-rw-r--r--lib/libalias/alias.c34
-rw-r--r--lib/libalias/alias.h9
-rw-r--r--lib/libalias/alias_db.c113
-rw-r--r--lib/libalias/alias_local.h4
-rw-r--r--lib/libalias/libalias.339
-rw-r--r--sys/netinet/libalias/alias.c34
-rw-r--r--sys/netinet/libalias/alias.h9
-rw-r--r--sys/netinet/libalias/alias_db.c113
-rw-r--r--sys/netinet/libalias/alias_local.h4
-rw-r--r--sys/netinet/libalias/libalias.339
10 files changed, 176 insertions, 222 deletions
diff --git a/lib/libalias/alias.c b/lib/libalias/alias.c
index 39a7e4f..eaaedac 100644
--- a/lib/libalias/alias.c
+++ b/lib/libalias/alias.c
@@ -178,6 +178,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2(), IcmpAliasIn3()
IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2(), IcmpAliasOut3()
+ ProtoAliasIn(), ProtoAliasOut()
UdpAliasIn(), UdpAliasOut()
TcpAliasIn(), TcpAliasOut()
@@ -224,6 +225,9 @@ static int IcmpAliasOut2(struct ip *);
static int IcmpAliasOut3(struct ip *);
static int IcmpAliasOut (struct ip *);
+static int ProtoAliasIn(struct ip *);
+static int ProtoAliasOut(struct ip *);
+
static int UdpAliasOut(struct ip *);
static int UdpAliasIn (struct ip *);
@@ -653,10 +657,10 @@ IcmpAliasOut(struct ip *pip)
static int
-PptpAliasIn(struct ip *pip)
+ProtoAliasIn(struct ip *pip)
{
/*
- Handle incoming PPTP packets. The
+ Handle incoming IP packets. The
only thing which is done in this case is to alias
the dest IP address of the packet to our inside
machine.
@@ -667,10 +671,7 @@ PptpAliasIn(struct ip *pip)
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
- if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
- return PKT_ALIAS_IGNORED;
-
- link = FindPptpIn(pip->ip_src, pip->ip_dst);
+ link = FindProtoIn(pip->ip_src, pip->ip_dst, pip->ip_p);
if (link != NULL)
{
struct in_addr original_address;
@@ -691,10 +692,10 @@ PptpAliasIn(struct ip *pip)
static int
-PptpAliasOut(struct ip *pip)
+ProtoAliasOut(struct ip *pip)
{
/*
- Handle outgoing PPTP packets. The
+ Handle outgoing IP packets. The
only thing which is done in this case is to alias
the source IP address of the packet.
*/
@@ -704,10 +705,7 @@ PptpAliasOut(struct ip *pip)
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
- if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
- return PKT_ALIAS_IGNORED;
-
- link = FindPptpOut(pip->ip_src, pip->ip_dst);
+ link = FindProtoOut(pip->ip_src, pip->ip_dst, pip->ip_p);
if (link != NULL)
{
struct in_addr alias_address;
@@ -1303,10 +1301,8 @@ PacketAliasIn(char *ptr, int maxpacketsize)
case IPPROTO_TCP:
iresult = TcpAliasIn(pip);
break;
- case IPPROTO_GRE:
- case IPPROTO_ESP:
- case IPPROTO_AH:
- iresult = PptpAliasIn(pip);
+ default:
+ iresult = ProtoAliasIn(pip);
break;
}
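Review bot: The new `default:` sends every IP protocol other than ICMP, UDP and TCP into ProtoAliasIn, and FindProtoIn (alias_db.c hunk at -1400) creates a fresh link for any unmatched inbound packet unless PKT_ALIAS_DENY_INCOMING is set, so link-table entries can now be created from outside for roughly 250 protocol values per remote address where before only GRE/ESP/AH could, while the PKT_ALIAS_DENY_PPTP opt-out is removed with no per-protocol replacement. That is a resource-growth and policy change worth recording at the label, e.g. `/* Any other protocol: address-only aliasing; inbound links are created unless PKT_ALIAS_DENY_INCOMING */`, and possibly a mode bit confining the default arm to an administrator-chosen set. The same `default:` appears in PacketAliasOut in the next hunk and in both sys/netinet/libalias/alias.c hunks. PacketAliasIn begins and ends outside the hunk.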
@@ -1411,10 +1407,8 @@ PacketAliasOut(char *ptr, /* valid IP packet */
case IPPROTO_TCP:
iresult = TcpAliasOut(pip, maxpacketsize);
break;
- case IPPROTO_GRE:
- case IPPROTO_ESP:
- case IPPROTO_AH:
- iresult = PptpAliasOut(pip);
+ default:
+ iresult = ProtoAliasOut(pip);
break;
}
}
diff --git a/lib/libalias/alias.h b/lib/libalias/alias.h
index 9f15579..ace911d 100644
--- a/lib/libalias/alias.h
+++ b/lib/libalias/alias.h
@@ -60,7 +60,10 @@ struct alias_link;
PacketAliasPptp(struct in_addr);
extern struct alias_link *
- PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
+ PacketAliasRedirectProto(struct in_addr,
+ struct in_addr,
+ struct in_addr,
+ u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
@@ -157,10 +160,6 @@ struct alias_link;
and PacketAliasOut() are reversed */
#define PKT_ALIAS_REVERSE 0x80
-/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
- prevented by the aliasing engine. */
-#define PKT_ALIAS_DENY_PPTP 0x200
-
/* Return Codes */
#define PKT_ALIAS_ERROR -1
#define PKT_ALIAS_OK 1
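Review bot: Deleting `PKT_ALIAS_DENY_PPTP 0x200` from the public header frees the 0x200 bit for later reassignment, and any already-built client that still ORs 0x200 into the mode would then silently enable whatever new mode takes that value; keep the slot reserved with a comment such as `/* 0x200 was PKT_ALIAS_DENY_PPTP; retired, do not reuse */`. Callers that used the bit also lose the only way to refuse aliasing of these protocols short of PKT_ALIAS_DENY_INCOMING, which the header could state next to PKT_ALIAS_REVERSE. The same hunk appears in sys/netinet/libalias/alias.h.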
diff --git a/lib/libalias/alias_db.c b/lib/libalias/alias_db.c
index bc020f3..09bdcac 100644
--- a/lib/libalias/alias_db.c
+++ b/lib/libalias/alias_db.c
@@ -147,7 +147,7 @@
/* Timeouts (in seconds) for different link types */
#define ICMP_EXPIRE_TIME 60
#define UDP_EXPIRE_TIME 60
-#define PPTP_EXPIRE_TIME 60
+#define PROTO_EXPIRE_TIME 60
#define FRAGMENT_ID_EXPIRE_TIME 10
#define FRAGMENT_PTR_EXPIRE_TIME 30
@@ -256,16 +256,15 @@ struct alias_link /* Main data structure */
u_short proxy_port;
struct server *server;
- int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
+ int link_type; /* Type of link: TCP, UDP, ICMP, proto, frag */
/* values for link_type */
-#define LINK_ICMP 1
-#define LINK_UDP 2
-#define LINK_TCP 3
-#define LINK_FRAGMENT_ID 4
-#define LINK_FRAGMENT_PTR 5
-#define LINK_ADDR 6
-#define LINK_PPTP 7
+#define LINK_ICMP IPPROTO_ICMP
+#define LINK_UDP IPPROTO_UDP
+#define LINK_TCP IPPROTO_TCP
+#define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
+#define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
+#define LINK_ADDR (IPPROTO_MAX + 3)
int flags; /* indicates special characteristics */
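Review bot: The synthetic link types `LINK_FRAGMENT_ID (IPPROTO_MAX + 1)` and siblings stay disjoint from real protocol numbers only if IPPROTO_MAX is at least 256, since every value fed into link_type from FindProtoIn/FindProtoOut/PacketAliasRedirectProto is a u_char, and nothing in the hunk records that assumption. A comment on the block, e.g. `/* Non-protocol link types start above IPPROTO_MAX so a u_char ip_p can never collide with them */`, would make the invariant explicit for the next person who widens `proto`. The same block appears in the sys/netinet/libalias/alias_db.c hunk.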
@@ -329,7 +328,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
static int icmpLinkCount; /* Link statistics */
static int udpLinkCount;
static int tcpLinkCount;
-static int pptpLinkCount;
+static int protoLinkCount;
static int fragmentIdLinkCount;
static int fragmentPtrLinkCount;
static int sockCount;
@@ -455,18 +454,18 @@ ShowAliasStats(void)
if (monitorFile)
{
- fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
+ fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, proto=%d, frag_id=%d frag_ptr=%d",
icmpLinkCount,
udpLinkCount,
tcpLinkCount,
- pptpLinkCount,
+ protoLinkCount,
fragmentIdLinkCount,
fragmentPtrLinkCount);
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
icmpLinkCount + udpLinkCount
+ tcpLinkCount
- + pptpLinkCount
+ + protoLinkCount
+ fragmentIdLinkCount
+ fragmentPtrLinkCount,
sockCount);
@@ -738,17 +737,6 @@ IncrementalCleanup(void)
idelta = timeStamp - link->timestamp;
switch (link->link_type)
{
- case LINK_ICMP:
- case LINK_UDP:
- case LINK_FRAGMENT_ID:
- case LINK_FRAGMENT_PTR:
- case LINK_PPTP:
- if (idelta > link->expire_time)
- {
- DeleteLink(link);
- icount++;
- }
- break;
case LINK_TCP:
if (idelta > link->expire_time)
{
@@ -763,6 +751,13 @@ IncrementalCleanup(void)
}
}
break;
+ default:
+ if (idelta > link->expire_time)
+ {
+ DeleteLink(link);
+ icount++;
+ }
+ break;
}
link = link_next;
}
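Review bot: The new `default:` arm now applies the expiry test to LINK_ADDR links as well, which the old switch never listed and which the AddLink hunk below leaves without an expire_time (`case LINK_ADDR: break;`), so `idelta > link->expire_time` compares against a field this patch never initialises for that type. If LINK_ADDR links are always permanent and DeleteLink refuses permanent links this is harmless, but that is not visible here; confirm it, or add an explicit `case LINK_ADDR: break;` to this switch as the DeleteLink and AddLink switches do. IncrementalCleanup begins and ends outside the hunk; the same hunk appears in sys/netinet/libalias/alias_db.c.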
@@ -842,9 +837,6 @@ DeleteLink(struct alias_link *link)
if (link->data.tcp != NULL)
free(link->data.tcp);
break;
- case LINK_PPTP:
- pptpLinkCount--;
- break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount--;
break;
@@ -853,6 +845,11 @@ DeleteLink(struct alias_link *link)
if (link->data.frag_ptr != NULL)
free(link->data.frag_ptr);
break;
+ case LINK_ADDR:
+ break;
+ default:
+ protoLinkCount--;
+ break;
}
/* Free memory */
@@ -908,15 +905,17 @@ AddLink(struct in_addr src_addr,
case LINK_TCP:
link->expire_time = TCP_EXPIRE_INITIAL;
break;
- case LINK_PPTP:
- link->expire_time = PPTP_EXPIRE_TIME;
- break;
case LINK_FRAGMENT_ID:
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
break;
case LINK_FRAGMENT_PTR:
link->expire_time = FRAGMENT_PTR_EXPIRE_TIME;
break;
+ case LINK_ADDR:
+ break;
+ default:
+ link->expire_time = PROTO_EXPIRE_TIME;
+ break;
}
/* Determine alias flags */
@@ -994,15 +993,17 @@ AddLink(struct in_addr src_addr,
#endif
}
break;
- case LINK_PPTP:
- pptpLinkCount++;
- break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount++;
break;
case LINK_FRAGMENT_PTR:
fragmentPtrLinkCount++;
break;
+ case LINK_ADDR:
+ break;
+ default:
+ protoLinkCount++;
+ break;
}
}
else
@@ -1303,7 +1304,7 @@ FindLinkIn(struct in_addr dst_addr,
FindIcmpIn(), FindIcmpOut()
FindFragmentIn1(), FindFragmentIn2()
AddFragmentPtrLink(), FindFragmentPtr()
- FindPptpIn(), FindPptpOut()
+ FindProtoIn(), FindProtoOut()
FindUdpTcpIn(), FindUdpTcpOut()
FindOriginalAddress(), FindAliasAddress()
@@ -1400,14 +1401,15 @@ FindFragmentPtr(struct in_addr dst_addr,
struct alias_link *
-FindPptpIn(struct in_addr dst_addr,
- struct in_addr alias_addr)
+FindProtoIn(struct in_addr dst_addr,
+ struct in_addr alias_addr,
+ u_char proto)
{
struct alias_link *link;
link = FindLinkIn(dst_addr, alias_addr,
NO_DEST_PORT, 0,
- LINK_PPTP, 1);
+ proto, 1);
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
{
@@ -1416,7 +1418,7 @@ FindPptpIn(struct in_addr dst_addr,
target_addr = FindOriginalAddress(alias_addr);
link = AddLink(target_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
}
return (link);
@@ -1424,14 +1426,15 @@ FindPptpIn(struct in_addr dst_addr,
struct alias_link *
-FindPptpOut(struct in_addr src_addr,
- struct in_addr dst_addr)
+FindProtoOut(struct in_addr src_addr,
+ struct in_addr dst_addr,
+ u_char proto)
{
struct alias_link *link;
link = FindLinkOut(src_addr, dst_addr,
NO_SRC_PORT, NO_DEST_PORT,
- LINK_PPTP, 1);
+ proto, 1);
if (link == NULL)
{
@@ -1440,7 +1443,7 @@ FindPptpOut(struct in_addr src_addr,
alias_addr = FindAliasAddress(src_addr);
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
}
return (link);
@@ -2063,7 +2066,7 @@ UninitPacketAliasLog(void)
PacketAliasRedirectPort()
PacketAliasAddServer()
- PacketAliasRedirectPptp()
+ PacketAliasRedirectProto()
PacketAliasRedirectAddr()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
@@ -2151,32 +2154,32 @@ PacketAliasAddServer(struct alias_link *link, struct in_addr addr, u_short port)
}
/* Translate PPTP packets to a machine on the inside
- * XXX This function is made obsolete by PacketAliasRedirectPptp().
+ * XXX This function is made obsolete by PacketAliasRedirectProto().
*/
int
PacketAliasPptp(struct in_addr src_addr)
{
- if (src_addr.s_addr == INADDR_NONE)
- packetAliasMode |= PKT_ALIAS_DENY_PPTP;
- else
- (void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
+ if (src_addr.s_addr != INADDR_NONE)
+ (void)PacketAliasRedirectProto(src_addr, nullAddress, nullAddress,
+ IPPROTO_GRE);
return 1;
}
-/* Redirect PPTP packets from a specific
+/* Redirect packets of a given IP protocol from a specific
public address to a private address */
struct alias_link *
-PacketAliasRedirectPptp(struct in_addr src_addr,
- struct in_addr dst_addr,
- struct in_addr alias_addr)
+PacketAliasRedirectProto(struct in_addr src_addr,
+ struct in_addr dst_addr,
+ struct in_addr alias_addr,
+ u_char proto)
{
struct alias_link *link;
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
if (link != NULL)
{
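Review bot: `PacketAliasPptp(INADDR_NONE)` now does nothing yet still returns 1, whereas it previously set PKT_ALIAS_DENY_PPTP, and the manual text kept as context in the libalias.3 hunk ("then PPTP aliasing is disabled") still promises the old behaviour, so a caller relying on it to block PPTP silently gets aliasing instead. Either document the no-op in the function comment and the manual page, e.g. `/* INADDR_NONE used to set PKT_ALIAS_DENY_PPTP; that mode is gone, so it is now a no-op */`, or return a failure code for that argument so the regression is visible to callers. PacketAliasRedirectProto continues outside the hunk; the same hunk appears in sys/netinet/libalias/alias_db.c.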
@@ -2185,7 +2188,7 @@ PacketAliasRedirectPptp(struct in_addr src_addr,
#ifdef DEBUG
else
{
- fprintf(stderr, "PacketAliasRedirectPptp(): "
+ fprintf(stderr, "PacketAliasRedirectProto(): "
"call to AddLink() failed\n");
}
#endif
@@ -2286,7 +2289,7 @@ PacketAliasInit(void)
icmpLinkCount = 0;
udpLinkCount = 0;
tcpLinkCount = 0;
- pptpLinkCount = 0;
+ protoLinkCount = 0;
fragmentIdLinkCount = 0;
fragmentPtrLinkCount = 0;
sockCount = 0;
diff --git a/lib/libalias/alias_local.h b/lib/libalias/alias_local.h
index a5d3cd7..ca93151 100644
--- a/lib/libalias/alias_local.h
+++ b/lib/libalias/alias_local.h
@@ -96,10 +96,10 @@ struct alias_link *
FindFragmentPtr(struct in_addr, u_short);
struct alias_link *
-FindPptpIn(struct in_addr, struct in_addr);
+FindProtoIn(struct in_addr, struct in_addr, u_char);
struct alias_link *
-FindPptpOut(struct in_addr, struct in_addr);
+FindProtoOut(struct in_addr, struct in_addr, u_char);
struct alias_link *
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
diff --git a/lib/libalias/libalias.3 b/lib/libalias/libalias.3
index 924262b..0344af5 100644
--- a/lib/libalias/libalias.3
+++ b/lib/libalias/libalias.3
@@ -227,15 +227,6 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
-.It Dv PKT_ALIAS_DENY_PPTP
-If this mode bit is set, all PPTP packets will be marked for being ignored
-(both
-.Fn PacketAliasIn
-and
-.Fn PacketAliasOut
-return
-.Dv PKT_ALIAS_IGNORED
-code).
.El
.Ed
.Pp
@@ -647,25 +638,17 @@ access, or to restrict access to certain external machines.
.Ed
.Pp
.Ft struct alias_link *
-.Fo PacketAliasRedirectPptp
+.Fo PacketAliasRedirectProto
.Fa "struct in_addr local_addr"
.Fa "struct in_addr remote_addr"
.Fa "struct in_addr alias_addr"
+.Fa "u_char proto"
.Fc
.Bd -ragged -offset indent
-This function specifies that any Point to Point Tunneling Protocol
-(PPTP) traffic from a given remote address to an alias address be
+This function specifies that any IP packet with protocol number of
+.Fa proto
+from a given remote address to an alias address be
redirected to a specified local address.
-Currently supported PPTP protocols include:
-.Pp
-.Bl -tag -width "IPPROTO_GRE" -compact
-.It IPPROTO_GRE
-Generic Routing Encapsulation (RFC 1702)
-.It IPPROTO_ESP
-IP Encapsulating Security Payload (RFC 1827)
-.It IPPROTO_AH
-IP Authentication Header (RFC 1826)
-.El
.Pp
If
.Fa local_addr
@@ -678,16 +661,16 @@ is to be used.
Even if
.Fn PacketAliasSetAddress
is called to change the address after
-.Fn PacketAliasRedirectPptp
+.Fn PacketAliasRedirectProto
is called, a zero reference will track this change.
.Pp
If
.Fa remote_addr
-is zero, this indicates to redirect PPTP packets from any remote address.
+is zero, this indicates to redirect packets from any remote address.
Non-zero remote addresses can sometimes be useful for firewalling.
.Pp
If two calls to
-.Fn PacketAliasRedirectPptp
+.Fn PacketAliasRedirectProto
overlap in their address specifications, then the most recent call
will have precedence.
.Pp
@@ -713,10 +696,8 @@ then PPTP aliasing is disabled.
.Pp
.Bf -symbolic
This function is made obsolete by
-.Fn PacketAliasRedirectPptp
-and
-.Dv PKT_ALIAS_DENY_PPTP
-mode bit, and is provided only for backward compatibility.
+.Fn PacketAliasRedirectProto ,
+and is provided only for backward compatibility.
.Ef
.Ed
.Sh FRAGMENT HANDLING
diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c
index 39a7e4f..eaaedac 100644
--- a/sys/netinet/libalias/alias.c
+++ b/sys/netinet/libalias/alias.c
@@ -178,6 +178,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2(), IcmpAliasIn3()
IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2(), IcmpAliasOut3()
+ ProtoAliasIn(), ProtoAliasOut()
UdpAliasIn(), UdpAliasOut()
TcpAliasIn(), TcpAliasOut()
@@ -224,6 +225,9 @@ static int IcmpAliasOut2(struct ip *);
static int IcmpAliasOut3(struct ip *);
static int IcmpAliasOut (struct ip *);
+static int ProtoAliasIn(struct ip *);
+static int ProtoAliasOut(struct ip *);
+
static int UdpAliasOut(struct ip *);
static int UdpAliasIn (struct ip *);
@@ -653,10 +657,10 @@ IcmpAliasOut(struct ip *pip)
static int
-PptpAliasIn(struct ip *pip)
+ProtoAliasIn(struct ip *pip)
{
/*
- Handle incoming PPTP packets. The
+ Handle incoming IP packets. The
only thing which is done in this case is to alias
the dest IP address of the packet to our inside
machine.
@@ -667,10 +671,7 @@ PptpAliasIn(struct ip *pip)
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
- if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
- return PKT_ALIAS_IGNORED;
-
- link = FindPptpIn(pip->ip_src, pip->ip_dst);
+ link = FindProtoIn(pip->ip_src, pip->ip_dst, pip->ip_p);
if (link != NULL)
{
struct in_addr original_address;
@@ -691,10 +692,10 @@ PptpAliasIn(struct ip *pip)
static int
-PptpAliasOut(struct ip *pip)
+ProtoAliasOut(struct ip *pip)
{
/*
- Handle outgoing PPTP packets. The
+ Handle outgoing IP packets. The
only thing which is done in this case is to alias
the source IP address of the packet.
*/
@@ -704,10 +705,7 @@ PptpAliasOut(struct ip *pip)
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
- if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
- return PKT_ALIAS_IGNORED;
-
- link = FindPptpOut(pip->ip_src, pip->ip_dst);
+ link = FindProtoOut(pip->ip_src, pip->ip_dst, pip->ip_p);
if (link != NULL)
{
struct in_addr alias_address;
@@ -1303,10 +1301,8 @@ PacketAliasIn(char *ptr, int maxpacketsize)
case IPPROTO_TCP:
iresult = TcpAliasIn(pip);
break;
- case IPPROTO_GRE:
- case IPPROTO_ESP:
- case IPPROTO_AH:
- iresult = PptpAliasIn(pip);
+ default:
+ iresult = ProtoAliasIn(pip);
break;
}
@@ -1411,10 +1407,8 @@ PacketAliasOut(char *ptr, /* valid IP packet */
case IPPROTO_TCP:
iresult = TcpAliasOut(pip, maxpacketsize);
break;
- case IPPROTO_GRE:
- case IPPROTO_ESP:
- case IPPROTO_AH:
- iresult = PptpAliasOut(pip);
+ default:
+ iresult = ProtoAliasOut(pip);
break;
}
}
diff --git a/sys/netinet/libalias/alias.h b/sys/netinet/libalias/alias.h
index 9f15579..ace911d 100644
--- a/sys/netinet/libalias/alias.h
+++ b/sys/netinet/libalias/alias.h
@@ -60,7 +60,10 @@ struct alias_link;
PacketAliasPptp(struct in_addr);
extern struct alias_link *
- PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
+ PacketAliasRedirectProto(struct in_addr,
+ struct in_addr,
+ struct in_addr,
+ u_char);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
@@ -157,10 +160,6 @@ struct alias_link;
and PacketAliasOut() are reversed */
#define PKT_ALIAS_REVERSE 0x80
-/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
- prevented by the aliasing engine. */
-#define PKT_ALIAS_DENY_PPTP 0x200
-
/* Return Codes */
#define PKT_ALIAS_ERROR -1
#define PKT_ALIAS_OK 1
diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c
index bc020f3..09bdcac 100644
--- a/sys/netinet/libalias/alias_db.c
+++ b/sys/netinet/libalias/alias_db.c
@@ -147,7 +147,7 @@
/* Timeouts (in seconds) for different link types */
#define ICMP_EXPIRE_TIME 60
#define UDP_EXPIRE_TIME 60
-#define PPTP_EXPIRE_TIME 60
+#define PROTO_EXPIRE_TIME 60
#define FRAGMENT_ID_EXPIRE_TIME 10
#define FRAGMENT_PTR_EXPIRE_TIME 30
@@ -256,16 +256,15 @@ struct alias_link /* Main data structure */
u_short proxy_port;
struct server *server;
- int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
+ int link_type; /* Type of link: TCP, UDP, ICMP, proto, frag */
/* values for link_type */
-#define LINK_ICMP 1
-#define LINK_UDP 2
-#define LINK_TCP 3
-#define LINK_FRAGMENT_ID 4
-#define LINK_FRAGMENT_PTR 5
-#define LINK_ADDR 6
-#define LINK_PPTP 7
+#define LINK_ICMP IPPROTO_ICMP
+#define LINK_UDP IPPROTO_UDP
+#define LINK_TCP IPPROTO_TCP
+#define LINK_FRAGMENT_ID (IPPROTO_MAX + 1)
+#define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2)
+#define LINK_ADDR (IPPROTO_MAX + 3)
int flags; /* indicates special characteristics */
@@ -329,7 +328,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
static int icmpLinkCount; /* Link statistics */
static int udpLinkCount;
static int tcpLinkCount;
-static int pptpLinkCount;
+static int protoLinkCount;
static int fragmentIdLinkCount;
static int fragmentPtrLinkCount;
static int sockCount;
@@ -455,18 +454,18 @@ ShowAliasStats(void)
if (monitorFile)
{
- fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
+ fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, proto=%d, frag_id=%d frag_ptr=%d",
icmpLinkCount,
udpLinkCount,
tcpLinkCount,
- pptpLinkCount,
+ protoLinkCount,
fragmentIdLinkCount,
fragmentPtrLinkCount);
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
icmpLinkCount + udpLinkCount
+ tcpLinkCount
- + pptpLinkCount
+ + protoLinkCount
+ fragmentIdLinkCount
+ fragmentPtrLinkCount,
sockCount);
@@ -738,17 +737,6 @@ IncrementalCleanup(void)
idelta = timeStamp - link->timestamp;
switch (link->link_type)
{
- case LINK_ICMP:
- case LINK_UDP:
- case LINK_FRAGMENT_ID:
- case LINK_FRAGMENT_PTR:
- case LINK_PPTP:
- if (idelta > link->expire_time)
- {
- DeleteLink(link);
- icount++;
- }
- break;
case LINK_TCP:
if (idelta > link->expire_time)
{
@@ -763,6 +751,13 @@ IncrementalCleanup(void)
}
}
break;
+ default:
+ if (idelta > link->expire_time)
+ {
+ DeleteLink(link);
+ icount++;
+ }
+ break;
}
link = link_next;
}
@@ -842,9 +837,6 @@ DeleteLink(struct alias_link *link)
if (link->data.tcp != NULL)
free(link->data.tcp);
break;
- case LINK_PPTP:
- pptpLinkCount--;
- break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount--;
break;
@@ -853,6 +845,11 @@ DeleteLink(struct alias_link *link)
if (link->data.frag_ptr != NULL)
free(link->data.frag_ptr);
break;
+ case LINK_ADDR:
+ break;
+ default:
+ protoLinkCount--;
+ break;
}
/* Free memory */
@@ -908,15 +905,17 @@ AddLink(struct in_addr src_addr,
case LINK_TCP:
link->expire_time = TCP_EXPIRE_INITIAL;
break;
- case LINK_PPTP:
- link->expire_time = PPTP_EXPIRE_TIME;
- break;
case LINK_FRAGMENT_ID:
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
break;
case LINK_FRAGMENT_PTR:
link->expire_time = FRAGMENT_PTR_EXPIRE_TIME;
break;
+ case LINK_ADDR:
+ break;
+ default:
+ link->expire_time = PROTO_EXPIRE_TIME;
+ break;
}
/* Determine alias flags */
@@ -994,15 +993,17 @@ AddLink(struct in_addr src_addr,
#endif
}
break;
- case LINK_PPTP:
- pptpLinkCount++;
- break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount++;
break;
case LINK_FRAGMENT_PTR:
fragmentPtrLinkCount++;
break;
+ case LINK_ADDR:
+ break;
+ default:
+ protoLinkCount++;
+ break;
}
}
else
@@ -1303,7 +1304,7 @@ FindLinkIn(struct in_addr dst_addr,
FindIcmpIn(), FindIcmpOut()
FindFragmentIn1(), FindFragmentIn2()
AddFragmentPtrLink(), FindFragmentPtr()
- FindPptpIn(), FindPptpOut()
+ FindProtoIn(), FindProtoOut()
FindUdpTcpIn(), FindUdpTcpOut()
FindOriginalAddress(), FindAliasAddress()
@@ -1400,14 +1401,15 @@ FindFragmentPtr(struct in_addr dst_addr,
struct alias_link *
-FindPptpIn(struct in_addr dst_addr,
- struct in_addr alias_addr)
+FindProtoIn(struct in_addr dst_addr,
+ struct in_addr alias_addr,
+ u_char proto)
{
struct alias_link *link;
link = FindLinkIn(dst_addr, alias_addr,
NO_DEST_PORT, 0,
- LINK_PPTP, 1);
+ proto, 1);
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
{
@@ -1416,7 +1418,7 @@ FindPptpIn(struct in_addr dst_addr,
target_addr = FindOriginalAddress(alias_addr);
link = AddLink(target_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
}
return (link);
@@ -1424,14 +1426,15 @@ FindPptpIn(struct in_addr dst_addr,
struct alias_link *
-FindPptpOut(struct in_addr src_addr,
- struct in_addr dst_addr)
+FindProtoOut(struct in_addr src_addr,
+ struct in_addr dst_addr,
+ u_char proto)
{
struct alias_link *link;
link = FindLinkOut(src_addr, dst_addr,
NO_SRC_PORT, NO_DEST_PORT,
- LINK_PPTP, 1);
+ proto, 1);
if (link == NULL)
{
@@ -1440,7 +1443,7 @@ FindPptpOut(struct in_addr src_addr,
alias_addr = FindAliasAddress(src_addr);
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
}
return (link);
@@ -2063,7 +2066,7 @@ UninitPacketAliasLog(void)
PacketAliasRedirectPort()
PacketAliasAddServer()
- PacketAliasRedirectPptp()
+ PacketAliasRedirectProto()
PacketAliasRedirectAddr()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
@@ -2151,32 +2154,32 @@ PacketAliasAddServer(struct alias_link *link, struct in_addr addr, u_short port)
}
/* Translate PPTP packets to a machine on the inside
- * XXX This function is made obsolete by PacketAliasRedirectPptp().
+ * XXX This function is made obsolete by PacketAliasRedirectProto().
*/
int
PacketAliasPptp(struct in_addr src_addr)
{
- if (src_addr.s_addr == INADDR_NONE)
- packetAliasMode |= PKT_ALIAS_DENY_PPTP;
- else
- (void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
+ if (src_addr.s_addr != INADDR_NONE)
+ (void)PacketAliasRedirectProto(src_addr, nullAddress, nullAddress,
+ IPPROTO_GRE);
return 1;
}
-/* Redirect PPTP packets from a specific
+/* Redirect packets of a given IP protocol from a specific
public address to a private address */
struct alias_link *
-PacketAliasRedirectPptp(struct in_addr src_addr,
- struct in_addr dst_addr,
- struct in_addr alias_addr)
+PacketAliasRedirectProto(struct in_addr src_addr,
+ struct in_addr dst_addr,
+ struct in_addr alias_addr,
+ u_char proto)
{
struct alias_link *link;
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
- LINK_PPTP);
+ proto);
if (link != NULL)
{
@@ -2185,7 +2188,7 @@ PacketAliasRedirectPptp(struct in_addr src_addr,
#ifdef DEBUG
else
{
- fprintf(stderr, "PacketAliasRedirectPptp(): "
+ fprintf(stderr, "PacketAliasRedirectProto(): "
"call to AddLink() failed\n");
}
#endif
@@ -2286,7 +2289,7 @@ PacketAliasInit(void)
icmpLinkCount = 0;
udpLinkCount = 0;
tcpLinkCount = 0;
- pptpLinkCount = 0;
+ protoLinkCount = 0;
fragmentIdLinkCount = 0;
fragmentPtrLinkCount = 0;
sockCount = 0;
diff --git a/sys/netinet/libalias/alias_local.h b/sys/netinet/libalias/alias_local.h
index a5d3cd7..ca93151 100644
--- a/sys/netinet/libalias/alias_local.h
+++ b/sys/netinet/libalias/alias_local.h
@@ -96,10 +96,10 @@ struct alias_link *
FindFragmentPtr(struct in_addr, u_short);
struct alias_link *
-FindPptpIn(struct in_addr, struct in_addr);
+FindProtoIn(struct in_addr, struct in_addr, u_char);
struct alias_link *
-FindPptpOut(struct in_addr, struct in_addr);
+FindProtoOut(struct in_addr, struct in_addr, u_char);
struct alias_link *
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
diff --git a/sys/netinet/libalias/libalias.3 b/sys/netinet/libalias/libalias.3
index 924262b..0344af5 100644
--- a/sys/netinet/libalias/libalias.3
+++ b/sys/netinet/libalias/libalias.3
@@ -227,15 +227,6 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
-.It Dv PKT_ALIAS_DENY_PPTP
-If this mode bit is set, all PPTP packets will be marked for being ignored
-(both
-.Fn PacketAliasIn
-and
-.Fn PacketAliasOut
-return
-.Dv PKT_ALIAS_IGNORED
-code).
.El
.Ed
.Pp
@@ -647,25 +638,17 @@ access, or to restrict access to certain external machines.
.Ed
.Pp
.Ft struct alias_link *
-.Fo PacketAliasRedirectPptp
+.Fo PacketAliasRedirectProto
.Fa "struct in_addr local_addr"
.Fa "struct in_addr remote_addr"
.Fa "struct in_addr alias_addr"
+.Fa "u_char proto"
.Fc
.Bd -ragged -offset indent
-This function specifies that any Point to Point Tunneling Protocol
-(PPTP) traffic from a given remote address to an alias address be
+This function specifies that any IP packet with protocol number of
+.Fa proto
+from a given remote address to an alias address be
redirected to a specified local address.
-Currently supported PPTP protocols include:
-.Pp
-.Bl -tag -width "IPPROTO_GRE" -compact
-.It IPPROTO_GRE
-Generic Routing Encapsulation (RFC 1702)
-.It IPPROTO_ESP
-IP Encapsulating Security Payload (RFC 1827)
-.It IPPROTO_AH
-IP Authentication Header (RFC 1826)
-.El
.Pp
If
.Fa local_addr
@@ -678,16 +661,16 @@ is to be used.
Even if
.Fn PacketAliasSetAddress
is called to change the address after
-.Fn PacketAliasRedirectPptp
+.Fn PacketAliasRedirectProto
is called, a zero reference will track this change.
.Pp
If
.Fa remote_addr
-is zero, this indicates to redirect PPTP packets from any remote address.
+is zero, this indicates to redirect packets from any remote address.
Non-zero remote addresses can sometimes be useful for firewalling.
.Pp
If two calls to
-.Fn PacketAliasRedirectPptp
+.Fn PacketAliasRedirectProto
overlap in their address specifications, then the most recent call
will have precedence.
.Pp
@@ -713,10 +696,8 @@ then PPTP aliasing is disabled.
.Pp
.Bf -symbolic
This function is made obsolete by
-.Fn PacketAliasRedirectPptp
-and
-.Dv PKT_ALIAS_DENY_PPTP
-mode bit, and is provided only for backward compatibility.
+.Fn PacketAliasRedirectProto ,
+and is provided only for backward compatibility.
.Ef
.Ed
.Sh FRAGMENT HANDLING