1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Charles Mott <cm@linktel.net> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 /* 30 Alias_db.c encapsulates all data structures used for storing 31 packet aliasing data. Other parts of the aliasing software 32 access data through functions provided in this file. 33 34 Data storage is based on the notion of a "link", which is 35 established for ICMP echo/reply packets, UDP datagrams and 36 TCP stream connections. A link stores the original source 37 and destination addresses. For UDP and TCP, it also stores 38 source and destination port numbers, as well as an alias 39 port number. Links are also used to store information about 40 fragments. 41 42 There is a facility for sweeping through and deleting old 43 links as new packets are sent through. A simple timeout is 44 used for ICMP and UDP links. TCP links are left alone unless 45 there is an incomplete connection, in which case the link 46 can be deleted after a certain amount of time. 47 48 Initial version: August, 1996 (cjm) 49 50 Version 1.4: September 16, 1996 (cjm) 51 Facility for handling incoming links added. 52 53 Version 1.6: September 18, 1996 (cjm) 54 ICMP data handling simplified. 55 56 Version 1.7: January 9, 1997 (cjm) 57 Fragment handling simplified. 58 Saves pointers for unresolved fragments. 59 Permits links for unspecified remote ports 60 or unspecified remote addresses. 61 Fixed bug which did not properly zero port 62 table entries after a link was deleted. 63 Cleaned up some obsolete comments. 64 65 Version 1.8: January 14, 1997 (cjm) 66 Fixed data type error in StartPoint(). 67 (This error did not exist prior to v1.7 68 and was discovered and fixed by Ari Suutari) 69 70 Version 1.9: February 1, 1997 71 Optionally, connections initiated from packet aliasing host 72 machine will will not have their port number aliased unless it 73 conflicts with an aliasing port already being used. (cjm) 74 75 All options earlier being #ifdef'ed are now available through 76 a new interface, SetPacketAliasMode(). This allows run time 77 control (which is now available in PPP+pktAlias through the 78 'alias' keyword). (ee) 79 80 Added ability to create an alias port without 81 either destination address or port specified. 82 port type = ALIAS_PORT_UNKNOWN_DEST_ALL (ee) 83 84 Removed K&R style function headers 85 and general cleanup. (ee) 86 87 Added packetAliasMode to replace compiler #defines's (ee) 88 89 Allocates sockets for partially specified 90 ports if ALIAS_USE_SOCKETS defined. (cjm) 91 92 Version 2.0: March, 1997 93 SetAliasAddress() will now clean up alias links 94 if the aliasing address is changed. (cjm) 95 96 PacketAliasPermanentLink() function added to support permanent 97 links. (J. Fortes suggested the need for this.) 98 Examples: 99 100 (192.168.0.1, port 23) <-> alias port 6002, unknown dest addr/port 101 102 (192.168.0.2, port 21) <-> alias port 3604, known dest addr 103 unknown dest port 104 105 These permanent links allow for incoming connections to 106 machines on the local network. They can be given with a 107 user-chosen amount of specificity, with increasing specificity 108 meaning more security. (cjm) 109 110 Quite a bit of rework to the basic engine. The portTable[] 111 array, which kept track of which ports were in use was replaced 112 by a table/linked list structure. (cjm) 113 114 SetExpire() function added. (cjm) 115 116 DeleteLink() no longer frees memory association with a pointer 117 to a fragment (this bug was first recognized by E. Eklund in 118 v1.9). 119 120 Version 2.1: May, 1997 (cjm) 121 Packet aliasing engine reworked so that it can handle 122 multiple external addresses rather than just a single 123 host address. 124 125 PacketAliasRedirectPort() and PacketAliasRedirectAddr() 126 added to the API. The first function is a more generalized 127 version of PacketAliasPermanentLink(). The second function 128 implements static network address translation. 129 130 Version 3.2: July, 2000 (salander and satoh) 131 Added FindNewPortGroup to get contiguous range of port values. 132 133 Added QueryUdpTcpIn and QueryUdpTcpOut to look for an aliasing 134 link but not actually add one. 135 136 Added FindRtspOut, which is closely derived from FindUdpTcpOut, 137 except that the alias port (from FindNewPortGroup) is provided 138 as input. 139 140 See HISTORY file for additional revisions. 141 */ 142 143 #ifndef _ALIAS_DB_H_ 144 #define _ALIAS_DB_H_ 145 146 147 /* 148 Constants (note: constants are also defined 149 near relevant functions or structs) 150 */ 151 152 /* Timeouts (in seconds) for different link types */ 153 #define ICMP_EXPIRE_TIME 60 154 #define UDP_EXPIRE_TIME 60 155 #define PROTO_EXPIRE_TIME 60 156 #define FRAGMENT_ID_EXPIRE_TIME 10 157 #define FRAGMENT_PTR_EXPIRE_TIME 30 158 159 /* TCP link expire time for different cases */ 160 /* When the link has been used and closed - minimal grace time to 161 allow ACKs and potential re-connect in FTP (XXX - is this allowed?) */ 162 #ifndef TCP_EXPIRE_DEAD 163 #define TCP_EXPIRE_DEAD 10 164 #endif 165 166 /* When the link has been used and closed on one side - the other side 167 is allowed to still send data */ 168 #ifndef TCP_EXPIRE_SINGLEDEAD 169 #define TCP_EXPIRE_SINGLEDEAD 90 170 #endif 171 172 /* When the link isn't yet up */ 173 #ifndef TCP_EXPIRE_INITIAL 174 #define TCP_EXPIRE_INITIAL 300 175 #endif 176 177 /* When the link is up */ 178 #ifndef TCP_EXPIRE_CONNECTED 179 #define TCP_EXPIRE_CONNECTED 86400 180 #endif 181 182 /* Dummy port number codes used for FindLinkIn/Out() and AddLink(). 183 These constants can be anything except zero, which indicates an 184 unknown port number. */ 185 186 #define NO_DEST_PORT 1 187 #define NO_SRC_PORT 1 188 189 /* Matches any/unknown address in FindLinkIn/Out() and AddLink(). */ 190 static struct in_addr const ANY_ADDR = { INADDR_ANY }; 191 192 /* Data Structures 193 194 The fundamental data structure used in this program is 195 "struct alias_link". Whenever a TCP connection is made, 196 a UDP datagram is sent out, or an ICMP echo request is made, 197 a link record is made (if it has not already been created). 198 The link record is identified by the source address/port 199 and the destination address/port. In the case of an ICMP 200 echo request, the source port is treated as being equivalent 201 with the 16-bit ID number of the ICMP packet. 202 203 The link record also can store some auxiliary data. For 204 TCP connections that have had sequence and acknowledgment 205 modifications, data space is available to track these changes. 206 A state field is used to keep track in changes to the TCP 207 connection state. ID numbers of fragments can also be 208 stored in the auxiliary space. Pointers to unresolved 209 fragments can also be stored. 210 211 The link records support several independent chainings. Lookup 212 tables for input and out tables hold the initial pointers 213 the link chains. On input, the lookup table indexes on alias 214 port and link type. On output, the lookup table indexes on 215 source address, destination address, source port, destination 216 port and link type. A internal_endpoint table is used for 217 endpoint-independent mapping, and indexes on source address, 218 source port and link type. 219 */ 220 221 /* used to save changes to ACK/sequence numbers */ 222 struct ack_data_record { 223 u_long ack_old; 224 u_long ack_new; 225 int delta; 226 int active; 227 }; 228 229 /* Information about TCP connection */ 230 struct tcp_state { 231 int in; /* State for outside -> inside */ 232 int out; /* State for inside -> outside */ 233 int index; /* Index to ACK data array */ 234 /* Indicates whether ACK and sequence numbers been modified */ 235 int ack_modified; 236 }; 237 238 /* Number of distinct ACK number changes 239 * saved for a modified TCP stream */ 240 #define N_LINK_TCP_DATA 3 241 struct tcp_dat { 242 struct tcp_state state; 243 struct ack_data_record ack[N_LINK_TCP_DATA]; 244 /* Which firewall record is used for this hole? */ 245 int fwhole; 246 }; 247 248 /* LSNAT server pool (circular list) */ 249 struct server { 250 struct in_addr addr; 251 u_short port; 252 struct server *next; 253 }; 254 255 /* Main data structure */ 256 struct alias_link { 257 struct libalias *la; 258 /* Address and port information */ 259 struct in_addr src_addr; 260 struct in_addr dst_addr; 261 struct in_addr alias_addr; 262 struct in_addr proxy_addr; 263 u_short src_port; 264 u_short dst_port; 265 u_short alias_port; 266 u_short proxy_port; 267 struct server *server; 268 /* Type of link: TCP, UDP, ICMP, proto, frag */ 269 int link_type; 270 /* values for link_type */ 271 #define LINK_ICMP IPPROTO_ICMP 272 #define LINK_UDP IPPROTO_UDP 273 #define LINK_TCP IPPROTO_TCP 274 #define LINK_FRAGMENT_ID (IPPROTO_MAX + 1) 275 #define LINK_FRAGMENT_PTR (IPPROTO_MAX + 2) 276 #define LINK_ADDR (IPPROTO_MAX + 3) 277 #define LINK_PPTP (IPPROTO_MAX + 4) 278 279 int flags; /* indicates special characteristics */ 280 int pflags; /* protocol-specific flags */ 281 /* flag bits */ 282 #define LINK_UNKNOWN_DEST_PORT 0x01 283 #define LINK_UNKNOWN_DEST_ADDR 0x02 284 #define LINK_PERMANENT 0x04 285 #define LINK_PARTIALLY_SPECIFIED 0x03 /* logical-or of first two bits */ 286 #define LINK_UNFIREWALLED 0x08 287 288 int timestamp; /* Time link was last accessed */ 289 #ifndef NO_USE_SOCKETS 290 int sockfd; /* socket descriptor */ 291 #endif 292 /* Linked list of pointers for input and output lookup tables */ 293 union { 294 struct { 295 SPLAY_ENTRY(alias_link) out; 296 LIST_ENTRY (alias_link) in; 297 SPLAY_ENTRY(alias_link) internal_endpoint; 298 } all; 299 struct { 300 LIST_ENTRY (alias_link) list; 301 } pptp; 302 }; 303 struct { 304 TAILQ_ENTRY(alias_link) list; 305 int time; /* Expire time for link */ 306 } expire; 307 /* Auxiliary data */ 308 union { 309 char *frag_ptr; 310 struct in_addr frag_addr; 311 struct tcp_dat *tcp; 312 } data; 313 }; 314 315 /* Clean up procedure. */ 316 static void finishoff(void); 317 318 /* Internal utility routines (used only in alias_db.c) 319 320 Lookup table starting points: 321 StartPointIn() -- link table initial search point for 322 incoming packets 323 StartPointOut() -- link table initial search point for 324 outgoing packets 325 326 Miscellaneous: 327 SeqDiff() -- difference between two TCP sequences 328 ShowAliasStats() -- send alias statistics to a monitor file 329 */ 330 331 /* Local prototypes */ 332 static struct group_in * 333 StartPointIn(struct libalias *, struct in_addr, u_short, int, int); 334 static int SeqDiff(u_long, u_long); 335 336 #ifndef NO_FW_PUNCH 337 /* Firewall control */ 338 static void InitPunchFW(struct libalias *); 339 static void UninitPunchFW(struct libalias *); 340 static void ClearFWHole(struct alias_link *); 341 342 #endif 343 344 /* Log file control */ 345 static void ShowAliasStats(struct libalias *); 346 static int InitPacketAliasLog(struct libalias *); 347 static void UninitPacketAliasLog(struct libalias *); 348 349 void SctpShowAliasStats(struct libalias *la); 350 351 352 /* Splay handling */ 353 static inline int 354 cmp_out(struct alias_link *a, struct alias_link *b) { 355 int i = a->src_port - b->src_port; 356 if (i != 0) return (i); 357 if (a->src_addr.s_addr > b->src_addr.s_addr) return (1); 358 if (a->src_addr.s_addr < b->src_addr.s_addr) return (-1); 359 if (a->dst_addr.s_addr > b->dst_addr.s_addr) return (1); 360 if (a->dst_addr.s_addr < b->dst_addr.s_addr) return (-1); 361 i = a->dst_port - b->dst_port; 362 if (i != 0) return (i); 363 i = a->link_type - b->link_type; 364 return (i); 365 } 366 SPLAY_PROTOTYPE(splay_out, alias_link, all.out, cmp_out); 367 368 static inline int 369 cmp_in(struct group_in *a, struct group_in *b) { 370 int i = a->alias_port - b->alias_port; 371 if (i != 0) return (i); 372 i = a->link_type - b->link_type; 373 if (i != 0) return (i); 374 if (a->alias_addr.s_addr > b->alias_addr.s_addr) return (1); 375 if (a->alias_addr.s_addr < b->alias_addr.s_addr) return (-1); 376 return (0); 377 } 378 SPLAY_PROTOTYPE(splay_in, group_in, in, cmp_in); 379 380 static inline int 381 cmp_internal_endpoint(struct alias_link *a, struct alias_link *b) { 382 int i = a->link_type - b->link_type; 383 if (i != 0) return (i); 384 if (a->src_addr.s_addr > b->src_addr.s_addr) return (1); 385 if (a->src_addr.s_addr < b->src_addr.s_addr) return (-1); 386 i = a->src_port - b->src_port; 387 return (i); 388 } 389 SPLAY_PROTOTYPE(splay_internal_endpoint, alias_link, all.internal_endpoint, 390 cmp_internal_endpoint); 391 392 /* Internal routines for finding, deleting and adding links 393 394 Port Allocation: 395 GetNewPort() -- find and reserve new alias port number 396 GetSocket() -- try to allocate a socket for a given port 397 398 Link creation and deletion: 399 CleanupAliasData() - remove all link chains from lookup table 400 CleanupLink() - look for a stale link 401 DeleteLink() - remove link 402 AddLink() - add link 403 ReLink() - change link 404 405 Link search: 406 FindLinkOut() - find link for outgoing packets 407 FindLinkIn() - find link for incoming packets 408 FindLinkByInternalEndpoint() - find link by a packet's internal endpoint 409 410 Port search: 411 FindNewPortGroup() - find an available group of ports 412 */ 413 414 /* Local prototypes */ 415 static int GetNewPort(struct libalias *, struct alias_link *, int); 416 #ifndef NO_USE_SOCKETS 417 static u_short GetSocket(struct libalias *, u_short, int *, int); 418 #endif 419 static void CleanupAliasData(struct libalias *, int); 420 static void CleanupLink(struct libalias *, struct alias_link **, int); 421 static void DeleteLink(struct alias_link **, int); 422 static struct alias_link * 423 UseLink(struct libalias *, struct alias_link *); 424 425 static struct alias_link * 426 ReLink(struct alias_link *, 427 struct in_addr, struct in_addr, struct in_addr, 428 u_short, u_short, int, int, int); 429 430 static struct alias_link * 431 FindLinkOut(struct libalias *, struct in_addr, struct in_addr, u_short, u_short, int, int); 432 433 static struct alias_link * 434 FindLinkIn(struct libalias *, struct in_addr, struct in_addr, u_short, u_short, int, int); 435 436 static struct alias_link * 437 FindLinkByInternalEndpoint(struct libalias *, struct in_addr, u_short, int); 438 439 static u_short _RandomPort(struct libalias *la); 440 441 #define GET_NEW_PORT_MAX_ATTEMPTS 20 442 443 444 #ifndef NO_FW_PUNCH 445 446 static void ClearAllFWHoles(struct libalias *la); 447 448 #define fw_setfield(la, field, num) \ 449 do { \ 450 (field)[(num) - la->fireWallBaseNum] = 1; \ 451 } /*lint -save -e717 */ while(0)/* lint -restore */ 452 453 #define fw_clrfield(la, field, num) \ 454 do { \ 455 (field)[(num) - la->fireWallBaseNum] = 0; \ 456 } /*lint -save -e717 */ while(0)/* lint -restore */ 457 458 #define fw_tstfield(la, field, num) ((field)[(num) - la->fireWallBaseNum]) 459 460 #endif /* !NO_FW_PUNCH */ 461 462 #endif /* _ALIAS_DB_H_ */ 463