Date: Tue, 12 Jan 1999 00:35:07 +0000
From: Brian Somers <brian@Awfulhak.org>
To: Eivind Eklund <eivind@yes.no>
Cc: Joseph Lee <nugundam@best.com>, freebsd-hackers@FreeBSD.ORG
Subject: Re: libalias and ident
Message-ID: <199901120035.AAA60265@keep.lan.Awfulhak.org>
In-Reply-To: Your message of "Tue, 29 Dec 1998 17:49:12 +0100." <19981229174912.U53810@follo.net>
> On Tue, Dec 29, 1998 at 07:19:17AM -0800, Joseph Lee wrote:
> > I've been hacking around in libalias to attempt ident support, and
> > have gotten stuck due to my limited knowledge of tcp connections.
> >
> > The basic premise of the code has been:
> > (1) see if tcp packet in is destined for port 113, if so special code
> > (2) in special code, do a sscanf() similar to a basic ident query
> >     and grab querying remote/local (fport/lport) port pair
> > (3) with pair found, find corresponding in-link to find originating
> >     out-link that triggered the ident query, using the fport/lport pair
> > (4) with in-link found, create out-link originating at original ip/auth
> >     port to remote ip, same remote port, using FindUdpTcpOut()
> > (5) do a PunchFWHole() on the new out-link
> > (6) change the original (destined) address on the tcp packet from (1)
>
> Step 4 is wrong, if I understand what you write correctly.  The ident
> query has to be re-written with support for the relevant ports
> changing - libalias is _not_ guaranteed to use the same ports as the
> original machine did.

AFAIK, the problem isn't solvable :-(

Libalias needs to rewrite the ident query, changing the destination IP to
that of the correct machine, and changing the embedded port number to the
one originally sent.  To do this, libalias needs to identify the link
table entry for the original connection, but all it's given is the source
port number and the destination IP and port.  The source IP can only be
guessed at; an educated guess could be made, but it wouldn't be 100%
reliable.  With PKT_ALIAS_SAME_PORTS set, the guess can be more educated,
but it's still not going to be 100%.

Having said all that, I think it's still worth investing the time in
getting this working (time I haven't got at the moment I'm afraid).  It
should be made run-time configurable (PacketAliasSetMode()) and should
default to disabled.
I believe that a lot of the people that use libalias are people with a
small number of internal machines and a small number of people using
them.  The ident module should get a good hit rate.

> Eivind.

-- 
Brian <brian@Awfulhak.org> <brian@FreeBSD.org> <brian@OpenBSD.org>
      <http://www.Awfulhak.org>
Don't _EVER_ lose your sense of humour !
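As an added illustration of the rewrite step discussed in this thread (example code, not from the thread, from libalias or from any poster), the following Python models a toy link table and the ident-query lookup using the thread's fport/lport vocabulary. The Link fields, addresses and ports are constructed; the lookup keys only on what the aliasing router actually sees arrive (the remote peer's address and the port pair in the query), and it refuses to rewrite when that does not single out exactly one connection, which is the guessing problem Brian describes.

```python
# Added example, not from the thread or from libalias: a toy NAT link table
# and the ident-query rewrite step Brian describes. Every address and port
# below is constructed.
import re
from dataclasses import dataclass

# RFC 1413 query as the remote peer sends it: "<server-port> , <client-port>".
# Through the aliasing router the server-port is the *alias* port, which
# need not equal the port the internal host really used.
_QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

@dataclass(frozen=True)
class Link:
    src_addr: str    # internal (pre-alias) host
    src_port: int    # port the internal host actually used
    alias_port: int  # port the router substituted on the way out
    dst_addr: str    # remote peer
    dst_port: int

def parse_ident_query(line):
    """Return (lport, fport) from one query line, or None if malformed."""
    m = _QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    lport, fport = int(m.group(1)), int(m.group(2))
    return (lport, fport) if 0 < lport < 65536 and 0 < fport < 65536 else None

def find_links(links, remote_addr, alias_port, remote_port):
    """Every link whose aliased side matches what the ident query names."""
    return [l for l in links if l.dst_addr == remote_addr
            and l.alias_port == alias_port and l.dst_port == remote_port]

def rewrite_ident_query(links, remote_addr, line):
    """Map an incoming ident query to (internal host, rewritten query line).
    Returns None for a malformed query or when the link table does not
    single out exactly one connection: the rewrite must not guess."""
    ports = parse_ident_query(line)
    if ports is None:
        return None
    lport, fport = ports
    matches = find_links(links, remote_addr, lport, fport)
    if len(matches) != 1:
        return None
    link = matches[0]
    return link.src_addr, f"{link.src_port} , {fport}\r\n"
```

In the constructed table two internal hosts both used source port 6191 towards the same peer, so the router had to hand the second one a different alias port; that is exactly why the original step (4), which assumes the ports are unchanged, cannot work in general.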