diff options
| author | ru <ru@FreeBSD.org> | 2000-10-30 12:39:41 +0000 |
|---|---|---|
| committer | ru <ru@FreeBSD.org> | 2000-10-30 12:39:41 +0000 |
| commit | 390de194cd65ae4f4284ca22f4b0c0bf48c41b04 (patch) | |
| tree | d2c51d699062565136879cc42dc72ff6ccab67a5 /sys/netinet | |
| parent | a2cdf6684f245866048a91f755248dcaedc075bc (diff) | |
| download | FreeBSD-src-390de194cd65ae4f4284ca22f4b0c0bf48c41b04.zip FreeBSD-src-390de194cd65ae4f4284ca22f4b0c0bf48c41b04.tar.gz | |
A significant rewrite of PPTP aliasing code.
PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.
It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.
Problems were reported and the fix was tested by:
Michael Adler <Michael.Adler@compaq.com>,
David Andersen <dga@lcs.mit.edu>
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/libalias/alias.c | 51 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_db.c | 167 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_local.h | 18 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_pptp.c | 180 |
4 files changed, 265 insertions, 151 deletions
diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c index 4dc1800..a2ef4bf 100644 --- a/sys/netinet/libalias/alias.c +++ b/sys/netinet/libalias/alias.c @@ -185,7 +185,6 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link) ProtoAliasIn(), ProtoAliasOut() UdpAliasIn(), UdpAliasOut() TcpAliasIn(), TcpAliasOut() - GreAliasIn() These routines handle protocol specific details of packet aliasing. One may observe a certain amount of repetitive arithmetic in these @@ -237,8 +236,6 @@ static int UdpAliasIn (struct ip *); static int TcpAliasOut(struct ip *, int); static int TcpAliasIn (struct ip *); -static int GreAliasIn(struct ip *); - static int IcmpAliasIn1(struct ip *pip) @@ -707,40 +704,6 @@ ProtoAliasOut(struct ip *pip) static int -GreAliasIn(struct ip *pip) -{ - u_short call_id; - struct alias_link *link; - -/* Return if proxy-only mode is enabled. */ - if (packetAliasMode & PKT_ALIAS_PROXY_ONLY) - return (PKT_ALIAS_OK); - - if (PptpGetCallID(pip, &call_id)) { - if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, call_id)) != NULL) { - struct in_addr alias_address; - struct in_addr original_address; - - alias_address = GetAliasAddress(link); - original_address = GetOriginalAddress(link); - PptpSetCallID(pip, GetOriginalPort(link)); - - /* Restore original IP address. */ - DifferentialChecksum(&pip->ip_sum, - (u_short *)&original_address, - (u_short *)&pip->ip_dst, - 2); - pip->ip_dst = original_address; - - return (PKT_ALIAS_OK); - } else - return (PKT_ALIAS_IGNORED); - } else - return ProtoAliasIn(pip); -} - - -static int UdpAliasIn(struct ip *pip) { struct udphdr *ud; @@ -1318,8 +1281,12 @@ PacketAliasIn(char *ptr, int maxpacketsize) iresult = TcpAliasIn(pip); break; case IPPROTO_GRE: - iresult = GreAliasIn(pip); - break; + if (packetAliasMode & PKT_ALIAS_PROXY_ONLY || + AliasHandlePptpGreIn(pip) == 0) + iresult = PKT_ALIAS_OK; + else + iresult = ProtoAliasIn(pip); + break; default: iresult = ProtoAliasIn(pip); break; @@ -1426,6 +1393,12 @@ PacketAliasOut(char *ptr, /* valid IP packet */ case IPPROTO_TCP: iresult = TcpAliasOut(pip, maxpacketsize); break; + case IPPROTO_GRE: + if (AliasHandlePptpGreOut(pip) == 0) + iresult = PKT_ALIAS_OK; + else + iresult = ProtoAliasOut(pip); + break; default: iresult = ProtoAliasOut(pip); break; diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c index dcbf117..7b04548 100644 --- a/sys/netinet/libalias/alias_db.c +++ b/sys/netinet/libalias/alias_db.c @@ -158,7 +158,6 @@ /* Timeouts (in seconds) for different link types */ #define ICMP_EXPIRE_TIME 60 #define UDP_EXPIRE_TIME 60 -#define PPTP_EXPIRE_TIME 60 #define PROTO_EXPIRE_TIME 60 #define FRAGMENT_ID_EXPIRE_TIME 10 #define FRAGMENT_PTR_EXPIRE_TIME 30 @@ -422,7 +421,8 @@ StartPointIn(struct in_addr alias_addr, u_int n; n = alias_addr.s_addr; - n += alias_port; + if (link_type != LINK_PPTP) + n += alias_port; n += link_type; return(n % LINK_TABLE_IN_SIZE); } @@ -436,8 +436,10 @@ StartPointOut(struct in_addr src_addr, struct in_addr dst_addr, n = src_addr.s_addr; n += dst_addr.s_addr; - n += src_port; - n += dst_port; + if (link_type != LINK_PPTP) { + n += src_port; + n += dst_port; + } n += link_type; return(n % LINK_TABLE_OUT_SIZE); @@ -1004,7 +1006,7 @@ AddLink(struct in_addr src_addr, link->expire_time = TCP_EXPIRE_INITIAL; break; case LINK_PPTP: - link->expire_time = PPTP_EXPIRE_TIME; + link->flags |= LINK_PERMANENT; /* no timeout. */ break; case LINK_FRAGMENT_ID: link->expire_time = FRAGMENT_ID_EXPIRE_TIME; @@ -1389,7 +1391,8 @@ FindLinkIn(struct in_addr dst_addr, AddFragmentPtrLink(), FindFragmentPtr() FindProtoIn(), FindProtoOut() FindUdpTcpIn(), FindUdpTcpOut() - FindPptpIn(), FindPptpOut() + AddPptp(), FindPptpOutByCallId(), FindPptpInByCallId(), + FindPptpOutByPeerCallId(), FindPptpInByPeerCallId() FindOriginalAddress(), FindAliasAddress() (prototypes in alias_local.h) @@ -1630,56 +1633,6 @@ FindUdpTcpOut(struct in_addr src_addr, struct alias_link * -FindPptpIn(struct in_addr dst_addr, - struct in_addr alias_addr, - u_short call_id) -{ - struct alias_link *link; - - link = FindLinkIn(dst_addr, alias_addr, - NO_DEST_PORT, call_id, - LINK_PPTP, 1); - - if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING)) - { - struct in_addr target_addr; - - target_addr = FindOriginalAddress(alias_addr); - link = AddLink(target_addr, dst_addr, alias_addr, - call_id, NO_DEST_PORT, call_id, - LINK_PPTP); - } - - return(link); -} - - -struct alias_link * -FindPptpOut(struct in_addr src_addr, - struct in_addr dst_addr, - u_short call_id) -{ - struct alias_link *link; - - link = FindLinkOut(src_addr, dst_addr, - call_id, NO_DEST_PORT, - LINK_PPTP, 1); - - if (link == NULL) - { - struct in_addr alias_addr; - - alias_addr = FindAliasAddress(src_addr); - link = AddLink(src_addr, dst_addr, alias_addr, - call_id, NO_DEST_PORT, GET_ALIAS_PORT, - LINK_PPTP); - } - - return(link); -} - - -struct alias_link * QueryUdpTcpIn(struct in_addr dst_addr, struct in_addr alias_addr, u_short dst_port, @@ -1740,6 +1693,97 @@ QueryUdpTcpOut(struct in_addr src_addr, return(link); } +struct alias_link * +AddPptp(struct in_addr src_addr, + struct in_addr dst_addr, + struct in_addr alias_addr, + u_int16_t src_call_id) +{ + struct alias_link *link; + + link = AddLink(src_addr, dst_addr, alias_addr, + src_call_id, 0, GET_ALIAS_PORT, + LINK_PPTP); + + return (link); +} + + +struct alias_link * +FindPptpOutByCallId(struct in_addr src_addr, + struct in_addr dst_addr, + u_int16_t src_call_id) +{ + u_int i; + struct alias_link *link; + + i = StartPointOut(src_addr, dst_addr, 0, 0, LINK_PPTP); + LIST_FOREACH(link, &linkTableOut[i], list_out) + if (link->link_type == LINK_PPTP && + link->src_addr.s_addr == src_addr.s_addr && + link->dst_addr.s_addr == dst_addr.s_addr && + link->src_port == src_call_id) + break; + + return (link); +} + + +struct alias_link * +FindPptpOutByPeerCallId(struct in_addr src_addr, + struct in_addr dst_addr, + u_int16_t dst_call_id) +{ + u_int i; + struct alias_link *link; + + i = StartPointOut(src_addr, dst_addr, 0, 0, LINK_PPTP); + LIST_FOREACH(link, &linkTableOut[i], list_out) + if (link->link_type == LINK_PPTP && + link->src_addr.s_addr == src_addr.s_addr && + link->dst_addr.s_addr == dst_addr.s_addr && + link->dst_port == dst_call_id) + break; + + return (link); +} + + +struct alias_link * +FindPptpInByCallId(struct in_addr dst_addr, + struct in_addr alias_addr, + u_int16_t dst_call_id) +{ + u_int i; + struct alias_link *link; + + i = StartPointIn(alias_addr, 0, LINK_PPTP); + LIST_FOREACH(link, &linkTableIn[i], list_in) + if (link->link_type == LINK_PPTP && + link->dst_addr.s_addr == dst_addr.s_addr && + link->alias_addr.s_addr == alias_addr.s_addr && + link->dst_port == dst_call_id) + break; + + return (link); +} + + +struct alias_link * +FindPptpInByPeerCallId(struct in_addr dst_addr, + struct in_addr alias_addr, + u_int16_t alias_call_id) +{ + struct alias_link *link; + + link = FindLinkIn(dst_addr, alias_addr, + 0/* any */, alias_call_id, + LINK_PPTP, 0); + + + return (link); +} + struct alias_link * FindRtspOut(struct in_addr src_addr, @@ -1845,6 +1889,7 @@ FindAliasAddress(struct in_addr original_addr) SetAckModified(), GetAckModified() GetDeltaAckIn(), GetDeltaSeqOut(), AddSeq() SetLastLineCrlfTermed(), GetLastLineCrlfTermed() + SetDestCallId() */ @@ -2227,6 +2272,16 @@ GetLastLineCrlfTermed(struct alias_link *link) return (link->flags & LINK_LAST_LINE_CRLF_TERMED); } +void +SetDestCallId(struct alias_link *link, u_int16_t cid) +{ + + deleteAllLinks = 1; + link = ReLink(link, link->src_addr, link->dst_addr, link->alias_addr, + link->src_port, cid, link->alias_port, link->link_type); + deleteAllLinks = 0; +} + /* Miscellaneous Functions diff --git a/sys/netinet/libalias/alias_local.h b/sys/netinet/libalias/alias_local.h index f916d21..bd2aa75 100644 --- a/sys/netinet/libalias/alias_local.h +++ b/sys/netinet/libalias/alias_local.h @@ -108,10 +108,19 @@ struct alias_link * FindUdpTcpOut(struct in_addr, struct in_addr, u_short, u_short, u_char); struct alias_link * -FindPptpIn(struct in_addr, struct in_addr, u_short); +AddPptp(struct in_addr, struct in_addr, struct in_addr, u_int16_t); struct alias_link * -FindPptpOut(struct in_addr, struct in_addr, u_short); +FindPptpOutByCallId(struct in_addr, struct in_addr, u_int16_t); + +struct alias_link * +FindPptpInByCallId(struct in_addr, struct in_addr, u_int16_t); + +struct alias_link * +FindPptpOutByPeerCallId(struct in_addr, struct in_addr, u_int16_t); + +struct alias_link * +FindPptpInByPeerCallId(struct in_addr, struct in_addr, u_int16_t); struct alias_link * QueryUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char); @@ -159,6 +168,7 @@ void SetExpire(struct alias_link *, int); void ClearCheckNewLink(void); void SetLastLineCrlfTermed(struct alias_link *, int); int GetLastLineCrlfTermed(struct alias_link *); +void SetDestCallId(struct alias_link *, u_int16_t); #ifndef NO_FW_PUNCH void PunchFWHole(struct alias_link *); #endif @@ -180,10 +190,10 @@ void AliasHandleIrcOut(struct ip *, struct alias_link *, int); void AliasHandleRtspOut(struct ip *, struct alias_link *, int); /* PPTP routines */ -int PptpGetCallID(struct ip *, u_short *); -void PptpSetCallID(struct ip *, u_short); void AliasHandlePptpOut(struct ip *, struct alias_link *); void AliasHandlePptpIn(struct ip *, struct alias_link *); +int AliasHandlePptpGreOut(struct ip *); +int AliasHandlePptpGreIn(struct ip *); /* NetBIOS routines */ int AliasHandleUdpNbt(struct ip *, struct alias_link *, struct in_addr *, u_short); diff --git a/sys/netinet/libalias/alias_pptp.c b/sys/netinet/libalias/alias_pptp.c index 4df8a32..373e33f 100644 --- a/sys/netinet/libalias/alias_pptp.c +++ b/sys/netinet/libalias/alias_pptp.c @@ -65,9 +65,6 @@ */ /* Includes */ -#include <ctype.h> -#include <stdio.h> -#include <string.h> #include <sys/types.h> #include <netinet/in_systm.h> #include <netinet/in.h> @@ -82,21 +79,14 @@ struct grehdr /* Enhanced GRE header. */ { - u_char gh_recursion:3, /* Recursion control. */ - gh_ssr_flag:1, /* Strict source route present. */ - gh_seq_no_flag:1, /* Sequence number present. */ - gh_key_flag:1, /* Key present. */ - gh_rt_flag:1, /* Routing present. */ - gh_cksum_flag:1; /* Checksum present. */ - u_char gh_version:3, /* GRE version. */ - gh_flags:4, /* Flags. */ - gh_ack_no_flag:1; /* Acknowledgment sequence number present. */ - u_short gh_protocol; /* Protocol type. */ - u_short gh_length; /* Payload length. */ - u_short gh_call_id; /* Call ID. */ + u_int16_t gh_flags; /* Flags. */ + u_int16_t gh_protocol; /* Protocol type. */ + u_int16_t gh_length; /* Payload length. */ + u_int16_t gh_call_id; /* Call ID. */ u_int32_t gh_seq_no; /* Sequence number (optional). */ u_int32_t gh_ack_no; /* Acknowledgment number (optional). */ }; +typedef struct grehdr GreHdr; /* The PPTP protocol ID used in the GRE 'proto' field. */ #define PPTP_GRE_PROTO 0x880b @@ -123,7 +113,7 @@ enum { PPTP_CallClearRequest = 12, PPTP_CallDiscNotify = 13, PPTP_WanErrorNotify = 14, - PPTP_SetLinkInfo = 15, + PPTP_SetLinkInfo = 15 }; /* Message structures */ @@ -136,6 +126,12 @@ enum { }; typedef struct pptpMsgHead *PptpMsgHead; + struct pptpCodes { + u_int8_t resCode; /* Result Code */ + u_int8_t errCode; /* Error Code */ + }; + typedef struct pptpCodes *PptpCode; + struct pptpCallIds { u_int16_t cid1; /* Call ID field #1 */ u_int16_t cid2; /* Call ID field #2 */ @@ -144,29 +140,6 @@ enum { static PptpCallId AliasVerifyPptp(struct ip *, u_int16_t *); -int -PptpGetCallID(struct ip *pip, - u_short *call_id) -{ - struct grehdr *gr; - - gr = (struct grehdr *)((char *)pip + (pip->ip_hl << 2)); - - /* Check GRE header bits. */ - if ((ntohl(*((u_int32_t *)gr)) & PPTP_INIT_MASK) == PPTP_INIT_VALUE) { - *call_id = gr->gh_call_id; - return 1; - } else - return 0; -}; - -void PptpSetCallID(struct ip *pip, u_short call_id) -{ - struct grehdr *gr; - - gr = (struct grehdr *)((char *)pip + (pip->ip_hl << 2)); - gr->gh_call_id = call_id; -}; void AliasHandlePptpOut(struct ip *pip, /* IP packet to examine/patch */ @@ -174,6 +147,7 @@ AliasHandlePptpOut(struct ip *pip, /* IP packet to examine/patch */ { struct alias_link *pptp_link; PptpCallId cptr; + PptpCode codes; u_int16_t ctl_type; /* control message type */ struct tcphdr *tc; @@ -187,12 +161,20 @@ AliasHandlePptpOut(struct ip *pip, /* IP packet to examine/patch */ case PPTP_OutCallReply: case PPTP_InCallRequest: case PPTP_InCallReply: + /* Establish PPTP link for address and Call ID found in control message. */ + pptp_link = AddPptp(GetOriginalAddress(link), GetDestAddress(link), + GetAliasAddress(link), cptr->cid1); + break; case PPTP_CallClearRequest: case PPTP_CallDiscNotify: - - /* Establish PPTP link for address and Call ID found in PPTP Control Msg */ - pptp_link = FindPptpOut(GetOriginalAddress(link), GetDestAddress(link), - cptr->cid1); + /* Find PPTP link for address and Call ID found in control message. */ + pptp_link = FindPptpOutByCallId(GetOriginalAddress(link), + GetDestAddress(link), + cptr->cid1); + break; + default: + return; + } if (pptp_link != NULL) { int accumulate = cptr->cid1; @@ -204,11 +186,22 @@ AliasHandlePptpOut(struct ip *pip, /* IP packet to examine/patch */ tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2)); accumulate -= cptr->cid1; ADJUST_CHECKSUM(accumulate, tc->th_sum); + + switch (ctl_type) { + case PPTP_OutCallReply: + case PPTP_InCallReply: + codes = (PptpCode)(cptr + 1); + if (codes->resCode == 1) /* Connection established, */ + SetDestCallId(pptp_link, /* note the Peer's Call ID. */ + cptr->cid2); + else + SetExpire(pptp_link, 0); /* Connection refused. */ + break; + case PPTP_CallDiscNotify: /* Connection closed. */ + SetExpire(pptp_link, 0); + break; + } } - break; - default: - return; - } } void @@ -237,28 +230,46 @@ AliasHandlePptpIn(struct ip *pip, /* IP packet to examine/patch */ case PPTP_InCallReply: pcall_id = &cptr->cid2; break; + case PPTP_CallDiscNotify: /* Connection closed. */ + pptp_link = FindPptpInByCallId(GetDestAddress(link), + GetAliasAddress(link), + cptr->cid1); + if (pptp_link != NULL) + SetExpire(pptp_link, 0); + return; default: return; } /* Find PPTP link for address and Call ID found in PPTP Control Msg */ - pptp_link = FindPptpIn(GetDestAddress(link), GetAliasAddress(link), - *pcall_id); + pptp_link = FindPptpInByPeerCallId(GetDestAddress(link), + GetAliasAddress(link), + *pcall_id); if (pptp_link != NULL) { int accumulate = *pcall_id; - /* alias the Call Id */ + /* De-alias the Peer's Call Id. */ *pcall_id = GetOriginalPort(pptp_link); /* Compute TCP checksum for modified packet */ tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2)); accumulate -= *pcall_id; ADJUST_CHECKSUM(accumulate, tc->th_sum); + + if (ctl_type == PPTP_OutCallReply || ctl_type == PPTP_InCallReply) { + PptpCode codes = (PptpCode)(cptr + 1); + + if (codes->resCode == 1) /* Connection established, */ + SetDestCallId(pptp_link, /* note the Call ID. */ + cptr->cid1); + else + SetExpire(pptp_link, 0); /* Connection refused. */ + } } } -PptpCallId +static PptpCallId AliasVerifyPptp(struct ip *pip, u_int16_t *ptype) /* IP packet to examine/patch */ { int hlen, tlen, dlen; @@ -285,6 +296,71 @@ AliasVerifyPptp(struct ip *pip, u_int16_t *ptype) /* IP packet to examine/patch if ((ntohs(hptr->msgType) != PPTP_CTRL_MSG_TYPE) || (ntohl(hptr->magic) != PPTP_MAGIC)) return(NULL); + + /* Verify data length. */ + if ((*ptype == PPTP_OutCallReply || *ptype == PPTP_InCallReply) && + (dlen < sizeof(struct pptpMsgHead) + sizeof(struct pptpCallIds) + + sizeof(struct pptpCodes))) + return (NULL); else - return((PptpCallId)(((char *)hptr) + sizeof(struct pptpMsgHead))); + return (PptpCallId)(hptr + 1); +} + + +int +AliasHandlePptpGreOut(struct ip *pip) +{ + GreHdr *gr; + struct alias_link *link; + + gr = (GreHdr *)((char *)pip + (pip->ip_hl << 2)); + + /* Check GRE header bits. */ + if ((ntohl(*((u_int32_t *)gr)) & PPTP_INIT_MASK) != PPTP_INIT_VALUE) + return (-1); + + link = FindPptpOutByPeerCallId(pip->ip_src, pip->ip_dst, gr->gh_call_id); + if (link != NULL) { + struct in_addr alias_addr = GetAliasAddress(link); + + /* Change source IP address. */ + DifferentialChecksum(&pip->ip_sum, + (u_short *)&alias_addr, + (u_short *)&pip->ip_src, + 2); + pip->ip_src = alias_addr; + } + + return (0); +} + + +int +AliasHandlePptpGreIn(struct ip *pip) +{ + GreHdr *gr; + struct alias_link *link; + + gr = (GreHdr *)((char *)pip + (pip->ip_hl << 2)); + + /* Check GRE header bits. */ + if ((ntohl(*((u_int32_t *)gr)) & PPTP_INIT_MASK) != PPTP_INIT_VALUE) + return (-1); + + link = FindPptpInByPeerCallId(pip->ip_src, pip->ip_dst, gr->gh_call_id); + if (link != NULL) { + struct in_addr src_addr = GetOriginalAddress(link); + + /* De-alias the Peer's Call Id. */ + gr->gh_call_id = GetOriginalPort(link); + + /* Restore original IP address. */ + DifferentialChecksum(&pip->ip_sum, + (u_short *)&src_addr, + (u_short *)&pip->ip_dst, + 2); + pip->ip_dst = src_addr; + } + + return (0); } |
