility */
int
PacketAliasPermanentLink(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
u_short alias_port, u_char proto)
{
struct alias_link *link;
link = PacketAliasRedirectPort(src_addr, src_port,
dst_addr, dst_port,
nullAddress, alias_port,
proto);
if (link == NULL)
return -1;
else
return 0;
}
/* Static address translation */
struct alias_link *
PacketAliasRedirectAddr(struct in_addr src_addr,
@ -1845,7 +1833,7 @@ PacketAliasRedirectAddr(struct in_addr src_addr,
void
PacketAliasRedirectDelete(struct alias_link *link)
{
/* This is a very dangerous function to put in the API,
/* This is a dangerous function to put in the API,
because an invalid pointer can crash the program. */
deleteAllLinks = 1;
@ -1855,9 +1843,10 @@ PacketAliasRedirectDelete(struct alias_link *link)
void
SetPacketAliasAddress(struct in_addr addr)
PacketAliasSetAddress(struct in_addr addr)
{
if (aliasAddress.s_addr != addr.s_addr)
if (packetAliasMode & PKT_ALIAS_RESET_ON_ADDR_CHANGE
&& aliasAddress.s_addr != addr.s_addr)
{
CleanupAliasData();
aliasAddress = addr;
@ -1865,32 +1854,15 @@ SetPacketAliasAddress(struct in_addr addr)
}
/* Init the log file and enable logging */
void
InitPacketAliasLog(void)
PacketAliasSetTarget(struct in_addr target_addr)
{
if ((~packetAliasMode & PKT_ALIAS_LOG)
&& (monitorFile = fopen("/var/log/alias.log", "w")))
{
packetAliasMode |= PKT_ALIAS_LOG;
fprintf(monitorFile,
"PacketAlias/InitPacketAliasLog: Packet alias logging enabled.\n");
}
}
/* Close the log-file and disable logging. */
void
UninitPacketAliasLog(void)
{
if( monitorFile )
fclose(monitorFile);
packetAliasMode &= ~PKT_ALIAS_LOG;
targetAddress = target_addr;
}
void
InitPacketAlias(void)
PacketAliasInit(void)
{
int i;
struct timeval tv;
@ -1918,6 +1890,7 @@ InitPacketAlias(void)
}
aliasAddress.s_addr = 0;
targetAddress.s_addr = 0;
icmpLinkCount = 0;
udpLinkCount = 0;
@ -1929,19 +1902,14 @@ InitPacketAlias(void)
cleanupIndex =0;
packetAliasMode = PKT_ALIAS_SAME_PORTS
| PKT_ALIAS_USE_SOCKETS;
if (packetAliasMode & PKT_ALIAS_LOG)
{
InitPacketAliasLog();
fprintf(monitorFile, "Packet aliasing initialized.\n");
}
| PKT_ALIAS_USE_SOCKETS
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
}
/* Change mode for some operations */
unsigned int
SetPacketAliasMode
PacketAliasSetMode
(
unsigned int flags, /* Which state to bring flags to */
unsigned int mask /* Mask of which flags to affect (use 0 to do a
@ -1964,9 +1932,8 @@ SetPacketAliasMode
}
/*
Clear all packet aliasing links, but leave mode
flags unchanged. Typically used when the interface
address changes and all existing links become
invalid.
*/
int
PacketAliasCheckNewLink(void)
{
return newDefaultLink;
}

10
sys/netinet/libalias/alias_local.h
View File

@ -68,8 +68,6 @@ struct in_addr GetDestAddress(struct alias_link *);
struct in_addr GetAliasAddress(struct alias_link *);
struct in_addr GetDefaultAliasAddress(void);
void SetDefaultAliasAddress(struct in_addr);
void SetDefaultTargetAddress(struct in_addr);
void ClearDefaultTargetAddress(void);
u_short GetOriginalPort(struct alias_link *);
u_short GetAliasPort(struct alias_link *);
void SetAckModified(struct alias_link *);
@ -78,8 +76,7 @@ int GetDeltaAckIn(struct ip *, struct alias_link *);
int GetDeltaSeqOut(struct ip *, struct alias_link *);
void AddSeq(struct ip *, struct alias_link *, int);
void SetExpire(struct alias_link *, int);
void ClearNewDefaultLink(void);
int CheckNewDefaultLink(void);
void ClearCheckNewLink(void);
/* Housekeeping function */
void HouseKeeping(void);
@ -88,4 +85,9 @@ void HouseKeeping(void);
/*lint -save -library Suppress flexelint warnings */
void AliasHandleFtpOut(struct ip *, struct alias_link *, int);
void AliasHandleIrcOut(struct ip *pip, struct alias_link *link, int maxsize );
/* Log file control */
void InitPacketAliasLog(void);
void UninitPacketAliasLog(void);
/*lint -restore */

77
sys/netinet/libalias/alias_old.c Normal file
View File

@ -0,0 +1,77 @@
/*
This file can be considered a junk pile of old functions that
are either obsolete or have had their names changed. In the
transition from alias2.1 to alias2.2, all the function names
were rationalized so that they began with "PacketAlias..."
These functions are included for backwards compatibility.
*/
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include "alias.h"
#include "alias_local.h"
void
InitPacketAlias(void)
{
PacketAliasInit();
}
void
SetPacketAliasAddress(struct in_addr addr)
{
PacketAliasSetAddress(addr);
}
unsigned int
SetPacketAliasMode(unsigned int flags, unsigned int mask)
{
return PacketAliasSetMode(flags, mask);
}
int
PacketAliasPermanentLink(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
u_short alias_port, u_char proto)
{
struct alias_link *link;
struct in_addr null_address;
null_address.s_addr = 0;
link = PacketAliasRedirectPort(src_addr, src_port,
dst_addr, dst_port,
null_address, alias_port,
proto);
if (link == NULL)
return -1;
else
return 0;
}
int
SaveFragmentPtr(char *ptr)
{
return PacketAliasSaveFragment(ptr);
}
char *
GetNextFragmentPtr(char *ptr)
{
return PacketAliasGetFragment(ptr);
}
void
FragmentAliasIn(char *header, char *fragment)
{
PacketAliasFragmentIn(header, fragment);
}
u_short
InternetChecksum(u_short *ptr, int len)
{
return PacketAliasInternetChecksum(ptr, len);
}

6
sys/netinet/libalias/alias_util.c
View File

@ -26,10 +26,11 @@ purposes);
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include "alias.h"
#include "alias_local.h"
u_short
InternetChecksum(u_short *ptr, int nbytes)
PacketAliasInternetChecksum(u_short *ptr, int nbytes)
{
int sum, oddbyte;
@ -53,7 +54,8 @@ InternetChecksum(u_short *ptr, int nbytes)
u_short
IpChecksum(struct ip *pip)
{
return( InternetChecksum((u_short *) pip, (pip->ip_hl << 2)) );
return( PacketAliasInternetChecksum((u_short *) pip,
(pip->ip_hl << 2)) );
}

722
sys/netinet/libalias/libalias.3 Normal file
View File

@ -0,0 +1,722 @@
.Dd July, 1997
.Dt "libalias" 3
.Os
.Sh NAME
.Nm "libalias"
Packet Aliasing Library. A collection of
functions for aliasing and de-aliasing
of IP packets, intended for masquerading and
network address translation (NAT).
.Sh SYNOPSIS
.Fd #include <netinet/in.h>
.Fd #include <alias.h>
Function prototypes are given in the main body
of the text.
.Sh CONTENTS
.Bd -literal -offset left
1. Introduction
2. Initialization and Control
2.1 PacketAliasInit()
2.2 PacketAliasSetAddress()
2.3 PacketAliasSetMode()
3. Packet Handling
3.1 PacketAliasOut()
3.2 PacketAliasIn()
4. Port and Address Redirection
4.1 PacketAliasRedirectPort()
4.2 PacketAliasRedirectAddr()
4.3 PacketAliasRedirectDelete()
5. Fragment Handling
5.1 PacketAliasSaveFragment()
5.2 PacketAliasGetFragment()
5.3 PacketAliasFragmentIn()
6. Miscellaneous Functions
6.1 PacketAliasSetTarget()
6.2 PacketAliasCheckNewLink()
6.3 PacketAliasInternetChecksum()
7. Authors
8. Acknowledgments
Appendix A: Conceptual Background
A.1 Aliasing Links
A.2 Static and Dynamic Links
A.3 Partially Specified Links
A.4 Dynamic Link Creation
.Ed
.Sh 1. Introduction
This library is a moderately portable
set of functions designed to assist
in the process of IP masquerading and
network address translation. Outgoing
packets from a local network with
unregistered IP addresses can be aliased
to appear as if they came from an
accessible IP address. Incoming packets
are then de-aliased so that they are sent
to the correct machine on the local network.
A certain amount of flexibility is built
into the packet aliasing engine. In
the simplest mode of operation, a
many-to-one address mapping takes place
between local network and the packet
aliasing host. This is known as IP
masquerading. In addition, one-to-one
mappings between local and public addresses
can also be implemented, which is known as
static NAT. In between these extremes,
different groups of private addresses
can be linked to different public addresses,
comprising several distinct many-to-one
mappings. Also, a given public address
and port can be staticly redirected to
a private address/port.
The packet aliasing engine was designed
to operate in user space outside of the
kernel, without any access to private
kernel data structure, but the source code
can also be ported to a kernel environment.
.Sh 2. Initialization and Control
Two specific functions, PacketAliasInit()
and PacketAliasSetAddress(), must always be
called before any packet handling may be
performed. In addition, the operating mode
of the packet aliasing engine can be customized
by calling PacketAliasSetMode().
.Ss 2.1 PacketAliasInit()
.Ft void
.Fn PacketAliasInit "void"
This function has no argument or return
value and is used to initialize internal
data structures. The following mode bits
are always set after calling
PacketAliasInit(). See section 2.3 for
the meaning of these mode bits.
.Bd -literal -offset indent
PKT_ALIAS_USE_SAME_PORTS
PKT_ALIAS_USE_SOCKETS
PKT_ALIAS_RESET_ON_ADDR_CHANGE
.Ed
This function will always return the packet
aliasing engine to the same initial state.
PacketAliasSetAddress() must be called afterwards,
and any desired changes from the default mode
bits listed above require a call to
PacketAliasSetMode().
It is mandatory that this function be called
at the beginning of a program prior to any
packet handling.
.Ss 2.2 PacketAliasSetAddress()
.Ft void
.Fn PacketAliasSetAddress "struct in_addr addr"
This function sets the source address to which
outgoing packets from the local area network
are aliased. All outgoing packets are remapped
to this address unless overridden by a static
address mapping established by
PacketAliasRedirectAddr().
If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit
is set (the default mode of operation), then
the internal aliasing link tables will be reset
any time the aliasing address changes, as if
PacketAliasReset() were called. This is useful
for interfaces such as ppp where the IP
address may or may not change on successive
dial-up attempts.
If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit
is set to zero, this function can also be used to
dynamically change the aliasing address on a
packet to packet basis (it is a low overhead
call).
It is mandatory that this function be called
prior to any packet handling.
.Ss 2.3 PacketAliasSetMode()
.Ft void
.Fn PacketAliasSetMode "int mode" "int mask"
This function sets or clears mode bits
according to the value of
.Em mode .
Only bits marked in
.Em mask
are affected. The following mode bits are
defined in alias.h:
.Bl -hang -offset left
.It PKT_ALIAS_LOG.
Enables logging /var/log/alias.log. The log file
shows total numbers of links (icmp, tcp, udp) each
time an aliasing link is created or deleted. Mainly
useful for debugging when the log file is viewed
continuously with "tail -f".
.It PKT_ALIAS_DENY_INCOMING.
If this mode bit is set, all incoming packets
associated with new TCP connections or new
UDP transactions will be marked for being
ignored (PacketAliasIn() return code
PKT_ALIAS_IGNORED) by the calling program.
Response packets to connections or transactions
initiated from the packet aliasing host or
local network will be unaffected. This mode
bit is useful for implementing a one-way firewall.
.It PKT_ALIAS_SAME_PORTS.
If this mode bit is set, the packet aliasing
engine will attempt to leave the alias port
numbers unchanged from the actual local port
number. This can be done as long as the
quintuple (proto, alias addr, alias port,
remote addr, remote port) is unique. If a
conflict exists, an new aliasing port number is
chosen even if this mode bit is set.
.It PKT_ALIAS_USE_SOCKETS.
This bit should be set when the the packet
aliasing host originates network traffic as
well as forwards it. When the packet aliasing
host is waiting for a connection from an
unknown host address or unknown port number
(e.g. an FTP data connection), this mode bit
specifies that a socket be allocated as a place
holder to prevent port conflicts. Once a
connection is extablished, usually within a
minute or so, the socket is closed.
.It PKT_ALIAS_UNREGISTERED_ONLY.
If this mode bit is set, traffic on the
local network which does not originate from
unregistered address spaces will be ignored.
Standard Class A, B and C unregistered addresses
are:
.Bd -literal -offset indent
10.0.0.0 -> 10.255.255.255 (Class A subnet)
172.16.0.0 -> 172.31.255.255 (Class B subnets)
192.168.0.0 -> 192.168.255.255 (Class C subnets)
.Ed
This option is useful in the case that
packet aliasing host has both registered and
unregistered subnets on different interfaces.
The registered subnet is fully accessible to
the outside world, so traffic from it doesn't
need to be passed through the packet aliasing
engine.
.It PKT_ALIAS_RESET_ON_ADDR_CHANGE.
When this mode bit is set and
PacketAliasSetAddress() is called to change
the aliasing address, the internal link table
of the packet aliasing engine will be cleared.
This operating mode is useful for ppp links
where the interface address can sometimes
change or remain the same between dial-ups.
If this mode bit is not set, it the link table
will never be reset in the event of an
address change.
.El
.Sh 3. Packet Handling
The packet handling functions are used to
modify incoming (remote->local) and outgoing
(local->remote) packets. The calling program
is responsible for receiving and sending
packets via network interfaces.
Along with PacketAliasInit() and PacketAliasSetAddress(),
the two packet handling functions, PacketAliasIn()
and PacketAliasOut(), comprise minimal set of functions
needed for a basic IP masquerading implementation.
.Ss 3.1 PacketAliasIn()
.Ft int
.Fn PacketAliasIn "char *buffer" "int maxpacketsize"
An incoming packet coming from a remote machine to
the local network is de-aliased by this function.
The IP packet is pointed to by
.Em buffer ,
and
.Em maxpacketsize
indicates the size of the data structure containing
the packet and should be at least as large as the
actual packet size.
Return codes:
.Bl -hang -offset left
.It PKT_ALIAS_ERROR.
An internal error within the packet aliasing
engine occured.
.It PKT_ALIAS_OK.
The packet aliasing process was successful.
.It PKT_ALIAS_IGNORED.
The packet was ignored and not de-aliased.
This can happen if the protocal is unrecognized,
possibly an ICMP message type is not handled or
if incoming packets for new connections are being
ignored (see PKT_ALIAS_DENY_INCOMING in section
2.2).
.It PKT_ALIAS_UNRESOLVED_FRAGMENT.
This is returned when a fragment cannot be
resolved because the header fragment has not
been sent yet. In this situation, fragments
must be saved with PacketAliasSaveFragment()
until a header fragment is found.
.It PKT_ALIAS_FOUND_HEADER_FRAGMENT.
The packet aliasing process was successful,
and a header fragment was found. This is a
signal to retrieve any unresolved fragments
with PacketAliasGetFragment() and de-alias
them with PacketAliasFragmentIn().
.El
.Ss 3.2 PacketAliasOut()
.Ft int
.Fn PacketAliasIn "char *buffer" "int maxpacketsize"
An outgoing packet coming from the local network
to a remote machine is aliased by this function.
The IP packet is pointed to by
.Em buffer r,
and
.Em maxpacketsize
indicates the maximum packet size permissable
should the packet length be changed. IP encoding
protocols place addresss and port information in
the encapsulated data stream which have to be
modified and can account for changes in packet
length. Well known examples of such protocols
are FTP and IRC.
Return codes:
.Bl -hang -offset left
.It PKT_ALIAS_ERROR.
An internal error within the packet aliasing
engine occured.
.It PKT_ALIAS_OK.
The packet aliasing process was successful.
.It PKT_ALIAS_IGNORED.
The packet was ignored and not de-aliased.
This can happen if the protocal is unrecognized,
or possibly an ICMP message type is not handled.
.El
.Sh 4. Port and Address Redirection
The functions described in this section allow machines
on the local network to be accessible in some degree
to new incoming connections from the external network.
Individual ports can be re-mapped or static network
address translations can be designated.
.Ss 4.1 PacketAliasRedirectPort()
.Ft struct alias_link *
.Fo PacketAliasRedirectPort
.Fa "struct in_addr local_addr"
.Fa "u_short local_port"
.Fa "struct in_addr remote_addr"
.Fa "u_short remote_port"
.Fa "struct in_addr alias_addr"
.Fa "u_short alias_port"
.Fa "u_char proto"
.Fc
This function specifies that traffic from a
given remote address/port to an alias address/port
be redirected to a specified local address/port.
The paramater
.Em proto
can be either IPPROTO_TCP or IPPROTO_UDP, as
defined in <netinet/in.h>.
If
.Em local_addr
or
.Em alias_addr
is zero, this indicates that the packet aliasing
address as established by PacketAliasSetAddress()
is to be used. Even if PacketAliasAddress() is
called to change the address after PacketAliasRedirectPort()
is called, a zero reference will track this change.
If
.Em remote_addr
is zero, this indicates to redirect packets from
any remote address. Likewise, if
.Em remote_port
is zero, this indicates to redirect packets originating
from any remote port number. Almost always, the remote
port specification will be zero, but non-zero remote
addresses can be sometimes be useful for firewalling.
If two calls to PacketAliasRedirectPort() overlap in
their address/port specifications, then the most recent
call will have precedence.
This function returns a pointer which can subsequently
be used by PacketAliasRedirectDelete(). If NULL is
returned, then the function call did not complete
successfully.
All port numbers are in network address byte order,
so it is necessary to use htons() to convert these
parameters from internally readable numbers to
network byte order. Addresses are also in network
byte order, which is implicit in the use of the
.Em struct in_addr
data type.
.Ss 4.2 PacketAliasRedirectAddr()
.Ft struct alias_link *
.Fo PacketAliasRedirectAddress
.Fa "struct in_addr local_addr"
.Fa "struct in_addr alias_addr"
.Fc
This function desgnates that all incoming
traffic to
.Em alias_addr
be redirected to
.Em local_addr.
Similarly, all outgoing traffic from
.Em local_addr
is aliased to
.Em alias_addr .
If
.Em local_addr
or
.Em alias_addr
is zero, this indicates that the packet aliasing
address as established by PacketAliasSetAddress()
is to be used. Even if PacketAliasAddress() is
called to change the address after PacketAliasRedirectAddr()
is called, a zero reference will track this change.
If subsequent calls to PacketAliasRedirectAddr()
use the same aliasing address, all new incoming
traffic to this aliasing address will be redirected
to the local address made in the last function call,
but new traffic all of the local machines designated
in the several function calls will be aliased to
the same address. Consider the following example:
.Bd -literal -offset left
PacketAliasRedirectAddr(inet_aton("192.168.0.2"),
inet_aton("141.221.254.101"));
PacketAliasRedirectAddr(inet_aton("192.168.0.3"),
inet_aton("141.221.254.101"));
PacketAliasRedirectAddr(inet_aton("192.168.0.4"),
inet_aton("141.221.254.101"));
.Ed
Any outgoing connections such as telnet or ftp
from 192.168.0.2, 102.168.0.3, 192.168.0.4 will
appear to come from 141.221.254.101. Any incoming
connections to 141.221.254.101 will be directed
to 192.168.0.4.
Any calls to PacketAliasRedirectPort() will
have precedence over address mappings designated
by PacketAliasRedirectAddr().
This function returns a pointer which can subsequently
be used by PacketAliasRedirectDelete(). If NULL is
returned, then the function call did not complete
successfully.
.Ss 4.3 PacketAliasRedirectDelete()
.Ft void
.Fn PacketAliasRedirectDelete "struct alias_link *ptr"
This function will delete a specific static redirect
rule entered by PacketAliasRedirectPort() or
PacketAliasRedirectAddr(). The parameter
.Em ptr
is the pointer returned by either of the redirection
functions. If an invalid pointer is passed to
PacketAliasRedirectDelete(), then a program crash
or unpredictable operation could result, so it is
necessary to be careful using this function.
.Sh 5. Fragment Handling
The functions in this section are used to deal with
incoming fragments.
Outgoing fragments are handled within PacketAliasOut()
by changing the address according to any
applicable mapping set by PacketAliasRedirectAddress(),
or the default aliasing address set by
PacketAliasSetAddress().
Incoming fragments are handled in one of two ways.
If the header of a fragmented IP packet has already
been seen, then all subsequent fragments will be
re-mapped in the same manner the header fragment
was. Fragments which arrive before the header
are saved and then retrieved once the header fragment
has been resolved.
.Ss 5.1 PacketAliasSaveFragment()
.Ft int
.Fn PacketAliasSaveFragment "char *ptr"
When PacketAliasIn() returns
PKT_ALIAS_UNRESOLVED_FRAGMENT, this
function can be used to save the pointer to
the unresolved fragment.
It is implicitly assumed that
.Em ptr
points to a block of memory allocated by
malloc(). If the fragment is never
resolved, the packet aliasing engine will
automatically free the memory after a
timeout period. [Eventually this function
should be modified so that a callback
function for freeing memory is passed as
an argument.]
This function returns PKT_ALIAS_OK if it
was successful and PKT_ALIAS_ERROR if there
was an error.
.Ss 5.2 PacketAliasGetNextFragment()
.Ft char *
.Fn PacketAliasGetFragment "char *buffer"
This function can be used to retrieve fragment
pointers saved by PacketAliasSaveFragment().
The IP header fragment pointed to by
Em buffer
is the header fragment indicated when
PacketAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT.
Once a a fragment pointer is retrieved, it
becomes the calling program's responsibility
to free the dynamically allocated memory for
the fragment.
PacketAliasGetFragment() can be called
sequentially until there are no more fragments
available, at which time it returns NULL.
.Ss 5.3 PacketAliasFragmentIn()
.Ft void
.Fn PacketAliasFragmentIn "char *header" "char *fragment"
When a fragment is retrieved with
PacketAliasGetFragment(), it can then be
de-aliased with a call to PacketAliasFragmentIn().
.Em header
is the pointer to a header fragment used as a
template, and
.Em fragment
is the pointer to the packet to be de-aliased.
.Sh 6. Miscellaneous Functions
.Ss 6.1 PacketAliasSetTarget()
.Ft void
.Fn PacketAliasSetTarget "struct in_addr addr"
When an incoming packet not associated with
any pre-existing aliasing link arrives at the
host machine, it will be sent to the address
indicated by a call to PacketAliasSetTarget().
If this function is not called, or is called
with a zero address argument, then all new
incoming packets go to the address set by
PacketAliasSetAddress.
.Ss 6.2 PacketAliasCheckNewLink()
.Ft int
.Fn PacketAliasCheckNewLink "void"
This function returns a non-zero value when
a new aliasing link is created. In circumstances
where incoming traffic is being sequentially
sent to different local servers, this function
can be used to trigger when PacketAliasSetTarget()
is called to change the default target address.
.Ss 6.3 PacketAliasInternetChecksum()
.Ft u_short
.Fn PacketAliasInternetChecksum "char *buffer" "int nbytes"
This is a utility function that does not seem
to be available elswhere and is included as a
convenience. It computes the internet checksum,
which is used in both IP and protocol-specific
headers (TCP, UDP, ICMP).
.Em buffer
points to the data block to be checksummed, and
.Em nbytes
is the number of bytes. The 16-bit checksum
field should be zeroed before computing the checksum.
Checksums can also be verified by operating on a block
of data including its checksum. If the checksum is
valid, PacketAliasInternetChecksum() will return zero.
.Sh 7. Authors
Charles Mott (cmott@srv.net), versions 1.0 - 1.8, 2.0 - 2.2.
Eivind Eiklund (eivind@freebsd.org), versions 1.8b and 1.9.
Added IRC support as well as contributing a number of
architectural improvements.
.Sh 8. Acknowledgments
Listed below, in approximate chronological
order, are individuals who have provided
valuable comments and/or debugging assistance.
.Bl -inset -compact -offset left
.It Gary Roberts
.It Tom Torrance
.It Reto Burkhalter
.It Martin Renters
.It Brian Somers
.It Paul Traina
.It Ari Suutari
.It Dave Remien
.It J. Fortes
.It Andrzej Bialeki
.El
.Sh Appendix: Conceptual Background
This appendix is intended for those who
are planning to modify the source code or want
to create somewhat esoteric applications using
the packet aliasing functions.
The conceptual framework under which the
packet aliasing engine operates is described here.
Central to the discussion is the idea of an
"aliasing link" which describes the relationship
for a given packet transaction between the local
machine, aliased identity and remote machine. It
is discussed how such links come into existence
and are destroyed.
.Ss A.1 Aliasing Links
There is a notion of an "aliasing link",
which is 7-tuple describing a specific
translation:
.Bd -literal -offset indent
(local addr, local port, alias addr, alias port,
remote addr, remote port, protocol)
.Ed
Outgoing packets have the local address and
port number replaced with the alias address
and port number. Incoming packets undergo the
reverse process. The packet aliasing engine
attempts to match packets against an internal
table of aliasing links to determine how to
modify a given IP packet. Both the IP
header and protocol dependent headers are
modified as necessary. Aliasing links are
created and deleted as necessary according
to network traffic.
Protocols can be TCP, UDP or even ICMP in
certain circumstances. (Some types of ICMP
packets can be aliased according to sequence
or id number which acts as an equivalent port
number for identifying how individual packets
should be handled.)
Each aliasing link must have a unique
combination of the following five quanties:
alias address/port, remote address/port
and protocol. This ensures that several
machines on a local network can share the
same aliased IP address. In cases where
conflicts might arise, the aliasing port
is chosen so that uniqueness is maintained.
.Ss A.2 Static and Dynamic Links
Aliasing links can either be static or dynamic.
Static links persist indefinitely and represent
fixed rules for translating IP packets. Dynamic
links come into existence for a specific TCP
connection or UDP transaction or ICMP echo
sequence. For the case of TCP, the connection
can be monitored to see when the associated
aliasing link should be deleted. Aliasing links
for UDP transactions (and ICMP echo and timestamp
equests) work on a simple timeout rule. When
no activity is observed on a dynamic link for
a certain amount of time it is automatically
deleted. Timeout rules also apply to TCP
connections which do not open or close
properly.
.Ss A.3 Partially Specified Aliasing Links
Aliasing links can be partially specified,
meaning that the remote address and/or remote
ports are unkown. In this case, when a packet
matching the incomplete specification is found,
a fully specified dynamic link is created. If
the original partially specified link is dynamic,
it will be deleted after the fully specified link
is created, otherwise it will persist.
For instance, a partially specified link might
be
.Bd -literal -offset indent
(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp)
.Ed
The zeros denote unspecified components for
the remote address and port. If this link were
static it would have the effect of redirecting
all incoming traffic from port 8066 of
204.228.203.215 to port 23 (telnet) of machine
192.168.0.4 on the local network. Each
individual telnet connection would initiate
the creation of a distinct dynamic link.
.Ss A.4 Dynamic Link Creation
In addition to aliasing links, there are
also address mappings that can be stored
within the internal data table of the packet
aliasing mechanism.
.Bd -literal -offset indent
(local addr, alias addr)
.Ed
Address mappings are searched when creating
new dynamic links.
All outgoing packets from the local network
automatically create a dynamic link if
they do not match an already existing fully
specified link. If an address mapping exists
for the the outgoing packet, this determines
the alias address to be used. If no mapping
exists, then a default address, usually the
address of the packet aliasing host, is used.
If necessary, this default address can be
changed as often as each indvidual packet
arrives.
The aliasing port number is determined
such that the new dynamic link does not
conflict with any existing links. In the
default operating mode, the packet aliasing
engine attempts to set the aliasing port
equal to the local port number. If this
results in a conflict, then port numbers
are randomly chosen until a unique aliasing
link can be established. In an alternate
operating mode, the first choice of an
aliasing port is also random and unrelated
to the local port number.