1 | .\"-
|
---|
2 | .\" Copyright (c) 2001 Charles Mott <cm@linktel.net>
|
---|
3 | .\" All rights reserved.
|
---|
4 | .\"
|
---|
5 | .\" Redistribution and use in source and binary forms, with or without
|
---|
6 | .\" modification, are permitted provided that the following conditions
|
---|
7 | .\" are met:
|
---|
8 | .\" 1. Redistributions of source code must retain the above copyright
|
---|
9 | .\" notice, this list of conditions and the following disclaimer.
|
---|
10 | .\" 2. Redistributions in binary form must reproduce the above copyright
|
---|
11 | .\" notice, this list of conditions and the following disclaimer in the
|
---|
12 | .\" documentation and/or other materials provided with the distribution.
|
---|
13 | .\"
|
---|
14 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
---|
15 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
---|
16 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
---|
17 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
---|
18 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
---|
19 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
---|
20 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
---|
21 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
---|
22 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
---|
23 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
---|
24 | .\" SUCH DAMAGE.
|
---|
25 | .\"
|
---|
26 | .\" $FreeBSD: src/sys/netinet/libalias/libalias.3,v 1.58.8.1 2009/04/15 03:14:26 kensmith Exp $
|
---|
27 | .\"
|
---|
28 | .Dd October 1, 2006
|
---|
29 | .Dt LIBALIAS 3
|
---|
30 | .Os
|
---|
31 | .Sh NAME
|
---|
32 | .Nm libalias
|
---|
33 | .Nd packet aliasing library for masquerading and network address translation
|
---|
34 | .Sh SYNOPSIS
|
---|
35 | .In sys/types.h
|
---|
36 | .In netinet/in.h
|
---|
37 | .In alias.h
|
---|
38 | .Pp
|
---|
39 | Function prototypes are given in the main body of the text.
|
---|
40 | .Sh DESCRIPTION
|
---|
41 | The
|
---|
42 | .Nm
|
---|
43 | library is a collection of functions for aliasing and de-aliasing of IP
|
---|
44 | packets, intended for masquerading and network address translation (NAT).
|
---|
45 | .Sh INTRODUCTION
|
---|
46 | This library is a moderately portable set of functions designed to assist
|
---|
47 | in the process of IP masquerading and network address translation.
|
---|
48 | Outgoing packets from a local network with unregistered IP addresses can
|
---|
49 | be aliased to appear as if they came from an accessible IP address.
|
---|
50 | Incoming packets are then de-aliased so that they are sent to the correct
|
---|
51 | machine on the local network.
|
---|
52 | .Pp
|
---|
53 | A certain amount of flexibility is built into the packet aliasing engine.
|
---|
54 | In the simplest mode of operation, a many-to-one address mapping takes
|
---|
55 | place between local network and the packet aliasing host.
|
---|
56 | This is known as IP masquerading.
|
---|
57 | In addition, one-to-one mappings between local and public addresses can
|
---|
58 | also be implemented, which is known as static NAT.
|
---|
59 | In between these extremes, different groups of private addresses can be
|
---|
60 | linked to different public addresses, comprising several distinct
|
---|
61 | many-to-one mappings.
|
---|
62 | Also, a given public address and port can be statically redirected to a
|
---|
63 | private address/port.
|
---|
64 | .Pp
|
---|
65 | The packet aliasing engine was designed to operate in user space outside
|
---|
66 | of the kernel, without any access to private kernel data structure, but
|
---|
67 | the source code can also be ported to a kernel environment.
|
---|
68 | .Sh INITIALIZATION AND CONTROL
|
---|
69 | One special function,
|
---|
70 | .Fn LibAliasInit ,
|
---|
71 | must always be called before any packet handling may be performed and
|
---|
72 | the returned instance pointer passed to all the other functions.
|
---|
73 | Normally, the
|
---|
74 | .Fn LibAliasSetAddress
|
---|
75 | function is called afterwards, to set the default aliasing address.
|
---|
76 | In addition, the operating mode of the packet aliasing engine can be
|
---|
77 | customized by calling
|
---|
78 | .Fn LibAliasSetMode .
|
---|
79 | .Pp
|
---|
80 | .Ft "struct libalias *"
|
---|
81 | .Fn LibAliasInit "struct libalias *"
|
---|
82 | .Bd -ragged -offset indent
|
---|
83 | This function is used to initialize
|
---|
84 | internal data structures.
|
---|
85 | When called the first time, a
|
---|
86 | .Dv NULL
|
---|
87 | pointer should be passed as an argument.
|
---|
88 | The following mode bits are always set after calling
|
---|
89 | .Fn LibAliasInit .
|
---|
90 | See the description of
|
---|
91 | .Fn LibAliasSetMode
|
---|
92 | below for the meaning of these mode bits.
|
---|
93 | .Pp
|
---|
94 | .Bl -item -offset indent -compact
|
---|
95 | .It
|
---|
96 | .Dv PKT_ALIAS_SAME_PORTS
|
---|
97 | .It
|
---|
98 | .Dv PKT_ALIAS_USE_SOCKETS
|
---|
99 | .It
|
---|
100 | .Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
---|
101 | .El
|
---|
102 | .Pp
|
---|
103 | This function will always return the packet aliasing engine to the same
|
---|
104 | initial state.
|
---|
105 | The
|
---|
106 | .Fn LibAliasSetAddress
|
---|
107 | function is normally called afterwards, and any desired changes from the
|
---|
108 | default mode bits listed above require a call to
|
---|
109 | .Fn LibAliasSetMode .
|
---|
110 | .Pp
|
---|
111 | It is mandatory that this function be called at the beginning of a program
|
---|
112 | prior to any packet handling.
|
---|
113 | .Ed
|
---|
114 | .Pp
|
---|
115 | .Ft void
|
---|
116 | .Fn LibAliasUninit "struct libalias *"
|
---|
117 | .Bd -ragged -offset indent
|
---|
118 | This function has no return value and is used to clear any
|
---|
119 | resources attached to internal data structures.
|
---|
120 | .Pp
|
---|
121 | This functions should be called when a program stops using the aliasing
|
---|
122 | engine; it does, amongst other things, clear out any firewall holes.
|
---|
123 | To provide backwards compatibility and extra security, it is added to
|
---|
124 | the
|
---|
125 | .Xr atexit 3
|
---|
126 | chain by
|
---|
127 | .Fn LibAliasInit .
|
---|
128 | .Ed
|
---|
129 | .Pp
|
---|
130 | .Ft void
|
---|
131 | .Fn LibAliasSetAddress "struct libalias *" "struct in_addr addr"
|
---|
132 | .Bd -ragged -offset indent
|
---|
133 | This function sets the source address to which outgoing packets from the
|
---|
134 | local area network are aliased.
|
---|
135 | All outgoing packets are re-mapped to this address unless overridden by a
|
---|
136 | static address mapping established by
|
---|
137 | .Fn LibAliasRedirectAddr .
|
---|
138 | If this function is not called, and no static rules match, an outgoing
|
---|
139 | packet retains its source address.
|
---|
140 | .Pp
|
---|
141 | If the
|
---|
142 | .Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
---|
143 | mode bit is set (the default mode of operation), then the internal aliasing
|
---|
144 | link tables will be reset any time the aliasing address changes.
|
---|
145 | This is useful for interfaces such as
|
---|
146 | .Xr ppp 8 ,
|
---|
147 | where the IP
|
---|
148 | address may or may not change on successive dial-up attempts.
|
---|
149 | .Pp
|
---|
150 | If the
|
---|
151 | .Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
---|
152 | mode bit is set to zero, this function can also be used to dynamically change
|
---|
153 | the aliasing address on a packet to packet basis (it is a low overhead call).
|
---|
154 | .Pp
|
---|
155 | It is mandatory that this function be called prior to any packet handling.
|
---|
156 | .Ed
|
---|
157 | .Pp
|
---|
158 | .Ft unsigned int
|
---|
159 | .Fn LibAliasSetMode "struct libalias *" "unsigned int flags" "unsigned int mask"
|
---|
160 | .Bd -ragged -offset indent
|
---|
161 | This function sets or clears mode bits
|
---|
162 | according to the value of
|
---|
163 | .Fa flags .
|
---|
164 | Only bits marked in
|
---|
165 | .Fa mask
|
---|
166 | are affected.
|
---|
167 | The following mode bits are defined in
|
---|
168 | .In alias.h :
|
---|
169 | .Bl -tag -width indent
|
---|
170 | .It Dv PKT_ALIAS_LOG
|
---|
171 | Enables logging into
|
---|
172 | .Pa /var/log/alias.log .
|
---|
173 | Each time an aliasing link is created or deleted, the log file is appended
|
---|
174 | with the current number of ICMP, TCP and UDP links.
|
---|
175 | Mainly useful for debugging when the log file is viewed continuously with
|
---|
176 | .Xr tail 1 .
|
---|
177 | .It Dv PKT_ALIAS_DENY_INCOMING
|
---|
178 | If this mode bit is set, all incoming packets associated with new TCP
|
---|
179 | connections or new UDP transactions will be marked for being ignored
|
---|
180 | .Fn ( LibAliasIn
|
---|
181 | returns
|
---|
182 | .Dv PKT_ALIAS_IGNORED
|
---|
183 | code)
|
---|
184 | by the calling program.
|
---|
185 | Response packets to connections or transactions initiated from the packet
|
---|
186 | aliasing host or local network will be unaffected.
|
---|
187 | This mode bit is useful for implementing a one-way firewall.
|
---|
188 | .It Dv PKT_ALIAS_SAME_PORTS
|
---|
189 | If this mode bit is set, the packet aliasing engine will attempt to leave
|
---|
190 | the alias port numbers unchanged from the actual local port numbers.
|
---|
191 | This can be done as long as the quintuple (proto, alias addr, alias port,
|
---|
192 | remote addr, remote port) is unique.
|
---|
193 | If a conflict exists, a new aliasing port number is chosen even if this
|
---|
194 | mode bit is set.
|
---|
195 | .It Dv PKT_ALIAS_USE_SOCKETS
|
---|
196 | This bit should be set when the packet aliasing host originates network
|
---|
197 | traffic as well as forwards it.
|
---|
198 | When the packet aliasing host is waiting for a connection from an unknown
|
---|
199 | host address or unknown port number (e.g.\& an FTP data connection), this
|
---|
200 | mode bit specifies that a socket be allocated as a place holder to prevent
|
---|
201 | port conflicts.
|
---|
202 | Once a connection is established, usually within a minute or so, the socket
|
---|
203 | is closed.
|
---|
204 | .It Dv PKT_ALIAS_UNREGISTERED_ONLY
|
---|
205 | If this mode bit is set, traffic on the local network which does not
|
---|
206 | originate from unregistered address spaces will be ignored.
|
---|
207 | Standard Class A, B and C unregistered addresses are:
|
---|
208 | .Bd -literal -offset indent
|
---|
209 | 10.0.0.0 -> 10.255.255.255 (Class A subnet)
|
---|
210 | 172.16.0.0 -> 172.31.255.255 (Class B subnets)
|
---|
211 | 192.168.0.0 -> 192.168.255.255 (Class C subnets)
|
---|
212 | .Ed
|
---|
213 | .Pp
|
---|
214 | This option is useful in the case that packet aliasing host has both
|
---|
215 | registered and unregistered subnets on different interfaces.
|
---|
216 | The registered subnet is fully accessible to the outside world, so traffic
|
---|
217 | from it does not need to be passed through the packet aliasing engine.
|
---|
218 | .It Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
|
---|
219 | When this mode bit is set and
|
---|
220 | .Fn LibAliasSetAddress
|
---|
221 | is called to change the aliasing address, the internal link table of the
|
---|
222 | packet aliasing engine will be cleared.
|
---|
223 | This operating mode is useful for
|
---|
224 | .Xr ppp 8
|
---|
225 | links where the interface address can sometimes change or remain the same
|
---|
226 | between dial-up attempts.
|
---|
227 | If this mode bit is not set, the link table will never be reset in the event
|
---|
228 | of an address change.
|
---|
229 | .It Dv PKT_ALIAS_PUNCH_FW
|
---|
230 | This option makes
|
---|
231 | .Nm
|
---|
232 | `punch holes' in an
|
---|
233 | .Xr ipfirewall 4
|
---|
234 | based firewall for FTP/IRC DCC connections.
|
---|
235 | The holes punched are bound by from/to IP address and port; it will not be
|
---|
236 | possible to use a hole for another connection.
|
---|
237 | A hole is removed when the connection that uses it dies.
|
---|
238 | To cater to unexpected death of a program using
|
---|
239 | .Nm
|
---|
240 | (e.g.\& kill -9),
|
---|
241 | changing the state of the flag will clear the entire firewall range
|
---|
242 | allocated for holes.
|
---|
243 | This will also happen on the initial call to
|
---|
244 | .Fn LibAliasSetFWBase .
|
---|
245 | This call must happen prior to setting this flag.
|
---|
246 | .It Dv PKT_ALIAS_REVERSE
|
---|
247 | This option makes
|
---|
248 | .Nm
|
---|
249 | reverse the way it handles incoming and outgoing packets, allowing it
|
---|
250 | to be fed with data that passes through the internal interface rather
|
---|
251 | than the external one.
|
---|
252 | .It Dv PKT_ALIAS_PROXY_ONLY
|
---|
253 | This option tells
|
---|
254 | .Nm
|
---|
255 | to obey transparent proxy rules only.
|
---|
256 | Normal packet aliasing is not performed.
|
---|
257 | See
|
---|
258 | .Fn LibAliasProxyRule
|
---|
259 | below for details.
|
---|
260 | .El
|
---|
261 | .Ed
|
---|
262 | .Pp
|
---|
263 | .Ft void
|
---|
264 | .Fn LibAliasSetFWBase "struct libalias *" "unsigned int base" "unsigned int num"
|
---|
265 | .Bd -ragged -offset indent
|
---|
266 | Set firewall range allocated for punching firewall holes (with the
|
---|
267 | .Dv PKT_ALIAS_PUNCH_FW
|
---|
268 | flag).
|
---|
269 | The range will be cleared for all rules on initialization.
|
---|
270 | .Ed
|
---|
271 | .Pp
|
---|
272 | .Ft void
|
---|
273 | .Fn LibAliasSkinnyPort "struct libalias *" "unsigned int port"
|
---|
274 | .Bd -ragged -offset indent
|
---|
275 | Set the TCP port used by the Skinny Station protocol.
|
---|
276 | Skinny is used by Cisco IP phones to communicate with
|
---|
277 | Cisco Call Managers to set up voice over IP calls.
|
---|
278 | If this is not set, Skinny aliasing will not be done.
|
---|
279 | The typical port used by Skinny is 2000.
|
---|
280 | .Ed
|
---|
281 | .Sh PACKET HANDLING
|
---|
282 | The packet handling functions are used to modify incoming (remote to local)
|
---|
283 | and outgoing (local to remote) packets.
|
---|
284 | The calling program is responsible for receiving and sending packets via
|
---|
285 | network interfaces.
|
---|
286 | .Pp
|
---|
287 | Along with
|
---|
288 | .Fn LibAliasInit
|
---|
289 | and
|
---|
290 | .Fn LibAliasSetAddress ,
|
---|
291 | the two packet handling functions,
|
---|
292 | .Fn LibAliasIn
|
---|
293 | and
|
---|
294 | .Fn LibAliasOut ,
|
---|
295 | comprise minimal set of functions needed for a basic IP masquerading
|
---|
296 | implementation.
|
---|
297 | .Pp
|
---|
298 | .Ft int
|
---|
299 | .Fn LibAliasIn "struct libalias *" "char *buffer" "int maxpacketsize"
|
---|
300 | .Bd -ragged -offset indent
|
---|
301 | An incoming packet coming from a remote machine to the local network is
|
---|
302 | de-aliased by this function.
|
---|
303 | The IP packet is pointed to by
|
---|
304 | .Fa buffer ,
|
---|
305 | and
|
---|
306 | .Fa maxpacketsize
|
---|
307 | indicates the size of the data structure containing the packet and should
|
---|
308 | be at least as large as the actual packet size.
|
---|
309 | .Pp
|
---|
310 | Return codes:
|
---|
311 | .Bl -tag -width indent
|
---|
312 | .It Dv PKT_ALIAS_OK
|
---|
313 | The packet aliasing process was successful.
|
---|
314 | .It Dv PKT_ALIAS_IGNORED
|
---|
315 | The packet was ignored and not de-aliased.
|
---|
316 | This can happen if the protocol is unrecognized, possibly an ICMP message
|
---|
317 | type is not handled or if incoming packets for new connections are being
|
---|
318 | ignored (if
|
---|
319 | .Dv PKT_ALIAS_DENY_INCOMING
|
---|
320 | mode bit was set by
|
---|
321 | .Fn LibAliasSetMode ) .
|
---|
322 | .It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT
|
---|
323 | This is returned when a fragment cannot be resolved because the header
|
---|
324 | fragment has not been sent yet.
|
---|
325 | In this situation, fragments must be saved with
|
---|
326 | .Fn LibAliasSaveFragment
|
---|
327 | until a header fragment is found.
|
---|
328 | .It Dv PKT_ALIAS_FOUND_HEADER_FRAGMENT
|
---|
329 | The packet aliasing process was successful, and a header fragment was found.
|
---|
330 | This is a signal to retrieve any unresolved fragments with
|
---|
331 | .Fn LibAliasGetFragment
|
---|
332 | and de-alias them with
|
---|
333 | .Fn LibAliasFragmentIn .
|
---|
334 | .It Dv PKT_ALIAS_ERROR
|
---|
335 | An internal error within the packet aliasing engine occurred.
|
---|
336 | .El
|
---|
337 | .Ed
|
---|
338 | .Pp
|
---|
339 | .Ft int
|
---|
340 | .Fn LibAliasOut "struct libalias *" "char *buffer" "int maxpacketsize"
|
---|
341 | .Bd -ragged -offset indent
|
---|
342 | An outgoing packet coming from the local network to a remote machine is
|
---|
343 | aliased by this function.
|
---|
344 | The IP packet is pointed to by
|
---|
345 | .Fa buffer ,
|
---|
346 | and
|
---|
347 | .Fa maxpacketsize
|
---|
348 | indicates the maximum packet size permissible should the packet length be
|
---|
349 | changed.
|
---|
350 | IP encoding protocols place address and port information in the encapsulated
|
---|
351 | data stream which has to be modified and can account for changes in packet
|
---|
352 | length.
|
---|
353 | Well known examples of such protocols are FTP and IRC DCC.
|
---|
354 | .Pp
|
---|
355 | Return codes:
|
---|
356 | .Bl -tag -width indent
|
---|
357 | .It Dv PKT_ALIAS_OK
|
---|
358 | The packet aliasing process was successful.
|
---|
359 | .It Dv PKT_ALIAS_IGNORED
|
---|
360 | The packet was ignored and not aliased.
|
---|
361 | This can happen if the protocol is unrecognized, or possibly an ICMP message
|
---|
362 | type is not handled.
|
---|
363 | .It Dv PKT_ALIAS_ERROR
|
---|
364 | An internal error within the packet aliasing engine occurred.
|
---|
365 | .El
|
---|
366 | .Ed
|
---|
367 | .Sh PORT AND ADDRESS REDIRECTION
|
---|
368 | The functions described in this section allow machines on the local network
|
---|
369 | to be accessible in some degree to new incoming connections from the external
|
---|
370 | network.
|
---|
371 | Individual ports can be re-mapped or static network address translations can
|
---|
372 | be designated.
|
---|
373 | .Pp
|
---|
374 | .Ft struct alias_link *
|
---|
375 | .Fo LibAliasRedirectPort
|
---|
376 | .Fa "struct libalias *"
|
---|
377 | .Fa "struct in_addr local_addr"
|
---|
378 | .Fa "u_short local_port"
|
---|
379 | .Fa "struct in_addr remote_addr"
|
---|
380 | .Fa "u_short remote_port"
|
---|
381 | .Fa "struct in_addr alias_addr"
|
---|
382 | .Fa "u_short alias_port"
|
---|
383 | .Fa "u_char proto"
|
---|
384 | .Fc
|
---|
385 | .Bd -ragged -offset indent
|
---|
386 | This function specifies that traffic from a given remote address/port to
|
---|
387 | an alias address/port be redirected to a specified local address/port.
|
---|
388 | The parameter
|
---|
389 | .Fa proto
|
---|
390 | can be either
|
---|
391 | .Dv IPPROTO_TCP
|
---|
392 | or
|
---|
393 | .Dv IPPROTO_UDP ,
|
---|
394 | as defined in
|
---|
395 | .In netinet/in.h .
|
---|
396 | .Pp
|
---|
397 | If
|
---|
398 | .Fa local_addr
|
---|
399 | or
|
---|
400 | .Fa alias_addr
|
---|
401 | is zero, this indicates that the packet aliasing address as established
|
---|
402 | by
|
---|
403 | .Fn LibAliasSetAddress
|
---|
404 | is to be used.
|
---|
405 | Even if
|
---|
406 | .Fn LibAliasSetAddress
|
---|
407 | is called to change the address after
|
---|
408 | .Fn LibAliasRedirectPort
|
---|
409 | is called, a zero reference will track this change.
|
---|
410 | .Pp
|
---|
411 | If the link is further set up to operate for a load sharing, then
|
---|
412 | .Fa local_addr
|
---|
413 | and
|
---|
414 | .Fa local_port
|
---|
415 | are ignored, and are selected dynamically from the server pool, as described in
|
---|
416 | .Fn LibAliasAddServer
|
---|
417 | below.
|
---|
418 | .Pp
|
---|
419 | If
|
---|
420 | .Fa remote_addr
|
---|
421 | is zero, this indicates to redirect packets from any remote address.
|
---|
422 | Likewise, if
|
---|
423 | .Fa remote_port
|
---|
424 | is zero, this indicates to redirect packets originating from any remote
|
---|
425 | port number.
|
---|
426 | Almost always, the remote port specification will be zero, but non-zero
|
---|
427 | remote addresses can sometimes be useful for firewalling.
|
---|
428 | If two calls to
|
---|
429 | .Fn LibAliasRedirectPort
|
---|
430 | overlap in their address/port specifications, then the most recent call
|
---|
431 | will have precedence.
|
---|
432 | .Pp
|
---|
433 | This function returns a pointer which can subsequently be used by
|
---|
434 | .Fn LibAliasRedirectDelete .
|
---|
435 | If
|
---|
436 | .Dv NULL
|
---|
437 | is returned, then the function call did not complete successfully.
|
---|
438 | .Pp
|
---|
439 | All port numbers should be in network address byte order, so it is necessary
|
---|
440 | to use
|
---|
441 | .Xr htons 3
|
---|
442 | to convert these parameters from internally readable numbers to network byte
|
---|
443 | order.
|
---|
444 | Addresses are also in network byte order, which is implicit in the use of the
|
---|
445 | .Fa struct in_addr
|
---|
446 | data type.
|
---|
447 | .Ed
|
---|
448 | .Pp
|
---|
449 | .Ft struct alias_link *
|
---|
450 | .Fo LibAliasRedirectAddr
|
---|
451 | .Fa "struct libalias *"
|
---|
452 | .Fa "struct in_addr local_addr"
|
---|
453 | .Fa "struct in_addr alias_addr"
|
---|
454 | .Fc
|
---|
455 | .Bd -ragged -offset indent
|
---|
456 | This function designates that all incoming traffic to
|
---|
457 | .Fa alias_addr
|
---|
458 | be redirected to
|
---|
459 | .Fa local_addr .
|
---|
460 | Similarly, all outgoing traffic from
|
---|
461 | .Fa local_addr
|
---|
462 | is aliased to
|
---|
463 | .Fa alias_addr .
|
---|
464 | .Pp
|
---|
465 | If
|
---|
466 | .Fa local_addr
|
---|
467 | or
|
---|
468 | .Fa alias_addr
|
---|
469 | is zero, this indicates that the packet aliasing address as established by
|
---|
470 | .Fn LibAliasSetAddress
|
---|
471 | is to be used.
|
---|
472 | Even if
|
---|
473 | .Fn LibAliasSetAddress
|
---|
474 | is called to change the address after
|
---|
475 | .Fn LibAliasRedirectAddr
|
---|
476 | is called, a zero reference will track this change.
|
---|
477 | .Pp
|
---|
478 | If the link is further set up to operate for a load sharing, then
|
---|
479 | .Fa local_addr
|
---|
480 | is ignored, and is selected dynamically from the server pool, as described in
|
---|
481 | .Fn LibAliasAddServer
|
---|
482 | below.
|
---|
483 | .Pp
|
---|
484 | If subsequent calls to
|
---|
485 | .Fn LibAliasRedirectAddr
|
---|
486 | use the same aliasing address, all new incoming traffic to this aliasing
|
---|
487 | address will be redirected to the local address made in the last function
|
---|
488 | call.
|
---|
489 | New traffic generated by any of the local machines, designated in the
|
---|
490 | several function calls, will be aliased to the same address.
|
---|
491 | Consider the following example:
|
---|
492 | .Bd -literal -offset indent
|
---|
493 | LibAliasRedirectAddr(la, inet_aton("192.168.0.2"),
|
---|
494 | inet_aton("141.221.254.101"));
|
---|
495 | LibAliasRedirectAddr(la, inet_aton("192.168.0.3"),
|
---|
496 | inet_aton("141.221.254.101"));
|
---|
497 | LibAliasRedirectAddr(la, inet_aton("192.168.0.4"),
|
---|
498 | inet_aton("141.221.254.101"));
|
---|
499 | .Ed
|
---|
500 | .Pp
|
---|
501 | Any outgoing connections such as
|
---|
502 | .Xr telnet 1
|
---|
503 | or
|
---|
504 | .Xr ftp 1
|
---|
505 | from 192.168.0.2, 192.168.0.3 and 192.168.0.4 will appear to come from
|
---|
506 | 141.221.254.101.
|
---|
507 | Any incoming connections to 141.221.254.101 will be directed to 192.168.0.4.
|
---|
508 | .Pp
|
---|
509 | Any calls to
|
---|
510 | .Fn LibAliasRedirectPort
|
---|
511 | will have precedence over address mappings designated by
|
---|
512 | .Fn LibAliasRedirectAddr .
|
---|
513 | .Pp
|
---|
514 | This function returns a pointer which can subsequently be used by
|
---|
515 | .Fn LibAliasRedirectDelete .
|
---|
516 | If
|
---|
517 | .Dv NULL
|
---|
518 | is returned, then the function call did not complete successfully.
|
---|
519 | .Ed
|
---|
520 | .Pp
|
---|
521 | .Ft int
|
---|
522 | .Fo LibAliasAddServer
|
---|
523 | .Fa "struct libalias *"
|
---|
524 | .Fa "struct alias_link *link"
|
---|
525 | .Fa "struct in_addr addr"
|
---|
526 | .Fa "u_short port"
|
---|
527 | .Fc
|
---|
528 | .Bd -ragged -offset indent
|
---|
529 | This function sets the
|
---|
530 | .Fa link
|
---|
531 | up for Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
|
---|
532 | LSNAT operates as follows.
|
---|
533 | A client attempts to access a server by using the server virtual address.
|
---|
534 | The LSNAT router transparently redirects the request to one of the hosts
|
---|
535 | in server pool, selected using a real-time load sharing algorithm.
|
---|
536 | Multiple sessions may be initiated from the same client, and each session
|
---|
537 | could be directed to a different host based on load balance across server
|
---|
538 | pool hosts at the time.
|
---|
539 | If load share is desired for just a few specific services, the configuration
|
---|
540 | on LSNAT could be defined to restrict load share for just the services
|
---|
541 | desired.
|
---|
542 | .Pp
|
---|
543 | Currently, only the simplest selection algorithm is implemented, where a
|
---|
544 | host is selected on a round-robin basis only, without regard to load on
|
---|
545 | the host.
|
---|
546 | .Pp
|
---|
547 | First, the
|
---|
548 | .Fa link
|
---|
549 | is created by either
|
---|
550 | .Fn LibAliasRedirectPort
|
---|
551 | or
|
---|
552 | .Fn LibAliasRedirectAddr .
|
---|
553 | Then,
|
---|
554 | .Fn LibAliasAddServer
|
---|
555 | is called multiple times to add entries to the
|
---|
556 | .Fa link Ns 's
|
---|
557 | server pool.
|
---|
558 | .Pp
|
---|
559 | For links created with
|
---|
560 | .Fn LibAliasRedirectAddr ,
|
---|
561 | the
|
---|
562 | .Fa port
|
---|
563 | argument is ignored and could have any value, e.g.\& htons(~0).
|
---|
564 | .Pp
|
---|
565 | This function returns 0 on success, \-1 otherwise.
|
---|
566 | .Ed
|
---|
567 | .Pp
|
---|
568 | .Ft int
|
---|
569 | .Fn LibAliasRedirectDynamic "struct libalias *" "struct alias_link *link"
|
---|
570 | .Bd -ragged -offset indent
|
---|
571 | This function marks the specified static redirect rule entered by
|
---|
572 | .Fn LibAliasRedirectPort
|
---|
573 | as dynamic.
|
---|
574 | This can be used to e.g.\& dynamically redirect a single TCP connection,
|
---|
575 | after which the rule is removed.
|
---|
576 | Only fully specified links can be made dynamic.
|
---|
577 | (See the
|
---|
578 | .Sx STATIC AND DYNAMIC LINKS
|
---|
579 | and
|
---|
580 | .Sx PARTIALLY SPECIFIED ALIASING LINKS
|
---|
581 | sections below for a definition of static vs.\& dynamic,
|
---|
582 | and partially vs.\& fully specified links.)
|
---|
583 | .Pp
|
---|
584 | This function returns 0 on success, \-1 otherwise.
|
---|
585 | .Ed
|
---|
586 | .Pp
|
---|
587 | .Ft void
|
---|
588 | .Fn LibAliasRedirectDelete "struct libalias *" "struct alias_link *link"
|
---|
589 | .Bd -ragged -offset indent
|
---|
590 | This function will delete a specific static redirect rule entered by
|
---|
591 | .Fn LibAliasRedirectPort
|
---|
592 | or
|
---|
593 | .Fn LibAliasRedirectAddr .
|
---|
594 | The parameter
|
---|
595 | .Fa link
|
---|
596 | is the pointer returned by either of the redirection functions.
|
---|
597 | If an invalid pointer is passed to
|
---|
598 | .Fn LibAliasRedirectDelete ,
|
---|
599 | then a program crash or unpredictable operation could result, so it is
|
---|
600 | necessary to be careful using this function.
|
---|
601 | .Ed
|
---|
602 | .Pp
|
---|
603 | .Ft int
|
---|
604 | .Fn LibAliasProxyRule "struct libalias *" "const char *cmd"
|
---|
605 | .Bd -ragged -offset indent
|
---|
606 | The passed
|
---|
607 | .Fa cmd
|
---|
608 | string consists of one or more pairs of words.
|
---|
609 | The first word in each pair is a token and the second is the value that
|
---|
610 | should be applied for that token.
|
---|
611 | Tokens and their argument types are as follows:
|
---|
612 | .Bl -tag -width indent
|
---|
613 | .It Cm type encode_ip_hdr | encode_tcp_stream | no_encode
|
---|
614 | In order to support transparent proxying, it is necessary to somehow
|
---|
615 | pass the original address and port information into the new destination
|
---|
616 | server.
|
---|
617 | If
|
---|
618 | .Cm encode_ip_hdr
|
---|
619 | is specified, the original destination address and port are passed
|
---|
620 | as an extra IP option.
|
---|
621 | If
|
---|
622 | .Cm encode_tcp_stream
|
---|
623 | is specified, the original destination address and port are passed
|
---|
624 | as the first piece of data in the TCP stream in the format
|
---|
625 | .Dq Li DEST Ar IP port .
|
---|
626 | .It Cm port Ar portnum
|
---|
627 | Only packets with the destination port
|
---|
628 | .Ar portnum
|
---|
629 | are proxied.
|
---|
630 | .It Cm server Ar host Ns Op : Ns Ar portnum
|
---|
631 | This specifies the
|
---|
632 | .Ar host
|
---|
633 | and
|
---|
634 | .Ar portnum
|
---|
635 | that the data is to be redirected to.
|
---|
636 | .Ar host
|
---|
637 | must be an IP address rather than a DNS host name.
|
---|
638 | If
|
---|
639 | .Ar portnum
|
---|
640 | is not specified, the destination port number is not changed.
|
---|
641 | .Pp
|
---|
642 | The
|
---|
643 | .Ar server
|
---|
644 | specification is mandatory unless the
|
---|
645 | .Cm delete
|
---|
646 | command is being used.
|
---|
647 | .It Cm rule Ar index
|
---|
648 | Normally, each call to
|
---|
649 | .Fn LibAliasProxyRule
|
---|
650 | inserts the next rule at the start of a linear list of rules.
|
---|
651 | If an
|
---|
652 | .Ar index
|
---|
653 | is specified, the new rule will be checked after all rules with lower
|
---|
654 | indices.
|
---|
655 | Calls to
|
---|
656 | .Fn LibAliasProxyRule
|
---|
657 | that do not specify a rule are assigned rule 0.
|
---|
658 | .It Cm delete Ar index
|
---|
659 | This token and its argument MUST NOT be used with any other tokens.
|
---|
660 | When used, all existing rules with the given
|
---|
661 | .Ar index
|
---|
662 | are deleted.
|
---|
663 | .It Cm proto tcp | udp
|
---|
664 | If specified, only packets of the given protocol type are matched.
|
---|
665 | .It Cm src Ar IP Ns Op / Ns Ar bits
|
---|
666 | If specified, only packets with a source address matching the given
|
---|
667 | .Ar IP
|
---|
668 | are matched.
|
---|
669 | If
|
---|
670 | .Ar bits
|
---|
671 | is also specified, then the first
|
---|
672 | .Ar bits
|
---|
673 | bits of
|
---|
674 | .Ar IP
|
---|
675 | are taken as a network specification, and all IP addresses from that
|
---|
676 | network will be matched.
|
---|
677 | .It Cm dst Ar IP Ns Op / Ns Ar bits
|
---|
678 | If specified, only packets with a destination address matching the given
|
---|
679 | .Ar IP
|
---|
680 | are matched.
|
---|
681 | If
|
---|
682 | .Ar bits
|
---|
683 | is also specified, then the first
|
---|
684 | .Ar bits
|
---|
685 | bits of
|
---|
686 | .Ar IP
|
---|
687 | are taken as a network specification, and all IP addresses from that
|
---|
688 | network will be matched.
|
---|
689 | .El
|
---|
690 | .Pp
|
---|
691 | This function is usually used to redirect outgoing connections for
|
---|
692 | internal machines that are not permitted certain types of internet
|
---|
693 | access, or to restrict access to certain external machines.
|
---|
694 | .Ed
|
---|
695 | .Pp
|
---|
696 | .Ft struct alias_link *
|
---|
697 | .Fo LibAliasRedirectProto
|
---|
698 | .Fa "struct libalias *"
|
---|
699 | .Fa "struct in_addr local_addr"
|
---|
700 | .Fa "struct in_addr remote_addr"
|
---|
701 | .Fa "struct in_addr alias_addr"
|
---|
702 | .Fa "u_char proto"
|
---|
703 | .Fc
|
---|
704 | .Bd -ragged -offset indent
|
---|
705 | This function specifies that any IP packet with protocol number of
|
---|
706 | .Fa proto
|
---|
707 | from a given remote address to an alias address be
|
---|
708 | redirected to a specified local address.
|
---|
709 | .Pp
|
---|
710 | If
|
---|
711 | .Fa local_addr
|
---|
712 | or
|
---|
713 | .Fa alias_addr
|
---|
714 | is zero, this indicates that the packet aliasing address as established
|
---|
715 | by
|
---|
716 | .Fn LibAliasSetAddress
|
---|
717 | is to be used.
|
---|
718 | Even if
|
---|
719 | .Fn LibAliasSetAddress
|
---|
720 | is called to change the address after
|
---|
721 | .Fn LibAliasRedirectProto
|
---|
722 | is called, a zero reference will track this change.
|
---|
723 | .Pp
|
---|
724 | If
|
---|
725 | .Fa remote_addr
|
---|
726 | is zero, this indicates to redirect packets from any remote address.
|
---|
727 | Non-zero remote addresses can sometimes be useful for firewalling.
|
---|
728 | .Pp
|
---|
729 | If two calls to
|
---|
730 | .Fn LibAliasRedirectProto
|
---|
731 | overlap in their address specifications, then the most recent call
|
---|
732 | will have precedence.
|
---|
733 | .Pp
|
---|
734 | This function returns a pointer which can subsequently be used by
|
---|
735 | .Fn LibAliasRedirectDelete .
|
---|
736 | If
|
---|
737 | .Dv NULL
|
---|
738 | is returned, then the function call did not complete successfully.
|
---|
739 | .Ed
|
---|
740 | .Sh FRAGMENT HANDLING
|
---|
741 | The functions in this section are used to deal with incoming fragments.
|
---|
742 | .Pp
|
---|
743 | Outgoing fragments are handled within
|
---|
744 | .Fn LibAliasOut
|
---|
745 | by changing the address according to any applicable mapping set by
|
---|
746 | .Fn LibAliasRedirectAddr ,
|
---|
747 | or the default aliasing address set by
|
---|
748 | .Fn LibAliasSetAddress .
|
---|
749 | .Pp
|
---|
750 | Incoming fragments are handled in one of two ways.
|
---|
751 | If the header of a fragmented IP packet has already been seen, then all
|
---|
752 | subsequent fragments will be re-mapped in the same manner the header
|
---|
753 | fragment was.
|
---|
754 | Fragments which arrive before the header are saved and then retrieved
|
---|
755 | once the header fragment has been resolved.
|
---|
756 | .Pp
|
---|
757 | .Ft int
|
---|
758 | .Fn LibAliasSaveFragment "struct libalias *" "char *ptr"
|
---|
759 | .Bd -ragged -offset indent
|
---|
760 | When
|
---|
761 | .Fn LibAliasIn
|
---|
762 | returns
|
---|
763 | .Dv PKT_ALIAS_UNRESOLVED_FRAGMENT ,
|
---|
764 | this function can be used to save the pointer to the unresolved fragment.
|
---|
765 | .Pp
|
---|
766 | It is implicitly assumed that
|
---|
767 | .Fa ptr
|
---|
768 | points to a block of memory allocated by
|
---|
769 | .Xr malloc 3 .
|
---|
770 | If the fragment is never resolved, the packet aliasing engine will
|
---|
771 | automatically free the memory after a timeout period.
|
---|
772 | [Eventually this function should be modified so that a callback function
|
---|
773 | for freeing memory is passed as an argument.]
|
---|
774 | .Pp
|
---|
775 | This function returns
|
---|
776 | .Dv PKT_ALIAS_OK
|
---|
777 | if it was successful and
|
---|
778 | .Dv PKT_ALIAS_ERROR
|
---|
779 | if there was an error.
|
---|
780 | .Ed
|
---|
781 | .Pp
|
---|
782 | .Ft char *
|
---|
783 | .Fn LibAliasGetFragment "struct libalias *" "char *buffer"
|
---|
784 | .Bd -ragged -offset indent
|
---|
785 | This function can be used to retrieve fragment pointers saved by
|
---|
786 | .Fn LibAliasSaveFragment .
|
---|
787 | The IP header fragment pointed to by
|
---|
788 | .Fa buffer
|
---|
789 | is the header fragment indicated when
|
---|
790 | .Fn LibAliasIn
|
---|
791 | returns
|
---|
792 | .Dv PKT_ALIAS_FOUND_HEADER_FRAGMENT .
|
---|
793 | Once a fragment pointer is retrieved, it becomes the calling program's
|
---|
794 | responsibility to free the dynamically allocated memory for the fragment.
|
---|
795 | .Pp
|
---|
796 | The
|
---|
797 | .Fn LibAliasGetFragment
|
---|
798 | function can be called sequentially until there are no more fragments
|
---|
799 | available, at which time it returns
|
---|
800 | .Dv NULL .
|
---|
801 | .Ed
|
---|
802 | .Pp
|
---|
803 | .Ft void
|
---|
804 | .Fn LibAliasFragmentIn "struct libalias *" "char *header" "char *fragment"
|
---|
805 | .Bd -ragged -offset indent
|
---|
806 | When a fragment is retrieved with
|
---|
807 | .Fn LibAliasGetFragment ,
|
---|
808 | it can then be de-aliased with a call to
|
---|
809 | .Fn LibAliasFragmentIn .
|
---|
810 | The
|
---|
811 | .Fa header
|
---|
812 | argument is the pointer to a header fragment used as a template, and
|
---|
813 | .Fa fragment
|
---|
814 | is the pointer to the packet to be de-aliased.
|
---|
815 | .Ed
|
---|
816 | .Sh MISCELLANEOUS FUNCTIONS
|
---|
817 | .Ft void
|
---|
818 | .Fn LibAliasSetTarget "struct libalias *" "struct in_addr addr"
|
---|
819 | .Bd -ragged -offset indent
|
---|
820 | When an incoming packet not associated with any pre-existing aliasing link
|
---|
821 | arrives at the host machine, it will be sent to the address indicated by a
|
---|
822 | call to
|
---|
823 | .Fn LibAliasSetTarget .
|
---|
824 | .Pp
|
---|
825 | If this function is called with an
|
---|
826 | .Dv INADDR_NONE
|
---|
827 | address argument, then all new incoming packets go to the address set by
|
---|
828 | .Fn LibAliasSetAddress .
|
---|
829 | .Pp
|
---|
830 | If this function is not called, or is called with an
|
---|
831 | .Dv INADDR_ANY
|
---|
832 | address argument, then all new incoming packets go to the address specified
|
---|
833 | in the packet.
|
---|
834 | This allows external machines to talk directly to internal machines if they
|
---|
835 | can route packets to the machine in question.
|
---|
836 | .Ed
|
---|
837 | .Pp
|
---|
838 | .Ft int
|
---|
839 | .Fn LibAliasCheckNewLink "struct libalias *"
|
---|
840 | .Bd -ragged -offset indent
|
---|
841 | This function returns a non-zero value when a new aliasing link is created.
|
---|
842 | In circumstances where incoming traffic is being sequentially sent to
|
---|
843 | different local servers, this function can be used to trigger when
|
---|
844 | .Fn LibAliasSetTarget
|
---|
845 | is called to change the default target address.
|
---|
846 | .Ed
|
---|
847 | .Pp
|
---|
848 | .Ft u_short
|
---|
849 | .Fn LibAliasInternetChecksum "struct libalias *" "u_short *buffer" "int nbytes"
|
---|
850 | .Bd -ragged -offset indent
|
---|
851 | This is a utility function that does not seem to be available elsewhere and
|
---|
852 | is included as a convenience.
|
---|
853 | It computes the internet checksum, which is used in both IP and
|
---|
854 | protocol-specific headers (TCP, UDP, ICMP).
|
---|
855 | .Pp
|
---|
856 | The
|
---|
857 | .Fa buffer
|
---|
858 | argument points to the data block to be checksummed, and
|
---|
859 | .Fa nbytes
|
---|
860 | is the number of bytes.
|
---|
861 | The 16-bit checksum field should be zeroed before computing the checksum.
|
---|
862 | .Pp
|
---|
863 | Checksums can also be verified by operating on a block of data including
|
---|
864 | its checksum.
|
---|
865 | If the checksum is valid,
|
---|
866 | .Fn LibAliasInternetChecksum
|
---|
867 | will return zero.
|
---|
868 | .Ed
|
---|
869 | .Pp
|
---|
870 | .Ft int
|
---|
871 | .Fn LibAliasUnaliasOut "struct libalias *" "char *buffer" "int maxpacketsize"
|
---|
872 | .Bd -ragged -offset indent
|
---|
873 | An outgoing packet, which has already been aliased,
|
---|
874 | has its private address/port information restored by this function.
|
---|
875 | The IP packet is pointed to by
|
---|
876 | .Fa buffer ,
|
---|
877 | and
|
---|
878 | .Fa maxpacketsize
|
---|
879 | is provided for error checking purposes.
|
---|
880 | This function can be used if an already-aliased packet needs to have its
|
---|
881 | original IP header restored for further processing (e.g.\& logging).
|
---|
882 | .Ed
|
---|
883 | .Sh AUTHORS
|
---|
884 | .An Charles Mott Aq cm@linktel.net ,
|
---|
885 | versions 1.0 - 1.8, 2.0 - 2.4.
|
---|
886 | .An Eivind Eklund Aq eivind@FreeBSD.org ,
|
---|
887 | versions 1.8b, 1.9 and 2.5.
|
---|
888 | Added IRC DCC support as well as contributing a number of architectural
|
---|
889 | improvements; added the firewall bypass for FTP/IRC DCC.
|
---|
890 | .An Erik Salander Aq erik@whistle.com
|
---|
891 | added support for PPTP and RTSP.
|
---|
892 | .An Junichi Satoh Aq junichi@junichi.org
|
---|
893 | added support for RTSP/PNA.
|
---|
894 | .An Ruslan Ermilov Aq ru@FreeBSD.org
|
---|
895 | added support for PPTP and LSNAT as well as general hacking.
|
---|
896 | .An Paolo Pisati Aq piso@FreeBSD.org
|
---|
897 | made the library modular, moving support for all
|
---|
898 | protocols (except for IP, TCP and UDP) to external modules.
|
---|
899 | .Sh ACKNOWLEDGMENTS
|
---|
900 | Listed below, in approximate chronological order, are individuals who
|
---|
901 | have provided valuable comments and/or debugging assistance.
|
---|
902 | .Pp
|
---|
903 | .Bd -ragged -offset indent
|
---|
904 | .An -split
|
---|
905 | .An Gary Roberts
|
---|
906 | .An Tom Torrance
|
---|
907 | .An Reto Burkhalter
|
---|
908 | .An Martin Renters
|
---|
909 | .An Brian Somers
|
---|
910 | .An Paul Traina
|
---|
911 | .An Ari Suutari
|
---|
912 | .An Dave Remien
|
---|
913 | .An J. Fortes
|
---|
914 | .An Andrzej Bialecki
|
---|
915 | .An Gordon Burditt
|
---|
916 | .Ed
|
---|
917 | .Sh CONCEPTUAL BACKGROUND
|
---|
918 | This section is intended for those who are planning to modify the source
|
---|
919 | code or want to create somewhat esoteric applications using the packet
|
---|
920 | aliasing functions.
|
---|
921 | .Pp
|
---|
922 | The conceptual framework under which the packet aliasing engine operates
|
---|
923 | is described here.
|
---|
924 | Central to the discussion is the idea of an
|
---|
925 | .Em aliasing link
|
---|
926 | which describes the relationship for a given packet transaction between
|
---|
927 | the local machine, aliased identity and remote machine.
|
---|
928 | It is discussed how such links come into existence and are destroyed.
|
---|
929 | .Ss ALIASING LINKS
|
---|
930 | There is a notion of an
|
---|
931 | .Em aliasing link ,
|
---|
932 | which is a 7-tuple describing a specific translation:
|
---|
933 | .Bd -literal -offset indent
|
---|
934 | (local addr, local port, alias addr, alias port,
|
---|
935 | remote addr, remote port, protocol)
|
---|
936 | .Ed
|
---|
937 | .Pp
|
---|
938 | Outgoing packets have the local address and port number replaced with the
|
---|
939 | alias address and port number.
|
---|
940 | Incoming packets undergo the reverse process.
|
---|
941 | The packet aliasing engine attempts to match packets against an internal
|
---|
942 | table of aliasing links to determine how to modify a given IP packet.
|
---|
943 | Both the IP header and protocol dependent headers are modified as necessary.
|
---|
944 | Aliasing links are created and deleted as necessary according to network
|
---|
945 | traffic.
|
---|
946 | .Pp
|
---|
947 | Protocols can be TCP, UDP or even ICMP in certain circumstances.
|
---|
948 | (Some types of ICMP packets can be aliased according to sequence or ID
|
---|
949 | number which acts as an equivalent port number for identifying how
|
---|
950 | individual packets should be handled.)
|
---|
951 | .Pp
|
---|
952 | Each aliasing link must have a unique combination of the following five
|
---|
953 | quantities: alias address/port, remote address/port and protocol.
|
---|
954 | This ensures that several machines on a local network can share the
|
---|
955 | same aliasing IP address.
|
---|
956 | In cases where conflicts might arise, the aliasing port is chosen so that
|
---|
957 | uniqueness is maintained.
|
---|
958 | .Ss STATIC AND DYNAMIC LINKS
|
---|
959 | Aliasing links can either be static or dynamic.
|
---|
960 | Static links persist indefinitely and represent fixed rules for translating
|
---|
961 | IP packets.
|
---|
962 | Dynamic links come into existence for a specific TCP connection or UDP
|
---|
963 | transaction or ICMP ECHO sequence.
|
---|
964 | For the case of TCP, the connection can be monitored to see when the
|
---|
965 | associated aliasing link should be deleted.
|
---|
966 | Aliasing links for UDP transactions (and ICMP ECHO and TIMESTAMP requests)
|
---|
967 | work on a simple timeout rule.
|
---|
968 | When no activity is observed on a dynamic link for a certain amount of time
|
---|
969 | it is automatically deleted.
|
---|
970 | Timeout rules also apply to TCP connections which do not open or close
|
---|
971 | properly.
|
---|
972 | .Ss PARTIALLY SPECIFIED ALIASING LINKS
|
---|
973 | Aliasing links can be partially specified, meaning that the remote address
|
---|
974 | and/or remote port are unknown.
|
---|
975 | In this case, when a packet matching the incomplete specification is found,
|
---|
976 | a fully specified dynamic link is created.
|
---|
977 | If the original partially specified link is dynamic, it will be deleted
|
---|
978 | after the fully specified link is created, otherwise it will persist.
|
---|
979 | .Pp
|
---|
980 | For instance, a partially specified link might be
|
---|
981 | .Bd -literal -offset indent
|
---|
982 | (192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp)
|
---|
983 | .Ed
|
---|
984 | .Pp
|
---|
985 | The zeros denote unspecified components for the remote address and port.
|
---|
986 | If this link were static it would have the effect of redirecting all
|
---|
987 | incoming traffic from port 8066 of 204.228.203.215 to port 23 (telnet)
|
---|
988 | of machine 192.168.0.4 on the local network.
|
---|
989 | Each individual telnet connection would initiate the creation of a distinct
|
---|
990 | dynamic link.
|
---|
991 | .Ss DYNAMIC LINK CREATION
|
---|
992 | In addition to aliasing links, there are also address mappings that can be
|
---|
993 | stored within the internal data table of the packet aliasing mechanism.
|
---|
994 | .Bd -literal -offset indent
|
---|
995 | (local addr, alias addr)
|
---|
996 | .Ed
|
---|
997 | .Pp
|
---|
998 | Address mappings are searched when creating new dynamic links.
|
---|
999 | .Pp
|
---|
1000 | All outgoing packets from the local network automatically create a dynamic
|
---|
1001 | link if they do not match an already existing fully specified link.
|
---|
1002 | If an address mapping exists for the outgoing packet, this determines
|
---|
1003 | the alias address to be used.
|
---|
1004 | If no mapping exists, then a default address, usually the address of the
|
---|
1005 | packet aliasing host, is used.
|
---|
1006 | If necessary, this default address can be changed as often as each individual
|
---|
1007 | packet arrives.
|
---|
1008 | .Pp
|
---|
1009 | The aliasing port number is determined such that the new dynamic link does
|
---|
1010 | not conflict with any existing links.
|
---|
1011 | In the default operating mode, the packet aliasing engine attempts to set
|
---|
1012 | the aliasing port equal to the local port number.
|
---|
1013 | If this results in a conflict, then port numbers are randomly chosen until
|
---|
1014 | a unique aliasing link can be established.
|
---|
1015 | In an alternate operating mode, the first choice of an aliasing port is also
|
---|
1016 | random and unrelated to the local port number.
|
---|
1017 | .Sh MODULAR ARCHITECTURE (AND Xr ipfw 4 Sh SUPPORT)
|
---|
1018 | One of the latest improvements to
|
---|
1019 | .Nm
|
---|
1020 | was to make its support
|
---|
1021 | for new protocols independent from the rest of the library, giving it
|
---|
1022 | the ability to load/unload support for new protocols at run-time.
|
---|
1023 | To achieve this feature, all the code for protocol handling was moved
|
---|
1024 | to a series of modules outside of the main library.
|
---|
1025 | These modules are compiled from the same sources but work in
|
---|
1026 | different ways, depending on whether they are compiled to work inside a kernel
|
---|
1027 | or as part of the userland library.
|
---|
1028 | .Ss LIBALIAS MODULES IN KERNEL LAND
|
---|
1029 | When compiled for the kernel,
|
---|
1030 | .Nm
|
---|
1031 | modules are plain KLDs recognizable with the
|
---|
1032 | .Pa alias_
|
---|
1033 | prefix.
|
---|
1034 | .Pp
|
---|
1035 | To add support for a new protocol, load the corresponding module.
|
---|
1036 | For example:
|
---|
1037 | .Pp
|
---|
1038 | .Dl "kldload alias_ftp"
|
---|
1039 | .Pp
|
---|
1040 | When support for a protocol is no longer needed, its module can be unloaded:
|
---|
1041 | .Pp
|
---|
1042 | .Dl "kldunload alias_ftp"
|
---|
1043 | .Ss LIBALIAS MODULES IN USERLAND
|
---|
1044 | Due to the differences between kernel and userland (no KLD mechanism,
|
---|
1045 | many different address spaces, etc.), we had to change a bit how to
|
---|
1046 | handle module loading/tracking/unloading in userland.
|
---|
1047 | .Pp
|
---|
1048 | While compiled for a userland
|
---|
1049 | .Nm ,
|
---|
1050 | all the modules are plain libraries, residing in
|
---|
1051 | .Pa /usr/lib ,
|
---|
1052 | and recognizable with the
|
---|
1053 | .Pa libalias_
|
---|
1054 | prefix.
|
---|
1055 | .Pp
|
---|
1056 | There is a configuration file,
|
---|
1057 | .Pa /etc/libalias.conf ,
|
---|
1058 | with the following contents (by default):
|
---|
1059 | .Bd -literal -offset indent
|
---|
1060 | /usr/lib/libalias_cuseeme.so
|
---|
1061 | /usr/lib/libalias_ftp.so
|
---|
1062 | /usr/lib/libalias_irc.so
|
---|
1063 | /usr/lib/libalias_nbt.so
|
---|
1064 | /usr/lib/libalias_pptp.so
|
---|
1065 | /usr/lib/libalias_skinny.so
|
---|
1066 | /usr/lib/libalias_smedia.so
|
---|
1067 | .Ed
|
---|
1068 | .Pp
|
---|
1069 | This file contains the paths to the modules that
|
---|
1070 | .Nm
|
---|
1071 | will load.
|
---|
1072 | To load/unload a new module, just add its path to
|
---|
1073 | .Pa libalias.conf
|
---|
1074 | and call
|
---|
1075 | .Fn LibAliasRefreshModules
|
---|
1076 | from the program.
|
---|
1077 | In case the application provides a
|
---|
1078 | .Dv SIGHUP
|
---|
1079 | signal handler, add a call to
|
---|
1080 | .Fn LibAliasRefreshModules
|
---|
1081 | inside the handler, and everytime you want to refresh the loaded modules,
|
---|
1082 | send it the
|
---|
1083 | .Dv SIGHUP
|
---|
1084 | signal:
|
---|
1085 | .Pp
|
---|
1086 | .Dl "kill -HUP <process_pid>"
|
---|
1087 | .Ss MODULAR ARCHITECURE: HOW IT WORKS
|
---|
1088 | The modular architecture of
|
---|
1089 | .Nm
|
---|
1090 | works similar whether it is running inside the
|
---|
1091 | kernel or in userland.
|
---|
1092 | From
|
---|
1093 | .Pa alias_mod.c :
|
---|
1094 | .Bd -literal
|
---|
1095 | /* Protocol and userland module handlers chains. */
|
---|
1096 | LIST_HEAD(handler_chain, proto_handler) handler_chain ...
|
---|
1097 | \&...
|
---|
1098 | SLIST_HEAD(dll_chain, dll) dll_chain ...
|
---|
1099 | .Ed
|
---|
1100 | .Pp
|
---|
1101 | .Va handler_chain
|
---|
1102 | keep tracks of all the protocol handlers loaded, while
|
---|
1103 | .Va ddl_chain
|
---|
1104 | takes care of userland modules loaded.
|
---|
1105 | .Pp
|
---|
1106 | .Va handler_chain
|
---|
1107 | is composed of
|
---|
1108 | .Vt "struct proto_handler"
|
---|
1109 | entries:
|
---|
1110 | .Bd -literal
|
---|
1111 | struct proto_handler {
|
---|
1112 | u_int pri;
|
---|
1113 | int16_t dir;
|
---|
1114 | uint8_t proto;
|
---|
1115 | int (*fingerprint)(struct libalias *la,
|
---|
1116 | struct ip *pip, struct alias_data *ah);
|
---|
1117 | int (*protohandler)(struct libalias *la,
|
---|
1118 | struct ip *pip, struct alias_data *ah);
|
---|
1119 | LIST_ENTRY(proto_handler) entries;
|
---|
1120 | };
|
---|
1121 | .Ed
|
---|
1122 | .Pp
|
---|
1123 | where:
|
---|
1124 | .Bl -inset
|
---|
1125 | .It Va pri
|
---|
1126 | is the priority assigned to a protocol handler, lower
|
---|
1127 | is better.
|
---|
1128 | .It Va dir
|
---|
1129 | is the direction of packets: ingoing or outgoing.
|
---|
1130 | .It Va proto
|
---|
1131 | says at which protocol this packet belongs: IP, TCP or UDP.
|
---|
1132 | .It Va fingerprint
|
---|
1133 | points to the fingerprint function while protohandler points
|
---|
1134 | to the protocol handler function.
|
---|
1135 | .El
|
---|
1136 | .Pp
|
---|
1137 | The
|
---|
1138 | .Va fingerprint
|
---|
1139 | function has the double of scope of checking if the
|
---|
1140 | incoming packet is found and if it belongs to any categories that this
|
---|
1141 | module can handle.
|
---|
1142 | .Pp
|
---|
1143 | The
|
---|
1144 | .Va protohandler
|
---|
1145 | function actually manipulates
|
---|
1146 | the packet to make
|
---|
1147 | .Nm
|
---|
1148 | correctly NAT it.
|
---|
1149 | .Pp
|
---|
1150 | When a packet enters
|
---|
1151 | .Nm ,
|
---|
1152 | if it meets a module hook,
|
---|
1153 | .Va handler_chain
|
---|
1154 | is searched to see if there is an handler that matches
|
---|
1155 | this type of a packet (it checks protocol and direction of packet), then if
|
---|
1156 | more than one handler is found, it starts with the module with
|
---|
1157 | the lowest priority number: it calls the
|
---|
1158 | .Va fingerprint
|
---|
1159 | function and interprets the result.
|
---|
1160 | .Pp
|
---|
1161 | If the result value is equal to 0 then it calls the protocol handler
|
---|
1162 | of this handler and returns.
|
---|
1163 | Otherwise, it proceeds to the next eligible module until the
|
---|
1164 | .Va handler_chain
|
---|
1165 | is exhausted.
|
---|
1166 | .Pp
|
---|
1167 | Inside
|
---|
1168 | .Nm ,
|
---|
1169 | the module hook looks like this:
|
---|
1170 | .Bd -literal -offset indent
|
---|
1171 | struct alias_data ad = {
|
---|
1172 | lnk,
|
---|
1173 | &original_address,
|
---|
1174 | &alias_address,
|
---|
1175 | &alias_port,
|
---|
1176 | &ud->uh_sport, /* original source port */
|
---|
1177 | &ud->uh_dport, /* original dest port */
|
---|
1178 | 256 /* maxpacketsize */
|
---|
1179 | };
|
---|
1180 |
|
---|
1181 | \&...
|
---|
1182 |
|
---|
1183 | /* walk out chain */
|
---|
1184 | err = find_handler(IN, UDP, la, pip, &ad);
|
---|
1185 | .Ed
|
---|
1186 | .Pp
|
---|
1187 | All data useful to a module are gathered together in an
|
---|
1188 | .Vt alias_data
|
---|
1189 | structure, then
|
---|
1190 | .Fn find_handler
|
---|
1191 | is called.
|
---|
1192 | The
|
---|
1193 | .Fn find_handler
|
---|
1194 | function is responsible for walking out the handler
|
---|
1195 | chain, it receives as input parameters:
|
---|
1196 | .Bl -tag -width indent
|
---|
1197 | .It Fa IN
|
---|
1198 | direction
|
---|
1199 | .It Fa UDP
|
---|
1200 | working protocol
|
---|
1201 | .It Fa la
|
---|
1202 | pointer to this instance of libalias
|
---|
1203 | .It Fa pip
|
---|
1204 | pointer to a
|
---|
1205 | .Vt "struct ip"
|
---|
1206 | .It Fa ad
|
---|
1207 | pointer to
|
---|
1208 | .Vt "struct alias_data"
|
---|
1209 | (see above)
|
---|
1210 | .El
|
---|
1211 | .Pp
|
---|
1212 | In this case,
|
---|
1213 | .Fn find_handler
|
---|
1214 | will search only for modules registered for
|
---|
1215 | supporting INcoming UDP packets.
|
---|
1216 | .Pp
|
---|
1217 | As was mentioned earlier,
|
---|
1218 | .Nm
|
---|
1219 | in userland is a bit different, cause
|
---|
1220 | care has to be taken of module handling too (avoiding duplicate load of
|
---|
1221 | module, avoiding module with same name, etc.) so
|
---|
1222 | .Va dll_chain
|
---|
1223 | was introduced.
|
---|
1224 | .Pp
|
---|
1225 | .Va dll_chain
|
---|
1226 | contains a list of all userland
|
---|
1227 | .Nm
|
---|
1228 | modules loaded.
|
---|
1229 | .Pp
|
---|
1230 | When an application calls
|
---|
1231 | .Fn LibAliasRefreshModules ,
|
---|
1232 | .Nm
|
---|
1233 | first unloads all the loaded modules, then reloads all the modules listed in
|
---|
1234 | .Pa /etc/libalias.conf :
|
---|
1235 | for every module loaded, a new entry to
|
---|
1236 | .Va dll_chain
|
---|
1237 | is added.
|
---|
1238 | .Pp
|
---|
1239 | .Va dll_chain
|
---|
1240 | is composed of
|
---|
1241 | .Vt "struct dll"
|
---|
1242 | entries:
|
---|
1243 | .Bd -literal
|
---|
1244 | struct dll {
|
---|
1245 | /* name of module */
|
---|
1246 | char name[DLL_LEN];
|
---|
1247 | /*
|
---|
1248 | * ptr to shared obj obtained through
|
---|
1249 | * dlopen() - use this ptr to get access
|
---|
1250 | * to any symbols from a loaded module
|
---|
1251 | * via dlsym()
|
---|
1252 | */
|
---|
1253 | void *handle;
|
---|
1254 | struct dll *next;
|
---|
1255 | };
|
---|
1256 | .Ed
|
---|
1257 | .Bl -inset
|
---|
1258 | .It Va name
|
---|
1259 | is the name of the module
|
---|
1260 | .It Va handle
|
---|
1261 | is a pointer to the module obtained through
|
---|
1262 | .Xr dlopen 3
|
---|
1263 | .El
|
---|
1264 | Whenever a module is loaded in userland, an entry is added to
|
---|
1265 | .Va dll_chain ,
|
---|
1266 | then every protocol handler present in that module
|
---|
1267 | is resolved and registered in
|
---|
1268 | .Va handler_chain .
|
---|
1269 | .Ss HOW TO WRITE A MODULE FOR LIBALIAS
|
---|
1270 | There is a module (called
|
---|
1271 | .Pa alias_dummy.[ch] )
|
---|
1272 | in
|
---|
1273 | .Nm
|
---|
1274 | that can be used as a skeleton for future work, here we analyse some parts of that
|
---|
1275 | module.
|
---|
1276 | From
|
---|
1277 | .Pa alias_dummy.c :
|
---|
1278 | .Bd -literal
|
---|
1279 | struct proto_handler handlers [] = {{666, IN|OUT, UDP|TCP,
|
---|
1280 | &fingerprint, &protohandler}};
|
---|
1281 | .Ed
|
---|
1282 | .Pp
|
---|
1283 | The variable
|
---|
1284 | .Va handlers
|
---|
1285 | is the
|
---|
1286 | .Dq "most important thing"
|
---|
1287 | in a module
|
---|
1288 | cause it describes the handlers present and lets the outside world use
|
---|
1289 | it in an opaque way.
|
---|
1290 | .Pp
|
---|
1291 | It must ALWAYS be present in every module, and it MUST retain
|
---|
1292 | the name
|
---|
1293 | .Va handlers ,
|
---|
1294 | otherwise attempting to load a module in userland will fail and
|
---|
1295 | complain about missing symbols: for more information about module
|
---|
1296 | load/unload, please refer to
|
---|
1297 | .Fn LibAliasRefreshModules ,
|
---|
1298 | .Fn LibAliasLoadModule
|
---|
1299 | and
|
---|
1300 | .Fn LibAliasUnloadModule
|
---|
1301 | in
|
---|
1302 | .Pa alias.c .
|
---|
1303 | .Pp
|
---|
1304 | .Va handlers
|
---|
1305 | contains all the
|
---|
1306 | .Vt proto_handler
|
---|
1307 | structures present in a module.
|
---|
1308 | .Bd -literal
|
---|
1309 | static int
|
---|
1310 | mod_handler(module_t mod, int type, void *data)
|
---|
1311 | {
|
---|
1312 | int error;
|
---|
1313 |
|
---|
1314 | switch (type) {
|
---|
1315 | case MOD_LOAD:
|
---|
1316 | error = 0;
|
---|
1317 | attach_handlers(handlers);
|
---|
1318 | break;
|
---|
1319 | case MOD_UNLOAD:
|
---|
1320 | error = 0;
|
---|
1321 | detach_handlers(handlers;
|
---|
1322 | break;
|
---|
1323 | default:
|
---|
1324 | error = EINVAL;
|
---|
1325 | }
|
---|
1326 | return (error);
|
---|
1327 | }
|
---|
1328 | .Ed
|
---|
1329 | When running as KLD,
|
---|
1330 | .Fn mod_handler
|
---|
1331 | register/deregister the module using
|
---|
1332 | .Fn attach_handlers
|
---|
1333 | and
|
---|
1334 | .Fn detach_handlers ,
|
---|
1335 | respectively.
|
---|
1336 | .Pp
|
---|
1337 | Every module must contain at least 2 functions: one fingerprint
|
---|
1338 | function and a protocol handler function.
|
---|
1339 | .Bd -literal
|
---|
1340 | #ifdef _KERNEL
|
---|
1341 | static
|
---|
1342 | #endif
|
---|
1343 | int
|
---|
1344 | fingerprint(struct libalias *la, struct ip *pip, struct alias_data *ah)
|
---|
1345 | {
|
---|
1346 |
|
---|
1347 | \&...
|
---|
1348 | }
|
---|
1349 |
|
---|
1350 | #ifdef _KERNEL
|
---|
1351 | static
|
---|
1352 | #endif
|
---|
1353 | int
|
---|
1354 | protohandler(struct libalias *la, struct ip *pip,
|
---|
1355 | struct alias_data *ah)
|
---|
1356 | {
|
---|
1357 |
|
---|
1358 | \&...
|
---|
1359 | }
|
---|
1360 | .Ed
|
---|
1361 | and they must accept exactly these input parameters.
|
---|
1362 | .Ss PATCHING AN APPLICATION FOR USERLAND LIBALIAS MODULES
|
---|
1363 | To add module support into an application that uses
|
---|
1364 | .Nm ,
|
---|
1365 | the following simple steps can be followed.
|
---|
1366 | .Bl -enum
|
---|
1367 | .It
|
---|
1368 | Find the main file of an application
|
---|
1369 | (let us call it
|
---|
1370 | .Pa main.c ) .
|
---|
1371 | .It
|
---|
1372 | Add this to the header section of
|
---|
1373 | .Pa main.c ,
|
---|
1374 | if not already present:
|
---|
1375 | .Pp
|
---|
1376 | .Dl "#include <signal.h>"
|
---|
1377 | .Pp
|
---|
1378 | and this just after the header section:
|
---|
1379 | .Pp
|
---|
1380 | .Dl "static void signal_handler(int);"
|
---|
1381 | .It
|
---|
1382 | Add the following line to the init function of an application or,
|
---|
1383 | if it does not have any init function, put it in
|
---|
1384 | .Fn main :
|
---|
1385 | .Pp
|
---|
1386 | .Dl "signal(SIGHUP, signal_handler);"
|
---|
1387 | .Pp
|
---|
1388 | and place the
|
---|
1389 | .Fn signal_handler
|
---|
1390 | function somewhere in
|
---|
1391 | .Pa main.c :
|
---|
1392 | .Bd -literal -offset indent
|
---|
1393 | static void
|
---|
1394 | signal_handler(int sig)
|
---|
1395 | {
|
---|
1396 |
|
---|
1397 | LibAliasRefreshModules();
|
---|
1398 | }
|
---|
1399 | .Ed
|
---|
1400 | .Pp
|
---|
1401 | Otherwise, if an application already traps the
|
---|
1402 | .Dv SIGHUP
|
---|
1403 | signal, just add a call to
|
---|
1404 | .Fn LibAliasRefreshModules
|
---|
1405 | in the signal handler function.
|
---|
1406 | .El
|
---|
1407 | For example, to patch
|
---|
1408 | .Xr natd 8
|
---|
1409 | to use
|
---|
1410 | .Nm
|
---|
1411 | modules, just add the following line to
|
---|
1412 | .Fn RefreshAddr "int sig __unused" :
|
---|
1413 | .Pp
|
---|
1414 | .Dl "LibAliasRefreshModules()"
|
---|
1415 | .Pp
|
---|
1416 | recompile and you are done.
|
---|
1417 | .Ss LOGGING SUPPORT IN KERNEL LAND
|
---|
1418 | When working as KLD,
|
---|
1419 | .Nm
|
---|
1420 | now has log support that
|
---|
1421 | happens on a buffer allocated inside
|
---|
1422 | .Vt "struct libalias"
|
---|
1423 | (from
|
---|
1424 | .Pa alias_local.h ) :
|
---|
1425 | .Bd -literal
|
---|
1426 | struct libalias {
|
---|
1427 | ...
|
---|
1428 |
|
---|
1429 | /* log descriptor */
|
---|
1430 | #ifdef KERNEL_LOG
|
---|
1431 | char *logDesc; /*
|
---|
1432 | * ptr to an auto-malloced
|
---|
1433 | * memory buffer when libalias
|
---|
1434 | * works as kld
|
---|
1435 | */
|
---|
1436 | #else
|
---|
1437 | FILE *logDesc; /*
|
---|
1438 | * ptr to /var/log/alias.log
|
---|
1439 | * when libalias runs as a
|
---|
1440 | * userland lib
|
---|
1441 | */
|
---|
1442 | #endif
|
---|
1443 |
|
---|
1444 | ...
|
---|
1445 | }
|
---|
1446 | .Ed
|
---|
1447 | so all applications using
|
---|
1448 | .Nm
|
---|
1449 | will be able to handle their
|
---|
1450 | own logs, if they want, accessing
|
---|
1451 | .Va logDesc .
|
---|
1452 | Moreover, every change to a log buffer is automatically added to
|
---|
1453 | .Xr syslog 3
|
---|
1454 | with the
|
---|
1455 | .Dv LOG_SECURITY
|
---|
1456 | facility and the
|
---|
1457 | .Dv LOG_INFO
|
---|
1458 | level.
|
---|