From owner-freebsd-net Wed Apr 19 1:58:49 2000
Delivered-To: freebsd-net@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 544E037B70D for ; Wed, 19 Apr 2000 01:58:16 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id LAA52851; Wed, 19 Apr 2000 11:55:13 +0300 (EEST) (envelope-from ru)
Date: Wed, 19 Apr 2000 11:55:13 +0300
From: Ruslan Ermilov
To: Archie Cobbs
Cc: Julian Elischer, Brian Somers, Charles Mott, Ari Suutari, Eivind Eklund, net@FreeBSD.ORG
Subject: Re: Improved PPTP support for libalias(3)
Message-ID: <20000419115513.A42767@relay.ucb.crimea.ua>
Mail-Followup-To: Archie Cobbs, Julian Elischer, Brian Somers, Charles Mott, Ari Suutari, Eivind Eklund, net@FreeBSD.ORG
References: <20000417170542.A61926@relay.ucb.crimea.ua> <200004180014.RAA28144@bubba.whistle.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=82I3+IH0IqGh5yIs
X-Mailer: Mutt 0.95.3i
In-Reply-To: <200004180014.RAA28144@bubba.whistle.com>; from Archie Cobbs on Mon, Apr 17, 2000 at 05:14:25PM -0700
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii

On Mon, Apr 17, 2000 at 05:14:25PM -0700, Archie Cobbs wrote:
> Ruslan Ermilov writes:
> > > does this mean that only one PC at a time behind a NAT wall, can access a
> > > particular machine?
> > > i.e. two visitors with their own laptops from the same place,
> > > cannot go back to the same host to read their mail..?
> > > This is not a BAD restriction, but it is a restriction..
> >
> > If you mean two PCs, each with their own tunnel to the same host, this
> > will not work. The problem here is that we need some "tag" to use with
> > source and destination IP addresses, to successfully de-alias packets
> > coming in. For TCP and UDP packets, there are port numbers. For ICMP
> > echo/timestamp packets, there is an ID field. But unfortunately, there
> > seems to be no such "tag" with PPTP protocols.
>
> Sure there is: the Call ID.
>
> We are probably going to implement the remaining bit of this here
> at Whistle in the next couple of weeks.. and will submit when done.

This patch should (hopefully) allow for concurrent PPTP tunnels from
multiple local PACs to the same remote PNS to work behind NAT (rfc2637
terminology is being used).
Could someone please test this patch, since I do not have enough test
environment here? Note please, that you DO NOT need PacketAliasRedirectPptp()
for this to work. Just running natd(8) with the default set of options
should be enough.

If someone is going to test this, please mail me the output of `natd -v'
while trying PPTP to the same PNS from two or more local PACs.

Thanks,
--
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p

Index: Makefile =================================================================== RCS file: /usr/FreeBSD-CVS/src/lib/libalias/Makefile,v retrieving revision 1.13 diff -u -p -r1.13 Makefile --- Makefile 2000/01/14 07:57:13 1.13 +++ Makefile 2000/04/19 08:14:33 @@ -5,7 +5,7 @@ SHLIB_MAJOR= 3 SHLIB_MINOR= 0 CFLAGS+= -Wall -I${.CURDIR} SRCS= alias.c alias_cuseeme.c alias_db.c alias_ftp.c alias_irc.c \ - alias_nbt.c alias_proxy.c alias_util.c + alias_nbt.c alias_pptp.c alias_proxy.c alias_util.c INCS= alias.h MAN3= libalias.3 Index: alias.c =================================================================== RCS file: /usr/FreeBSD-CVS/src/lib/libalias/alias.c,v retrieving revision 1.18 diff -u -p -r1.18 alias.c --- alias.c 2000/04/18 10:18:20 1.18 +++ alias.c 2000/04/19 08:14:33 @@ -178,6 +178,7 @@ TcpMonitorOut(struct ip *pip, struct ali IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2(), IcmpAliasIn3() IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2(), IcmpAliasOut3() + PptpAliasIn(), PptpAliasOut() UdpAliasIn(), UdpAliasOut() TcpAliasIn(), TcpAliasOut() 
@@ -224,6 +225,9 @@ static int IcmpAliasOut2(struct ip *); static int IcmpAliasOut3(struct ip *); static int IcmpAliasOut (struct ip *); +static int PptpAliasIn(struct ip *); +static int PptpAliasOut(struct ip *); + static int UdpAliasOut(struct ip *); static int UdpAliasIn (struct ip *); @@ -670,7 +674,7 @@ PptpAliasIn(struct ip *pip) if (packetAliasMode & PKT_ALIAS_DENY_PPTP) return PKT_ALIAS_IGNORED; - link = FindPptpIn(pip->ip_src, pip->ip_dst); + link = FindPptpIn(pip->ip_src, pip->ip_dst, GetPptpCallID(pip)); if (link != NULL) { struct in_addr original_address; @@ -707,7 +711,7 @@ PptpAliasOut(struct ip *pip) if (packetAliasMode & PKT_ALIAS_DENY_PPTP) return PKT_ALIAS_IGNORED; - link = FindPptpOut(pip->ip_src, pip->ip_dst); + link = FindPptpOut(pip->ip_src, pip->ip_dst, GetPptpCallID(pip)); if (link != NULL) { struct in_addr alias_address; Index: alias_db.c =================================================================== RCS file: /usr/FreeBSD-CVS/src/lib/libalias/alias_db.c,v retrieving revision 1.27 diff -u -p -r1.27 alias_db.c --- alias_db.c 2000/04/18 10:18:20 1.27 +++ alias_db.c 2000/04/19 08:14:33 @@ -1380,12 +1380,13 @@ FindFragmentPtr(struct in_addr dst_addr, struct alias_link * FindPptpIn(struct in_addr dst_addr, - struct in_addr alias_addr) + struct in_addr alias_addr, + u_short call_id) { struct alias_link *link; link = FindLinkIn(dst_addr, alias_addr, - NO_DEST_PORT, 0, + NO_DEST_PORT, call_id, LINK_PPTP, 1); if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING)) @@ -1394,7 +1395,7 @@ FindPptpIn(struct in_addr dst_addr, target_addr = FindOriginalAddress(alias_addr); link = AddLink(target_addr, dst_addr, alias_addr, - NO_SRC_PORT, NO_DEST_PORT, 0, + call_id, NO_DEST_PORT, call_id, LINK_PPTP); } 
@@ -1404,12 +1405,13 @@ FindPptpIn(struct in_addr dst_addr, struct alias_link * FindPptpOut(struct in_addr src_addr, - struct in_addr dst_addr) + struct in_addr dst_addr, + u_short call_id) { struct alias_link *link; link = FindLinkOut(src_addr, dst_addr, - NO_SRC_PORT, NO_DEST_PORT, + call_id, NO_DEST_PORT, LINK_PPTP, 1); if (link == NULL) @@ -1418,7 +1420,7 @@ FindPptpOut(struct in_addr src_addr, alias_addr = FindAliasAddress(src_addr); link = AddLink(src_addr, dst_addr, alias_addr, - NO_SRC_PORT, NO_DEST_PORT, 0, + call_id, NO_DEST_PORT, call_id, LINK_PPTP); } @@ -2117,7 +2119,7 @@ PacketAliasRedirectPptp(struct in_addr s struct alias_link *link; link = AddLink(src_addr, dst_addr, alias_addr, - NO_SRC_PORT, NO_DEST_PORT, 0, + 0, NO_DEST_PORT, 0, LINK_PPTP); if (link != NULL) Index: alias_local.h =================================================================== RCS file: /usr/FreeBSD-CVS/src/lib/libalias/alias_local.h,v retrieving revision 1.12 diff -u -p -r1.12 alias_local.h --- alias_local.h 2000/04/18 10:18:21 1.12 +++ alias_local.h 2000/04/19 08:14:33 @@ -96,10 +96,10 @@ struct alias_link * FindFragmentPtr(struct in_addr, u_short); struct alias_link * -FindPptpIn(struct in_addr, struct in_addr); +FindPptpIn(struct in_addr, struct in_addr, u_short); struct alias_link * -FindPptpOut(struct in_addr, struct in_addr); +FindPptpOut(struct in_addr, struct in_addr, u_short); struct alias_link * FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char); @@ -168,6 +168,9 @@ void AliasHandleCUSeeMeIn(struct ip *, s /* Transparent proxy routines */ int ProxyCheck(struct ip *, struct in_addr *, u_short *); void ProxyModify(struct alias_link *, struct ip *, int, int); + +/* PPTP routines */ +u_short GetPptpCallID(struct ip *); enum alias_tcp_state { Index: alias_pptp.c =================================================================== RCS file: alias_pptp.c diff -N alias_pptp.c 
--- /dev/null Wed Apr 19 11:17:15 2000 +++ alias_pptp.c Wed Apr 19 11:14:34 2000 @@ -0,0 +1,48 @@ +#include +#include +#include +#include + +#include "alias_local.h" + +/* + * Enhanced GRE header. + * Per RFC 2637, July, 1999. + */ +#define PPTP_GRE_VERSION 1 + +struct grehdr { + u_char Recur:3, /* Recursion control. */ + s:1, /* Strict source route present. */ + S:1, /* Sequence number present. */ + K:1, /* Key present. */ + R:1, /* Routing present. */ + C:1; /* Checksum present. */ + u_char ver:3, /* GRE version */ + flags:4, /* Flags. */ + A:1; /* Acknowledgment sequence number present. */ + u_short proto; /* Protocol type. */ + u_short plen; /* Payload length. */ + u_short callid; /* Call ID. */ +}; + + +#define NO_CALLID 1 + +u_short +GetPptpCallID(struct ip *pip) +{ + + if (pip->ip_p == IPPROTO_GRE) { + struct grehdr *gre; + + gre = (struct grehdr *)((char *)pip + (pip->ip_hl << 2)); + + /* Make sure this is a PPTP GRE packet with the Key field. */ + if (gre->ver == PPTP_GRE_VERSION && gre->K) + return (gre->callid); + } + + /* Report dummy Call ID for non-PPTP GRE. */ + return (NO_CALLID); +} --82I3+IH0IqGh5yIs-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
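Review bot: in the FindPptpIn hunk (alias_db.c @@ -1380) the fallback AddLink now keys the new link on call_id, but target_addr still comes from FindOriginalAddress(alias_addr), which knows nothing about Call IDs; for an unsolicited inbound GRE packet it can only map the alias address to a single internal host, never to the right one of several PACs, so with PKT_ALIAS_DENY_INCOMING clear an unknown Call ID silently creates a LINK_PPTP entry to whatever host that returns. Suggest limiting link creation on the inbound side to Call IDs that were already seen outbound (or set up by PacketAliasRedirectPptp), and otherwise returning NULL so the packet is dropped rather than guessed.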
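Review bot: the FindPptpOut hunk (alias_db.c @@ -1404) stores the Call ID taken from the outbound GRE packet as both src_port and alias_port, and the FindPptpIn lookup then expects the same value as alias_port of the reply. RFC 2637 section 4.1 defines the GRE Call ID field as the peer's Call ID, so PAC-to-PNS packets carry the ID assigned by the PNS while PNS-to-PAC packets carry the ID assigned by the PAC; the two values differ, which means the inbound lookup with `NO_DEST_PORT, call_id` will miss the link created outbound and drop into the AddLink path in FindPptpIn. The pairing of the two IDs is only visible on the PPTP control connection (Outgoing-Call-Request/Reply on TCP port 1723), so either learn the pair there and store the PAC's ID in the alias_port slot and the PNS's ID in the src_port slot, or document that only one direction is keyed correctly until that is done.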
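Review bot: the PacketAliasRedirectPptp hunk (alias_db.c @@ -2117) creates the static link with src_port 0 and alias_port 0, while FindPptpIn now looks it up with alias_port = GetPptpCallID(pip), which is either a real Call ID or NO_CALLID (1) for non-PPTP GRE. Unless FindLinkIn treats a zero alias port as a wildcard, which the visible lines do not show, a redirect created this way will never match a GRE packet; the remark in the mail that PacketAliasRedirectPptp() is not needed suggests this path was not exercised. Either pass a wildcard value the lookup understands, or state in libalias.3 (listed in MAN3 in the Makefile hunk) that the redirect no longer applies once Call IDs are used as keys.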
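Review bot: GetPptpCallID in the new alias_pptp.c dereferences the GRE header without checking that the packet actually contains one; it should verify `ntohs(pip->ip_len) >= (pip->ip_hl << 2) + sizeof(struct grehdr)` before reading gre->ver, gre->K and gre->callid, otherwise a short GRE packet makes the library read past the end of the buffer. Two smaller points: the bit-field order in struct grehdr (Recur first and C last, ver first and A last) matches the RFC 2637 layout only under little-endian bit allocation, so it wants the same `#if BYTE_ORDER == LITTLE_ENDIAN` / `BIG_ENDIAN` treatment that netinet/ip.h gives struct ip; and the four `#include` lines arrived with no header names in this copy of the patch, so the file as mailed will not compile. Checking `gre->proto == htons(0x880B)` (PPP) alongside the version and K flag would also tighten the "is this PPTP" test.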
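The quoted discussion turns on the "tag" a NAT needs alongside the address pair to de-alias a flow (ports for TCP/UDP, the ID field for ICMP, and for PPTP the Call ID of the enhanced GRE header). The following is an added example, not libalias code and not part of the patch above: a byte-oriented Call ID extractor that bounds every read by the buffer length and avoids compiler-dependent bit-fields, plus a toy link table keyed on (src, dst, Call ID) showing that two PACs reaching one PNS stay distinguishable. Names such as pptp_call_id, pptp_link_lookup and build_pptp_packet, the 10.0.0.x/192.0.2.1 addresses and the Call IDs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants for the enhanced GRE header of RFC 2637 (example code, not libalias). */
#define IP_PROTO_GRE   47
#define GRE_PROTO_PPP  0x880B  /* PPP payload, the only protocol a PPTP tunnel carries */
#define GRE_FLAG_K     0x20    /* Key present: first GRE byte, bit 5 (C R K S s Recur) */
#define GRE_VER_MASK   0x07    /* version: low 3 bits of the second GRE byte */
#define GRE_VER_PPTP   1
#define GRE_HDR_MIN    8       /* flags(2) + proto(2) + payload len(2) + call id(2) */

enum { CALLID_OK = 0, CALLID_TRUNCATED = -1, CALLID_NOT_GRE = -2, CALLID_NOT_PPTP = -3 };

/*
 * Extract the PPTP Call ID from a raw IPv4 packet of `len` bytes.
 * On success stores the host-order Call ID and returns CALLID_OK.
 * Works on individual bytes, so it depends neither on host endianness nor on
 * how the compiler allocates bit-fields, and every read is bounded by `len`
 * rather than by what the headers claim.
 */
int pptp_call_id(const uint8_t *pkt, size_t len, uint16_t *call_id)
{
    if (len < 20)
        return CALLID_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return CALLID_TRUNCATED;
    if (pkt[9] != IP_PROTO_GRE)
        return CALLID_NOT_GRE;
    size_t ip_len = ((size_t)pkt[2] << 8) | pkt[3];
    /* Both the buffer and the IP total length must cover the GRE header. */
    if (len < ihl + GRE_HDR_MIN || ip_len < ihl + GRE_HDR_MIN)
        return CALLID_TRUNCATED;
    const uint8_t *gre = pkt + ihl;
    unsigned proto = ((unsigned)gre[2] << 8) | gre[3];
    if ((gre[1] & GRE_VER_MASK) != GRE_VER_PPTP || !(gre[0] & GRE_FLAG_K) ||
        proto != GRE_PROTO_PPP)
        return CALLID_NOT_PPTP;
    *call_id = (uint16_t)(((unsigned)gre[6] << 8) | gre[7]);
    return CALLID_OK;
}

/* Toy NAT link table keyed on (src, dst, Call ID): the "tag" the thread asks for. */
struct pptp_link { uint32_t src, dst; uint16_t call_id; int used; };
#define MAX_LINKS 8
static struct pptp_link links[MAX_LINKS];

/* Index of the matching link, creating one when `create` is set and there is
 * room; -1 when nothing matches (or the table is full). */
int pptp_link_lookup(uint32_t src, uint32_t dst, uint16_t call_id, int create)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_LINKS; i++) {
        if (!links[i].used) { if (free_slot < 0) free_slot = i; continue; }
        if (links[i].src == src && links[i].dst == dst && links[i].call_id == call_id)
            return i;
    }
    if (!create || free_slot < 0)
        return -1;
    links[free_slot] = (struct pptp_link){ src, dst, call_id, 1 };
    return free_slot;
}

/* Build a constructed IPv4 + enhanced-GRE packet carrying `call_id`; returns its length. */
size_t build_pptp_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t call_id)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                 /* IPv4, IHL = 5 words */
    buf[3] = 28;                   /* total length */
    buf[8] = 64;                   /* TTL */
    buf[9] = IP_PROTO_GRE;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = GRE_FLAG_K;
    buf[21] = GRE_VER_PPTP;
    buf[22] = 0x88; buf[23] = 0x0B; /* protocol type: PPP */
    buf[26] = (uint8_t)(call_id >> 8);
    buf[27] = (uint8_t)call_id;
    return 28;
}

int main(void)
{
    uint8_t a[28], b[28];
    uint16_t id;
    /* Two PACs (10.0.0.1, 10.0.0.2) to one PNS (192.0.2.1); constructed addresses. */
    size_t la = build_pptp_packet(a, 0x0a000001u, 0xc0000201u, 0x1234);
    size_t lb = build_pptp_packet(b, 0x0a000002u, 0xc0000201u, 0x1235);
    if (pptp_call_id(a, la, &id) == CALLID_OK)
        printf("link %d for call id 0x%04x\n", pptp_link_lookup(0x0a000001u, 0xc0000201u, id, 1), id);
    if (pptp_call_id(b, lb, &id) == CALLID_OK)
        printf("link %d for call id 0x%04x\n", pptp_link_lookup(0x0a000002u, 0xc0000201u, id, 1), id);
    printf("truncated packet -> %d\n", pptp_call_id(a, 24, &id));
    return 0;
}
```

The same lookup in both directions only works if the same Call ID appears in both directions; RFC 2637 puts the peer's Call ID in the GRE header, so a real implementation has to pair the two IDs learned from the control connection rather than reuse one value as this toy table does.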