369411 |
03-Mar-2021 |
hselasky |
MFC 9febbc454190: Fix for natd(8) sending wrong sequence number after TCP retransmission, terminating a TCP connection.
If a TCP packet must be retransmitted and the data length has changed in the retransmitted packet, due to the internal workings of TCP, typically when ACK packets are lost, then there is a 30% chance that the logic in GetDeltaSeqOut() will find the correct length, which is the last length received.
This can be explained as follows:
If a "227 Entering Passive Mode" packet must be retransmitted and the length changes from 51 to 50 bytes, for example, then we have three cases for the list scan in GetDeltaSeqOut(), depending on how many prior packets were received modulo N_LINK_TCP_DATA=3:
case 1:
    index 0: original packet 51
    index 1: retransmitted packet 50
    index 2: not relevant
case 2:
    index 0: not relevant
    index 1: original packet 51
    index 2: retransmitted packet 50
case 3:
    index 0: retransmitted packet 50
    index 1: not relevant
    index 2: original packet 51
This patch simply changes the searching order for TCP packets, always starting at the last received packet instead of any received packet, in GetDeltaAckIn() and GetDeltaSeqOut().
Else no functional changes.
Discussed with: rscheff@ Submitted by: Andreas Longwitz <longwitz@incore.de> PR: 230755 Sponsored by: Mellanox Technologies // NVIDIA Networking
(cherry picked from commit 9febbc4541903bb8e6b0f1c84988c98b2f7c96ef)
Git Hash: e3d9b9cc02b6e00858526d302c82bfa1dbeb87ee Git Author: hselasky@FreeBSD.org |
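The three cases above can be replayed with a small model of the per-link ring of remembered sequence-number deltas. This is an added example, not libalias code: the struct layout, the search routine and the delta values (+2 for the original reply, +3 for its shorter retransmission) are constructed for illustration, and only the constant name N_LINK_TCP_DATA is taken from the commit. The "index order" scan keeps the first record it visits on a tie in distance, so with the original and the retransmitted record at the same sequence number the ring rotation decides which delta wins; the "newest first" scan, which is the fix the commit describes, starts at the last received record and therefore wins the tie in every rotation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_LINK_TCP_DATA 3

/* One remembered rewrite: the original sequence number of a segment and the
 * byte delta that aliasing introduced at that point in the stream. */
struct ack_rec {
	uint32_t seq;
	int delta;
	int active;
};

/* Ring of the last N_LINK_TCP_DATA rewrites (hypothetical layout). */
struct tcp_delta_ring {
	struct ack_rec ack[N_LINK_TCP_DATA];
	int last;	/* index of the most recently stored record */
};

static void
ring_init(struct tcp_delta_ring *r)
{
	memset(r, 0, sizeof(*r));
	r->last = N_LINK_TCP_DATA - 1;
}

static void
ring_add(struct tcp_delta_ring *r, uint32_t seq, int delta)
{
	r->last = (r->last + 1) % N_LINK_TCP_DATA;
	r->ack[r->last].seq = seq;
	r->ack[r->last].delta = delta;
	r->ack[r->last].active = 1;
}

/* Return the delta of the active record closest below seq.  The strict "<"
 * keeps the first record visited on a tie, so for two records with the same
 * seq (original and retransmission) the visiting order decides the result. */
static int
pick(const struct tcp_delta_ring *r, uint32_t seq, int start, int step)
{
	int best = -1, delta = 0;

	for (int n = 0; n < N_LINK_TCP_DATA; n++) {
		int i = ((start + n * step) % N_LINK_TCP_DATA + N_LINK_TCP_DATA)
		    % N_LINK_TCP_DATA;
		const struct ack_rec *rec = &r->ack[i];
		int32_t diff = (int32_t)(seq - rec->seq);

		if (!rec->active || diff < 0)
			continue;
		if (best < 0 || diff < best) {
			best = diff;
			delta = rec->delta;
		}
	}
	return (delta);
}

/* Pre-fix behaviour: scan slots 0..N-1 regardless of insertion order. */
int
delta_index_order(const struct tcp_delta_ring *r, uint32_t seq)
{
	return (pick(r, seq, 0, 1));
}

/* Post-fix behaviour: start at the last received record, walk backwards. */
int
delta_newest_first(const struct tcp_delta_ring *r, uint32_t seq)
{
	return (pick(r, seq, r->last, -1));
}

/* Replay one of the commit's three cases: 'prior' older records occupy the
 * ring before the "227 Entering Passive Mode" reply (constructed delta +2)
 * and its shorter retransmission at the same seq (constructed delta +3).
 * The next segment of the stream must be shifted by the newer delta. */
static int
case_correct(int prior, int (*search)(const struct tcp_delta_ring *, uint32_t))
{
	struct tcp_delta_ring r;
	const uint32_t seq = 5000;

	ring_init(&r);
	for (int i = 0; i < prior; i++)
		ring_add(&r, 1000 + 100 * i, 0);
	ring_add(&r, seq, 2);
	ring_add(&r, seq, 3);
	return (search(&r, seq + 50) == 3);
}

/* How many of the three ring rotations 'search' gets right. */
int
count_correct(int (*search)(const struct tcp_delta_ring *, uint32_t))
{
	int ok = 0;

	for (int prior = 0; prior < N_LINK_TCP_DATA; prior++)
		ok += case_correct(prior, search);
	return (ok);
}

int
main(void)
{
	printf("index order:  %d/3 correct\n", count_correct(delta_index_order));
	printf("newest first: %d/3 correct\n", count_correct(delta_newest_first));
	return (0);
}
```

The index-order scan is right only in the rotation where the retransmitted record happens to sit in slot 0 (case 3 above), which is the one-in-three behaviour the commit describes; the newest-first scan is right in all three.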
360973 |
12-May-2020 |
emaste |
MFC r360968: libalias: fix potential memory disclosure from ftp module
admbugs: 956 Submitted by: markj Reported by: Vishnu Dev TJ working with Trend Micro Zero Day Initiative Approved by: so Security: FreeBSD-SA-20:13.libalias Security: CVE-2020-7455 Security: ZDI-CAN-10849 |
360971 |
12-May-2020 |
emaste |
MFC r360967: libalias: validate packet lengths before accessing headers
admbugs: 956 Submitted by: ae Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Reported by: Vishnu working with Trend Micro Zero Day Initiative Approved by: so Security: FreeBSD-SA-20:12.libalias Security: CVE-2020-7454 Security: ZDI-CAN-10624, ZDI-CAN-10850 |
359695 |
07-Apr-2020 |
eugen |
MFC r357092,357787: Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.
In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address.
Submitted by: Neel Chauhan <neel AT neelc DOT org> Reviewed by: melifaro, rgrimes, Lutz Donnerhacke Relnotes: yes Differential Revision: https://reviews.freebsd.org/D22877 Differential Revision: https://reviews.freebsd.org/D23448 |
336279 |
14-Jul-2018 |
markj |
MFC r336199: Remove a duplicate check.
PR: 229663 |
335473 |
21-Jun-2018 |
ae |
MFC r335133: In m_megapullup() use m_getjcl() to allocate 9k or 16k mbuf when requested.
It is better to try to allocate a big mbuf than just silently drop a big packet. A better solution could be reworking of libalias modules to be able to use m_copydata()/m_copyback() instead of requiring the single contiguous buffer.
PR: 229006 |
332276 |
08-Apr-2018 |
tuexen |
MFC r327203:
Allow the first (and second) argument of sn_calloc() to be a sum. This fixes a bug reported in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224103
PR: 224103 |
332257 |
07-Apr-2018 |
tuexen |
MFC r327214:
Whitespace changes. |
332256 |
07-Apr-2018 |
tuexen |
MFC r327209:
Clarify that there is no break missing. While there, cleanup whitespaces. |
332255 |
07-Apr-2018 |
tuexen |
Clarify that the break is not missing.
CID: 1008198 |
332254 |
07-Apr-2018 |
tuexen |
MFC r327205:
Fix an assignment. While there, do some whitespace cleanups.
CID: 1008936 |
330578 |
07-Mar-2018 |
eadler |
MFC r327206:
Fix CID 1008428. |
318518 |
19-May-2017 |
eugen |
MFC r318150:
Fix translation of transit PPtP/GRE connections for ipfw nat/natd "global" case.
PR: 218968 Approved by: ae, vsevolod (mentor) |
315456 |
17-Mar-2017 |
vangyzen |
MFC r313821 r315277 r315286
Use inet_ntoa_r() instead of inet_ntoa() throughout the kernel.
inet_ntoa() cannot be used safely in a multithreaded environment because it uses a static local buffer. Instead, use inet_ntoa_r() with a buffer on the caller's stack, except for KTR messages. KTR can correctly log the immediate integral values passed to it, as well as constant strings, but not non-constant strings, since they might change by the time ktrdump retrieves them. Therefore, use hex notation in KTR messages.
Sponsored by: Dell EMC |
302408 |
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
298995 |
03-May-2016 |
pfg |
sys/net*: minor spelling fixes.
No functional change.
|
298066 |
15-Apr-2016 |
pfg |
netinet: for pointers replace 0 with NULL.
These are mostly cosmetic, no functional change.
Found with devel/coccinelle.
Reviewed by: ae. tuexen
|
282018 |
26-Apr-2015 |
bapt |
mdoc: fix rendering issues
|
259865 |
25-Dec-2013 |
glebius |
It'll be okay to use LibAliasDetachHandlers() here, relying on the fact that all handlers come from modules' bss and are followed by NODIR handler.
|
259859 |
25-Dec-2013 |
glebius |
Cleanup alias module handler register/unregister.
- Remove locking, since all module(9) events are running under &Giant. - Use TAILQ for protocol handlers and fix a bug which led to infinite cycle. Bug found in VirtualBox [1] - Simplify code everywhere. - Fix documentation.
[1] https://www.virtualbox.org/pipermail/vbox-dev/2013-November/011936.html
PR: 183792 [1] Submitted by: Valery Ushakov <uwe NetBSD.org> [1] Sponsored by: Nginx, Inc.
|
259858 |
25-Dec-2013 |
glebius |
Kill space at eols.
|
259857 |
25-Dec-2013 |
glebius |
Remove from kernel the "dll" code.
|
259856 |
25-Dec-2013 |
glebius |
Whitespace cleanup.
|
257179 |
26-Oct-2013 |
glebius |
Provide includes that are needed in these files, and before were read in implicitly via if.h -> if_var.h pollution.
Sponsored by: Netflix Sponsored by: Nginx, Inc.
|
248416 |
17-Mar-2013 |
glebius |
In m_megapullup() instead of reserving some space at the end of packet, m_align() it, reserving space to prepend data.
Reviewed by: mav
|
248207 |
12-Mar-2013 |
glebius |
Functions m_getm2() and m_get2() have different order of arguments, and that can drive someone crazy. While m_get2() is young and not documented yet, change its order of arguments to match m_getm2().
Sorry for churn, but better now than later.
|
248158 |
11-Mar-2013 |
glebius |
Remove LIBALIAS_LOCK_ASSERT(), including a couple with an uninitialized argument, in code that isn't compiled in kernel.
PR: kern/176667 Sponsored by: Nginx, Inc.
|
246144 |
31-Jan-2013 |
glebius |
- Move AUTHORS and ACKNOWLEDGEMENTS to the end of the page. - Add myself to list of authors.
|
246130 |
30-Jan-2013 |
glebius |
Utilize m_get2() to get mbuf of appropriate size.
|
243882 |
05-Dec-2012 |
glebius |
Mechanically substitute flags from historic mbuf allocator with malloc(9) flags within sys.
Exceptions:
- sys/contrib not touched - sys/mbuf.h edited manually
|
241648 |
17-Oct-2012 |
emaste |
Avoid potential bad pointer dereference.
Previously RuleAdd would leave entry->la unset for the first entry in the proxyList.
Sponsored by: ADARA Networks MFC After: 1 week
|
240725 |
20-Sep-2012 |
kevlo |
Fix typo: s/pakcet/packet
|
237015 |
13-Jun-2012 |
joel |
mdoc: avoid nested displays. Fixes mandoc warnings.
|
236596 |
05-Jun-2012 |
eadler |
Fix style nit: don't use leading zero for dates in .Dd
Prompted by: brueffer Approved by: brueffer MFC after: 3 days
|
235644 |
19-May-2012 |
marcel |
Remove unused inclusion of curses.h
|
235286 |
11-May-2012 |
gjb |
General mdoc(7) and typo fixes.
PR: 167734 Submitted by: Nobuyuki Koganemaru (kogane!jp.freebsd.org) MFC after: 3 days
|
227309 |
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
227293 |
07-Nov-2011 |
ed |
Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
|
223773 |
04-Jul-2011 |
gjb |
- General grammar and mdoc(7) fixes. [1] [2] - While here, remove a paragraph about userspace operation that has been outdated for some time. [2]
PR: 158623 Submitted by: Ben Kudak (kaduk % mit!edu) [1] Reviewed by: glebius [2] MFC after: 1 week
|
223437 |
22-Jun-2011 |
ae |
Export AddLink() function from libalias. It can be used when custom alias address needs to be specified. Add inbound handler to the alias_ftp module. It helps handle active FTP transfer mode for the case with external clients and FTP server behind NAT. Fix passive FTP transfer case for server behind NAT using redirect with external IP address different from NAT ip address.
PR: kern/157957 Submitted by: Alexander V. Chernikov
|
223421 |
22-Jun-2011 |
ae |
Document PKT_ALIAS_SKIP_GLOBAL option.
Submitted by: Alexander V. Chernikov
|
223080 |
14-Jun-2011 |
ae |
Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances.
If an ipfw rule contains the "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, the packet is aliased according to that entry, otherwise the packet is passed unchanged.
User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode.
PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
|
223077 |
14-Jun-2011 |
ae |
Sort alias mode flags in the increasing order.
|
222809 |
07-Jun-2011 |
ae |
Fix indentation.
|
220800 |
18-Apr-2011 |
glebius |
LibAliasInit() should allocate memory with M_WAITOK flag. Modify it and its callers.
|
218909 |
21-Feb-2011 |
brucec |
Fix typos - remove duplicate "the".
PR: bin/154928 Submitted by: Eitan Adler <lists at eitanadler.com> MFC after: 3 days
|
215153 |
12-Nov-2010 |
lstewart |
Standardise all Swinburne related copyright/licence statements throughout the tree in preparation for another large code import. Swinburne University is the legal entity that owns copyright and the 2-clause BSD licence is acceptable.
|
215152 |
12-Nov-2010 |
lstewart |
The university does not require that its CRICOS number be included in source code. Remove all references from the tree.
MFC after: 3 days
|
214754 |
03-Nov-2010 |
n_hibma |
Don't spam the console with loaded modules during boot and/or during startup of ppp.
Note: This cannot be hidden behind bootverbose as this file is included from lib/libalias as well.
|
214054 |
19-Oct-2010 |
uqs |
mdoc: drop even more redundant .Pp calls
No change in rendered output, less mandoc lint warnings.
Tool provided by: Nobuyuki Koganemaru n-kogane at syd.odn.ne.jp
|
211057 |
08-Aug-2010 |
ed |
Don't use struct timezone.
The timezone structure acquired by gettimeofday() is not used at all. Just remove it.
|
210160 |
16-Jul-2010 |
imp |
machine/cpu.h isn't appropriate for this file, so remove it
|
201758 |
07-Jan-2010 |
mbr |
Remove extraneous semicolons, no functional changes.
Submitted by: Marc Balmer <marc@msys.ch> MFC after: 1 week
|
201145 |
28-Dec-2009 |
antoine |
(S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument. Fix some wrong usages. Note: this does not affect generated binaries as this argument is not used.
PR: 137213 Submitted by: Eygene Ryabinkin (initial version) MFC after: 1 month
|
199208 |
12-Nov-2009 |
attilio |
Move inet_aton() (specular to inet_ntoa(), already present in libkern) into libkern in order to make it usable by other modules than alias_proxy.
Obtained from: Sandvine Incorporated Sponsored by: Sandvine Incorporated MFC: 1 week
|
198539 |
28-Oct-2009 |
brueffer |
Close a stream file descriptor leak.
PR: 138130 Submitted by: Patroklos Argyroudis <argp@census-labs.com> MFC after: 1 week
|
190941 |
11-Apr-2009 |
piso |
What's the point of adjusting a checksum if we are going to toss the packet? Anticipate the check/return code.
|
190938 |
11-Apr-2009 |
piso |
Plug two bugs introduced with modules conversion:
-UdpAliasIn(): correctly check return code after modules ran. -alias_nbt: in case of malformed packets (or some other unrecoverable error), toss the packet.
|
190935 |
11-Apr-2009 |
piso |
Remove stale comments.
|
190841 |
08-Apr-2009 |
piso |
-don't pass down, to module's fingerprint function, unused data like a pointer to the ip header. -style -spacing
|
188605 |
14-Feb-2009 |
rrs |
This commit fixes the issue with alias_sctp.c. No longer do we require SCTP to be in the kernel for the lib to be able to handle SCTP. We do this by moving the CRC32c checksum into libkern/crc32.c and then adjusting all routines to use the common methods. Note that this will improve the performance of iSCSI since they were using the old single 256 bit table lookup versus the slicing 8 algorithm (which gives a 4x speed up in CRC32c calculation :-D)
Reviewed by: rwatson, gnn, scottl, paolo MFC after: 4 week? (assuming we MFC the alias_sctp changes)
|
188294 |
07-Feb-2009 |
piso |
Add SCTP NAT support.
Submitted by: CAIA (http://caia.swin.edu.au)
|
187304 |
15-Jan-2009 |
piso |
Silence userland warnings about missing prototypes.
Submitted by: Roman Divacky <rdivacky@freebsd.org>
|
185895 |
10-Dec-2008 |
zec |
Conditionally compile out V_ globals while instantiating the appropriate container structures, depending on VIMAGE_GLOBALS compile time option.
Make VIMAGE_GLOBALS a new compile-time option, which by default will not be defined, resulting in instantiations of global variables selected for V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be effectively compiled out. Instantiate new global container structures to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0, vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.
Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_ macros resolve either to the original globals, or to fields inside container structures, i.e. effectively
#ifdef VIMAGE_GLOBALS #define V_rt_tables rt_tables #else #define V_rt_tables vnet_net_0._rt_tables #endif
Update SYSCTL_V_*() macros to operate either on globals or on fields inside container structs.
Extend the internal kldsym() lookups with the ability to resolve selected fields inside the virtualization container structs. This applies only to the fields which are explicitly registered for kldsym() visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently this is done only in sys/net/if.c.
Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code, and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in turn result in proper code being generated depending on VIMAGE_GLOBALS.
De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c which were prematurely V_irtualized by automated V_ prepending scripts during earlier merging steps. PF virtualization will be done separately, most probably after next PF import.
Convert a few variable initializations at instantiation to initialization in init functions, most notably in ipfw. Also convert TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in initializer functions.
Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
182488 |
30-Aug-2008 |
csjp |
Improve the entropy of the source port randomization for network address translation. It turns out this is useful for applications which require source port randomization for security (i.e. dns servers).
Discussed with: secteam Requested by: mlaier MFC after: 2 weeks
|
179924 |
22-Jun-2008 |
mav |
Partially revert previous commit. DeleteLink() does not delete permanent links, so we should be aware of it and try to delete every link only once or we will loop forever.
|
179920 |
21-Jun-2008 |
mav |
Implement UDP transparent proxy support.
PR: bin/54274 Submitted by: Nicolai Petri <nicolai@petri.cc>
|
179912 |
21-Jun-2008 |
mav |
Add support for PORT/EPRT FTP commands in lowercase. Use strncasecmp() instead of huge local implementation to reduce code size. Check space presence after command/code.
PR: kern/73034
|
179480 |
01-Jun-2008 |
mav |
Increase LINK_TABLE_OUT_SIZE from 101 to 4001 like LINK_TABLE_IN_SIZE to reduce performance degradation under heavy outgoing scan/flood. Scalability is now much more important than several kilobytes of RAM.
Remove unneeded TCP-specific expiration handling. Before this, connected TCP sessions could never expire. Now connected TCP sessions will expire after 24 hours of inactivity.
Simplify HouseKeeping() to avoid several mul/div-s per packet. Taking into account increased LINK_TABLE_OUT_SIZE, precision is still much more than required.
|
179478 |
01-Jun-2008 |
mav |
Make m_megapullup() more intelligent: - to increase performance do not reallocate mbuf when possible, - to support up to 16K packets (was 2K max) use mbuf cluster of proper size. This change depends on recent ng_nat and ip_fw_nat changes.
|
179472 |
01-Jun-2008 |
mav |
Fix packet fragmentation support broken by copy/paste error in rev.1.60. ip_id should be u_short, but not u_char.
|
178730 |
02-May-2008 |
marck |
Fix build, together with a bit of style breakage.
|
177382 |
19-Mar-2008 |
piso |
Explicitate the newpacket size.
Bug pointed out by: many Pointy hat to: me :(
|
177323 |
17-Mar-2008 |
piso |
Don't abuse stack space while in kernel land, use heap instead.
|
177098 |
12-Mar-2008 |
piso |
-Don't pass down the entire pkt to ProtoAliasIn, ProtoAliasOut, FragmentIn and FragmentOut. -Axe the old PacketAlias API: it has been deprecated since 5.x.
|
176884 |
06-Mar-2008 |
piso |
MFP4: restrict the utilization of direct pointers to the content of ip packet. These modifications are functionally nop()s thus can be merged with no side effects.
|
174348 |
06-Dec-2007 |
des |
Simpler version of the previous commit.
|
173874 |
23-Nov-2007 |
jb |
Fix strict alias warnings.
|
169149 |
30-Apr-2007 |
maxim |
o Kill EOLWS while I'm here.
|
169148 |
30-Apr-2007 |
maxim |
o Fix strtoul() error conditions check.
PR: kern/108211 Submitted by: Yong Tang MFC after: 2 weeks
|
168459 |
07-Apr-2007 |
piso |
Prevent the usage of an uninitialized variable: do not accept StartMediaTx message before an OpnRcvChnAck message was received.
Reviewed by: glebius Approved by: glebius (mentor) MFC after: 3 days Found with: Coverity Prevent(tm) CID: 498
|
168458 |
07-Apr-2007 |
piso |
Silence Coverity about an unused variable.
Reviewed by: glebius Approved by: glebius (mentor) MFC after: 3 days CID: 538
|
168346 |
04-Apr-2007 |
kan |
Include string.h for non-kernel builds to get proper memcpy prototype.
|
168344 |
04-Apr-2007 |
kan |
Include string.h for non-kernel builds to get proper strcpy, strlen prototypes.
|
168342 |
04-Apr-2007 |
kan |
Do not assign result of (char *) cast to u_char * variable.
|
165243 |
15-Dec-2006 |
piso |
o made in kernel libalias mpsafe o fixed a comment o made in kernel libalias a bit less verbose (disabled automatic logging every time a new link is added or deleted)
Approved by: glebius (mentor)
|
164798 |
01-Dec-2006 |
piso |
Make libalias.conf parsing a bit smarter. This closes PR kern/106112.
While here, add mbuf's #includes i forgot in the previous commit.
Approved by: gleb
|
164797 |
01-Dec-2006 |
piso |
Remove m_megapullup from ng_nat and put it under libalias.
Approved by: gleb
|
164075 |
07-Nov-2006 |
marcus |
Fix TFTP NAT support by making sure the appropriate fingerprinting checks are done.
Reviewed by: piso
|
163224 |
11-Oct-2006 |
ru |
Merge the rest of my changes.
|
163127 |
08-Oct-2006 |
piso |
Various mdoc and grammar fixes.
Approved by: glebius Reviewed by: glebius, ru
|
162685 |
27-Sep-2006 |
piso |
Compilation.
|
162674 |
26-Sep-2006 |
piso |
Summer of Code 2005: improve libalias - part 1 of 2
With the first part of my previous Summer of Code work, we get:
-made libalias modular:
-support for 'particular' protocols (like ftp/irc/etcetc) is no more hardcoded inside libalias, but it's available through external modules loadable at runtime
-modules are available both in kernel (/boot/kernel/alias_*.ko) and user land (/lib/libalias_*)
-protocols/applications modularized are: cuseeme, ftp, irc, nbt, pptp, skinny and smedia
-added logging support for kernel side
-cleanup
After a buildworld, do a 'mergemaster -i' to install the file libalias.conf in /etc or manually copy it.
During startup (and after every HUP signal) user land applications running the new libalias will try to read a file in /etc called libalias.conf: that file contains the list of modules to load.
User land applications affected by this commit are ppp and natd: if libalias.conf is present in /etc you won't notice any difference.
The only kernel land bit affected by this commit is ng_nat: if you are using ng_nat, and it doesn't correctly handle ftp/irc/etcetc sessions anymore, remember to kldload the correspondent module (i.e. kldload alias_ftp).
General information and details about the inner working are available in the libalias man page under the section 'MODULAR ARCHITECTURE (AND ipfw(4) SUPPORT)'.
NOTA BENE: this commit affects _ONLY_ libalias, ipfw in-kernel nat support will be part of the next libalias-related commit.
Approved by: glebius Reviewed by: glebius, ru
|
160097 |
04-Jul-2006 |
maxim |
o Kill BUGS section as it is not valid since rev. 1.4 alias_pptp.c.
Spotted by: ru.unix.bsd activists MFC after: 1 week
|
152767 |
24-Nov-2005 |
ru |
Fix prototype.
|
150350 |
19-Sep-2005 |
andre |
Use monotonic 'time_uptime' instead of 'time_second' as timebase for timeouts.
|
147636 |
27-Jun-2005 |
phk |
Libalias incorrectly applies proxy rules to the global divert socket: it should only look for existing translation entries, not create new ones (no matter how it got the idea).
Approved by: re(scottl)
|
147623 |
27-Jun-2005 |
glebius |
Disable checksum processing in LibAlias, when it works as a kernel module. LibAlias is not aware of checksum offloading, so the caller should provide checksum calculation. (The only current consumer is ng_nat(4)). When TCP packet internals have been changed and it requires checksum recalculation, a cookie is set in the th_x2 field of the TCP packet, to inform the caller that it needs to recalculate the checksum. This ugly hack would be removed when LibAlias is made more kernel friendly.
Incremental checksum updates are left as is, since they don't conflict with offloading.
Approved by: re (scottl)
|
147501 |
20-Jun-2005 |
glebius |
- Don't use a legacy function in a non-legacy one. This gives us the possibility to compile libalias without legacy support. - Use correct way to mark variable as unused.
Approved by: re (dwhite)
|
145963 |
06-May-2005 |
glebius |
Add a workaround for 64-bit archs: store unsigned long return value in temporary variable, check it and then cast to in_addr_t.
|
145961 |
06-May-2005 |
glebius |
s/DEBUG/LIBALIAS_DEBUG/, since DEBUG is defined in LINT and not supported for kernel build.
|
145933 |
05-May-2005 |
glebius |
More bits for kernel version: - copy inet_aton() from libc - disable getservbyname() lookup and accept only numeric port
|
145932 |
05-May-2005 |
glebius |
Always include alias.h before alias_local.h
|
145931 |
05-May-2005 |
glebius |
When used in kernel define NO_FW_PUNCH, NO_LOGGING, NO_USE_SOCKETS.
|
145930 |
05-May-2005 |
glebius |
Fix argument order for bcopy() in last commit.
Noticed by: njl Pointy hat to: glebius
|
145929 |
05-May-2005 |
glebius |
Use bcopy() instead of memmove().
|
145928 |
05-May-2005 |
glebius |
Hide fflush(3) under ifdef DEBUG.
|
145927 |
05-May-2005 |
glebius |
Things required to build libalias as kernel module: - kernel module declarations and handler. - macros to map malloc(3) calls to malloc(9) ones. - malloc(9) declarations. - call finishoff() from module handler MOD_UNLOAD case instead of atexit(3). - use panic(9) instead of abort(3) - take time from time_second instead of gettimeofday(2) - define INADDR_NONE
|
145926 |
05-May-2005 |
glebius |
Add NO_USE_SOCKETS knob, which cuts off functionality socket binding.
|
145925 |
05-May-2005 |
glebius |
Add NO_LOGGING knob, which cuts off functionality of debug logging to a file.
|
145921 |
05-May-2005 |
glebius |
Play with includes so that libalias can be compiled both as userland library and kernel module.
|
145868 |
04-May-2005 |
glebius |
Cleanup IPFW2 ifdefs.
|
145867 |
04-May-2005 |
glebius |
Makefile is not needed here.
|
144666 |
05-Apr-2005 |
phk |
natd core dumps when -reverse switch is used because of a bug in libalias.
In /usr/src/lib/libalias/alias.c, the functions LibAliasIn and LibAliasOutTry call the legacy PacketAliasIn/PacketAliasOut instead of LibAliasIn/LibAliasOut when the PKT_ALIAS_REVERSE option is set. In this case, the context variable "la" gets lost because the legacy compatibility routines expect "la" to be global. This was obviously an oversight when rewriting the PacketAlias* functions to the LibAlias* functions.
The fix (as shown in the patch below) is to remove the legacy subroutine calls and replace with the new ones using the "la" struct as the first arg.
Submitted by: Gil Kloepfer <fgil@kloepfer.org> Confirmed by: <nicolai@catpipe.net> PR: 76839 MFC after: 3 days
|
143083 |
03-Mar-2005 |
marcus |
Fix a problem in the Skinny ALG where a specially crafted packet could cause a libalias application (e.g. natd, ppp, etc.) to crash. Note: Skinny support is not enabled in natd or ppp by default.
Approved by: secteam (nectar) MFC after: 1 day Security: This fixes a remote DoS exploit
|
140505 |
20-Jan-2005 |
ru |
Sort sections.
|
139976 |
10-Jan-2005 |
brian |
include "alias.h", not <alias.h>
MFC after: 3 days
|
136910 |
24-Oct-2004 |
ru |
For variables that are only checked with defined(), don't provide any fake value.
|
133719 |
14-Aug-2004 |
phk |
Fix outgoing ICMP on global instance.
|
133121 |
04-Aug-2004 |
marcus |
Fix Skinny and PPTP NAT'ing after the introduction of the {ip,tcp,udp}_next functions. Basically, the ip_next() function was used to get the PPTP and Skinny headers when tcp_next() should have been used instead. Symptoms of this included a segfault in natd when trying to process a PPTP or Skinny packet.
Approved by: des
|
131700 |
06-Jul-2004 |
des |
Push WARNS back up to 6, but define NO_WERROR; I want the warts out in the open where people can see them and hopefully fix them.
|
131699 |
06-Jul-2004 |
des |
Introduce inline {ip,udp,tcp}_next() functions which take a pointer to an {ip,udp,tcp} header and return a void * pointing to the payload (i.e. the first byte past the end of the header and any required padding). Use them consistently throughout libalias to a) reduce code duplication, b) improve code legibility, c) get rid of a bunch of alignment warnings.
|
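The {ip,udp,tcp}_next() helpers described in this entry compute the payload pointer from the header's own length field, which is exactly the step that the later "validate packet lengths before accessing headers" fix (FreeBSD-SA-20:12.libalias, r360967 above) had to guard: a header that claims more bytes than the buffer holds yields a pointer past the end of the packet. The following is an added example and not libalias' own code; ip_next_unchecked() mirrors the unchecked pattern, and ip_next_checked(), tcp_next_checked(), tcp_payload_len(), unchecked_overrun() and the 44-byte constructed IPv4/TCP sample are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* In the spirit of ip_next(): header pointer plus IHL, with no idea how much
 * of the packet is actually in the buffer. */
static inline const uint8_t *
ip_next_unchecked(const uint8_t *ip)
{
	return (ip + ((ip[0] & 0x0f) << 2));
}

/* Checked counterpart (added here, not libalias' own): returns the IPv4
 * payload and its length only if version, IHL and total length all fit
 * inside the len bytes actually present; NULL otherwise. */
const uint8_t *
ip_next_checked(const uint8_t *buf, size_t len, size_t *remaining)
{
	size_t hl, total;

	if (len < 20 || (buf[0] >> 4) != 4)
		return (NULL);
	hl = (size_t)(buf[0] & 0x0f) * 4;
	total = (size_t)(buf[2] << 8 | buf[3]);
	if (hl < 20 || total < hl || total > len)
		return (NULL);
	*remaining = total - hl;
	return (buf + hl);
}

/* Same check for TCP: the data offset must be at least 20 bytes and within
 * what the IP layer said is left. */
const uint8_t *
tcp_next_checked(const uint8_t *tcp, size_t len, size_t *remaining)
{
	size_t off;

	if (len < 20)
		return (NULL);
	off = (size_t)(tcp[12] >> 4) * 4;
	if (off < 20 || off > len)
		return (NULL);
	*remaining = len - off;
	return (tcp + off);
}

/* TCP payload length of an IPv4 packet, or -1 if any header is truncated
 * or claims more bytes than the buffer holds. */
long
tcp_payload_len(const uint8_t *buf, size_t len)
{
	const uint8_t *l4, *payload;
	size_t l4len, plen;

	l4 = ip_next_checked(buf, len, &l4len);
	if (l4 == NULL || buf[9] != 6)
		return (-1);
	payload = tcp_next_checked(l4, l4len, &plen);
	if (payload == NULL)
		return (-1);
	return ((long)plen);
}

/* How far past the bytes actually present ip_next_unchecked() would point
 * (positive means the payload pointer is already out of bounds). */
long
unchecked_overrun(const uint8_t *buf, size_t len)
{
	return ((long)(ip_next_unchecked(buf) - buf) - (long)len);
}

/* Constructed 44-byte IPv4/TCP packet carrying a 4-byte payload. */
size_t
build_sample_tcp(uint8_t *pkt)
{
	static const uint8_t ip[20] = { 0x45, 0, 0, 44, 0, 1, 0, 0, 64, 6,
	    0, 0, 10, 0, 0, 7, 203, 0, 113, 1 };
	static const uint8_t tcp[20] = { 0x04, 0xd2, 0, 21, 0, 0, 0, 1,
	    0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0 };
	static const uint8_t data[4] = { 'Q', 'U', 'I', 'T' };

	memcpy(pkt, ip, 20);
	memcpy(pkt + 20, tcp, 20);
	memcpy(pkt + 40, data, 4);
	return (44);
}
```

The checks are deliberately on three independent quantities: the bytes present in the buffer, the IP total length, and each header's own length field. A packet is only safe to walk when every header lies inside all three; dropping any one of the comparisons reopens the overrun for a different malformed input.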
131693 |
06-Jul-2004 |
des |
Rewrite twowords() to access its argument through a char pointer and not a short pointer. The previous implementation seems to be in a gray zone of the C standard, and GCC generates incorrect code for it at -O2 or higher on some platforms.
|
131690 |
06-Jul-2004 |
des |
Temporarily lower WARNS to 3 while I figure out the alignment issues on alpha.
|
131614 |
05-Jul-2004 |
des |
Make libalias WARNS?=6-clean. This mostly involves renaming variables named link, foo_link or link_foo to lnk, foo_lnk or lnk_foo, fixing signed / unsigned comparisons, and shoving unused function arguments under the carpet.
I was hoping WARNS?=6 might reveal more serious problems, and perhaps the source of the -O2 breakage, but found no smoking gun.
|
131613 |
05-Jul-2004 |
des |
Parenthesize return values.
|
131612 |
05-Jul-2004 |
des |
Mechanical whitespace cleanup.
|
131566 |
04-Jul-2004 |
phk |
Add LibAliasOutTry() which checks a packet for a hit in the tables, but does not create a new entry if none is found.
|
131504 |
02-Jul-2004 |
ru |
Mechanically kill hard sentence breaks.
|
131420 |
01-Jul-2004 |
ru |
Bumped document date. Fixed markup. Fixed examples to match the new API.
|
127757 |
02-Apr-2004 |
deischen |
Unbreak natd.
Reported and submitted by: Sean McNeil (sean at mcneil.com)
|
127690 |
31-Mar-2004 |
des |
Raise WARNS level to 2.
|
127689 |
31-Mar-2004 |
des |
Deal with aliasing warnings.
Reviewed by: ru Approved by: silence on the lists
|
127094 |
16-Mar-2004 |
des |
Run through indent(1) so I can read the code without getting a headache. The result isn't quite knf, but it's knfer than the original, and far more consistent.
|
124621 |
17-Jan-2004 |
phk |
Mostly mechanical rework of libalias:
Makes it possible to have multiple packet aliasing instances in a single process by moving all static and global variables into an instance structure called "struct libalias".
Redefine a new API based on s/PacketAlias/LibAlias/g
Add new "instance" argument to all functions in the new API.
Implement old API in terms of the new API.
|
120373 |
23-Sep-2003 |
marcus |
Grrr...add the Skinny alias code forgotten in the last commit.
|
120372 |
23-Sep-2003 |
marcus |
Add Cisco Skinny Station protocol support to libalias, natd, and ppp. Skinny is the protocol used by Cisco IP phones to talk to Cisco Call Managers. With this code, one can use a Cisco IP phone behind a FreeBSD NAT gateway.
Currently, having the Call Manager behind the NAT gateway is not supported. More information on enabling Skinny support in libalias, natd, and ppp can be found in those applications' manpages.
PR: 55843 Reviewed by: ru Approved by: ru MFC after: 30 days
|
119932 |
09-Sep-2003 |
ru |
Fixed -Wpointer-arith warning.
Submitted by: Stefan Farfeleder PR: bin/56653
|
119893 |
08-Sep-2003 |
ru |
mdoc(7): Use the new feature of the .In macro.
|
119071 |
18-Aug-2003 |
obrien |
style.Makefile(5)
|
119017 |
17-Aug-2003 |
gordon |
Stage 3 of dynamic root support. Make all the libraries needed to run binaries in /bin and /sbin installed in /lib. Only the versioned files reside in /lib, the .so symlink continues to live in /usr/lib so the toolchain doesn't need to be modified.
|
116315 |
13-Jun-2003 |
ru |
In the PKT_ALIAS_PROXY_ONLY mode, make sure to preserve the original source IP address, as promised in the manual page.
Spotted by: Vaclav Petricek
|
116314 |
13-Jun-2003 |
ru |
Removed a couple of .Xo/.Xc that are leftovers of the "ninth-argument limit" mdoc(7) atavism.
|
116313 |
13-Jun-2003 |
ru |
Clarify that original address and port when doing transparent proxying are _destination_ address and port.
|
116312 |
13-Jun-2003 |
ru |
Added myself to the AUTHORS section.
|
116020 |
08-Jun-2003 |
charnier |
The .Fn function
|
115650 |
01-Jun-2003 |
ru |
A new API function PacketAliasRedirectDynamic() can be used to mark a fully specified static link as dynamic; i.e. make it a one-time link.
|
115648 |
01-Jun-2003 |
ru |
Make the PacketAliasSetAddress() function call optional. If it is not called, and no static rules match an outgoing packet, the latter retains its source IP address. This is in support of the "static NAT only" mode.
|
113755 |
20-Apr-2003 |
obrien |
style.Makefile(5)
|
108533 |
01-Jan-2003 |
schweikh |
Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
|
104073 |
28-Sep-2002 |
peter |
Zap now-unused SHLIB_MINOR
|
100537 |
23-Jul-2002 |
ru |
Don't forget to recalculate the IP checksum of the original IP datagram embedded into ICMP error message.
Spotted by: tcpdump 3.7.1 (-vvv) MFC after: 3 days
|
100288 |
18-Jul-2002 |
luigi |
Move IPFW2 definition before including ip_fw.h
Make indentation of new parts consistent with the style used for this file.
|
99623 |
08-Jul-2002 |
luigi |
Fix a bug caused by dereferencing an invalid pointer when no punch_fw was used. Fix another couple of bugs which prevented rules from being installed properly.
On passing, use IPFW2 instead of NEW_IPFW to compile the new code, and slightly simplify the instruction generation code.
|
99207 |
01-Jul-2002 |
brian |
Remove trailing whitespace
|
98943 |
27-Jun-2002 |
luigi |
The new ipfw code.
This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules.
The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.
I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) have not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
|
97627 |
30-May-2002 |
wollman |
Avoid unintentional trigraph.
|
88132 |
18-Dec-2001 |
ru |
Fixed the bug in transparent TCP proxying with the "encode_ip_hdr" option -- TcpAliasOut() did not catch the IP header length change.
Submitted by: Stepachev Andrey <aka50@mail.ru>
|
86953 |
27-Nov-2001 |
ru |
When servicing an internal FTP server, punch ipfirewall(4) holes for passive mode data connections (PASV/EPSV -> 227/229). Well, the actual punching happens a bit later, when the aliasing link becomes fully specified.
Prodded by: Danny Carroll <dannycarroll@hotmail.com> MFC after: 1 week
|
85964 |
03-Nov-2001 |
brian |
cmott@scientech.com -> cm@linktel.net
Requested by: Charles Mott <cmott@scientech.com>
|
84306 |
01-Oct-2001 |
ru |
mdoc(7) police: Use the new .In macro for #include statements.
|
84195 |
30-Sep-2001 |
dillon |
Add __FBSDID's to libalias
|
83771 |
21-Sep-2001 |
ru |
Fixed the bug that prevented communication with FTP servers behind NAT in extended passive mode if the server's public IP address was different from the main NAT address. This caused a wrong aliasing link to be created that did not route the incoming packets back to the original IP address of the server.
natd -v -n pub0 -redirect_address localFTP publicFTP
Note that even if localFTP == publicFTP, one still needs to supply the -redirect_address directive. It is needed as a helper because extended passive mode's 229 reply does not contain the IP address.
MFC after: 1 week
|
82069 |
21-Aug-2001 |
ru |
Added TFTP support.
Submitted by: Joe Clarke <marcus@marcuscom.com> MFC after: 2 weeks
|
82050 |
21-Aug-2001 |
ru |
Close the "IRC DCC" security breach reported recently on Bugtraq.
Submitted by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
|
82001 |
20-Aug-2001 |
brian |
Make the copyright consistent.
Previously approved by: Charles Mott <cmott@scientech.com>
|
81962 |
20-Aug-2001 |
brian |
Handle snprintf() returning -1
MFC after: 2 weeks
|
81251 |
07-Aug-2001 |
ru |
mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only this slows down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
|
79531 |
10-Jul-2001 |
ru |
mdoc(7) police: removed HISTORY info from the .Os call.
|
78886 |
27-Jun-2001 |
ru |
Fixed the brain-o in rev. 1.10: the logic check was reversed.
Reported by: Bernd Fuerwitt <bf@fuerwitt.de>
|
77701 |
04-Jun-2001 |
brian |
Add BSD-style copyright headers
Approved by: Charles Mott <cmott@scientech.com>
|
77696 |
04-Jun-2001 |
brian |
Change to a standard BSD-style copyright
Approved by: Atsushi Murai <amurai@spec.co.jp>
|
77485 |
30-May-2001 |
ru |
Add an integer field to keep protocol-specific flags with links.
For FTP control connection, keep the CRLF end-of-line termination status in there.
Fixed the bug when the first FTP command in a session was ignored.
PR: 24048 MFC after: 1 week
|
74870 |
27-Mar-2001 |
ru |
MAN[1-9] -> MAN.
|
74778 |
25-Mar-2001 |
brian |
Make header files conform to style(9).
Reviewed by (*): bde
(*) alias_local.h only got a cursory glance.
|
74768 |
25-Mar-2001 |
brian |
Remove an extraneous declaration.
|
74651 |
22-Mar-2001 |
brian |
Remove (non-protected) variable names from function prototypes.
|
71796 |
29-Jan-2001 |
brian |
Add a few ``const''s to silence some -Wwrite-strings warnings
|
71763 |
29-Jan-2001 |
brian |
Ignore leading whitespace in the string given to PacketAliasProxyRule().
|
69025 |
22-Nov-2000 |
ru |
mdoc(7) police: use the new feature of the An macro.
|
67980 |
30-Oct-2000 |
ru |
Added boolean argument to link searching functions, indicating whether they should create a link if lookup has failed or not.
|
67966 |
30-Oct-2000 |
ru |
A significant rewrite of PPTP aliasing code.
PPTP links are no longer dropped by simple (and inappropriate in this case) "inactivity timeout" procedure, only when requested through the control connection.
It is now possible to have multiple PPTP servers running behind NAT. Just redirect the incoming TCP traffic to port 1723, everything else is done transparently.
Problems were reported and the fix was tested by: Michael Adler <Michael.Adler@compaq.com>, David Andersen <dga@lcs.mit.edu>
|
67316 |
19-Oct-2000 |
ru |
A failure to allocate memory for auxiliary TCP data is now fatal. This fixes a null pointer dereference problem that is unlikely to happen in normal circumstances.
|
66545 |
02-Oct-2000 |
ru |
A bit of indentation reformatting.
|
66157 |
21-Sep-2000 |
ru |
Fixed the calculations with the UDP header length field. The field is in network byte order and contains the size of the header.
Reviewed by: brian
|
65892 |
15-Sep-2000 |
ru |
Add -Wmissing-prototypes.
|
65332 |
01-Sep-2000 |
ru |
Match IPPROTO_ICMP with IP protocol field of the original IP datagram embedded into ICMP error message, not with protocol field of ICMP message itself (which is always IPPROTO_ICMP).
Pointed by: Erik Salander <erik@whistle.com>
|
65317 |
01-Sep-2000 |
ru |
Changed the way we handle outgoing ICMP error messages -- do not alias `ip_src' unless it comes from the host an original datagram that triggered this error message was destined for.
PR: 20712 Reviewed by: brian, Charles Mott <cmott@scientech.com>
|
65281 |
31-Aug-2000 |
ru |
Grab ADJUST_CHECKSUM() macro from alias_local.h.
|
65280 |
31-Aug-2000 |
ru |
Create aliasing links for incoming ICMP echo/timestamp requests. This makes outgoing ICMP echo/timestamp replies be de-aliased with the right source IP, not exactly the primary aliasing IP.
|
65221 |
29-Aug-2000 |
ache |
strtok -> strsep (no strtok allowed in libraries)
add unsigned char cast to ctype macro
|
64644 |
14-Aug-2000 |
ru |
Fixed PunchFW code segmentation violation bug.
Reported by: Christian Schade <chris@cube.sax.de>
|
64643 |
14-Aug-2000 |
ru |
Use queue(3) LIST_* macros for doubly-linked lists.
|
64452 |
09-Aug-2000 |
ru |
- Do not modify Peer's Call ID in outgoing Incoming-Call-Connected PPTP control messages.
- Cosmetics: replace `GRE link' with `PPTP link'.
Reviewed by: Erik Salander <erik@whistle.com>
|
64334 |
07-Aug-2000 |
ru |
Adjust TCP checksum rather than compute it afresh.
Submitted by: Erik Salander <erik@whistle.com>
|
64061 |
31-Jul-2000 |
sheldonh |
Whitespace only:
Fix an overlong line and trailing whitespace that crept in, in the previous commit.
|
63899 |
26-Jul-2000 |
archie |
Add address translation support for RTSP/RTP used by RealPlayer and Quicktime streaming media applications.
Add a BUGS section to the man page.
Submitted by: Erik Salander <erik@whistle.com>
|
62159 |
27-Jun-2000 |
ru |
Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
|
61865 |
20-Jun-2000 |
ru |
- Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.
|
61861 |
20-Jun-2000 |
ru |
Added true support for PPTP aliasing. Some nice features include:
- Multiple PPTP clients behind NAT to the same or different servers.
- Single PPTP server behind NAT -- you just need to redirect TCP port 1723 to a local machine. Multiple servers behind NAT is possible but would require a simple API change.
- No API changes!
For more information on how this works see comments at the start of the alias_pptp.c.
PacketAliasPptp() is no longer necessary and will be removed soon.
Submitted by: Erik Salander <erik@whistle.com> Reviewed by: ru Rewritten by: ru Reviewed by: Erik Salander <erik@whistle.com>
|
61735 |
16-Jun-2000 |
ru |
- Improved passive mode FTP support by aliasing 229 replies.
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
|
61677 |
14-Jun-2000 |
ru |
- Added support for passive mode FTP by aliasing 227 replies. It does mean that it is now possible to run a passive-mode FTP server behind NAT.
- SECURITY: FTP aliasing engine now ensures that:
  o the segment preceding a PORT/227 segment terminates with a \r\n;
  o the IP address in the PORT/227 matches the source IP address of the packet;
  o the port number in the PORT command or 277 reply is greater than or equal to 1024.
Submitted by: Erik Salander <erik@whistle.com> Reviewed by: ru
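The three checks listed in this commit message, written out as an added example in C. This is not libalias code and does not reproduce alias_ftp.c; the function names (segment_ends_crlf, ftp_validate, ftp_port_of), the result enum and the sample segments are all constructed here. The caller passes the segment payload, the packet's IPv4 source address in host byte order, and a flag saying whether the previous segment on the control connection ended in CRLF; the host/port field is parsed from either a "PORT h1,h2,h3,h4,p1,p2" command or the parenthesised field of a 227 reply.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the checks; everything except FTP_OK means "do not alias / do not punch a hole". */
enum ftp_check {
    FTP_OK = 0,
    FTP_ERR_SYNTAX,        /* not a PORT command / 227 reply carrying h1,h2,h3,h4,p1,p2 */
    FTP_ERR_PREV_NO_CRLF,  /* the preceding segment did not end with \r\n */
    FTP_ERR_ADDR_MISMATCH, /* address in the message differs from the packet's source */
    FTP_ERR_LOW_PORT       /* port number below 1024 */
};

/* True if a segment payload ends with the CRLF line terminator. */
int segment_ends_crlf(const char *seg, size_t len)
{
    return len >= 2 && seg[len - 2] == '\r' && seg[len - 1] == '\n';
}

/* Parse "h1,h2,h3,h4,p1,p2" into a host-order IPv4 address and a port. */
static int parse_hostport(const char *s, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    int i;

    for (i = 0; i < 6; i++) {
        char *end;
        unsigned long x;

        if (!isdigit((unsigned char)*s))
            return -1;
        x = strtoul(s, &end, 10);
        if (x > 255)                 /* each field is one octet */
            return -1;
        v[i] = (unsigned)x;
        s = end;
        if (i < 5) {
            if (*s != ',')
                return -1;
            s++;
        }
    }
    *addr = (uint32_t)v[0] << 24 | (uint32_t)v[1] << 16 | (uint32_t)v[2] << 8 | v[3];
    *port = (uint16_t)(v[4] << 8 | v[5]);
    return 0;
}

/* Locate the host/port field of a PORT command or of a 227 reply, or NULL. */
static const char *hostport_field(const char *payload)
{
    if (strncmp(payload, "PORT ", 5) == 0)
        return payload + 5;
    if (strncmp(payload, "227 ", 4) == 0) {
        const char *p = strchr(payload, '(');
        return p ? p + 1 : NULL;
    }
    return NULL;
}

/* Apply the checks to one segment. pkt_src is the IPv4 source of the packet
 * carrying it (host byte order); prev_crlf says whether the previous segment
 * on the control connection ended with \r\n. */
enum ftp_check ftp_validate(const char *payload, uint32_t pkt_src, int prev_crlf)
{
    const char *field = hostport_field(payload);
    uint32_t addr;
    uint16_t port;

    if (field == NULL || parse_hostport(field, &addr, &port) != 0)
        return FTP_ERR_SYNTAX;
    if (!prev_crlf)
        return FTP_ERR_PREV_NO_CRLF;
    if (addr != pkt_src)
        return FTP_ERR_ADDR_MISMATCH;
    if (port < 1024)
        return FTP_ERR_LOW_PORT;
    return FTP_OK;
}

/* Port carried in the message, or -1 if it does not parse (helper for callers/tests). */
int ftp_port_of(const char *payload)
{
    const char *field = hostport_field(payload);
    uint32_t addr;
    uint16_t port;
    return (field && parse_hostport(field, &addr, &port) == 0) ? port : -1;
}

int main(void)
{
    /* Constructed sample segments, not captured traffic. */
    const char *prev = "USER anonymous\r\n";
    const char *port_cmd = "PORT 10,0,0,5,4,1\r\n";   /* 10.0.0.5, port 4*256+1 = 1025 */
    int crlf = segment_ends_crlf(prev, strlen(prev));

    printf("PORT from 10.0.0.5: %d\n", ftp_validate(port_cmd, 0x0A000005u, crlf));
    printf("PORT from 10.0.0.6: %d\n", ftp_validate(port_cmd, 0x0A000006u, crlf));
    return 0;
}
```

The CRLF check is what stops a command hidden inside a longer line (or split across segments) from being treated as a real PORT/227; the address check stops a message from asking the translator to open a data path to a third host, and the port floor keeps it from pointing at privileged services.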
|
60363 |
11-May-2000 |
brian |
Revert the default behaviour for incoming connections so that they (once again) go to the target machine rather than the alias address.
PR: 18354 Submitted by: ru
|
59726 |
28-Apr-2000 |
ru |
Replace PacketAliasRedirectPptp() (which had nothing specific to PPTP) with more generic PacketAliasRedirectProto().
Major number is not bumped because it is believed that no one has started using PacketAliasRedirectPptp() yet.
|
59704 |
27-Apr-2000 |
ru |
Spell PacketAliasRedirectAddr() correctly.
|
59702 |
27-Apr-2000 |
ru |
Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
LSNAT links are first created by either PacketAliasRedirectPort() or PacketAliasRedirectAddress() and then set up by one or more calls to PacketAliasAddServer().
|
59356 |
18-Apr-2000 |
ru |
Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP
Please see manual page for details.
|
59237 |
14-Apr-2000 |
ru |
Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established connections, after SYN packets were seen from both ends. Before this, it would get applied right after the first SYN packet was seen (either from client or server). With broken TCP connection attempts, when the remote end does not respond with SYNACK nor with RST, this resulted in having a useless (i.e., no actual TCP connection associated with it) TCP link with 86400 seconds TTL, wasting system memory. With a high rate of such broken connection attempts (for example, remote end simply blocks these connection attempts with ipfw(8) without sending RST back), this could result in a denial-of-service.
PR: bin/17963
|
59202 |
13-Apr-2000 |
ru |
A complete reformatting of the manual page.
|
59181 |
12-Apr-2000 |
ru |
Make partially specified permanent links without `dst_addr' but with `dst_port' work for outgoing packets.
This case was not handled properly when I first fixed this in revision 1.17.
This change is also required for the upcoming improved PPTP support patches -- that is how I found the problem.
Before this change:
# natd -v -a aliasIP \
    -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
    [TCP] aliasIP:localPORT -> remoteIP:remotePORT
After this change:
# natd -v -a aliasIP \
    -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
    [TCP] publicIP:publicPORT -> remoteIP:remotePORT
|
59075 |
06-Apr-2000 |
ru |
- Add support for FTP EPRT (RFC 2428) command.
- Minor optimizations.
- Minor spelling fixes.
PR: 14305 Submitted by: ume Rewritten by: ru
|
59047 |
05-Apr-2000 |
ru |
- Remove unused includes.
- Minor spelling fixes.
- Make IcmpAliasOut2() really work.
Before this change:
# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
In [UDP] [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
    [UDP] X.X.X.X:49562 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
    [ICMP] A.A.A.A -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49562 > P.P.P.P.50000: udp 3
A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable
After this change:
# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
In [UDP] [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
    [UDP] X.X.X.X:49563 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
    [ICMP] P.P.P.P -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49563 > P.P.P.P.50000: udp 3
P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
|
59046 |
05-Apr-2000 |
ru |
- Moved NULL definition into private include file.
- Minor spelling fixes.
|
59031 |
05-Apr-2000 |
ru |
Minor spelling fixes.
|
58943 |
02-Apr-2000 |
brian |
Correct Charles Mott's email address
Requested by: Charles Mott <cmott@scientech.com>
|
58877 |
31-Mar-2000 |
brian |
Allow PacketAliasSetTarget() to be passed the following:
INADDR_NONE: Incoming packets go to the alias address (the default)
INADDR_ANY: Incoming packets are not NAT'd (direct access to the internal network from outside)
anything else: Incoming packets go to the specified address
Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY while I'm there.
|
58866 |
31-Mar-2000 |
brian |
When an incoming packet is received that is not specifically redirected and when no target address has been specified, NAT the destination address to the alias address rather than allowing people direct access to your internal network from outside.
|
58279 |
19-Mar-2000 |
brian |
Make _FindLinkIn() static and only define GetDestPort when NO_FW_PUNCH isn't defined.
|
57686 |
02-Mar-2000 |
sheldonh |
Remove single-space hard sentence breaks. These degrade the quality of the typeset output, tend to make diffs harder to read and provide bad examples for newcomers to mdoc.
|
57544 |
28-Feb-2000 |
alfred |
-it do, among other things, clear out any +it does, amongst other things, clear out any
The old sentence didn't seem to make sense.
|
56968 |
02-Feb-2000 |
archie |
The flags PKT_ALIAS_PUNCH_FW and PKT_ALIAS_PROXY_ONLY were both being defined as 0x40. Change the former to be 0x100.
Submitted by: Erik Salander <erik@whistle.com> Approved by: jkh
|
56967 |
02-Feb-2000 |
brian |
Mention what PKT_ALIAS_PROXY_ONLY does.
Prompted by: archie
|
55955 |
14-Jan-2000 |
rgrimes |
Replace beforeinstall target with new variables used by .mk system.
Reviewed by: marcel, and make world
|
54415 |
10-Dec-1999 |
archie |
Fix a '&&' that should have been a '&'.
Submitted by: Erik Salander <erik@whistle.com>
|
54376 |
09-Dec-1999 |
archie |
Fix several typos.
Submitted by: Erik Salander <erik@whistle.com>
|
53038 |
09-Nov-1999 |
phantom |
Restore sub-chapters order.
PR: docs/14766 Submitted by: Kazutoshi Kubota <kazu@iworks.co.jp>
|
51727 |
27-Sep-1999 |
ru |
Properly handle the case when either the aliasing or source address of the link are equal to the default aliasing address. Do not zero them!
This will fix the problem with non-working links added with the source and/or aliasing address equal to the default aliasing address, but the default aliasing address is set later, after the link has been set up, like both natd(8) and ppp(8) do (for objective reasons).
Reviewed by: Brian Somers <brian@FreeBSD.org>, Eivind Eklund <eivind@FreeBSD.org>, Charles Mott <cmott@srv.net>
|
51550 |
22-Sep-1999 |
ru |
ReLink() partial links in FindLinkOut() in the same manner as we do it in FindLinkIn(). This will make TcpMonitorIn()/TcpMonitorOut() happy.
Reviewed by: eivind
|
51506 |
21-Sep-1999 |
ru |
Restore previous version of FindLinkIn().
Instead, natd(8) should be fixed to call PacketAliasSetAddress() as part of initialization, as required by libalias(3).
|
51494 |
21-Sep-1999 |
ru |
- Make partially specified permanent links (without `dst_addr' and/or `dst_port') work for outgoing packets.
- Make permanent links whose `alias_addr' matches the primary aliasing address `aliasAddress' work for incoming packets.
- Typo fixes.
Reviewed by: brian, eivind
|
51491 |
21-Sep-1999 |
brian |
sys/errno.h -> errno.h
|
51125 |
10-Sep-1999 |
ru |
- Optimization to the previous (rev 1.15) commit.
Requested by: eivind Discussed with: eivind Reviewed by: brian, eivind
|
51107 |
09-Sep-1999 |
ru |
Handle TCP reset sequence properly.
In the words of originator: :If an incoming connection is initiated through natd and deny_incoming is :not set, then a new alias_link structure is created to handle the link. :If there is nothing listening for the incoming connection, then the kernel :responds with a RST for the connection. However, this is not processed :correctly in libalias/alias.c:TcpMonitor{In,Out} and :libalias/alias_db.c:SetState{In,Out} as it thinks a connection :has been established and therefore applies a timeout of 86400 seconds :to the link. : :If many of these half-connections are initiated (during, for example, a :port scan of the host), then many thousands of unnecessary links are :created and the resident size of natd balloons to 20MB or more.
PR: 13639 Reviewed by: brian
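The state rule behind this fix and behind the later TCP_EXPIRE_CONNECTED change (revision 59237 above), as an added example in C. This is not the TcpMonitorIn/TcpMonitorOut or SetStateIn/SetStateOut code from libalias; the struct, the link_monitor() and replay() functions and the TH_* flag values are written here for illustration. The 86400-second connected timeout is the value the commit messages name; TCP_EXPIRE_INITIAL and TCP_EXPIRE_DEAD are assumed values for the half-open and torn-down cases. A link only earns the long timeout once a SYN has been seen in both directions, and a RST or a FIN from both sides drops it back to a short one, so a port scan or a connection the kernel refuses never pins a day-long link in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (standard netinet/tcp.h values). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Idle timeouts in seconds. 86400 is from the commit messages; the other two are assumed. */
#define TCP_EXPIRE_INITIAL    300
#define TCP_EXPIRE_CONNECTED  86400
#define TCP_EXPIRE_DEAD       10

enum dir { DIR_IN, DIR_OUT };

/* Per-link TCP state: which side has sent SYN/FIN, and whether a RST was seen. */
struct tcp_link {
    int syn_in, syn_out;
    int fin_in, fin_out;
    int rst;
    unsigned expire;   /* seconds the link may sit idle before it is dropped */
};

void link_init(struct tcp_link *l)
{
    memset(l, 0, sizeof(*l));
    l->expire = TCP_EXPIRE_INITIAL;
}

/* Update the link from the flags of one segment travelling in direction d. */
void link_monitor(struct tcp_link *l, enum dir d, uint8_t flags)
{
    if (flags & TH_SYN) {
        if (d == DIR_IN) l->syn_in = 1; else l->syn_out = 1;
    }
    if (flags & TH_FIN) {
        if (d == DIR_IN) l->fin_in = 1; else l->fin_out = 1;
    }
    if (flags & TH_RST)
        l->rst = 1;

    if (l->rst || (l->fin_in && l->fin_out))
        l->expire = TCP_EXPIRE_DEAD;        /* torn down: expire quickly */
    else if (l->syn_in && l->syn_out)
        l->expire = TCP_EXPIRE_CONNECTED;   /* SYN seen both ways: established */
    else
        l->expire = TCP_EXPIRE_INITIAL;     /* half-open or ACK-only: stay short */
}

/* Replay a space-separated list of segments such as "oS iSA oA": the first
 * letter is the direction (i = incoming, o = outgoing), the rest are the
 * flag letters S, A, F, R. Returns the link's resulting idle timeout. */
unsigned replay(const char *events)
{
    struct tcp_link l;
    const char *p = events;

    link_init(&l);
    while (*p) {
        enum dir d;
        uint8_t flags = 0;

        while (*p == ' ')
            p++;
        if (!*p)
            break;
        d = (*p == 'i') ? DIR_IN : DIR_OUT;
        for (p++; *p && *p != ' '; p++) {
            switch (*p) {
            case 'S': flags |= TH_SYN; break;
            case 'A': flags |= TH_ACK; break;
            case 'F': flags |= TH_FIN; break;
            case 'R': flags |= TH_RST; break;
            default: break;
            }
        }
        link_monitor(&l, d, flags);
    }
    return l.expire;
}

int main(void)
{
    /* Constructed sequences, not captured traffic. */
    printf("handshake          -> %u s\n", replay("oS iSA oA"));
    printf("half-open (scan)   -> %u s\n", replay("iS"));
    printf("SYN answered by RST-> %u s\n", replay("iS oR"));
    printf("both FINs          -> %u s\n", replay("oS iSA oA oFA iA iFA oA"));
    return 0;
}
```

The "iS oR" case is exactly the one the originator describes: with the old logic the RST was taken as proof of a connection and the link got the 86400-second timeout; here it gets the short dead timeout instead.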
|
51091 |
08-Sep-1999 |
ru |
Fix typo.
|
50597 |
29-Aug-1999 |
billf |
Add $FreeBSD$ and spell Eklund properly.
Approved by: brian (well, he approved adding $Id$)
|
50476 |
28-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
50194 |
22-Aug-1999 |
brian |
Allow ppp to work with Nortel Networks Extranet Switch product and Windows NT tunneling.
Submitted by: Chain Lee <chain@nortelnetworks.com>
|
50175 |
22-Aug-1999 |
hoek |
Typo: 102 => 192 (PR: docs/13310 - Maxim Sobolev <sobomax@altavista.net>)
|
49828 |
15-Aug-1999 |
mpp |
Various man page cleanup:
- Sort xrefs
- FreeBSD.ORG -> FreeBSD.org
- Be consistent with section names as outlined in mdoc(7)
- Other misc mdoc cleanup.
PR: doc/13144 Submitted by: Alexy M. Zelkin <phantom@cris.net>
|
48102 |
22-Jun-1999 |
brian |
Don't get caught in an infinite recursion when PKT_ALIAS_REVERSE is set. Document PKT_ALIAS_REVERSE.
Pointed out by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.home.com> PR: 12304
|
47427 |
23-May-1999 |
brian |
brucify
Mentioned by: sprice@hiwaay.net
|
47344 |
20-May-1999 |
eivind |
Make incoming packets work as keepalives, too. This should fix problems for some games.
Notified of problem by: tim@turbinegames.com
|
46395 |
04-May-1999 |
brian |
Add missing ``.''.
|
45926 |
21-Apr-1999 |
luoqi |
Work around an egcs optimizer bug (i386). This should fix the active ftp hang problem. A bug report has been sent to cygnus.
|
45025 |
25-Mar-1999 |
brian |
PacketAliasProxyRule takes a const char *
Reminded by: bde
|
45008 |
24-Mar-1999 |
brian |
Add a ``const'' and remove some inconsistent prototype args.
|
44979 |
23-Mar-1999 |
billf |
Remove duplicate line.
Reviewed by: eivind
|
44616 |
09-Mar-1999 |
brian |
Remove all diagnostics to stdout/stderr with #ifdef DEBUG
Statify functions in alias_nbt.c
|
44556 |
07-Mar-1999 |
brian |
Document PacketAliasPptp() and allow it to be disabled by passing INADDR_NONE.
|
44548 |
07-Mar-1999 |
brian |
Remove unused function stubs.
|
44546 |
07-Mar-1999 |
brian |
Mention that PacketAliasProxyRule() doesn't accept host names, just IP numbers.
|
44526 |
06-Mar-1999 |
brian |
Document PacketAliasProxyRule() and fix a typo.
|
44307 |
27-Feb-1999 |
brian |
Version 3.0: January 1, 1999
- Transparent proxying support added.
- PPTP redirecting support added based on patches contributed by Dru Nelson <dnelson@redwoodsoft.com>.
Submitted by: Charles Mott <cmott@srv.net>
|
42454 |
10-Jan-1999 |
brian |
If we can't open alias.log, don't try to write to the resulting NULL FILE *.
PR: 9403
|
41759 |
14-Dec-1998 |
dillon |
Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code. This should prevent natd from crashing on badly formed netbios packets (as might be heard when the machine is sitting on a cable modem or certain DSL networks), and also closes potential security holes that might have exploited the lack of bounds checking in the previous version of the code.
|
41252 |
19-Nov-1998 |
jdp |
Fix a couple of typos.
|
38681 |
31-Aug-1998 |
brian |
Remove OpenBSD build support - let the Makefile vary per OS rather than making it a mess and potentially screwing up cross builds.
Suggested by: bde
Add Id keyword.
|
38663 |
30-Aug-1998 |
brian |
Add OpenBSD build support
|
37131 |
24-Jun-1998 |
brian |
Add CUSEEME support. This has *not* been tested, nor could I find anyone to test it, so please report any problems to me.
|
36834 |
10-Jun-1998 |
brian |
Quieten gcc 2.8.1
|
36711 |
06-Jun-1998 |
brian |
Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>
|
36692 |
06-Jun-1998 |
jkoshy |
Spelling corrections.
PR: 6868 Submitted by: Josh Gilliam <josh@quick.net>
|
36321 |
24-May-1998 |
amurai |
Primary version of NetBIOS over TCP/IP. Now you can connect to a Windows DOMAIN as a DOMAIN user through the NAT function. See also RFC1002 for further details of the SMB structure.
Submitted by: Atsushi Murai <amurai@spec.co.jp>
|
35314 |
19-Apr-1998 |
brian |
o Support a compile-time -DNO_FW_PUNCH for portability (and those of us that don't want the functionality).
o Don't assume sizeof(long) == 4.
Ok'd by: Charles Mott <cmott@srv.net>
|
34815 |
23-Mar-1998 |
bde |
FixedSpellingErrorInAFunctionname.
|
33897 |
27-Feb-1998 |
brian |
1) in CleanupAliasData, don't nullify entry in linkTableOut since there might be permanent entries still left after calls to DeleteLink (it will be nullified by DeleteLink if all entries are deleted, won't it?)
2) in PacketAliasSetAddress, set the aliasing address even when PKT_ALIAS_RESET_ON_ADDR_CHANGE is in effect. Just don't clean up links in this case.
Submitted by: Ari Suutari <ari@suutari.iki.fi> via: Charles Mott <cmott@srv.net> PR: 5041
|
32561 |
16-Jan-1998 |
bde |
Fixed a missing #include in the synopsis. Fixed some wrong prototypes. Fixed a misspelled function name.
The owner of this file should add a copyright and an Id.
|
32560 |
16-Jan-1998 |
bde |
Added prototypes for functions that were documented in libalias.3 but not prototyped here.
|
32498 |
14-Jan-1998 |
brian |
Remove __libalias_version. Ppp no longer uses it.
|
32443 |
11-Jan-1998 |
eivind |
Remove use of <osreldate.h>.
Screwed up by: myself
|
32398 |
10-Jan-1998 |
steve |
Put back __libalias_version so ppp(8) builds again.
|
32396 |
10-Jan-1998 |
alex |
Sync with ipfw interface change: fw_pts is now part of a union (a necessary evil due to the 108 byte setsockopt() limit).
|
32392 |
10-Jan-1998 |
jkh |
include <net/if.h> and restore this to sanity.
|
32377 |
09-Jan-1998 |
eivind |
Teach libalias to work with IPFW firewalls (controlled by a flag).
Obtained from: Yes development tree (+ 10 lines of patches from Charles Mott, original libalias author)
|
29162 |
06-Sep-1997 |
brian |
Upgrade to 2.4 (Fix -PKT_ALIAS_UNREGISTERED_ONLY)
Submitted by: Charles Mott <cmott@srv.net>
Add __libalias_version so that ppp can derive the correct library name for dlopen()
|
28084 |
11-Aug-1997 |
brian |
Fix file descriptor leak.
Submitted by: Charles Mott <cmott@srv.net> Identified by: Gordon Burditt
|
27864 |
03-Aug-1997 |
brian |
Update to version 2.2. Only the PacketAlias*() functions should now be used. The old 2.1 stuff is there for backwards compatibility.
Submitted by: Charles Mott <cmott@snake.srv.net>
|
26026 |
23-May-1997 |
brian |
Create the alias library. This is currently only used by ppp (or will be shortly). Natd can now be updated to use this library rather than carrying its own version of the code.
Submitted by: Charles Mott <cmott@srv.net>
|