2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
33 Alias.c provides supervisory control for the functions of the
34 packet aliasing software. It consists of routines to monitor
35 TCP connection state, protocol-specific aliasing routines,
36 fragment handling and the following outside world functional
37 interfaces: SaveFragmentPtr, GetFragmentPtr, FragmentAliasIn,
38 PacketAliasIn and PacketAliasOut.
40 The other C program files are briefly described. The data
41 structure framework which holds information needed to translate
42 packets is encapsulated in alias_db.c. Data is accessed by
43 function calls, so other segments of the program need not know
44 about the underlying data structures. Alias_ftp.c contains
45 special code for modifying the ftp PORT command used to establish
46 data connections, while alias_irc.c does the same for IRC
47 DCC. Alias_util.c contains a few utility routines.
49 Version 1.0 August, 1996 (cjm)
51 Version 1.1 August 20, 1996 (cjm)
52 PPP host accepts incoming connections for ports 0 to 1023.
53 (Gary Roberts pointed out the need to handle incoming
56 Version 1.2 September 7, 1996 (cjm)
57 Fragment handling error in alias_db.c corrected.
58 (Tom Torrance helped fix this problem.)
60 Version 1.4 September 16, 1996 (cjm)
61 - A more generalized method for handling incoming
62 connections, without the 0-1023 restriction, is
63 implemented in alias_db.c
64 - Improved ICMP support in alias.c. Traceroute
65 packet streams can now be correctly aliased.
66 - TCP connection closing logic simplified in
67 alias.c and now allows for additional 1 minute
68 "grace period" after FIN or RST is observed.
70 Version 1.5 September 17, 1996 (cjm)
71 Corrected error in handling incoming UDP packets with 0 checksum.
72 (Tom Torrance helped fix this problem.)
74 Version 1.6 September 18, 1996 (cjm)
75 Simplified ICMP aliasing scheme. Should now support
76 traceroute from Win95 as well as FreeBSD.
78 Version 1.7 January 9, 1997 (cjm)
79 - Out-of-order fragment handling.
80 - IP checksum error fixed for ftp transfers
82 - Integer return codes added to all
83 aliasing/de-aliasing functions.
84 - Some obsolete comments cleaned up.
85 - Differential checksum computations for
86 IP header (TCP, UDP and ICMP were already
89 Version 2.1 May 1997 (cjm)
90 - Added support for outgoing ICMP error
92 - Added two functions PacketAliasIn2()
93 and PacketAliasOut2() for dynamic address
94 control (e.g. round-robin allocation of
97 Version 2.2 July 1997 (cjm)
98 - Rationalized API function names to begin
100 - Eliminated PacketAliasIn2() and
101 PacketAliasOut2() as poorly conceived.
103 Version 2.3 Dec 1998 (dillon)
104 - Major bounds checking additions, see FreeBSD/CVS
106 Version 3.1 May, 2000 (salander)
107 - Added hooks to handle PPTP.
109 Version 3.2 July, 2000 (salander and satoh)
110 - Added PacketUnaliasOut routine.
111 - Added hooks to handle RTSP/RTP.
113 See HISTORY file for additional revisions.
117 #include <sys/param.h>
118 #include <sys/systm.h>
119 #include <sys/mbuf.h>
120 #include <sys/sysctl.h>
122 #include <sys/types.h>
131 #include <netinet/in_systm.h>
132 #include <netinet/in.h>
133 #include <netinet/ip.h>
134 #include <netinet/ip_icmp.h>
135 #include <netinet/tcp.h>
136 #include <netinet/udp.h>
139 #include <netinet/libalias/alias.h>
140 #include <netinet/libalias/alias_local.h>
141 #include <netinet/libalias/alias_mod.h>
145 #include "alias_local.h"
146 #include "alias_mod.h"
150 * Define libalias SYSCTL Node
154 SYSCTL_DECL(_net_inet);
155 SYSCTL_DECL(_net_inet_ip);
156 SYSCTL_NODE(_net_inet_ip, OID_AUTO, alias, CTLFLAG_RW, NULL, "Libalias sysctl API");
165 #if BYTE_ORDER == LITTLE_ENDIAN
166 uint16_t s1 = ((uint16_t)c[1] << 8) + (uint16_t)c[0];
167 uint16_t s2 = ((uint16_t)c[3] << 8) + (uint16_t)c[2];
169 uint16_t s1 = ((uint16_t)c[0] << 8) + (uint16_t)c[1];
170 uint16_t s2 = ((uint16_t)c[2] << 8) + (uint16_t)c[3];
175 /* TCP Handling Routines
177 TcpMonitorIn() -- These routines monitor TCP connections, and
178 TcpMonitorOut() delete a link when a connection is closed.
180 These routines look for SYN, FIN and RST flags to determine when TCP
181 connections open and close. When a TCP connection closes, the data
182 structure containing packet aliasing information is deleted after
186 /* Local prototypes */
187 static void TcpMonitorIn(u_char, struct alias_link *);
189 static void TcpMonitorOut(u_char, struct alias_link *);
192 TcpMonitorIn(u_char th_flags, struct alias_link *lnk)
194 switch (GetStateIn(lnk)) {
195 case ALIAS_TCP_STATE_NOT_CONNECTED:
196 if (th_flags & TH_RST)
197 SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED);
198 else if (th_flags & TH_SYN)
199 SetStateIn(lnk, ALIAS_TCP_STATE_CONNECTED);
201 case ALIAS_TCP_STATE_CONNECTED:
202 if (th_flags & (TH_FIN | TH_RST))
203 SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED);
209 TcpMonitorOut(u_char th_flags, struct alias_link *lnk)
211 switch (GetStateOut(lnk)) {
212 case ALIAS_TCP_STATE_NOT_CONNECTED:
213 if (th_flags & TH_RST)
214 SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED);
215 else if (th_flags & TH_SYN)
216 SetStateOut(lnk, ALIAS_TCP_STATE_CONNECTED);
218 case ALIAS_TCP_STATE_CONNECTED:
219 if (th_flags & (TH_FIN | TH_RST))
220 SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED);
225 /* Protocol Specific Packet Aliasing Routines
227 IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2()
228 IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2()
229 ProtoAliasIn(), ProtoAliasOut()
230 UdpAliasIn(), UdpAliasOut()
231 TcpAliasIn(), TcpAliasOut()
233 These routines handle protocol specific details of packet aliasing.
234 One may observe a certain amount of repetitive arithmetic in these
235 functions, the purpose of which is to compute a revised checksum
236 without actually summing over the entire data packet, which could be
237 unnecessarily time consuming.
239 The purpose of the packet aliasing routines is to replace the source
240 address of the outgoing packet and then correctly put it back for
241 any incoming packets. For TCP and UDP, ports are also re-mapped.
243 For ICMP echo/timestamp requests and replies, the following scheme
244 is used: the ID number is replaced by an alias for the outgoing
247 ICMP error messages are handled by looking at the IP fragment
248 in the data section of the message.
250 For TCP and UDP protocols, a port number is chosen for an outgoing
251 packet, and then incoming packets are identified by IP address and
252 port numbers. For TCP packets, there is additional logic in the event
253 that sequence and ACK numbers have been altered (as in the case for
254 FTP data port commands).
256 The port numbers used by the packet aliasing module are not true
257 ports in the Unix sense. No sockets are actually bound to ports.
258 They are more correctly thought of as placeholders.
260 All packets go through the aliasing mechanism, whether they come from
261 the gateway machine or other machines on a local area network.
264 /* Local prototypes */
265 static int IcmpAliasIn1(struct libalias *, struct ip *);
266 static int IcmpAliasIn2(struct libalias *, struct ip *);
267 static int IcmpAliasIn(struct libalias *, struct ip *);
269 static int IcmpAliasOut1(struct libalias *, struct ip *, int create);
270 static int IcmpAliasOut2(struct libalias *, struct ip *);
271 static int IcmpAliasOut(struct libalias *, struct ip *, int create);
273 static int ProtoAliasIn(struct libalias *la, struct in_addr ip_src,
274 struct ip *pip, u_char ip_p, u_short *ip_sum);
275 static int ProtoAliasOut(struct libalias *la, struct ip *pip,
276 struct in_addr ip_dst, u_char ip_p, u_short *ip_sum,
279 static int UdpAliasIn(struct libalias *, struct ip *);
280 static int UdpAliasOut(struct libalias *, struct ip *, int, int create);
282 static int TcpAliasIn(struct libalias *, struct ip *);
283 static int TcpAliasOut(struct libalias *, struct ip *, int, int create);
286 De-alias incoming echo and timestamp replies.
287 Alias incoming echo and timestamp requests.
290 IcmpAliasIn1(struct libalias *la, struct ip *pip)
292 struct alias_link *lnk;
295 LIBALIAS_LOCK_ASSERT(la);
296 ic = (struct icmp *)ip_next(pip);
298 /* Get source address from ICMP data field and restore original data */
299 lnk = FindIcmpIn(la, pip->ip_src, pip->ip_dst, ic->icmp_id, 1);
304 original_id = GetOriginalPort(lnk);
306 /* Adjust ICMP checksum */
307 accumulate = ic->icmp_id;
308 accumulate -= original_id;
309 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
311 /* Put original sequence number back in */
312 ic->icmp_id = original_id;
314 /* Put original address back into IP header */
316 struct in_addr original_address;
318 original_address = GetOriginalAddress(lnk);
319 DifferentialChecksum(&pip->ip_sum,
320 &original_address, &pip->ip_dst, 2);
321 pip->ip_dst = original_address;
324 return (PKT_ALIAS_OK);
326 return (PKT_ALIAS_IGNORED);
330 Alias incoming ICMP error messages containing
331 IP header and first 64 bits of datagram.
334 IcmpAliasIn2(struct libalias *la, struct ip *pip)
337 struct icmp *ic, *ic2;
340 struct alias_link *lnk;
342 LIBALIAS_LOCK_ASSERT(la);
343 ic = (struct icmp *)ip_next(pip);
346 ud = (struct udphdr *)ip_next(ip);
347 tc = (struct tcphdr *)ip_next(ip);
348 ic2 = (struct icmp *)ip_next(ip);
350 if (ip->ip_p == IPPROTO_UDP)
351 lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src,
352 ud->uh_dport, ud->uh_sport,
354 else if (ip->ip_p == IPPROTO_TCP)
355 lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src,
356 tc->th_dport, tc->th_sport,
358 else if (ip->ip_p == IPPROTO_ICMP) {
359 if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP)
360 lnk = FindIcmpIn(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0);
367 if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) {
368 int accumulate, accumulate2;
369 struct in_addr original_address;
370 u_short original_port;
372 original_address = GetOriginalAddress(lnk);
373 original_port = GetOriginalPort(lnk);
375 /* Adjust ICMP checksum */
376 accumulate = twowords(&ip->ip_src);
377 accumulate -= twowords(&original_address);
378 accumulate += ud->uh_sport;
379 accumulate -= original_port;
380 accumulate2 = accumulate;
381 accumulate2 += ip->ip_sum;
382 ADJUST_CHECKSUM(accumulate, ip->ip_sum);
383 accumulate2 -= ip->ip_sum;
384 ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum);
386 /* Un-alias address in IP header */
387 DifferentialChecksum(&pip->ip_sum,
388 &original_address, &pip->ip_dst, 2);
389 pip->ip_dst = original_address;
391 /* Un-alias address and port number of
392 * original IP packet fragment contained
393 * in ICMP data section */
394 ip->ip_src = original_address;
395 ud->uh_sport = original_port;
396 } else if (ip->ip_p == IPPROTO_ICMP) {
397 int accumulate, accumulate2;
398 struct in_addr original_address;
401 original_address = GetOriginalAddress(lnk);
402 original_id = GetOriginalPort(lnk);
404 /* Adjust ICMP checksum */
405 accumulate = twowords(&ip->ip_src);
406 accumulate -= twowords(&original_address);
407 accumulate += ic2->icmp_id;
408 accumulate -= original_id;
409 accumulate2 = accumulate;
410 accumulate2 += ip->ip_sum;
411 ADJUST_CHECKSUM(accumulate, ip->ip_sum);
412 accumulate2 -= ip->ip_sum;
413 ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum);
415 /* Un-alias address in IP header */
416 DifferentialChecksum(&pip->ip_sum,
417 &original_address, &pip->ip_dst, 2);
418 pip->ip_dst = original_address;
420 /* Un-alias address of original IP packet and
421 * sequence number of embedded ICMP datagram */
422 ip->ip_src = original_address;
423 ic2->icmp_id = original_id;
425 return (PKT_ALIAS_OK);
427 return (PKT_ALIAS_IGNORED);
431 IcmpAliasIn(struct libalias *la, struct ip *pip)
437 LIBALIAS_LOCK_ASSERT(la);
439 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
440 if (dlen < ICMP_MINLEN)
441 return (PKT_ALIAS_IGNORED);
443 /* Return if proxy-only mode is enabled */
444 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
445 return (PKT_ALIAS_OK);
447 ic = (struct icmp *)ip_next(pip);
449 iresult = PKT_ALIAS_IGNORED;
450 switch (ic->icmp_type) {
452 case ICMP_TSTAMPREPLY:
453 if (ic->icmp_code == 0) {
454 iresult = IcmpAliasIn1(la, pip);
458 case ICMP_SOURCEQUENCH:
461 if (dlen < ICMP_ADVLENMIN ||
462 dlen < (size_t)ICMP_ADVLEN(ic))
463 return (PKT_ALIAS_IGNORED);
464 iresult = IcmpAliasIn2(la, pip);
468 iresult = IcmpAliasIn1(la, pip);
475 Alias outgoing echo and timestamp requests.
476 De-alias outgoing echo and timestamp replies.
479 IcmpAliasOut1(struct libalias *la, struct ip *pip, int create)
481 struct alias_link *lnk;
484 LIBALIAS_LOCK_ASSERT(la);
485 ic = (struct icmp *)ip_next(pip);
487 /* Save overwritten data for when echo packet returns */
488 lnk = FindIcmpOut(la, pip->ip_src, pip->ip_dst, ic->icmp_id, create);
493 alias_id = GetAliasPort(lnk);
495 /* Since data field is being modified, adjust ICMP checksum */
496 accumulate = ic->icmp_id;
497 accumulate -= alias_id;
498 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
500 /* Alias sequence number */
501 ic->icmp_id = alias_id;
503 /* Change source address */
505 struct in_addr alias_address;
507 alias_address = GetAliasAddress(lnk);
508 DifferentialChecksum(&pip->ip_sum,
509 &alias_address, &pip->ip_src, 2);
510 pip->ip_src = alias_address;
513 return (PKT_ALIAS_OK);
515 return (PKT_ALIAS_IGNORED);
519 Alias outgoing ICMP error messages containing
520 IP header and first 64 bits of datagram.
523 IcmpAliasOut2(struct libalias *la, struct ip *pip)
526 struct icmp *ic, *ic2;
529 struct alias_link *lnk;
531 LIBALIAS_LOCK_ASSERT(la);
532 ic = (struct icmp *)ip_next(pip);
535 ud = (struct udphdr *)ip_next(ip);
536 tc = (struct tcphdr *)ip_next(ip);
537 ic2 = (struct icmp *)ip_next(ip);
539 if (ip->ip_p == IPPROTO_UDP)
540 lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src,
541 ud->uh_dport, ud->uh_sport,
543 else if (ip->ip_p == IPPROTO_TCP)
544 lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src,
545 tc->th_dport, tc->th_sport,
547 else if (ip->ip_p == IPPROTO_ICMP) {
548 if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP)
549 lnk = FindIcmpOut(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0);
556 if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) {
558 struct in_addr alias_address;
561 alias_address = GetAliasAddress(lnk);
562 alias_port = GetAliasPort(lnk);
564 /* Adjust ICMP checksum */
565 accumulate = twowords(&ip->ip_dst);
566 accumulate -= twowords(&alias_address);
567 accumulate += ud->uh_dport;
568 accumulate -= alias_port;
569 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
572 * Alias address in IP header if it comes from the host
573 * the original TCP/UDP packet was destined for.
575 if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
576 DifferentialChecksum(&pip->ip_sum,
577 &alias_address, &pip->ip_src, 2);
578 pip->ip_src = alias_address;
580 /* Alias address and port number of original IP packet
581 * fragment contained in ICMP data section */
582 ip->ip_dst = alias_address;
583 ud->uh_dport = alias_port;
584 } else if (ip->ip_p == IPPROTO_ICMP) {
586 struct in_addr alias_address;
589 alias_address = GetAliasAddress(lnk);
590 alias_id = GetAliasPort(lnk);
592 /* Adjust ICMP checksum */
593 accumulate = twowords(&ip->ip_dst);
594 accumulate -= twowords(&alias_address);
595 accumulate += ic2->icmp_id;
596 accumulate -= alias_id;
597 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
600 * Alias address in IP header if it comes from the host
601 * the original ICMP message was destined for.
603 if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
604 DifferentialChecksum(&pip->ip_sum,
605 &alias_address, &pip->ip_src, 2);
606 pip->ip_src = alias_address;
608 /* Alias address of original IP packet and
609 * sequence number of embedded ICMP datagram */
610 ip->ip_dst = alias_address;
611 ic2->icmp_id = alias_id;
613 return (PKT_ALIAS_OK);
615 return (PKT_ALIAS_IGNORED);
619 IcmpAliasOut(struct libalias *la, struct ip *pip, int create)
624 LIBALIAS_LOCK_ASSERT(la);
627 /* Return if proxy-only mode is enabled */
628 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
629 return (PKT_ALIAS_OK);
631 ic = (struct icmp *)ip_next(pip);
633 iresult = PKT_ALIAS_IGNORED;
634 switch (ic->icmp_type) {
637 if (ic->icmp_code == 0) {
638 iresult = IcmpAliasOut1(la, pip, create);
642 case ICMP_SOURCEQUENCH:
645 iresult = IcmpAliasOut2(la, pip);
648 case ICMP_TSTAMPREPLY:
649 iresult = IcmpAliasOut1(la, pip, create);
655 Handle incoming IP packets. The
656 only thing which is done in this case is to alias
657 the dest IP address of the packet to our inside
661 ProtoAliasIn(struct libalias *la, struct in_addr ip_src,
662 struct ip *pip, u_char ip_p, u_short *ip_sum)
664 struct alias_link *lnk;
666 LIBALIAS_LOCK_ASSERT(la);
667 /* Return if proxy-only mode is enabled */
668 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
669 return (PKT_ALIAS_OK);
671 lnk = FindProtoIn(la, ip_src, pip->ip_dst, ip_p);
673 struct in_addr original_address;
675 original_address = GetOriginalAddress(lnk);
677 /* Restore original IP address */
678 DifferentialChecksum(ip_sum,
679 &original_address, &pip->ip_dst, 2);
680 pip->ip_dst = original_address;
682 return (PKT_ALIAS_OK);
684 return (PKT_ALIAS_IGNORED);
688 Handle outgoing IP packets. The
689 only thing which is done in this case is to alias
690 the source IP address of the packet.
693 ProtoAliasOut(struct libalias *la, struct ip *pip,
694 struct in_addr ip_dst, u_char ip_p, u_short *ip_sum, int create)
696 struct alias_link *lnk;
698 LIBALIAS_LOCK_ASSERT(la);
700 /* Return if proxy-only mode is enabled */
701 if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
702 return (PKT_ALIAS_OK);
705 return (PKT_ALIAS_IGNORED);
707 lnk = FindProtoOut(la, pip->ip_src, ip_dst, ip_p);
709 struct in_addr alias_address;
711 alias_address = GetAliasAddress(lnk);
713 /* Change source address */
714 DifferentialChecksum(ip_sum,
715 &alias_address, &pip->ip_src, 2);
716 pip->ip_src = alias_address;
718 return (PKT_ALIAS_OK);
720 return (PKT_ALIAS_IGNORED);
723 #define MF_ISSET(_pip) (ntohs((_pip)->ip_off) & IP_MF)
724 #define FRAG_NO_HDR(_pip) (ntohs((_pip)->ip_off) & IP_OFFMASK)
726 static struct udphdr *
727 ValidateUdpLength(struct ip *pip)
733 KASSERT(!FRAG_NO_HDR(pip), ("header-less fragment isn't expected here"));
735 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
736 if (dlen < sizeof(struct udphdr))
738 ud = (struct udphdr *)ip_next(pip);
739 if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen))
745 UdpAliasIn(struct libalias *la, struct ip *pip)
748 struct alias_link *lnk;
750 LIBALIAS_LOCK_ASSERT(la);
752 ud = ValidateUdpLength(pip);
754 return (PKT_ALIAS_IGNORED);
756 lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst,
757 ud->uh_sport, ud->uh_dport,
758 IPPROTO_UDP, !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY));
760 struct in_addr alias_address;
761 struct in_addr original_address;
762 struct in_addr proxy_address;
767 struct alias_data ad = {
769 .oaddr = &original_address,
770 .aaddr = &alias_address,
771 .aport = &alias_port,
772 .sport = &ud->uh_sport,
773 .dport = &ud->uh_dport,
777 alias_address = GetAliasAddress(lnk);
778 original_address = GetOriginalAddress(lnk);
779 proxy_address = GetProxyAddress(lnk);
780 alias_port = ud->uh_dport;
781 ud->uh_dport = GetOriginalPort(lnk);
782 proxy_port = GetProxyPort(lnk);
784 /* Walk out chain. */
785 error = find_handler(IN, UDP, la, pip, &ad);
786 /* If we cannot figure out the packet, ignore it. */
788 return (PKT_ALIAS_IGNORED);
790 /* If UDP checksum is not zero, then adjust since
791 * destination port is being unaliased and
792 * destination address is being altered. */
793 if (ud->uh_sum != 0) {
794 accumulate = alias_port;
795 accumulate -= ud->uh_dport;
796 accumulate += twowords(&alias_address);
797 accumulate -= twowords(&original_address);
799 /* If this is a proxy packet, modify checksum
800 * because of source change.*/
801 if (proxy_port != 0) {
802 accumulate += ud->uh_sport;
803 accumulate -= proxy_port;
806 if (proxy_address.s_addr != 0) {
807 accumulate += twowords(&pip->ip_src);
808 accumulate -= twowords(&proxy_address);
811 ADJUST_CHECKSUM(accumulate, ud->uh_sum);
814 /* XXX: Could the two if's below be concatenated to one ? */
815 /* Restore source port and/or address in case of proxying*/
817 ud->uh_sport = proxy_port;
819 if (proxy_address.s_addr != 0) {
820 DifferentialChecksum(&pip->ip_sum,
821 &proxy_address, &pip->ip_src, 2);
822 pip->ip_src = proxy_address;
825 /* Restore original IP address */
826 DifferentialChecksum(&pip->ip_sum,
827 &original_address, &pip->ip_dst, 2);
828 pip->ip_dst = original_address;
830 return (PKT_ALIAS_OK);
832 return (PKT_ALIAS_IGNORED);
836 UdpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create)
839 struct alias_link *lnk;
840 struct in_addr dest_address;
841 struct in_addr proxy_server_address;
843 u_short proxy_server_port;
847 LIBALIAS_LOCK_ASSERT(la);
849 ud = ValidateUdpLength(pip);
851 return (PKT_ALIAS_IGNORED);
853 /* Return if proxy-only mode is enabled and not proxyrule found.*/
854 proxy_type = ProxyCheck(la, &proxy_server_address, &proxy_server_port,
855 pip->ip_src, pip->ip_dst, ud->uh_dport, pip->ip_p);
856 if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY))
857 return (PKT_ALIAS_OK);
859 /* If this is a transparent proxy, save original destination,
860 * then alter the destination and adjust checksums */
861 dest_port = ud->uh_dport;
862 dest_address = pip->ip_dst;
864 if (proxy_type != 0) {
867 accumulate = twowords(&pip->ip_dst);
868 accumulate -= twowords(&proxy_server_address);
870 ADJUST_CHECKSUM(accumulate, pip->ip_sum);
872 if (ud->uh_sum != 0) {
873 accumulate = twowords(&pip->ip_dst);
874 accumulate -= twowords(&proxy_server_address);
875 accumulate += ud->uh_dport;
876 accumulate -= proxy_server_port;
877 ADJUST_CHECKSUM(accumulate, ud->uh_sum);
879 pip->ip_dst = proxy_server_address;
880 ud->uh_dport = proxy_server_port;
882 lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst,
883 ud->uh_sport, ud->uh_dport,
884 IPPROTO_UDP, create);
887 struct in_addr alias_address;
888 struct alias_data ad = {
891 .aaddr = &alias_address,
892 .aport = &alias_port,
893 .sport = &ud->uh_sport,
894 .dport = &ud->uh_dport,
898 /* Save original destination address, if this is a proxy packet.
899 * Also modify packet to include destination encoding. This may
900 * change the size of IP header. */
901 if (proxy_type != 0) {
902 SetProxyPort(lnk, dest_port);
903 SetProxyAddress(lnk, dest_address);
904 ProxyModify(la, lnk, pip, maxpacketsize, proxy_type);
905 ud = (struct udphdr *)ip_next(pip);
908 alias_address = GetAliasAddress(lnk);
909 alias_port = GetAliasPort(lnk);
911 /* Walk out chain. */
912 error = find_handler(OUT, UDP, la, pip, &ad);
914 /* If UDP checksum is not zero, adjust since source port is */
915 /* being aliased and source address is being altered */
916 if (ud->uh_sum != 0) {
919 accumulate = ud->uh_sport;
920 accumulate -= alias_port;
921 accumulate += twowords(&pip->ip_src);
922 accumulate -= twowords(&alias_address);
923 ADJUST_CHECKSUM(accumulate, ud->uh_sum);
925 /* Put alias port in UDP header */
926 ud->uh_sport = alias_port;
928 /* Change source address */
929 DifferentialChecksum(&pip->ip_sum,
930 &alias_address, &pip->ip_src, 2);
931 pip->ip_src = alias_address;
933 return (PKT_ALIAS_OK);
935 return (PKT_ALIAS_IGNORED);
939 TcpAliasIn(struct libalias *la, struct ip *pip)
942 struct alias_link *lnk;
945 LIBALIAS_LOCK_ASSERT(la);
947 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
948 if (dlen < sizeof(struct tcphdr))
949 return (PKT_ALIAS_IGNORED);
950 tc = (struct tcphdr *)ip_next(pip);
952 lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst,
953 tc->th_sport, tc->th_dport,
955 !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY));
957 struct in_addr alias_address;
958 struct in_addr original_address;
959 struct in_addr proxy_address;
962 int accumulate, error;
965 * The init of MANY vars is a bit below, but aliashandlepptpin
966 * seems to need the destination port that came within the
967 * packet and not the original one looks below [*].
970 struct alias_data ad = {
975 .sport = &tc->th_sport,
976 .dport = &tc->th_dport,
980 /* Walk out chain. */
981 error = find_handler(IN, TCP, la, pip, &ad);
983 alias_address = GetAliasAddress(lnk);
984 original_address = GetOriginalAddress(lnk);
985 proxy_address = GetProxyAddress(lnk);
986 alias_port = tc->th_dport;
987 tc->th_dport = GetOriginalPort(lnk);
988 proxy_port = GetProxyPort(lnk);
991 * Look above, if anyone is going to add find_handler AFTER
992 * this aliashandlepptpin/point, please redo alias_data too.
993 * Uncommenting the piece here below should be enough.
996 struct alias_data ad = {
998 .oaddr = &original_address,
999 .aaddr = &alias_address,
1000 .aport = &alias_port,
1001 .sport = &ud->uh_sport,
1002 .dport = &ud->uh_dport,
1006 /* Walk out chain. */
1007 error = find_handler(la, pip, &ad);
1008 if (error == EHDNOF)
1009 printf("Protocol handler not found\n");
1012 /* Adjust TCP checksum since destination port is being
1013 * unaliased and destination port is being altered. */
1014 accumulate = alias_port;
1015 accumulate -= tc->th_dport;
1016 accumulate += twowords(&alias_address);
1017 accumulate -= twowords(&original_address);
1019 /* If this is a proxy, then modify the TCP source port
1020 * and checksum accumulation */
1021 if (proxy_port != 0) {
1022 accumulate += tc->th_sport;
1023 tc->th_sport = proxy_port;
1024 accumulate -= tc->th_sport;
1025 accumulate += twowords(&pip->ip_src);
1026 accumulate -= twowords(&proxy_address);
1028 /* See if ACK number needs to be modified */
1029 if (GetAckModified(lnk) == 1) {
1032 tc = (struct tcphdr *)ip_next(pip);
1033 delta = GetDeltaAckIn(tc->th_ack, lnk);
1035 accumulate += twowords(&tc->th_ack);
1036 tc->th_ack = htonl(ntohl(tc->th_ack) - delta);
1037 accumulate -= twowords(&tc->th_ack);
1040 ADJUST_CHECKSUM(accumulate, tc->th_sum);
1042 /* Restore original IP address */
1043 accumulate = twowords(&pip->ip_dst);
1044 pip->ip_dst = original_address;
1045 accumulate -= twowords(&pip->ip_dst);
1047 /* If this is a transparent proxy packet,
1048 * then modify the source address */
1049 if (proxy_address.s_addr != 0) {
1050 accumulate += twowords(&pip->ip_src);
1051 pip->ip_src = proxy_address;
1052 accumulate -= twowords(&pip->ip_src);
1054 ADJUST_CHECKSUM(accumulate, pip->ip_sum);
1056 /* Monitor TCP connection state */
1057 tc = (struct tcphdr *)ip_next(pip);
1058 TcpMonitorIn(tc->th_flags, lnk);
1060 return (PKT_ALIAS_OK);
1062 return (PKT_ALIAS_IGNORED);
1066 TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create)
1068 int proxy_type, error;
1070 u_short proxy_server_port;
1072 struct in_addr dest_address;
1073 struct in_addr proxy_server_address;
1075 struct alias_link *lnk;
1077 LIBALIAS_LOCK_ASSERT(la);
1079 dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
1080 if (dlen < sizeof(struct tcphdr))
1081 return (PKT_ALIAS_IGNORED);
1082 tc = (struct tcphdr *)ip_next(pip);
1085 proxy_type = ProxyCheck(la, &proxy_server_address,
1086 &proxy_server_port, pip->ip_src, pip->ip_dst,
1087 tc->th_dport, pip->ip_p);
1091 if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY))
1092 return (PKT_ALIAS_OK);
1094 /* If this is a transparent proxy, save original destination,
1095 * then alter the destination and adjust checksums */
1096 dest_port = tc->th_dport;
1097 dest_address = pip->ip_dst;
1098 if (proxy_type != 0) {
1101 accumulate = tc->th_dport;
1102 tc->th_dport = proxy_server_port;
1103 accumulate -= tc->th_dport;
1104 accumulate += twowords(&pip->ip_dst);
1105 accumulate -= twowords(&proxy_server_address);
1106 ADJUST_CHECKSUM(accumulate, tc->th_sum);
1108 accumulate = twowords(&pip->ip_dst);
1109 pip->ip_dst = proxy_server_address;
1110 accumulate -= twowords(&pip->ip_dst);
1111 ADJUST_CHECKSUM(accumulate, pip->ip_sum);
1113 lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst,
1114 tc->th_sport, tc->th_dport,
1115 IPPROTO_TCP, create);
1117 return (PKT_ALIAS_IGNORED);
1120 struct in_addr alias_address;
1122 struct alias_data ad = {
1125 .aaddr = &alias_address,
1126 .aport = &alias_port,
1127 .sport = &tc->th_sport,
1128 .dport = &tc->th_dport,
1129 .maxpktsize = maxpacketsize
1132 /* Save original destination address, if this is a proxy packet.
1133 * Also modify packet to include destination
1134 * encoding. This may change the size of IP header. */
1135 if (proxy_type != 0) {
1136 SetProxyPort(lnk, dest_port);
1137 SetProxyAddress(lnk, dest_address);
1138 ProxyModify(la, lnk, pip, maxpacketsize, proxy_type);
1139 tc = (struct tcphdr *)ip_next(pip);
1141 /* Get alias address and port */
1142 alias_port = GetAliasPort(lnk);
1143 alias_address = GetAliasAddress(lnk);
1145 /* Monitor TCP connection state */
1146 tc = (struct tcphdr *)ip_next(pip);
1147 TcpMonitorOut(tc->th_flags, lnk);
1149 /* Walk out chain. */
1150 error = find_handler(OUT, TCP, la, pip, &ad);
1152 /* Adjust TCP checksum since source port is being aliased
1153 * and source address is being altered */
1154 accumulate = tc->th_sport;
1155 tc->th_sport = alias_port;
1156 accumulate -= tc->th_sport;
1157 accumulate += twowords(&pip->ip_src);
1158 accumulate -= twowords(&alias_address);
1160 /* Modify sequence number if necessary */
1161 if (GetAckModified(lnk) == 1) {
1164 tc = (struct tcphdr *)ip_next(pip);
1165 delta = GetDeltaSeqOut(tc->th_seq, lnk);
1167 accumulate += twowords(&tc->th_seq);
1168 tc->th_seq = htonl(ntohl(tc->th_seq) + delta);
1169 accumulate -= twowords(&tc->th_seq);
1172 ADJUST_CHECKSUM(accumulate, tc->th_sum);
1174 /* Change source address */
1175 accumulate = twowords(&pip->ip_src);
1176 pip->ip_src = alias_address;
1177 accumulate -= twowords(&pip->ip_src);
1178 ADJUST_CHECKSUM(accumulate, pip->ip_sum);
1180 return (PKT_ALIAS_OK);
1182 return (PKT_ALIAS_IGNORED);
1185 /* Fragment Handling
1190 The packet aliasing module has a limited ability for handling IP
1191 fragments. If the ICMP, TCP or UDP header is in the first fragment
1192 received, then the ID number of the IP packet is saved, and other
1193 fragments are identified according to their ID number and IP address
1194 they were sent from. Pointers to unresolved fragments can also be
1195 saved and recalled when a header fragment is seen.
1198 /* Local prototypes */
1199 static int FragmentIn(struct libalias *la, struct in_addr ip_src,
1200 struct ip *pip, u_short ip_id, u_short *ip_sum);
1201 static int FragmentOut(struct libalias *, struct ip *pip,
1205 FragmentIn(struct libalias *la, struct in_addr ip_src, struct ip *pip,
1206 u_short ip_id, u_short *ip_sum)
1208 struct alias_link *lnk;
1210 LIBALIAS_LOCK_ASSERT(la);
1211 lnk = FindFragmentIn2(la, ip_src, pip->ip_dst, ip_id);
1213 struct in_addr original_address;
1215 GetFragmentAddr(lnk, &original_address);
1216 DifferentialChecksum(ip_sum,
1217 &original_address, &pip->ip_dst, 2);
1218 pip->ip_dst = original_address;
1220 return (PKT_ALIAS_OK);
1222 return (PKT_ALIAS_UNRESOLVED_FRAGMENT);
1226 FragmentOut(struct libalias *la, struct ip *pip, u_short *ip_sum)
1228 struct in_addr alias_address;
1230 LIBALIAS_LOCK_ASSERT(la);
1231 alias_address = FindAliasAddress(la, pip->ip_src);
1232 DifferentialChecksum(ip_sum,
1233 &alias_address, &pip->ip_src, 2);
1234 pip->ip_src = alias_address;
1236 return (PKT_ALIAS_OK);
1239 /* Outside World Access
1241 PacketAliasSaveFragment()
1242 PacketAliasGetFragment()
1243 PacketAliasFragmentIn()
1248 (prototypes in alias.h)
1252 LibAliasSaveFragment(struct libalias *la, void *ptr)
1255 struct alias_link *lnk;
1259 pip = (struct ip *)ptr;
1260 lnk = AddFragmentPtrLink(la, pip->ip_src, pip->ip_id);
1261 iresult = PKT_ALIAS_ERROR;
1263 SetFragmentPtr(lnk, ptr);
1264 iresult = PKT_ALIAS_OK;
1266 LIBALIAS_UNLOCK(la);
1271 LibAliasGetFragment(struct libalias *la, void *ptr)
1273 struct alias_link *lnk;
1278 pip = (struct ip *)ptr;
1279 lnk = FindFragmentPtr(la, pip->ip_src, pip->ip_id);
1281 GetFragmentPtr(lnk, &fptr);
1282 SetFragmentPtr(lnk, NULL);
1283 SetExpire(lnk, 0); /* Deletes link */
1287 LIBALIAS_UNLOCK(la);
1292 LibAliasFragmentIn(struct libalias *la,
1293 void *ptr, /* Points to correctly de-aliased header fragment */
1294 void *ptr_fragment /* fragment which must be de-aliased */
1302 pip = (struct ip *)ptr;
1303 fpip = (struct ip *)ptr_fragment;
1305 DifferentialChecksum(&fpip->ip_sum,
1306 &pip->ip_dst, &fpip->ip_dst, 2);
1307 fpip->ip_dst = pip->ip_dst;
1308 LIBALIAS_UNLOCK(la);
1311 /* Local prototypes */
1313 LibAliasOutLocked(struct libalias *la, struct ip *pip,
1314 int maxpacketsize, int create);
1316 LibAliasInLocked(struct libalias *la, struct ip *pip,
1320 LibAliasIn(struct libalias *la, void *ptr, int maxpacketsize)
1325 res = LibAliasInLocked(la, (struct ip *)ptr, maxpacketsize);
1326 LIBALIAS_UNLOCK(la);
1331 LibAliasInLocked(struct libalias *la, struct ip *pip, int maxpacketsize)
1333 struct in_addr alias_addr;
1336 if (la->packetAliasMode & PKT_ALIAS_REVERSE) {
1337 la->packetAliasMode &= ~PKT_ALIAS_REVERSE;
1338 iresult = LibAliasOutLocked(la, pip, maxpacketsize, 1);
1339 la->packetAliasMode |= PKT_ALIAS_REVERSE;
1343 alias_addr = pip->ip_dst;
1345 /* Defense against mangled packets */
1346 if (ntohs(pip->ip_len) > maxpacketsize
1347 || (pip->ip_hl << 2) > maxpacketsize) {
1348 iresult = PKT_ALIAS_IGNORED;
1352 if (FRAG_NO_HDR(pip)) {
1353 iresult = FragmentIn(la, pip->ip_src, pip, pip->ip_id,
1358 iresult = PKT_ALIAS_IGNORED;
1359 switch (pip->ip_p) {
1361 iresult = IcmpAliasIn(la, pip);
1364 iresult = UdpAliasIn(la, pip);
1367 iresult = TcpAliasIn(la, pip);
1371 iresult = SctpAlias(la, pip, SN_TO_LOCAL);
1376 struct alias_data ad = {
1386 /* Walk out chain. */
1387 error = find_handler(IN, IP, la, pip, &ad);
1389 iresult = PKT_ALIAS_OK;
1391 iresult = ProtoAliasIn(la, pip->ip_src,
1392 pip, pip->ip_p, &pip->ip_sum);
1396 iresult = ProtoAliasIn(la, pip->ip_src, pip,
1397 pip->ip_p, &pip->ip_sum);
1401 if (MF_ISSET(pip)) {
1402 struct alias_link *lnk;
1404 lnk = FindFragmentIn1(la, pip->ip_src, alias_addr, pip->ip_id);
1406 iresult = PKT_ALIAS_FOUND_HEADER_FRAGMENT;
1407 SetFragmentAddr(lnk, pip->ip_dst);
1409 iresult = PKT_ALIAS_ERROR;
1417 /* Unregistered address ranges */
1419 /* 10.0.0.0 -> 10.255.255.255 */
1420 #define UNREG_ADDR_A_LOWER 0x0a000000
1421 #define UNREG_ADDR_A_UPPER 0x0affffff
1423 /* 172.16.0.0 -> 172.31.255.255 */
1424 #define UNREG_ADDR_B_LOWER 0xac100000
1425 #define UNREG_ADDR_B_UPPER 0xac1fffff
1427 /* 192.168.0.0 -> 192.168.255.255 */
1428 #define UNREG_ADDR_C_LOWER 0xc0a80000
1429 #define UNREG_ADDR_C_UPPER 0xc0a8ffff
1431 /* 100.64.0.0 -> 100.127.255.255 (RFC 6598 - Carrier Grade NAT) */
1432 #define UNREG_ADDR_CGN_LOWER 0x64400000
1433 #define UNREG_ADDR_CGN_UPPER 0x647fffff
1436 LibAliasOut(struct libalias *la, void *ptr, int maxpacketsize)
1441 res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, 1);
1442 LIBALIAS_UNLOCK(la);
1447 LibAliasOutTry(struct libalias *la, void *ptr, int maxpacketsize, int create)
1452 res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, create);
1453 LIBALIAS_UNLOCK(la);
1458 LibAliasOutLocked(struct libalias *la,
1459 struct ip *pip, /* valid IP packet */
1460 int maxpacketsize, /* How much the packet data may grow (FTP and IRC inline changes) */
1461 int create /* Create new entries ? */
1465 struct in_addr addr_save;
1467 if (la->packetAliasMode & PKT_ALIAS_REVERSE) {
1468 la->packetAliasMode &= ~PKT_ALIAS_REVERSE;
1469 iresult = LibAliasInLocked(la, pip, maxpacketsize);
1470 la->packetAliasMode |= PKT_ALIAS_REVERSE;
1475 /* Defense against mangled packets */
1476 if (ntohs(pip->ip_len) > maxpacketsize
1477 || (pip->ip_hl << 2) > maxpacketsize) {
1478 iresult = PKT_ALIAS_IGNORED;
1482 addr_save = GetDefaultAliasAddress(la);
1483 if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY ||
1484 la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) {
1489 addr = ntohl(pip->ip_src.s_addr);
1490 if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER)
1492 else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER)
1494 else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER)
1496 else if (addr >= UNREG_ADDR_CGN_LOWER && addr <= UNREG_ADDR_CGN_UPPER &&
1497 la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN)
1501 SetDefaultAliasAddress(la, pip->ip_src);
1503 } else if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) {
1504 SetDefaultAliasAddress(la, pip->ip_src);
1507 if (FRAG_NO_HDR(pip)) {
1508 iresult = FragmentOut(la, pip, &pip->ip_sum);
1509 goto getout_restore;
1512 iresult = PKT_ALIAS_IGNORED;
1513 switch (pip->ip_p) {
1515 iresult = IcmpAliasOut(la, pip, create);
1518 iresult = UdpAliasOut(la, pip, maxpacketsize, create);
1521 iresult = TcpAliasOut(la, pip, maxpacketsize, create);
1525 iresult = SctpAlias(la, pip, SN_TO_GLOBAL);
1530 struct alias_data ad = {
1539 /* Walk out chain. */
1540 error = find_handler(OUT, IP, la, pip, &ad);
1542 iresult = PKT_ALIAS_OK;
1544 iresult = ProtoAliasOut(la, pip,
1545 pip->ip_dst, pip->ip_p, &pip->ip_sum, create);
1549 iresult = ProtoAliasOut(la, pip,
1550 pip->ip_dst, pip->ip_p, &pip->ip_sum, create);
1555 SetDefaultAliasAddress(la, addr_save);
1561 LibAliasUnaliasOut(struct libalias *la,
1562 void *ptr, /* valid IP packet */
1563 int maxpacketsize /* for error checking */
1570 struct alias_link *lnk;
1571 int iresult = PKT_ALIAS_IGNORED;
1574 pip = (struct ip *)ptr;
1576 /* Defense against mangled packets */
1577 if (ntohs(pip->ip_len) > maxpacketsize
1578 || (pip->ip_hl << 2) > maxpacketsize)
1581 ud = (struct udphdr *)ip_next(pip);
1582 tc = (struct tcphdr *)ip_next(pip);
1583 ic = (struct icmp *)ip_next(pip);
1586 if (pip->ip_p == IPPROTO_UDP)
1587 lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src,
1588 ud->uh_dport, ud->uh_sport,
1590 else if (pip->ip_p == IPPROTO_TCP)
1591 lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src,
1592 tc->th_dport, tc->th_sport,
1594 else if (pip->ip_p == IPPROTO_ICMP)
1595 lnk = FindIcmpIn(la, pip->ip_dst, pip->ip_src, ic->icmp_id, 0);
1599 /* Change it from an aliased packet to an unaliased packet */
1601 if (pip->ip_p == IPPROTO_UDP || pip->ip_p == IPPROTO_TCP) {
1603 struct in_addr original_address;
1604 u_short original_port;
1606 original_address = GetOriginalAddress(lnk);
1607 original_port = GetOriginalPort(lnk);
1609 /* Adjust TCP/UDP checksum */
1610 accumulate = twowords(&pip->ip_src);
1611 accumulate -= twowords(&original_address);
1613 if (pip->ip_p == IPPROTO_UDP) {
1614 accumulate += ud->uh_sport;
1615 accumulate -= original_port;
1616 ADJUST_CHECKSUM(accumulate, ud->uh_sum);
1618 accumulate += tc->th_sport;
1619 accumulate -= original_port;
1620 ADJUST_CHECKSUM(accumulate, tc->th_sum);
1623 /* Adjust IP checksum */
1624 DifferentialChecksum(&pip->ip_sum,
1625 &original_address, &pip->ip_src, 2);
1627 /* Un-alias source address and port number */
1628 pip->ip_src = original_address;
1629 if (pip->ip_p == IPPROTO_UDP)
1630 ud->uh_sport = original_port;
1632 tc->th_sport = original_port;
1634 iresult = PKT_ALIAS_OK;
1635 } else if (pip->ip_p == IPPROTO_ICMP) {
1637 struct in_addr original_address;
1638 u_short original_id;
1640 original_address = GetOriginalAddress(lnk);
1641 original_id = GetOriginalPort(lnk);
1643 /* Adjust ICMP checksum */
1644 accumulate = twowords(&pip->ip_src);
1645 accumulate -= twowords(&original_address);
1646 accumulate += ic->icmp_id;
1647 accumulate -= original_id;
1648 ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
1650 /* Adjust IP checksum */
1651 DifferentialChecksum(&pip->ip_sum,
1652 &original_address, &pip->ip_src, 2);
1654 /* Un-alias source address and port number */
1655 pip->ip_src = original_address;
1656 ic->icmp_id = original_id;
1658 iresult = PKT_ALIAS_OK;
1662 LIBALIAS_UNLOCK(la);
1669 LibAliasRefreshModules(void)
1671 char buf[256], conf[] = "/etc/libalias.conf";
1675 fd = fopen(conf, "r");
1677 err(1, "fopen(%s)", conf);
1679 LibAliasUnLoadAllModule();
1682 fgets(buf, 256, fd);
1687 for (i = 0; i < len; i++)
1688 if (!isspace(buf[i]))
1692 buf[len - 1] = '\0';
1693 LibAliasLoadModule(buf);
1701 LibAliasLoadModule(char *path)
1705 struct proto_handler *m;
1709 handle = dlopen (path, RTLD_LAZY);
1711 fprintf(stderr, "%s\n", dlerror());
1715 p = dlsym(handle, "alias_mod");
1716 if ((error = dlerror()) != NULL) {
1717 fprintf(stderr, "%s\n", dlerror());
1721 t = malloc(sizeof(struct dll));
1724 strncpy(t->name, p->name, DLL_LEN);
1726 if (attach_dll(t) == EEXIST) {
1728 fprintf(stderr, "dll conflict\n");
1732 m = dlsym(t->handle, "handlers");
1733 if ((error = dlerror()) != NULL) {
1734 fprintf(stderr, "%s\n", error);
1738 LibAliasAttachHandlers(m);
1743 LibAliasUnLoadAllModule(void)
1746 struct proto_handler *p;
1748 /* Unload all modules then reload everything. */
1749 while ((p = first_handler()) != NULL) {
1750 LibAliasDetachHandlers(p);
1752 while ((t = walk_dll_chain()) != NULL) {
1763 * m_megapullup() - this function is a big hack.
1764 * Thankfully, it's only used in ng_nat and ipfw+nat.
1766 * It allocates an mbuf with cluster and copies the specified part of the chain
1767 * into cluster, so that it is all contiguous and can be accessed via a plain
1768 * (char *) pointer. This is required, because libalias doesn't know how to
1769 * handle mbuf chains.
1771 * On success, m_megapullup returns an mbuf (possibly with cluster) containing
1772 * the input packet, on failure NULL. The input packet is always consumed.
1775 m_megapullup(struct mbuf *m, int len)
1779 if (len > m->m_pkthdr.len)
1782 if (m->m_next == NULL && M_WRITABLE(m))
1785 if (len <= MJUMPAGESIZE)
1786 mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR);
1787 else if (len <= MJUM9BYTES)
1788 mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES);
1789 else if (len <= MJUM16BYTES)
1790 mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES);
1796 m_move_pkthdr(mcl, m);
1797 m_copydata(m, 0, len, mtod(mcl, caddr_t));
1798 mcl->m_len = mcl->m_pkthdr.len = len;