Date:      Wed, 27 Sep 2000 11:17:48 +0300
From:      Ruslan Ermilov <ru@sunbay.com>
To:        "David G. Andersen" <dga@lcs.mit.edu>
Cc:        Erik Salander <erik@whistle.com>, hackers@FreeBSD.org
Subject:   Re: natd bug with pptp, hack fix, question
Message-ID:  <20000927111748.B34308@sunbay.com>
In-Reply-To: <200009270434.e8R4Ybn00067@wind.lcs.mit.edu>; from dga@lcs.mit.edu on Wed, Sep 27, 2000 at 12:34:36AM -0400
References:  <200009270434.e8R4Ybn00067@wind.lcs.mit.edu>



On Wed, Sep 27, 2000 at 12:34:36AM -0400, David G. Andersen wrote:
> With natd+ipfw, I was setting up a front-end firewall for
> a client.  The firewall has several real IP addresses
> (we'll call them 10.0.0.1 and 10.0.0.2) and two
> MS PPTP servers behind it.
> 
> 
>               10.0.0.1
>               10.0.0.2
> World--------- | firewall | --------- PPTP-1  192.168.1.1
>                                 \---- PPTP-2  192.168.1.2
> 
> I set up the natd.conf file in the way one would expect:
> 
> redirect_proto gre 192.168.1.1       10.0.0.1
> redirect_port  tcp 192.168.1.1:1723  10.0.0.1:1723
> 
> redirect_proto gre 192.168.1.2       10.0.0.2
> redirect_port  tcp 192.168.1.2:1723  10.0.0.2:1723
> 
> [With or without the redirect_proto gre;  with the
>  -current libalias, I would expect to perhaps not need it]
> 
> Anyway, to make a long story short, it doesn't work.  The
> first PPTP server is reachable and happy, but the virtual
> PPTP server on 10.0.0.2 is unreachable.  When natd sees
> the first GRE packet, it calls
> 
> FindPptpIn(), which then checks:
> 
>     link = FindLinkIn(dst_addr, alias_addr,
>                       NO_DEST_PORT, call_id,
>                       LINK_PPTP, 1);
> 
> This check fails, and it falls back to a call to
> FindOriginalAddress(alias_addr);
> 
> Two questions:
> 
>   a)  I'm not sure about the location of the call to
> AddLink for this connection in the PPTP aliasing
> code, so I couldn't determine the right way to set
> things up.
> 
>   b)  Shouldn't this also check to see if there's a default
>       GRE relay host for this alias address?
> 
> One issue:
> 
>   I hacked my client's natd program in the interim to
> AddLink inside FindPptpIn if it doesn't get a returned
> link, and it works like a charm.  However, it's definitely
> the wrong thing to do and only a temporary solution.
> The fact that it works, however, suggests that this
> should be something relatively straightforward for someone
> with a clue about how libalias works to fix.
> 
>   Anyone?  I'm happy to fix it (though my client might
> not like that. :-), but I'd love a bit of a hint about
> the right way to address this within the libalias framework
> before I blunder through making changes that won't be
> accepted.
> 
> Thanks!
> 
> This is using the 4-stable natd and the libalias from -current.
> 
>    -Dave
> 
> {I'm not on -hackers at the moment, so if you could CC: me on
>  a response, I'd appreciate it}.
> 
Please try the attached patch.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age


Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.24
diff -u -p -r1.24 alias.c
--- alias.c	2000/09/01 16:38:53	1.24
+++ alias.c	2000/09/27 08:13:23
@@ -711,13 +711,14 @@ GreAliasIn(struct ip *pip)
 {
     u_short call_id;
     struct alias_link *link;
+    static struct in_addr null_addr = {INADDR_NONE};
 
 /* Return if proxy-only mode is enabled. */
     if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
         return (PKT_ALIAS_OK);
 
     if (PptpGetCallID(pip, &call_id)) {
-	if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, call_id)) != NULL) {
+	if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, null_addr, call_id)) != NULL) {
 	    struct in_addr alias_address;
 	    struct in_addr original_address;
 
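Review bot: passing null_addr here means GreAliasIn no longer creates a PPTP link on its own for a GRE packet that has no matching link (the FindOriginalAddress(alias_addr) fallback inside FindPptpIn goes away in this same patch), so GRE that arrives before the control channel has registered the call id is no longer aliased; that is the intended fix for the two-server case, but a comment on the `null_addr` declaration saying that INADDR_NONE means "look up only, do not create" would save the next reader a trip to alias_db.c. The sentinel is never modified, so `static const` would also express that.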
Index: alias_db.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v
retrieving revision 1.38
diff -u -p -r1.38 alias_db.c
--- alias_db.c	2000/08/31 12:47:57	1.38
+++ alias_db.c	2000/09/27 08:13:24
@@ -1632,6 +1632,7 @@ FindUdpTcpOut(struct in_addr  src_addr,
 struct alias_link *
 FindPptpIn(struct in_addr dst_addr,
           struct in_addr alias_addr,
+          struct in_addr src_addr,
           u_short call_id)
 {
     struct alias_link *link;
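Review bot: the new `src_addr` parameter carries a sentinel convention (INADDR_NONE means "do not create a link") that nothing at the definition documents; add a comment on the parameter, since inserting it between `alias_addr` and `call_id` also changes the positional meaning of every existing call, and a caller that is updated for the count but not the order would compile and silently bind the wrong address.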
@@ -1640,12 +1641,9 @@ FindPptpIn(struct in_addr dst_addr,
                       NO_DEST_PORT, call_id,
                       LINK_PPTP, 1);
 
-    if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
+    if (link == NULL && src_addr.s_addr != INADDR_NONE)
     {
-        struct in_addr target_addr;
-
-        target_addr = FindOriginalAddress(alias_addr);
-        link = AddLink(target_addr, dst_addr, alias_addr,
+        link = AddLink(src_addr, dst_addr, alias_addr,
                        call_id, NO_DEST_PORT, call_id,
                        LINK_PPTP);
     }
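Review bot: the replaced condition drops the `!(packetAliasMode & PKT_ALIAS_DENY_INCOMING)` test, so after this hunk a link can be added in deny-incoming mode whenever the caller supplies a real `src_addr`; unless that is deliberate (the only remaining creating caller is the control-channel handler, which runs on an already-established TCP link), keep the mode test next to the new sentinel check: `if (link == NULL && src_addr.s_addr != INADDR_NONE && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))`. Either way the commit message should state which behaviour was chosen.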
Index: alias_local.h
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias_local.h,v
retrieving revision 1.16
diff -u -p -r1.16 alias_local.h
--- alias_local.h	2000/07/26 23:15:46	1.16
+++ alias_local.h	2000/09/27 08:13:24
@@ -108,7 +108,7 @@ struct alias_link *
 FindUdpTcpOut(struct in_addr, struct in_addr, u_short, u_short, u_char);
 
 struct alias_link *
-FindPptpIn(struct in_addr, struct in_addr, u_short);
+FindPptpIn(struct in_addr, struct in_addr, struct in_addr, u_short);
 
 struct alias_link *
 FindPptpOut(struct in_addr, struct in_addr, u_short);
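Review bot: the prototype now matches the new definition, but the change is source-incompatible for any caller outside this patch; only alias.c and alias_pptp.c are updated here, so check for other FindPptpIn callers in the tree before committing, since an unupdated one would fail to compile rather than misbehave at runtime.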
Index: alias_pptp.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias_pptp.c,v
retrieving revision 1.3
diff -u -p -r1.3 alias_pptp.c
--- alias_pptp.c	2000/08/09 11:25:44	1.3
+++ alias_pptp.c	2000/09/27 08:13:24
@@ -243,7 +243,7 @@ AliasHandlePptpIn(struct ip *pip,	   /* 
 
     /* Find PPTP link for address and Call ID found in PPTP Control Msg */
     pptp_link = FindPptpIn(GetDestAddress(link), GetAliasAddress(link),
-                           *pcall_id);
+                           GetOriginalAddress(link), *pcall_id);
 
     if (pptp_link != NULL) {
       int accumulate = *pcall_id;
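Review bot: GetOriginalAddress(link) here is the inside address of the control-channel link found just above, which is what ties the GRE link to the server the `redirect_port tcp ...:1723` rule chose rather than to whatever FindOriginalAddress(alias_addr) returned for the alias address; a one-line comment saying so would make the dependency on `link` being that control-channel link explicit, and the handler should guarantee `link` is non-NULL before this call is reached.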

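To make the contract the patch gives FindPptpIn concrete, here is a small constructed C model (added for this archive page; not libalias code, and struct pptp_link, find_pptp_in, pptp_control_seen and gre_target are hypothetical stand-ins): the control-channel handler creates the GRE link from the inside address of the TCP 1723 link, while the GRE data path passes the INADDR_NONE sentinel and can only look up, so two PPTP servers behind two alias addresses stay apart even when both calls use the same call id.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Hypothetical stand-in for libalias's struct alias_link (constructed here),
 * reduced to the fields the PPTP/GRE lookup keys on. */
struct pptp_link {
    struct in_addr src;      /* inside PPTP server (the "original" address) */
    struct in_addr dst;      /* remote PPTP client */
    struct in_addr alias;    /* public address the client connected to */
    unsigned short call_id;
};
static struct pptp_link table[16]; static int nlinks;

/* Same meaning as null_addr in the patch: the caller knows no inside
 * address, so only look up, never create a link. */
static const struct in_addr null_addr = { INADDR_NONE };

static struct in_addr ip(const char *s) { struct in_addr a = { inet_addr(s) }; return a; }

/* Model of the patched FindPptpIn() contract: find the link keyed on (dst, alias,
 * call_id); if absent and src is not the sentinel, create it bound to src. */
struct pptp_link *find_pptp_in(struct in_addr dst, struct in_addr alias,
                               struct in_addr src, unsigned short call_id)
{
    for (int i = 0; i < nlinks; i++)
        if (table[i].dst.s_addr == dst.s_addr && table[i].alias.s_addr == alias.s_addr
            && table[i].call_id == call_id)
            return &table[i];
    if (src.s_addr == INADDR_NONE || nlinks == 16)
        return NULL;                       /* no match and creation not allowed */
    table[nlinks] = (struct pptp_link){ src, dst, alias, call_id };
    return &table[nlinks++];
}

/* Control channel (where AliasHandlePptpIn runs): the inside address comes from
 * the already-translated TCP 1723 link, so this is where the GRE link is made. */
int pptp_control_seen(const char *client, const char *alias,
                      const char *inside, unsigned short call_id)
{
    return find_pptp_in(ip(client), ip(alias), ip(inside), call_id) != NULL;
}

/* Data path (where GreAliasIn runs): pass the sentinel so an unknown call id
 * cannot fabricate a link. Returns the inside server for the packet, or "none". */
const char *gre_target(const char *client, const char *alias, unsigned short call_id)
{
    struct pptp_link *l = find_pptp_in(ip(client), ip(alias), null_addr, call_id);
    return l ? inet_ntoa(l->src) : "none";
}
```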


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000927111748.B34308>