path: root/lib/libalias
Commit message | Author | Age | Files | Lines
* natd core dumps when -reverse switch is used because of a bug in | phk | 2005-04-05 | 1 | -2/+2
  libalias. In /usr/src/lib/libalias/alias.c, the functions LibAliasIn and LibAliasOutTry call the legacy PacketAliasIn/PacketAliasOut instead of LibAliasIn/LibAliasOut when the PKT_ALIAS_REVERSE option is set. In this case, the context variable "la" gets lost because the legacy compatibility routines expect "la" to be global. This was obviously an oversight when rewriting the PacketAlias* functions to the LibAlias* functions. The fix (as shown in the patch below) is to remove the legacy subroutine calls and replace with the new ones using the "la" struct as the first arg.
  Submitted by: Gil Kloepfer <fgil@kloepfer.org>
  Confirmed by: <nicolai@catpipe.net>
  PR: 76839
  MFC after: 3 days
* Fix a problem in the Skinny ALG where a specially crafted packet could cause | marcus | 2005-03-03 | 1 | -4/+4
  a libalias application (e.g. natd, ppp, etc.) to crash. Note: Skinny support is not enabled in natd or ppp by default.
  Approved by: secteam (nectar)
  MFC after: 1 day
  Security: This fixes a remote DoS exploit
* Sort sections. | ru | 2005-01-20 | 1 | -5/+5
* include "alias.h", not <alias.h> | brian | 2005-01-10 | 1 | -1/+1
  MFC after: 3 days
* For variables that are only checked with defined(), don't provide | ru | 2004-10-24 | 1 | -1/+1
  any fake value.
* Fix outgoing ICMP on global instance. | phk | 2004-08-14 | 1 | -5/+5
* Fix Skinny and PPTP NAT'ing after the introduction of the {ip,tcp,udp}_next | marcus | 2004-08-04 | 2 | -2/+2
  functions. Basically, the ip_next() function was used to get the PPTP and Skinny headers when tcp_next() should have been used instead. Symptoms of this included a segfault in natd when trying to process a PPTP or Skinny packet.
  Approved by: des
* Push WARNS back up to 6, but define NO_WERROR; I want the warts out in the | des | 2004-07-06 | 1 | -1/+2
  open where people can see them and hopefully fix them.
* Introduce inline {ip,udp,tcp}_next() functions which take a pointer to an | des | 2004-07-06 | 12 | -52/+77
  {ip,udp,tcp} header and return a void * pointing to the payload (i.e. the first byte past the end of the header and any required padding). Use them consistently throughout libalias to a) reduce code duplication, b) improve code legibility, c) get rid of a bunch of alignment warnings.
* Rewrite twowords() to access its argument through a char pointer and not | des | 2004-07-06 | 1 | -3/+10
  a short pointer. The previous implementation seems to be in a gray zone of the C standard, and GCC generates incorrect code for it at -O2 or higher on some platforms.
* Temporarily lower WARNS to 3 while I figure out the alignment issues on | des | 2004-07-06 | 1 | -1/+1
  alpha.
* Make libalias WARNS?=6-clean. This mostly involves renaming variables | des | 2004-07-05 | 15 | -676/+721
  named link, foo_link or link_foo to lnk, foo_lnk or lnk_foo, fixing signed / unsigned comparisons, and shoving unused function arguments under the carpet. I was hoping WARNS?=6 might reveal more serious problems, and perhaps the source of the -O2 breakage, but found no smoking gun.
* Parenthesize return values. | des | 2004-07-05 | 6 | -120/+120
* Mechanical whitespace cleanup. | des | 2004-07-05 | 6 | -126/+126
* Add LibAliasOutTry() which checks a packet for a hit in the tables, but | phk | 2004-07-04 | 2 | -16/+29
  does not create a new entry if none is found.
* Mechanically kill hard sentence breaks. | ru | 2004-07-02 | 1 | -7/+7
* Bumped document date. | ru | 2004-07-01 | 1 | -5/+7
  Fixed markup.
  Fixed examples to match the new API.
* Unbreak natd. | deischen | 2004-04-02 | 1 | -0/+1
  Reported and submitted by: Sean McNeil (sean at mcneil.com)
* Raise WARNS level to 2. | des | 2004-03-31 | 1 | -0/+1
* Deal with aliasing warnings. | des | 2004-03-31 | 4 | -181/+63
  Reviewed by: ru
  Approved by: silence on the lists
* Run through indent(1) so I can read the code without getting a headache. | des | 2004-03-16 | 14 | -5317/+5233
  The result isn't quite knf, but it's knfer than the original, and far more consistent.
* Mostly mechanical rework of libalias: | phk | 2004-01-17 | 16 | -737/+1071
  Makes it possible to have multiple packet aliasing instances in a single process by moving all static and global variables into an instance structure called "struct libalias".
  Redefine a new API based on s/PacketAlias/LibAlias/g
  Add new "instance" argument to all functions in the new API.
  Implement old API in terms of the new API.
* Grrr...add the Skinny alias code forgotten in the last commit. | marcus | 2003-09-23 | 1 | -0/+338
* Add Cisco Skinny Station protocol support to libalias, natd, and ppp. | marcus | 2003-09-23 | 6 | -1/+30
  Skinny is the protocol used by Cisco IP phones to talk to Cisco Call Managers. With this code, one can use a Cisco IP phone behind a FreeBSD NAT gateway. Currently, having the Call Manager behind the NAT gateway is not supported. More information on enabling Skinny support in libalias, natd, and ppp can be found in those applications' manpages.
  PR: 55843
  Reviewed by: ru
  Approved by: ru
  MFC after: 30 days
* Fixed -Wpointer-arith warning. | ru | 2003-09-09 | 1 | -1/+1
  Submitted by: Stefan Farfeleder
  PR: bin/56653
* mdoc(7): Use the new feature of the .In macro. | ru | 2003-09-08 | 1 | -2/+2
* style.Makefile(5) | obrien | 2003-08-18 | 1 | -1/+1
* Stage 3 of dynamic root support. Make all the libraries needed to run | gordon | 2003-08-17 | 1 | -0/+1
  binaries in /bin and /sbin installed in /lib. Only the versioned files reside in /lib, the .so symlink continues to live in /usr/lib so the toolchain doesn't need to be modified.
* In the PKT_ALIAS_PROXY_ONLY mode, make sure to preserve the | ru | 2003-06-13 | 1 | -0/+4
  original source IP address, as promised in the manual page.
  Spotted by: Vaclav Petricek
* Removed a couple of .Xo/.Xc that are leftovers of the "ninth-argument | ru | 2003-06-13 | 1 | -9/+3
  limit" mdoc(7) atavism.
* Clarify that original address and port when doing transparent proxying | ru | 2003-06-13 | 1 | -5/+5
  are _destination_ address and port.
* Added myself to the AUTHORS section. | ru | 2003-06-13 | 1 | -0/+2
* The .Fn function | charnier | 2003-06-08 | 1 | -4/+6
* A new API function PacketAliasRedirectDynamic() can be used | ru | 2003-06-01 | 3 | -1/+36
  to mark a fully specified static link as dynamic; i.e. make it a one-time link.
* Make the PacketAliasSetAddress() function call optional. If it | ru | 2003-06-01 | 2 | -11/+18
  is not called, and no static rules match an outgoing packet, the latter retains its source IP address. This is in support of the "static NAT only" mode.
* style.Makefile(5) | obrien | 2003-04-20 | 1 | -7/+6
* Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, | schweikh | 2003-01-01 | 2 | -2/+2
  especially in troff files.
* Zap now-unused SHLIB_MINOR | peter | 2002-09-28 | 1 | -1/+0
* Don't forget to recalculate the IP checksum of the original | ru | 2002-07-23 | 1 | -4/+12
  IP datagram embedded into ICMP error message.
  Spotted by: tcpdump 3.7.1 (-vvv)
  MFC after: 3 days
* Move IPFW2 definition before including ip_fw.h | luigi | 2002-07-18 | 1 | -32/+30
  Make indentation of new parts consistent with the style used for this file.
* Fix a bug caused by dereferencing an invalid pointer when | luigi | 2002-07-08 | 1 | -62/+65
  no punch_fw was used.
  Fix another couple of bugs which prevented rules from being installed properly.
  On passing, use IPFW2 instead of NEW_IPFW to compile the new code, and slightly simplify the instruction generation code.
* Remove trailing whitespace | brian | 2002-07-01 | 10 | -142/+142
* The new ipfw code. | luigi | 2002-06-27 | 1 | -0/+118
  This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.

  The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules.

  The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.

  I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.

  In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) have not been implemented, but they will be soon.

  On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like

      ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

  This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.

  Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:

      10.20.30.0/26{18,44,33,22,9}

  which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).

  Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.

  The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
* Avoid unintentional trigraph. | wollman | 2002-05-30 | 1 | -1/+1
* Fixed the bug in transparent TCP proxying with the "encode_ip_hdr" | ru | 2001-12-18 | 1 | -1/+3
  option -- TcpAliasOut() did not catch the IP header length change.
  Submitted by: Stepachev Andrey <aka50@mail.ru>
* When servicing an internal FTP server, punch ipfirewall(4) holes | ru | 2001-11-27 | 1 | -5/+2
  for passive mode data connections (PASV/EPSV -> 227/229). Well, the actual punching happens a bit later, when the aliasing link becomes fully specified.
  Prodded by: Danny Carroll <dannycarroll@hotmail.com>
  MFC after: 1 week
* cmott@scientech.com -> cm@linktel.net | brian | 2001-11-03 | 9 | -10/+10
  Requested by: Charles Mott <cmott@scientech.com>
* mdoc(7) police: Use the new .In macro for #include statements. | ru | 2001-10-01 | 1 | -3/+3
* Add __FBSDID's to libalias | dillon | 2001-09-30 | 10 | -21/+32
* Fixed the bug that prevented communication with FTP servers behind | ru | 2001-09-21 | 1 | -3/+4
  NAT in extended passive mode if the server's public IP address was different from the main NAT address. This caused a wrong aliasing link to be created that did not route the incoming packets back to the original IP address of the server.

      natd -v -n pub0 -redirect_address localFTP publicFTP

  Note that even if localFTP == publicFTP, one still needs to supply the -redirect_address directive. It is needed as a helper because extended passive mode's 229 reply does not contain the IP address.
  MFC after: 1 week