path: root/sys/netinet/libalias
Commit message [Author, Age, Files, Lines]
* Add support for multiple PPTP sessions: [ru, 2000-04-18, 5 files, -88/+265]
|   - new API function: PacketAliasRedirectPptp()
|   - new mode bit: PKT_ALIAS_DENY_PPTP
|
|   Please see manual page for details.
* Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established [ru, 2000-04-14, 1 file, -16/+10]
|   connections, after SYN packets were seen from both ends.  Before this,
|   it would get applied right after the first SYN packet was seen (either
|   from client or server).  With broken TCP connection attempts, when the
|   remote end does not respond with SYNACK nor with RST, this resulted in
|   having a useless (ie, no actual TCP connection associated with it) TCP
|   link with 86400 seconds TTL, wasting system memory.  With high rate of
|   such broken connection attempts (for example, remote end simply blocks
|   these connection attempts with ipfw(8) without sending RST back), this
|   could result in a denial-of-service.
|
|   PR: bin/17963
* A complete reformatting of manual page. [ru, 2000-04-13, 1 file, -724/+686]
|
* Make partially specified permanent links without `dst_addr' [ru, 2000-04-12, 1 file, -11/+15]
|   but with `dst_port' work for outgoing packets.  This case was not
|   handled properly when I first fixed this in revision 1.17.
|
|   This change is also required for the upcoming improved PPTP support
|   patches -- that is how I found the problem.
|
|   Before this change:
|
|   # natd -v -a aliasIP \
|       -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
|   Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
|       [TCP] aliasIP:localPORT -> remoteIP:remotePORT
|
|   After this change:
|
|   # natd -v -a aliasIP \
|       -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
|   Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
|       [TCP] publicIP:publicPORT -> remoteIP:remotePORT
* - Add support for FTP EPRT (RFC 2428) command. [ru, 2000-04-06, 1 file, -63/+169]
|   - Minor optimizations.
|   - Minor spelling fixes.
|
|   PR: 14305
|   Submitted by: ume
|   Rewritten by: ru
* - Remove unused includes. [ru, 2000-04-05, 1 file, -24/+96]
|   - Minor spelling fixes.
|   - Make IcmpAliasOut2() really work.
|
|   Before this change:
|
|   # natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
|   natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
|   In [UDP] [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
|       [UDP] X.X.X.X:49562 -> 192.168.1.1:50000
|   Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
|       [ICMP] A.A.A.A -> X.X.X.X 3(3)
|
|   # tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
|   tcpdump: listening on PUB_IFACE
|   X.X.X.X.49562 > P.P.P.P.50000: udp 3
|   A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable
|
|   After this change:
|
|   # natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
|   natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
|   In [UDP] [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
|       [UDP] X.X.X.X:49563 -> 192.168.1.1:50000
|   Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
|       [ICMP] P.P.P.P -> X.X.X.X 3(3)
|
|   # tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
|   tcpdump: listening on PUB_IFACE
|   X.X.X.X.49563 > P.P.P.P.50000: udp 3
|   P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
* - Moved NULL definition into private include file. [ru, 2000-04-05, 2 files, -7/+6]
|   - Minor spelling fixes.
* Minor spelling fixes. [ru, 2000-04-05, 2 files, -5/+7]
|
* Correct Charles Mott's email address [brian, 2000-04-02, 1 file, -1/+1]
|   Requested by: Charles Mott <cmott@scientech.com>
* Allow PacketAliasSetTarget() to be passed the following: [brian, 2000-03-31, 2 files, -13/+22]
|   INADDR_NONE: Incoming packets go to the alias address (the default)
|   INADDR_ANY: Incoming packets are not NAT'd (direct access to the
|       internal network from outside)
|   anything else: Incoming packets go to the specified address
|
|   Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
|   while I'm there.
* When an incoming packet is received that is not specifically [brian, 2000-03-31, 1 file, -1/+1]
|   redirected and when no target address has been specified, NAT the
|   destination address to the alias address rather than allowing people
|   direct access to your internal network from outside.
* Make _FindLinkIn() static and only define GetDestPort when [brian, 2000-03-19, 1 file, -2/+4]
|   NO_FW_PUNCH isn't defined.
* Remove single-space hard sentence breaks.  These degrade the quality [sheldonh, 2000-03-02, 1 file, -1/+2]
|   of the typeset output, tend to make diffs harder to read and provide
|   bad examples for new-comers to mdoc.
* -it do, among other things, clear out any [alfred, 2000-02-28, 1 file, -1/+1]
|   +it does, amongst other things, clear out any
|
|   The old sentence didn't seem to make sense.
* The flags PKT_ALIAS_PUNCH_FW and PKT_ALIAS_PROXY_ONLY were both [archie, 2000-02-02, 1 file, -1/+1]
|   being defined as 0x40.  Change the former to be 0x100.
|
|   Submitted by: Erik Salander <erik@whistle.com>
|   Approved by: jkh
* Mention what PKT_ALIAS_PROXY_ONLY does. [brian, 2000-02-02, 1 file, -1/+6]
|   Prompted by: archie
* Replace beforeinstall target with new variables used by .mk system. [rgrimes, 2000-01-14, 1 file, -4/+1]
|   Reviewed by: marcel, and make world
* Fix a '&&' that should have been a '&'. [archie, 1999-12-10, 1 file, -1/+1]
|   Submitted by: Erik Salander <erik@whistle.com>
* Fix several typos. [archie, 1999-12-09, 1 file, -17/+17]
|   Submitted by: Erik Salander <erik@whistle.com>
* Restore sub-chapters order. [phantom, 1999-11-09, 1 file, -19/+16]
|   PR: docs/14766
|   Submitted by: Kazutoshi Kubota <kazu@iworks.co.jp>
* Properly handle the case when either the aliasing or source address of [ru, 1999-09-27, 1 file, -26/+66]
|   the link are equal to the default aliasing address.  Do not zero them!
|
|   This will fix the problem with non-working links added with the source
|   and/or aliasing address equal to the default aliasing address, but the
|   default aliasing address is set later, after the link has been set up,
|   like both natd(8) and ppp(8) do (for objective reasons).
|
|   Reviewed by: Brian Somers <brian@FreeBSD.org>,
|       Eivind Eklund <eivind@FreeBSD.org>,
|       Charles Mott <cmott@srv.net>
* ReLink() partial links in FindLinkOut() in the same manner as we do it [ru, 1999-09-22, 1 file, -7/+15]
|   in FindLinkIn().  This will make TcpMonitorIn()/TcpMonitorOut() happy.
|
|   Reviewed by: eivind
* Restore previous version of FindLinkIn(). [ru, 1999-09-21, 1 file, -9/+8]
|   Instead, natd(8) should be fixed to call PacketAliasSetAddress() as
|   part of initialization, as required by libalias(3).
* - Make partially specified permanent links (without `dst_addr' and/or [ru, 1999-09-21, 1 file, -11/+25]
|   `dst_port') work for outgoing packets.
|   - Make permanent links whose `alias_addr' matches the primary aliasing
|   address `aliasAddress' work for incoming packets.
|   - Typo fixes.
|
|   Reviewed by: brian, eivind
* sys/errno.h -> errno.h [brian, 1999-09-21, 1 file, -1/+1]
|
* - Optimization to the previous (rev 1.15) commit. [ru, 1999-09-10, 1 file, -9/+11]
|   Requested by: eivind
|   Discussed with: eivind
|   Reviewed by: brian, eivind
* Handle TCP reset sequence properly. [ru, 1999-09-09, 1 file, -2/+2]
|   In the words of originator:
|
|   :If an incoming connection is initiated through natd and deny_incoming is
|   :not set, then a new alias_link structure is created to handle the link.
|   :If there is nothing listening for the incoming connection, then the kernel
|   :responds with a RST for the connection. However, this is not processed
|   :correctly in libalias/alias.c:TcpMonitor{In,Out} and
|   :libalias/alias_db.c:SetState{In,Out} as it thinks a connection
|   :has been established and therefore applies a timeout of 86400 seconds
|   :to the link.
|   :
|   :If many of these half-connections are initiated (during, for example, a
|   :port scan of the host), then many thousands of unnecessary links are
|   :created and the resident size of natd balloons to 20MB or more.
|
|   PR: 13639
|   Reviewed by: brian
* Fix typo. [ru, 1999-09-08, 1 file, -1/+1]
|
* Add $FreeBSD$ and spell Eklund properly. [billf, 1999-08-29, 7 files, -1/+14]
|   Approved by: brian (well, he approved adding $Id$)
* $Id$ -> $FreeBSD$ [peter, 1999-08-28, 5 files, -5/+5]
|
* Allow ppp to work with Nortel Networks Extranet Switch [brian, 1999-08-22, 1 file, -0/+6]
|   product and Windows NT tunneling.
|
|   Submitted by: Chain Lee <chain@nortelnetworks.com>
* Typo: 102 => 192 (PR: docs/13310 - Maxim Sobolev <sobomax@altavista.net>) [hoek, 1999-08-22, 1 file, -2/+2]
|
* Various man page cleanup: [mpp, 1999-08-15, 1 file, -17/+12]
|   - Sort xrefs
|   - FreeBSD.ORG -> FreeBSD.org
|   - Be consistent with section names as outlined in mdoc(7)
|   - Other misc mdoc cleanup.
|
|   PR: doc/13144
|   Submitted by: Alexy M. Zelkin <phantom@cris.net>
* Don't get caught in an infinite recursion when PKT_ALIAS_REVERSE [brian, 1999-06-22, 2 files, -5/+18]
|   is set.
|
|   Document PKT_ALIAS_REVERSE.
|
|   Pointed out by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.home.com>
|   PR: 12304
* brucify [brian, 1999-05-23, 1 file, -2/+2]
|   Mentioned by: sprice@hiwaay.net
* Make incoming packets work as keepalives, too.  This should fix problems [eivind, 1999-05-20, 1 file, -0/+1]
|   for some games.
|
|   Notified of problem by: tim@turbinegames.com
* Add missing ``.''. [brian, 1999-05-04, 1 file, -1/+1]
|
* Work around an egcs optimizer bug (i386).  This should fix the active ftp [luoqi, 1999-04-21, 1 file, -2/+4]
|   hang problem.  A bug report has been sent to cygnus.
* PacketAliasProxyRule takes a const char * [brian, 1999-03-25, 1 file, -1/+1]
|   Reminded by: bde
* Add a ``const'' and remove some inconsistent prototype args. [brian, 1999-03-24, 3 files, -4/+4]
|
* Remove duplicate line. [billf, 1999-03-23, 1 file, -1/+0]
|   Reviewed by: eivind
* Remove all diagnostics to stdout/stderr with #ifdef DEBUG [brian, 1999-03-09, 4 files, -22/+54]
|   Statify functions in alias_nbt.c
* Document PacketAliasPptp() and allow it to be disabled [brian, 1999-03-07, 2 files, -2/+31]
|   by passing INADDR_NONE.
* Remove unused function stubs. [brian, 1999-03-07, 1 file, -77/+0]
|
* Mention that PacketAliasProxyRule() doesn't accept host names, [brian, 1999-03-07, 1 file, -1/+3]
|   just IP numbers.
* Document PacketAliasProxyRule() and fix a typo. [brian, 1999-03-06, 1 file, -1/+88]
|
* Version 3.0: January 1, 1999 [brian, 1999-02-27, 7 files, -98/+1176]
|   - Transparent proxying support added.
|   - PPTP redirecting support added based on patches
|     contributed by Dru Nelson <dnelson@redwoodsoft.com>.
|
|   Submitted by: Charles Mott <cmott@srv.net>
* If we can't open alias.log, don't try to write to the [brian, 1999-01-10, 1 file, -2/+4]
|   resulting NULL FILE *.
|
|   PR: 9403
* Reviewed by: freebsd-current [dillon, 1998-12-14, 3 files, -44/+192]
|   Add bounds checking to netbios NS packet resolving code.  This should
|   prevent natd from crashing on badly formed netbios packets (as might be
|   heard when the machine is sitting on a cable modem or certain DSL
|   networks), and also closes potential security holes that might have
|   exploited the lack of bounds checking in the previous version of the
|   code.
* Fix a couple of typos. [jdp, 1998-11-19, 1 file, -3/+3]
|