1 /* -*- mode: c; tab-width: 8; c-basic-indent: 4; -*- */
4 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * $FreeBSD: src/lib/libalias/alias_db.c,v 1.21.2.14 2002/07/24 03:21:24 luigi Exp $
32 Alias_db.c encapsulates all data structures used for storing
33 packet aliasing data. Other parts of the aliasing software
34 access data through functions provided in this file.
36 Data storage is based on the notion of a "link", which is
37 established for ICMP echo/reply packets, UDP datagrams and
38 TCP stream connections. A link stores the original source
39 and destination addresses. For UDP and TCP, it also stores
40 source and destination port numbers, as well as an alias
41 port number. Links are also used to store information about
44 There is a facility for sweeping through and deleting old
45 links as new packets are sent through. A simple timeout is
46 used for ICMP and UDP links. TCP links are left alone unless
47 there is an incomplete connection, in which case the link
48 can be deleted after a certain amount of time.
51 Initial version: August, 1996 (cjm)
53 Version 1.4: September 16, 1996 (cjm)
54 Facility for handling incoming links added.
56 Version 1.6: September 18, 1996 (cjm)
57 ICMP data handling simplified.
59 Version 1.7: January 9, 1997 (cjm)
60 Fragment handling simplified.
61 Saves pointers for unresolved fragments.
62 Permits links for unspecified remote ports
63 or unspecified remote addresses.
64 Fixed bug which did not properly zero port
65 table entries after a link was deleted.
66 Cleaned up some obsolete comments.
68 Version 1.8: January 14, 1997 (cjm)
69 Fixed data type error in StartPoint().
70 (This error did not exist prior to v1.7
71 and was discovered and fixed by Ari Suutari)
73 Version 1.9: February 1, 1997
74 Optionally, connections initiated from packet aliasing host
75 machine will will not have their port number aliased unless it
76 conflicts with an aliasing port already being used. (cjm)
78 All options earlier being #ifdef'ed are now available through
79 a new interface, SetPacketAliasMode(). This allows run time
80 control (which is now available in PPP+pktAlias through the
81 'alias' keyword). (ee)
83 Added ability to create an alias port without
84 either destination address or port specified.
85 port type = ALIAS_PORT_UNKNOWN_DEST_ALL (ee)
87 Removed K&R style function headers
88 and general cleanup. (ee)
90 Added packetAliasMode to replace compiler #defines's (ee)
92 Allocates sockets for partially specified
93 ports if ALIAS_USE_SOCKETS defined. (cjm)
95 Version 2.0: March, 1997
96 SetAliasAddress() will now clean up alias links
97 if the aliasing address is changed. (cjm)
99 PacketAliasPermanentLink() function added to support permanent
100 links. (J. Fortes suggested the need for this.)
103 (192.168.0.1, port 23) <-> alias port 6002, unknown dest addr/port
105 (192.168.0.2, port 21) <-> alias port 3604, known dest addr
108 These permanent links allow for incoming connections to
109 machines on the local network. They can be given with a
110 user-chosen amount of specificity, with increasing specificity
111 meaning more security. (cjm)
113 Quite a bit of rework to the basic engine. The portTable[]
114 array, which kept track of which ports were in use was replaced
115 by a table/linked list structure. (cjm)
117 SetExpire() function added. (cjm)
119 DeleteLink() no longer frees memory association with a pointer
120 to a fragment (this bug was first recognized by E. Eklund in
123 Version 2.1: May, 1997 (cjm)
124 Packet aliasing engine reworked so that it can handle
125 multiple external addresses rather than just a single
128 PacketAliasRedirectPort() and PacketAliasRedirectAddr()
129 added to the API. The first function is a more generalized
130 version of PacketAliasPermanentLink(). The second function
131 implements static network address translation.
133 Version 3.2: July, 2000 (salander and satoh)
134 Added FindNewPortGroup to get contiguous range of port values.
136 Added QueryUdpTcpIn and QueryUdpTcpOut to look for an aliasing
137 link but not actually add one.
139 Added FindRtspOut, which is closely derived from FindUdpTcpOut,
140 except that the alias port (from FindNewPortGroup) is provided
143 See HISTORY file for additional revisions.
147 /* System include files */
148 #include <sys/param.h>
149 #include <sys/queue.h>
150 #include <sys/socket.h>
151 #include <sys/time.h>
158 /* BSD network include files */
159 #include <netinet/in_systm.h>
160 #include <netinet/in.h>
161 #include <netinet/ip.h>
162 #include <netinet/tcp.h>
163 #include <arpa/inet.h>
166 #include "alias_local.h"
171 Constants (note: constants are also defined
172 near relevant functions or structs)
175 /* Sizes of input and output link tables */
176 #define LINK_TABLE_OUT_SIZE 101
177 #define LINK_TABLE_IN_SIZE 4001
179 /* Parameters used for cleanup of expired links */
180 #define ALIAS_CLEANUP_INTERVAL_SECS 60
181 #define ALIAS_CLEANUP_MAX_SPOKES 30
183 /* Timeouts (in seconds) for different link types */
184 #define ICMP_EXPIRE_TIME 60
185 #define UDP_EXPIRE_TIME 60
186 #define PROTO_EXPIRE_TIME 60
187 #define FRAGMENT_ID_EXPIRE_TIME 10
188 #define FRAGMENT_PTR_EXPIRE_TIME 30
190 /* TCP link expire time for different cases */
191 /* When the link has been used and closed - minimal grace time to
192 allow ACKs and potential re-connect in FTP (XXX - is this allowed?) */
193 #ifndef TCP_EXPIRE_DEAD
194 # define TCP_EXPIRE_DEAD 10
197 /* When the link has been used and closed on one side - the other side
198 is allowed to still send data */
199 #ifndef TCP_EXPIRE_SINGLEDEAD
200 # define TCP_EXPIRE_SINGLEDEAD 90
203 /* When the link isn't yet up */
204 #ifndef TCP_EXPIRE_INITIAL
205 # define TCP_EXPIRE_INITIAL 300
208 /* When the link is up */
209 #ifndef TCP_EXPIRE_CONNECTED
210 # define TCP_EXPIRE_CONNECTED 86400
214 /* Dummy port number codes used for FindLinkIn/Out() and AddLink().
215 These constants can be anything except zero, which indicates an
216 unknown port number. */
218 #define NO_DEST_PORT 1
219 #define NO_SRC_PORT 1
225 The fundamental data structure used in this program is
226 "struct alias_link". Whenever a TCP connection is made,
227 a UDP datagram is sent out, or an ICMP echo request is made,
228 a link record is made (if it has not already been created).
229 The link record is identified by the source address/port
230 and the destination address/port. In the case of an ICMP
231 echo request, the source port is treated as being equivalent
232 with the 16-bit ID number of the ICMP packet.
234 The link record also can store some auxiliary data. For
235 TCP connections that have had sequence and acknowledgment
236 modifications, data space is available to track these changes.
237 A state field is used to keep track in changes to the TCP
238 connection state. ID numbers of fragments can also be
239 stored in the auxiliary space. Pointers to unresolved
240 fragments can also be stored.
242 The link records support two independent chainings. Lookup
243 tables for input and out tables hold the initial pointers
244 the link chains. On input, the lookup table indexes on alias
245 port and link type. On output, the lookup table indexes on
246 source address, destination address, source port, destination
250 struct ack_data_record /* used to save changes to ACK/sequence numbers */
258 struct tcp_state /* Information about TCP connection */
260 int in; /* State for outside -> inside */
261 int out; /* State for inside -> outside */
262 int index; /* Index to ACK data array */
263 int ack_modified; /* Indicates whether ACK and sequence numbers */
267 #define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
268 saved for a modified TCP stream */
271 struct tcp_state state;
272 struct ack_data_record ack[N_LINK_TCP_DATA];
273 int fwhole; /* Which firewall record is used for this hole? */
276 struct server /* LSNAT server pool (circular list) */
283 struct alias_link /* Main data structure */
285 struct in_addr src_addr; /* Address and port information */
286 struct in_addr dst_addr;
287 struct in_addr alias_addr;
288 struct in_addr proxy_addr;
293 struct server *server;
295 int link_type; /* Type of link: TCP, UDP, ICMP, proto, frag */
297 /* values for link_type */
298 #define LINK_ICMP IPPROTO_ICMP
299 #define LINK_UDP IPPROTO_UDP
300 #define LINK_TCP IPPROTO_TCP
301 #define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
302 #define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
303 #define LINK_ADDR (IPPROTO_MAX + 3)
304 #define LINK_PPTP (IPPROTO_MAX + 4)
306 int flags; /* indicates special characteristics */
309 #define LINK_UNKNOWN_DEST_PORT 0x01
310 #define LINK_UNKNOWN_DEST_ADDR 0x02
311 #define LINK_PERMANENT 0x04
312 #define LINK_PARTIALLY_SPECIFIED 0x03 /* logical-or of first two bits */
313 #define LINK_UNFIREWALLED 0x08
314 #define LINK_LAST_LINE_CRLF_TERMED 0x10
316 int timestamp; /* Time link was last accessed */
317 int expire_time; /* Expire time for link */
319 int sockfd; /* socket descriptor */
321 LIST_ENTRY(alias_link) list_out; /* Linked list of pointers for */
322 LIST_ENTRY(alias_link) list_in; /* input and output lookup tables */
324 union /* Auxiliary data */
327 struct in_addr frag_addr;
338 The global variables listed here are only accessed from
339 within alias_db.c and so are prefixed with the static
343 int packetAliasMode; /* Mode flags */
344 /* - documented in alias.h */
346 static struct in_addr aliasAddress; /* Address written onto source */
347 /* field of IP packet. */
349 static struct in_addr targetAddress; /* IP address incoming packets */
350 /* are sent to if no aliasing */
351 /* link already exists */
353 static struct in_addr nullAddress; /* Used as a dummy parameter for */
354 /* some function calls */
355 static LIST_HEAD(, alias_link)
356 linkTableOut[LINK_TABLE_OUT_SIZE]; /* Lookup table of pointers to */
357 /* chains of link records. Each */
358 static LIST_HEAD(, alias_link) /* link record is doubly indexed */
359 linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
362 static int icmpLinkCount; /* Link statistics */
363 static int udpLinkCount;
364 static int tcpLinkCount;
365 static int pptpLinkCount;
366 static int protoLinkCount;
367 static int fragmentIdLinkCount;
368 static int fragmentPtrLinkCount;
369 static int sockCount;
371 static int cleanupIndex; /* Index to chain of link table */
372 /* being inspected for old links */
374 static int timeStamp; /* System time in seconds for */
377 static int lastCleanupTime; /* Last time IncrementalCleanup() */
380 static int houseKeepingResidual; /* used by HouseKeeping() */
382 static int deleteAllLinks; /* If equal to zero, DeleteLink() */
383 /* will not remove permanent links */
385 static FILE *monitorFile; /* File descriptor for link */
386 /* statistics monitoring file */
388 static int newDefaultLink; /* Indicates if a new aliasing */
389 /* link has been created after a */
390 /* call to PacketAliasIn/Out(). */
393 static int fireWallFD = -1; /* File descriptor to be able to */
394 /* control firewall. Opened by */
395 /* PacketAliasSetMode on first */
396 /* setting the PKT_ALIAS_PUNCH_FW */
406 /* Internal utility routines (used only in alias_db.c)
408 Lookup table starting points:
409 StartPointIn() -- link table initial search point for
411 StartPointOut() -- link table initial search point for
415 SeqDiff() -- difference between two TCP sequences
416 ShowAliasStats() -- send alias statistics to a monitor file
420 /* Local prototypes */
421 static u_int StartPointIn(struct in_addr, u_short, int);
423 static u_int StartPointOut(struct in_addr, struct in_addr,
424 u_short, u_short, int);
426 static int SeqDiff(u_long, u_long);
428 static void ShowAliasStats(void);
431 /* Firewall control */
432 static void InitPunchFW(void);
433 static void UninitPunchFW(void);
434 static void ClearFWHole(struct alias_link *link);
437 /* Log file control */
438 static void InitPacketAliasLog(void);
439 static void UninitPacketAliasLog(void);
442 StartPointIn(struct in_addr alias_addr,
448 n = alias_addr.s_addr;
449 if (link_type != LINK_PPTP)
452 return(n % LINK_TABLE_IN_SIZE);
457 StartPointOut(struct in_addr src_addr, struct in_addr dst_addr,
458 u_short src_port, u_short dst_port, int link_type)
463 n += dst_addr.s_addr;
464 if (link_type != LINK_PPTP) {
470 return(n % LINK_TABLE_OUT_SIZE);
475 SeqDiff(u_long x, u_long y)
477 /* Return the difference between two TCP sequence numbers */
480 This function is encapsulated in case there are any unusual
481 arithmetic conditions that need to be considered.
484 return (ntohl(y) - ntohl(x));
491 /* Used for debugging */
495 fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, proto=%d, frag_id=%d frag_ptr=%d",
502 fragmentPtrLinkCount);
504 fprintf(monitorFile, " / tot=%d (sock=%d)\n",
505 icmpLinkCount + udpLinkCount
509 + fragmentIdLinkCount
510 + fragmentPtrLinkCount,
521 /* Internal routines for finding, deleting and adding links
524 GetNewPort() -- find and reserve new alias port number
525 GetSocket() -- try to allocate a socket for a given port
527 Link creation and deletion:
528 CleanupAliasData() - remove all link chains from lookup table
529 IncrementalCleanup() - look for stale links in a single chain
530 DeleteLink() - remove link
532 ReLink() - change link
535 FindLinkOut() - find link for outgoing packets
536 FindLinkIn() - find link for incoming packets
539 FindNewPortGroup() - find an available group of ports
542 /* Local prototypes */
543 static int GetNewPort(struct alias_link *, int);
545 static u_short GetSocket(u_short, int *, int);
547 static void CleanupAliasData(void);
549 static void IncrementalCleanup(void);
551 static void DeleteLink(struct alias_link *);
553 static struct alias_link *
554 AddLink(struct in_addr, struct in_addr, struct in_addr,
555 u_short, u_short, int, int);
557 static struct alias_link *
558 ReLink(struct alias_link *,
559 struct in_addr, struct in_addr, struct in_addr,
560 u_short, u_short, int, int);
562 static struct alias_link *
563 FindLinkOut(struct in_addr, struct in_addr, u_short, u_short, int, int);
565 static struct alias_link *
566 FindLinkIn(struct in_addr, struct in_addr, u_short, u_short, int, int);
569 #define ALIAS_PORT_BASE 0x08000
570 #define ALIAS_PORT_MASK 0x07fff
571 #define ALIAS_PORT_MASK_EVEN 0x07ffe
572 #define GET_NEW_PORT_MAX_ATTEMPTS 20
574 #define GET_ALIAS_PORT -1
575 #define GET_ALIAS_ID GET_ALIAS_PORT
577 #define FIND_EVEN_ALIAS_BASE 1
579 /* GetNewPort() allocates port numbers. Note that if a port number
580 is already in use, that does not mean that it cannot be used by
581 another link concurrently. This is because GetNewPort() looks for
582 unused triplets: (dest addr, dest port, alias port). */
585 GetNewPort(struct alias_link *link, int alias_port_param)
593 Description of alias_port_param for GetNewPort(). When
594 this parameter is zero or positive, it precisely specifies
595 the port number. GetNewPort() will return this number
596 without check that it is in use.
598 When this parameter is GET_ALIAS_PORT, it indicates to get a randomly
599 selected port number.
602 if (alias_port_param == GET_ALIAS_PORT)
605 * The aliasing port is automatically selected
606 * by one of two methods below:
608 max_trials = GET_NEW_PORT_MAX_ATTEMPTS;
610 if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
613 * When the PKT_ALIAS_SAME_PORTS option is
614 * chosen, the first try will be the
615 * actual source port. If this is already
616 * in use, the remainder of the trials
619 port_net = link->src_port;
620 port_sys = ntohs(port_net);
624 /* First trial and all subsequent are random. */
625 port_sys = random() & ALIAS_PORT_MASK;
626 port_sys += ALIAS_PORT_BASE;
627 port_net = htons(port_sys);
630 else if (alias_port_param >= 0 && alias_port_param < 0x10000)
632 link->alias_port = (u_short) alias_port_param;
638 fprintf(stderr, "PacketAlias/GetNewPort(): ");
639 fprintf(stderr, "input parameter error\n");
645 /* Port number search */
646 for (i=0; i<max_trials; i++)
649 struct alias_link *search_result;
651 search_result = FindLinkIn(link->dst_addr, link->alias_addr,
652 link->dst_port, port_net,
655 if (search_result == NULL)
657 else if (!(link->flags & LINK_PARTIALLY_SPECIFIED)
658 && (search_result->flags & LINK_PARTIALLY_SPECIFIED))
665 if ((packetAliasMode & PKT_ALIAS_USE_SOCKETS)
666 && (link->flags & LINK_PARTIALLY_SPECIFIED)
667 && ((link->link_type == LINK_TCP) ||
668 (link->link_type == LINK_UDP)))
670 if (GetSocket(port_net, &link->sockfd, link->link_type))
672 link->alias_port = port_net;
678 link->alias_port = port_net;
683 port_sys = random() & ALIAS_PORT_MASK;
684 port_sys += ALIAS_PORT_BASE;
685 port_net = htons(port_sys);
689 fprintf(stderr, "PacketAlias/GetnewPort(): ");
690 fprintf(stderr, "could not find free port\n");
698 GetSocket(u_short port_net, int *sockfd, int link_type)
702 struct sockaddr_in sock_addr;
704 if (link_type == LINK_TCP)
705 sock = socket(AF_INET, SOCK_STREAM, 0);
706 else if (link_type == LINK_UDP)
707 sock = socket(AF_INET, SOCK_DGRAM, 0);
711 fprintf(stderr, "PacketAlias/GetSocket(): ");
712 fprintf(stderr, "incorrect link type\n");
720 fprintf(stderr, "PacketAlias/GetSocket(): ");
721 fprintf(stderr, "socket() error %d\n", *sockfd);
726 sock_addr.sin_family = AF_INET;
727 sock_addr.sin_addr.s_addr = htonl(INADDR_ANY);
728 sock_addr.sin_port = port_net;
731 (struct sockaddr *) &sock_addr,
747 /* FindNewPortGroup() returns a base port number for an available
748 range of contiguous port numbers. Note that if a port number
749 is already in use, that does not mean that it cannot be used by
750 another link concurrently. This is because FindNewPortGroup()
751 looks for unused triplets: (dest addr, dest port, alias port). */
754 FindNewPortGroup(struct in_addr dst_addr,
755 struct in_addr alias_addr,
768 * Get link_type from protocol
774 link_type = LINK_UDP;
777 link_type = LINK_TCP;
785 * The aliasing port is automatically selected
786 * by one of two methods below:
788 max_trials = GET_NEW_PORT_MAX_ATTEMPTS;
790 if (packetAliasMode & PKT_ALIAS_SAME_PORTS) {
792 * When the ALIAS_SAME_PORTS option is
793 * chosen, the first try will be the
794 * actual source port. If this is already
795 * in use, the remainder of the trials
798 port_sys = ntohs(src_port);
802 /* First trial and all subsequent are random. */
803 if (align == FIND_EVEN_ALIAS_BASE)
804 port_sys = random() & ALIAS_PORT_MASK_EVEN;
806 port_sys = random() & ALIAS_PORT_MASK;
808 port_sys += ALIAS_PORT_BASE;
811 /* Port number search */
812 for (i = 0; i < max_trials; i++) {
814 struct alias_link *search_result;
816 for (j = 0; j < port_count; j++)
817 if (NULL != (search_result = FindLinkIn(dst_addr, alias_addr,
818 dst_port, htons(port_sys + j),
822 /* Found a good range, return base */
824 return (htons(port_sys));
826 /* Find a new base to try */
827 if (align == FIND_EVEN_ALIAS_BASE)
828 port_sys = random() & ALIAS_PORT_MASK_EVEN;
830 port_sys = random() & ALIAS_PORT_MASK;
832 port_sys += ALIAS_PORT_BASE;
836 fprintf(stderr, "PacketAlias/FindNewPortGroup(): ");
837 fprintf(stderr, "could not find free port(s)\n");
844 CleanupAliasData(void)
846 struct alias_link *link;
849 for (i=0; i<LINK_TABLE_OUT_SIZE; i++)
851 link = LIST_FIRST(&linkTableOut[i]);
854 struct alias_link *link_next;
855 link_next = LIST_NEXT(link, list_out);
866 IncrementalCleanup(void)
868 struct alias_link *link;
870 link = LIST_FIRST(&linkTableOut[cleanupIndex++]);
874 struct alias_link *link_next;
876 link_next = LIST_NEXT(link, list_out);
877 idelta = timeStamp - link->timestamp;
878 switch (link->link_type)
881 if (idelta > link->expire_time)
883 struct tcp_dat *tcp_aux;
885 tcp_aux = link->data.tcp;
886 if (tcp_aux->state.in != ALIAS_TCP_STATE_CONNECTED
887 || tcp_aux->state.out != ALIAS_TCP_STATE_CONNECTED)
894 if (idelta > link->expire_time)
903 if (cleanupIndex == LINK_TABLE_OUT_SIZE)
908 DeleteLink(struct alias_link *link)
911 /* Don't do anything if the link is marked permanent */
912 if (deleteAllLinks == 0 && link->flags & LINK_PERMANENT)
916 /* Delete associated firewall hole, if any */
920 /* Free memory allocated for LSNAT server pool */
921 if (link->server != NULL) {
922 struct server *head, *curr, *next;
924 head = curr = link->server;
928 } while ((curr = next) != head);
931 /* Adjust output table pointers */
932 LIST_REMOVE(link, list_out);
934 /* Adjust input table pointers */
935 LIST_REMOVE(link, list_in);
937 /* Close socket, if one has been allocated */
938 if (link->sockfd != -1)
944 /* Link-type dependent cleanup */
945 switch(link->link_type)
955 free(link->data.tcp);
960 case LINK_FRAGMENT_ID:
961 fragmentIdLinkCount--;
963 case LINK_FRAGMENT_PTR:
964 fragmentPtrLinkCount--;
965 if (link->data.frag_ptr != NULL)
966 free(link->data.frag_ptr);
978 /* Write statistics, if logging enabled */
979 if (packetAliasMode & PKT_ALIAS_LOG)
986 static struct alias_link *
987 AddLink(struct in_addr src_addr,
988 struct in_addr dst_addr,
989 struct in_addr alias_addr,
992 int alias_port_param, /* if less than zero, alias */
993 int link_type) /* port will be automatically */
994 { /* chosen. If greater than */
995 u_int start_point; /* zero, equal to alias port */
996 struct alias_link *link;
998 link = malloc(sizeof(struct alias_link));
1001 /* Basic initialization */
1002 link->src_addr = src_addr;
1003 link->dst_addr = dst_addr;
1004 link->alias_addr = alias_addr;
1005 link->proxy_addr.s_addr = INADDR_ANY;
1006 link->src_port = src_port;
1007 link->dst_port = dst_port;
1008 link->proxy_port = 0;
1009 link->server = NULL;
1010 link->link_type = link_type;
1013 link->timestamp = timeStamp;
1015 /* Expiration time */
1019 link->expire_time = ICMP_EXPIRE_TIME;
1022 link->expire_time = UDP_EXPIRE_TIME;
1025 link->expire_time = TCP_EXPIRE_INITIAL;
1028 link->flags |= LINK_PERMANENT; /* no timeout. */
1030 case LINK_FRAGMENT_ID:
1031 link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
1033 case LINK_FRAGMENT_PTR:
1034 link->expire_time = FRAGMENT_PTR_EXPIRE_TIME;
1039 link->expire_time = PROTO_EXPIRE_TIME;
1043 /* Determine alias flags */
1044 if (dst_addr.s_addr == INADDR_ANY)
1045 link->flags |= LINK_UNKNOWN_DEST_ADDR;
1047 link->flags |= LINK_UNKNOWN_DEST_PORT;
1049 /* Determine alias port */
1050 if (GetNewPort(link, alias_port_param) != 0)
1056 /* Link-type dependent initialization */
1059 struct tcp_dat *aux_tcp;
1068 aux_tcp = malloc(sizeof(struct tcp_dat));
1069 if (aux_tcp != NULL)
1074 aux_tcp->state.in = ALIAS_TCP_STATE_NOT_CONNECTED;
1075 aux_tcp->state.out = ALIAS_TCP_STATE_NOT_CONNECTED;
1076 aux_tcp->state.index = 0;
1077 aux_tcp->state.ack_modified = 0;
1078 for (i=0; i<N_LINK_TCP_DATA; i++)
1079 aux_tcp->ack[i].active = 0;
1080 aux_tcp->fwhole = -1;
1081 link->data.tcp = aux_tcp;
1086 fprintf(stderr, "PacketAlias/AddLink: ");
1087 fprintf(stderr, " cannot allocate auxiliary TCP data\n");
1096 case LINK_FRAGMENT_ID:
1097 fragmentIdLinkCount++;
1099 case LINK_FRAGMENT_PTR:
1100 fragmentPtrLinkCount++;
1109 /* Set up pointers for output lookup table */
1110 start_point = StartPointOut(src_addr, dst_addr,
1111 src_port, dst_port, link_type);
1112 LIST_INSERT_HEAD(&linkTableOut[start_point], link, list_out);
1114 /* Set up pointers for input lookup table */
1115 start_point = StartPointIn(alias_addr, link->alias_port, link_type);
1116 LIST_INSERT_HEAD(&linkTableIn[start_point], link, list_in);
1121 fprintf(stderr, "PacketAlias/AddLink(): ");
1122 fprintf(stderr, "malloc() call failed.\n");
1126 if (packetAliasMode & PKT_ALIAS_LOG)
1134 static struct alias_link *
1135 ReLink(struct alias_link *old_link,
1136 struct in_addr src_addr,
1137 struct in_addr dst_addr,
1138 struct in_addr alias_addr,
1141 int alias_port_param, /* if less than zero, alias */
1142 int link_type) /* port will be automatically */
1143 { /* chosen. If greater than */
1144 struct alias_link *new_link; /* zero, equal to alias port */
1146 new_link = AddLink(src_addr, dst_addr, alias_addr,
1147 src_port, dst_port, alias_port_param,
1150 if (new_link != NULL &&
1151 old_link->link_type == LINK_TCP &&
1152 old_link->data.tcp->fwhole > 0) {
1153 PunchFWHole(new_link);
1156 DeleteLink(old_link);
1160 static struct alias_link *
1161 _FindLinkOut(struct in_addr src_addr,
1162 struct in_addr dst_addr,
1166 int replace_partial_links)
1169 struct alias_link *link;
1171 i = StartPointOut(src_addr, dst_addr, src_port, dst_port, link_type);
1172 LIST_FOREACH(link, &linkTableOut[i], list_out)
1174 if (link->src_addr.s_addr == src_addr.s_addr
1175 && link->server == NULL
1176 && link->dst_addr.s_addr == dst_addr.s_addr
1177 && link->dst_port == dst_port
1178 && link->src_port == src_port
1179 && link->link_type == link_type)
1181 link->timestamp = timeStamp;
1186 /* Search for partially specified links. */
1187 if (link == NULL && replace_partial_links)
1189 if (dst_port != 0 && dst_addr.s_addr != INADDR_ANY)
1191 link = _FindLinkOut(src_addr, dst_addr, src_port, 0,
1194 link = _FindLinkOut(src_addr, nullAddress, src_port,
1195 dst_port, link_type, 0);
1198 (dst_port != 0 || dst_addr.s_addr != INADDR_ANY))
1200 link = _FindLinkOut(src_addr, nullAddress, src_port, 0,
1206 src_addr, dst_addr, link->alias_addr,
1207 src_port, dst_port, link->alias_port,
1215 static struct alias_link *
1216 FindLinkOut(struct in_addr src_addr,
1217 struct in_addr dst_addr,
1221 int replace_partial_links)
1223 struct alias_link *link;
1225 link = _FindLinkOut(src_addr, dst_addr, src_port, dst_port,
1226 link_type, replace_partial_links);
1230 /* The following allows permanent links to be
1231 specified as using the default source address
1232 (i.e. device interface address) without knowing
1233 in advance what that address is. */
1234 if (aliasAddress.s_addr != 0 &&
1235 src_addr.s_addr == aliasAddress.s_addr)
1237 link = _FindLinkOut(nullAddress, dst_addr, src_port, dst_port,
1238 link_type, replace_partial_links);
1246 static struct alias_link *
1247 _FindLinkIn(struct in_addr dst_addr,
1248 struct in_addr alias_addr,
1252 int replace_partial_links)
1256 struct alias_link *link;
1257 struct alias_link *link_fully_specified;
1258 struct alias_link *link_unknown_all;
1259 struct alias_link *link_unknown_dst_addr;
1260 struct alias_link *link_unknown_dst_port;
1262 /* Initialize pointers */
1263 link_fully_specified = NULL;
1264 link_unknown_all = NULL;
1265 link_unknown_dst_addr = NULL;
1266 link_unknown_dst_port = NULL;
1268 /* If either the dest addr or port is unknown, the search
1269 loop will have to know about this. */
1272 if (dst_addr.s_addr == INADDR_ANY)
1273 flags_in |= LINK_UNKNOWN_DEST_ADDR;
1275 flags_in |= LINK_UNKNOWN_DEST_PORT;
1278 start_point = StartPointIn(alias_addr, alias_port, link_type);
1279 LIST_FOREACH(link, &linkTableIn[start_point], list_in)
1283 flags = flags_in | link->flags;
1284 if (!(flags & LINK_PARTIALLY_SPECIFIED))
1286 if (link->alias_addr.s_addr == alias_addr.s_addr
1287 && link->alias_port == alias_port
1288 && link->dst_addr.s_addr == dst_addr.s_addr
1289 && link->dst_port == dst_port
1290 && link->link_type == link_type)
1292 link_fully_specified = link;
1296 else if ((flags & LINK_UNKNOWN_DEST_ADDR)
1297 && (flags & LINK_UNKNOWN_DEST_PORT))
1299 if (link->alias_addr.s_addr == alias_addr.s_addr
1300 && link->alias_port == alias_port
1301 && link->link_type == link_type)
1303 if (link_unknown_all == NULL)
1304 link_unknown_all = link;
1307 else if (flags & LINK_UNKNOWN_DEST_ADDR)
1309 if (link->alias_addr.s_addr == alias_addr.s_addr
1310 && link->alias_port == alias_port
1311 && link->link_type == link_type
1312 && link->dst_port == dst_port)
1314 if (link_unknown_dst_addr == NULL)
1315 link_unknown_dst_addr = link;
1318 else if (flags & LINK_UNKNOWN_DEST_PORT)
1320 if (link->alias_addr.s_addr == alias_addr.s_addr
1321 && link->alias_port == alias_port
1322 && link->link_type == link_type
1323 && link->dst_addr.s_addr == dst_addr.s_addr)
1325 if (link_unknown_dst_port == NULL)
1326 link_unknown_dst_port = link;
1333 if (link_fully_specified != NULL)
1335 link_fully_specified->timestamp = timeStamp;
1336 link = link_fully_specified;
1338 else if (link_unknown_dst_port != NULL)
1339 link = link_unknown_dst_port;
1340 else if (link_unknown_dst_addr != NULL)
1341 link = link_unknown_dst_addr;
1342 else if (link_unknown_all != NULL)
1343 link = link_unknown_all;
1347 if (replace_partial_links &&
1348 (link->flags & LINK_PARTIALLY_SPECIFIED || link->server != NULL))
1350 struct in_addr src_addr;
1353 if (link->server != NULL) { /* LSNAT link */
1354 src_addr = link->server->addr;
1355 src_port = link->server->port;
1356 link->server = link->server->next;
1358 src_addr = link->src_addr;
1359 src_port = link->src_port;
1363 src_addr, dst_addr, alias_addr,
1364 src_port, dst_port, alias_port,
1371 static struct alias_link *
1372 FindLinkIn(struct in_addr dst_addr,
1373 struct in_addr alias_addr,
1377 int replace_partial_links)
1379 struct alias_link *link;
1381 link = _FindLinkIn(dst_addr, alias_addr, dst_port, alias_port,
1382 link_type, replace_partial_links);
1386 /* The following allows permanent links to be
1387 specified as using the default aliasing address
1388 (i.e. device interface address) without knowing
1389 in advance what that address is. */
1390 if (aliasAddress.s_addr != 0 &&
1391 alias_addr.s_addr == aliasAddress.s_addr)
1393 link = _FindLinkIn(dst_addr, nullAddress, dst_port, alias_port,
1394 link_type, replace_partial_links);
1404 /* External routines for finding/adding links
1406 -- "external" means outside alias_db.c, but within alias*.c --
1408 FindIcmpIn(), FindIcmpOut()
1409 FindFragmentIn1(), FindFragmentIn2()
1410 AddFragmentPtrLink(), FindFragmentPtr()
1411 FindProtoIn(), FindProtoOut()
1412 FindUdpTcpIn(), FindUdpTcpOut()
1413 AddPptp(), FindPptpOutByCallId(), FindPptpInByCallId(),
1414 FindPptpOutByPeerCallId(), FindPptpInByPeerCallId()
1415 FindOriginalAddress(), FindAliasAddress()
1417 (prototypes in alias_local.h)
1422 FindIcmpIn(struct in_addr dst_addr,
1423 struct in_addr alias_addr,
1427 struct alias_link *link;
1429 link = FindLinkIn(dst_addr, alias_addr,
1430 NO_DEST_PORT, id_alias,
1432 if (link == NULL && create && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
1434 struct in_addr target_addr;
1436 target_addr = FindOriginalAddress(alias_addr);
1437 link = AddLink(target_addr, dst_addr, alias_addr,
1438 id_alias, NO_DEST_PORT, id_alias,
1447 FindIcmpOut(struct in_addr src_addr,
1448 struct in_addr dst_addr,
1452 struct alias_link * link;
1454 link = FindLinkOut(src_addr, dst_addr,
1457 if (link == NULL && create)
1459 struct in_addr alias_addr;
1461 alias_addr = FindAliasAddress(src_addr);
1462 link = AddLink(src_addr, dst_addr, alias_addr,
1463 id, NO_DEST_PORT, GET_ALIAS_ID,
1472 FindFragmentIn1(struct in_addr dst_addr,
1473 struct in_addr alias_addr,
1476 struct alias_link *link;
1478 link = FindLinkIn(dst_addr, alias_addr,
1479 NO_DEST_PORT, ip_id,
1480 LINK_FRAGMENT_ID, 0);
1484 link = AddLink(nullAddress, dst_addr, alias_addr,
1485 NO_SRC_PORT, NO_DEST_PORT, ip_id,
1494 FindFragmentIn2(struct in_addr dst_addr, /* Doesn't add a link if one */
1495 struct in_addr alias_addr, /* is not found. */
1498 return FindLinkIn(dst_addr, alias_addr,
1499 NO_DEST_PORT, ip_id,
1500 LINK_FRAGMENT_ID, 0);
1505 AddFragmentPtrLink(struct in_addr dst_addr,
1508 return AddLink(nullAddress, dst_addr, nullAddress,
1509 NO_SRC_PORT, NO_DEST_PORT, ip_id,
1515 FindFragmentPtr(struct in_addr dst_addr,
1518 return FindLinkIn(dst_addr, nullAddress,
1519 NO_DEST_PORT, ip_id,
1520 LINK_FRAGMENT_PTR, 0);
1525 FindProtoIn(struct in_addr dst_addr,
1526 struct in_addr alias_addr,
1529 struct alias_link *link;
1531 link = FindLinkIn(dst_addr, alias_addr,
1535 if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
1537 struct in_addr target_addr;
1539 target_addr = FindOriginalAddress(alias_addr);
1540 link = AddLink(target_addr, dst_addr, alias_addr,
1541 NO_SRC_PORT, NO_DEST_PORT, 0,
1550 FindProtoOut(struct in_addr src_addr,
1551 struct in_addr dst_addr,
1554 struct alias_link *link;
1556 link = FindLinkOut(src_addr, dst_addr,
1557 NO_SRC_PORT, NO_DEST_PORT,
1562 struct in_addr alias_addr;
1564 alias_addr = FindAliasAddress(src_addr);
1565 link = AddLink(src_addr, dst_addr, alias_addr,
1566 NO_SRC_PORT, NO_DEST_PORT, 0,
1575 FindUdpTcpIn(struct in_addr dst_addr,
1576 struct in_addr alias_addr,
1583 struct alias_link *link;
1588 link_type = LINK_UDP;
1591 link_type = LINK_TCP;
1598 link = FindLinkIn(dst_addr, alias_addr,
1599 dst_port, alias_port,
1602 if (link == NULL && create && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
1604 struct in_addr target_addr;
1606 target_addr = FindOriginalAddress(alias_addr);
1607 link = AddLink(target_addr, dst_addr, alias_addr,
1608 alias_port, dst_port, alias_port,
1617 FindUdpTcpOut(struct in_addr src_addr,
1618 struct in_addr dst_addr,
1625 struct alias_link *link;
1630 link_type = LINK_UDP;
1633 link_type = LINK_TCP;
1640 link = FindLinkOut(src_addr, dst_addr, src_port, dst_port, link_type, create);
1642 if (link == NULL && create)
1644 struct in_addr alias_addr;
1646 alias_addr = FindAliasAddress(src_addr);
1647 link = AddLink(src_addr, dst_addr, alias_addr,
1648 src_port, dst_port, GET_ALIAS_PORT,
1657 AddPptp(struct in_addr src_addr,
1658 struct in_addr dst_addr,
1659 struct in_addr alias_addr,
1660 u_int16_t src_call_id)
1662 struct alias_link *link;
1664 link = AddLink(src_addr, dst_addr, alias_addr,
1665 src_call_id, 0, GET_ALIAS_PORT,
1673 FindPptpOutByCallId(struct in_addr src_addr,
1674 struct in_addr dst_addr,
1675 u_int16_t src_call_id)
1678 struct alias_link *link;
1680 i = StartPointOut(src_addr, dst_addr, 0, 0, LINK_PPTP);
1681 LIST_FOREACH(link, &linkTableOut[i], list_out)
1682 if (link->link_type == LINK_PPTP &&
1683 link->src_addr.s_addr == src_addr.s_addr &&
1684 link->dst_addr.s_addr == dst_addr.s_addr &&
1685 link->src_port == src_call_id)
1693 FindPptpOutByPeerCallId(struct in_addr src_addr,
1694 struct in_addr dst_addr,
1695 u_int16_t dst_call_id)
1698 struct alias_link *link;
1700 i = StartPointOut(src_addr, dst_addr, 0, 0, LINK_PPTP);
1701 LIST_FOREACH(link, &linkTableOut[i], list_out)
1702 if (link->link_type == LINK_PPTP &&
1703 link->src_addr.s_addr == src_addr.s_addr &&
1704 link->dst_addr.s_addr == dst_addr.s_addr &&
1705 link->dst_port == dst_call_id)
1713 FindPptpInByCallId(struct in_addr dst_addr,
1714 struct in_addr alias_addr,
1715 u_int16_t dst_call_id)
1718 struct alias_link *link;
1720 i = StartPointIn(alias_addr, 0, LINK_PPTP);
1721 LIST_FOREACH(link, &linkTableIn[i], list_in)
1722 if (link->link_type == LINK_PPTP &&
1723 link->dst_addr.s_addr == dst_addr.s_addr &&
1724 link->alias_addr.s_addr == alias_addr.s_addr &&
1725 link->dst_port == dst_call_id)
1733 FindPptpInByPeerCallId(struct in_addr dst_addr,
1734 struct in_addr alias_addr,
1735 u_int16_t alias_call_id)
1737 struct alias_link *link;
1739 link = FindLinkIn(dst_addr, alias_addr,
1740 0/* any */, alias_call_id,
1749 FindRtspOut(struct in_addr src_addr,
1750 struct in_addr dst_addr,
1756 struct alias_link *link;
1761 link_type = LINK_UDP;
1764 link_type = LINK_TCP;
1771 link = FindLinkOut(src_addr, dst_addr, src_port, 0, link_type, 1);
1775 struct in_addr alias_addr;
1777 alias_addr = FindAliasAddress(src_addr);
1778 link = AddLink(src_addr, dst_addr, alias_addr,
1779 src_port, 0, alias_port,
1788 FindOriginalAddress(struct in_addr alias_addr)
1790 struct alias_link *link;
1792 link = FindLinkIn(nullAddress, alias_addr,
1793 0, 0, LINK_ADDR, 0);
1797 if (targetAddress.s_addr == INADDR_ANY)
1799 else if (targetAddress.s_addr == INADDR_NONE)
1800 return aliasAddress;
1802 return targetAddress;
1806 if (link->server != NULL) { /* LSNAT link */
1807 struct in_addr src_addr;
1809 src_addr = link->server->addr;
1810 link->server = link->server->next;
1812 } else if (link->src_addr.s_addr == INADDR_ANY)
1813 return aliasAddress;
1815 return link->src_addr;
1821 FindAliasAddress(struct in_addr original_addr)
1823 struct alias_link *link;
1825 link = FindLinkOut(original_addr, nullAddress,
1826 0, 0, LINK_ADDR, 0);
1829 return aliasAddress;
1833 if (link->alias_addr.s_addr == INADDR_ANY)
1834 return aliasAddress;
1836 return link->alias_addr;
1841 /* External routines for getting or changing link data
1842 (external to alias_db.c, but internal to alias*.c)
1844 SetFragmentData(), GetFragmentData()
1845 SetFragmentPtr(), GetFragmentPtr()
1846 SetStateIn(), SetStateOut(), GetStateIn(), GetStateOut()
1847 GetOriginalAddress(), GetDestAddress(), GetAliasAddress()
1848 GetOriginalPort(), GetAliasPort()
1849 SetAckModified(), GetAckModified()
1850 GetDeltaAckIn(), GetDeltaSeqOut(), AddSeq()
1851 SetLastLineCrlfTermed(), GetLastLineCrlfTermed()
1857 SetFragmentAddr(struct alias_link *link, struct in_addr src_addr)
1859 link->data.frag_addr = src_addr;
1864 GetFragmentAddr(struct alias_link *link, struct in_addr *src_addr)
1866 *src_addr = link->data.frag_addr;
1871 SetFragmentPtr(struct alias_link *link, char *fptr)
1873 link->data.frag_ptr = fptr;
1878 GetFragmentPtr(struct alias_link *link, char **fptr)
1880 *fptr = link->data.frag_ptr;
1885 SetStateIn(struct alias_link *link, int state)
1887 /* TCP input state */
1889 case ALIAS_TCP_STATE_DISCONNECTED:
1890 if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED)
1891 link->expire_time = TCP_EXPIRE_DEAD;
1893 link->expire_time = TCP_EXPIRE_SINGLEDEAD;
1895 case ALIAS_TCP_STATE_CONNECTED:
1896 if (link->data.tcp->state.out == ALIAS_TCP_STATE_CONNECTED)
1897 link->expire_time = TCP_EXPIRE_CONNECTED;
1902 link->data.tcp->state.in = state;
1907 SetStateOut(struct alias_link *link, int state)
1909 /* TCP output state */
1911 case ALIAS_TCP_STATE_DISCONNECTED:
1912 if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED)
1913 link->expire_time = TCP_EXPIRE_DEAD;
1915 link->expire_time = TCP_EXPIRE_SINGLEDEAD;
1917 case ALIAS_TCP_STATE_CONNECTED:
1918 if (link->data.tcp->state.in == ALIAS_TCP_STATE_CONNECTED)
1919 link->expire_time = TCP_EXPIRE_CONNECTED;
1924 link->data.tcp->state.out = state;
1929 GetStateIn(struct alias_link *link)
1931 /* TCP input state */
1932 return link->data.tcp->state.in;
1937 GetStateOut(struct alias_link *link)
1939 /* TCP output state */
1940 return link->data.tcp->state.out;
1945 GetOriginalAddress(struct alias_link *link)
1947 if (link->src_addr.s_addr == INADDR_ANY)
1948 return aliasAddress;
1950 return(link->src_addr);
1955 GetDestAddress(struct alias_link *link)
1957 return(link->dst_addr);
1962 GetAliasAddress(struct alias_link *link)
1964 if (link->alias_addr.s_addr == INADDR_ANY)
1965 return aliasAddress;
1967 return link->alias_addr;
1972 GetDefaultAliasAddress(void)
1974 return aliasAddress;
1979 SetDefaultAliasAddress(struct in_addr alias_addr)
1981 aliasAddress = alias_addr;
1986 GetOriginalPort(struct alias_link *link)
1988 return(link->src_port);
1993 GetAliasPort(struct alias_link *link)
1995 return(link->alias_port);
2000 GetDestPort(struct alias_link *link)
2002 return(link->dst_port);
2007 SetAckModified(struct alias_link *link)
2009 /* Indicate that ACK numbers have been modified in a TCP connection */
2010 link->data.tcp->state.ack_modified = 1;
2015 GetProxyAddress(struct alias_link *link)
2017 return link->proxy_addr;
2022 SetProxyAddress(struct alias_link *link, struct in_addr addr)
2024 link->proxy_addr = addr;
2029 GetProxyPort(struct alias_link *link)
2031 return link->proxy_port;
2036 SetProxyPort(struct alias_link *link, u_short port)
2038 link->proxy_port = port;
2043 GetAckModified(struct alias_link *link)
2045 /* See if ACK numbers have been modified */
2046 return link->data.tcp->state.ack_modified;
2051 GetDeltaAckIn(struct ip *pip, struct alias_link *link)
2054 Find out how much the ACK number has been altered for an incoming
2055 TCP packet. To do this, a circular list of ACK numbers where the TCP
2056 packet size was altered is searched.
2061 int delta, ack_diff_min;
2064 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
2069 for (i=0; i<N_LINK_TCP_DATA; i++)
2071 struct ack_data_record x;
2073 x = link->data.tcp->ack[i];
2078 ack_diff = SeqDiff(x.ack_new, ack);
2081 if (ack_diff_min >= 0)
2083 if (ack_diff < ack_diff_min)
2086 ack_diff_min = ack_diff;
2092 ack_diff_min = ack_diff;
2102 GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
2105 Find out how much the sequence number has been altered for an outgoing
2106 TCP packet. To do this, a circular list of ACK numbers where the TCP
2107 packet size was altered is searched.
2112 int delta, seq_diff_min;
2115 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
2120 for (i=0; i<N_LINK_TCP_DATA; i++)
2122 struct ack_data_record x;
2124 x = link->data.tcp->ack[i];
2129 seq_diff = SeqDiff(x.ack_old, seq);
2132 if (seq_diff_min >= 0)
2134 if (seq_diff < seq_diff_min)
2137 seq_diff_min = seq_diff;
2143 seq_diff_min = seq_diff;
2153 AddSeq(struct ip *pip, struct alias_link *link, int delta)
2156 When a TCP packet has been altered in length, save this
2157 information in a circular list. If enough packets have
2158 been altered, then this list will begin to overwrite itself.
2162 struct ack_data_record x;
2163 int hlen, tlen, dlen;
2166 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
2168 hlen = (pip->ip_hl + tc->th_off) << 2;
2169 tlen = ntohs(pip->ip_len);
2172 x.ack_old = htonl(ntohl(tc->th_seq) + dlen);
2173 x.ack_new = htonl(ntohl(tc->th_seq) + dlen + delta);
2177 i = link->data.tcp->state.index;
2178 link->data.tcp->ack[i] = x;
2181 if (i == N_LINK_TCP_DATA)
2182 link->data.tcp->state.index = 0;
2184 link->data.tcp->state.index = i;
2188 SetExpire(struct alias_link *link, int expire)
2192 link->flags &= ~LINK_PERMANENT;
2195 else if (expire == -1)
2197 link->flags |= LINK_PERMANENT;
2199 else if (expire > 0)
2201 link->expire_time = expire;
2206 fprintf(stderr, "PacketAlias/SetExpire(): ");
2207 fprintf(stderr, "error in expire parameter\n");
2213 ClearCheckNewLink(void)
2219 SetLastLineCrlfTermed(struct alias_link *link, int yes)
2223 link->flags |= LINK_LAST_LINE_CRLF_TERMED;
2225 link->flags &= ~LINK_LAST_LINE_CRLF_TERMED;
2229 GetLastLineCrlfTermed(struct alias_link *link)
2232 return (link->flags & LINK_LAST_LINE_CRLF_TERMED);
2236 SetDestCallId(struct alias_link *link, u_int16_t cid)
2240 link = ReLink(link, link->src_addr, link->dst_addr, link->alias_addr,
2241 link->src_port, cid, link->alias_port, link->link_type);
2246 /* Miscellaneous Functions
2249 InitPacketAliasLog()
2250 UninitPacketAliasLog()
2254 Whenever an outgoing or incoming packet is handled, HouseKeeping()
2255 is called to find and remove timed-out aliasing links. Logic exists
2256 to sweep through the entire table and linked list structure
2259 (prototype in alias_local.h)
2270 * Save system time (seconds) in global variable timeStamp for
2271 * use by other functions. This is done so as not to unnecessarily
2272 * waste timeline by making system calls.
2274 gettimeofday(&tv, &tz);
2275 timeStamp = tv.tv_sec;
2277 /* Compute number of spokes (output table link chains) to cover */
2278 n100 = LINK_TABLE_OUT_SIZE * 100 + houseKeepingResidual;
2279 n100 *= timeStamp - lastCleanupTime;
2280 n100 /= ALIAS_CLEANUP_INTERVAL_SECS;
2284 /* Handle different cases */
2285 if (n > ALIAS_CLEANUP_MAX_SPOKES)
2287 n = ALIAS_CLEANUP_MAX_SPOKES;
2288 lastCleanupTime = timeStamp;
2289 houseKeepingResidual = 0;
2292 IncrementalCleanup();
2296 lastCleanupTime = timeStamp;
2297 houseKeepingResidual = n100 - 100*n;
2300 IncrementalCleanup();
2305 fprintf(stderr, "PacketAlias/HouseKeeping(): ");
2306 fprintf(stderr, "something unexpected in time values\n");
2308 lastCleanupTime = timeStamp;
2309 houseKeepingResidual = 0;
2314 /* Init the log file and enable logging */
2316 InitPacketAliasLog(void)
2318 if ((~packetAliasMode & PKT_ALIAS_LOG)
2319 && (monitorFile = fopen("/var/log/alias.log", "w")))
2321 packetAliasMode |= PKT_ALIAS_LOG;
2322 fprintf(monitorFile,
2323 "PacketAlias/InitPacketAliasLog: Packet alias logging enabled.\n");
2328 /* Close the log-file and disable logging. */
2330 UninitPacketAliasLog(void)
2333 fclose(monitorFile);
2336 packetAliasMode &= ~PKT_ALIAS_LOG;
2344 /* Outside world interfaces
2346 -- "outside world" means other than alias*.c routines --
2348 PacketAliasRedirectPort()
2349 PacketAliasAddServer()
2350 PacketAliasRedirectProto()
2351 PacketAliasRedirectAddr()
2352 PacketAliasRedirectDelete()
2353 PacketAliasSetAddress()
2356 PacketAliasSetMode()
2358 (prototypes in alias.h)
2361 /* Redirection from a specific public addr:port to a
2362 private addr:port */
2364 PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
2365 struct in_addr dst_addr, u_short dst_port,
2366 struct in_addr alias_addr, u_short alias_port,
2370 struct alias_link *link;
2375 link_type = LINK_UDP;
2378 link_type = LINK_TCP;
2382 fprintf(stderr, "PacketAliasRedirectPort(): ");
2383 fprintf(stderr, "only TCP and UDP protocols allowed\n");
2388 link = AddLink(src_addr, dst_addr, alias_addr,
2389 src_port, dst_port, alias_port,
2394 link->flags |= LINK_PERMANENT;
2399 fprintf(stderr, "PacketAliasRedirectPort(): "
2400 "call to AddLink() failed\n");
2407 /* Add server to the pool of servers */
2409 PacketAliasAddServer(struct alias_link *link, struct in_addr addr, u_short port)
2411 struct server *server;
2413 server = malloc(sizeof(struct server));
2415 if (server != NULL) {
2416 struct server *head;
2418 server->addr = addr;
2419 server->port = port;
2421 head = link->server;
2423 server->next = server;
2427 for (s = head; s->next != head; s = s->next);
2429 server->next = head;
2431 link->server = server;
2437 /* Redirect packets of a given IP protocol from a specific
2438 public address to a private address */
2440 PacketAliasRedirectProto(struct in_addr src_addr,
2441 struct in_addr dst_addr,
2442 struct in_addr alias_addr,
2445 struct alias_link *link;
2447 link = AddLink(src_addr, dst_addr, alias_addr,
2448 NO_SRC_PORT, NO_DEST_PORT, 0,
2453 link->flags |= LINK_PERMANENT;
2458 fprintf(stderr, "PacketAliasRedirectProto(): "
2459 "call to AddLink() failed\n");
2466 /* Static address translation */
2468 PacketAliasRedirectAddr(struct in_addr src_addr,
2469 struct in_addr alias_addr)
2471 struct alias_link *link;
2473 link = AddLink(src_addr, nullAddress, alias_addr,
2479 link->flags |= LINK_PERMANENT;
2484 fprintf(stderr, "PacketAliasRedirectAddr(): "
2485 "call to AddLink() failed\n");
2494 PacketAliasRedirectDelete(struct alias_link *link)
2496 /* This is a dangerous function to put in the API,
2497 because an invalid pointer can crash the program. */
2506 PacketAliasSetAddress(struct in_addr addr)
2508 if (packetAliasMode & PKT_ALIAS_RESET_ON_ADDR_CHANGE
2509 && aliasAddress.s_addr != addr.s_addr)
2512 aliasAddress = addr;
2517 PacketAliasSetTarget(struct in_addr target_addr)
2519 targetAddress = target_addr;
2524 PacketAliasInit(void)
2529 static int firstCall = 1;
2533 gettimeofday(&tv, &tz);
2534 timeStamp = tv.tv_sec;
2535 lastCleanupTime = tv.tv_sec;
2536 houseKeepingResidual = 0;
2538 for (i=0; i<LINK_TABLE_OUT_SIZE; i++)
2539 LIST_INIT(&linkTableOut[i]);
2540 for (i=0; i<LINK_TABLE_IN_SIZE; i++)
2541 LIST_INIT(&linkTableIn[i]);
2543 atexit(PacketAliasUninit);
2553 aliasAddress.s_addr = INADDR_ANY;
2554 targetAddress.s_addr = INADDR_ANY;
2561 fragmentIdLinkCount = 0;
2562 fragmentPtrLinkCount = 0;
2567 packetAliasMode = PKT_ALIAS_SAME_PORTS
2568 | PKT_ALIAS_USE_SOCKETS
2569 | PKT_ALIAS_RESET_ON_ADDR_CHANGE;
2573 PacketAliasUninit(void) {
2577 UninitPacketAliasLog();
2584 /* Change mode for some operations */
2587 unsigned int flags, /* Which state to bring flags to */
2588 unsigned int mask /* Mask of which flags to affect (use 0 to do a
2589 probe for flag values) */
2592 /* Enable logging? */
2593 if (flags & mask & PKT_ALIAS_LOG)
2595 InitPacketAliasLog(); /* Do the enable */
2597 /* _Disable_ logging? */
2598 if (~flags & mask & PKT_ALIAS_LOG) {
2599 UninitPacketAliasLog();
2603 /* Start punching holes in the firewall? */
2604 if (flags & mask & PKT_ALIAS_PUNCH_FW) {
2607 /* Stop punching holes in the firewall? */
2608 if (~flags & mask & PKT_ALIAS_PUNCH_FW) {
2613 /* Other flags can be set/cleared without special action */
2614 packetAliasMode = (flags & mask) | (packetAliasMode & ~mask);
2615 return packetAliasMode;
2620 PacketAliasCheckNewLink(void)
2622 return newDefaultLink;
2629 Code to support firewall punching. This shouldn't really be in this
2630 file, but making variables global is evil too.
2633 /* Firewall include files */
2635 #include <net/ipfw/ip_fw.h>
2640 * helper function, updates the pointer to cmd with the length
2641 * of the current command, and also cleans up the first word of
2642 * the new command in case it has been clobbered before.
2645 next_cmd(ipfw_insn *cmd)
2648 bzero(cmd, sizeof(*cmd));
2653 * A function to fill simple commands of size 1.
2654 * Existing flags are preserved.
2657 fill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int size,
2658 int flags, u_int16_t arg)
2660 cmd->opcode = opcode;
2661 cmd->len = ((cmd->len | flags) & (F_NOT | F_OR)) | (size & F_LEN_MASK);
2663 return next_cmd(cmd);
2667 fill_ip(ipfw_insn *cmd1, enum ipfw_opcodes opcode, u_int32_t addr)
2669 ipfw_insn_ip *cmd = (ipfw_insn_ip *)cmd1;
2671 cmd->addr.s_addr = addr;
2672 return fill_cmd(cmd1, opcode, F_INSN_SIZE(ipfw_insn_u32), 0, 0);
2676 fill_one_port(ipfw_insn *cmd1, enum ipfw_opcodes opcode, u_int16_t port)
2678 ipfw_insn_u16 *cmd = (ipfw_insn_u16 *)cmd1;
2680 cmd->ports[0] = cmd->ports[1] = port;
2681 return fill_cmd(cmd1, opcode, F_INSN_SIZE(ipfw_insn_u16), 0, 0);
2685 fill_rule(void *buf, int bufsize, int rulenum,
2686 enum ipfw_opcodes action, int proto,
2687 struct in_addr sa, u_int16_t sp, struct in_addr da, u_int16_t dp)
2689 struct ipfw_ioc_rule *rule = buf;
2690 ipfw_insn *cmd = (ipfw_insn *)rule->cmd;
2692 bzero(buf, bufsize);
2693 rule->rulenum = rulenum;
2695 cmd = fill_cmd(cmd, O_PROTO, F_INSN_SIZE(ipfw_insn), 0, proto);
2696 cmd = fill_ip(cmd, O_IP_SRC, sa.s_addr);
2697 cmd = fill_one_port(cmd, O_IP_SRCPORT, sp);
2698 cmd = fill_ip(cmd, O_IP_DST, da.s_addr);
2699 cmd = fill_one_port(cmd, O_IP_DSTPORT, dp);
2701 rule->act_ofs = (u_int32_t *)cmd - (u_int32_t *)rule->cmd;
2702 cmd = fill_cmd(cmd, action, F_INSN_SIZE(ipfw_insn), 0, 0);
2704 rule->cmd_len = (u_int32_t *)cmd - (u_int32_t *)rule->cmd;
2706 return ((void *)cmd - buf);
2709 static void ClearAllFWHoles(void);
2711 static int fireWallBaseNum; /* The first firewall entry free for our use */
2712 static int fireWallNumNums; /* How many entries can we use? */
2713 static int fireWallActiveNum; /* Which entry did we last use? */
2714 static char *fireWallField; /* bool array for entries */
2716 #define fw_setfield(field, num) \
2718 (field)[(num) - fireWallBaseNum] = 1; \
2719 } /*lint -save -e717 */ while(0) /*lint -restore */
2720 #define fw_clrfield(field, num) \
2722 (field)[(num) - fireWallBaseNum] = 0; \
2723 } /*lint -save -e717 */ while(0) /*lint -restore */
2724 #define fw_tstfield(field, num) ((field)[(num) - fireWallBaseNum])
2728 fireWallField = malloc(fireWallNumNums);
2729 if (fireWallField) {
2730 memset(fireWallField, 0, fireWallNumNums);
2731 if (fireWallFD < 0) {
2732 fireWallFD = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
2735 fireWallActiveNum = fireWallBaseNum;
2740 UninitPunchFW(void) {
2742 if (fireWallFD >= 0)
2746 free(fireWallField);
2747 fireWallField = NULL;
2748 packetAliasMode &= ~PKT_ALIAS_PUNCH_FW;
2751 /* Make a certain link go through the firewall */
2753 PunchFWHole(struct alias_link *link) {
2754 int r; /* Result code */
2755 int fwhole; /* Where to punch hole */
2757 /* Don't do anything unless we are asked to */
2758 if ( !(packetAliasMode & PKT_ALIAS_PUNCH_FW) ||
2760 link->link_type != LINK_TCP)
2765 /* Find empty slot */
2766 for (fwhole = fireWallActiveNum;
2767 fwhole < fireWallBaseNum + fireWallNumNums &&
2768 fw_tstfield(fireWallField, fwhole);
2771 if (fwhole == fireWallBaseNum + fireWallNumNums) {
2772 for (fwhole = fireWallBaseNum;
2773 fwhole < fireWallActiveNum &&
2774 fw_tstfield(fireWallField, fwhole);
2777 if (fwhole == fireWallActiveNum) {
2778 /* No rule point empty - we can't punch more holes. */
2779 fireWallActiveNum = fireWallBaseNum;
2781 fprintf(stderr, "libalias: Unable to create firewall hole!\n");
2786 /* Start next search at next position */
2787 fireWallActiveNum = fwhole+1;
2790 * generate two rules of the form
2792 * add fwhole accept tcp from OAddr OPort to DAddr DPort
2793 * add fwhole accept tcp from DAddr DPort to OAddr OPort
2795 if (GetOriginalPort(link) != 0 && GetDestPort(link) != 0) {
2796 u_int32_t rulebuf[IPFW_RULE_SIZE_MAX];
2799 i = fill_rule(rulebuf, sizeof(rulebuf), fwhole,
2800 O_ACCEPT, IPPROTO_TCP,
2801 GetOriginalAddress(link), ntohs(GetOriginalPort(link)),
2802 GetDestAddress(link), ntohs(GetDestPort(link)) );
2803 r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i);
2805 err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)");
2807 i = fill_rule(rulebuf, sizeof(rulebuf), fwhole,
2808 O_ACCEPT, IPPROTO_TCP,
2809 GetDestAddress(link), ntohs(GetDestPort(link)),
2810 GetOriginalAddress(link), ntohs(GetOriginalPort(link)) );
2811 r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i);
2813 err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
2815 /* Indicate hole applied */
2816 link->data.tcp->fwhole = fwhole;
2817 fw_setfield(fireWallField, fwhole);
2820 /* Remove a hole in a firewall associated with a particular alias
2821 link. Calling this too often is harmless. */
2823 ClearFWHole(struct alias_link *link) {
2824 if (link->link_type == LINK_TCP) {
2825 int fwhole = link->data.tcp->fwhole; /* Where is the firewall hole? */
2830 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
2831 &fwhole, sizeof fwhole))
2833 fw_clrfield(fireWallField, fwhole);
2834 link->data.tcp->fwhole = -1;
2838 /* Clear out the entire range dedicated to firewall holes. */
2840 ClearAllFWHoles(void) {
2846 for (i = fireWallBaseNum; i < fireWallBaseNum + fireWallNumNums; i++) {
2848 while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r))
2851 memset(fireWallField, 0, fireWallNumNums);
2856 PacketAliasSetFWBase(unsigned int base, unsigned int num) {
2858 fireWallBaseNum = base;
2859 fireWallNumNums = num;
projects / dragonfly.git / blob