1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2001 Charles Mott <cm@linktel.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 /* 33 Alias.c provides supervisory control for the functions of the 34 packet aliasing software. It consists of routines to monitor 35 TCP connection state, protocol-specific aliasing routines, 36 fragment handling and the following outside world functional 37 interfaces: SaveFragmentPtr, GetFragmentPtr, FragmentAliasIn, 38 PacketAliasIn and PacketAliasOut. 39 40 The other C program files are briefly described. The data 41 structure framework which holds information needed to translate 42 packets is encapsulated in alias_db.c. Data is accessed by 43 function calls, so other segments of the program need not know 44 about the underlying data structures. Alias_ftp.c contains 45 special code for modifying the ftp PORT command used to establish 46 data connections, while alias_irc.c does the same for IRC 47 DCC. Alias_util.c contains a few utility routines. 48 49 Version 1.0 August, 1996 (cjm) 50 51 Version 1.1 August 20, 1996 (cjm) 52 PPP host accepts incoming connections for ports 0 to 1023. 53 (Gary Roberts pointed out the need to handle incoming 54 connections.) 55 56 Version 1.2 September 7, 1996 (cjm) 57 Fragment handling error in alias_db.c corrected. 58 (Tom Torrance helped fix this problem.) 59 60 Version 1.4 September 16, 1996 (cjm) 61 - A more generalized method for handling incoming 62 connections, without the 0-1023 restriction, is 63 implemented in alias_db.c 64 - Improved ICMP support in alias.c. Traceroute 65 packet streams can now be correctly aliased. 66 - TCP connection closing logic simplified in 67 alias.c and now allows for additional 1 minute 68 "grace period" after FIN or RST is observed. 69 70 Version 1.5 September 17, 1996 (cjm) 71 Corrected error in handling incoming UDP packets with 0 checksum. 72 (Tom Torrance helped fix this problem.) 73 74 Version 1.6 September 18, 1996 (cjm) 75 Simplified ICMP aliasing scheme. Should now support 76 traceroute from Win95 as well as FreeBSD. 77 78 Version 1.7 January 9, 1997 (cjm) 79 - Out-of-order fragment handling. 80 - IP checksum error fixed for ftp transfers 81 from aliasing host. 82 - Integer return codes added to all 83 aliasing/de-aliasing functions. 84 - Some obsolete comments cleaned up. 85 - Differential checksum computations for 86 IP header (TCP, UDP and ICMP were already 87 differential). 88 89 Version 2.1 May 1997 (cjm) 90 - Added support for outgoing ICMP error 91 messages. 92 - Added two functions PacketAliasIn2() 93 and PacketAliasOut2() for dynamic address 94 control (e.g. round-robin allocation of 95 incoming packets). 96 97 Version 2.2 July 1997 (cjm) 98 - Rationalized API function names to begin 99 with "PacketAlias..." 100 - Eliminated PacketAliasIn2() and 101 PacketAliasOut2() as poorly conceived. 102 103 Version 2.3 Dec 1998 (dillon) 104 - Major bounds checking additions, see FreeBSD/CVS 105 106 Version 3.1 May, 2000 (salander) 107 - Added hooks to handle PPTP. 108 109 Version 3.2 July, 2000 (salander and satoh) 110 - Added PacketUnaliasOut routine. 111 - Added hooks to handle RTSP/RTP. 112 113 See HISTORY file for additional revisions. 114 */ 115 116 #ifdef _KERNEL 117 #include <sys/param.h> 118 #include <sys/systm.h> 119 #include <sys/mbuf.h> 120 #include <sys/sysctl.h> 121 #else 122 #include <sys/types.h> 123 #include <stdlib.h> 124 #include <stdio.h> 125 #include <ctype.h> 126 #include <dlfcn.h> 127 #include <errno.h> 128 #include <string.h> 129 #endif 130 131 #include <netinet/in_systm.h> 132 #include <netinet/in.h> 133 #include <netinet/ip.h> 134 #include <netinet/ip_icmp.h> 135 #include <netinet/tcp.h> 136 #include <netinet/udp.h> 137 138 #ifdef _KERNEL 139 #include <netinet/libalias/alias.h> 140 #include <netinet/libalias/alias_local.h> 141 #include <netinet/libalias/alias_mod.h> 142 #else 143 #include <err.h> 144 #include "alias.h" 145 #include "alias_local.h" 146 #include "alias_mod.h" 147 #endif 148 149 /* 150 * Define libalias SYSCTL Node 151 */ 152 #ifdef SYSCTL_NODE 153 154 SYSCTL_DECL(_net_inet); 155 SYSCTL_DECL(_net_inet_ip); 156 SYSCTL_NODE(_net_inet_ip, OID_AUTO, alias, CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, 157 "Libalias sysctl API"); 158 159 #endif 160 161 static __inline int 162 twowords(void *p) 163 { 164 uint8_t *c = p; 165 166 #if BYTE_ORDER == LITTLE_ENDIAN 167 uint16_t s1 = ((uint16_t)c[1] << 8) + (uint16_t)c[0]; 168 uint16_t s2 = ((uint16_t)c[3] << 8) + (uint16_t)c[2]; 169 #else 170 uint16_t s1 = ((uint16_t)c[0] << 8) + (uint16_t)c[1]; 171 uint16_t s2 = ((uint16_t)c[2] << 8) + (uint16_t)c[3]; 172 #endif 173 return (s1 + s2); 174 } 175 176 /* TCP Handling Routines 177 178 TcpMonitorIn() -- These routines monitor TCP connections, and 179 TcpMonitorOut() delete a link when a connection is closed. 180 181 These routines look for SYN, FIN and RST flags to determine when TCP 182 connections open and close. When a TCP connection closes, the data 183 structure containing packet aliasing information is deleted after 184 a timeout period. 185 */ 186 187 /* Local prototypes */ 188 static void TcpMonitorIn(u_char, struct alias_link *); 189 190 static void TcpMonitorOut(u_char, struct alias_link *); 191 192 static void 193 TcpMonitorIn(u_char th_flags, struct alias_link *lnk) 194 { 195 switch (GetStateIn(lnk)) { 196 case ALIAS_TCP_STATE_NOT_CONNECTED: 197 if (th_flags & TH_RST) 198 SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED); 199 else if (th_flags & TH_SYN) 200 SetStateIn(lnk, ALIAS_TCP_STATE_CONNECTED); 201 break; 202 case ALIAS_TCP_STATE_CONNECTED: 203 if (th_flags & (TH_FIN | TH_RST)) 204 SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED); 205 break; 206 } 207 } 208 209 static void 210 TcpMonitorOut(u_char th_flags, struct alias_link *lnk) 211 { 212 switch (GetStateOut(lnk)) { 213 case ALIAS_TCP_STATE_NOT_CONNECTED: 214 if (th_flags & TH_RST) 215 SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED); 216 else if (th_flags & TH_SYN) 217 SetStateOut(lnk, ALIAS_TCP_STATE_CONNECTED); 218 break; 219 case ALIAS_TCP_STATE_CONNECTED: 220 if (th_flags & (TH_FIN | TH_RST)) 221 SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED); 222 break; 223 } 224 } 225 226 /* Protocol Specific Packet Aliasing Routines 227 228 IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2() 229 IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2() 230 ProtoAliasIn(), ProtoAliasOut() 231 UdpAliasIn(), UdpAliasOut() 232 TcpAliasIn(), TcpAliasOut() 233 234 These routines handle protocol specific details of packet aliasing. 235 One may observe a certain amount of repetitive arithmetic in these 236 functions, the purpose of which is to compute a revised checksum 237 without actually summing over the entire data packet, which could be 238 unnecessarily time consuming. 239 240 The purpose of the packet aliasing routines is to replace the source 241 address of the outgoing packet and then correctly put it back for 242 any incoming packets. For TCP and UDP, ports are also re-mapped. 243 244 For ICMP echo/timestamp requests and replies, the following scheme 245 is used: the ID number is replaced by an alias for the outgoing 246 packet. 247 248 ICMP error messages are handled by looking at the IP fragment 249 in the data section of the message. 250 251 For TCP and UDP protocols, a port number is chosen for an outgoing 252 packet, and then incoming packets are identified by IP address and 253 port numbers. For TCP packets, there is additional logic in the event 254 that sequence and ACK numbers have been altered (as in the case for 255 FTP data port commands). 256 257 The port numbers used by the packet aliasing module are not true 258 ports in the Unix sense. No sockets are actually bound to ports. 259 They are more correctly thought of as placeholders. 260 261 All packets go through the aliasing mechanism, whether they come from 262 the gateway machine or other machines on a local area network. 263 */ 264 265 /* Local prototypes */ 266 static int IcmpAliasIn1(struct libalias *, struct ip *); 267 static int IcmpAliasIn2(struct libalias *, struct ip *); 268 static int IcmpAliasIn(struct libalias *, struct ip *); 269 270 static int IcmpAliasOut1(struct libalias *, struct ip *, int create); 271 static int IcmpAliasOut2(struct libalias *, struct ip *); 272 static int IcmpAliasOut(struct libalias *, struct ip *, int create); 273 274 static int ProtoAliasIn(struct libalias *la, struct in_addr ip_src, 275 struct ip *pip, u_char ip_p, u_short *ip_sum); 276 static int ProtoAliasOut(struct libalias *la, struct ip *pip, 277 struct in_addr ip_dst, u_char ip_p, u_short *ip_sum, 278 int create); 279 280 static int UdpAliasIn(struct libalias *, struct ip *); 281 static int UdpAliasOut(struct libalias *, struct ip *, int, int create); 282 283 static int TcpAliasIn(struct libalias *, struct ip *); 284 static int TcpAliasOut(struct libalias *, struct ip *, int, int create); 285 286 /* 287 De-alias incoming echo and timestamp replies. 288 Alias incoming echo and timestamp requests. 289 */ 290 static int 291 IcmpAliasIn1(struct libalias *la, struct ip *pip) 292 { 293 struct alias_link *lnk; 294 struct icmp *ic; 295 296 LIBALIAS_LOCK_ASSERT(la); 297 ic = (struct icmp *)ip_next(pip); 298 299 /* Get source address from ICMP data field and restore original data */ 300 lnk = FindIcmpIn(la, pip->ip_src, pip->ip_dst, ic->icmp_id, 1); 301 if (lnk != NULL) { 302 u_short original_id; 303 int accumulate; 304 305 original_id = GetOriginalPort(lnk); 306 307 /* Adjust ICMP checksum */ 308 accumulate = ic->icmp_id; 309 accumulate -= original_id; 310 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum); 311 312 /* Put original sequence number back in */ 313 ic->icmp_id = original_id; 314 315 /* Put original address back into IP header */ 316 { 317 struct in_addr original_address; 318 319 original_address = GetOriginalAddress(lnk); 320 DifferentialChecksum(&pip->ip_sum, 321 &original_address, &pip->ip_dst, 2); 322 pip->ip_dst = original_address; 323 } 324 325 return (PKT_ALIAS_OK); 326 } 327 return (PKT_ALIAS_IGNORED); 328 } 329 330 /* 331 Alias incoming ICMP error messages containing 332 IP header and first 64 bits of datagram. 333 */ 334 static int 335 IcmpAliasIn2(struct libalias *la, struct ip *pip) 336 { 337 struct ip *ip; 338 struct icmp *ic, *ic2; 339 struct udphdr *ud; 340 struct tcphdr *tc; 341 struct alias_link *lnk; 342 343 LIBALIAS_LOCK_ASSERT(la); 344 ic = (struct icmp *)ip_next(pip); 345 ip = &ic->icmp_ip; 346 347 ud = (struct udphdr *)ip_next(ip); 348 tc = (struct tcphdr *)ip_next(ip); 349 ic2 = (struct icmp *)ip_next(ip); 350 351 if (ip->ip_p == IPPROTO_UDP) 352 lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src, 353 ud->uh_dport, ud->uh_sport, 354 IPPROTO_UDP, 0); 355 else if (ip->ip_p == IPPROTO_TCP) 356 lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src, 357 tc->th_dport, tc->th_sport, 358 IPPROTO_TCP, 0); 359 else if (ip->ip_p == IPPROTO_ICMP) { 360 if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP) 361 lnk = FindIcmpIn(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0); 362 else 363 lnk = NULL; 364 } else 365 lnk = NULL; 366 367 if (lnk != NULL) { 368 if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) { 369 int accumulate, accumulate2; 370 struct in_addr original_address; 371 u_short original_port; 372 373 original_address = GetOriginalAddress(lnk); 374 original_port = GetOriginalPort(lnk); 375 376 /* Adjust ICMP checksum */ 377 accumulate = twowords(&ip->ip_src); 378 accumulate -= twowords(&original_address); 379 accumulate += ud->uh_sport; 380 accumulate -= original_port; 381 accumulate2 = accumulate; 382 accumulate2 += ip->ip_sum; 383 ADJUST_CHECKSUM(accumulate, ip->ip_sum); 384 accumulate2 -= ip->ip_sum; 385 ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum); 386 387 /* Un-alias address in IP header */ 388 DifferentialChecksum(&pip->ip_sum, 389 &original_address, &pip->ip_dst, 2); 390 pip->ip_dst = original_address; 391 392 /* Un-alias address and port number of 393 * original IP packet fragment contained 394 * in ICMP data section */ 395 ip->ip_src = original_address; 396 ud->uh_sport = original_port; 397 } else if (ip->ip_p == IPPROTO_ICMP) { 398 int accumulate, accumulate2; 399 struct in_addr original_address; 400 u_short original_id; 401 402 original_address = GetOriginalAddress(lnk); 403 original_id = GetOriginalPort(lnk); 404 405 /* Adjust ICMP checksum */ 406 accumulate = twowords(&ip->ip_src); 407 accumulate -= twowords(&original_address); 408 accumulate += ic2->icmp_id; 409 accumulate -= original_id; 410 accumulate2 = accumulate; 411 accumulate2 += ip->ip_sum; 412 ADJUST_CHECKSUM(accumulate, ip->ip_sum); 413 accumulate2 -= ip->ip_sum; 414 ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum); 415 416 /* Un-alias address in IP header */ 417 DifferentialChecksum(&pip->ip_sum, 418 &original_address, &pip->ip_dst, 2); 419 pip->ip_dst = original_address; 420 421 /* Un-alias address of original IP packet and 422 * sequence number of embedded ICMP datagram */ 423 ip->ip_src = original_address; 424 ic2->icmp_id = original_id; 425 } 426 return (PKT_ALIAS_OK); 427 } 428 return (PKT_ALIAS_IGNORED); 429 } 430 431 static int 432 IcmpAliasIn(struct libalias *la, struct ip *pip) 433 { 434 struct icmp *ic; 435 int iresult; 436 size_t dlen; 437 438 LIBALIAS_LOCK_ASSERT(la); 439 440 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); 441 if (dlen < ICMP_MINLEN) 442 return (PKT_ALIAS_IGNORED); 443 444 /* Return if proxy-only mode is enabled */ 445 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) 446 return (PKT_ALIAS_OK); 447 448 ic = (struct icmp *)ip_next(pip); 449 450 iresult = PKT_ALIAS_IGNORED; 451 switch (ic->icmp_type) { 452 case ICMP_ECHOREPLY: 453 case ICMP_TSTAMPREPLY: 454 if (ic->icmp_code == 0) { 455 iresult = IcmpAliasIn1(la, pip); 456 } 457 break; 458 case ICMP_UNREACH: 459 case ICMP_SOURCEQUENCH: 460 case ICMP_TIMXCEED: 461 case ICMP_PARAMPROB: 462 if (dlen < ICMP_ADVLENMIN || 463 dlen < (size_t)ICMP_ADVLEN(ic)) 464 return (PKT_ALIAS_IGNORED); 465 iresult = IcmpAliasIn2(la, pip); 466 break; 467 case ICMP_ECHO: 468 case ICMP_TSTAMP: 469 iresult = IcmpAliasIn1(la, pip); 470 break; 471 } 472 return (iresult); 473 } 474 475 /* 476 Alias outgoing echo and timestamp requests. 477 De-alias outgoing echo and timestamp replies. 478 */ 479 static int 480 IcmpAliasOut1(struct libalias *la, struct ip *pip, int create) 481 { 482 struct alias_link *lnk; 483 struct icmp *ic; 484 485 LIBALIAS_LOCK_ASSERT(la); 486 ic = (struct icmp *)ip_next(pip); 487 488 /* Save overwritten data for when echo packet returns */ 489 lnk = FindIcmpOut(la, pip->ip_src, pip->ip_dst, ic->icmp_id, create); 490 if (lnk != NULL) { 491 u_short alias_id; 492 int accumulate; 493 494 alias_id = GetAliasPort(lnk); 495 496 /* Since data field is being modified, adjust ICMP checksum */ 497 accumulate = ic->icmp_id; 498 accumulate -= alias_id; 499 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum); 500 501 /* Alias sequence number */ 502 ic->icmp_id = alias_id; 503 504 /* Change source address */ 505 { 506 struct in_addr alias_address; 507 508 alias_address = GetAliasAddress(lnk); 509 DifferentialChecksum(&pip->ip_sum, 510 &alias_address, &pip->ip_src, 2); 511 pip->ip_src = alias_address; 512 } 513 514 return (PKT_ALIAS_OK); 515 } 516 return (PKT_ALIAS_IGNORED); 517 } 518 519 /* 520 Alias outgoing ICMP error messages containing 521 IP header and first 64 bits of datagram. 522 */ 523 static int 524 IcmpAliasOut2(struct libalias *la, struct ip *pip) 525 { 526 struct ip *ip; 527 struct icmp *ic, *ic2; 528 struct udphdr *ud; 529 struct tcphdr *tc; 530 struct alias_link *lnk; 531 532 LIBALIAS_LOCK_ASSERT(la); 533 ic = (struct icmp *)ip_next(pip); 534 ip = &ic->icmp_ip; 535 536 ud = (struct udphdr *)ip_next(ip); 537 tc = (struct tcphdr *)ip_next(ip); 538 ic2 = (struct icmp *)ip_next(ip); 539 540 if (ip->ip_p == IPPROTO_UDP) 541 lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src, 542 ud->uh_dport, ud->uh_sport, 543 IPPROTO_UDP, 0); 544 else if (ip->ip_p == IPPROTO_TCP) 545 lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src, 546 tc->th_dport, tc->th_sport, 547 IPPROTO_TCP, 0); 548 else if (ip->ip_p == IPPROTO_ICMP) { 549 if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP) 550 lnk = FindIcmpOut(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0); 551 else 552 lnk = NULL; 553 } else 554 lnk = NULL; 555 556 if (lnk != NULL) { 557 if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) { 558 int accumulate; 559 struct in_addr alias_address; 560 u_short alias_port; 561 562 alias_address = GetAliasAddress(lnk); 563 alias_port = GetAliasPort(lnk); 564 565 /* Adjust ICMP checksum */ 566 accumulate = twowords(&ip->ip_dst); 567 accumulate -= twowords(&alias_address); 568 accumulate += ud->uh_dport; 569 accumulate -= alias_port; 570 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum); 571 572 /* 573 * Alias address in IP header if it comes from the host 574 * the original TCP/UDP packet was destined for. 575 */ 576 if (pip->ip_src.s_addr == ip->ip_dst.s_addr) { 577 DifferentialChecksum(&pip->ip_sum, 578 &alias_address, &pip->ip_src, 2); 579 pip->ip_src = alias_address; 580 } 581 /* Alias address and port number of original IP packet 582 * fragment contained in ICMP data section */ 583 ip->ip_dst = alias_address; 584 ud->uh_dport = alias_port; 585 } else if (ip->ip_p == IPPROTO_ICMP) { 586 int accumulate; 587 struct in_addr alias_address; 588 u_short alias_id; 589 590 alias_address = GetAliasAddress(lnk); 591 alias_id = GetAliasPort(lnk); 592 593 /* Adjust ICMP checksum */ 594 accumulate = twowords(&ip->ip_dst); 595 accumulate -= twowords(&alias_address); 596 accumulate += ic2->icmp_id; 597 accumulate -= alias_id; 598 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum); 599 600 /* 601 * Alias address in IP header if it comes from the host 602 * the original ICMP message was destined for. 603 */ 604 if (pip->ip_src.s_addr == ip->ip_dst.s_addr) { 605 DifferentialChecksum(&pip->ip_sum, 606 &alias_address, &pip->ip_src, 2); 607 pip->ip_src = alias_address; 608 } 609 /* Alias address of original IP packet and 610 * sequence number of embedded ICMP datagram */ 611 ip->ip_dst = alias_address; 612 ic2->icmp_id = alias_id; 613 } 614 return (PKT_ALIAS_OK); 615 } 616 return (PKT_ALIAS_IGNORED); 617 } 618 619 static int 620 IcmpAliasOut(struct libalias *la, struct ip *pip, int create) 621 { 622 int iresult; 623 struct icmp *ic; 624 625 LIBALIAS_LOCK_ASSERT(la); 626 (void)create; 627 628 /* Return if proxy-only mode is enabled */ 629 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) 630 return (PKT_ALIAS_OK); 631 632 ic = (struct icmp *)ip_next(pip); 633 634 iresult = PKT_ALIAS_IGNORED; 635 switch (ic->icmp_type) { 636 case ICMP_ECHO: 637 case ICMP_TSTAMP: 638 if (ic->icmp_code == 0) { 639 iresult = IcmpAliasOut1(la, pip, create); 640 } 641 break; 642 case ICMP_UNREACH: 643 case ICMP_SOURCEQUENCH: 644 case ICMP_TIMXCEED: 645 case ICMP_PARAMPROB: 646 iresult = IcmpAliasOut2(la, pip); 647 break; 648 case ICMP_ECHOREPLY: 649 case ICMP_TSTAMPREPLY: 650 iresult = IcmpAliasOut1(la, pip, create); 651 } 652 return (iresult); 653 } 654 655 /* 656 Handle incoming IP packets. The 657 only thing which is done in this case is to alias 658 the dest IP address of the packet to our inside 659 machine. 660 */ 661 static int 662 ProtoAliasIn(struct libalias *la, struct in_addr ip_src, 663 struct ip *pip, u_char ip_p, u_short *ip_sum) 664 { 665 struct alias_link *lnk; 666 667 LIBALIAS_LOCK_ASSERT(la); 668 /* Return if proxy-only mode is enabled */ 669 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) 670 return (PKT_ALIAS_OK); 671 672 lnk = FindProtoIn(la, ip_src, pip->ip_dst, ip_p); 673 if (lnk != NULL) { 674 struct in_addr original_address; 675 676 original_address = GetOriginalAddress(lnk); 677 678 /* Restore original IP address */ 679 DifferentialChecksum(ip_sum, 680 &original_address, &pip->ip_dst, 2); 681 pip->ip_dst = original_address; 682 683 return (PKT_ALIAS_OK); 684 } 685 return (PKT_ALIAS_IGNORED); 686 } 687 688 /* 689 Handle outgoing IP packets. The 690 only thing which is done in this case is to alias 691 the source IP address of the packet. 692 */ 693 static int 694 ProtoAliasOut(struct libalias *la, struct ip *pip, 695 struct in_addr ip_dst, u_char ip_p, u_short *ip_sum, int create) 696 { 697 struct alias_link *lnk; 698 699 LIBALIAS_LOCK_ASSERT(la); 700 701 /* Return if proxy-only mode is enabled */ 702 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) 703 return (PKT_ALIAS_OK); 704 705 if (!create) 706 return (PKT_ALIAS_IGNORED); 707 708 lnk = FindProtoOut(la, pip->ip_src, ip_dst, ip_p); 709 if (lnk != NULL) { 710 struct in_addr alias_address; 711 712 alias_address = GetAliasAddress(lnk); 713 714 /* Change source address */ 715 DifferentialChecksum(ip_sum, 716 &alias_address, &pip->ip_src, 2); 717 pip->ip_src = alias_address; 718 719 return (PKT_ALIAS_OK); 720 } 721 return (PKT_ALIAS_IGNORED); 722 } 723 724 #define MF_ISSET(_pip) (ntohs((_pip)->ip_off) & IP_MF) 725 #define FRAG_NO_HDR(_pip) (ntohs((_pip)->ip_off) & IP_OFFMASK) 726 727 static struct udphdr * 728 ValidateUdpLength(struct ip *pip) 729 { 730 struct udphdr *ud; 731 size_t dlen; 732 733 #ifdef _KERNEL 734 KASSERT(!FRAG_NO_HDR(pip), ("header-less fragment isn't expected here")); 735 #endif 736 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); 737 if (dlen < sizeof(struct udphdr)) 738 return (NULL); 739 ud = (struct udphdr *)ip_next(pip); 740 if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen)) 741 return (NULL); 742 return (ud); 743 } 744 745 static int 746 UdpAliasIn(struct libalias *la, struct ip *pip) 747 { 748 struct udphdr *ud; 749 struct alias_link *lnk; 750 751 LIBALIAS_LOCK_ASSERT(la); 752 753 ud = ValidateUdpLength(pip); 754 if (ud == NULL) 755 return (PKT_ALIAS_IGNORED); 756 757 lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst, 758 ud->uh_sport, ud->uh_dport, 759 IPPROTO_UDP, !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)); 760 if (lnk != NULL) { 761 struct in_addr alias_address; 762 struct in_addr original_address; 763 struct in_addr proxy_address; 764 u_short alias_port; 765 u_short proxy_port; 766 int accumulate; 767 int error; 768 struct alias_data ad = { 769 .lnk = lnk, 770 .oaddr = &original_address, 771 .aaddr = &alias_address, 772 .aport = &alias_port, 773 .sport = &ud->uh_sport, 774 .dport = &ud->uh_dport, 775 .maxpktsize = 0 776 }; 777 778 alias_address = GetAliasAddress(lnk); 779 original_address = GetOriginalAddress(lnk); 780 proxy_address = GetProxyAddress(lnk); 781 alias_port = ud->uh_dport; 782 ud->uh_dport = GetOriginalPort(lnk); 783 proxy_port = GetProxyPort(lnk); 784 785 /* Walk out chain. */ 786 error = find_handler(IN, UDP, la, pip, &ad); 787 /* If we cannot figure out the packet, ignore it. */ 788 if (error < 0) 789 return (PKT_ALIAS_IGNORED); 790 791 /* If UDP checksum is not zero, then adjust since 792 * destination port is being unaliased and 793 * destination address is being altered. */ 794 if (ud->uh_sum != 0) { 795 accumulate = alias_port; 796 accumulate -= ud->uh_dport; 797 accumulate += twowords(&alias_address); 798 accumulate -= twowords(&original_address); 799 800 /* If this is a proxy packet, modify checksum 801 * because of source change.*/ 802 if (proxy_port != 0) { 803 accumulate += ud->uh_sport; 804 accumulate -= proxy_port; 805 } 806 807 if (proxy_address.s_addr != 0) { 808 accumulate += twowords(&pip->ip_src); 809 accumulate -= twowords(&proxy_address); 810 } 811 812 ADJUST_CHECKSUM(accumulate, ud->uh_sum); 813 } 814 815 /* XXX: Could the two if's below be concatenated to one ? */ 816 /* Restore source port and/or address in case of proxying*/ 817 if (proxy_port != 0) 818 ud->uh_sport = proxy_port; 819 820 if (proxy_address.s_addr != 0) { 821 DifferentialChecksum(&pip->ip_sum, 822 &proxy_address, &pip->ip_src, 2); 823 pip->ip_src = proxy_address; 824 } 825 826 /* Restore original IP address */ 827 DifferentialChecksum(&pip->ip_sum, 828 &original_address, &pip->ip_dst, 2); 829 pip->ip_dst = original_address; 830 831 return (PKT_ALIAS_OK); 832 } 833 return (PKT_ALIAS_IGNORED); 834 } 835 836 static int 837 UdpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) 838 { 839 struct udphdr *ud; 840 struct alias_link *lnk; 841 struct in_addr dest_address; 842 struct in_addr proxy_server_address; 843 u_short dest_port; 844 u_short proxy_server_port; 845 int proxy_type; 846 847 LIBALIAS_LOCK_ASSERT(la); 848 849 ud = ValidateUdpLength(pip); 850 if (ud == NULL) 851 return (PKT_ALIAS_IGNORED); 852 853 /* Return if proxy-only mode is enabled and not proxyrule found.*/ 854 proxy_type = ProxyCheck(la, &proxy_server_address, &proxy_server_port, 855 pip->ip_src, pip->ip_dst, ud->uh_dport, pip->ip_p); 856 if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)) 857 return (PKT_ALIAS_OK); 858 859 /* If this is a transparent proxy, save original destination, 860 * then alter the destination and adjust checksums */ 861 dest_port = ud->uh_dport; 862 dest_address = pip->ip_dst; 863 864 if (proxy_type != 0) { 865 int accumulate; 866 867 accumulate = twowords(&pip->ip_dst); 868 accumulate -= twowords(&proxy_server_address); 869 870 ADJUST_CHECKSUM(accumulate, pip->ip_sum); 871 872 if (ud->uh_sum != 0) { 873 accumulate = twowords(&pip->ip_dst); 874 accumulate -= twowords(&proxy_server_address); 875 accumulate += ud->uh_dport; 876 accumulate -= proxy_server_port; 877 ADJUST_CHECKSUM(accumulate, ud->uh_sum); 878 } 879 pip->ip_dst = proxy_server_address; 880 ud->uh_dport = proxy_server_port; 881 } 882 lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst, 883 ud->uh_sport, ud->uh_dport, 884 IPPROTO_UDP, create); 885 if (lnk != NULL) { 886 u_short alias_port; 887 struct in_addr alias_address; 888 struct alias_data ad = { 889 .lnk = lnk, 890 .oaddr = NULL, 891 .aaddr = &alias_address, 892 .aport = &alias_port, 893 .sport = &ud->uh_sport, 894 .dport = &ud->uh_dport, 895 .maxpktsize = 0 896 }; 897 898 /* Save original destination address, if this is a proxy packet. 899 * Also modify packet to include destination encoding. This may 900 * change the size of IP header. */ 901 if (proxy_type != 0) { 902 SetProxyPort(lnk, dest_port); 903 SetProxyAddress(lnk, dest_address); 904 ProxyModify(la, lnk, pip, maxpacketsize, proxy_type); 905 ud = (struct udphdr *)ip_next(pip); 906 } 907 908 alias_address = GetAliasAddress(lnk); 909 alias_port = GetAliasPort(lnk); 910 911 /* Walk out chain. */ 912 find_handler(OUT, UDP, la, pip, &ad); 913 914 /* If UDP checksum is not zero, adjust since source port is */ 915 /* being aliased and source address is being altered */ 916 if (ud->uh_sum != 0) { 917 int accumulate; 918 919 accumulate = ud->uh_sport; 920 accumulate -= alias_port; 921 accumulate += twowords(&pip->ip_src); 922 accumulate -= twowords(&alias_address); 923 ADJUST_CHECKSUM(accumulate, ud->uh_sum); 924 } 925 /* Put alias port in UDP header */ 926 ud->uh_sport = alias_port; 927 928 /* Change source address */ 929 DifferentialChecksum(&pip->ip_sum, 930 &alias_address, &pip->ip_src, 2); 931 pip->ip_src = alias_address; 932 933 return (PKT_ALIAS_OK); 934 } 935 return (PKT_ALIAS_IGNORED); 936 } 937 938 static int 939 TcpAliasIn(struct libalias *la, struct ip *pip) 940 { 941 struct tcphdr *tc; 942 struct alias_link *lnk; 943 size_t dlen; 944 945 LIBALIAS_LOCK_ASSERT(la); 946 947 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); 948 if (dlen < sizeof(struct tcphdr)) 949 return (PKT_ALIAS_IGNORED); 950 tc = (struct tcphdr *)ip_next(pip); 951 952 lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst, 953 tc->th_sport, tc->th_dport, 954 IPPROTO_TCP, 955 !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)); 956 if (lnk != NULL) { 957 struct in_addr alias_address; 958 struct in_addr original_address; 959 struct in_addr proxy_address; 960 u_short alias_port; 961 u_short proxy_port; 962 int accumulate; 963 964 /* 965 * The init of MANY vars is a bit below, but aliashandlepptpin 966 * seems to need the destination port that came within the 967 * packet and not the original one looks below [*]. 968 */ 969 970 struct alias_data ad = { 971 .lnk = lnk, 972 .oaddr = NULL, 973 .aaddr = NULL, 974 .aport = NULL, 975 .sport = &tc->th_sport, 976 .dport = &tc->th_dport, 977 .maxpktsize = 0 978 }; 979 980 /* Walk out chain. */ 981 find_handler(IN, TCP, la, pip, &ad); 982 983 alias_address = GetAliasAddress(lnk); 984 original_address = GetOriginalAddress(lnk); 985 proxy_address = GetProxyAddress(lnk); 986 alias_port = tc->th_dport; 987 tc->th_dport = GetOriginalPort(lnk); 988 proxy_port = GetProxyPort(lnk); 989 990 /* 991 * Look above, if anyone is going to add find_handler AFTER 992 * this aliashandlepptpin/point, please redo alias_data too. 993 * Uncommenting the piece here below should be enough. 994 */ 995 #if 0 996 struct alias_data ad = { 997 .lnk = lnk, 998 .oaddr = &original_address, 999 .aaddr = &alias_address, 1000 .aport = &alias_port, 1001 .sport = &ud->uh_sport, 1002 .dport = &ud->uh_dport, 1003 .maxpktsize = 0 1004 }; 1005 1006 /* Walk out chain. */ 1007 error = find_handler(la, pip, &ad); 1008 if (error == EHDNOF) 1009 printf("Protocol handler not found\n"); 1010 #endif 1011 1012 /* Adjust TCP checksum since destination port is being 1013 * unaliased and destination port is being altered. */ 1014 accumulate = alias_port; 1015 accumulate -= tc->th_dport; 1016 accumulate += twowords(&alias_address); 1017 accumulate -= twowords(&original_address); 1018 1019 /* If this is a proxy, then modify the TCP source port 1020 * and checksum accumulation */ 1021 if (proxy_port != 0) { 1022 accumulate += tc->th_sport; 1023 tc->th_sport = proxy_port; 1024 accumulate -= tc->th_sport; 1025 accumulate += twowords(&pip->ip_src); 1026 accumulate -= twowords(&proxy_address); 1027 } 1028 /* See if ACK number needs to be modified */ 1029 if (GetAckModified(lnk) == 1) { 1030 int delta; 1031 1032 tc = (struct tcphdr *)ip_next(pip); 1033 delta = GetDeltaAckIn(tc->th_ack, lnk); 1034 if (delta != 0) { 1035 accumulate += twowords(&tc->th_ack); 1036 tc->th_ack = htonl(ntohl(tc->th_ack) - delta); 1037 accumulate -= twowords(&tc->th_ack); 1038 } 1039 } 1040 ADJUST_CHECKSUM(accumulate, tc->th_sum); 1041 1042 /* Restore original IP address */ 1043 accumulate = twowords(&pip->ip_dst); 1044 pip->ip_dst = original_address; 1045 accumulate -= twowords(&pip->ip_dst); 1046 1047 /* If this is a transparent proxy packet, 1048 * then modify the source address */ 1049 if (proxy_address.s_addr != 0) { 1050 accumulate += twowords(&pip->ip_src); 1051 pip->ip_src = proxy_address; 1052 accumulate -= twowords(&pip->ip_src); 1053 } 1054 ADJUST_CHECKSUM(accumulate, pip->ip_sum); 1055 1056 /* Monitor TCP connection state */ 1057 tc = (struct tcphdr *)ip_next(pip); 1058 TcpMonitorIn(tc->th_flags, lnk); 1059 1060 return (PKT_ALIAS_OK); 1061 } 1062 return (PKT_ALIAS_IGNORED); 1063 } 1064 1065 static int 1066 TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) 1067 { 1068 int proxy_type; 1069 u_short dest_port; 1070 u_short proxy_server_port; 1071 size_t dlen; 1072 struct in_addr dest_address; 1073 struct in_addr proxy_server_address; 1074 struct tcphdr *tc; 1075 struct alias_link *lnk; 1076 1077 LIBALIAS_LOCK_ASSERT(la); 1078 1079 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); 1080 if (dlen < sizeof(struct tcphdr)) 1081 return (PKT_ALIAS_IGNORED); 1082 tc = (struct tcphdr *)ip_next(pip); 1083 1084 if (create) 1085 proxy_type = ProxyCheck(la, &proxy_server_address, 1086 &proxy_server_port, pip->ip_src, pip->ip_dst, 1087 tc->th_dport, pip->ip_p); 1088 else 1089 proxy_type = 0; 1090 1091 if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)) 1092 return (PKT_ALIAS_OK); 1093 1094 /* If this is a transparent proxy, save original destination, 1095 * then alter the destination and adjust checksums */ 1096 dest_port = tc->th_dport; 1097 dest_address = pip->ip_dst; 1098 if (proxy_type != 0) { 1099 int accumulate; 1100 1101 accumulate = tc->th_dport; 1102 tc->th_dport = proxy_server_port; 1103 accumulate -= tc->th_dport; 1104 accumulate += twowords(&pip->ip_dst); 1105 accumulate -= twowords(&proxy_server_address); 1106 ADJUST_CHECKSUM(accumulate, tc->th_sum); 1107 1108 accumulate = twowords(&pip->ip_dst); 1109 pip->ip_dst = proxy_server_address; 1110 accumulate -= twowords(&pip->ip_dst); 1111 ADJUST_CHECKSUM(accumulate, pip->ip_sum); 1112 } 1113 lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst, 1114 tc->th_sport, tc->th_dport, 1115 IPPROTO_TCP, create); 1116 if (lnk == NULL) 1117 return (PKT_ALIAS_IGNORED); 1118 if (lnk != NULL) { 1119 u_short alias_port; 1120 struct in_addr alias_address; 1121 int accumulate; 1122 struct alias_data ad = { 1123 .lnk = lnk, 1124 .oaddr = NULL, 1125 .aaddr = &alias_address, 1126 .aport = &alias_port, 1127 .sport = &tc->th_sport, 1128 .dport = &tc->th_dport, 1129 .maxpktsize = maxpacketsize 1130 }; 1131 1132 /* Save original destination address, if this is a proxy packet. 1133 * Also modify packet to include destination 1134 * encoding. This may change the size of IP header. */ 1135 if (proxy_type != 0) { 1136 SetProxyPort(lnk, dest_port); 1137 SetProxyAddress(lnk, dest_address); 1138 ProxyModify(la, lnk, pip, maxpacketsize, proxy_type); 1139 tc = (struct tcphdr *)ip_next(pip); 1140 } 1141 /* Get alias address and port */ 1142 alias_port = GetAliasPort(lnk); 1143 alias_address = GetAliasAddress(lnk); 1144 1145 /* Monitor TCP connection state */ 1146 tc = (struct tcphdr *)ip_next(pip); 1147 TcpMonitorOut(tc->th_flags, lnk); 1148 1149 /* Walk out chain. */ 1150 find_handler(OUT, TCP, la, pip, &ad); 1151 1152 /* Adjust TCP checksum since source port is being aliased 1153 * and source address is being altered */ 1154 accumulate = tc->th_sport; 1155 tc->th_sport = alias_port; 1156 accumulate -= tc->th_sport; 1157 accumulate += twowords(&pip->ip_src); 1158 accumulate -= twowords(&alias_address); 1159 1160 /* Modify sequence number if necessary */ 1161 if (GetAckModified(lnk) == 1) { 1162 int delta; 1163 1164 tc = (struct tcphdr *)ip_next(pip); 1165 delta = GetDeltaSeqOut(tc->th_seq, lnk); 1166 if (delta != 0) { 1167 accumulate += twowords(&tc->th_seq); 1168 tc->th_seq = htonl(ntohl(tc->th_seq) + delta); 1169 accumulate -= twowords(&tc->th_seq); 1170 } 1171 } 1172 ADJUST_CHECKSUM(accumulate, tc->th_sum); 1173 1174 /* Change source address */ 1175 accumulate = twowords(&pip->ip_src); 1176 pip->ip_src = alias_address; 1177 accumulate -= twowords(&pip->ip_src); 1178 ADJUST_CHECKSUM(accumulate, pip->ip_sum); 1179 1180 return (PKT_ALIAS_OK); 1181 } 1182 return (PKT_ALIAS_IGNORED); 1183 } 1184 1185 /* Fragment Handling 1186 1187 FragmentIn() 1188 FragmentOut() 1189 1190 The packet aliasing module has a limited ability for handling IP 1191 fragments. If the ICMP, TCP or UDP header is in the first fragment 1192 received, then the ID number of the IP packet is saved, and other 1193 fragments are identified according to their ID number and IP address 1194 they were sent from. Pointers to unresolved fragments can also be 1195 saved and recalled when a header fragment is seen. 1196 */ 1197 1198 /* Local prototypes */ 1199 static int FragmentIn(struct libalias *la, struct in_addr ip_src, 1200 struct ip *pip, u_short ip_id, u_short *ip_sum); 1201 static int FragmentOut(struct libalias *, struct ip *pip, 1202 u_short *ip_sum); 1203 1204 static int 1205 FragmentIn(struct libalias *la, struct in_addr ip_src, struct ip *pip, 1206 u_short ip_id, u_short *ip_sum) 1207 { 1208 struct alias_link *lnk; 1209 1210 LIBALIAS_LOCK_ASSERT(la); 1211 lnk = FindFragmentIn2(la, ip_src, pip->ip_dst, ip_id); 1212 if (lnk != NULL) { 1213 struct in_addr original_address; 1214 1215 GetFragmentAddr(lnk, &original_address); 1216 DifferentialChecksum(ip_sum, 1217 &original_address, &pip->ip_dst, 2); 1218 pip->ip_dst = original_address; 1219 1220 return (PKT_ALIAS_OK); 1221 } 1222 return (PKT_ALIAS_UNRESOLVED_FRAGMENT); 1223 } 1224 1225 static int 1226 FragmentOut(struct libalias *la, struct ip *pip, u_short *ip_sum) 1227 { 1228 struct in_addr alias_address; 1229 1230 LIBALIAS_LOCK_ASSERT(la); 1231 alias_address = FindAliasAddress(la, pip->ip_src); 1232 DifferentialChecksum(ip_sum, 1233 &alias_address, &pip->ip_src, 2); 1234 pip->ip_src = alias_address; 1235 1236 return (PKT_ALIAS_OK); 1237 } 1238 1239 /* Outside World Access 1240 1241 PacketAliasSaveFragment() 1242 PacketAliasGetFragment() 1243 PacketAliasFragmentIn() 1244 PacketAliasIn() 1245 PacketAliasOut() 1246 PacketUnaliasOut() 1247 1248 (prototypes in alias.h) 1249 */ 1250 1251 int 1252 LibAliasSaveFragment(struct libalias *la, void *ptr) 1253 { 1254 int iresult; 1255 struct alias_link *lnk; 1256 struct ip *pip; 1257 1258 LIBALIAS_LOCK(la); 1259 pip = (struct ip *)ptr; 1260 lnk = AddFragmentPtrLink(la, pip->ip_src, pip->ip_id); 1261 iresult = PKT_ALIAS_ERROR; 1262 if (lnk != NULL) { 1263 SetFragmentPtr(lnk, ptr); 1264 iresult = PKT_ALIAS_OK; 1265 } 1266 LIBALIAS_UNLOCK(la); 1267 return (iresult); 1268 } 1269 1270 void * 1271 LibAliasGetFragment(struct libalias *la, void *ptr) 1272 { 1273 struct alias_link *lnk; 1274 void *fptr; 1275 struct ip *pip; 1276 1277 LIBALIAS_LOCK(la); 1278 pip = (struct ip *)ptr; 1279 lnk = FindFragmentPtr(la, pip->ip_src, pip->ip_id); 1280 if (lnk != NULL) { 1281 GetFragmentPtr(lnk, &fptr); 1282 SetFragmentPtr(lnk, NULL); 1283 SetExpire(lnk, 0); /* Deletes link */ 1284 } else 1285 fptr = NULL; 1286 1287 LIBALIAS_UNLOCK(la); 1288 return (fptr); 1289 } 1290 1291 void 1292 LibAliasFragmentIn(struct libalias *la, 1293 void *ptr, /* Points to correctly de-aliased header fragment */ 1294 void *ptr_fragment /* fragment which must be de-aliased */ 1295 ) 1296 { 1297 struct ip *pip; 1298 struct ip *fpip; 1299 1300 LIBALIAS_LOCK(la); 1301 (void)la; 1302 pip = (struct ip *)ptr; 1303 fpip = (struct ip *)ptr_fragment; 1304 1305 DifferentialChecksum(&fpip->ip_sum, 1306 &pip->ip_dst, &fpip->ip_dst, 2); 1307 fpip->ip_dst = pip->ip_dst; 1308 LIBALIAS_UNLOCK(la); 1309 } 1310 1311 /* Local prototypes */ 1312 static int 1313 LibAliasOutLocked(struct libalias *la, struct ip *pip, 1314 int maxpacketsize, int create); 1315 static int 1316 LibAliasInLocked(struct libalias *la, struct ip *pip, 1317 int maxpacketsize); 1318 1319 int 1320 LibAliasIn(struct libalias *la, void *ptr, int maxpacketsize) 1321 { 1322 int res; 1323 1324 LIBALIAS_LOCK(la); 1325 res = LibAliasInLocked(la, (struct ip *)ptr, maxpacketsize); 1326 LIBALIAS_UNLOCK(la); 1327 return (res); 1328 } 1329 1330 static int 1331 LibAliasInLocked(struct libalias *la, struct ip *pip, int maxpacketsize) 1332 { 1333 struct in_addr alias_addr; 1334 int iresult; 1335 1336 if (la->packetAliasMode & PKT_ALIAS_REVERSE) { 1337 la->packetAliasMode &= ~PKT_ALIAS_REVERSE; 1338 iresult = LibAliasOutLocked(la, pip, maxpacketsize, 1); 1339 la->packetAliasMode |= PKT_ALIAS_REVERSE; 1340 goto getout; 1341 } 1342 HouseKeeping(la); 1343 alias_addr = pip->ip_dst; 1344 1345 /* Defense against mangled packets */ 1346 if (ntohs(pip->ip_len) > maxpacketsize 1347 || (pip->ip_hl << 2) > maxpacketsize) { 1348 iresult = PKT_ALIAS_IGNORED; 1349 goto getout; 1350 } 1351 1352 if (FRAG_NO_HDR(pip)) { 1353 iresult = FragmentIn(la, pip->ip_src, pip, pip->ip_id, 1354 &pip->ip_sum); 1355 goto getout; 1356 } 1357 1358 iresult = PKT_ALIAS_IGNORED; 1359 switch (pip->ip_p) { 1360 case IPPROTO_ICMP: 1361 iresult = IcmpAliasIn(la, pip); 1362 break; 1363 case IPPROTO_UDP: 1364 iresult = UdpAliasIn(la, pip); 1365 break; 1366 case IPPROTO_TCP: 1367 iresult = TcpAliasIn(la, pip); 1368 break; 1369 #ifdef _KERNEL 1370 case IPPROTO_SCTP: 1371 iresult = SctpAlias(la, pip, SN_TO_LOCAL); 1372 break; 1373 #endif 1374 case IPPROTO_GRE: { 1375 int error; 1376 struct alias_data ad = { 1377 .lnk = NULL, 1378 .oaddr = NULL, 1379 .aaddr = NULL, 1380 .aport = NULL, 1381 .sport = NULL, 1382 .dport = NULL, 1383 .maxpktsize = 0 1384 }; 1385 1386 /* Walk out chain. */ 1387 error = find_handler(IN, IP, la, pip, &ad); 1388 if (error == 0) 1389 iresult = PKT_ALIAS_OK; 1390 else 1391 iresult = ProtoAliasIn(la, pip->ip_src, 1392 pip, pip->ip_p, &pip->ip_sum); 1393 break; 1394 } 1395 default: 1396 iresult = ProtoAliasIn(la, pip->ip_src, pip, 1397 pip->ip_p, &pip->ip_sum); 1398 break; 1399 } 1400 1401 if (MF_ISSET(pip)) { 1402 struct alias_link *lnk; 1403 1404 lnk = FindFragmentIn1(la, pip->ip_src, alias_addr, pip->ip_id); 1405 if (lnk != NULL) { 1406 iresult = PKT_ALIAS_FOUND_HEADER_FRAGMENT; 1407 SetFragmentAddr(lnk, pip->ip_dst); 1408 } else { 1409 iresult = PKT_ALIAS_ERROR; 1410 } 1411 } 1412 1413 getout: 1414 return (iresult); 1415 } 1416 1417 /* Unregistered address ranges */ 1418 1419 /* 10.0.0.0 -> 10.255.255.255 */ 1420 #define UNREG_ADDR_A_LOWER 0x0a000000 1421 #define UNREG_ADDR_A_UPPER 0x0affffff 1422 1423 /* 172.16.0.0 -> 172.31.255.255 */ 1424 #define UNREG_ADDR_B_LOWER 0xac100000 1425 #define UNREG_ADDR_B_UPPER 0xac1fffff 1426 1427 /* 192.168.0.0 -> 192.168.255.255 */ 1428 #define UNREG_ADDR_C_LOWER 0xc0a80000 1429 #define UNREG_ADDR_C_UPPER 0xc0a8ffff 1430 1431 /* 100.64.0.0 -> 100.127.255.255 (RFC 6598 - Carrier Grade NAT) */ 1432 #define UNREG_ADDR_CGN_LOWER 0x64400000 1433 #define UNREG_ADDR_CGN_UPPER 0x647fffff 1434 1435 int 1436 LibAliasOut(struct libalias *la, void *ptr, int maxpacketsize) 1437 { 1438 int res; 1439 1440 LIBALIAS_LOCK(la); 1441 res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, 1); 1442 LIBALIAS_UNLOCK(la); 1443 return (res); 1444 } 1445 1446 int 1447 LibAliasOutTry(struct libalias *la, void *ptr, int maxpacketsize, int create) 1448 { 1449 int res; 1450 1451 LIBALIAS_LOCK(la); 1452 res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, create); 1453 LIBALIAS_UNLOCK(la); 1454 return (res); 1455 } 1456 1457 static int 1458 LibAliasOutLocked(struct libalias *la, 1459 struct ip *pip, /* valid IP packet */ 1460 int maxpacketsize, /* How much the packet data may grow (FTP and IRC inline changes) */ 1461 int create /* Create new entries ? */ 1462 ) 1463 { 1464 int iresult; 1465 struct in_addr addr_save; 1466 1467 if (la->packetAliasMode & PKT_ALIAS_REVERSE) { 1468 la->packetAliasMode &= ~PKT_ALIAS_REVERSE; 1469 iresult = LibAliasInLocked(la, pip, maxpacketsize); 1470 la->packetAliasMode |= PKT_ALIAS_REVERSE; 1471 goto getout; 1472 } 1473 HouseKeeping(la); 1474 1475 /* Defense against mangled packets */ 1476 if (ntohs(pip->ip_len) > maxpacketsize 1477 || (pip->ip_hl << 2) > maxpacketsize) { 1478 iresult = PKT_ALIAS_IGNORED; 1479 goto getout; 1480 } 1481 1482 addr_save = GetDefaultAliasAddress(la); 1483 if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY || 1484 la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) { 1485 u_long addr; 1486 int iclass; 1487 1488 iclass = 0; 1489 addr = ntohl(pip->ip_src.s_addr); 1490 if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) 1491 iclass = 3; 1492 else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) 1493 iclass = 2; 1494 else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) 1495 iclass = 1; 1496 else if (addr >= UNREG_ADDR_CGN_LOWER && addr <= UNREG_ADDR_CGN_UPPER && 1497 la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) 1498 iclass = 4; 1499 1500 if (iclass == 0) { 1501 SetDefaultAliasAddress(la, pip->ip_src); 1502 } 1503 } else if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) { 1504 SetDefaultAliasAddress(la, pip->ip_src); 1505 } 1506 1507 if (FRAG_NO_HDR(pip)) { 1508 iresult = FragmentOut(la, pip, &pip->ip_sum); 1509 goto getout_restore; 1510 } 1511 1512 iresult = PKT_ALIAS_IGNORED; 1513 switch (pip->ip_p) { 1514 case IPPROTO_ICMP: 1515 iresult = IcmpAliasOut(la, pip, create); 1516 break; 1517 case IPPROTO_UDP: 1518 iresult = UdpAliasOut(la, pip, maxpacketsize, create); 1519 break; 1520 case IPPROTO_TCP: 1521 iresult = TcpAliasOut(la, pip, maxpacketsize, create); 1522 break; 1523 #ifdef _KERNEL 1524 case IPPROTO_SCTP: 1525 iresult = SctpAlias(la, pip, SN_TO_GLOBAL); 1526 break; 1527 #endif 1528 case IPPROTO_GRE: { 1529 int error; 1530 struct alias_data ad = { 1531 .lnk = NULL, 1532 .oaddr = NULL, 1533 .aaddr = NULL, 1534 .aport = NULL, 1535 .sport = NULL, 1536 .dport = NULL, 1537 .maxpktsize = 0 1538 }; 1539 /* Walk out chain. */ 1540 error = find_handler(OUT, IP, la, pip, &ad); 1541 if (error == 0) 1542 iresult = PKT_ALIAS_OK; 1543 else 1544 iresult = ProtoAliasOut(la, pip, 1545 pip->ip_dst, pip->ip_p, &pip->ip_sum, create); 1546 break; 1547 } 1548 default: 1549 iresult = ProtoAliasOut(la, pip, 1550 pip->ip_dst, pip->ip_p, &pip->ip_sum, create); 1551 break; 1552 } 1553 1554 getout_restore: 1555 SetDefaultAliasAddress(la, addr_save); 1556 getout: 1557 return (iresult); 1558 } 1559 1560 int 1561 LibAliasUnaliasOut(struct libalias *la, 1562 void *ptr, /* valid IP packet */ 1563 int maxpacketsize /* for error checking */ 1564 ) 1565 { 1566 struct ip *pip; 1567 struct icmp *ic; 1568 struct udphdr *ud; 1569 struct tcphdr *tc; 1570 struct alias_link *lnk; 1571 int iresult = PKT_ALIAS_IGNORED; 1572 1573 LIBALIAS_LOCK(la); 1574 pip = (struct ip *)ptr; 1575 1576 /* Defense against mangled packets */ 1577 if (ntohs(pip->ip_len) > maxpacketsize 1578 || (pip->ip_hl << 2) > maxpacketsize) 1579 goto getout; 1580 1581 ud = (struct udphdr *)ip_next(pip); 1582 tc = (struct tcphdr *)ip_next(pip); 1583 ic = (struct icmp *)ip_next(pip); 1584 1585 /* Find a link */ 1586 if (pip->ip_p == IPPROTO_UDP) 1587 lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src, 1588 ud->uh_dport, ud->uh_sport, 1589 IPPROTO_UDP, 0); 1590 else if (pip->ip_p == IPPROTO_TCP) 1591 lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src, 1592 tc->th_dport, tc->th_sport, 1593 IPPROTO_TCP, 0); 1594 else if (pip->ip_p == IPPROTO_ICMP) 1595 lnk = FindIcmpIn(la, pip->ip_dst, pip->ip_src, ic->icmp_id, 0); 1596 else 1597 lnk = NULL; 1598 1599 /* Change it from an aliased packet to an unaliased packet */ 1600 if (lnk != NULL) { 1601 if (pip->ip_p == IPPROTO_UDP || pip->ip_p == IPPROTO_TCP) { 1602 int accumulate; 1603 struct in_addr original_address; 1604 u_short original_port; 1605 1606 original_address = GetOriginalAddress(lnk); 1607 original_port = GetOriginalPort(lnk); 1608 1609 /* Adjust TCP/UDP checksum */ 1610 accumulate = twowords(&pip->ip_src); 1611 accumulate -= twowords(&original_address); 1612 1613 if (pip->ip_p == IPPROTO_UDP) { 1614 accumulate += ud->uh_sport; 1615 accumulate -= original_port; 1616 ADJUST_CHECKSUM(accumulate, ud->uh_sum); 1617 } else { 1618 accumulate += tc->th_sport; 1619 accumulate -= original_port; 1620 ADJUST_CHECKSUM(accumulate, tc->th_sum); 1621 } 1622 1623 /* Adjust IP checksum */ 1624 DifferentialChecksum(&pip->ip_sum, 1625 &original_address, &pip->ip_src, 2); 1626 1627 /* Un-alias source address and port number */ 1628 pip->ip_src = original_address; 1629 if (pip->ip_p == IPPROTO_UDP) 1630 ud->uh_sport = original_port; 1631 else 1632 tc->th_sport = original_port; 1633 1634 iresult = PKT_ALIAS_OK; 1635 } else if (pip->ip_p == IPPROTO_ICMP) { 1636 int accumulate; 1637 struct in_addr original_address; 1638 u_short original_id; 1639 1640 original_address = GetOriginalAddress(lnk); 1641 original_id = GetOriginalPort(lnk); 1642 1643 /* Adjust ICMP checksum */ 1644 accumulate = twowords(&pip->ip_src); 1645 accumulate -= twowords(&original_address); 1646 accumulate += ic->icmp_id; 1647 accumulate -= original_id; 1648 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum); 1649 1650 /* Adjust IP checksum */ 1651 DifferentialChecksum(&pip->ip_sum, 1652 &original_address, &pip->ip_src, 2); 1653 1654 /* Un-alias source address and port number */ 1655 pip->ip_src = original_address; 1656 ic->icmp_id = original_id; 1657 1658 iresult = PKT_ALIAS_OK; 1659 } 1660 } 1661 getout: 1662 LIBALIAS_UNLOCK(la); 1663 return (iresult); 1664 } 1665 1666 #ifndef _KERNEL 1667 1668 int 1669 LibAliasRefreshModules(void) 1670 { 1671 char buf[256], conf[] = "/etc/libalias.conf"; 1672 FILE *fd; 1673 int i, len; 1674 1675 fd = fopen(conf, "r"); 1676 if (fd == NULL) 1677 err(1, "fopen(%s)", conf); 1678 1679 LibAliasUnLoadAllModule(); 1680 1681 for (;;) { 1682 fgets(buf, 256, fd); 1683 if (feof(fd)) 1684 break; 1685 len = strlen(buf); 1686 if (len > 1) { 1687 for (i = 0; i < len; i++) 1688 if (!isspace(buf[i])) 1689 break; 1690 if (buf[i] == '#') 1691 continue; 1692 buf[len - 1] = '\0'; 1693 LibAliasLoadModule(buf); 1694 } 1695 } 1696 fclose(fd); 1697 return (0); 1698 } 1699 1700 int 1701 LibAliasLoadModule(char *path) 1702 { 1703 struct dll *t; 1704 void *handle; 1705 struct proto_handler *m; 1706 const char *error; 1707 moduledata_t *p; 1708 1709 handle = dlopen (path, RTLD_LAZY); 1710 if (!handle) { 1711 fprintf(stderr, "%s\n", dlerror()); 1712 return (EINVAL); 1713 } 1714 1715 p = dlsym(handle, "alias_mod"); 1716 if ((error = dlerror()) != NULL) { 1717 fprintf(stderr, "%s\n", dlerror()); 1718 return (EINVAL); 1719 } 1720 1721 t = malloc(sizeof(struct dll)); 1722 if (t == NULL) 1723 return (ENOMEM); 1724 strncpy(t->name, p->name, DLL_LEN); 1725 t->handle = handle; 1726 if (attach_dll(t) == EEXIST) { 1727 free(t); 1728 fprintf(stderr, "dll conflict\n"); 1729 return (EEXIST); 1730 } 1731 1732 m = dlsym(t->handle, "handlers"); 1733 if ((error = dlerror()) != NULL) { 1734 fprintf(stderr, "%s\n", error); 1735 return (EINVAL); 1736 } 1737 1738 LibAliasAttachHandlers(m); 1739 return (0); 1740 } 1741 1742 int 1743 LibAliasUnLoadAllModule(void) 1744 { 1745 struct dll *t; 1746 struct proto_handler *p; 1747 1748 /* Unload all modules then reload everything. */ 1749 while ((p = first_handler()) != NULL) { 1750 LibAliasDetachHandlers(p); 1751 } 1752 while ((t = walk_dll_chain()) != NULL) { 1753 dlclose(t->handle); 1754 free(t); 1755 } 1756 return (1); 1757 } 1758 1759 #endif 1760 1761 #ifdef _KERNEL 1762 /* 1763 * m_megapullup() - this function is a big hack. 1764 * Thankfully, it's only used in ng_nat and ipfw+nat. 1765 * 1766 * It allocates an mbuf with cluster and copies the specified part of the chain 1767 * into cluster, so that it is all contiguous and can be accessed via a plain 1768 * (char *) pointer. This is required, because libalias doesn't know how to 1769 * handle mbuf chains. 1770 * 1771 * On success, m_megapullup returns an mbuf (possibly with cluster) containing 1772 * the input packet, on failure NULL. The input packet is always consumed. 1773 */ 1774 struct mbuf * 1775 m_megapullup(struct mbuf *m, int len) 1776 { 1777 struct mbuf *mcl; 1778 1779 if (len > m->m_pkthdr.len) 1780 goto bad; 1781 1782 if (m->m_next == NULL && M_WRITABLE(m)) 1783 return (m); 1784 1785 if (len <= MJUMPAGESIZE) 1786 mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR); 1787 else if (len <= MJUM9BYTES) 1788 mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES); 1789 else if (len <= MJUM16BYTES) 1790 mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); 1791 else 1792 goto bad; 1793 if (mcl == NULL) 1794 goto bad; 1795 m_align(mcl, len); 1796 m_move_pkthdr(mcl, m); 1797 m_copydata(m, 0, len, mtod(mcl, caddr_t)); 1798 mcl->m_len = mcl->m_pkthdr.len = len; 1799 m_freem(m); 1800 1801 return (mcl); 1802 bad: 1803 m_freem(m); 1804 return (NULL); 1805 } 1806 #endif 1807