From owner-freebsd-hackers Tue Jan 12 07:04:58 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA29569 for freebsd-hackers-outgoing; Tue, 12 Jan 1999 07:04:58 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from awfulhak.org (awfulhak.force9.co.uk [195.166.136.63]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA29560 for ; Tue, 12 Jan 1999 07:04:54 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by keep.lan.Awfulhak.org (8.9.1/8.9.1) with ESMTP id AAA60265; Tue, 12 Jan 1999 00:35:07 GMT (envelope-from brian@keep.lan.Awfulhak.org)
Message-Id: <199901120035.AAA60265@keep.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: Eivind Eklund
cc: Joseph Lee, freebsd-hackers@FreeBSD.ORG
Subject: Re: libalias and ident
In-reply-to: Your message of "Tue, 29 Dec 1998 17:49:12 +0100." <19981229174912.U53810@follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Jan 1999 00:35:07 +0000
From: Brian Somers
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Tue, Dec 29, 1998 at 07:19:17AM -0800, Joseph Lee wrote:
> > I've been hacking around in libalias to attempt ident support, and
> > have gotten stuck due to my limited knowledge of TCP connections.
> >
> > The basic premise of the code has been:
> > (1) see if the TCP packet in is destined for port 113; if so, run special code
> > (2) in the special code, do a sscanf() similar to a basic ident query
> >     and grab the querying remote/local (fport/lport) port pair
> > (3) with the pair found, find the corresponding in-link to find the originating
> >     out-link that triggered the ident query, using the fport/lport pair
> > (4) with the in-link found, create an out-link originating at the original ip/auth
> >     port to the remote ip, same remote port, using FindUdpTcpOut()
> > (5) do a PunchFWHole() on the new out-link
> > (6) change the original (destined) address on the TCP packet from (1)
>
> Step 4 is wrong, if I understand what you write correctly. The ident
> query has to be re-written with support for the relevant ports
> changing - libalias is _not_ guaranteed to use the same ports as the
> original machine did.

AFAIK, the problem isn't solvable :-(

Libalias needs to rewrite the ident query, changing the destination IP to that of the correct machine, and changing the embedded port number to the one originally sent. To do this, libalias needs to identify the link table entry for the original connection, but all it's given is the source port number and the destination IP and port. The source IP can only be guessed at; an educated guess could be made, but it wouldn't be 100% reliable. With PKT_ALIAS_SAME_PORTS set, the guess can be more educated, but it's still not going to be 100%.

Having said all that, I think it's still worth investing the time in getting this working (time I haven't got at the moment, I'm afraid). It should be made run-time configurable (PacketAliasSetMode()) and should default to disabled. I believe that a lot of the people that use libalias are people with a small number of internal machines and a small number of people using them. The ident module should get a good hit rate.

> Eivind.

-- 
Brian
Don't _EVER_ lose your sense of humour !
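The rewrite Brian describes, modelled as an added Python example that is not libalias code and not part of the original thread: the gateway parses the RFC 1413 query line, looks the embedded alias port up against a constructed link table keyed by remote IP and port, and only rewrites the query when that lookup is unique, declining to guess otherwise. The Link fields and all addresses and ports are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1413 query line: "<port on ident host> , <port on querying host>" CRLF.
# Seen from the gateway, the first number is the port libalias put on the
# wire (the alias port) and the second is the remote server's own port.
_QUERY_RE = re.compile(rb"^[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*\r?\n?$")

@dataclass(frozen=True)
class Link:
    """One simplified TCP link table entry (assumed layout, not libalias's)."""
    src_ip: str      # internal machine that opened the connection
    src_port: int    # its original source port
    dst_ip: str      # remote server
    dst_port: int
    alias_port: int  # port substituted on the outside

def parse_ident_query(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (alias_port, remote_port) or None if the line is malformed."""
    m = _QUERY_RE.match(payload)
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    if not (0 < a < 65536 and 0 < b < 65536):
        return None
    return a, b

def rewrite_ident_query(table: List[Link], remote_ip: str,
                        payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Map an inbound ident query to the internal host owning the connection.
    Returns (internal_ip, rewritten_query) only when exactly one link matches
    the alias port and the remote IP/port; a malformed, unknown or ambiguous
    query returns None so the caller passes it through unmodified."""
    parsed = parse_ident_query(payload)
    if parsed is None:
        return None
    alias_port, remote_port = parsed
    cands = [l for l in table
             if l.alias_port == alias_port
             and l.dst_ip == remote_ip and l.dst_port == remote_port]
    if len(cands) != 1:
        return None
    link = cands[0]
    # Put the internal host's real source port back into the query.
    return link.src_ip, b"%d, %d\r\n" % (link.src_port, remote_port)

# Constructed sample table: two internal hosts talking to the same server.
LINKS = [
    Link("192.168.1.10", 1025, "10.0.0.5", 25, 60001),
    Link("192.168.1.11", 1025, "10.0.0.5", 25, 60002),
]
```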
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message