1 /* lint -save -library Flexelint comment for external headers */
4 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * $FreeBSD: src/sys/netinet/libalias/alias.h,v 1.34.6.1 2008/11/25 02:59:29 kensmith Exp $
32 * Alias.h defines the outside world interfaces for the packet aliasing
35 * This software is placed into the public domain with no restrictions on its
42 #include <netinet/in_systm.h>
43 #include <netinet/in.h>
44 #include <netinet/ip.h>
/*
 * By its name, the size of a fixed-length buffer used inside libalias.
 * NOTE(review): none of the buffers sized by this constant are declared in
 * this header, so check its users before changing the value.
 */
#define LIBALIAS_BUF_SIZE 128
/*
 * The kernel version of libalias does not support these features.
 * NO_USE_SOCKETS drops the sockfd member of struct alias_link and the
 * PKT_ALIAS_USE_SOCKETS mode flag, both of which are guarded by
 * "#ifndef NO_USE_SOCKETS" further down in this header.
 */
#define NO_USE_SOCKETS
/* Kernel malloc type under which libalias allocations are accounted. */
MALLOC_DECLARE(M_ALIAS);
59 * The external interface to libalias, the packet aliasing engine.
61 * There are two sets of functions:
63 * PacketAlias*() the old API which doesn't take an instance pointer
64 * and therefore can only have one packet engine at a time.
66 * LibAlias*() the new API which takes as first argument a pointer to
67 * the instance of the packet aliasing engine.
69 * The functions otherwise correspond to each other one for one, except
70 * for the LibAliasUnaliasOut()/PacketUnaliasOut() function which were
71 * misnamed in the old API.
75 * The instance structure
81 The fundamental data structure used in this program is
82 "struct alias_link". Whenever a TCP connection is made,
83 a UDP datagram is sent out, or an ICMP echo request is made,
84 a link record is made (if it has not already been created).
85 The link record is identified by the source address/port
86 and the destination address/port. In the case of an ICMP
87 echo request, the source port is treated as being equivalent
88 with the 16-bit ID number of the ICMP packet.
90 The link record also can store some auxiliary data. For
91 TCP connections that have had sequence and acknowledgment
92 modifications, data space is available to track these changes.
93 A state field is used to keep track in changes to the TCP
94 connection state. ID numbers of fragments can also be
95 stored in the auxiliary space. Pointers to unresolved
96 fragments can also be stored.
98 The link records support two independent chainings. Lookup
99 tables for input and output hold the initial pointers to
100 the link chains. On input, the lookup table indexes on alias
101 port and link type. On output, the lookup table indexes on
102 source address, destination address, source port, destination
106 struct ack_data_record { /* used to save changes to ACK/sequence
114 struct tcp_state { /* Information about TCP connection */
115 int in; /* State for outside -> inside */
116 int out; /* State for inside -> outside */
117 int index; /* Index to ACK data array */
118 int ack_modified; /* Indicates whether ACK and
119 * sequence numbers */
123 #define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
124 * saved for a modified TCP stream */
126 struct tcp_state state;
127 struct ack_data_record ack[N_LINK_TCP_DATA];
128 int fwhole; /* Which firewall record is used for this
132 struct server { /* LSNAT server pool (circular list) */
138 struct alias_link { /* Main data structure */
140 struct in_addr src_addr; /* Address and port information */
141 struct in_addr dst_addr;
142 struct in_addr alias_addr;
143 struct in_addr proxy_addr;
148 struct server *server;
150 int link_type; /* Type of link: TCP, UDP, ICMP,
153 /* values for link_type */
154 #define LINK_ICMP IPPROTO_ICMP
155 #define LINK_UDP IPPROTO_UDP
156 #define LINK_TCP IPPROTO_TCP
157 #define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
158 #define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
159 #define LINK_ADDR (IPPROTO_MAX + 3)
160 #define LINK_PPTP (IPPROTO_MAX + 4)
162 int flags; /* indicates special characteristics */
163 int pflags; /* protocol-specific flags */
166 #define LINK_UNKNOWN_DEST_PORT 0x01
167 #define LINK_UNKNOWN_DEST_ADDR 0x02
168 #define LINK_PERMANENT 0x04
169 #define LINK_PARTIALLY_SPECIFIED 0x03 /* logical-or of first two bits */
170 #define LINK_UNFIREWALLED 0x08
172 int timestamp; /* Time link was last accessed */
173 int expire_time; /* Expire time for link */
174 #ifndef NO_USE_SOCKETS
175 int sockfd; /* socket descriptor */
177 LIST_ENTRY (alias_link) list_out; /* Linked list of
179 LIST_ENTRY (alias_link) list_in; /* input and output
182 union { /* Auxiliary data */
184 struct in_addr frag_addr;
/* Initialization and control functions (old, single-instance API). */
/*
 * Initialize the single packet-aliasing engine. Per the mode-flag
 * documentation below, this also sets the default mode bits
 * PKT_ALIAS_SAME_PORTS, PKT_ALIAS_USE_SOCKETS and
 * PKT_ALIAS_RESET_ON_ADDR_CHANGE.
 */
void PacketAliasInit(void);
/*
 * Set the default aliasing address. When PKT_ALIAS_RESET_ON_ADDR_CHANGE is
 * set and the address actually changes, the table of dynamic links is reset.
 */
void PacketAliasSetAddress(struct in_addr _addr);
/*
 * Set the base ipfw rule number (and, by the parameter name, the number of
 * rules) used when PKT_ALIAS_PUNCH_FW opens holes in the firewall.
 */
void PacketAliasSetFWBase(unsigned int _base, unsigned int _num);
/*
 * Set the port associated with Skinny handling.
 * NOTE(review): how the port is used is not visible in this header.
 */
void PacketAliasSetSkinnyPort(unsigned int _port);
197 PacketAliasSetMode(unsigned int _flags, unsigned int _mask);
/* Tear down the single engine set up by PacketAliasInit(). */
void PacketAliasUninit(void);

/* Packet Handling functions. */
/*
 * Process an inbound IP packet at _ptr. _maxpacketsize is, by its name, the
 * size of the buffer holding the packet — presumably the bound on any rewrite
 * that grows the packet; confirm in the implementation. The return value is
 * one of the PKT_ALIAS_* function return codes defined below. When
 * PKT_ALIAS_REVERSE is set, the roles of PacketAliasIn() and
 * PacketAliasOut() are swapped.
 */
int PacketAliasIn(char *_ptr, int _maxpacketsize);
/* Outbound counterpart of PacketAliasIn(); same arguments and return codes. */
int PacketAliasOut(char *_ptr, int _maxpacketsize);
/*
 * Reverse the outbound rewrite of a packet. This is the function the old API
 * misnamed; its new-API counterpart is LibAliasUnaliasOut().
 */
int PacketUnaliasOut(char *_ptr, int _maxpacketsize);
205 /* Port and address redirection functions. */
209 PacketAliasAddServer(struct alias_link *_lnk,
210 struct in_addr _addr, unsigned short _port);
212 PacketAliasRedirectAddr(struct in_addr _src_addr,
213 struct in_addr _alias_addr);
/*
 * By its name, turn the redirection described by _lnk into a dynamic one —
 * TODO confirm against the implementation. Returns an int status.
 */
int PacketAliasRedirectDynamic(struct alias_link *_lnk);
/* Delete a redirection created by one of the PacketAliasRedirect*() calls. */
void PacketAliasRedirectDelete(struct alias_link *_lnk);
217 PacketAliasRedirectPort(struct in_addr _src_addr,
218 unsigned short _src_port, struct in_addr _dst_addr,
219 unsigned short _dst_port, struct in_addr _alias_addr,
220 unsigned short _alias_port, unsigned char _proto);
222 PacketAliasRedirectProto(struct in_addr _src_addr,
223 struct in_addr _dst_addr, struct in_addr _alias_addr,
224 unsigned char _proto);
/* Fragment Handling functions. */
/*
 * Resolve the fragment at _ptr_fragment using the header fragment at _ptr
 * (by the parameter names; see PKT_ALIAS_FOUND_HEADER_FRAGMENT below).
 */
void PacketAliasFragmentIn(char *_ptr, char *_ptr_fragment);
/*
 * Return a fragment previously stored with PacketAliasSaveFragment() that
 * belongs with the header fragment at _ptr — presumably NULL when there is
 * none; confirm in the implementation.
 */
char *PacketAliasGetFragment(char *_ptr);
/* Store an unresolved fragment at _ptr for later resolution; returns an int status. */
int PacketAliasSaveFragment(char *_ptr);

/* Miscellaneous functions. */
/*
 * By its name, report whether a new link has been created since the last
 * check — TODO confirm the exact semantics against the implementation.
 */
int PacketAliasCheckNewLink(void);
234 PacketAliasInternetChecksum(unsigned short *_ptr, int _nbytes);
/*
 * Set the target address used by the engine.
 * NOTE(review): what _target_addr is applied to is not visible in this header.
 */
void PacketAliasSetTarget(struct in_addr _target_addr);

/* Transparent proxying routines. */
/*
 * Parse and install a transparent-proxy rule from the text in _cmd. The rule
 * text is interpreted by the engine, so callers should check the int return
 * value for a failed parse rather than assume the rule was installed (the
 * exact return convention is not visible here).
 */
int PacketAliasProxyRule(const char *_cmd);
/* Initialization and control functions (new, per-instance API). */
/*
 * Create or reinitialize a packet-aliasing instance and return it; the
 * returned pointer is the first argument of every other LibAlias*() call.
 * Presumably a NULL argument allocates a fresh instance and a non-NULL one
 * is reinitialized — TODO confirm against the implementation.
 */
struct libalias *LibAliasInit(struct libalias *);
/*
 * Per-instance counterparts of PacketAliasSetAddress(), PacketAliasSetFWBase()
 * and PacketAliasSetSkinnyPort(); the arguments have the same meaning.
 */
void LibAliasSetAddress(struct libalias *, struct in_addr _addr);
void LibAliasSetFWBase(struct libalias *, unsigned int _base, unsigned int _num);
void LibAliasSetSkinnyPort(struct libalias *, unsigned int _port);
248 LibAliasSetMode(struct libalias *, unsigned int _flags, unsigned int _mask);
/* Release an instance returned by LibAliasInit(). */
void LibAliasUninit(struct libalias *);

/* Packet Handling functions. */
/*
 * Per-instance counterparts of PacketAliasIn()/PacketAliasOut(): _ptr is the
 * packet and _maxpacketsize, by its name, the size of the buffer holding it.
 * The return value is one of the PKT_ALIAS_* codes below. PKT_ALIAS_REVERSE
 * swaps the two directions.
 */
int LibAliasIn (struct libalias *, char *_ptr, int _maxpacketsize);
int LibAliasOut(struct libalias *, char *_ptr, int _maxpacketsize);
/*
 * As LibAliasOut(), with an extra _create argument that — by its name —
 * controls whether a new link may be created for the packet; TODO confirm.
 */
int LibAliasOutTry(struct libalias *, char *_ptr, int _maxpacketsize, int _create);
/* Reverse the outbound rewrite (the old API calls this PacketUnaliasOut()). */
int LibAliasUnaliasOut(struct libalias *, char *_ptr, int _maxpacketsize);
257 /* Port and address redirection functions. */
260 LibAliasAddServer(struct libalias *, struct alias_link *_lnk,
261 struct in_addr _addr, unsigned short _port);
263 LibAliasRedirectAddr(struct libalias *, struct in_addr _src_addr,
264 struct in_addr _alias_addr);
/* Per-instance counterpart of PacketAliasRedirectDynamic(). */
int LibAliasRedirectDynamic(struct libalias *, struct alias_link *_lnk);
/* Per-instance counterpart of PacketAliasRedirectDelete(). */
void LibAliasRedirectDelete(struct libalias *, struct alias_link *_lnk);
268 LibAliasRedirectPort(struct libalias *, struct in_addr _src_addr,
269 unsigned short _src_port, struct in_addr _dst_addr,
270 unsigned short _dst_port, struct in_addr _alias_addr,
271 unsigned short _alias_port, unsigned char _proto);
273 LibAliasRedirectProto(struct libalias *, struct in_addr _src_addr,
274 struct in_addr _dst_addr, struct in_addr _alias_addr,
275 unsigned char _proto);
/* Fragment Handling functions. */
/*
 * Per-instance counterpart of PacketAliasFragmentIn(): resolve the fragment
 * at _ptr_fragment against the header fragment at _ptr (by the names).
 */
void LibAliasFragmentIn(struct libalias *, char *_ptr, char *_ptr_fragment);
/*
 * Per-instance counterpart of PacketAliasGetFragment(); returns the saved
 * fragment belonging with the header at _ptr — presumably NULL when there is
 * none; confirm in the implementation.
 */
char *LibAliasGetFragment(struct libalias *, char *_ptr);
/* Per-instance counterpart of PacketAliasSaveFragment(); returns an int status. */
int LibAliasSaveFragment(struct libalias *, char *_ptr);

/* Miscellaneous functions. */
/* Per-instance counterpart of PacketAliasCheckNewLink(). */
int LibAliasCheckNewLink(struct libalias *);
285 LibAliasInternetChecksum(struct libalias *, unsigned short *_ptr, int _nbytes);
/* Per-instance counterpart of PacketAliasSetTarget(). */
void LibAliasSetTarget(struct libalias *, struct in_addr _target_addr);

/* Transparent proxying routines. */
/*
 * Per-instance counterpart of PacketAliasProxyRule(): parse and install the
 * proxy rule text in _cmd. Check the int return value for a failed parse.
 */
int LibAliasProxyRule(struct libalias *, const char *_cmd);

/* Module handling API */
/*
 * Load a protocol-handler module named by the string argument (by the
 * function's name, presumably a path). Loading code at run time is a trust
 * boundary: the caller must ensure the name does not come from an untrusted
 * source. NOTE(review): why the argument is not const is not visible here.
 */
int LibAliasLoadModule(char *);
/* Unload every module loaded through LibAliasLoadModule(). */
int LibAliasUnLoadAllModule(void);
/* Refresh the set of loaded modules; exact semantics not visible in this header. */
int LibAliasRefreshModules(void);

/* Mbuf helper function. */
/*
 * By its name, pull up the first `int` bytes of an mbuf chain into one
 * contiguous mbuf and return the result — presumably NULL on failure; confirm
 * in the implementation before relying on it.
 */
struct mbuf *m_megapullup(struct mbuf *, int);
300 * Mode flags and other constants.
/* Mode flags, set using PacketAliasSetMode() or LibAliasSetMode(). */

/*
 * If PKT_ALIAS_LOG is set, a message will be printed to /var/log/alias.log
 * every time a link is created or deleted. This is useful for debugging.
 */
#define PKT_ALIAS_LOG 0x01

/*
 * If PKT_ALIAS_DENY_INCOMING is set, then incoming connections (e.g. to ftp,
 * telnet or web servers) will be prevented by the aliasing mechanism.
 */
#define PKT_ALIAS_DENY_INCOMING 0x02

/*
 * If PKT_ALIAS_SAME_PORTS is set, the engine will try to send packets from the
 * same port they originated on. This allows e.g. rsh to work *99% of the
 * time*, but _not_ 100% (it will be slightly flaky instead of not working
 * at all). This mode bit is set by PacketAliasInit(), so it is a default
 * mode of operation.
 */
#define PKT_ALIAS_SAME_PORTS 0x04
328 * If PKT_ALIAS_USE_SOCKETS is set, then when partially specified links (e.g.
329 * destination port and/or address is zero), the packet aliasing engine will
330 * attempt to allocate a socket for the aliasing port it chooses. This will
331 * avoid interference with the host machine. Fully specified links do not
332 * require this. This bit is set after a call to PacketAliasInit(), so it is
333 * a default mode of operation.
335 #ifndef NO_USE_SOCKETS
336 #define PKT_ALIAS_USE_SOCKETS 0x08
/*
 * If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
 * unregistered (private, RFC 1918) source addresses will be aliased.
 * Private addresses are those in the following ranges:
 *
 * 10.0.0.0 -> 10.255.255.255
 * 172.16.0.0 -> 172.31.255.255
 * 192.168.0.0 -> 192.168.255.255
 */
#define PKT_ALIAS_UNREGISTERED_ONLY 0x10

/*
 * If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
 * aliasing links will be reset whenever PacketAliasSetAddress() changes the
 * default aliasing address. If the default aliasing address is left
 * unchanged by this function call, then the table of dynamic aliasing links
 * will be left intact. This bit is set after a call to PacketAliasInit().
 */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20

/*
 * If PKT_ALIAS_PUNCH_FW is set, active FTP and IRC DCC connections will
 * create a 'hole' in the firewall to allow the transfers to work. The
 * ipfw rule number that the hole is created with is controlled by
 * PacketAliasSetFWBase(). The hole will be attached to that
 * particular alias_link, so when the link goes away the hole is deleted;
 * a link's expire_time therefore also bounds how long its hole stays open.
 */
#define PKT_ALIAS_PUNCH_FW 0x100

/*
 * If PKT_ALIAS_PROXY_ONLY is set, then NAT will be disabled and only
 * transparent proxying is performed.
 */
#define PKT_ALIAS_PROXY_ONLY 0x40

/*
 * If PKT_ALIAS_REVERSE is set, the actions of PacketAliasIn() and
 * PacketAliasOut() are reversed.
 */
#define PKT_ALIAS_REVERSE 0x80
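/*
 * Function return codes, presumably those returned by the int-valued
 * PacketAlias*() / LibAlias*() packet handling functions above. Only
 * PKT_ALIAS_ERROR is negative; every other code is positive, so a caller can
 * test for failure with `rc < 0`. The values are parenthesized so the negative
 * constant expands safely inside a larger expression. The three fragment
 * codes are named after the fragment-handling functions; their precise
 * meaning is not pinned down in this header.
 */
#define PKT_ALIAS_ERROR (-1)
#define PKT_ALIAS_OK (1)
#define PKT_ALIAS_IGNORED (2)
#define PKT_ALIAS_UNRESOLVED_FRAGMENT (3)
#define PKT_ALIAS_FOUND_HEADER_FRAGMENT (4)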
390 #endif /* !_ALIAS_H_ */