alias.c (59047) alias.c (59356)
1/* -*- mode: c; tab-width: 8; c-basic-indent: 4; -*- */
2/*
3 Alias.c provides supervisory control for the functions of the
4 packet aliasing software. It consists of routines to monitor
5 TCP connection state, protocol-specific aliasing routines,
6 fragment handling and the following outside world functional
7 interfaces: SaveFragmentPtr, GetFragmentPtr, FragmentAliasIn,
8 PacketAliasIn and PacketAliasOut.

--- 64 unchanged lines hidden (view full) ---

73 - Eliminated PacketAliasIn2() and
74 PacketAliasOut2() as poorly conceived.
75
76 Version 2.3 Dec 1998 (dillon)
77 - Major bounds checking additions, see FreeBSD/CVS
78
79 See HISTORY file for additional revisions.
80
1/* -*- mode: c; tab-width: 8; c-basic-indent: 4; -*- */
2/*
3 Alias.c provides supervisory control for the functions of the
4 packet aliasing software. It consists of routines to monitor
5 TCP connection state, protocol-specific aliasing routines,
6 fragment handling and the following outside world functional
7 interfaces: SaveFragmentPtr, GetFragmentPtr, FragmentAliasIn,
8 PacketAliasIn and PacketAliasOut.

--- 64 unchanged lines hidden (view full) ---

73 - Eliminated PacketAliasIn2() and
74 PacketAliasOut2() as poorly conceived.
75
76 Version 2.3 Dec 1998 (dillon)
77 - Major bounds checking additions, see FreeBSD/CVS
78
79 See HISTORY file for additional revisions.
80
81 $FreeBSD: head/sys/netinet/libalias/alias.c 59047 2000-04-05 14:27:34Z ru $
81 $FreeBSD: head/sys/netinet/libalias/alias.c 59356 2000-04-18 10:18:21Z ru $
82*/
83
84#include <sys/types.h>
85
86#include <netinet/in_systm.h>
87#include <netinet/in.h>
88#include <netinet/ip.h>
89#include <netinet/ip_icmp.h>

--- 97 unchanged lines hidden (view full) ---

187without actually summing over the entire data packet, which could be
188unnecessarily time consuming.
189
190The purpose of the packet aliasing routines is to replace the source
191address of the outgoing packet and then correctly put it back for
192any incoming packets. For TCP and UDP, ports are also re-mapped.
193
194For ICMP echo/timestamp requests and replies, the following scheme
82*/
83
84#include <sys/types.h>
85
86#include <netinet/in_systm.h>
87#include <netinet/in.h>
88#include <netinet/ip.h>
89#include <netinet/ip_icmp.h>

--- 97 unchanged lines hidden (view full) ---

187without actually summing over the entire data packet, which could be
188unnecessarily time consuming.
189
190The purpose of the packet aliasing routines is to replace the source
191address of the outgoing packet and then correctly put it back for
192any incoming packets. For TCP and UDP, ports are also re-mapped.
193
194For ICMP echo/timestamp requests and replies, the following scheme
195is used: the id number is replaced by an alias for the outgoing
195is used: the ID number is replaced by an alias for the outgoing
196packet.
197
198ICMP error messages are handled by looking at the IP fragment
199in the data section of the message.
200
201For TCP and UDP protocols, a port number is chosen for an outgoing
202packet, and then incoming packets are identified by IP address and
203port numbers. For TCP packets, there is additional logic in the event
196packet.
197
198ICMP error messages are handled by looking at the IP fragment
199in the data section of the message.
200
201For TCP and UDP protocols, a port number is chosen for an outgoing
202packet, and then incoming packets are identified by IP address and
203port numbers. For TCP packets, there is additional logic in the event
204that sequence and ack numbers have been altered (as is the case for
204that sequence and ACK numbers have been altered (as in the case for
205FTP data port commands).
206
207The port numbers used by the packet aliasing module are not true
208ports in the Unix sense. No sockets are actually bound to ports.
209They are more correctly thought of as placeholders.
210
211All packets go through the aliasing mechanism, whether they come from
212the gateway machine or other machines on a local area network.

--- 443 unchanged lines hidden (view full) ---

656PptpAliasIn(struct ip *pip)
657{
658/*
659 Handle incoming PPTP packets. The
660 only thing which is done in this case is to alias
661 the dest IP address of the packet to our inside
662 machine.
663*/
205FTP data port commands).
206
207The port numbers used by the packet aliasing module are not true
208ports in the Unix sense. No sockets are actually bound to ports.
209They are more correctly thought of as placeholders.
210
211All packets go through the aliasing mechanism, whether they come from
212the gateway machine or other machines on a local area network.

--- 443 unchanged lines hidden (view full) ---

656PptpAliasIn(struct ip *pip)
657{
658/*
659 Handle incoming PPTP packets. The
660 only thing which is done in this case is to alias
661 the dest IP address of the packet to our inside
662 machine.
663*/
664 struct in_addr alias_addr;
664 struct alias_link *link;
665
665
666 if (!GetPptpAlias (&alias_addr))
667 return PKT_ALIAS_IGNORED;
666/* Return if proxy-only mode is enabled */
667 if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
668 return PKT_ALIAS_OK;
668
669
669 if (pip->ip_src.s_addr != alias_addr.s_addr) {
670 if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
671 return PKT_ALIAS_IGNORED;
670
672
671 DifferentialChecksum(&pip->ip_sum,
672 (u_short *) &alias_addr,
673 (u_short *) &pip->ip_dst,
674 2);
675 pip->ip_dst = alias_addr;
676 }
673 link = FindPptpIn(pip->ip_src, pip->ip_dst);
674 if (link != NULL)
675 {
676 struct in_addr original_address;
677
677
678 return PKT_ALIAS_OK;
678 original_address = GetOriginalAddress(link);
679
680/* Restore original IP address */
681 DifferentialChecksum(&pip->ip_sum,
682 (u_short *) &original_address,
683 (u_short *) &pip->ip_dst,
684 2);
685 pip->ip_dst = original_address;
686
687 return(PKT_ALIAS_OK);
688 }
689 return(PKT_ALIAS_IGNORED);
679}
680
681
682static int
683PptpAliasOut(struct ip *pip)
684{
685/*
686 Handle outgoing PPTP packets. The
687 only thing which is done in this case is to alias
688 the source IP address of the packet.
689*/
690}
691
692
693static int
694PptpAliasOut(struct ip *pip)
695{
696/*
697 Handle outgoing PPTP packets. The
698 only thing which is done in this case is to alias
699 the source IP address of the packet.
700*/
690 struct in_addr alias_addr;
701 struct alias_link *link;
691
702
692 if (!GetPptpAlias (&alias_addr))
693 return PKT_ALIAS_IGNORED;
703/* Return if proxy-only mode is enabled */
704 if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
705 return PKT_ALIAS_OK;
694
706
695 if (pip->ip_src.s_addr == alias_addr.s_addr) {
707 if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
708 return PKT_ALIAS_IGNORED;
696
709
697 alias_addr = FindAliasAddress(pip->ip_src);
698 DifferentialChecksum(&pip->ip_sum,
699 (u_short *) &alias_addr,
700 (u_short *) &pip->ip_src,
701 2);
702 pip->ip_src = alias_addr;
703 }
710 link = FindPptpOut(pip->ip_src, pip->ip_dst);
711 if (link != NULL)
712 {
713 struct in_addr alias_address;
704
714
705 return PKT_ALIAS_OK;
715 alias_address = GetAliasAddress(link);
716
717/* Change source address */
718 DifferentialChecksum(&pip->ip_sum,
719 (u_short *) &alias_address,
720 (u_short *) &pip->ip_src,
721 2);
722 pip->ip_src = alias_address;
723
724 return(PKT_ALIAS_OK);
725 }
726 return(PKT_ALIAS_IGNORED);
706}
707
708
709
710static int
711UdpAliasIn(struct ip *pip)
712{
713 struct udphdr *ud;

--- 183 unchanged lines hidden (view full) ---

897 accumulate -= tc->th_dport;
898 sptr = (u_short *) &alias_address;
899 accumulate += *sptr++;
900 accumulate += *sptr;
901 sptr = (u_short *) &original_address;
902 accumulate -= *sptr++;
903 accumulate -= *sptr;
904
727}
728
729
730
731static int
732UdpAliasIn(struct ip *pip)
733{
734 struct udphdr *ud;

--- 183 unchanged lines hidden (view full) ---

918 accumulate -= tc->th_dport;
919 sptr = (u_short *) &alias_address;
920 accumulate += *sptr++;
921 accumulate += *sptr;
922 sptr = (u_short *) &original_address;
923 accumulate -= *sptr++;
924 accumulate -= *sptr;
925
905/* If this is a proxy, then modify the tcp source port and
926/* If this is a proxy, then modify the TCP source port and
906 checksum accumulation */
907 if (proxy_port != 0)
908 {
909 accumulate += tc->th_sport;
910 tc->th_sport = proxy_port;
911 accumulate -= tc->th_sport;
912
913 sptr = (u_short *) &pip->ip_src;
914 accumulate += *sptr++;
915 accumulate += *sptr;
916 sptr = (u_short *) &proxy_address;
917 accumulate -= *sptr++;
918 accumulate -= *sptr;
919 }
920
927 checksum accumulation */
928 if (proxy_port != 0)
929 {
930 accumulate += tc->th_sport;
931 tc->th_sport = proxy_port;
932 accumulate -= tc->th_sport;
933
934 sptr = (u_short *) &pip->ip_src;
935 accumulate += *sptr++;
936 accumulate += *sptr;
937 sptr = (u_short *) &proxy_address;
938 accumulate -= *sptr++;
939 accumulate -= *sptr;
940 }
941
921/* See if ack number needs to be modified */
942/* See if ACK number needs to be modified */
922 if (GetAckModified(link) == 1)
923 {
924 int delta;
925
926 delta = GetDeltaAckIn(pip, link);
927 if (delta != 0)
928 {
929 sptr = (u_short *) &tc->th_ack;

--- 54 unchanged lines hidden (view full) ---

984 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
985
986 proxy_type = ProxyCheck(pip, &proxy_server_address, &proxy_server_port);
987
988 if (proxy_type == 0 && (packetAliasMode & PKT_ALIAS_PROXY_ONLY))
989 return PKT_ALIAS_OK;
990
991/* If this is a transparent proxy, save original destination,
943 if (GetAckModified(link) == 1)
944 {
945 int delta;
946
947 delta = GetDeltaAckIn(pip, link);
948 if (delta != 0)
949 {
950 sptr = (u_short *) &tc->th_ack;

--- 54 unchanged lines hidden (view full) ---

1005 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
1006
1007 proxy_type = ProxyCheck(pip, &proxy_server_address, &proxy_server_port);
1008
1009 if (proxy_type == 0 && (packetAliasMode & PKT_ALIAS_PROXY_ONLY))
1010 return PKT_ALIAS_OK;
1011
1012/* If this is a transparent proxy, save original destination,
992 then alter the destination and adust checksums */
1013 then alter the destination and adjust checksums */
993 dest_port = tc->th_dport;
994 dest_address = pip->ip_dst;
995 if (proxy_type != 0)
996 {
997 int accumulate;
998 u_short *sptr;
999
1000 accumulate = tc->th_dport;

--- 38 unchanged lines hidden (view full) ---

1039 SetProxyAddress(link, dest_address);
1040 ProxyModify(link, pip, maxpacketsize, proxy_type);
1041 }
1042
1043/* Get alias address and port */
1044 alias_port = GetAliasPort(link);
1045 alias_address = GetAliasAddress(link);
1046
1014 dest_port = tc->th_dport;
1015 dest_address = pip->ip_dst;
1016 if (proxy_type != 0)
1017 {
1018 int accumulate;
1019 u_short *sptr;
1020
1021 accumulate = tc->th_dport;

--- 38 unchanged lines hidden (view full) ---

1060 SetProxyAddress(link, dest_address);
1061 ProxyModify(link, pip, maxpacketsize, proxy_type);
1062 }
1063
1064/* Get alias address and port */
1065 alias_port = GetAliasPort(link);
1066 alias_address = GetAliasAddress(link);
1067
1047/* Monitor tcp connection state */
1068/* Monitor TCP connection state */
1048 TcpMonitorOut(pip, link);
1049
1050/* Special processing for IP encoding protocols */
1051 if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER
1052 || ntohs(tc->th_sport) == FTP_CONTROL_PORT_NUMBER)
1053 AliasHandleFtpOut(pip, link, maxpacketsize);
1054 if (ntohs(tc->th_dport) == IRC_CONTROL_PORT_NUMBER_1
1055 || ntohs(tc->th_dport) == IRC_CONTROL_PORT_NUMBER_2)

--- 53 unchanged lines hidden (view full) ---

1109
1110/* Fragment Handling
1111
1112 FragmentIn()
1113 FragmentOut()
1114
1115The packet aliasing module has a limited ability for handling IP
1116fragments. If the ICMP, TCP or UDP header is in the first fragment
1069 TcpMonitorOut(pip, link);
1070
1071/* Special processing for IP encoding protocols */
1072 if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER
1073 || ntohs(tc->th_sport) == FTP_CONTROL_PORT_NUMBER)
1074 AliasHandleFtpOut(pip, link, maxpacketsize);
1075 if (ntohs(tc->th_dport) == IRC_CONTROL_PORT_NUMBER_1
1076 || ntohs(tc->th_dport) == IRC_CONTROL_PORT_NUMBER_2)

--- 53 unchanged lines hidden (view full) ---

1130
1131/* Fragment Handling
1132
1133 FragmentIn()
1134 FragmentOut()
1135
1136The packet aliasing module has a limited ability for handling IP
1137fragments. If the ICMP, TCP or UDP header is in the first fragment
1117received, then the id number of the IP packet is saved, and other
1138received, then the ID number of the IP packet is saved, and other
1118fragments are identified according to their ID number and IP address
1119they were sent from. Pointers to unresolved fragments can also be
1120saved and recalled when a header fragment is seen.
1121*/
1122
1123/* Local prototypes */
1124static int FragmentIn(struct ip *);
1125static int FragmentOut(struct ip *);

--- 227 unchanged lines hidden (view full) ---

1353 /* Defense against mangled packets */
1354 if (ntohs(pip->ip_len) > maxpacketsize
1355 || (pip->ip_hl<<2) > maxpacketsize)
1356 return PKT_ALIAS_IGNORED;
1357
1358 addr_save = GetDefaultAliasAddress();
1359 if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
1360 {
1139fragments are identified according to their ID number and IP address
1140they were sent from. Pointers to unresolved fragments can also be
1141saved and recalled when a header fragment is seen.
1142*/
1143
1144/* Local prototypes */
1145static int FragmentIn(struct ip *);
1146static int FragmentOut(struct ip *);

--- 227 unchanged lines hidden (view full) ---

1374 /* Defense against mangled packets */
1375 if (ntohs(pip->ip_len) > maxpacketsize
1376 || (pip->ip_hl<<2) > maxpacketsize)
1377 return PKT_ALIAS_IGNORED;
1378
1379 addr_save = GetDefaultAliasAddress();
1380 if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
1381 {
1361 unsigned int addr;
1382 u_long addr;
1362 int iclass;
1363
1364 iclass = 0;
1365 addr = ntohl(pip->ip_src.s_addr);
1366 if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER)
1367 iclass = 3;
1368 else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER)
1369 iclass = 2;

--- 38 unchanged lines hidden ---
1383 int iclass;
1384
1385 iclass = 0;
1386 addr = ntohl(pip->ip_src.s_addr);
1387 if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER)
1388 iclass = 3;
1389 else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER)
1390 iclass = 2;

--- 38 unchanged lines hidden ---
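Review bot: The header comments on the new PptpAliasIn and PptpAliasOut still say the only thing done is to alias the destination/source address, but the new bodies now return PKT_ALIAS_IGNORED whenever FindPptpIn/FindPptpOut yields no link or PKT_ALIAS_DENY_PPTP is set, and PKT_ALIAS_OK without touching the packet in PKT_ALIAS_PROXY_ONLY mode; that contract belongs in the comment, e.g. `Returns PKT_ALIAS_OK if a PPTP link matches (src, dst) and the address was rewritten (or in proxy-only mode), PKT_ALIAS_IGNORED if PPTP is denied or no link exists.` Whether FindPptpIn/FindPptpOut key on the address pair alone is not visible in this section, so that wording should be confirmed against the link-table code before it is written down. As a point of style, the new bodies use `return(PKT_ALIAS_OK);` and `return(PKT_ALIAS_IGNORED);` while the surrounding code in the same functions and in TcpAliasOut uses `return PKT_ALIAS_OK;`, so the parenthesised form should be dropped for consistency. In the PacketAliasIn hunk at the end, `u_long addr` widens the ntohl() result beyond 32 bits on LP64 targets; that is harmless for these unsigned range checks, but `u_int32_t addr;` would match the type ntohl() actually returns.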