Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP
Please see the manual page for details.
parent
6d573144b3
commit
d297953a9f
@ -192,7 +192,7 @@ address of the outgoing packet and then correctly put it back for
|
||||
any incoming packets. For TCP and UDP, ports are also re-mapped.
|
||||
|
||||
For ICMP echo/timestamp requests and replies, the following scheme
|
||||
is used: the id number is replaced by an alias for the outgoing
|
||||
is used: the ID number is replaced by an alias for the outgoing
|
||||
packet.
|
||||
|
||||
ICMP error messages are handled by looking at the IP fragment
|
||||
@ -201,7 +201,7 @@ in the data section of the message.
|
||||
For TCP and UDP protocols, a port number is chosen for an outgoing
|
||||
packet, and then incoming packets are identified by IP address and
|
||||
port numbers. For TCP packets, there is additional logic in the event
|
||||
that sequence and ack numbers have been altered (as is the case for
|
||||
that sequence and ACK numbers have been altered (as in the case for
|
||||
FTP data port commands).
|
||||
|
||||
The port numbers used by the packet aliasing module are not true
|
||||
@ -661,21 +661,32 @@ PptpAliasIn(struct ip *pip)
|
||||
the dest IP address of the packet to our inside
|
||||
machine.
|
||||
*/
|
||||
struct in_addr alias_addr;
|
||||
struct alias_link *link;
|
||||
|
||||
if (!GetPptpAlias (&alias_addr))
|
||||
return PKT_ALIAS_IGNORED;
|
||||
/* Return if proxy-only mode is enabled */
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (pip->ip_src.s_addr != alias_addr.s_addr) {
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_addr,
|
||||
(u_short *) &pip->ip_dst,
|
||||
2);
|
||||
pip->ip_dst = alias_addr;
|
||||
link = FindPptpIn(pip->ip_src, pip->ip_dst);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr original_address;
|
||||
|
||||
original_address = GetOriginalAddress(link);
|
||||
|
||||
/* Restore original IP address */
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &original_address,
|
||||
(u_short *) &pip->ip_dst,
|
||||
2);
|
||||
pip->ip_dst = original_address;
|
||||
|
||||
return(PKT_ALIAS_OK);
|
||||
}
|
||||
|
||||
return PKT_ALIAS_OK;
|
||||
return(PKT_ALIAS_IGNORED);
|
||||
}
|
||||
|
||||
|
||||
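Review bot: The PKT_ALIAS_DENY_PPTP test in PptpAliasIn sits after the PKT_ALIAS_PROXY_ONLY early return, so with both bits set a GRE packet comes back as PKT_ALIAS_OK, untouched, instead of the PKT_ALIAS_IGNORED that this commit's own PKT_ALIAS_DENY_PPTP documentation promises for PacketAliasIn(). Swapping the two checks so that `if (packetAliasMode & PKT_ALIAS_DENY_PPTP) return PKT_ALIAS_IGNORED;` comes first restores the documented contract at no cost. The ordering is read from the rendered page, which has lost its +/- markers; even if the proxy-only check predates this commit, the point stands for the new function body.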
@ -687,22 +698,32 @@ PptpAliasOut(struct ip *pip)
|
||||
only thing which is done in this case is to alias
|
||||
the source IP address of the packet.
|
||||
*/
|
||||
struct in_addr alias_addr;
|
||||
struct alias_link *link;
|
||||
|
||||
if (!GetPptpAlias (&alias_addr))
|
||||
return PKT_ALIAS_IGNORED;
|
||||
/* Return if proxy-only mode is enabled */
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (pip->ip_src.s_addr == alias_addr.s_addr) {
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
alias_addr = FindAliasAddress(pip->ip_src);
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_addr,
|
||||
(u_short *) &pip->ip_src,
|
||||
2);
|
||||
pip->ip_src = alias_addr;
|
||||
link = FindPptpOut(pip->ip_src, pip->ip_dst);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr alias_address;
|
||||
|
||||
alias_address = GetAliasAddress(link);
|
||||
|
||||
/* Change source address */
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_address,
|
||||
(u_short *) &pip->ip_src,
|
||||
2);
|
||||
pip->ip_src = alias_address;
|
||||
|
||||
return(PKT_ALIAS_OK);
|
||||
}
|
||||
|
||||
return PKT_ALIAS_OK;
|
||||
return(PKT_ALIAS_IGNORED);
|
||||
}
|
||||
|
||||
|
||||
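Review bot: When FindPptpOut() returns NULL the packet leaves PptpAliasOut with its inside source address untouched and PKT_ALIAS_IGNORED; from the FindPptpOut hunk later in this commit that only happens when AddLink() fails, so link-table exhaustion is reported with the same code that means "not ours". Whether the caller forwards or drops an ignored packet is not visible here, but if it forwards, exhaustion turns into private source addresses leaking onto the outside. Returning `PKT_ALIAS_ERROR` on that path, or a comment stating that IGNORED here means "left untranslated", would let the caller tell the two cases apart. The same PKT_ALIAS_DENY_PPTP-after-PKT_ALIAS_PROXY_ONLY ordering as in PptpAliasIn applies to this function as well.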
@ -902,7 +923,7 @@ TcpAliasIn(struct ip *pip)
|
||||
accumulate -= *sptr++;
|
||||
accumulate -= *sptr;
|
||||
|
||||
/* If this is a proxy, then modify the tcp source port and
|
||||
/* If this is a proxy, then modify the TCP source port and
|
||||
checksum accumulation */
|
||||
if (proxy_port != 0)
|
||||
{
|
||||
@ -918,7 +939,7 @@ TcpAliasIn(struct ip *pip)
|
||||
accumulate -= *sptr;
|
||||
}
|
||||
|
||||
/* See if ack number needs to be modified */
|
||||
/* See if ACK number needs to be modified */
|
||||
if (GetAckModified(link) == 1)
|
||||
{
|
||||
int delta;
|
||||
@ -989,7 +1010,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
/* If this is a transparent proxy, save original destination,
|
||||
then alter the destination and adust checksums */
|
||||
then alter the destination and adjust checksums */
|
||||
dest_port = tc->th_dport;
|
||||
dest_address = pip->ip_dst;
|
||||
if (proxy_type != 0)
|
||||
@ -1044,7 +1065,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
alias_port = GetAliasPort(link);
|
||||
alias_address = GetAliasAddress(link);
|
||||
|
||||
/* Monitor tcp connection state */
|
||||
/* Monitor TCP connection state */
|
||||
TcpMonitorOut(pip, link);
|
||||
|
||||
/* Special processing for IP encoding protocols */
|
||||
@ -1114,7 +1135,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
|
||||
The packet aliasing module has a limited ability for handling IP
|
||||
fragments. If the ICMP, TCP or UDP header is in the first fragment
|
||||
received, then the id number of the IP packet is saved, and other
|
||||
received, then the ID number of the IP packet is saved, and other
|
||||
fragments are identified according to their ID number and IP address
|
||||
they were sent from. Pointers to unresolved fragments can also be
|
||||
saved and recalled when a header fragment is seen.
|
||||
@ -1358,7 +1379,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
|
||||
addr_save = GetDefaultAliasAddress();
|
||||
if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
|
||||
{
|
||||
unsigned int addr;
|
||||
u_long addr;
|
||||
int iclass;
|
||||
|
||||
iclass = 0;
|
||||
|
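Review bot: `u_long addr;` makes the width of addr platform-dependent (32 bits on i386, 64 on alpha of that era), where the previous `unsigned int` happened to be 32 everywhere; if addr is later loaded from an in_addr and compared against class masks, as the surrounding PKT_ALIAS_UNREGISTERED_ONLY block suggests, the extra width is harmless but says nothing about intent. A fixed-width `u_int32_t addr;` (or `in_addr_t`) states it. The assignment to addr and its uses are outside this hunk, so I cannot tell whether the wider type was chosen to silence a warning or for correctness.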
@ -54,6 +54,8 @@ struct alias_link;
|
||||
extern int
|
||||
PacketAliasPptp(struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectAddr(struct in_addr,
|
||||
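Review bot: The new prototype `PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);` has three parameters of the same type and no names, while the implementation calls them src_addr/dst_addr/alias_addr and the manual page local_addr/remote_addr/alias_addr; a header reader cannot tell which is which, and swapped arguments compile silently. The file's convention is unnamed prototypes, so a one-line comment above it, `/* (inside addr, remote addr or 0 for any, alias addr or 0 for default) */`, would do. Settling on one vocabulary (src/dst versus local/remote) between alias_db.c and the man page would help as well.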
@ -113,13 +115,12 @@ struct alias_link;
|
||||
port it chooses. This will avoid interference with the host
|
||||
machine. Fully specified links do not require this. This bit
|
||||
is set after a call to PacketAliasInit(), so it is a default
|
||||
mode of operation.*/
|
||||
mode of operation. */
|
||||
#define PKT_ALIAS_USE_SOCKETS 0x08
|
||||
|
||||
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
|
||||
unregistered source addresses will be aliased (along with those
|
||||
of the ppp host maching itself. Private addresses are those
|
||||
in the following ranges:
|
||||
unregistered source addresses will be aliased. Private
|
||||
addresses are those in the following ranges:
|
||||
10.0.0.0 -> 10.255.255.255
|
||||
172.16.0.0 -> 172.31.255.255
|
||||
192.168.0.0 -> 192.168.255.255 */
|
||||
@ -128,7 +129,7 @@ struct alias_link;
|
||||
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
|
||||
aliasing links will be reset whenever PacketAliasSetAddress()
|
||||
changes the default aliasing address. If the default aliasing
|
||||
address is left unchanged by this functions call, then the
|
||||
address is left unchanged by this function call, then the
|
||||
table of dynamic aliasing links will be left intact. This
|
||||
bit is set after a call to PacketAliasInit(). */
|
||||
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
|
||||
@ -151,6 +152,10 @@ struct alias_link;
|
||||
and PacketAliasOut() are reversed */
|
||||
#define PKT_ALIAS_REVERSE 0x80
|
||||
|
||||
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
|
||||
prevented by the aliasing engine. */
|
||||
#define PKT_ALIAS_DENY_PPTP 0x200
|
||||
|
||||
/* Return Codes */
|
||||
#define PKT_ALIAS_ERROR -1
|
||||
#define PKT_ALIAS_OK 1
|
||||
|
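Review bot: The comment on PKT_ALIAS_DENY_PPTP says PPTP sessions "will be prevented by the aliasing engine", but the engine drops nothing: PptpAliasIn/PptpAliasOut in this commit leave the packet unmodified and return PKT_ALIAS_IGNORED, and whether it is then forwarded is the caller's decision. A comment matching the code avoids a false sense of enforcement, e.g. `/* If PKT_ALIAS_DENY_PPTP is set, PPTP (GRE) packets are not translated: PacketAliasIn() and PacketAliasOut() leave them unmodified and return PKT_ALIAS_IGNORED; dropping them is up to the caller. */`. The value jumps from 0x80 to 0x200; 0x100 is presumably PKT_ALIAS_PROXY_ONLY, defined outside this hunk, and a note to that effect would keep the next bit from colliding.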
@ -32,7 +32,7 @@
|
||||
Version 1.7: January 9, 1997 (cjm)
|
||||
Fragment handling simplified.
|
||||
Saves pointers for unresolved fragments.
|
||||
Permits links for unspecied remote ports
|
||||
Permits links for unspecified remote ports
|
||||
or unspecified remote addresses.
|
||||
Fixed bug which did not properly zero port
|
||||
table entries after a link was deleted.
|
||||
@ -48,8 +48,8 @@
|
||||
machine will will not have their port number aliased unless it
|
||||
conflicts with an aliasing port already being used. (cjm)
|
||||
|
||||
All options earlier being #ifdef'ed now are available through
|
||||
a new interface, SetPacketAliasMode(). This allow run time
|
||||
All options earlier being #ifdef'ed are now available through
|
||||
a new interface, SetPacketAliasMode(). This allows run time
|
||||
control (which is now available in PPP+pktAlias through the
|
||||
'alias' keyword). (ee)
|
||||
|
||||
@ -78,7 +78,7 @@
|
||||
(192.168.0.2, port 21) <-> alias port 3604, known dest addr
|
||||
unknown dest port
|
||||
|
||||
These permament links allow for incoming connections to
|
||||
These permanent links allow for incoming connections to
|
||||
machines on the local network. They can be given with a
|
||||
user-chosen amount of specificity, with increasing specificity
|
||||
meaning more security. (cjm)
|
||||
@ -147,6 +147,7 @@
|
||||
/* Timeouts (in seconds) for different link types */
|
||||
#define ICMP_EXPIRE_TIME 60
|
||||
#define UDP_EXPIRE_TIME 60
|
||||
#define PPTP_EXPIRE_TIME 60
|
||||
#define FRAGMENT_ID_EXPIRE_TIME 10
|
||||
#define FRAGMENT_PTR_EXPIRE_TIME 30
|
||||
|
||||
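Review bot: PPTP_EXPIRE_TIME of 60 seconds reuses the UDP/ICMP value, but a GRE data tunnel can legitimately sit idle longer than that, and from the AddLink hunk in this commit the timer is the only thing keeping a dynamic LINK_PPTP link alive. Once it expires the inbound side has no state for the next packet from the server; recovery then depends on FindPptpIn (later hunk), which appears to create a fresh link towards FindOriginalAddress(alias_addr) rather than towards the host that opened the tunnel. A longer timeout, or refreshing the link while the PPTP control connection on TCP port 1723 is still established, would be safer; that refresh logic is outside this hunk.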
@ -192,25 +193,25 @@
|
||||
The link record is identified by the source address/port
|
||||
and the destination address/port. In the case of an ICMP
|
||||
echo request, the source port is treated as being equivalent
|
||||
with the 16-bit id number of the ICMP packet.
|
||||
with the 16-bit ID number of the ICMP packet.
|
||||
|
||||
The link record also can store some auxiliary data. For
|
||||
TCP connections that have had sequence and acknowledgment
|
||||
modifications, data space is available to track these changes.
|
||||
A state field is used to keep track in changes to the tcp
|
||||
connection state. Id numbers of fragments can also be
|
||||
A state field is used to keep track in changes to the TCP
|
||||
connection state. ID numbers of fragments can also be
|
||||
stored in the auxiliary space. Pointers to unresolved
|
||||
framgents can also be stored.
|
||||
fragments can also be stored.
|
||||
|
||||
The link records support two independent chainings. Lookup
|
||||
tables for input and out tables hold the initial pointers
|
||||
the link chains. On input, the lookup table indexes on alias
|
||||
port and link type. On output, the lookup table indexes on
|
||||
source addreess, destination address, source port, destination
|
||||
source address, destination address, source port, destination
|
||||
port and link type.
|
||||
*/
|
||||
|
||||
struct ack_data_record /* used to save changes to ack/seq numbers */
|
||||
struct ack_data_record /* used to save changes to ACK/sequence numbers */
|
||||
{
|
||||
u_long ack_old;
|
||||
u_long ack_new;
|
||||
@ -218,16 +219,16 @@ struct ack_data_record /* used to save changes to ack/seq numbers */
|
||||
int active;
|
||||
};
|
||||
|
||||
struct tcp_state /* Information about tcp connection */
|
||||
struct tcp_state /* Information about TCP connection */
|
||||
{
|
||||
int in; /* State for outside -> inside */
|
||||
int out; /* State for inside -> outside */
|
||||
int index; /* Index to ack data array */
|
||||
int ack_modified; /* Indicates whether ack and seq numbers */
|
||||
int index; /* Index to ACK data array */
|
||||
int ack_modified; /* Indicates whether ACK and sequence numbers */
|
||||
/* been modified */
|
||||
};
|
||||
|
||||
#define N_LINK_TCP_DATA 3 /* Number of distinct ack number changes
|
||||
#define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
|
||||
saved for a modified TCP stream */
|
||||
struct tcp_dat
|
||||
{
|
||||
@ -247,7 +248,7 @@ struct alias_link /* Main data structure */
|
||||
u_short alias_port;
|
||||
u_short proxy_port;
|
||||
|
||||
int link_type; /* Type of link: tcp, udp, icmp, frag */
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
|
||||
|
||||
/* values for link_type */
|
||||
#define LINK_ICMP 1
|
||||
@ -256,6 +257,7 @@ struct alias_link /* Main data structure */
|
||||
#define LINK_FRAGMENT_ID 4
|
||||
#define LINK_FRAGMENT_PTR 5
|
||||
#define LINK_ADDR 6
|
||||
#define LINK_PPTP 7
|
||||
|
||||
int flags; /* indicates special characteristics */
|
||||
|
||||
@ -319,6 +321,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
|
||||
static int icmpLinkCount; /* Link statistics */
|
||||
static int udpLinkCount;
|
||||
static int tcpLinkCount;
|
||||
static int pptpLinkCount;
|
||||
static int fragmentIdLinkCount;
|
||||
static int fragmentPtrLinkCount;
|
||||
static int sockCount;
|
||||
@ -352,11 +355,6 @@ static int fireWallFD = -1; /* File descriptor to be able to */
|
||||
/* flag. */
|
||||
#endif
|
||||
|
||||
static int pptpAliasFlag; /* Indicates if PPTP aliasing is */
|
||||
/* on or off */
|
||||
static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
|
||||
/* packets. */
|
||||
|
||||
|
||||
|
||||
|
||||
@ -368,7 +366,7 @@ static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
|
||||
Lookup table starting points:
|
||||
StartPointIn() -- link table initial search point for
|
||||
incoming packets
|
||||
StartPointOut() -- port table initial search point for
|
||||
StartPointOut() -- link table initial search point for
|
||||
outgoing packets
|
||||
|
||||
Miscellaneous:
|
||||
@ -449,16 +447,18 @@ ShowAliasStats(void)
|
||||
|
||||
if (monitorFile)
|
||||
{
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, frag_id=%d frag_ptr=%d",
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
|
||||
icmpLinkCount,
|
||||
udpLinkCount,
|
||||
tcpLinkCount,
|
||||
pptpLinkCount,
|
||||
fragmentIdLinkCount,
|
||||
fragmentPtrLinkCount);
|
||||
|
||||
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
|
||||
icmpLinkCount + udpLinkCount
|
||||
+ tcpLinkCount
|
||||
+ pptpLinkCount
|
||||
+ fragmentIdLinkCount
|
||||
+ fragmentPtrLinkCount,
|
||||
sockCount);
|
||||
@ -542,7 +542,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
|
||||
the port number. GetNewPort() will return this number
|
||||
without check that it is in use.
|
||||
|
||||
Whis this parameter is -1, it indicates to get a randomly
|
||||
When this parameter is -1, it indicates to get a randomly
|
||||
selected port number.
|
||||
*/
|
||||
|
||||
@ -557,7 +557,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
|
||||
if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
|
||||
{
|
||||
/*
|
||||
* When the ALIAS_SAME_PORTS option is
|
||||
* When the PKT_ALIAS_SAME_PORTS option is
|
||||
* chosen, the first try will be the
|
||||
* actual source port. If this is already
|
||||
* in use, the remainder of the trials
|
||||
@ -734,6 +734,7 @@ IncrementalCleanup(void)
|
||||
case LINK_UDP:
|
||||
case LINK_FRAGMENT_ID:
|
||||
case LINK_FRAGMENT_PTR:
|
||||
case LINK_PPTP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
@ -773,7 +774,7 @@ DeleteLink(struct alias_link *link)
|
||||
return;
|
||||
|
||||
#ifndef NO_FW_PUNCH
|
||||
/* Delete associatied firewall hole, if any */
|
||||
/* Delete associated firewall hole, if any */
|
||||
ClearFWHole(link);
|
||||
#endif
|
||||
|
||||
@ -822,6 +823,9 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.tcp != NULL)
|
||||
free(link->data.tcp);
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount--;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount--;
|
||||
break;
|
||||
@ -884,6 +888,9 @@ AddLink(struct in_addr src_addr,
|
||||
case LINK_TCP:
|
||||
link->expire_time = TCP_EXPIRE_INITIAL;
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
link->expire_time = PPTP_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
|
||||
break;
|
||||
@ -967,6 +974,9 @@ AddLink(struct in_addr src_addr,
|
||||
#endif
|
||||
}
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount++;
|
||||
break;
|
||||
@ -1272,6 +1282,7 @@ FindLinkIn(struct in_addr dst_addr,
|
||||
FindIcmpIn(), FindIcmpOut()
|
||||
FindFragmentIn1(), FindFragmentIn2()
|
||||
AddFragmentPtrLink(), FindFragmentPtr()
|
||||
FindPptpIn(), FindPptpOut()
|
||||
FindUdpTcpIn(), FindUdpTcpOut()
|
||||
FindOriginalAddress(), FindAliasAddress()
|
||||
|
||||
@ -1367,6 +1378,54 @@ FindFragmentPtr(struct in_addr dst_addr,
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkIn(dst_addr, alias_addr,
|
||||
NO_DEST_PORT, 0,
|
||||
LINK_PPTP, 1);
|
||||
|
||||
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
|
||||
{
|
||||
struct in_addr target_addr;
|
||||
|
||||
target_addr = FindOriginalAddress(alias_addr);
|
||||
link = AddLink(target_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
}
|
||||
|
||||
return (link);
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkOut(src_addr, dst_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT,
|
||||
LINK_PPTP, 1);
|
||||
|
||||
if (link == NULL)
|
||||
{
|
||||
struct in_addr alias_addr;
|
||||
|
||||
alias_addr = FindAliasAddress(src_addr);
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
}
|
||||
|
||||
return (link);
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
|
||||
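Review bot: FindPptpOut() keys the new link on addresses alone (NO_SRC_PORT, NO_DEST_PORT), so two inside hosts tunnelling to the same remote server produce two LINK_PPTP links that FindPptpIn()'s (dst_addr, alias_addr) lookup cannot tell apart; as far as this hunk shows nothing consults the GRE call ID, so "multiple PPTP sessions" holds only for distinct remote servers. PPTP's enhanced GRE header carries a 16-bit call ID in the key field that plays the role ports do for TCP/UDP, and carrying it in the src/alias port slots would make the lookup unambiguous; that is a larger change than fits here. Separately, FindPptpIn() creates a dynamic link for any unsolicited inbound GRE packet whenever PKT_ALIAS_DENY_INCOMING is clear, aimed at FindOriginalAddress(alias_addr) (defined outside this hunk), so each distinct remote source costs a table entry until PPTP_EXPIRE_TIME, which an outside sender can drive. Consider creating links only from the outbound side, or at least a comment stating that inbound-created links exist for the static address-redirect case.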
@ -1663,7 +1722,7 @@ GetDestPort(struct alias_link *link)
|
||||
void
|
||||
SetAckModified(struct alias_link *link)
|
||||
{
|
||||
/* Indicate that ack numbers have been modified in a TCP connection */
|
||||
/* Indicate that ACK numbers have been modified in a TCP connection */
|
||||
link->data.tcp->state.ack_modified = 1;
|
||||
}
|
||||
|
||||
@ -1699,7 +1758,7 @@ SetProxyPort(struct alias_link *link, u_short port)
|
||||
int
|
||||
GetAckModified(struct alias_link *link)
|
||||
{
|
||||
/* See if ack numbers have been modified */
|
||||
/* See if ACK numbers have been modified */
|
||||
return link->data.tcp->state.ack_modified;
|
||||
}
|
||||
|
||||
@ -1708,8 +1767,8 @@ int
|
||||
GetDeltaAckIn(struct ip *pip, struct alias_link *link)
|
||||
{
|
||||
/*
|
||||
Find out how much the ack number has been altered for an incoming
|
||||
TCP packet. To do this, a circular list is ack numbers where the TCP
|
||||
Find out how much the ACK number has been altered for an incoming
|
||||
TCP packet. To do this, a circular list of ACK numbers where the TCP
|
||||
packet size was altered is searched.
|
||||
*/
|
||||
|
||||
@ -1759,8 +1818,8 @@ int
|
||||
GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
|
||||
{
|
||||
/*
|
||||
Find out how much the seq number has been altered for an outgoing
|
||||
TCP packet. To do this, a circular list is ack numbers where the TCP
|
||||
Find out how much the sequence number has been altered for an outgoing
|
||||
TCP packet. To do this, a circular list of ACK numbers where the TCP
|
||||
packet size was altered is searched.
|
||||
*/
|
||||
|
||||
@ -1976,6 +2035,7 @@ UninitPacketAliasLog(void)
|
||||
-- "outside world" means other than alias*.c routines --
|
||||
|
||||
PacketAliasRedirectPort()
|
||||
PacketAliasRedirectPptp()
|
||||
PacketAliasRedirectAddr()
|
||||
PacketAliasRedirectDelete()
|
||||
PacketAliasSetAddress()
|
||||
@ -1987,7 +2047,7 @@ UninitPacketAliasLog(void)
|
||||
*/
|
||||
|
||||
/* Redirection from a specific public addr:port to a
|
||||
a private addr:port */
|
||||
private addr:port */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
|
||||
struct in_addr dst_addr, u_short dst_port,
|
||||
@ -2033,23 +2093,46 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
|
||||
}
|
||||
|
||||
/* Translate PPTP packets to a machine on the inside
|
||||
* XXX This function is made obsolete by PacketAliasRedirectPptp().
|
||||
*/
|
||||
int
|
||||
PacketAliasPptp(struct in_addr src_addr)
|
||||
{
|
||||
|
||||
pptpAliasAddr = src_addr; /* Address of the inside PPTP machine */
|
||||
pptpAliasFlag = src_addr.s_addr != INADDR_NONE;
|
||||
if (src_addr.s_addr == INADDR_NONE)
|
||||
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
|
||||
else
|
||||
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int GetPptpAlias (struct in_addr* alias_addr)
|
||||
/* Redirect PPTP packets from a specific
|
||||
public address to a private address */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
{
|
||||
if (pptpAliasFlag)
|
||||
*alias_addr = pptpAliasAddr;
|
||||
struct alias_link *link;
|
||||
|
||||
return pptpAliasFlag;
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
|
||||
if (link != NULL)
|
||||
{
|
||||
link->flags |= LINK_PERMANENT;
|
||||
}
|
||||
#ifdef DEBUG
|
||||
else
|
||||
{
|
||||
fprintf(stderr, "PacketAliasRedirectPptp(): "
|
||||
"call to AddLink() failed\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
return link;
|
||||
}
|
||||
|
||||
/* Static address translation */
|
||||
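Review bot: The reimplemented PacketAliasPptp() is no longer idempotent: a call with INADDR_NONE sets PKT_ALIAS_DENY_PPTP and nothing ever clears it, so a later call with a valid address installs a redirect that the sticky deny bit makes unreachable, whereas the old pptpAliasFlag/pptpAliasAddr pair simply took the latest value. Each valid call also adds another LINK_PERMANENT link through PacketAliasRedirectPptp() and discards its result, so repeated calls accumulate permanent links and `return 1` even when AddLink() failed. Clearing the bit on the enable path, deleting the previously installed link, and returning AddLink's success would restore the old semantics; the retained pointer must also be reset wherever links are flushed wholesale (PacketAliasInit(), outside this hunk).
```c
int
PacketAliasPptp(struct in_addr src_addr)
{
    static struct alias_link *pptp_link = NULL; /* link installed by the previous call */

    /* The old implementation replaced the PPTP address; do not accumulate links */
    if (pptp_link != NULL)
    {
        PacketAliasRedirectDelete(pptp_link);
        pptp_link = NULL;
    }

    if (src_addr.s_addr == INADDR_NONE)
    {
        packetAliasMode |= PKT_ALIAS_DENY_PPTP;
        return 1;
    }

    packetAliasMode &= ~PKT_ALIAS_DENY_PPTP;
    pptp_link = PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);

    return pptp_link != NULL;
}
```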
@ -2145,6 +2228,7 @@ PacketAliasInit(void)
|
||||
icmpLinkCount = 0;
|
||||
udpLinkCount = 0;
|
||||
tcpLinkCount = 0;
|
||||
pptpLinkCount = 0;
|
||||
fragmentIdLinkCount = 0;
|
||||
fragmentPtrLinkCount = 0;
|
||||
sockCount = 0;
|
||||
@ -2154,8 +2238,6 @@ PacketAliasInit(void)
|
||||
packetAliasMode = PKT_ALIAS_SAME_PORTS
|
||||
| PKT_ALIAS_USE_SOCKETS
|
||||
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
|
||||
|
||||
pptpAliasFlag = 0;
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -95,6 +95,12 @@ AddFragmentPtrLink(struct in_addr, u_short);
|
||||
struct alias_link *
|
||||
FindFragmentPtr(struct in_addr, u_short);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr, struct in_addr);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr, struct in_addr);
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
|
||||
|
||||
@ -169,7 +175,5 @@ enum alias_tcp_state {
|
||||
ALIAS_TCP_STATE_CONNECTED,
|
||||
ALIAS_TCP_STATE_DISCONNECTED
|
||||
};
|
||||
|
||||
int GetPptpAlias (struct in_addr*);
|
||||
/*lint -restore */
|
||||
#endif /* defined(ALIAS_LOCAL_H) */
|
||||
|
@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
|
||||
See
|
||||
.Fn PacketAliasProxyRule
|
||||
below for details.
|
||||
.It Dv PKT_ALIAS_DENY_PPTP
|
||||
If this mode bit is set, all PPTP packets will be marked for being ignored
|
||||
(both
|
||||
.Fn PacketAliasIn
|
||||
and
|
||||
.Fn PacketAliasOut
|
||||
return
|
||||
.Dv PKT_ALIAS_IGNORED
|
||||
code).
|
||||
.El
|
||||
.Ed
|
||||
.Pp
|
||||
@ -362,9 +371,9 @@ by
|
||||
.Fn PacketAliasSetAddress
|
||||
is to be used.
|
||||
Even if
|
||||
.Nm PacketAliasSetAddress
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Nm PacketAliasRedirectPort
|
||||
.Fn PacketAliasRedirectPort
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
|
||||
access, or to restrict access to certain external machines.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft struct alias_link *
|
||||
.Fo PacketAliasRedirectPptp
|
||||
.Fa "struct in_addr local_addr"
|
||||
.Fa "struct in_addr remote_addr"
|
||||
.Fa "struct in_addr alias_addr"
|
||||
.Fc
|
||||
.Bd -ragged -offset indent
|
||||
This function specifies that any Point to Point Tunneling Protocol
|
||||
(PPTP) traffic from a given remote address to an alias address be
|
||||
redirected to a specified local address.
|
||||
Currently supported PPTP protocols include:
|
||||
.Pp
|
||||
.Bl -tag -width "IPPROTO_GRE" -compact
|
||||
.It IPPROTO_GRE
|
||||
Generic Routing Encapsulation (RFC 1702)
|
||||
.It IPPROTO_ESP
|
||||
IP Encapsulating Security Payload (RFC 1827)
|
||||
.It IPPROTO_AH
|
||||
IP Authentication Header (RFC 1826)
|
||||
.El
|
||||
.Pp
|
||||
If
|
||||
.Fa local_addr
|
||||
or
|
||||
.Fa alias_addr
|
||||
is zero, this indicates that the packet aliasing address as established
|
||||
by
|
||||
.Fn PacketAliasSetAddress
|
||||
is to be used.
|
||||
Even if
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Fn PacketAliasRedirectPptp
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
.Fa remote_addr
|
||||
is zero, this indicates to redirect PPTP packets from any remote address.
|
||||
Non-zero remote addresses can sometimes be useful for firewalling.
|
||||
.Pp
|
||||
If two calls to
|
||||
.Fn PacketAliasRedirectPptp
|
||||
overlap in their address specifications, then the most recent call
|
||||
will have precedence.
|
||||
.Pp
|
||||
This function returns a pointer which can subsequently be used by
|
||||
.Fn PacketAliasRedirectDelete .
|
||||
If
|
||||
.Dv NULL
|
||||
is returned, then the function call did not complete successfully.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft int
|
||||
.Fn PacketAliasPptp "struct in_addr addr"
|
||||
.Bd -ragged -offset indent
|
||||
This function causes any General Routing Encapsulation
|
||||
.Pq Dv IPPROTO_GRE
|
||||
packets to be aliased using
|
||||
.Ar addr
|
||||
This function causes any PPTP packets to be aliased using
|
||||
.Fa addr
|
||||
rather than the address set via
|
||||
.Fn PacketAliasSetAddress .
|
||||
This allows the uses of the Point to Point Tunneling Protocol (PPTP)
|
||||
on a machine on the internal network.
|
||||
This allows the uses of the PPTP on a single machine on the internal network.
|
||||
.Pp
|
||||
If the passed address is
|
||||
.Dv INADDR_NONE ,
|
||||
.Dv PPTP
|
||||
aliasing is disabled.
|
||||
then PPTP aliasing is disabled.
|
||||
.Pp
|
||||
.Bf -symbolic
|
||||
This function is made obsolete by
|
||||
.Fn PacketAliasRedirectPptp
|
||||
and
|
||||
.Dv PKT_ALIAS_DENY_PPTP
|
||||
mode bit, and is provided only for backward compatibility.
|
||||
.Ef
|
||||
.Ed
|
||||
.Sh FRAGMENT HANDLING
|
||||
The functions in this section are used to deal with incoming fragments.
|
||||
|
@ -192,7 +192,7 @@ address of the outgoing packet and then correctly put it back for
|
||||
any incoming packets. For TCP and UDP, ports are also re-mapped.
|
||||
|
||||
For ICMP echo/timestamp requests and replies, the following scheme
|
||||
is used: the id number is replaced by an alias for the outgoing
|
||||
is used: the ID number is replaced by an alias for the outgoing
|
||||
packet.
|
||||
|
||||
ICMP error messages are handled by looking at the IP fragment
|
||||
@ -201,7 +201,7 @@ in the data section of the message.
|
||||
For TCP and UDP protocols, a port number is chosen for an outgoing
|
||||
packet, and then incoming packets are identified by IP address and
|
||||
port numbers. For TCP packets, there is additional logic in the event
|
||||
that sequence and ack numbers have been altered (as is the case for
|
||||
that sequence and ACK numbers have been altered (as in the case for
|
||||
FTP data port commands).
|
||||
|
||||
The port numbers used by the packet aliasing module are not true
|
||||
@ -661,21 +661,32 @@ PptpAliasIn(struct ip *pip)
|
||||
the dest IP address of the packet to our inside
|
||||
machine.
|
||||
*/
|
||||
struct in_addr alias_addr;
|
||||
struct alias_link *link;
|
||||
|
||||
if (!GetPptpAlias (&alias_addr))
|
||||
return PKT_ALIAS_IGNORED;
|
||||
/* Return if proxy-only mode is enabled */
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (pip->ip_src.s_addr != alias_addr.s_addr) {
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_addr,
|
||||
(u_short *) &pip->ip_dst,
|
||||
2);
|
||||
pip->ip_dst = alias_addr;
|
||||
link = FindPptpIn(pip->ip_src, pip->ip_dst);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr original_address;
|
||||
|
||||
original_address = GetOriginalAddress(link);
|
||||
|
||||
/* Restore original IP address */
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &original_address,
|
||||
(u_short *) &pip->ip_dst,
|
||||
2);
|
||||
pip->ip_dst = original_address;
|
||||
|
||||
return(PKT_ALIAS_OK);
|
||||
}
|
||||
|
||||
return PKT_ALIAS_OK;
|
||||
return(PKT_ALIAS_IGNORED);
|
||||
}
|
||||
|
||||
|
||||
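Review bot: The PKT_ALIAS_DENY_PPTP test in PptpAliasIn follows the PKT_ALIAS_PROXY_ONLY early return, so with both bits set the packet is returned as PKT_ALIAS_OK rather than the PKT_ALIAS_IGNORED the new mode-bit documentation promises for PacketAliasIn(). Moving `if (packetAliasMode & PKT_ALIAS_DENY_PPTP) return PKT_ALIAS_IGNORED;` ahead of the proxy-only check fixes it. The ordering is read from the rendered page, which has lost its +/- markers.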
@ -687,22 +698,32 @@ PptpAliasOut(struct ip *pip)
|
||||
only thing which is done in this case is to alias
|
||||
the source IP address of the packet.
|
||||
*/
|
||||
struct in_addr alias_addr;
|
||||
struct alias_link *link;
|
||||
|
||||
if (!GetPptpAlias (&alias_addr))
|
||||
return PKT_ALIAS_IGNORED;
|
||||
/* Return if proxy-only mode is enabled */
|
||||
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
if (pip->ip_src.s_addr == alias_addr.s_addr) {
|
||||
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
|
||||
return PKT_ALIAS_IGNORED;
|
||||
|
||||
alias_addr = FindAliasAddress(pip->ip_src);
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_addr,
|
||||
(u_short *) &pip->ip_src,
|
||||
2);
|
||||
pip->ip_src = alias_addr;
|
||||
link = FindPptpOut(pip->ip_src, pip->ip_dst);
|
||||
if (link != NULL)
|
||||
{
|
||||
struct in_addr alias_address;
|
||||
|
||||
alias_address = GetAliasAddress(link);
|
||||
|
||||
/* Change source address */
|
||||
DifferentialChecksum(&pip->ip_sum,
|
||||
(u_short *) &alias_address,
|
||||
(u_short *) &pip->ip_src,
|
||||
2);
|
||||
pip->ip_src = alias_address;
|
||||
|
||||
return(PKT_ALIAS_OK);
|
||||
}
|
||||
|
||||
return PKT_ALIAS_OK;
|
||||
return(PKT_ALIAS_IGNORED);
|
||||
}
|
||||
|
||||
|
||||
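Review bot: On the FindPptpOut()-returns-NULL path PptpAliasOut hands the packet back with its inside source address intact and PKT_ALIAS_IGNORED, yet from the FindPptpOut hunk NULL only means AddLink() failed; if the caller forwards ignored packets, table exhaustion leaks private addresses outside. `return PKT_ALIAS_ERROR;` there, or a comment saying IGNORED means untranslated, would distinguish the failure. The DENY_PPTP-after-PROXY_ONLY ordering noted for PptpAliasIn applies here too.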
@ -902,7 +923,7 @@ TcpAliasIn(struct ip *pip)
|
||||
accumulate -= *sptr++;
|
||||
accumulate -= *sptr;
|
||||
|
||||
/* If this is a proxy, then modify the tcp source port and
|
||||
/* If this is a proxy, then modify the TCP source port and
|
||||
checksum accumulation */
|
||||
if (proxy_port != 0)
|
||||
{
|
||||
@ -918,7 +939,7 @@ TcpAliasIn(struct ip *pip)
|
||||
accumulate -= *sptr;
|
||||
}
|
||||
|
||||
/* See if ack number needs to be modified */
|
||||
/* See if ACK number needs to be modified */
|
||||
if (GetAckModified(link) == 1)
|
||||
{
|
||||
int delta;
|
||||
@ -989,7 +1010,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
return PKT_ALIAS_OK;
|
||||
|
||||
/* If this is a transparent proxy, save original destination,
|
||||
then alter the destination and adust checksums */
|
||||
then alter the destination and adjust checksums */
|
||||
dest_port = tc->th_dport;
|
||||
dest_address = pip->ip_dst;
|
||||
if (proxy_type != 0)
|
||||
@ -1044,7 +1065,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
alias_port = GetAliasPort(link);
|
||||
alias_address = GetAliasAddress(link);
|
||||
|
||||
/* Monitor tcp connection state */
|
||||
/* Monitor TCP connection state */
|
||||
TcpMonitorOut(pip, link);
|
||||
|
||||
/* Special processing for IP encoding protocols */
|
||||
@ -1114,7 +1135,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
|
||||
|
||||
The packet aliasing module has a limited ability for handling IP
|
||||
fragments. If the ICMP, TCP or UDP header is in the first fragment
|
||||
received, then the id number of the IP packet is saved, and other
|
||||
received, then the ID number of the IP packet is saved, and other
|
||||
fragments are identified according to their ID number and IP address
|
||||
they were sent from. Pointers to unresolved fragments can also be
|
||||
saved and recalled when a header fragment is seen.
|
||||
@ -1358,7 +1379,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
|
||||
addr_save = GetDefaultAliasAddress();
|
||||
if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
|
||||
{
|
||||
unsigned int addr;
|
||||
u_long addr;
|
||||
int iclass;
|
||||
|
||||
iclass = 0;
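Review bot: `u_long addr;` makes the holder for an IPv4 address 64 bits wide on LP64 targets, while the value being stored and compared against the private-range constants is a 32-bit network address; a fixed-width `u_int32_t addr;` (or `in_addr_t`) states that intent and keeps the width platform-independent. Presumably the change tracks the return type of ntohl() on this platform; if so, the narrower type still holds the result without loss. The enclosing PacketAliasOut() body continues outside the hunk.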
|
||||
|
@ -54,6 +54,8 @@ struct alias_link;
|
||||
extern int
|
||||
PacketAliasPptp(struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
|
||||
|
||||
extern struct alias_link *
|
||||
PacketAliasRedirectAddr(struct in_addr,
|
||||
@ -113,13 +115,12 @@ struct alias_link;
|
||||
port it chooses. This will avoid interference with the host
|
||||
machine. Fully specified links do not require this. This bit
|
||||
is set after a call to PacketAliasInit(), so it is a default
|
||||
mode of operation.*/
|
||||
mode of operation. */
|
||||
#define PKT_ALIAS_USE_SOCKETS 0x08
|
||||
|
||||
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
|
||||
unregistered source addresses will be aliased (along with those
|
||||
of the ppp host maching itself. Private addresses are those
|
||||
in the following ranges:
|
||||
unregistered source addresses will be aliased. Private
|
||||
addresses are those in the following ranges:
|
||||
10.0.0.0 -> 10.255.255.255
|
||||
172.16.0.0 -> 172.31.255.255
|
||||
192.168.0.0 -> 192.168.255.255 */
|
||||
@ -128,7 +129,7 @@ struct alias_link;
|
||||
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
|
||||
aliasing links will be reset whenever PacketAliasSetAddress()
|
||||
changes the default aliasing address. If the default aliasing
|
||||
address is left unchanged by this functions call, then the
|
||||
address is left unchanged by this function call, then the
|
||||
table of dynamic aliasing links will be left intact. This
|
||||
bit is set after a call to PacketAliasInit(). */
|
||||
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
|
||||
@ -151,6 +152,10 @@ struct alias_link;
|
||||
and PacketAliasOut() are reversed */
|
||||
#define PKT_ALIAS_REVERSE 0x80
|
||||
|
||||
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
|
||||
prevented by the aliasing engine. */
|
||||
#define PKT_ALIAS_DENY_PPTP 0x200
|
||||
|
||||
/* Return Codes */
|
||||
#define PKT_ALIAS_ERROR -1
|
||||
#define PKT_ALIAS_OK 1
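Review bot: The comment on `PKT_ALIAS_DENY_PPTP` says PPTP sessions "will be prevented by the aliasing engine", but the engine drops nothing: with the bit set PacketAliasIn()/PacketAliasOut() return PKT_ALIAS_IGNORED and leave the packet untouched, so whether a session is actually blocked depends on the caller discarding ignored packets. The man page hunk in this commit describes it that way and the header should agree, e.g. `/* If PKT_ALIAS_DENY_PPTP is set, PPTP packets are not aliased: PacketAliasIn() and PacketAliasOut() return PKT_ALIAS_IGNORED and leave the packet unmodified, so the caller must discard them if the session is to be blocked. */`. It would also help to name the protocols the bit covers, since the man page lists IPPROTO_GRE, IPPROTO_ESP and IPPROTO_AH as handled by the PPTP path, and ESP/AH are IPsec rather than PPTP.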
|
||||
|
@ -32,7 +32,7 @@
|
||||
Version 1.7: January 9, 1997 (cjm)
|
||||
Fragment handling simplified.
|
||||
Saves pointers for unresolved fragments.
|
||||
Permits links for unspecied remote ports
|
||||
Permits links for unspecified remote ports
|
||||
or unspecified remote addresses.
|
||||
Fixed bug which did not properly zero port
|
||||
table entries after a link was deleted.
|
||||
@ -48,8 +48,8 @@
|
||||
machine will will not have their port number aliased unless it
|
||||
conflicts with an aliasing port already being used. (cjm)
|
||||
|
||||
All options earlier being #ifdef'ed now are available through
|
||||
a new interface, SetPacketAliasMode(). This allow run time
|
||||
All options earlier being #ifdef'ed are now available through
|
||||
a new interface, SetPacketAliasMode(). This allows run time
|
||||
control (which is now available in PPP+pktAlias through the
|
||||
'alias' keyword). (ee)
|
||||
|
||||
@ -78,7 +78,7 @@
|
||||
(192.168.0.2, port 21) <-> alias port 3604, known dest addr
|
||||
unknown dest port
|
||||
|
||||
These permament links allow for incoming connections to
|
||||
These permanent links allow for incoming connections to
|
||||
machines on the local network. They can be given with a
|
||||
user-chosen amount of specificity, with increasing specificity
|
||||
meaning more security. (cjm)
|
||||
@ -147,6 +147,7 @@
|
||||
/* Timeouts (in seconds) for different link types */
|
||||
#define ICMP_EXPIRE_TIME 60
|
||||
#define UDP_EXPIRE_TIME 60
|
||||
#define PPTP_EXPIRE_TIME 60
|
||||
#define FRAGMENT_ID_EXPIRE_TIME 10
|
||||
#define FRAGMENT_PTR_EXPIRE_TIME 30
|
||||
|
||||
@ -192,25 +193,25 @@
|
||||
The link record is identified by the source address/port
|
||||
and the destination address/port. In the case of an ICMP
|
||||
echo request, the source port is treated as being equivalent
|
||||
with the 16-bit id number of the ICMP packet.
|
||||
with the 16-bit ID number of the ICMP packet.
|
||||
|
||||
The link record also can store some auxiliary data. For
|
||||
TCP connections that have had sequence and acknowledgment
|
||||
modifications, data space is available to track these changes.
|
||||
A state field is used to keep track in changes to the tcp
|
||||
connection state. Id numbers of fragments can also be
|
||||
A state field is used to keep track in changes to the TCP
|
||||
connection state. ID numbers of fragments can also be
|
||||
stored in the auxiliary space. Pointers to unresolved
|
||||
framgents can also be stored.
|
||||
fragments can also be stored.
|
||||
|
||||
The link records support two independent chainings. Lookup
|
||||
tables for input and out tables hold the initial pointers
|
||||
the link chains. On input, the lookup table indexes on alias
|
||||
port and link type. On output, the lookup table indexes on
|
||||
source addreess, destination address, source port, destination
|
||||
source address, destination address, source port, destination
|
||||
port and link type.
|
||||
*/
|
||||
|
||||
struct ack_data_record /* used to save changes to ack/seq numbers */
|
||||
struct ack_data_record /* used to save changes to ACK/sequence numbers */
|
||||
{
|
||||
u_long ack_old;
|
||||
u_long ack_new;
|
||||
@ -218,16 +219,16 @@ struct ack_data_record /* used to save changes to ack/seq numbers */
|
||||
int active;
|
||||
};
|
||||
|
||||
struct tcp_state /* Information about tcp connection */
|
||||
struct tcp_state /* Information about TCP connection */
|
||||
{
|
||||
int in; /* State for outside -> inside */
|
||||
int out; /* State for inside -> outside */
|
||||
int index; /* Index to ack data array */
|
||||
int ack_modified; /* Indicates whether ack and seq numbers */
|
||||
int index; /* Index to ACK data array */
|
||||
int ack_modified; /* Indicates whether ACK and sequence numbers */
|
||||
/* been modified */
|
||||
};
|
||||
|
||||
#define N_LINK_TCP_DATA 3 /* Number of distinct ack number changes
|
||||
#define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
|
||||
saved for a modified TCP stream */
|
||||
struct tcp_dat
|
||||
{
|
||||
@ -247,7 +248,7 @@ struct alias_link /* Main data structure */
|
||||
u_short alias_port;
|
||||
u_short proxy_port;
|
||||
|
||||
int link_type; /* Type of link: tcp, udp, icmp, frag */
|
||||
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
|
||||
|
||||
/* values for link_type */
|
||||
#define LINK_ICMP 1
|
||||
@ -256,6 +257,7 @@ struct alias_link /* Main data structure */
|
||||
#define LINK_FRAGMENT_ID 4
|
||||
#define LINK_FRAGMENT_PTR 5
|
||||
#define LINK_ADDR 6
|
||||
#define LINK_PPTP 7
|
||||
|
||||
int flags; /* indicates special characteristics */
|
||||
|
||||
@ -319,6 +321,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
|
||||
static int icmpLinkCount; /* Link statistics */
|
||||
static int udpLinkCount;
|
||||
static int tcpLinkCount;
|
||||
static int pptpLinkCount;
|
||||
static int fragmentIdLinkCount;
|
||||
static int fragmentPtrLinkCount;
|
||||
static int sockCount;
|
||||
@ -352,11 +355,6 @@ static int fireWallFD = -1; /* File descriptor to be able to */
|
||||
/* flag. */
|
||||
#endif
|
||||
|
||||
static int pptpAliasFlag; /* Indicates if PPTP aliasing is */
|
||||
/* on or off */
|
||||
static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
|
||||
/* packets. */
|
||||
|
||||
|
||||
|
||||
|
||||
@ -368,7 +366,7 @@ static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
|
||||
Lookup table starting points:
|
||||
StartPointIn() -- link table initial search point for
|
||||
incoming packets
|
||||
StartPointOut() -- port table initial search point for
|
||||
StartPointOut() -- link table initial search point for
|
||||
outgoing packets
|
||||
|
||||
Miscellaneous:
|
||||
@ -449,16 +447,18 @@ ShowAliasStats(void)
|
||||
|
||||
if (monitorFile)
|
||||
{
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, frag_id=%d frag_ptr=%d",
|
||||
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
|
||||
icmpLinkCount,
|
||||
udpLinkCount,
|
||||
tcpLinkCount,
|
||||
pptpLinkCount,
|
||||
fragmentIdLinkCount,
|
||||
fragmentPtrLinkCount);
|
||||
|
||||
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
|
||||
icmpLinkCount + udpLinkCount
|
||||
+ tcpLinkCount
|
||||
+ pptpLinkCount
|
||||
+ fragmentIdLinkCount
|
||||
+ fragmentPtrLinkCount,
|
||||
sockCount);
|
||||
@ -542,7 +542,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
|
||||
the port number. GetNewPort() will return this number
|
||||
without check that it is in use.
|
||||
|
||||
Whis this parameter is -1, it indicates to get a randomly
|
||||
When this parameter is -1, it indicates to get a randomly
|
||||
selected port number.
|
||||
*/
|
||||
|
||||
@ -557,7 +557,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
|
||||
if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
|
||||
{
|
||||
/*
|
||||
* When the ALIAS_SAME_PORTS option is
|
||||
* When the PKT_ALIAS_SAME_PORTS option is
|
||||
* chosen, the first try will be the
|
||||
* actual source port. If this is already
|
||||
* in use, the remainder of the trials
|
||||
@ -734,6 +734,7 @@ IncrementalCleanup(void)
|
||||
case LINK_UDP:
|
||||
case LINK_FRAGMENT_ID:
|
||||
case LINK_FRAGMENT_PTR:
|
||||
case LINK_PPTP:
|
||||
if (idelta > link->expire_time)
|
||||
{
|
||||
DeleteLink(link);
|
||||
@ -773,7 +774,7 @@ DeleteLink(struct alias_link *link)
|
||||
return;
|
||||
|
||||
#ifndef NO_FW_PUNCH
|
||||
/* Delete associatied firewall hole, if any */
|
||||
/* Delete associated firewall hole, if any */
|
||||
ClearFWHole(link);
|
||||
#endif
|
||||
|
||||
@ -822,6 +823,9 @@ DeleteLink(struct alias_link *link)
|
||||
if (link->data.tcp != NULL)
|
||||
free(link->data.tcp);
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount--;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount--;
|
||||
break;
|
||||
@ -884,6 +888,9 @@ AddLink(struct in_addr src_addr,
|
||||
case LINK_TCP:
|
||||
link->expire_time = TCP_EXPIRE_INITIAL;
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
link->expire_time = PPTP_EXPIRE_TIME;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
|
||||
break;
|
||||
@ -967,6 +974,9 @@ AddLink(struct in_addr src_addr,
|
||||
#endif
|
||||
}
|
||||
break;
|
||||
case LINK_PPTP:
|
||||
pptpLinkCount++;
|
||||
break;
|
||||
case LINK_FRAGMENT_ID:
|
||||
fragmentIdLinkCount++;
|
||||
break;
|
||||
@ -1272,6 +1282,7 @@ FindLinkIn(struct in_addr dst_addr,
|
||||
FindIcmpIn(), FindIcmpOut()
|
||||
FindFragmentIn1(), FindFragmentIn2()
|
||||
AddFragmentPtrLink(), FindFragmentPtr()
|
||||
FindPptpIn(), FindPptpOut()
|
||||
FindUdpTcpIn(), FindUdpTcpOut()
|
||||
FindOriginalAddress(), FindAliasAddress()
|
||||
|
||||
@ -1367,6 +1378,54 @@ FindFragmentPtr(struct in_addr dst_addr,
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkIn(dst_addr, alias_addr,
|
||||
NO_DEST_PORT, 0,
|
||||
LINK_PPTP, 1);
|
||||
|
||||
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
|
||||
{
|
||||
struct in_addr target_addr;
|
||||
|
||||
target_addr = FindOriginalAddress(alias_addr);
|
||||
link = AddLink(target_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
}
|
||||
|
||||
return (link);
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr src_addr,
|
||||
struct in_addr dst_addr)
|
||||
{
|
||||
struct alias_link *link;
|
||||
|
||||
link = FindLinkOut(src_addr, dst_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT,
|
||||
LINK_PPTP, 1);
|
||||
|
||||
if (link == NULL)
|
||||
{
|
||||
struct in_addr alias_addr;
|
||||
|
||||
alias_addr = FindAliasAddress(src_addr);
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
}
|
||||
|
||||
return (link);
|
||||
}
|
||||
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn(struct in_addr dst_addr,
|
||||
struct in_addr alias_addr,
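Review bot: FindPptpIn() and FindPptpOut() create a link as a side effect when the lookup misses, and neither carries a header comment saying so; a comment above each, e.g. `/* Look up the LINK_PPTP link for this address pair; on a miss (and, for the inbound side, only when PKT_ALIAS_DENY_INCOMING is clear) a dynamic link is created via AddLink(). */`, would make the AddLink() path and its gate visible to callers. Both lookups are keyed on addresses only (NO_SRC_PORT/NO_DEST_PORT), so if two inside hosts hold PPTP sessions to the same remote address through the same alias address, FindLinkIn() on the inbound side has nothing to tell the two links apart — the GRE call ID is not part of the key — and the commit's multiple-session support presumably holds only for distinct remote addresses; that limit is worth stating in the comment. Note also that a dynamic inbound link is created for any unsolicited packet unless PKT_ALIAS_DENY_INCOMING is set, which the comment should make explicit for operators relying on the default mode.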
|
||||
@ -1663,7 +1722,7 @@ GetDestPort(struct alias_link *link)
|
||||
void
|
||||
SetAckModified(struct alias_link *link)
|
||||
{
|
||||
/* Indicate that ack numbers have been modified in a TCP connection */
|
||||
/* Indicate that ACK numbers have been modified in a TCP connection */
|
||||
link->data.tcp->state.ack_modified = 1;
|
||||
}
|
||||
|
||||
@ -1699,7 +1758,7 @@ SetProxyPort(struct alias_link *link, u_short port)
|
||||
int
|
||||
GetAckModified(struct alias_link *link)
|
||||
{
|
||||
/* See if ack numbers have been modified */
|
||||
/* See if ACK numbers have been modified */
|
||||
return link->data.tcp->state.ack_modified;
|
||||
}
|
||||
|
||||
@ -1708,8 +1767,8 @@ int
|
||||
GetDeltaAckIn(struct ip *pip, struct alias_link *link)
|
||||
{
|
||||
/*
|
||||
Find out how much the ack number has been altered for an incoming
|
||||
TCP packet. To do this, a circular list is ack numbers where the TCP
|
||||
Find out how much the ACK number has been altered for an incoming
|
||||
TCP packet. To do this, a circular list of ACK numbers where the TCP
|
||||
packet size was altered is searched.
|
||||
*/
|
||||
|
||||
@ -1759,8 +1818,8 @@ int
|
||||
GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
|
||||
{
|
||||
/*
|
||||
Find out how much the seq number has been altered for an outgoing
|
||||
TCP packet. To do this, a circular list is ack numbers where the TCP
|
||||
Find out how much the sequence number has been altered for an outgoing
|
||||
TCP packet. To do this, a circular list of ACK numbers where the TCP
|
||||
packet size was altered is searched.
|
||||
*/
|
||||
|
||||
@ -1976,6 +2035,7 @@ UninitPacketAliasLog(void)
|
||||
-- "outside world" means other than alias*.c routines --
|
||||
|
||||
PacketAliasRedirectPort()
|
||||
PacketAliasRedirectPptp()
|
||||
PacketAliasRedirectAddr()
|
||||
PacketAliasRedirectDelete()
|
||||
PacketAliasSetAddress()
|
||||
@ -1987,7 +2047,7 @@ UninitPacketAliasLog(void)
|
||||
*/
|
||||
|
||||
/* Redirection from a specific public addr:port to a
|
||||
a private addr:port */
|
||||
private addr:port */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
|
||||
struct in_addr dst_addr, u_short dst_port,
|
||||
@ -2033,23 +2093,46 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
|
||||
}
|
||||
|
||||
/* Translate PPTP packets to a machine on the inside
|
||||
* XXX This function is made obsolete by PacketAliasRedirectPptp().
|
||||
*/
|
||||
int
|
||||
PacketAliasPptp(struct in_addr src_addr)
|
||||
{
|
||||
|
||||
pptpAliasAddr = src_addr; /* Address of the inside PPTP machine */
|
||||
pptpAliasFlag = src_addr.s_addr != INADDR_NONE;
|
||||
if (src_addr.s_addr == INADDR_NONE)
|
||||
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
|
||||
else
|
||||
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int GetPptpAlias (struct in_addr* alias_addr)
|
||||
/* Redirect PPTP packets from a specific
|
||||
public address to a private address */
|
||||
struct alias_link *
|
||||
PacketAliasRedirectPptp(struct in_addr src_addr,
|
||||
struct in_addr dst_addr,
|
||||
struct in_addr alias_addr)
|
||||
{
|
||||
if (pptpAliasFlag)
|
||||
*alias_addr = pptpAliasAddr;
|
||||
struct alias_link *link;
|
||||
|
||||
return pptpAliasFlag;
|
||||
link = AddLink(src_addr, dst_addr, alias_addr,
|
||||
NO_SRC_PORT, NO_DEST_PORT, 0,
|
||||
LINK_PPTP);
|
||||
|
||||
if (link != NULL)
|
||||
{
|
||||
link->flags |= LINK_PERMANENT;
|
||||
}
|
||||
#ifdef DEBUG
|
||||
else
|
||||
{
|
||||
fprintf(stderr, "PacketAliasRedirectPptp(): "
|
||||
"call to AddLink() failed\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
return link;
|
||||
}
|
||||
|
||||
/* Static address translation */
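Review bot: PacketAliasPptp() sets PKT_ALIAS_DENY_PPTP when passed INADDR_NONE but never clears it, so a caller that disables PPTP aliasing this way and later re-enables it with a real address keeps the deny bit and every PPTP packet is still ignored; the removed pptpAliasFlag toggled in both directions. The else branch should clear the bit before adding the redirect: `else { packetAliasMode &= ~PKT_ALIAS_DENY_PPTP; (void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress); }`. Repeated calls with different addresses also accumulate LINK_PERMANENT links rather than replacing the single address the old code stored, so the obsolescence comment should say that an earlier redirect presumably persists until removed with PacketAliasRedirectDelete(); and `return 1;` reports success even when PacketAliasRedirectPptp() returned NULL, which could instead be propagated by returning whether the link was created.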
|
||||
@ -2145,6 +2228,7 @@ PacketAliasInit(void)
|
||||
icmpLinkCount = 0;
|
||||
udpLinkCount = 0;
|
||||
tcpLinkCount = 0;
|
||||
pptpLinkCount = 0;
|
||||
fragmentIdLinkCount = 0;
|
||||
fragmentPtrLinkCount = 0;
|
||||
sockCount = 0;
|
||||
@ -2154,8 +2238,6 @@ PacketAliasInit(void)
|
||||
packetAliasMode = PKT_ALIAS_SAME_PORTS
|
||||
| PKT_ALIAS_USE_SOCKETS
|
||||
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
|
||||
|
||||
pptpAliasFlag = 0;
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -95,6 +95,12 @@ AddFragmentPtrLink(struct in_addr, u_short);
|
||||
struct alias_link *
|
||||
FindFragmentPtr(struct in_addr, u_short);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpIn(struct in_addr, struct in_addr);
|
||||
|
||||
struct alias_link *
|
||||
FindPptpOut(struct in_addr, struct in_addr);
|
||||
|
||||
struct alias_link *
|
||||
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
|
||||
|
||||
@ -169,7 +175,5 @@ enum alias_tcp_state {
|
||||
ALIAS_TCP_STATE_CONNECTED,
|
||||
ALIAS_TCP_STATE_DISCONNECTED
|
||||
};
|
||||
|
||||
int GetPptpAlias (struct in_addr*);
|
||||
/*lint -restore */
|
||||
#endif /* defined(ALIAS_LOCAL_H) */
|
||||
|
@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
|
||||
See
|
||||
.Fn PacketAliasProxyRule
|
||||
below for details.
|
||||
.It Dv PKT_ALIAS_DENY_PPTP
|
||||
If this mode bit is set, all PPTP packets will be marked for being ignored
|
||||
(both
|
||||
.Fn PacketAliasIn
|
||||
and
|
||||
.Fn PacketAliasOut
|
||||
return
|
||||
.Dv PKT_ALIAS_IGNORED
|
||||
code).
|
||||
.El
|
||||
.Ed
|
||||
.Pp
|
||||
@ -362,9 +371,9 @@ by
|
||||
.Fn PacketAliasSetAddress
|
||||
is to be used.
|
||||
Even if
|
||||
.Nm PacketAliasSetAddress
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Nm PacketAliasRedirectPort
|
||||
.Fn PacketAliasRedirectPort
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
|
||||
access, or to restrict access to certain external machines.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft struct alias_link *
|
||||
.Fo PacketAliasRedirectPptp
|
||||
.Fa "struct in_addr local_addr"
|
||||
.Fa "struct in_addr remote_addr"
|
||||
.Fa "struct in_addr alias_addr"
|
||||
.Fc
|
||||
.Bd -ragged -offset indent
|
||||
This function specifies that any Point to Point Tunneling Protocol
|
||||
(PPTP) traffic from a given remote address to an alias address be
|
||||
redirected to a specified local address.
|
||||
Currently supported PPTP protocols include:
|
||||
.Pp
|
||||
.Bl -tag -width "IPPROTO_GRE" -compact
|
||||
.It IPPROTO_GRE
|
||||
Generic Routing Encapsulation (RFC 1702)
|
||||
.It IPPROTO_ESP
|
||||
IP Encapsulating Security Payload (RFC 1827)
|
||||
.It IPPROTO_AH
|
||||
IP Authentication Header (RFC 1826)
|
||||
.El
|
||||
.Pp
|
||||
If
|
||||
.Fa local_addr
|
||||
or
|
||||
.Fa alias_addr
|
||||
is zero, this indicates that the packet aliasing address as established
|
||||
by
|
||||
.Fn PacketAliasSetAddress
|
||||
is to be used.
|
||||
Even if
|
||||
.Fn PacketAliasSetAddress
|
||||
is called to change the address after
|
||||
.Fn PacketAliasRedirectPptp
|
||||
is called, a zero reference will track this change.
|
||||
.Pp
|
||||
If
|
||||
.Fa remote_addr
|
||||
is zero, this indicates to redirect PPTP packets from any remote address.
|
||||
Non-zero remote addresses can sometimes be useful for firewalling.
|
||||
.Pp
|
||||
If two calls to
|
||||
.Fn PacketAliasRedirectPptp
|
||||
overlap in their address specifications, then the most recent call
|
||||
will have precedence.
|
||||
.Pp
|
||||
This function returns a pointer which can subsequently be used by
|
||||
.Fn PacketAliasRedirectDelete .
|
||||
If
|
||||
.Dv NULL
|
||||
is returned, then the function call did not complete successfully.
|
||||
.Ed
|
||||
.Pp
|
||||
.Ft int
|
||||
.Fn PacketAliasPptp "struct in_addr addr"
|
||||
.Bd -ragged -offset indent
|
||||
This function causes any General Routing Encapsulation
|
||||
.Pq Dv IPPROTO_GRE
|
||||
packets to be aliased using
|
||||
.Ar addr
|
||||
This function causes any PPTP packets to be aliased using
|
||||
.Fa addr
|
||||
rather than the address set via
|
||||
.Fn PacketAliasSetAddress .
|
||||
This allows the uses of the Point to Point Tunneling Protocol (PPTP)
|
||||
on a machine on the internal network.
|
||||
This allows the uses of the PPTP on a single machine on the internal network.
|
||||
.Pp
|
||||
If the passed address is
|
||||
.Dv INADDR_NONE ,
|
||||
.Dv PPTP
|
||||
aliasing is disabled.
|
||||
then PPTP aliasing is disabled.
|
||||
.Pp
|
||||
.Bf -symbolic
|
||||
This function is made obsolete by
|
||||
.Fn PacketAliasRedirectPptp
|
||||
and
|
||||
.Dv PKT_ALIAS_DENY_PPTP
|
||||
mode bit, and is provided only for backward compatibility.
|
||||
.Ef
|
||||
.Ed
|
||||
.Sh FRAGMENT HANDLING
|
||||
The functions in this section are used to deal with incoming fragments.
|
||||
|