mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-10 16:31:18 +01:00
e83aaae350
Requested by: Charles Mott <cmott@scientech.com>
982 lines
32 KiB
Groff
982 lines
32 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2001 Charles Mott <cm@linktel.net>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd April 13, 2000
|
|
.Dt LIBALIAS 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm libalias
|
|
.Nd packet aliasing library for masquerading and network address translation
|
|
.Sh SYNOPSIS
|
|
.In sys/types.h
|
|
.In netinet/in.h
|
|
.In alias.h
|
|
.Pp
|
|
Function prototypes are given in the main body of the text.
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
library is a collection of functions for aliasing and de-aliasing of IP
|
|
packets, intended for masquerading and network address translation (NAT).
|
|
.Sh INTRODUCTION
|
|
This library is a moderately portable set of functions designed to assist
|
|
in the process of IP masquerading and network address translation.
|
|
Outgoing packets from a local network with unregistered IP addresses can
|
|
be aliased to appear as if they came from an accessible IP address.
|
|
Incoming packets are then de-aliased so that they are sent to the correct
|
|
machine on the local network.
|
|
.Pp
|
|
A certain amount of flexibility is built into the packet aliasing engine.
|
|
In the simplest mode of operation, a many-to-one address mapping takes
|
|
place between local network and the packet aliasing host.
|
|
This is known as IP masquerading.
|
|
In addition, one-to-one mappings between local and public addresses can
|
|
also be implemented, which is known as static NAT.
|
|
In between these extremes, different groups of private addresses can be
|
|
linked to different public addresses, comprising several distinct
|
|
many-to-one mappings.
|
|
Also, a given public address and port can be statically redirected to a
|
|
private address/port.
|
|
.Pp
|
|
The packet aliasing engine was designed to operate in user space outside
|
|
of the kernel, without any access to private kernel data structure, but
|
|
the source code can also be ported to a kernel environment.
|
|
.Sh INITIALIZATION AND CONTROL
|
|
Two special functions,
|
|
.Fn PacketAliasInit
|
|
and
|
|
.Fn PacketAliasSetAddress ,
|
|
must always be called before any packet handling may be performed.
|
|
In addition, the operating mode of the packet aliasing engine can be
|
|
customized by calling
|
|
.Fn PacketAliasSetMode .
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasInit void
|
|
.Bd -ragged -offset indent
|
|
This function has no arguments or return value and is used to initialize
|
|
internal data structures.
|
|
The following mode bits are always set after calling
|
|
.Fn PacketAliasInit .
|
|
See the description of
|
|
.Fn PacketAliasSetMode
|
|
below for the meaning of these mode bits.
|
|
.Pp
|
|
.Bl -item -offset indent -compact
|
|
.It
|
|
.Dv PKT_ALIAS_SAME_PORTS
|
|
.It
|
|
.Dv PKT_ALIAS_USE_SOCKETS
|
|
.It
|
|
.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
|
.El
|
|
.Pp
|
|
This function will always return the packet aliasing engine to the same
|
|
initial state.
|
|
.Fn PacketAliasSetAddress
|
|
must be called afterwards, and any desired changes from the default mode
|
|
bits listed above require a call to
|
|
.Fn PacketAliasSetMode .
|
|
.Pp
|
|
It is mandatory that this function be called at the beginning of a program
|
|
prior to any packet handling.
|
|
.Ed
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasUninit void
|
|
.Bd -ragged -offset indent
|
|
This function has no arguments or return value and is used to clear any
|
|
resources attached to internal data structures.
|
|
.Pp
|
|
This functions should be called when a program stops using the aliasing
|
|
engine; it does, amongst other things, clear out any firewall holes.
|
|
To provide backwards compatibility and extra security, it is added to
|
|
the
|
|
.Xr atexit 3
|
|
chain by
|
|
.Fn PacketAliasInit .
|
|
Calling it multiple times is harmless.
|
|
.Ed
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasSetAddress "struct in_addr addr"
|
|
.Bd -ragged -offset indent
|
|
This function sets the source address to which outgoing packets from the
|
|
local area network are aliased.
|
|
All outgoing packets are re-mapped to this address unless overridden by a
|
|
static address mapping established by
|
|
.Fn PacketAliasRedirectAddr .
|
|
.Pp
|
|
If the
|
|
.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
|
mode bit is set (the default mode of operation), then the internal aliasing
|
|
link tables will be reset any time the aliasing address changes.
|
|
This is useful for interfaces such as
|
|
.Xr ppp 8 ,
|
|
where the IP
|
|
address may or may not change on successive dial-up attempts.
|
|
.Pp
|
|
If the
|
|
.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
|
mode bit is set to zero, this function can also be used to dynamically change
|
|
the aliasing address on a packet to packet basis (it is a low overhead call).
|
|
.Pp
|
|
It is mandatory that this function be called prior to any packet handling.
|
|
.Ed
|
|
.Pp
|
|
.Ft unsigned int
|
|
.Fn PacketAliasSetMode "unsigned int flags" "unsigned int mask"
|
|
.Bd -ragged -offset indent
|
|
This function sets or clears mode bits
|
|
according to the value of
|
|
.Fa flags .
|
|
Only bits marked in
|
|
.Fa mask
|
|
are affected.
|
|
The following mode bits are defined in
|
|
.Aq Pa alias.h :
|
|
.Bl -tag -width indent
|
|
.It Dv PKT_ALIAS_LOG
|
|
Enables logging into
|
|
.Pa /var/log/alias.log .
|
|
Each time an aliasing link is created or deleted, the log file is appended
|
|
with the current number of ICMP, TCP and UDP links.
|
|
Mainly useful for debugging when the log file is viewed continuously with
|
|
.Xr tail 1 .
|
|
.It Dv PKT_ALIAS_DENY_INCOMING
|
|
If this mode bit is set, all incoming packets associated with new TCP
|
|
connections or new UDP transactions will be marked for being ignored
|
|
.Fn ( PacketAliasIn
|
|
returns
|
|
.Dv PKT_ALIAS_IGNORED
|
|
code)
|
|
by the calling program.
|
|
Response packets to connections or transactions initiated from the packet
|
|
aliasing host or local network will be unaffected.
|
|
This mode bit is useful for implementing a one-way firewall.
|
|
.It Dv PKT_ALIAS_SAME_PORTS
|
|
If this mode bit is set, the packet aliasing engine will attempt to leave
|
|
the alias port numbers unchanged from the actual local port numbers.
|
|
This can be done as long as the quintuple (proto, alias addr, alias port,
|
|
remote addr, remote port) is unique.
|
|
If a conflict exists, a new aliasing port number is chosen even if this
|
|
mode bit is set.
|
|
.It Dv PKT_ALIAS_USE_SOCKETS
|
|
This bit should be set when the packet aliasing host originates network
|
|
traffic as well as forwards it.
|
|
When the packet aliasing host is waiting for a connection from an unknown
|
|
host address or unknown port number (e.g. an FTP data connection), this
|
|
mode bit specifies that a socket be allocated as a place holder to prevent
|
|
port conflicts.
|
|
Once a connection is established, usually within a minute or so, the socket
|
|
is closed.
|
|
.It Dv PKT_ALIAS_UNREGISTERED_ONLY
|
|
If this mode bit is set, traffic on the local network which does not
|
|
originate from unregistered address spaces will be ignored.
|
|
Standard Class A, B and C unregistered addresses are:
|
|
.Bd -literal -offset indent
|
|
10.0.0.0 -> 10.255.255.255 (Class A subnet)
|
|
172.16.0.0 -> 172.31.255.255 (Class B subnets)
|
|
192.168.0.0 -> 192.168.255.255 (Class C subnets)
|
|
.Ed
|
|
.Pp
|
|
This option is useful in the case that packet aliasing host has both
|
|
registered and unregistered subnets on different interfaces.
|
|
The registered subnet is fully accessible to the outside world, so traffic
|
|
from it does not need to be passed through the packet aliasing engine.
|
|
.It Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
|
When this mode bit is set and
|
|
.Fn PacketAliasSetAddress
|
|
is called to change the aliasing address, the internal link table of the
|
|
packet aliasing engine will be cleared.
|
|
This operating mode is useful for
|
|
.Xr ppp 8
|
|
links where the interface address can sometimes change or remain the same
|
|
between dial-up attempts.
|
|
If this mode bit is not set, the link table will never be reset in the event
|
|
of an address change.
|
|
.It Dv PKT_ALIAS_PUNCH_FW
|
|
This option makes
|
|
.Nm
|
|
`punch holes' in an
|
|
.Xr ipfirewall 4
|
|
based firewall for FTP/IRC DCC connections.
|
|
The holes punched are bound by from/to IP address and port; it will not be
|
|
possible to use a hole for another connection.
|
|
A hole is removed when the connection that uses it dies.
|
|
To cater to unexpected death of a program using
|
|
.Nm
|
|
(e.g. kill -9),
|
|
changing the state of the flag will clear the entire firewall range
|
|
allocated for holes.
|
|
This will also happen on the initial call to
|
|
.Fn PacketAliasSetFWBase .
|
|
This call must happen prior to setting this flag.
|
|
.It Dv PKT_ALIAS_REVERSE
|
|
This option makes
|
|
.Nm
|
|
reverse the way it handles incoming and outgoing packets, allowing it
|
|
to be fed with data that passes through the internal interface rather
|
|
than the external one.
|
|
.It Dv PKT_ALIAS_PROXY_ONLY
|
|
This option tells
|
|
.Nm
|
|
to obey transparent proxy rules only.
|
|
Normal packet aliasing is not performed.
|
|
See
|
|
.Fn PacketAliasProxyRule
|
|
below for details.
|
|
.El
|
|
.Ed
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasSetFWBase "unsigned int base" "unsigned int num"
|
|
.Bd -ragged -offset indent
|
|
Set firewall range allocated for punching firewall holes (with the
|
|
.Dv PKT_ALIAS_PUNCH_FW
|
|
flag).
|
|
The range will be cleared for all rules on initialization.
|
|
.Ed
|
|
.Sh PACKET HANDLING
|
|
The packet handling functions are used to modify incoming (remote to local)
|
|
and outgoing (local to remote) packets.
|
|
The calling program is responsible for receiving and sending packets via
|
|
network interfaces.
|
|
.Pp
|
|
Along with
|
|
.Fn PacketAliasInit
|
|
and
|
|
.Fn PacketAliasSetAddress ,
|
|
the two packet handling functions,
|
|
.Fn PacketAliasIn
|
|
and
|
|
.Fn PacketAliasOut ,
|
|
comprise minimal set of functions needed for a basic IP masquerading
|
|
implementation.
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketAliasIn "char *buffer" "int maxpacketsize"
|
|
.Bd -ragged -offset indent
|
|
An incoming packet coming from a remote machine to the local network is
|
|
de-aliased by this function.
|
|
The IP packet is pointed to by
|
|
.Fa buffer ,
|
|
and
|
|
.Fa maxpacketsize
|
|
indicates the size of the data structure containing the packet and should
|
|
be at least as large as the actual packet size.
|
|
.Pp
|
|
Return codes:
|
|
.Bl -tag -width indent
|
|
.It Dv PKT_ALIAS_OK
|
|
The packet aliasing process was successful.
|
|
.It Dv PKT_ALIAS_IGNORED
|
|
The packet was ignored and not de-aliased.
|
|
This can happen if the protocol is unrecognized, possibly an ICMP message
|
|
type is not handled or if incoming packets for new connections are being
|
|
ignored (if
|
|
.Dv PKT_ALIAS_DENY_INCOMING
|
|
mode bit was set by
|
|
.Fn PacketAliasSetMode ) .
|
|
.It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT
|
|
This is returned when a fragment cannot be resolved because the header
|
|
fragment has not been sent yet.
|
|
In this situation, fragments must be saved with
|
|
.Fn PacketAliasSaveFragment
|
|
until a header fragment is found.
|
|
.It Dv PKT_ALIAS_FOUND_HEADER_FRAGMENT
|
|
The packet aliasing process was successful, and a header fragment was found.
|
|
This is a signal to retrieve any unresolved fragments with
|
|
.Fn PacketAliasGetFragment
|
|
and de-alias them with
|
|
.Fn PacketAliasFragmentIn .
|
|
.It Dv PKT_ALIAS_ERROR
|
|
An internal error within the packet aliasing engine occurred.
|
|
.El
|
|
.Ed
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketAliasOut "char *buffer" "int maxpacketsize"
|
|
.Bd -ragged -offset indent
|
|
An outgoing packet coming from the local network to a remote machine is
|
|
aliased by this function.
|
|
The IP packet is pointed to by
|
|
.Fa buffer ,
|
|
and
|
|
.Fa maxpacketsize
|
|
indicates the maximum packet size permissible should the packet length be
|
|
changed.
|
|
IP encoding protocols place address and port information in the encapsulated
|
|
data stream which has to be modified and can account for changes in packet
|
|
length.
|
|
Well known examples of such protocols are FTP and IRC DCC.
|
|
.Pp
|
|
Return codes:
|
|
.Bl -tag -width indent
|
|
.It Dv PKT_ALIAS_OK
|
|
The packet aliasing process was successful.
|
|
.It Dv PKT_ALIAS_IGNORED
|
|
The packet was ignored and not aliased.
|
|
This can happen if the protocol is unrecognized, or possibly an ICMP message
|
|
type is not handled.
|
|
.It Dv PKT_ALIAS_ERROR
|
|
An internal error within the packet aliasing engine occurred.
|
|
.El
|
|
.Ed
|
|
.Sh PORT AND ADDRESS REDIRECTION
|
|
The functions described in this section allow machines on the local network
|
|
to be accessible in some degree to new incoming connections from the external
|
|
network.
|
|
Individual ports can be re-mapped or static network address translations can
|
|
be designated.
|
|
.Pp
|
|
.Ft struct alias_link *
|
|
.Fo PacketAliasRedirectPort
|
|
.Fa "struct in_addr local_addr"
|
|
.Fa "u_short local_port"
|
|
.Fa "struct in_addr remote_addr"
|
|
.Fa "u_short remote_port"
|
|
.Fa "struct in_addr alias_addr"
|
|
.Fa "u_short alias_port"
|
|
.Fa "u_char proto"
|
|
.Fc
|
|
.Bd -ragged -offset indent
|
|
This function specifies that traffic from a given remote address/port to
|
|
an alias address/port be redirected to a specified local address/port.
|
|
The parameter
|
|
.Fa proto
|
|
can be either
|
|
.Dv IPPROTO_TCP
|
|
or
|
|
.Dv IPPROTO_UDP ,
|
|
as defined in
|
|
.Aq Pa netinet/in.h .
|
|
.Pp
|
|
If
|
|
.Fa local_addr
|
|
or
|
|
.Fa alias_addr
|
|
is zero, this indicates that the packet aliasing address as established
|
|
by
|
|
.Fn PacketAliasSetAddress
|
|
is to be used.
|
|
Even if
|
|
.Fn PacketAliasSetAddress
|
|
is called to change the address after
|
|
.Fn PacketAliasRedirectPort
|
|
is called, a zero reference will track this change.
|
|
.Pp
|
|
If the link is further set up to operate for a load sharing, then
|
|
.Fa local_addr
|
|
and
|
|
.Fa local_port
|
|
are ignored, and are selected dynamically from the server pool, as described in
|
|
.Fn PacketAliasAddServer
|
|
below.
|
|
.Pp
|
|
If
|
|
.Fa remote_addr
|
|
is zero, this indicates to redirect packets from any remote address.
|
|
Likewise, if
|
|
.Fa remote_port
|
|
is zero, this indicates to redirect packets originating from any remote
|
|
port number.
|
|
Almost always, the remote port specification will be zero, but non-zero
|
|
remote addresses can sometimes be useful for firewalling.
|
|
If two calls to
|
|
.Fn PacketAliasRedirectPort
|
|
overlap in their address/port specifications, then the most recent call
|
|
will have precedence.
|
|
.Pp
|
|
This function returns a pointer which can subsequently be used by
|
|
.Fn PacketAliasRedirectDelete .
|
|
If
|
|
.Dv NULL
|
|
is returned, then the function call did not complete successfully.
|
|
.Pp
|
|
All port numbers should be in network address byte order, so it is necessary
|
|
to use
|
|
.Xr htons 3
|
|
to convert these parameters from internally readable numbers to network byte
|
|
order.
|
|
Addresses are also in network byte order, which is implicit in the use of the
|
|
.Fa struct in_addr
|
|
data type.
|
|
.Ed
|
|
.Pp
|
|
.Ft struct alias_link *
|
|
.Fo PacketAliasRedirectAddr
|
|
.Fa "struct in_addr local_addr"
|
|
.Fa "struct in_addr alias_addr"
|
|
.Fc
|
|
.Bd -ragged -offset indent
|
|
This function designates that all incoming traffic to
|
|
.Fa alias_addr
|
|
be redirected to
|
|
.Fa local_addr .
|
|
Similarly, all outgoing traffic from
|
|
.Fa local_addr
|
|
is aliased to
|
|
.Fa alias_addr .
|
|
.Pp
|
|
If
|
|
.Fa local_addr
|
|
or
|
|
.Fa alias_addr
|
|
is zero, this indicates that the packet aliasing address as established by
|
|
.Fn PacketAliasSetAddress
|
|
is to be used.
|
|
Even if
|
|
.Fn PacketAliasSetAddress
|
|
is called to change the address after
|
|
.Fn PacketAliasRedirectAddr
|
|
is called, a zero reference will track this change.
|
|
.Pp
|
|
If the link is further set up to operate for a load sharing, then
|
|
.Fa local_addr
|
|
is ignored, and is selected dynamically from the server pool, as described in
|
|
.Fn PacketAliasAddServer
|
|
below.
|
|
.Pp
|
|
If subsequent calls to
|
|
.Fn PacketAliasRedirectAddr
|
|
use the same aliasing address, all new incoming traffic to this aliasing
|
|
address will be redirected to the local address made in the last function
|
|
call.
|
|
New traffic generated by any of the local machines, designated in the
|
|
several function calls, will be aliased to the same address.
|
|
Consider the following example:
|
|
.Bd -literal -offset indent
|
|
PacketAliasRedirectAddr(inet_aton("192.168.0.2"),
|
|
inet_aton("141.221.254.101"));
|
|
PacketAliasRedirectAddr(inet_aton("192.168.0.3"),
|
|
inet_aton("141.221.254.101"));
|
|
PacketAliasRedirectAddr(inet_aton("192.168.0.4"),
|
|
inet_aton("141.221.254.101"));
|
|
.Ed
|
|
.Pp
|
|
Any outgoing connections such as
|
|
.Xr telnet 1
|
|
or
|
|
.Xr ftp 1
|
|
from 192.168.0.2, 192.168.0.3 and 192.168.0.4 will appear to come from
|
|
141.221.254.101.
|
|
Any incoming connections to 141.221.254.101 will be directed to 192.168.0.4.
|
|
.Pp
|
|
Any calls to
|
|
.Fn PacketAliasRedirectPort
|
|
will have precedence over address mappings designated by
|
|
.Fn PacketAliasRedirectAddr .
|
|
.Pp
|
|
This function returns a pointer which can subsequently be used by
|
|
.Fn PacketAliasRedirectDelete .
|
|
If
|
|
.Dv NULL
|
|
is returned, then the function call did not complete successfully.
|
|
.Ed
|
|
.Pp
|
|
.Ft int
|
|
.Fo PacketAliasAddServer
|
|
.Fa "struct alias_link *link"
|
|
.Fa "struct in_addr addr"
|
|
.Fa "u_short port"
|
|
.Fc
|
|
.Bd -ragged -offset indent
|
|
This function sets the
|
|
.Fa link
|
|
up for Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
|
|
LSNAT operates as follows.
|
|
A client attempts to access a server by using the server virtual address.
|
|
The LSNAT router transparently redirects the request to one of the hosts
|
|
in server pool, selected using a real-time load sharing algorithm.
|
|
Multiple sessions may be initiated from the same client, and each session
|
|
could be directed to a different host based on load balance across server
|
|
pool hosts at the time.
|
|
If load share is desired for just a few specific services, the configuration
|
|
on LSNAT could be defined to restrict load share for just the services
|
|
desired.
|
|
.Pp
|
|
Currently, only the simplest selection algorithm is implemented, where a
|
|
host is selected on a round-robin basis only, without regard to load on
|
|
the host.
|
|
.Pp
|
|
First, the
|
|
.Fa link
|
|
is created by either
|
|
.Fn PacketAliasRedirectPort
|
|
or
|
|
.Fn PacketAliasRedirectAddr .
|
|
Then,
|
|
.Fn PacketAliasAddServer
|
|
is called multiple times to add entries to the
|
|
.Fa link Ns 's
|
|
server pool.
|
|
.Pp
|
|
For links created with
|
|
.Fn PacketAliasRedirectAddr ,
|
|
the
|
|
.Fa port
|
|
argument is ignored and could have any value, e.g. htons(~0).
|
|
.Pp
|
|
This function returns 0 on success, -1 otherwise.
|
|
.Ed
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasRedirectDelete "struct alias_link *link"
|
|
.Bd -ragged -offset indent
|
|
This function will delete a specific static redirect rule entered by
|
|
.Fn PacketAliasRedirectPort
|
|
or
|
|
.Fn PacketAliasRedirectAddr .
|
|
The parameter
|
|
.Fa link
|
|
is the pointer returned by either of the redirection functions.
|
|
If an invalid pointer is passed to
|
|
.Fn PacketAliasRedirectDelete ,
|
|
then a program crash or unpredictable operation could result, so it is
|
|
necessary to be careful using this function.
|
|
.Ed
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketAliasProxyRule "const char *cmd"
|
|
.Bd -ragged -offset indent
|
|
The passed
|
|
.Fa cmd
|
|
string consists of one or more pairs of words.
|
|
The first word in each pair is a token and the second is the value that
|
|
should be applied for that token.
|
|
Tokens and their argument types are as follows:
|
|
.Bl -tag -width indent
|
|
.It Cm type encode_ip_hdr | encode_tcp_stream | no_encode
|
|
In order to support transparent proxying, it is necessary to somehow
|
|
pass the original address and port information into the new destination
|
|
server.
|
|
If
|
|
.Cm encode_ip_hdr
|
|
is specified, the original address and port is passed as an extra IP
|
|
option.
|
|
If
|
|
.Cm encode_tcp_stream
|
|
is specified, the original address and port is passed as the first
|
|
piece of data in the TCP stream in the format
|
|
.Dq DEST Ar IP port .
|
|
.It Cm port Ar portnum
|
|
Only packets with the destination port
|
|
.Ar portnum
|
|
are proxied.
|
|
.It Cm server Ar host Ns Xo
|
|
.Op : Ns Ar portnum
|
|
.Xc
|
|
This specifies the
|
|
.Ar host
|
|
and
|
|
.Ar portnum
|
|
that the data is to be redirected to.
|
|
.Ar host
|
|
must be an IP address rather than a DNS host name.
|
|
If
|
|
.Ar portnum
|
|
is not specified, the destination port number is not changed.
|
|
.Pp
|
|
The
|
|
.Ar server
|
|
specification is mandatory unless the
|
|
.Cm delete
|
|
command is being used.
|
|
.It Cm rule Ar index
|
|
Normally, each call to
|
|
.Fn PacketAliasProxyRule
|
|
inserts the next rule at the start of a linear list of rules.
|
|
If an
|
|
.Ar index
|
|
is specified, the new rule will be checked after all rules with lower
|
|
indices.
|
|
Calls to
|
|
.Fn PacketAliasProxyRule
|
|
that do not specify a rule are assigned rule 0.
|
|
.It Cm delete Ar index
|
|
This token and its argument MUST NOT be used with any other tokens.
|
|
When used, all existing rules with the given
|
|
.Ar index
|
|
are deleted.
|
|
.It Cm proto tcp | udp
|
|
If specified, only packets of the given protocol type are matched.
|
|
.It Cm src Ar IP Ns Xo
|
|
.Op / Ns Ar bits
|
|
.Xc
|
|
If specified, only packets with a source address matching the given
|
|
.Ar IP
|
|
are matched.
|
|
If
|
|
.Ar bits
|
|
is also specified, then the first
|
|
.Ar bits
|
|
bits of
|
|
.Ar IP
|
|
are taken as a network specification, and all IP addresses from that
|
|
network will be matched.
|
|
.It Cm dst Ar IP Ns Xo
|
|
.Op / Ns Ar bits
|
|
.Xc
|
|
If specified, only packets with a destination address matching the given
|
|
.Ar IP
|
|
are matched.
|
|
If
|
|
.Ar bits
|
|
is also specified, then the first
|
|
.Ar bits
|
|
bits of
|
|
.Ar IP
|
|
are taken as a network specification, and all IP addresses from that
|
|
network will be matched.
|
|
.El
|
|
.Pp
|
|
This function is usually used to redirect outgoing connections for
|
|
internal machines that are not permitted certain types of internet
|
|
access, or to restrict access to certain external machines.
|
|
.Ed
|
|
.Pp
|
|
.Ft struct alias_link *
|
|
.Fo PacketAliasRedirectProto
|
|
.Fa "struct in_addr local_addr"
|
|
.Fa "struct in_addr remote_addr"
|
|
.Fa "struct in_addr alias_addr"
|
|
.Fa "u_char proto"
|
|
.Fc
|
|
.Bd -ragged -offset indent
|
|
This function specifies that any IP packet with protocol number of
|
|
.Fa proto
|
|
from a given remote address to an alias address be
|
|
redirected to a specified local address.
|
|
.Pp
|
|
If
|
|
.Fa local_addr
|
|
or
|
|
.Fa alias_addr
|
|
is zero, this indicates that the packet aliasing address as established
|
|
by
|
|
.Fn PacketAliasSetAddress
|
|
is to be used.
|
|
Even if
|
|
.Fn PacketAliasSetAddress
|
|
is called to change the address after
|
|
.Fn PacketAliasRedirectProto
|
|
is called, a zero reference will track this change.
|
|
.Pp
|
|
If
|
|
.Fa remote_addr
|
|
is zero, this indicates to redirect packets from any remote address.
|
|
Non-zero remote addresses can sometimes be useful for firewalling.
|
|
.Pp
|
|
If two calls to
|
|
.Fn PacketAliasRedirectProto
|
|
overlap in their address specifications, then the most recent call
|
|
will have precedence.
|
|
.Pp
|
|
This function returns a pointer which can subsequently be used by
|
|
.Fn PacketAliasRedirectDelete .
|
|
If
|
|
.Dv NULL
|
|
is returned, then the function call did not complete successfully.
|
|
.Ed
|
|
.Sh FRAGMENT HANDLING
|
|
The functions in this section are used to deal with incoming fragments.
|
|
.Pp
|
|
Outgoing fragments are handled within
|
|
.Fn PacketAliasOut
|
|
by changing the address according to any applicable mapping set by
|
|
.Fn PacketAliasRedirectAddr ,
|
|
or the default aliasing address set by
|
|
.Fn PacketAliasSetAddress .
|
|
.Pp
|
|
Incoming fragments are handled in one of two ways.
|
|
If the header of a fragmented IP packet has already been seen, then all
|
|
subsequent fragments will be re-mapped in the same manner the header
|
|
fragment was.
|
|
Fragments which arrive before the header are saved and then retrieved
|
|
once the header fragment has been resolved.
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketAliasSaveFragment "char *ptr"
|
|
.Bd -ragged -offset indent
|
|
When
|
|
.Fn PacketAliasIn
|
|
returns
|
|
.Dv PKT_ALIAS_UNRESOLVED_FRAGMENT ,
|
|
this function can be used to save the pointer to the unresolved fragment.
|
|
.Pp
|
|
It is implicitly assumed that
|
|
.Fa ptr
|
|
points to a block of memory allocated by
|
|
.Xr malloc 3 .
|
|
If the fragment is never resolved, the packet aliasing engine will
|
|
automatically free the memory after a timeout period.
|
|
[Eventually this function should be modified so that a callback function
|
|
for freeing memory is passed as an argument.]
|
|
.Pp
|
|
This function returns
|
|
.Dv PKT_ALIAS_OK
|
|
if it was successful and
|
|
.Dv PKT_ALIAS_ERROR
|
|
if there was an error.
|
|
.Ed
|
|
.Pp
|
|
.Ft char *
|
|
.Fn PacketAliasGetFragment "char *buffer"
|
|
.Bd -ragged -offset indent
|
|
This function can be used to retrieve fragment pointers saved by
|
|
.Fn PacketAliasSaveFragment .
|
|
The IP header fragment pointed to by
|
|
.Fa buffer
|
|
is the header fragment indicated when
|
|
.Fn PacketAliasIn
|
|
returns
|
|
.Dv PKT_ALIAS_FOUND_HEADER_FRAGMENT .
|
|
Once a fragment pointer is retrieved, it becomes the calling program's
|
|
responsibility to free the dynamically allocated memory for the fragment.
|
|
.Pp
|
|
.Fn PacketAliasGetFragment
|
|
can be called sequentially until there are no more fragments available,
|
|
at which time it returns
|
|
.Dv NULL .
|
|
.Ed
|
|
.Pp
|
|
.Ft void
|
|
.Fn PacketAliasFragmentIn "char *header" "char *fragment"
|
|
.Bd -ragged -offset indent
|
|
When a fragment is retrieved with
|
|
.Fn PacketAliasGetFragment ,
|
|
it can then be de-aliased with a call to
|
|
.Fn PacketAliasFragmentIn .
|
|
The
|
|
.Fa header
|
|
argument is the pointer to a header fragment used as a template, and
|
|
.Fa fragment
|
|
is the pointer to the packet to be de-aliased.
|
|
.Ed
|
|
.Sh MISCELLANEOUS FUNCTIONS
|
|
.Ft void
|
|
.Fn PacketAliasSetTarget "struct in_addr addr"
|
|
.Bd -ragged -offset indent
|
|
When an incoming packet not associated with any pre-existing aliasing link
|
|
arrives at the host machine, it will be sent to the address indicated by a
|
|
call to
|
|
.Fn PacketAliasSetTarget .
|
|
.Pp
|
|
If this function is called with an
|
|
.Dv INADDR_NONE
|
|
address argument, then all new incoming packets go to the address set by
|
|
.Fn PacketAliasSetAddress .
|
|
.Pp
|
|
If this function is not called, or is called with an
|
|
.Dv INADDR_ANY
|
|
address argument, then all new incoming packets go to the address specified
|
|
in the packet.
|
|
This allows external machines to talk directly to internal machines if they
|
|
can route packets to the machine in question.
|
|
.Ed
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketAliasCheckNewLink void
|
|
.Bd -ragged -offset indent
|
|
This function returns a non-zero value when a new aliasing link is created.
|
|
In circumstances where incoming traffic is being sequentially sent to
|
|
different local servers, this function can be used to trigger when
|
|
.Fn PacketAliasSetTarget
|
|
is called to change the default target address.
|
|
.Ed
|
|
.Pp
|
|
.Ft u_short
|
|
.Fn PacketAliasInternetChecksum "u_short *buffer" "int nbytes"
|
|
.Bd -ragged -offset indent
|
|
This is a utility function that does not seem to be available elsewhere and
|
|
is included as a convenience.
|
|
It computes the internet checksum, which is used in both IP and
|
|
protocol-specific headers (TCP, UDP, ICMP).
|
|
.Pp
|
|
The
|
|
.Fa buffer
|
|
argument points to the data block to be checksummed, and
|
|
.Fa nbytes
|
|
is the number of bytes.
|
|
The 16-bit checksum field should be zeroed before computing the checksum.
|
|
.Pp
|
|
Checksums can also be verified by operating on a block of data including
|
|
its checksum.
|
|
If the checksum is valid,
|
|
.Fn PacketAliasInternetChecksum
|
|
will return zero.
|
|
.Ed
|
|
.Pp
|
|
.Ft int
|
|
.Fn PacketUnaliasOut "char *buffer" "int maxpacketsize"
|
|
.Bd -ragged -offset indent
|
|
An outgoing packet, which has already been aliased,
|
|
has its private address/port information restored by this function.
|
|
The IP packet is pointed to by
|
|
.Fa buffer ,
|
|
and
|
|
.Fa maxpacketsize
|
|
is provided for error checking purposes.
|
|
This function can be used if an already-aliased packet needs to have its
|
|
original IP header restored for further processing (eg. logging).
|
|
.Ed
|
|
.Sh BUGS
|
|
PPTP aliasing does not work when more than one internal client
|
|
connects to the same external server at the same time, because
|
|
PPTP requires a single TCP control connection to be established
|
|
between any two IP addresses.
|
|
.Sh AUTHORS
|
|
.An Charles Mott Aq cm@linktel.net ,
|
|
versions 1.0 - 1.8, 2.0 - 2.4.
|
|
.An Eivind Eklund Aq eivind@FreeBSD.org ,
|
|
versions 1.8b, 1.9 and 2.5.
|
|
Added IRC DCC support as well as contributing a number of architectural
|
|
improvements; added the firewall bypass for FTP/IRC DCC.
|
|
.An Erik Salander Aq erik@whistle.com
|
|
added support for PPTP and RTSP.
|
|
.An Junichi Satoh Aq junichi@junichi.org
|
|
added support for RTSP/PNA.
|
|
.Sh ACKNOWLEDGMENTS
|
|
Listed below, in approximate chronological order, are individuals who
|
|
have provided valuable comments and/or debugging assistance.
|
|
.Pp
|
|
.Bd -ragged -offset indent
|
|
.An -split
|
|
.An Gary Roberts
|
|
.An Tom Torrance
|
|
.An Reto Burkhalter
|
|
.An Martin Renters
|
|
.An Brian Somers
|
|
.An Paul Traina
|
|
.An Ari Suutari
|
|
.An Dave Remien
|
|
.An J. Fortes
|
|
.An Andrzej Bialecki
|
|
.An Gordon Burditt
|
|
.Ed
|
|
.Sh CONCEPTUAL BACKGROUND
|
|
This section is intended for those who are planning to modify the source
|
|
code or want to create somewhat esoteric applications using the packet
|
|
aliasing functions.
|
|
.Pp
|
|
The conceptual framework under which the packet aliasing engine operates
|
|
is described here.
|
|
Central to the discussion is the idea of an
|
|
.Em aliasing link
|
|
which describes the relationship for a given packet transaction between
|
|
the local machine, aliased identity and remote machine.
|
|
It is discussed how such links come into existence and are destroyed.
|
|
.Ss ALIASING LINKS
|
|
There is a notion of an
|
|
.Em aliasing link ,
|
|
which is a 7-tuple describing a specific translation:
|
|
.Bd -literal -offset indent
|
|
(local addr, local port, alias addr, alias port,
|
|
remote addr, remote port, protocol)
|
|
.Ed
|
|
.Pp
|
|
Outgoing packets have the local address and port number replaced with the
|
|
alias address and port number.
|
|
Incoming packets undergo the reverse process.
|
|
The packet aliasing engine attempts to match packets against an internal
|
|
table of aliasing links to determine how to modify a given IP packet.
|
|
Both the IP header and protocol dependent headers are modified as necessary.
|
|
Aliasing links are created and deleted as necessary according to network
|
|
traffic.
|
|
.Pp
|
|
Protocols can be TCP, UDP or even ICMP in certain circumstances.
|
|
(Some types of ICMP packets can be aliased according to sequence or ID
|
|
number which acts as an equivalent port number for identifying how
|
|
individual packets should be handled.)
|
|
.Pp
|
|
Each aliasing link must have a unique combination of the following five
|
|
quantities: alias address/port, remote address/port and protocol.
|
|
This ensures that several machines on a local network can share the
|
|
same aliasing IP address.
|
|
In cases where conflicts might arise, the aliasing port is chosen so that
|
|
uniqueness is maintained.
|
|
.Ss STATIC AND DYNAMIC LINKS
|
|
Aliasing links can either be static or dynamic.
|
|
Static links persist indefinitely and represent fixed rules for translating
|
|
IP packets.
|
|
Dynamic links come into existence for a specific TCP connection or UDP
|
|
transaction or ICMP ECHO sequence.
|
|
For the case of TCP, the connection can be monitored to see when the
|
|
associated aliasing link should be deleted.
|
|
Aliasing links for UDP transactions (and ICMP ECHO and TIMESTAMP requests)
|
|
work on a simple timeout rule.
|
|
When no activity is observed on a dynamic link for a certain amount of time
|
|
it is automatically deleted.
|
|
Timeout rules also apply to TCP connections which do not open or close
|
|
properly.
|
|
.Ss PARTIALLY SPECIFIED ALIASING LINKS
|
|
Aliasing links can be partially specified, meaning that the remote address
|
|
and/or remote port are unknown.
|
|
In this case, when a packet matching the incomplete specification is found,
|
|
a fully specified dynamic link is created.
|
|
If the original partially specified link is dynamic, it will be deleted
|
|
after the fully specified link is created, otherwise it will persist.
|
|
.Pp
|
|
For instance, a partially specified link might be
|
|
.Bd -literal -offset indent
|
|
(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp)
|
|
.Ed
|
|
.Pp
|
|
The zeros denote unspecified components for the remote address and port.
|
|
If this link were static it would have the effect of redirecting all
|
|
incoming traffic from port 8066 of 204.228.203.215 to port 23 (telnet)
|
|
of machine 192.168.0.4 on the local network.
|
|
Each individual telnet connection would initiate the creation of a distinct
|
|
dynamic link.
|
|
.Ss DYNAMIC LINK CREATION
|
|
In addition to aliasing links, there are also address mappings that can be
|
|
stored within the internal data table of the packet aliasing mechanism.
|
|
.Bd -literal -offset indent
|
|
(local addr, alias addr)
|
|
.Ed
|
|
.Pp
|
|
Address mappings are searched when creating new dynamic links.
|
|
.Pp
|
|
All outgoing packets from the local network automatically create a dynamic
|
|
link if they do not match an already existing fully specified link.
|
|
If an address mapping exists for the outgoing packet, this determines
|
|
the alias address to be used.
|
|
If no mapping exists, then a default address, usually the address of the
|
|
packet aliasing host, is used.
|
|
If necessary, this default address can be changed as often as each individual
|
|
packet arrives.
|
|
.Pp
|
|
The aliasing port number is determined such that the new dynamic link does
|
|
not conflict with any existing links.
|
|
In the default operating mode, the packet aliasing engine attempts to set
|
|
the aliasing port equal to the local port number.
|
|
If this results in a conflict, then port numbers are randomly chosen until
|
|
a unique aliasing link can be established.
|
|
In an alternate operating mode, the first choice of an aliasing port is also
|
|
random and unrelated to the local port number.
|