path: root/lib/libalias/alias_db.c
Commit message | Author | Age | Files | Lines

* Move IPFW2 definition before including ip_fw.h | luigi | 2002-07-18 | 1 | -32/+30
  Make indentation of new parts consistent with the style used for this file.

* Fix a bug caused by dereferencing an invalid pointer when | luigi | 2002-07-08 | 1 | -62/+65
  no punch_fw was used. Fix another couple of bugs which prevented rules from
  being installed properly. On passing, use IPFW2 instead of NEW_IPFW to
  compile the new code, and slightly simplify the instruction generation code.

* Remove trailing whitespace | brian | 2002-07-01 | 1 | -35/+35

* The new ipfw code. | luigi | 2002-06-27 | 1 | -0/+118
  This code makes use of variable-size kernel representation of rules (exactly
  the same concept of BPF instructions, as used in the BSDI's firewall), which
  makes firewall operation a lot faster, and the code more readable and easier
  to extend and debug.

  The interface with the rest of the system is unchanged, as witnessed by this
  commit. The only extra kernel files that I am touching are if_fw.h and
  ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch
  those programs which manipulate the internal representation of firewall
  rules.

  The code is almost entirely new (and I believe I have written the vast
  majority of those sections which were taken from the former ip_fw.c), so
  rather than modifying the old ip_fw.c I decided to create a new file,
  sys/netinet/ip_fw2.c. Same for the user interface, which is in
  sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still
  there, and will be removed in due time. I have not renamed the header file
  because it would have required touching a one-line change to a number of
  kernel files.

  In terms of user interface, the new "ipfw" is supposed to accept the old
  syntax for ipfw rules (and produce the same output with "ipfw show"). Only a
  couple of the old options (out of some 30 of them) have not been implemented,
  but they will be soon.

  On the other hand, the new code has some very powerful extensions. First, you
  can put "or" connectives between match fields (and soon also between
  options), and write things like

      ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

  This should make rulesets slightly more compact (and lines longer!), by
  condensing 2 or more of the old rules into single ones.

  Also, as an example of how easy the rules can be extended, I have implemented
  an 'address set' match pattern, where you can specify an IP address in a
  format like this:

      10.20.30.0/26{18,44,33,22,9}

  which will match the set of hosts listed in braces belonging to the subnet
  10.20.30.0/26. The match is done using a bitmap, so it is essentially a
  constant time operation requiring a handful of CPU instructions (and a very
  small amount of memory -- for a full /24 subnet, the instruction only
  consumes 40 bytes).

  Again, in this commit I have focused on functionality and tried to minimize
  changes to the other parts of the system. Some performance improvement can be
  achieved with minor changes to the interface of ip_fw_chk_t. This will be
  done later when this code is settled.

  The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_*
  changes have been merged), for this reason you will see #ifdef
  __FreeBSD_version in a couple of places. This should minimize errors when
  (hopefully soon) it will be time to do the MFC.
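The 'address set' match described in the commit message above, as an added illustration written for this page (it is not ipfw2's kernel instruction or any code from the project): the pattern `10.20.30.0/26{18,44,33,22,9}` is compiled once into a 256-bit bitmap and an address is then matched with one mask-and-compare for subnet membership plus one shift and AND into the bitmap. The struct layout, the /24 lower bound on the prefix length (so the host part fits 256 bits), and the names addrset_t, addrset_parse, addrset_match and addrset_demo_match are this example's own assumptions. The struct happens to be 40 bytes, the figure the commit quotes for a full /24, but it is not ipfw2's encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example (not ipfw2's own code): an "address set" match of the form
 * A.B.C.D/len{n,n,...} compiled into a bitmap once, then matched in
 * constant time. All names below are this example's own. */

typedef struct {
    uint32_t base;      /* network address in host byte order */
    uint32_t hostmask;  /* bits that select a host inside the subnet */
    uint32_t bits[8];   /* 256-bit bitmap, one bit per host number */
} addrset_t;           /* 4 + 4 + 32 = 40 bytes, coincidentally the /24 figure above */

/* Parse "10.20.30.0/26{18,44,33,22,9}" into *set. Prefix lengths below /24
 * are rejected because the host part would not fit the 256-bit bitmap.
 * Returns 0 on success, -1 on any syntax or range error. */
int addrset_parse(const char *spec, addrset_t *set)
{
    const char *slash = strchr(spec, '/');
    const char *brace = strchr(spec, '{');
    char ipbuf[INET_ADDRSTRLEN];
    struct in_addr a;
    char *end;
    long len;

    if (slash == NULL || brace == NULL || brace < slash ||
        (size_t)(slash - spec) >= sizeof ipbuf)
        return -1;
    memcpy(ipbuf, spec, slash - spec);
    ipbuf[slash - spec] = '\0';
    if (inet_pton(AF_INET, ipbuf, &a) != 1)
        return -1;

    len = strtol(slash + 1, &end, 10);
    if (end != brace || len < 24 || len > 32)
        return -1;

    memset(set, 0, sizeof *set);
    set->hostmask = (1u << (32 - len)) - 1;        /* host numbers 0..hostmask */
    set->base = ntohl(a.s_addr) & ~set->hostmask;

    /* Every listed host number must lie inside the subnet: n <= hostmask. */
    for (const char *p = brace + 1;; p = end + 1) {
        long n = strtol(p, &end, 10);
        if (end == p || n < 0 || n > 255 || (uint32_t)n > set->hostmask)
            return -1;
        set->bits[n >> 5] |= 1u << (n & 31);
        if (*end == '}')
            return end[1] == '\0' ? 0 : -1;        /* nothing may follow '}' */
        if (*end != ',')
            return -1;
    }
}

/* Constant-time match: one mask/compare for subnet membership, then one
 * shift and one AND into the bitmap. Returns 1 on match, 0 otherwise. */
int addrset_match(const addrset_t *set, uint32_t host_order_ip)
{
    uint32_t off;
    if ((host_order_ip & ~set->hostmask) != set->base)
        return 0;                                  /* not in the subnet at all */
    off = host_order_ip & set->hostmask;
    return (int)((set->bits[off >> 5] >> (off & 31)) & 1u);
}

/* Convenience wrapper: parse spec, then match a dotted-quad address.
 * Returns 1 match, 0 no match, -1 if spec or ip is malformed. */
int addrset_demo_match(const char *spec, const char *ip)
{
    addrset_t set;
    struct in_addr a;
    if (addrset_parse(spec, &set) != 0 || inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    return addrset_match(&set, ntohl(a.s_addr));
}

int main(void)
{
    const char *spec = "10.20.30.0/26{18,44,33,22,9}";   /* constructed input */
    const char *probes[] = { "10.20.30.18", "10.20.30.19", "10.20.30.44",
                             "10.20.30.65", "10.20.31.18" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s %-14s -> %d\n", spec, probes[i],
               addrset_demo_match(spec, probes[i]));
    return 0;
}
```

Build with `cc -std=c99 -Wall addrset.c`. A set with sixty hosts in one /26 costs the same 40 bytes and the same handful of instructions to match as a set with one host, which is the property the commit message is pointing at; the parser is the only place that does any real work, and it runs once when the rule is installed.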
* cmott@scientech.com -> cm@linktel.net | brian | 2001-11-03 | 1 | -1/+1
  Requested by: Charles Mott <cmott@scientech.com>

* Add __FBSDID's to libalias | dillon | 2001-09-30 | 1 | -2/+3

* Make the copyright consistent. | brian | 2001-08-20 | 1 | -3/+0
  Previously approved by: Charles Mott <cmott@scientech.com>

* Add BSD-style copyright headers | brian | 2001-06-04 | 1 | -3/+31
  Approved by: Charles Mott <cmott@scientech.com>

* Add an integer field to keep protocol-specific flags with links. | ru | 2001-05-30 | 1 | -9/+7
  For FTP control connection, keep the CRLF end-of-line termination status in
  there. Fixed the bug when the first FTP command in a session was ignored.

  PR: 24048
  MFC after: 1 week

* Make header files conform to style(9). | brian | 2001-03-25 | 1 | -6/+8
  Reviewed by (*): bde
  (*) alias_local.h only got a cursory glance.

* Added boolean argument to link searching functions, indicating | ru | 2000-10-30 | 1 | -73/+14
  whether they should create a link if lookup has failed or not.

* A significant rewrite of PPTP aliasing code. | ru | 2000-10-30 | 1 | -56/+111
  PPTP links are no longer dropped by simple (and inappropriate in this case)
  "inactivity timeout" procedure, only when requested through the control
  connection.

  It is now possible to have multiple PPTP servers running behind NAT. Just
  redirect the incoming TCP traffic to port 1723, everything else is done
  transparently.

  Problems were reported and the fix was tested by:
  Michael Adler <Michael.Adler@compaq.com>, David Andersen <dga@lcs.mit.edu>

* A failure to allocate memory for auxiliary TCP data is now fatal. | ru | 2000-10-19 | 1 | -16/+15
  This fixes a null pointer dereference problem that is unlikely to happen in
  normal circumstances.

* Create aliasing links for incoming ICMP echo/timestamp requests. | ru | 2000-08-31 | 1 | -1/+14
  This makes outgoing ICMP echo/timestamp replies to be de-aliased with the
  right source IP, not exactly the primary aliasing IP.

* Fixed PunchFW code segmentation violation bug. | ru | 2000-08-14 | 1 | -5/+4
  Reported by: Christian Schade <chris@cube.sax.de>

* Use queue(3) LIST_* macros for doubly-linked lists. | ru | 2000-08-14 | 1 | -65/+18

* Add address translation support for RTSP/RTP used by RealPlayer and | archie | 2000-07-26 | 1 | -0/+213
  Quicktime streaming media applications.

  Add a BUGS section to the man page.

  Submitted by: Erik Salander <erik@whistle.com>

* Fixed PunchFWHole(): | ru | 2000-06-27 | 1 | -2/+3
  - ipfw always rejected rule with `neither in nor out' diagnostics.
  - number of src/dst ports was not set properly.

* - Removed PacketAliasPptp() API function. | ru | 2000-06-20 | 1 | -14/+0
  - SHLIB_MAJOR++.

* Added true support for PPTP aliasing. Some nice features include: | ru | 2000-06-20 | 1 | -3/+71
  - Multiple PPTP clients behind NAT to the same or different servers.
  - Single PPTP server behind NAT -- you just need to redirect TCP port 1723
    to a local machine. Multiple servers behind NAT is possible but would
    require a simple API change.
  - No API changes!

  For more information on how this works see comments at the start of the
  alias_pptp.c.

  PacketAliasPptp() is no longer necessary and will be removed soon.

  Submitted by: Erik Salander <erik@whistle.com>
  Reviewed by: ru
  Rewritten by: ru
  Reviewed by: Erik Salander <erik@whistle.com>

* - Added support for passive mode FTP by aliasing 227 replies. | ru | 2000-06-14 | 1 | -0/+19
    It does mean that it is now possible to run passive-mode FTP server
    behind NAT.
  - SECURITY: FTP aliasing engine now ensures that:
    o the segment preceding a PORT/227 segment terminates with a \r\n;
    o the IP address in the PORT/227 matches the source IP address of the
      packet;
    o the port number in the PORT command or 227 reply is greater than or
      equal to 1024.

  Submitted by: Erik Salander <erik@whistle.com>
  Reviewed by: ru
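The three SECURITY checks listed in the commit above, as an added example written for this page (it is not libalias's alias_ftp.c or any project code): a single function that accepts a PORT command or 227 reply for aliasing only if the previous segment ended in CRLF, the address embedded in the command equals the packet's source address, and the port is at least 1024. The function name ftp_port_ok, the parse_hostport helper and the sample control lines are this example's own; the CRLF state that libalias keeps as a per-link flag is passed in as a plain argument here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not libalias code: the three checks for a PORT command or
 * 227 reply on an FTP control connection, applied to one line of payload.
 * ftp_port_ok, parse_hostport and the sample lines are this example's own. */

/* Parse the h1,h2,h3,h4,p1,p2 tuple FTP uses in PORT and 227. Returns 0 and
 * fills *ip (host byte order) and *port, or -1 on malformed input. */
static int parse_hostport(const char *p, uint32_t *ip, unsigned *port)
{
    unsigned v[6];
    char *end;
    for (int i = 0; i < 6; i++) {
        long n = strtol(p, &end, 10);
        if (end == p || n < 0 || n > 255)
            return -1;
        v[i] = (unsigned)n;
        p = end;
        if (i < 5 && *p++ != ',')
            return -1;
    }
    *ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = v[4] * 256 + v[5];
    return 0;
}

/* line:            one FTP control line, e.g. "PORT 192,168,1,10,4,1\r\n"
 * prev_ended_crlf: whether the previous segment on this control connection
 *                  ended with \r\n (libalias keeps this as a link flag; here
 *                  it is an argument)
 * src_ip:          source address of the packet carrying the line
 * Returns 1 if the command/reply may be aliased, 0 if it must be left alone. */
int ftp_port_ok(const char *line, int prev_ended_crlf, const char *src_ip)
{
    struct in_addr src;
    uint32_t ip;
    unsigned port;
    const char *p;

    /* Check 1: a PORT/227 must start on a command boundary. Without this a
     * client could bury a second "PORT" in the tail of another command and
     * have the NAT act on it. */
    if (!prev_ended_crlf)
        return 0;

    if (strncmp(line, "PORT ", 5) == 0) {
        p = line + 5;
    } else if (strncmp(line, "227 ", 4) == 0) {
        p = strchr(line, '(');          /* "227 Entering Passive Mode (h1,...)" */
        if (p == NULL)
            return 0;
        p++;
    } else {
        return 0;                        /* not a line these checks apply to */
    }
    if (parse_hostport(p, &ip, &port) != 0)
        return 0;

    /* Check 2: the address in the command must be the sender's own, so the
     * NAT never opens a data channel towards a third host (FTP bounce). */
    if (inet_pton(AF_INET, src_ip, &src) != 1 || ip != ntohl(src.s_addr))
        return 0;

    /* Check 3: data ports below 1024 are refused, so a peer cannot aim the
     * data connection at a privileged service. */
    if (port < 1024)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample lines, all as if sent from 192.168.1.10. */
    struct { const char *line; int crlf; } s[] = {
        { "PORT 192,168,1,10,4,1\r\n", 1 },                         /* ok: port 1025 */
        { "PORT 192,168,1,10,0,21\r\n", 1 },                        /* port 21 */
        { "PORT 10,0,0,1,4,1\r\n", 1 },                             /* bounce */
        { "PORT 192,168,1,10,4,1\r\n", 0 },                         /* no CRLF before */
        { "227 Entering Passive Mode (192,168,1,10,4,1)\r\n", 1 },  /* ok */
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-50.*s -> %d\n", (int)strcspn(s[i].line, "\r\n"), s[i].line,
               ftp_port_ok(s[i].line, s[i].crlf, "192.168.1.10"));
    return 0;
}
```

The second check is the one with the most security weight: an FTP-aware NAT that rewrote and opened whatever address the client named would turn itself into a relay for the classic FTP bounce attack, and the third check keeps the data connection away from ports that only root-run services listen on.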
* Revert the default behaviour for incoming connections so | brian | 2000-05-11 | 1 | -1/+1
  that they (once again) go to the target machine rather than the alias
  address.

  PR: 18354
  Submitted by: ru

* Replace PacketAliasRedirectPptp() (which had nothing specific | ru | 2000-04-28 | 1 | -55/+58
  to PPTP) with more generic PacketAliasRedirectProto().

  Major number is not bumped because it is believed that no one has started
  using PacketAliasRedirectPptp() yet.

* Load Sharing using IP Network Address Translation (RFC 2391, LSNAT). | ru | 2000-04-27 | 1 | -27/+85
  LSNAT links are first created by either PacketAliasRedirectPort() or
  PacketAliasRedirectAddress() and then set up by one or more calls to
  PacketAliasAddServer().

* Add support for multiple PPTP sessions: | ru | 2000-04-18 | 1 | -40/+122
  - new API function: PacketAliasRedirectPptp()
  - new mode bit: PKT_ALIAS_DENY_PPTP

  Please see manual page for details.

* Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established | ru | 2000-04-14 | 1 | -16/+10
  connections, after SYN packets were seen from both ends. Before this, it
  would get applied right after the first SYN packet was seen (either from
  client or server).

  With broken TCP connection attempts, when the remote end does not respond
  with SYNACK nor with RST, this resulted in having a useless (ie, no actual
  TCP connection associated with it) TCP link with 86400 seconds TTL, wasting
  system memory. With high rate of such broken connection attempts (for
  example, remote end simply blocks these connection attempts with ipfw(8)
  without sending RST back), this could result in a denial-of-service.

  PR: bin/17963
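The rule the commit above describes, as an added example that is not libalias code: a TCP link is promoted to the TCP_EXPIRE_CONNECTED lifetime only after a SYN has been seen in each direction, shown side by side with the old behaviour that promoted on the first SYN. Only the 86400-second value comes from the commit message; the shorter lifetimes (300 and 90 seconds), the TH_* flag values defined locally, and the names tcp_link_t, tcp_link_observe, tcp_link_expire and ttl_after are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libalias code. Models the fix above: a NAT link for TCP
 * gets the long TCP_EXPIRE_CONNECTED lifetime only once a SYN has been seen
 * in both directions. Only the 86400 value is from the commit message; the
 * other constants and all names are this example's own. */

#define TCP_EXPIRE_INITIAL   300     /* assumed: handshake not complete */
#define TCP_EXPIRE_CONNECTED 86400   /* from the commit message */
#define TCP_EXPIRE_DEAD      90      /* assumed: FIN or RST seen */

#define TH_FIN 0x01                  /* same bit values as <netinet/tcp.h>, */
#define TH_SYN 0x02                  /* defined here to stay self-contained */
#define TH_RST 0x04

typedef struct {
    int syn_out;   /* SYN seen from the inside host */
    int syn_in;    /* SYN (normally SYN/ACK) seen from the outside host */
    int closing;   /* FIN or RST seen in either direction */
} tcp_link_t;

/* Feed one segment to the link. outgoing != 0 means inside -> outside. */
void tcp_link_observe(tcp_link_t *l, int outgoing, uint8_t flags)
{
    if (flags & TH_SYN) {
        if (outgoing)
            l->syn_out = 1;
        else
            l->syn_in = 1;
    }
    if (flags & (TH_FIN | TH_RST))
        l->closing = 1;
}

/* Lifetime the link should get. require_both_syns == 1 is the behaviour
 * after the fix; 0 reproduces the old rule (any SYN promotes the link). */
unsigned tcp_link_expire(const tcp_link_t *l, int require_both_syns)
{
    int established = require_both_syns ? (l->syn_out && l->syn_in)
                                        : (l->syn_out || l->syn_in);
    if (l->closing)
        return TCP_EXPIRE_DEAD;
    if (established)
        return TCP_EXPIRE_CONNECTED;
    return TCP_EXPIRE_INITIAL;
}

/* Replay a script of segments on a fresh link and return its lifetime.
 * Each character is one segment: uppercase = outgoing, lowercase = incoming;
 * S/s = SYN, A/a = ACK only, F/f = FIN, R/r = RST. Other characters are
 * ignored. */
unsigned ttl_after(const char *script, int require_both_syns)
{
    tcp_link_t l = { 0, 0, 0 };
    for (; *script; script++) {
        int outgoing = (*script >= 'A' && *script <= 'Z');
        uint8_t flags;
        switch (*script | 0x20) {        /* fold to lowercase */
        case 's': flags = TH_SYN; break;
        case 'a': flags = 0;      break;
        case 'f': flags = TH_FIN; break;
        case 'r': flags = TH_RST; break;
        default:  continue;
        }
        tcp_link_observe(&l, outgoing, flags);
    }
    return tcp_link_expire(&l, require_both_syns);
}

int main(void)
{
    /* Constructed segment sequences: a lone SYN, SYN retransmits, a normal
     * handshake, a server-behind-NAT handshake, and a closed connection. */
    const char *scripts[] = { "S", "SSS", "Ss", "sS", "SsA", "SsF" };
    printf("%-8s %8s %8s\n", "segments", "old", "fixed");
    for (size_t i = 0; i < sizeof scripts / sizeof scripts[0]; i++)
        printf("%-8s %8u %8u\n", scripts[i],
               ttl_after(scripts[i], 0), ttl_after(scripts[i], 1));
    return 0;
}
```

Running it shows that a lone or retransmitted SYN keeps the short lifetime under the fixed rule but a day-long one under the old rule, which is exactly the resource-exhaustion case the PR describes: each unanswered connection attempt used to pin an 86400-second link, so a flood of them could fill the link table with entries that no real connection would ever use.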
* Make partially specified permanent links without `dst_addr' | ru | 2000-04-12 | 1 | -11/+15
  but with `dst_port' work for outgoing packets. This case was not handled
  properly when I first fixed this in revision 1.17.

  This change is also required for the upcoming improved PPTP support patches
  -- that is how I found the problem.

  Before this change:

      # natd -v -a aliasIP \
          -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
      Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
                [TCP] aliasIP:localPORT -> remoteIP:remotePORT

  After this change:

      # natd -v -a aliasIP \
          -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
      Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
                [TCP] publicIP:publicPORT -> remoteIP:remotePORT

* Allow PacketAliasSetTarget() to be passed the following: | brian | 2000-03-31 | 1 | -12/+14
  INADDR_NONE: Incoming packets go to the alias address (the default)
  INADDR_ANY: Incoming packets are not NAT'd (direct access to the internal
              network from outside)
  anything else: Incoming packets go to the specified address

  Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY while I'm
  there.

* When an incoming packet is received that is not specifically | brian | 2000-03-31 | 1 | -1/+1
  redirected and when no target address has been specified, NAT the
  destination address to the alias address rather than allowing people direct
  access to your internal network from outside.

* Make _FindLinkIn() static and only define GetDestPort when | brian | 2000-03-19 | 1 | -2/+4
  NO_FW_PUNCH isn't defined.

* Fix a '&&' that should have been a '&'. | archie | 1999-12-10 | 1 | -1/+1
  Submitted by: Erik Salander <erik@whistle.com>

* Properly handle the case when either the aliasing or source address of | ru | 1999-09-27 | 1 | -26/+66
  the link are equal to the default aliasing address. Do not zero them!

  This will fix the problem with non-working links added with the source
  and/or aliasing address equal to the default aliasing address, but the
  default aliasing address is set later, after the link has been set up, like
  both natd(8) and ppp(8) do (for objective reasons).

  Reviewed by: Brian Somers <brian@FreeBSD.org>, Eivind Eklund
  <eivind@FreeBSD.org>, Charles Mott <cmott@srv.net>

* ReLink() partial links in FindLinkOut() in the same manner as we do it | ru | 1999-09-22 | 1 | -7/+15
  in FindLinkIn(). This will make TcpMonitorIn()/TcpMonitorOut() happy.

  Reviewed by: eivind

* Restore previous version of FindLinkIn(). | ru | 1999-09-21 | 1 | -9/+8
  Instead, natd(8) should be fixed to call PacketAliasSetAddress() as part of
  initialization, as required by libalias(3).

* - Make partially specified permanent links (without `dst_addr' and/or | ru | 1999-09-21 | 1 | -11/+25
    `dst_port') work for outgoing packets.
  - Make permanent links whose `alias_addr' matches the primary aliasing
    address `aliasAddress' work for incoming packets.
  - Typo fixes.

  Reviewed by: brian, eivind

* sys/errno.h -> errno.h | brian | 1999-09-21 | 1 | -1/+1

* Add $FreeBSD$ and spell Eklund properly. | billf | 1999-08-29 | 1 | -0/+2
  Approved by: brian (well, he approved adding $Id$)

* Make incoming packets work as keepalives, too. This should fix problems | eivind | 1999-05-20 | 1 | -0/+1
  for some games.

  Notified of problem by: tim@turbinegames.com

* Remove all diagnostics to stdout/stderr with #ifdef DEBUG | brian | 1999-03-09 | 1 | -0/+28
  Statify functions in alias_nbt.c

* Document PacketAliasPptp() and allow it to be disabled | brian | 1999-03-07 | 1 | -2/+1
  by passing INADDR_NONE.

* Version 3.0: January 1, 1999 | brian | 1999-02-27 | 1 | -23/+85
  - Transparent proxying support added.
  - PPTP redirecting support added based on patches contributed by Dru Nelson
    <dnelson@redwoodsoft.com>.

  Submitted by: Charles Mott <cmott@srv.net>

* If we can't open alias.log, don't try to write to the | brian | 1999-01-10 | 1 | -2/+4
  resulting NULL FILE *.

  PR: 9403

* o Support a compile-time -DNO_FW_PUNCH for portability | brian | 1998-04-19 | 1 | -0/+15
    (and those of us that don't want the functionality).
  o Don't assume sizeof(long) == 4.

  Ok'd by: Charles Mott <cmott@srv.net>

* 1) in CleanupAliasData, don't nullify entry in linkTableOut | brian | 1998-02-27 | 1 | -4/+2
     since there might be permanent entries still left after calls to
     DeleteLink (it will be nullified by DeleteLink if all entries are
     deleted, won't it ?)
  2) in PacketAliasSetAddress, set the aliasing address even when
     PKT_ALIAS_RESET_ON_ADDR_CHANGE is in effect. Just don't clean up links in
     this case.

  Submitted by: Ari Suutari <ari@suutari.iki.fi>
  via: Charles Mott <cmott@srv.net>
  PR: 5041

* Remove use of <osreldate.h>. | eivind | 1998-01-11 | 1 | -6/+0
  Screwed up by: myself

* Sync with ipfw interface change: fw_pts is now part of a union (a | alex | 1998-01-10 | 1 | -5/+5
  necessary evil due to the 108 byte setsockopt() limit).

* include <net/if.h> and restore this to sanity. | jkh | 1998-01-10 | 1 | -0/+1

* Teach libalias to work with IPFW firewalls (controlled by a flag). | eivind | 1998-01-09 | 1 | -66/+357
  Obtained from: Yes development tree (+ 10 lines of patches from Charles
  Mott, original libalias author)

* Fix file descriptor leak. | brian | 1997-08-11 | 1 | -0/+1
  Submitted by: Charles Mott <cmott@srv.net>
  Identified by: Gordon Burditt

* Update to version 2.2. Only the PacketAlias*() | brian | 1997-08-03 | 1 | -87/+54
  functions should now be used. The old 2.1 stuff is there for backwards
  compatibility.

  Submitted by: Charles Mott <cmott@snake.srv.net>