Replace PacketAliasRedirectPptp() (which had nothing specific
to PPTP) with more generic PacketAliasRedirectProto(). Major number is not bumped because it is believed that no one has started using PacketAliasRedirectPptp() yet.
This commit is contained in:
parent
b673230313
commit
8060760500
@ -178,6 +178,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
|
||||
|
||||
IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2(), IcmpAliasIn3()
|
||||
IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2(), IcmpAliasOut3()
|
||||
ProtoAliasIn(), ProtoAliasOut()
|
||||
UdpAliasIn(), UdpAliasOut()
|
||||
TcpAliasIn(), TcpAliasOut()
|
||||
|
||||
@ -224,6 +225,9 @@ static int IcmpAliasOut2(struct ip *);
|
||||
static int IcmpAliasOut3(struct ip *);
|
||||
static int IcmpAliasOut (struct ip *);
|
||||
|
||||
static int ProtoAliasIn(struct ip *);
|
||||
static int ProtoAliasOut(struct ip *);
|
||||
|
||||
static int UdpAliasOut(struct ip *);
|
||||
static int UdpAliasIn (struct ip *);
|
||||
|
||||
@ -653,10 +657,10 @@ IcmpAliasOut(struct ip *pip)
|
||||
|
||||
|
||||
static int
|
||||
PptpAliasIn(struct ip *pip)
|
||||
ProtoAliasIn(struct ip *pip)
|
||||
{
|
||||
/*
|
||||
Handle incoming PPTP packets. The
|
||||
Handle incoming IP packets. The
|
||||
only thing which is done in this case is to alias
|
||||
the dest IP address of the packet to our inside
|
||||
machine.
|
||||
@ -667,10 +671,7 @@ PptpAliasIn(struct ip *pip)
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
link = FindPptpIn(pip->ip_src, pip->ip_dst);
|
||||
link = FindProtoIn(pip->ip_src, pip->ip_dst, pip->ip_p);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr original_address;
|
||||
@ -691,10 +692,10 @@ PptpAliasIn(struct ip *pip)
|
||||
|
||||
|
||||
static int
|
||||
PptpAliasOut(struct ip *pip)
|
||||
ProtoAliasOut(struct ip *pip)
|
||||
{
|
||||
/*
|
||||
Handle outgoing PPTP packets. The
|
||||
Handle outgoing IP packets. The
|
||||
only thing which is done in this case is to alias
|
||||
the source IP address of the packet.
|
||||
*/
|
||||
@ -704,10 +705,7 @@ PptpAliasOut(struct ip *pip)
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
link = FindPptpOut(pip->ip_src, pip->ip_dst);
|
||||
link = FindProtoOut(pip->ip_src, pip->ip_dst, pip->ip_p);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr alias_address;
|
||||
@ -1303,10 +1301,8 @@ PacketAliasIn(char *ptr, int maxpacketsize)
|
||||
case IPPROTO_TCP:
|
||||
iresult = TcpAliasIn(pip);
|
||||
break;
|
||||
case IPPROTO_GRE:
|
||||
case IPPROTO_ESP:
|
||||
case IPPROTO_AH:
|
||||
iresult = PptpAliasIn(pip);
|
||||
default:
|
||||
iresult = ProtoAliasIn(pip);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -1411,10 +1407,8 @@ PacketAliasOut(char *ptr, /* valid IP packet */
|
||||
case IPPROTO_TCP:
|
||||
iresult = TcpAliasOut(pip, maxpacketsize);
|
||||
break;
|
||||
case IPPROTO_GRE:
|
||||
case IPPROTO_ESP:
|
||||
case IPPROTO_AH:
|
||||
iresult = PptpAliasOut(pip);
|
||||
default:
|
||||
iresult = ProtoAliasOut(pip);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
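Review bot: The `default:` arm added to the PacketAliasIn() switch carries no comment on what it costs: every IP protocol other than ICMP/UDP/TCP now reaches ProtoAliasIn(), whose `link = FindProtoIn(pip->ip_src, pip->ip_dst, pip->ip_p);` call (alias_db.c section, FindProtoIn() hunk) falls through to AddLink() for any unknown inbound (remote address, protocol) pair whenever PKT_ALIAS_DENY_INCOMING is clear, whereas before only GRE/ESP/AH could do that. Unsolicited inbound traffic can therefore populate the link table with one PROTO_EXPIRE_TIME-lived entry per such pair, and neither the commit message nor the man page hunk mentions this widening. The ProtoAliasIn() header comment could state it: `Every IP protocol not handled by a dedicated case lands here; unless PKT_ALIAS_DENY_INCOMING is set, an unknown inbound (src, proto) pair allocates a link that lives for PROTO_EXPIRE_TIME.` The bodies of ProtoAliasIn() and PacketAliasIn() continue outside the hunks shown.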
@ -60,7 +60,10 @@ struct alias_link;
|
||||
PacketAliasPptp(struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
|
||||
PacketAliasRedirectProto(struct in_addr,
|
||||
struct in_addr,
|
||||
struct in_addr,
|
||||
u_char);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectAddr(struct in_addr,
|
||||
@ -157,10 +160,6 @@ struct alias_link;
|
||||
and PacketAliasOut() are reversed */
|
||||
#define PKT_ALIAS_REVERSE 0x80
|
||||
|
||||
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
|
||||
prevented by the aliasing engine. */
|
||||
#define PKT_ALIAS_DENY_PPTP 0x200
|
||||
|
||||
/* Return Codes */
|
||||
#define PKT_ALIAS_ERROR -1
|
||||
#define PKT_ALIAS_OK 1
|
||||
|
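Review bot: Deleting `#define PKT_ALIAS_DENY_PPTP 0x200` from the public header is a source-level break for any caller that sets that mode bit, while the commit message only argues that PacketAliasRedirectPptp() is unused; the libalias.3 hunk at `.It Dv PKT_ALIAS_DENY_PPTP` shows the bit was a documented part of the interface. A binary built against the old header that still passes 0x200 now sets a bit with no definition, and nothing stops that value from being reassigned to a future flag with a different meaning. Consider keeping the definition with a note until the major number is bumped, `#define PKT_ALIAS_DENY_PPTP 0x200 /* obsolete: no longer honoured; value reserved */`.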
@ -147,7 +147,7 @@
|
||||
/* Timeouts (in seconds) for different link types */
|
||||
#define ICMP_EXPIRE_TIME 60
|
||||
#define UDP_EXPIRE_TIME 60
|
||||
#define PPTP_EXPIRE_TIME 60
|
||||
#define PROTO_EXPIRE_TIME 60
|
||||
#define FRAGMENT_ID_EXPIRE_TIME 10
|
||||
#define FRAGMENT_PTR_EXPIRE_TIME 30
|
||||
|
||||
@ -256,16 +256,15 @@ struct alias_link /* Main data structure */
|
||||
u_short proxy_port;
|
||||
struct server *server;
|
||||
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, proto, frag */
|
||||
|
||||
/* values for link_type */
|
||||
#define LINK_ICMP 1
|
||||
#define LINK_UDP 2
|
||||
#define LINK_TCP 3
|
||||
#define LINK_FRAGMENT_ID 4
|
||||
#define LINK_FRAGMENT_PTR 5
|
||||
#define LINK_ADDR 6
|
||||
#define LINK_PPTP 7
|
||||
#define LINK_ICMP IPPROTO_ICMP
|
||||
#define LINK_UDP IPPROTO_UDP
|
||||
#define LINK_TCP IPPROTO_TCP
|
||||
#define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
|
||||
#define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
|
||||
#define LINK_ADDR (IPPROTO_MAX + 3)
|
||||
|
||||
int flags; /* indicates special characteristics */
|
||||
|
||||
@ -329,7 +328,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
|
||||
static int icmpLinkCount; /* Link statistics */
|
||||
static int udpLinkCount;
|
||||
static int tcpLinkCount;
|
||||
static int pptpLinkCount;
|
||||
static int protoLinkCount;
|
||||
static int fragmentIdLinkCount;
|
||||
static int fragmentPtrLinkCount;
|
||||
static int sockCount;
|
||||
@ -455,18 +454,18 @@ ShowAliasStats(void)
|
||||
|
||||
if (monitorFile)
|
||||
{
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, proto=%d, frag_id=%d frag_ptr=%d",
|
||||
icmpLinkCount,
|
||||
udpLinkCount,
|
||||
tcpLinkCount,
|
||||
pptpLinkCount,
|
||||
protoLinkCount,
|
||||
fragmentIdLinkCount,
|
||||
fragmentPtrLinkCount);
|
||||
|
||||
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
|
||||
icmpLinkCount + udpLinkCount
|
||||
+ tcpLinkCount
|
||||
+ pptpLinkCount
|
||||
+ protoLinkCount
|
||||
+ fragmentIdLinkCount
|
||||
+ fragmentPtrLinkCount,
|
||||
sockCount);
|
||||
@ -738,17 +737,6 @@ IncrementalCleanup(void)
|
||||
idelta = timeStamp - link->timestamp;
|
||||
switch (link->link_type)
|
||||
{
|
||||
case LINK_ICMP:
|
||||
case LINK_UDP:
|
||||
case LINK_FRAGMENT_ID:
|
||||
case LINK_FRAGMENT_PTR:
|
||||
case LINK_PPTP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
icount++;
|
||||
}
|
||||
break;
|
||||
case LINK_TCP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
@ -763,6 +751,13 @@ IncrementalCleanup(void)
|
||||
}
|
||||
}
|
||||
break;
|
||||
default:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
icount++;
|
||||
}
|
||||
break;
|
||||
}
|
||||
link = link_next;
|
||||
}
|
||||
@ -842,9 +837,6 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.tcp != NULL)
|
||||
free(link->data.tcp);
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount--;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount--;
|
||||
break;
|
||||
@ -853,6 +845,11 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.frag_ptr != NULL)
|
||||
free(link->data.frag_ptr);
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
protoLinkCount--;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Free memory */
|
||||
@ -908,15 +905,17 @@ AddLink(struct in_addr src_addr,
|
||||
case LINK_TCP:
|
||||
link->expire_time = TCP_EXPIRE_INITIAL;
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
link->expire_time = PPTP_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_PTR:
|
||||
link->expire_time = FRAGMENT_PTR_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
link->expire_time = PROTO_EXPIRE_TIME;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Determine alias flags */
|
||||
@ -994,15 +993,17 @@ AddLink(struct in_addr src_addr,
|
||||
#endif
|
||||
}
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_PTR:
|
||||
fragmentPtrLinkCount++;
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
protoLinkCount++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
else
|
||||
@ -1303,7 +1304,7 @@ FindLinkIn(struct in_addr dst_addr,
|
||||
FindIcmpIn(), FindIcmpOut()
|
||||
FindFragmentIn1(), FindFragmentIn2()
|
||||
AddFragmentPtrLink(), FindFragmentPtr()
|
||||
FindPptpIn(), FindPptpOut()
|
||||
FindProtoIn(), FindProtoOut()
|
||||
FindUdpTcpIn(), FindUdpTcpOut()
|
||||
FindOriginalAddress(), FindAliasAddress()
|
||||
|
||||
@ -1400,14 +1401,15 @@ FindFragmentPtr(struct in_addr dst_addr,
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
FindProtoIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkIn(dst_addr, alias_addr,
|
||||
NO_DEST_PORT, 0,
|
||||
LINK_PPTP, 1);
|
||||
proto, 1);
|
||||
|
||||
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
|
||||
{
|
||||
@ -1416,7 +1418,7 @@ FindPptpIn(struct in_addr dst_addr,
|
||||
target_addr = FindOriginalAddress(alias_addr);
|
||||
link = AddLink(target_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
}
|
||||
|
||||
return (link);
|
||||
@ -1424,14 +1426,15 @@ FindPptpIn(struct in_addr dst_addr,
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr)
|
||||
FindProtoOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkOut(src_addr, dst_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT,
|
||||
LINK_PPTP, 1);
|
||||
proto, 1);
|
||||
|
||||
if (link == NULL)
|
||||
{
|
||||
@ -1440,7 +1443,7 @@ FindPptpOut(struct in_addr src_addr,
|
||||
alias_addr = FindAliasAddress(src_addr);
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
}
|
||||
|
||||
return (link);
|
||||
@ -2063,7 +2066,7 @@ UninitPacketAliasLog(void)
|
||||
|
||||
PacketAliasRedirectPort()
|
||||
PacketAliasAddServer()
|
||||
PacketAliasRedirectPptp()
|
||||
PacketAliasRedirectProto()
|
||||
PacketAliasRedirectAddr()
|
||||
PacketAliasRedirectDelete()
|
||||
PacketAliasSetAddress()
|
||||
@ -2151,32 +2154,32 @@ PacketAliasAddServer(struct alias_link *link, struct in_addr addr, u_short port)
|
||||
}
|
||||
|
||||
/* Translate PPTP packets to a machine on the inside
|
||||
* XXX This function is made obsolete by PacketAliasRedirectPptp().
|
||||
* XXX This function is made obsolete by PacketAliasRedirectProto().
|
||||
*/
|
||||
int
|
||||
PacketAliasPptp(struct in_addr src_addr)
|
||||
{
|
||||
|
||||
if (src_addr.s_addr == INADDR_NONE)
|
||||
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
|
||||
else
|
||||
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
|
||||
if (src_addr.s_addr != INADDR_NONE)
|
||||
(void)PacketAliasRedirectProto(src_addr, nullAddress, nullAddress,
|
||||
IPPROTO_GRE);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Redirect PPTP packets from a specific
|
||||
/* Redirect packets of a given IP protocol from a specific
|
||||
public address to a private address */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
PacketAliasRedirectProto(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
|
||||
if (link != NULL)
|
||||
{
|
||||
@ -2185,7 +2188,7 @@ PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
#ifdef DEBUG
|
||||
else
|
||||
{
|
||||
fprintf(stderr, "PacketAliasRedirectPptp(): "
|
||||
fprintf(stderr, "PacketAliasRedirectProto(): "
|
||||
"call to AddLink() failed\n");
|
||||
}
|
||||
#endif
|
||||
@ -2286,7 +2289,7 @@ PacketAliasInit(void)
|
||||
icmpLinkCount = 0;
|
||||
udpLinkCount = 0;
|
||||
tcpLinkCount = 0;
|
||||
pptpLinkCount = 0;
|
||||
protoLinkCount = 0;
|
||||
fragmentIdLinkCount = 0;
|
||||
fragmentPtrLinkCount = 0;
|
||||
sockCount = 0;
|
||||
|
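Review bot: PacketAliasPptp() now silently ignores an INADDR_NONE argument (the `if (src_addr.s_addr != INADDR_NONE)` rewrite) yet still returns 1, so a caller that used that form to deny PPTP gets a success result with no deny installed, and the libalias.3 context line `then PPTP aliasing is disabled.` in this same commit still describes the old behaviour. Since the function is kept explicitly for backward compatibility, the contract change belongs in its header comment, e.g. `* XXX INADDR_NONE used to set PKT_ALIAS_DENY_PPTP; that mode bit is gone, so that form is now a no-op.`, with the PacketAliasPptp() paragraph of the man page updated to match. Returning 0 for the INADDR_NONE case would let a caller notice, if any caller inspects the return value (none are visible here). The rest of PacketAliasPptp() is within the hunk; FindProtoIn()/FindProtoOut() continue outside theirs.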
@ -96,10 +96,10 @@ struct alias_link *
|
||||
FindFragmentPtr(struct in_addr, u_short);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr, struct in_addr);
|
||||
FindProtoIn(struct in_addr, struct in_addr, u_char);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr, struct in_addr);
|
||||
FindProtoOut(struct in_addr, struct in_addr, u_char);
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
|
||||
|
@ -227,15 +227,6 @@ Normal packet aliasing is not performed.
|
||||
See
|
||||
.Fn PacketAliasProxyRule
|
||||
below for details.
|
||||
.It Dv PKT_ALIAS_DENY_PPTP
|
||||
If this mode bit is set, all PPTP packets will be marked for being ignored
|
||||
(both
|
||||
.Fn PacketAliasIn
|
||||
and
|
||||
.Fn PacketAliasOut
|
||||
return
|
||||
.Dv PKT_ALIAS_IGNORED
|
||||
code).
|
||||
.El
|
||||
.Ed
|
||||
.Pp
|
||||
@ -647,25 +638,17 @@ access, or to restrict access to certain external machines.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft struct alias_link *
|
||||
.Fo PacketAliasRedirectPptp
|
||||
.Fo PacketAliasRedirectProto
|
||||
.Fa "struct in_addr local_addr"
|
||||
.Fa "struct in_addr remote_addr"
|
||||
.Fa "struct in_addr alias_addr"
|
||||
.Fa "u_char proto"
|
||||
.Fc
|
||||
.Bd -ragged -offset indent
|
||||
This function specifies that any Point to Point Tunneling Protocol
|
||||
(PPTP) traffic from a given remote address to an alias address be
|
||||
This function specifies that any IP packet with protocol number of
|
||||
.Fa proto
|
||||
from a given remote address to an alias address be
|
||||
redirected to a specified local address.
|
||||
Currently supported PPTP protocols include:
|
||||
.Pp
|
||||
.Bl -tag -width "IPPROTO_GRE" -compact
|
||||
.It IPPROTO_GRE
|
||||
Generic Routing Encapsulation (RFC 1702)
|
||||
.It IPPROTO_ESP
|
||||
IP Encapsulating Security Payload (RFC 1827)
|
||||
.It IPPROTO_AH
|
||||
IP Authentication Header (RFC 1826)
|
||||
.El
|
||||
.Pp
|
||||
If
|
||||
.Fa local_addr
|
||||
@ -678,16 +661,16 @@ is to be used.
|
||||
Even if
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Fn PacketAliasRedirectPptp
|
||||
.Fn PacketAliasRedirectProto
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
.Fa remote_addr
|
||||
is zero, this indicates to redirect PPTP packets from any remote address.
|
||||
is zero, this indicates to redirect packets from any remote address.
|
||||
Non-zero remote addresses can sometimes be useful for firewalling.
|
||||
.Pp
|
||||
If two calls to
|
||||
.Fn PacketAliasRedirectPptp
|
||||
.Fn PacketAliasRedirectProto
|
||||
overlap in their address specifications, then the most recent call
|
||||
will have precedence.
|
||||
.Pp
|
||||
@ -713,10 +696,8 @@ then PPTP aliasing is disabled.
|
||||
.Pp
|
||||
.Bf -symbolic
|
||||
This function is made obsolete by
|
||||
.Fn PacketAliasRedirectPptp
|
||||
and
|
||||
.Dv PKT_ALIAS_DENY_PPTP
|
||||
mode bit, and is provided only for backward compatibility.
|
||||
.Fn PacketAliasRedirectProto ,
|
||||
and is provided only for backward compatibility.
|
||||
.Ef
|
||||
.Ed
|
||||
.Sh FRAGMENT HANDLING
|
||||
|
@ -178,6 +178,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
|
||||
|
||||
IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2(), IcmpAliasIn3()
|
||||
IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2(), IcmpAliasOut3()
|
||||
ProtoAliasIn(), ProtoAliasOut()
|
||||
UdpAliasIn(), UdpAliasOut()
|
||||
TcpAliasIn(), TcpAliasOut()
|
||||
|
||||
@ -224,6 +225,9 @@ static int IcmpAliasOut2(struct ip *);
|
||||
static int IcmpAliasOut3(struct ip *);
|
||||
static int IcmpAliasOut (struct ip *);
|
||||
|
||||
static int ProtoAliasIn(struct ip *);
|
||||
static int ProtoAliasOut(struct ip *);
|
||||
|
||||
static int UdpAliasOut(struct ip *);
|
||||
static int UdpAliasIn (struct ip *);
|
||||
|
||||
@ -653,10 +657,10 @@ IcmpAliasOut(struct ip *pip)
|
||||
|
||||
|
||||
static int
|
||||
PptpAliasIn(struct ip *pip)
|
||||
ProtoAliasIn(struct ip *pip)
|
||||
{
|
||||
/*
|
||||
Handle incoming PPTP packets. The
|
||||
Handle incoming IP packets. The
|
||||
only thing which is done in this case is to alias
|
||||
the dest IP address of the packet to our inside
|
||||
machine.
|
||||
@ -667,10 +671,7 @@ PptpAliasIn(struct ip *pip)
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
link = FindPptpIn(pip->ip_src, pip->ip_dst);
|
||||
link = FindProtoIn(pip->ip_src, pip->ip_dst, pip->ip_p);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr original_address;
|
||||
@ -691,10 +692,10 @@ PptpAliasIn(struct ip *pip)
|
||||
|
||||
|
||||
static int
|
||||
PptpAliasOut(struct ip *pip)
|
||||
ProtoAliasOut(struct ip *pip)
|
||||
{
|
||||
/*
|
||||
Handle outgoing PPTP packets. The
|
||||
Handle outgoing IP packets. The
|
||||
only thing which is done in this case is to alias
|
||||
the source IP address of the packet.
|
||||
*/
|
||||
@ -704,10 +705,7 @@ PptpAliasOut(struct ip *pip)
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
link = FindPptpOut(pip->ip_src, pip->ip_dst);
|
||||
link = FindProtoOut(pip->ip_src, pip->ip_dst, pip->ip_p);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr alias_address;
|
||||
@ -1303,10 +1301,8 @@ PacketAliasIn(char *ptr, int maxpacketsize)
|
||||
case IPPROTO_TCP:
|
||||
iresult = TcpAliasIn(pip);
|
||||
break;
|
||||
case IPPROTO_GRE:
|
||||
case IPPROTO_ESP:
|
||||
case IPPROTO_AH:
|
||||
iresult = PptpAliasIn(pip);
|
||||
default:
|
||||
iresult = ProtoAliasIn(pip);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -1411,10 +1407,8 @@ PacketAliasOut(char *ptr, /* valid IP packet */
|
||||
case IPPROTO_TCP:
|
||||
iresult = TcpAliasOut(pip, maxpacketsize);
|
||||
break;
|
||||
case IPPROTO_GRE:
|
||||
case IPPROTO_ESP:
|
||||
case IPPROTO_AH:
|
||||
iresult = PptpAliasOut(pip);
|
||||
default:
|
||||
iresult = ProtoAliasOut(pip);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -60,7 +60,10 @@ struct alias_link;
|
||||
PacketAliasPptp(struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
|
||||
PacketAliasRedirectProto(struct in_addr,
|
||||
struct in_addr,
|
||||
struct in_addr,
|
||||
u_char);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectAddr(struct in_addr,
|
||||
@ -157,10 +160,6 @@ struct alias_link;
|
||||
and PacketAliasOut() are reversed */
|
||||
#define PKT_ALIAS_REVERSE 0x80
|
||||
|
||||
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
|
||||
prevented by the aliasing engine. */
|
||||
#define PKT_ALIAS_DENY_PPTP 0x200
|
||||
|
||||
/* Return Codes */
|
||||
#define PKT_ALIAS_ERROR -1
|
||||
#define PKT_ALIAS_OK 1
|
||||
|
@ -147,7 +147,7 @@
|
||||
/* Timeouts (in seconds) for different link types */
|
||||
#define ICMP_EXPIRE_TIME 60
|
||||
#define UDP_EXPIRE_TIME 60
|
||||
#define PPTP_EXPIRE_TIME 60
|
||||
#define PROTO_EXPIRE_TIME 60
|
||||
#define FRAGMENT_ID_EXPIRE_TIME 10
|
||||
#define FRAGMENT_PTR_EXPIRE_TIME 30
|
||||
|
||||
@ -256,16 +256,15 @@ struct alias_link /* Main data structure */
|
||||
u_short proxy_port;
|
||||
struct server *server;
|
||||
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, proto, frag */
|
||||
|
||||
/* values for link_type */
|
||||
#define LINK_ICMP 1
|
||||
#define LINK_UDP 2
|
||||
#define LINK_TCP 3
|
||||
#define LINK_FRAGMENT_ID 4
|
||||
#define LINK_FRAGMENT_PTR 5
|
||||
#define LINK_ADDR 6
|
||||
#define LINK_PPTP 7
|
||||
#define LINK_ICMP IPPROTO_ICMP
|
||||
#define LINK_UDP IPPROTO_UDP
|
||||
#define LINK_TCP IPPROTO_TCP
|
||||
#define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
|
||||
#define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
|
||||
#define LINK_ADDR (IPPROTO_MAX + 3)
|
||||
|
||||
int flags; /* indicates special characteristics */
|
||||
|
||||
@ -329,7 +328,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
|
||||
static int icmpLinkCount; /* Link statistics */
|
||||
static int udpLinkCount;
|
||||
static int tcpLinkCount;
|
||||
static int pptpLinkCount;
|
||||
static int protoLinkCount;
|
||||
static int fragmentIdLinkCount;
|
||||
static int fragmentPtrLinkCount;
|
||||
static int sockCount;
|
||||
@ -455,18 +454,18 @@ ShowAliasStats(void)
|
||||
|
||||
if (monitorFile)
|
||||
{
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, proto=%d, frag_id=%d frag_ptr=%d",
|
||||
icmpLinkCount,
|
||||
udpLinkCount,
|
||||
tcpLinkCount,
|
||||
pptpLinkCount,
|
||||
protoLinkCount,
|
||||
fragmentIdLinkCount,
|
||||
fragmentPtrLinkCount);
|
||||
|
||||
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
|
||||
icmpLinkCount + udpLinkCount
|
||||
+ tcpLinkCount
|
||||
+ pptpLinkCount
|
||||
+ protoLinkCount
|
||||
+ fragmentIdLinkCount
|
||||
+ fragmentPtrLinkCount,
|
||||
sockCount);
|
||||
@ -738,17 +737,6 @@ IncrementalCleanup(void)
|
||||
idelta = timeStamp - link->timestamp;
|
||||
switch (link->link_type)
|
||||
{
|
||||
case LINK_ICMP:
|
||||
case LINK_UDP:
|
||||
case LINK_FRAGMENT_ID:
|
||||
case LINK_FRAGMENT_PTR:
|
||||
case LINK_PPTP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
icount++;
|
||||
}
|
||||
break;
|
||||
case LINK_TCP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
@ -763,6 +751,13 @@ IncrementalCleanup(void)
|
||||
}
|
||||
}
|
||||
break;
|
||||
default:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
icount++;
|
||||
}
|
||||
break;
|
||||
}
|
||||
link = link_next;
|
||||
}
|
||||
@ -842,9 +837,6 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.tcp != NULL)
|
||||
free(link->data.tcp);
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount--;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount--;
|
||||
break;
|
||||
@ -853,6 +845,11 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.frag_ptr != NULL)
|
||||
free(link->data.frag_ptr);
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
protoLinkCount--;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Free memory */
|
||||
@ -908,15 +905,17 @@ AddLink(struct in_addr src_addr,
|
||||
case LINK_TCP:
|
||||
link->expire_time = TCP_EXPIRE_INITIAL;
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
link->expire_time = PPTP_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_PTR:
|
||||
link->expire_time = FRAGMENT_PTR_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
link->expire_time = PROTO_EXPIRE_TIME;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Determine alias flags */
|
||||
@ -994,15 +993,17 @@ AddLink(struct in_addr src_addr,
|
||||
#endif
|
||||
}
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_PTR:
|
||||
fragmentPtrLinkCount++;
|
||||
break;
|
||||
case LINK_ADDR:
|
||||
break;
|
||||
default:
|
||||
protoLinkCount++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
else
|
||||
@ -1303,7 +1304,7 @@ FindLinkIn(struct in_addr dst_addr,
|
||||
FindIcmpIn(), FindIcmpOut()
|
||||
FindFragmentIn1(), FindFragmentIn2()
|
||||
AddFragmentPtrLink(), FindFragmentPtr()
|
||||
FindPptpIn(), FindPptpOut()
|
||||
FindProtoIn(), FindProtoOut()
|
||||
FindUdpTcpIn(), FindUdpTcpOut()
|
||||
FindOriginalAddress(), FindAliasAddress()
|
||||
|
||||
@ -1400,14 +1401,15 @@ FindFragmentPtr(struct in_addr dst_addr,
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
FindProtoIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkIn(dst_addr, alias_addr,
|
||||
NO_DEST_PORT, 0,
|
||||
LINK_PPTP, 1);
|
||||
proto, 1);
|
||||
|
||||
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
|
||||
{
|
||||
@ -1416,7 +1418,7 @@ FindPptpIn(struct in_addr dst_addr,
|
||||
target_addr = FindOriginalAddress(alias_addr);
|
||||
link = AddLink(target_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
}
|
||||
|
||||
return (link);
|
||||
@ -1424,14 +1426,15 @@ FindPptpIn(struct in_addr dst_addr,
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr)
|
||||
FindProtoOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkOut(src_addr, dst_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT,
|
||||
LINK_PPTP, 1);
|
||||
proto, 1);
|
||||
|
||||
if (link == NULL)
|
||||
{
|
||||
@ -1440,7 +1443,7 @@ FindPptpOut(struct in_addr src_addr,
|
||||
alias_addr = FindAliasAddress(src_addr);
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
}
|
||||
|
||||
return (link);
|
||||
@ -2063,7 +2066,7 @@ UninitPacketAliasLog(void)
|
||||
|
||||
PacketAliasRedirectPort()
|
||||
PacketAliasAddServer()
|
||||
PacketAliasRedirectPptp()
|
||||
PacketAliasRedirectProto()
|
||||
PacketAliasRedirectAddr()
|
||||
PacketAliasRedirectDelete()
|
||||
PacketAliasSetAddress()
|
||||
@ -2151,32 +2154,32 @@ PacketAliasAddServer(struct alias_link *link, struct in_addr addr, u_short port)
|
||||
}
|
||||
|
||||
/* Translate PPTP packets to a machine on the inside
|
||||
* XXX This function is made obsolete by PacketAliasRedirectPptp().
|
||||
* XXX This function is made obsolete by PacketAliasRedirectProto().
|
||||
*/
|
||||
int
|
||||
PacketAliasPptp(struct in_addr src_addr)
|
||||
{
|
||||
|
||||
if (src_addr.s_addr == INADDR_NONE)
|
||||
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
|
||||
else
|
||||
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
|
||||
if (src_addr.s_addr != INADDR_NONE)
|
||||
(void)PacketAliasRedirectProto(src_addr, nullAddress, nullAddress,
|
||||
IPPROTO_GRE);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Redirect PPTP packets from a specific
|
||||
/* Redirect packets of a given IP protocol from a specific
|
||||
public address to a private address */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
PacketAliasRedirectProto(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
|
||||
u_char proto)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
proto);
|
||||
|
||||
if (link != NULL)
|
||||
{
|
||||
@ -2185,7 +2188,7 @@ PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
#ifdef DEBUG
|
||||
else
|
||||
{
|
||||
fprintf(stderr, "PacketAliasRedirectPptp(): "
|
||||
fprintf(stderr, "PacketAliasRedirectProto(): "
|
||||
"call to AddLink() failed\n");
|
||||
}
|
||||
#endif
|
||||
@ -2286,7 +2289,7 @@ PacketAliasInit(void)
|
||||
icmpLinkCount = 0;
|
||||
udpLinkCount = 0;
|
||||
tcpLinkCount = 0;
|
||||
pptpLinkCount = 0;
|
||||
protoLinkCount = 0;
|
||||
fragmentIdLinkCount = 0;
|
||||
fragmentPtrLinkCount = 0;
|
||||
sockCount = 0;
|
||||
|
@ -96,10 +96,10 @@ struct alias_link *
|
||||
FindFragmentPtr(struct in_addr, u_short);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr, struct in_addr);
|
||||
FindProtoIn(struct in_addr, struct in_addr, u_char);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr, struct in_addr);
|
||||
FindProtoOut(struct in_addr, struct in_addr, u_char);
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
|
||||
|
@ -227,15 +227,6 @@ Normal packet aliasing is not performed.
|
||||
See
|
||||
.Fn PacketAliasProxyRule
|
||||
below for details.
|
||||
.It Dv PKT_ALIAS_DENY_PPTP
|
||||
If this mode bit is set, all PPTP packets will be marked for being ignored
|
||||
(both
|
||||
.Fn PacketAliasIn
|
||||
and
|
||||
.Fn PacketAliasOut
|
||||
return
|
||||
.Dv PKT_ALIAS_IGNORED
|
||||
code).
|
||||
.El
|
||||
.Ed
|
||||
.Pp
|
||||
@ -647,25 +638,17 @@ access, or to restrict access to certain external machines.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft struct alias_link *
|
||||
.Fo PacketAliasRedirectPptp
|
||||
.Fo PacketAliasRedirectProto
|
||||
.Fa "struct in_addr local_addr"
|
||||
.Fa "struct in_addr remote_addr"
|
||||
.Fa "struct in_addr alias_addr"
|
||||
.Fa "u_char proto"
|
||||
.Fc
|
||||
.Bd -ragged -offset indent
|
||||
This function specifies that any Point to Point Tunneling Protocol
|
||||
(PPTP) traffic from a given remote address to an alias address be
|
||||
This function specifies that any IP packet with protocol number of
|
||||
.Fa proto
|
||||
from a given remote address to an alias address be
|
||||
redirected to a specified local address.
|
||||
Currently supported PPTP protocols include:
|
||||
.Pp
|
||||
.Bl -tag -width "IPPROTO_GRE" -compact
|
||||
.It IPPROTO_GRE
|
||||
Generic Routing Encapsulation (RFC 1702)
|
||||
.It IPPROTO_ESP
|
||||
IP Encapsulating Security Payload (RFC 1827)
|
||||
.It IPPROTO_AH
|
||||
IP Authentication Header (RFC 1826)
|
||||
.El
|
||||
.Pp
|
||||
If
|
||||
.Fa local_addr
|
||||
@ -678,16 +661,16 @@ is to be used.
|
||||
Even if
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Fn PacketAliasRedirectPptp
|
||||
.Fn PacketAliasRedirectProto
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
.Fa remote_addr
|
||||
is zero, this indicates to redirect PPTP packets from any remote address.
|
||||
is zero, this indicates to redirect packets from any remote address.
|
||||
Non-zero remote addresses can sometimes be useful for firewalling.
|
||||
.Pp
|
||||
If two calls to
|
||||
.Fn PacketAliasRedirectPptp
|
||||
.Fn PacketAliasRedirectProto
|
||||
overlap in their address specifications, then the most recent call
|
||||
will have precedence.
|
||||
.Pp
|
||||
@ -713,10 +696,8 @@ then PPTP aliasing is disabled.
|
||||
.Pp
|
||||
.Bf -symbolic
|
||||
This function is made obsolete by
|
||||
.Fn PacketAliasRedirectPptp
|
||||
and
|
||||
.Dv PKT_ALIAS_DENY_PPTP
|
||||
mode bit, and is provided only for backward compatibility.
|
||||
.Fn PacketAliasRedirectProto ,
|
||||
and is provided only for backward compatibility.
|
||||
.Ef
|
||||
.Ed
|
||||
.Sh FRAGMENT HANDLING
|
||||
|