From owner-freebsd-hackers Wed Sep 27 1:19:24 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 8E34E37B422 for ; Wed, 27 Sep 2000 01:18:51 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.9.3/1.13) id LAA37172; Wed, 27 Sep 2000 11:17:48 +0300 (EEST)
Date: Wed, 27 Sep 2000 11:17:48 +0300
From: Ruslan Ermilov
To: "David G. Andersen"
Cc: Erik Salander, hackers@FreeBSD.org
Subject: Re: natd bug with pptp, hack fix, question
Message-ID: <20000927111748.B34308@sunbay.com>
Mail-Followup-To: "David G. Andersen", Erik Salander, hackers@FreeBSD.org
References: <200009270434.e8R4Ybn00067@wind.lcs.mit.edu>
X-Mailer: Mutt 1.0i
In-Reply-To: <200009270434.e8R4Ybn00067@wind.lcs.mit.edu>; from dga@lcs.mit.edu on Wed, Sep 27, 2000 at 12:34:36AM -0400
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Sep 27, 2000 at 12:34:36AM -0400, David G. Andersen wrote:
> With natd+ipfw, I was setting up a front-end firewall for
> a client.  The firewall has several real IP addresses
> (we'll call them 10.0.0.1 and 10.0.0.2) and two
> MS PPTP servers behind it.
>
>                 10.0.0.1
>                 10.0.0.2
> World--------- | firewall | --------- PPTP-1 192.168.1.1
>                                  \---- PPTP-2 192.168.1.2
>
> I set up the natd.conf file in the way one would expect:
>
> redirect_proto gre 192.168.1.1 10.0.0.1
> redirect_port tcp 192.168.1.1:1723 10.0.0.1:1723
>
> redirect_proto gre 192.168.1.2 10.0.0.2
> redirect_port tcp 192.168.1.2:1723 10.0.0.2:1723
>
> [With or without the redirect_proto gre; with the
> -current libalias, I would expect to perhaps not need it]
>
> Anyway, to make a long story short, it doesn't work.  The
> first PPTP server is reachable and happy, but the virtual
> PPTP server on 10.0.0.2 is unreachable.  When natd sees
> the first GRE packet, it calls
>
> FindPptpIn(), which then checks:
>
>     link = FindLinkIn(dst_addr, alias_addr,
>                       NO_DEST_PORT, call_id,
>                       LINK_PPTP, 1);
>
> This check fails, and it falls back to a call to
> FindOriginalAddress(alias_addr);
>
> Two questions:
>
> a) I'm not sure about the location of the call to
>    AddLink for this connection in the PPTP aliasing
>    code, so I couldn't determine the right way to set
>    things up.
>
> b) Shouldn't this also check to see if there's a default
>    GRE relay host for this alias address?
>
> One issue:
>
> I hacked my client's natd program in the interim to
> AddLink inside FindPptpIn if it doesn't get a returned
> link, and it works like a charm.  However, it's definitely
> the wrong thing to do and only a temporary solution.
> The fact that it works, however, suggests that this
> should be something relatively straightforward for someone
> with a clue about how libalias works to fix.
>
> Anyone?  I'm happy to fix it (though my client might
> not like that. :-), but I'd love a bit of a hint about
> the right way to address this within the libalias framework
> before I blunder through making changes that won't be
> accepted.
>
> Thanks!
>
> This is using the 4-stable natd and the libalias from -current.
>
> -Dave
>
> {I'm not on -hackers at the moment, so if you could CC: me on
> a response, I'd appreciate it}.
>
Please try the attached patch.
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

Content-Disposition: attachment; filename=p

Index: alias.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias.c,v retrieving revision 1.24 diff -u -p -r1.24 alias.c --- alias.c 2000/09/01 16:38:53 1.24 +++ alias.c 2000/09/27 08:13:23 @@ -711,13 +711,14 @@ GreAliasIn(struct ip *pip) { u_short call_id; struct alias_link *link; + static struct in_addr null_addr = {INADDR_NONE}; /* Return if proxy-only mode is enabled. */ if (packetAliasMode & PKT_ALIAS_PROXY_ONLY) return (PKT_ALIAS_OK); if (PptpGetCallID(pip, &call_id)) { - if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, call_id)) != NULL) { + if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, null_addr, call_id)) != NULL) { struct in_addr alias_address; struct in_addr original_address; Index: alias_db.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v retrieving revision 1.38 diff -u -p -r1.38 alias_db.c --- alias_db.c 2000/08/31 12:47:57 1.38 +++ alias_db.c 2000/09/27 08:13:24 @@ -1632,6 +1632,7 @@ FindUdpTcpOut(struct in_addr src_addr, struct alias_link * FindPptpIn(struct in_addr dst_addr, struct in_addr alias_addr, + struct in_addr src_addr, u_short call_id) { struct alias_link *link;
@@ -1640,12 +1641,9 @@ FindPptpIn(struct in_addr dst_addr, NO_DEST_PORT, call_id, LINK_PPTP, 1); - if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING)) + if (link == NULL && src_addr.s_addr != INADDR_NONE) { - struct in_addr target_addr; - - target_addr = FindOriginalAddress(alias_addr); - link = AddLink(target_addr, dst_addr, alias_addr, + link = AddLink(src_addr, dst_addr, alias_addr, call_id, NO_DEST_PORT, call_id, LINK_PPTP); } Index: alias_local.h =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_local.h,v retrieving revision 1.16 diff -u -p -r1.16 alias_local.h --- alias_local.h 2000/07/26 23:15:46 1.16 +++ alias_local.h 2000/09/27 08:13:24 @@ -108,7 +108,7 @@ struct alias_link * FindUdpTcpOut(struct in_addr, struct in_addr, u_short, u_short, u_char); struct alias_link * -FindPptpIn(struct in_addr, struct in_addr, u_short); +FindPptpIn(struct in_addr, struct in_addr, struct in_addr, u_short); struct alias_link * FindPptpOut(struct in_addr, struct in_addr, u_short); Index: alias_pptp.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_pptp.c,v retrieving revision 1.3 diff -u -p -r1.3 alias_pptp.c --- alias_pptp.c 2000/08/09 11:25:44 1.3 +++ alias_pptp.c 2000/09/27 08:13:24 @@ -243,7 +243,7 @@ AliasHandlePptpIn(struct ip *pip, /* /* Find PPTP link for address and Call ID found in PPTP Control Msg */ pptp_link = FindPptpIn(GetDestAddress(link), GetAliasAddress(link), - *pcall_id); + GetOriginalAddress(link), *pcall_id); if (pptp_link != NULL) { int accumulate = *pcall_id;
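Review bot: in the alias.c GreAliasIn hunk, `static struct in_addr null_addr = {INADDR_NONE};` is a misleading name for an all-ones sentinel (INADDR_NONE is 255.255.255.255, not 0.0.0.0), and `static` buys nothing for a constant that is only read; name it something like `no_src_addr`, make it `const`, and add a one-line comment that it tells FindPptpIn to look up only and never create a link. That behavioural consequence belongs in the commit message as well: with this sentinel, a GRE packet whose Call ID was never seen on the TCP/1723 control channel no longer gets a link made up for it from FindOriginalAddress(), which is the fix for the second redirect in the report.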
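Review bot: in the alias_db.c signature hunk, the new `src_addr` parameter is placed between `alias_addr` and `call_id`, whereas AddLink in the same file takes its addresses as (src_addr, dst_addr, alias_addr); either move `src_addr` first to match, or at least put a comment above FindPptpIn stating the contract ("src_addr: original address of the host behind the PPTP control connection, or INADDR_NONE to look up an existing link without creating one"), so the sentinel convention is visible at the prototype rather than only inside the body.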
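Review bot: the alias_db.c body hunk drops the `PKT_ALIAS_DENY_INCOMING` test entirely, so link creation is now gated only on `src_addr.s_addr != INADDR_NONE`; if deny-incoming mode is still meant to stop inbound PPTP data links from being set up off the control channel, keep both conditions (`link == NULL && src_addr.s_addr != INADDR_NONE && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING)`), otherwise say in the commit message why that mode no longer applies at this point. A short comment that the INADDR_NONE comparison is byte-order safe because the value is all ones would save the next reader a check. Replacing the `FindOriginalAddress(alias_addr)` guess with the address the caller already knows from the control connection is the right shape: the GRE link is now tied to the host that actually set up the call instead of to whatever single original address the alias address maps to.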
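Review bot: at the alias_pptp.c call site, a one-line comment that `link` is the TCP/1723 control-connection link, so `GetOriginalAddress(link)` is the internal PPTP server (192.168.1.2 in the report's second redirect) against which the GRE link should be created, would make the new argument self-explaining; the existing comment only says "Find PPTP link for address and Call ID". The hunk shows only the `pptp_link != NULL` branch, so please confirm the caller's handling of a NULL return is unchanged by the new argument.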