svn commit: r186543 - in user/piso: sbin/ipfw share/man/man8
sys/modules/libalias/libalias sys/netinet sys/netinet/libalias
Paolo Pisati
piso at FreeBSD.org
Sun Dec 28 17:16:33 UTC 2008
Author: piso
Date: Sun Dec 28 17:16:32 2008
New Revision: 186543
URL: http://svn.freebsd.org/changeset/base/186543
Log:
Import sctp nat support in ipfw obtained from CAIA - http://caia.swin.edu.au.
Added:
user/piso/share/man/man8/alias_sctp.8 (contents, props changed)
user/piso/sys/netinet/libalias/alias_sctp.c (contents, props changed)
user/piso/sys/netinet/libalias/alias_sctp.h (contents, props changed)
Modified:
user/piso/sbin/ipfw/ipfw2.c
user/piso/share/man/man8/Makefile
user/piso/sys/modules/libalias/libalias/Makefile
user/piso/sys/netinet/ip_fw_nat.c
user/piso/sys/netinet/libalias/alias.c
user/piso/sys/netinet/libalias/alias.h
user/piso/sys/netinet/libalias/alias_db.c
user/piso/sys/netinet/libalias/alias_local.h
Modified: user/piso/sbin/ipfw/ipfw2.c
==============================================================================
--- user/piso/sbin/ipfw/ipfw2.c Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sbin/ipfw/ipfw2.c Sun Dec 28 17:16:32 2008 (r186543)
@@ -48,6 +48,7 @@
#include <fcntl.h>
#define IPFW_INTERNAL /* Access to protected structures in ip_fw.h. */
+#define _ALIAS_SCTP /*Using alias_sctp*/
#include <net/ethernet.h>
#include <net/if.h>
@@ -3504,7 +3505,13 @@ StrToProto (const char* str)
if (!strcmp (str, "udp"))
return IPPROTO_UDP;
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ if (!strcmp (str, "sctp"))
+ return IPPROTO_SCTP;
+ errx (EX_DATAERR, "unknown protocol %s. Expected sctp, tcp or udp", str);
+#else
errx (EX_DATAERR, "unknown protocol %s. Expected tcp or udp", str);
+#endif
}
static int
@@ -3680,13 +3687,29 @@ setup_redir_port(char *spool_buf, int le
strncpy(tmp_spool_buf, *av, strlen(*av)+1);
lsnat = 1;
} else {
- if (StrToAddrAndPortRange (*av, &r->laddr, protoName,
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ /*
+ * The sctp nat does not allow the port numbers to be mapped to new port numbers
+ * Therefore, no ports are to be specified in the target port field
+ */
+ if (r->proto == IPPROTO_SCTP) {
+ if (strchr (*av, ':'))
+ errx(EX_DATAERR, "redirect_port:"
+ "port numbers do not change in sctp, so do not specify them as part of the target");
+ else
+ StrToAddr(*av, &r->laddr);
+ } else {
+#endif /*Using alias_sctp*/
+ if (StrToAddrAndPortRange (*av, &r->laddr, protoName,
&portRange) != 0)
errx(EX_DATAERR, "redirect_port:"
"invalid local port range");
r->lport = GETLOPORT(portRange);
numLocalPorts = GETNUMPORTS(portRange);
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ }
+#endif /*Using alias_sctp*/
}
INC_ARGCV();
@@ -3710,6 +3733,12 @@ setup_redir_port(char *spool_buf, int le
}
r->pport = GETLOPORT(portRange);
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ if (r->proto == IPPROTO_SCTP) { /* so the logic below still works */
+ numLocalPorts = GETNUMPORTS(portRange);
+ r->lport = r->pport;
+ }
+#endif /*Using alias_sctp*/
r->pport_cnt = GETNUMPORTS(portRange);
INC_ARGCV();
@@ -3765,6 +3794,22 @@ setup_redir_port(char *spool_buf, int le
goto nospace;
len -= SOF_SPOOL;
space += SOF_SPOOL;
+
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ /*
+ * The sctp nat does not allow the port numbers to be mapped to new port numbers
+ * Therefore, no ports are to be specified in the target port field
+ */
+ if (r->proto == IPPROTO_SCTP) {
+ if (strchr (sep, ':')) {
+ errx(EX_DATAERR, "redirect_port:"
+ "port numbers do not change in sctp, so do not specify them as part of the target");
+ } else {
+ StrToAddr(sep, &tmp->addr);
+ tmp->port = r->pport;
+ }
+ } else {
+#endif /*Using alias_sctp*/
if (StrToAddrAndPortRange(sep, &tmp->addr, protoName,
&portRange) != 0)
errx(EX_DATAERR, "redirect_port:"
@@ -3773,6 +3818,9 @@ setup_redir_port(char *spool_buf, int le
errx(EX_DATAERR, "redirect_port: local port"
"must be single in this context");
tmp->port = GETLOPORT(portRange);
+#ifdef _ALIAS_SCTP /*Using alias_sctp*/
+ }
+#endif /*Using alias_sctp*/
r->spool_cnt++;
/* Point to the next possible cfg_spool. */
spool_buf = &spool_buf[SOF_SPOOL];
Modified: user/piso/share/man/man8/Makefile
==============================================================================
--- user/piso/share/man/man8/Makefile Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/share/man/man8/Makefile Sun Dec 28 17:16:32 2008 (r186543)
@@ -13,7 +13,8 @@ MAN= adding_user.8 \
rc.subr.8 \
rescue.8 \
sticky.8 \
- yp.8
+ yp.8 \
+ alias_sctp.8
MLINKS= rc.8 rc.atm.8 \
rc.8 rc.d.8 \
Added: user/piso/share/man/man8/alias_sctp.8
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/piso/share/man/man8/alias_sctp.8 Sun Dec 28 17:16:32 2008 (r186543)
@@ -0,0 +1,241 @@
+.\" * Copyright (c) 2008, Centre for Advanced Internet Architectures
+.\" * Swinburne University of Technology, Melbourne, Australia
+.\" * (CRICOS number 00111D).
+.\" *
+.\" * Alias_sctp forms part of the libalias kernel module to handle
+.\" * Network Address Translation (NAT) for the SCTP protocol.
+.\" *
+.\" * This software was developed by David A. Hayes and Jason But
+.\" *
+.\" * The design is outlined in CAIA technical report number 080618A
+.\" * (D. Hayes and J. But, "Alias_sctp Version 0.1: SCTP NAT implementation in IPFW")
+.\" *
+.\" * Development is part of the CAIA SONATA project,
+.\" * proposed by Jason But and Grenville Armitage:
+.\" * http://caia.swin.edu.au/urp/sonata/
+.\" *
+.\" *
+.\" * This project has been made possible in part by a grant from
+.\" * the Cisco University Research Program Fund at Community
+.\" * Foundation Silicon Valley.
+.\" *
+.\" *
+.\" *
+.\" * All rights reserved.
+.\" *
+.\" * Redistribution and use in source and binary forms, with or without
+.\" * modification, are permitted provided that the following conditions
+.\" * are met:
+.\" * 1. Redistributions of source code must retain the above copyright
+.\" * notice, this list of conditions and the following disclaimer.
+.\" * 2. Redistributions in binary form must reproduce the above copyright
+.\" * notice, this list of conditions and the following disclaimer in the
+.\" * documentation and/or other materials provided with the distribution.
+.\" * 3. The names of the authors, the "Centre for Advanced Internet Architectures"
+.\" * and "Swinburne University of Technology" may not be used to endorse
+.\" * or promote products derived from this software without specific
+.\" * prior written permission.
+.\" *
+.\" * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS "AS IS" AND
+.\" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" * SUCH DAMAGE.
+.TH ALIAS_SCTP 8 "30 September 08" "version 0.2"
+.SH NAME
+alias_sctp - SCTP NAT functionality for libalias in FreeBSD
+.SH SYNOPSIS
+.B alias_sctp \- libalias enhancements to support SCTP NAT
+.PP
+.B ipfw \- Extensions to user-land tool to configure SCTP NAT
+.PP
+.B sysctl net.inet.ip.alias.sctp.* \- sysctl interface to alias_sctp
+./"========================================================================="
+.SH DESCRIPTION
+.B alias_sctp
+is a kernel space addition to libalias that implements NAT for SCTP within the
+.B ipfw2
+framework for FreeBSD. The
+.B alias_sctp
+implementation is based on the details provided in Internet Draft xxxxx and our
+own ideas discovered during implementation.
+.B alias_sctp
+is a dynamically configurable NAT module that supports the following functionality:
+.IP o
+Optional support for tracking of Global IP Addresses (see Internet Draft xxxx)
+.IP o
+Dynamically configurable timeouts for various states within the NAT
+.IP o
+Dynamically configurable packet parsing limits (to protect against DoS attacks)
+.IP o
+Per port/IP-address forwarding of incoming associations
+.IP o
+Dynamically configurable hash table size and logging details
+.IP o
+NAT configured via user-land
+.B ipfw
+tool
+.IP o
+NAT statistics available via
+.B ipfw
+user-land command
+./"========================================================================="
+.SH USING alias_sctp
+.SS Configuring alias_sctp via ipfw
+.B Alias_sctp
+can be configured in a simillar manner to TCP through the ipfw command line tool
+(see ipfw(8)). The main difference in configuring SCTP NAT rules, is that
+.B alias_sctp
+does not do port translation. Since the local and global side ports will be the
+same, there is no need to specify both. Ports are redirected as follows:
+.IP
+.B ipfw nat
+inst#
+.B config if
+nic
+.B redirect_port sctp
+ip-addr [,addr-list] {port | port-port] [,ports]}
+./"========================================================================="
+.SH "sysctl" INTERFACE
+Most
+.B alias_sctp
+configuration can be done in real-time through the
+.B sysctl(8)
+interface. All may be changed dynamically, though the hash_table size will only
+change for new NAT instances. Default values are also listed below.
+
+.SS net.inet.ip.alias.sctp.hashtable_size (Default = 2003)
+Size of hash tables used for NAT lookups (100 < prime_number > 1000001)
+This value sets the hash table size for any _future_ created NAT
+instance and therefore must be set prior to creating a NAT instance (ie
+ipfw nat 100 config ...).
+.PP
+The table sizes my be changed to suit specific needs. If there will be few
+concurrent associations, and memory is scarce, you may make these smaller. If
+there will be many thousands (or millions) of concurrent associations, you
+should make these larger. A prime number is best for the table size. The sysctl
+update function will adjust your input value to the next highest prime number.
+
+.SS net.inet.ip.alias.sctp.error_on_ootb (Default = 1)
+Defines when the NAT responds to any Out-of-the-Blue (OOTB) packets with ErrorM
+packets. An OOTB packet is a packet that arrives with no existing association
+registered in the NAT AND is not an INIT or ASCONF-AddIP packet:
+.PP
+.IP "0 \-"
+ErrorM is never sent in response to OOTB packets
+.IP "1 \-"
+ErrorM is only sent to OOTB packets received on the local side
+.IP "2 \-"
+ErrorM is sent to the local side and on the global side ONLY if there is a
+partial match (ports and vtags match but the source global IP does not). This
+value is only useful if the NAT is tracking global IP addresses
+.IP "3 \-"
+ErrorM is sent in response to all OOTB packets on both the local and global side
+(DoS risk)
+.PP
+At the moment the default is 0, since the ErrorM packet is not yet
+supported by most SCTP stacks. When it is supported, and if not tracking
+global addresses we recommend setting this value to 1 to allow
+multi-homed local hosts to function with the NAT. If tracking global addresses
+we recommend setting this value to 2 to allow global hosts to be informed when
+they need to (re)send an ASCONF-AddIP. Value 3 should never be chosen (except
+for debugging) as the NAT will respond to all OOTB global packets (a DoS risk).
+
+.SS net.inet.ip.alias.sctp.accept_global_ootb_addip (Default = 0)
+Defines how the NAT responds to receipt of global OOTB ASCONF-AddIP:
+.PP
+.IP "0 \-"
+No response (unless a partially matching association exists -
+ports and vtags match but global address does not)
+.IP "1 \-"
+NAT will accept and process all OOTB global AddIP messages.
+.PP
+Option 1 should never be selected as this forms a security risk. An attacker can
+establish multiple fake associations by sending AddIP messages.
+
+.SS net.inet.ip.alias.sctp.initialising_chunk_proc_limit (Default = 2)
+Defines the maximum number of chunks in an SCTP packet that will be parsed when
+no existing association exists that matches that packet. Ideally this packet
+will only be an INIT or ASCONF-AddIP packet. A higher value may become a DoS
+risk as malformed packets can consume processing resources.
+
+.SS net.inet.ip.alias.sctp.chunk_proc_limit (Default = 5)
+Defines the maximum number of chunks in an SCTP packet that will be parsed for a
+packet that matches an existing association. This value is enforced to be >=
+(initialising_chunk_proc_limit). As for the previous parameter, a high value is
+a DoS risk yet setting too low a value may result in important control chunks in
+the packet not being located and parsed.
+
+.SS net.inet.ip.alias.sctp.param_proc_limit (Default = 25)
+Defines the maximum number of parameters within a chunk that will be parsed in a
+packet. As for other similar sysctl variables, larger values pose a DoS risk.
+
+.SS net.inet.ip.alias.sctp.track_global_addresses (Default = 0)
+Enables/disables global IP address tracking within the NAT and places an
+upper limit on the number of addresses tracked for each association:
+.PP
+.IP "0 \-"
+Global tracking is disabled
+.IP ">1 \-"
+Enables tracking, the maximum number of addresses tracked for each
+association is limited to this value
+.PP
+This variable is fully dynamic, the new value will be adopted for all newly
+arriving associations, existing association are treated as they were previously.
+Global tracking will decrease the number of collisions within the NAT at a cost
+of increased processing load, memory usage, complexity, and possible NAT state
+problems in complex networks with multiple NATs. We recommend not tracking
+global IP addresses, this will still result in a fully functional NAT.
+
+.SS net.inet.ip.alias.sctp.init_timer (Default = 15)
+Timeout value (s) while waiting for (INIT-ACK|AddIP-ACK).
+This value cannot be 0.
+
+.SS net.inet.ip.alias.sctp.up_timer (Default = 300)
+Timeout value (s) to keep an association up with no traffic.
+This value cannot be 0.
+
+.SS net.inet.ip.alias.sctp.shutdown_time (Default = 15)
+Timeout value (s) while waiting for SHUTDOWN-COMPLETE.
+This value cannot be 0.
+
+.SS net.inet.ip.alias.sctp.holddown_time (Default = 0)
+Hold association in table for this many seconds after receiving a
+SHUTDOWN-COMPLETE. This allows endpoints to correct shutdown gracefully if a
+shutdown_complete is lost and retransmissions are required. This
+net.inet.ip.alias.sctp.log_level (Default = 0) Level of detail in the system log
+messages (0 \- minimal, 1 \- event, 2 \- info, 3 \- detail, 4 \- debug, 5 \- max
+debug)
+.PP
+May be a good option in high loss environments.
+
+.SH "SEE ALSO"
+.BR ipfw (8),
+.BR libalias (8),
+.BR sysctl (8)
+.SH AUTHOR
+.B alias_sctp
+has been developed and released by:
+
+The Centre for Advanced Internet Architectures (CAIA), Swinburne University,
+Melbourne, Australia.
+.IP
+.I http://www.caia.swin.edu.au
+.LP
+The primary developers and maintainers of
+.B alias_sctp
+are David Hayes and Jason But.
+
+.B alias_sctp
+can be downloaded from its website:
+.IP
+.I http://www.caia.swin.edu.au/urp/SONATA
+.LP
+This site contains the latest updates and further information on how to use and
+.B alias_sctp
Modified: user/piso/sys/modules/libalias/libalias/Makefile
==============================================================================
--- user/piso/sys/modules/libalias/libalias/Makefile Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/modules/libalias/libalias/Makefile Sun Dec 28 17:16:32 2008 (r186543)
@@ -3,6 +3,6 @@
.PATH: ${.CURDIR}/../../../netinet/libalias
KMOD= libalias
-SRCS= alias.c alias_db.c alias_proxy.c alias_util.c alias_mod.c
+SRCS= alias.c alias_db.c alias_proxy.c alias_util.c alias_mod.c alias_sctp.c
.include <bsd.kmod.mk>
Modified: user/piso/sys/netinet/ip_fw_nat.c
==============================================================================
--- user/piso/sys/netinet/ip_fw_nat.c Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/netinet/ip_fw_nat.c Sun Dec 28 17:16:32 2008 (r186543)
@@ -326,6 +326,12 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t->lib, c,
mcl->m_len + M_TRAILINGSPACE(mcl));
+#ifdef _ALIAS_SCTP
+ if (retval == PKT_ALIAS_RESPOND) {
+ m->m_flags |= M_SKIP_FIREWALL;
+ retval = PKT_ALIAS_OK;
+ }
+#endif
if (retval != PKT_ALIAS_OK &&
retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
/* XXX - should i add some logging? */
@@ -401,6 +407,7 @@ ipfw_nat(struct ip_fw_args *args, struct
}
args->m = mcl;
+
return (IP_FW_NAT);
}
Modified: user/piso/sys/netinet/libalias/alias.c
==============================================================================
--- user/piso/sys/netinet/libalias/alias.c Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/netinet/libalias/alias.c Sun Dec 28 17:16:32 2008 (r186543)
@@ -111,10 +111,18 @@ __FBSDID("$FreeBSD$");
See HISTORY file for additional revisions.
*/
+/**
+ * Modifications to add sctp functionality by David A. Hayes
+ * $Id: alias.c 122 2008-06-25 06:50:47Z dhayes $
+ * All are inclosed in #ifdef _ALIAS_SCTP
+ *
+ */
+
#ifdef _KERNEL
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
+#include <sys/sysctl.h>
#else
#include <sys/types.h>
#include <stdlib.h>
@@ -136,11 +144,28 @@ __FBSDID("$FreeBSD$");
#include <netinet/libalias/alias.h>
#include <netinet/libalias/alias_local.h>
#include <netinet/libalias/alias_mod.h>
+#ifdef _ALIAS_SCTP
+#include <netinet/libalias/alias_sctp.h>
+#endif
#else
#include <err.h>
#include "alias.h"
#include "alias_local.h"
#include "alias_mod.h"
+#ifdef _ALIAS_SCTP
+#include "alias_sctp.h"
+#endif
+#endif
+
+/*
+ * Define libalias SYSCTL Node
+ */
+#ifdef SYSCTL_NODE
+
+SYSCTL_DECL(_net_inet);
+SYSCTL_DECL(_net_inet_ip);
+SYSCTL_NODE(_net_inet_ip, OID_AUTO, alias, CTLFLAG_RW, NULL, "Libalias sysctl API");
+
#endif
static __inline int
@@ -1335,6 +1360,11 @@ LibAliasInLocked(struct libalias *la, ch
case IPPROTO_TCP:
iresult = TcpAliasIn(la, pip);
break;
+#ifdef _ALIAS_SCTP
+ case IPPROTO_SCTP:
+ iresult = SctpAlias(la, pip, SN_TO_LOCAL);
+ break;
+#endif
case IPPROTO_GRE: {
int error;
struct alias_data ad = {
@@ -1477,10 +1507,15 @@ LibAliasOutLocked(struct libalias *la, c
case IPPROTO_UDP:
iresult = UdpAliasOut(la, pip, maxpacketsize, create);
break;
- case IPPROTO_TCP:
+ case IPPROTO_TCP:
iresult = TcpAliasOut(la, pip, maxpacketsize, create);
break;
- case IPPROTO_GRE: {
+ #ifdef _ALIAS_SCTP
+ case IPPROTO_SCTP:
+ iresult = SctpAlias(la, pip, SN_TO_GLOBAL);
+ break;
+#endif
+ case IPPROTO_GRE: {
int error;
struct alias_data ad = {
.lnk = NULL,
Modified: user/piso/sys/netinet/libalias/alias.h
==============================================================================
--- user/piso/sys/netinet/libalias/alias.h Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/netinet/libalias/alias.h Sun Dec 28 17:16:32 2008 (r186543)
@@ -36,6 +36,13 @@
* distribution.
*/
+/**
+ * Modifications to add sctp functionality by David A. Hayes
+ * $Id: alias.h 122 2008-06-25 06:50:47Z dhayes $
+ * All are inclosed in #ifdef _ALIAS_SCTP
+ *
+ */
+
#ifndef _ALIAS_H_
#define _ALIAS_H_
@@ -45,6 +52,11 @@
#define LIBALIAS_BUF_SIZE 128
#ifdef _KERNEL
+
+#ifndef _ALIAS_SCTP
+#define _ALIAS_SCTP //if ALIAS_SCTP code is to be included
+#endif
+
/*
* The kernel version of libalias does not support these features.
*/
Modified: user/piso/sys/netinet/libalias/alias_db.c
==============================================================================
--- user/piso/sys/netinet/libalias/alias_db.c Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/netinet/libalias/alias_db.c Sun Dec 28 17:16:32 2008 (r186543)
@@ -141,6 +141,13 @@ __FBSDID("$FreeBSD$");
See HISTORY file for additional revisions.
*/
+/**
+ * Modifications to add sctp functionality by David A. Hayes
+ * $Id: alias_db.c 177 2008-07-14 04:33:47Z dhayes $
+ * All are inclosed in #ifdef _ALIAS_SCTP
+ *
+ */
+
#ifdef _KERNEL
#include <machine/stdarg.h>
@@ -166,6 +173,9 @@ __FBSDID("$FreeBSD$");
#include <netinet/libalias/alias.h>
#include <netinet/libalias/alias_local.h>
#include <netinet/libalias/alias_mod.h>
+#ifdef _ALIAS_SCTP
+#include <netinet/libalias/alias_sctp.h>
+#endif
#include <net/if.h>
#else
#include "alias.h"
@@ -373,6 +383,7 @@ static moduledata_t alias_mod = {
};
DECLARE_MODULE(alias, alias_mod, SI_SUB_DRIVERS, SI_ORDER_SECOND);
+
#endif
/* Internal utility routines (used only in alias_db.c)
@@ -410,6 +421,10 @@ static void ClearFWHole(struct alias_lin
static void ShowAliasStats(struct libalias *);
static int InitPacketAliasLog(struct libalias *);
static void UninitPacketAliasLog(struct libalias *);
+#ifdef _ALIAS_SCTP
+struct in_addr FindSctpRedirectAddress(struct libalias *la, struct sctp_nat_msg *sm);
+void SctpShowAliasStats(struct libalias *la);
+#endif
static u_int
StartPointIn(struct in_addr alias_addr,
@@ -489,15 +504,25 @@ ShowAliasStats(struct libalias *la)
/* Used for debugging */
if (la->logDesc) {
int tot = la->icmpLinkCount + la->udpLinkCount +
+#ifdef _ALIAS_SCTP
+ (la->sctpLinkCount>>1) + /* sctp counts half associations */
+#endif
la->tcpLinkCount + la->pptpLinkCount +
la->protoLinkCount + la->fragmentIdLinkCount +
la->fragmentPtrLinkCount;
AliasLog(la->logDesc,
+#ifdef _ALIAS_SCTP
+ "icmp=%u, udp=%u, tcp=%u, sctp=%u, pptp=%u, proto=%u, frag_id=%u frag_ptr=%u / tot=%u",
+#else
"icmp=%u, udp=%u, tcp=%u, pptp=%u, proto=%u, frag_id=%u frag_ptr=%u / tot=%u",
+#endif
la->icmpLinkCount,
la->udpLinkCount,
la->tcpLinkCount,
+#ifdef _ALIAS_SCTP
+ la->sctpLinkCount>>1, /* sctp counts half associations */
+#endif
la->pptpLinkCount,
la->protoLinkCount,
la->fragmentIdLinkCount,
@@ -508,6 +533,13 @@ ShowAliasStats(struct libalias *la)
}
}
+#ifdef _ALIAS_SCTP
+void SctpShowAliasStats(struct libalias *la)
+{
+ ShowAliasStats(la);
+}
+#endif
+
/* Internal routines for finding, deleting and adding links
Port Allocation:
@@ -971,6 +1003,10 @@ AddLink(struct libalias *la, struct in_a
case LINK_TCP:
lnk->expire_time = TCP_EXPIRE_INITIAL;
break;
+#ifdef _ALIAS_SCTP
+ case LINK_SCTP: /* treat like LINK_ADDR */
+ break;
+#endif
case LINK_PPTP:
lnk->flags |= LINK_PERMANENT; /* no timeout. */
break;
@@ -1031,6 +1067,10 @@ AddLink(struct libalias *la, struct in_a
return (NULL);
}
break;
+#ifdef _ALIAS_SCTP
+ case LINK_SCTP: /* treat like LINK_ADDR */
+ break;
+#endif
case LINK_PPTP:
la->pptpLinkCount++;
break;
@@ -1277,11 +1317,17 @@ _FindLinkIn(struct libalias *la, struct
src_addr = lnk->src_addr;
src_port = lnk->src_port;
}
-
- lnk = ReLink(lnk,
- src_addr, dst_addr, alias_addr,
- src_port, dst_port, alias_port,
- link_type);
+#ifdef _ALIAS_SCTP
+ if(link_type == LINK_SCTP) {
+ lnk->src_addr = src_addr;
+ lnk->src_port = src_port;
+ return(lnk);
+ }
+#endif
+ lnk = ReLink(lnk,
+ src_addr, dst_addr, alias_addr,
+ src_port, dst_port, alias_port,
+ link_type);
}
return (lnk);
}
@@ -2277,10 +2323,15 @@ LibAliasRedirectPort(struct libalias *la
case IPPROTO_TCP:
link_type = LINK_TCP;
break;
+#ifdef _ALIAS_SCTP
+ case IPPROTO_SCTP:
+ link_type = LINK_SCTP;
+ break;
+#endif
default:
#ifdef LIBALIAS_DEBUG
fprintf(stderr, "PacketAliasRedirectPort(): ");
- fprintf(stderr, "only TCP and UDP protocols allowed\n");
+ fprintf(stderr, "only SCTP, TCP and UDP protocols allowed\n");
#endif
lnk = NULL;
goto getout;
@@ -2496,6 +2547,9 @@ LibAliasInit(struct libalias *la)
LIST_INIT(&la->linkTableOut[i]);
for (i = 0; i < LINK_TABLE_IN_SIZE; i++)
LIST_INIT(&la->linkTableIn[i]);
+#ifdef _ALIAS_SCTP
+ AliasSctpInit(la);//***
+#endif
LIBALIAS_LOCK_INIT(la);
LIBALIAS_LOCK(la);
} else {
@@ -2503,6 +2557,10 @@ LibAliasInit(struct libalias *la)
la->deleteAllLinks = 1;
CleanupAliasData(la);
la->deleteAllLinks = 0;
+#ifdef _ALIAS_SCTP
+ AliasSctpTerm(la);
+ AliasSctpInit(la);
+#endif
}
la->aliasAddress.s_addr = INADDR_ANY;
@@ -2511,6 +2569,9 @@ LibAliasInit(struct libalias *la)
la->icmpLinkCount = 0;
la->udpLinkCount = 0;
la->tcpLinkCount = 0;
+#ifdef _ALIAS_SCTP
+ la->sctpLinkCount = 0;
+#endif
la->pptpLinkCount = 0;
la->protoLinkCount = 0;
la->fragmentIdLinkCount = 0;
@@ -2539,6 +2600,9 @@ LibAliasUninit(struct libalias *la)
{
LIBALIAS_LOCK(la);
+#ifdef _ALIAS_SCTP
+ AliasSctpTerm(la);
+#endif
la->deleteAllLinks = 1;
CleanupAliasData(la);
la->deleteAllLinks = 0;
@@ -2879,3 +2943,39 @@ LibAliasSetSkinnyPort(struct libalias *l
la->skinnyPort = port;
LIBALIAS_UNLOCK(la);
}
+#ifdef _ALIAS_SCTP
+/**
+ * @brief Find the address to redirect incoming packets
+ *
+ * The function is located in alias_db.c due to calls to static functions
+ *
+ *
+ * @param la pointer to the libalias instance
+ * @param sm pointer to the incoming message
+ *
+ * @return address to redirect an incoming INIT to
+ */
+struct in_addr
+FindSctpRedirectAddress(struct libalias *la, struct sctp_nat_msg *sm)
+{
+ struct alias_link *lnk;
+ struct in_addr redir;
+
+ LIBALIAS_LOCK_ASSERT(la);
+ lnk = FindLinkIn(la, sm->ip_hdr->ip_src, sm->ip_hdr->ip_dst,
+ sm->sctp_hdr->dest_port,sm->sctp_hdr->dest_port, LINK_SCTP, 1);
+ if (lnk != NULL) {
+ return(lnk->src_addr); /* port redirect */
+ } else {
+ redir = FindOriginalAddress(la,sm->ip_hdr->ip_dst);
+ if (redir.s_addr == la->aliasAddress.s_addr ||
+ redir.s_addr == la->targetAddress.s_addr) { /* No address found */
+ lnk = FindLinkIn(la, sm->ip_hdr->ip_src, sm->ip_hdr->ip_dst,
+ NO_DEST_PORT, 0, LINK_SCTP, 1);
+ if (lnk != NULL)
+ return(lnk->src_addr); /* redirect proto */
+ }
+ return(redir); /* address redirect */
+ }
+}
+#endif
Modified: user/piso/sys/netinet/libalias/alias_local.h
==============================================================================
--- user/piso/sys/netinet/libalias/alias_local.h Sun Dec 28 14:37:09 2008 (r186542)
+++ user/piso/sys/netinet/libalias/alias_local.h Sun Dec 28 17:16:32 2008 (r186543)
@@ -42,6 +42,12 @@
*
* <updated several times by original author and Eivind Eklund>
*/
+/**
+ * Modifications to add sctp functionality by David A. Hayes
+ * $Id: alias_local.h 122 2008-06-25 06:50:47Z dhayes $
+ * All are inclosed in #ifdef _ALIAS_SCTP
+ *
+ */
#ifndef _ALIAS_LOCAL_H_
#define _ALIAS_LOCAL_H_
@@ -50,6 +56,16 @@
#include <sys/sysctl.h>
#ifdef _KERNEL
+/* if alias_sctp is not required, #define _ALIAS_SCTP should be commented out */
+#ifndef _ALIAS_SCTP
+#define _ALIAS_SCTP
+#endif
+#ifdef _ALIAS_SCTP
+#include <netinet/libalias/alias_sctp.h>
+#endif
+#endif
+
+#ifdef _KERNEL
#include <sys/malloc.h>
#include <sys/param.h>
#include <sys/lock.h>
@@ -147,6 +163,32 @@ struct libalias {
struct in_addr true_addr; /* in network byte order. */
u_short true_port; /* in host byte order. */
+ /*
+ *
+ *alias_sctp code
+ */
+#ifdef _ALIAS_SCTP
+ /*counts associations that have progressed to UP and not yet removed */
+ int sctpLinkCount;
+ /*Timing queue for keeping track of association timeouts */
+ struct sctp_nat_timer sctpNatTimer;
+
+ /* Size of hash table used in this instance*/
+ u_int sctpNatTableSize;
+/**
+ * @brief Local look up table
+ *
+ * lookup table of sctp_nat_assoc sorted by l_vtag/l_port
+ */
+ LIST_HEAD(sctpNatTableL, sctp_nat_assoc) *sctpTableLocal;
+/**
+ * @brief Global look up table
+ *
+ * lookup table of sctp_nat_assoc sorted by g_vtag/g_port
+ */
+ LIST_HEAD(sctpNatTableG, sctp_nat_assoc) *sctpTableGlobal;
+#endif
+
#ifdef _KERNEL
/*
* avoid races in libalias: every public function has to use it.
@@ -198,6 +240,22 @@ struct libalias {
/* Prototypes */
+ /*
+ *
+ *alias_sctp code
+ */
+#ifdef _ALIAS_SCTP
+/*
+ * SctpFunction prototypes
+ *
+ */
+void AliasSctpInit(struct libalias *la);
+void AliasSctpTerm(struct libalias *la);
+
+int SctpAlias(struct libalias *la, struct ip *ip, int direction);
+//int SctpAliasOut(struct libalias *la, struct ip *ip);
+#endif
+
/*
* We do not calculate TCP checksums when libalias is a kernel
* module, since it has no idea about checksum offloading.
Added: user/piso/sys/netinet/libalias/alias_sctp.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/piso/sys/netinet/libalias/alias_sctp.c Sun Dec 28 17:16:32 2008 (r186543)
@@ -0,0 +1,2687 @@
+//* $Id$ */
+//#ifndef lint
+//static char vcid[] = "$Id$";
+//#endif /* lint */
+/**
+ * @file alias_sctp.c
+ * Copyright (c) 2008, Centre for Advanced Internet Architectures
+ * Swinburne University of Technology, Melbourne, Australia
+ * (CRICOS number 00111D).
+ *
+ * Alias_sctp forms part of the libalias kernel module to handle
+ * Network Address Translation (NAT) for the SCTP protocol.
+ *
+ * This software was developed by David A. Hayes and Jason But
+ *
+ * The design is outlined in CAIA technical report number 080618A
+ * (D. Hayes and J. But, "Alias_sctp Version 0.1: SCTP NAT implementation in IPFW")
+ *
+ * Development is part of the CAIA SONATA project,
+ * proposed by Jason But and Grenville Armitage:
+ * http://caia.swin.edu.au/urp/sonata/
+ *
+ *
+ * This project has been made possible in part by a grant from
+ * the Cisco University Research Program Fund at Community
+ * Foundation Silicon Valley.
+ *
+ *
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors, the "Centre for Advanced Internet Architectures"
+ * and "Swinburne University of Technology" may not be used to endorse
+ * or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+/** @mainpage
+ * Alias_sctp is part of the SONATA (http://caia.swin.edu.au/urp/sonata) project
+ * to develop and release a BSD licensed implementation of a Network Address
+ * Translation (NAT) module that supports the Stream Control Transmission
+ * Protocol (SCTP).
+ *
+ * Traditional address and port number look ups are inadequate for SCTP's
+ * operation due to both processing requirements and issues with multi-homing.
+ * Alias_sctp integrates with FreeBSD's ipfw/libalias NAT system.
+ *
+ * Version 0.2 features include:
+ * - Support for global multi-homing
+ * - Support for ASCONF modification from Internet Draft
+ * (draft-stewart-behave-sctpnat-04, R. Stewart and M. Tuexen, "Stream control
+ * transmission protocol (SCTP) network address translation," Jul. 2008) to
+ * provide support for multi-homed privately addressed hosts
+ * - Support for forwarding of T-flagged packets
+ * - Generation and delivery of AbortM/ErrorM packets upon detection of NAT
+ * collisions
+ * - Per-port forwarding rules
+ * - Dynamically controllable logging and statistics
+ * - Dynamic management of timers
+ * - Dynamic control of hash-table size
+ */
+
+#ifdef _KERNEL
+#include <machine/stdarg.h>
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/syslog.h>
+#include <netinet/libalias/alias_sctp.h>
+#include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
+#include <netinet/sctp_crc32.h>
+#include <machine/in_cksum.h>
+#else
+#include "alias_sctp.h"
+#include <arpa/inet.h>
+#include "alias.h"
+#include "alias_local.h"
+#include <netinet/sctp_crc32.h>
+#include <machine/in_cksum.h>
+#endif //#ifdef _KERNEL
+
+/* ----------------------------------------------------------------------
+ * FUNCTION PROTOTYPES
+ * ----------------------------------------------------------------------
+ */
+/* Packet Parsing Functions */
+static int sctp_PktParser(struct libalias *la, int direction, struct ip *pip,
+ struct sctp_nat_msg *sm, struct sctp_nat_assoc **passoc);
+static int GetAsconfVtags(struct libalias *la, struct sctp_nat_msg *sm,
+ uint32_t *l_vtag, uint32_t *g_vtag, int direction);
+static int IsASCONFack(struct libalias *la, struct sctp_nat_msg *sm, int direction);
+
+static void AddGlobalIPAddresses(struct sctp_nat_msg *sm, struct sctp_nat_assoc *assoc, int direction);
+static int Add_Global_Address_to_List(struct sctp_nat_assoc *assoc, struct sctp_GlobalAddress *G_addr);
+static void RmGlobalIPAddresses(struct sctp_nat_msg *sm, struct sctp_nat_assoc *assoc, int direction);
+static int IsADDorDEL(struct libalias *la, struct sctp_nat_msg *sm, int direction);
+
+/* State Machine Functions */
+static int ProcessSctpMsg(struct libalias *la, int direction, \
+ struct sctp_nat_msg *sm, struct sctp_nat_assoc *assoc);
+
+static int ID_process(struct libalias *la, int direction,\
+ struct sctp_nat_assoc *assoc, struct sctp_nat_msg *sm);
+static int INi_process(struct libalias *la, int direction,\
+ struct sctp_nat_assoc *assoc, struct sctp_nat_msg *sm);
+static int INa_process(struct libalias *la, int direction,\
+ struct sctp_nat_assoc *assoc, struct sctp_nat_msg *sm);
+static int UP_process(struct libalias *la, int direction,\
+ struct sctp_nat_assoc *assoc, struct sctp_nat_msg *sm);
+static int CL_process(struct libalias *la, int direction,\
+ struct sctp_nat_assoc *assoc, struct sctp_nat_msg *sm);
+static void TxAbortErrorM(struct libalias *la, struct sctp_nat_msg *sm,\
+ struct sctp_nat_assoc *assoc, int sndrply, int direction);
+
+/* Hash Table Functions */
+static struct sctp_nat_assoc*
+FindSctpLocal(struct libalias *la, struct in_addr l_addr, struct in_addr g_addr, uint32_t l_vtag, uint16_t l_port, uint16_t g_port);
+static struct sctp_nat_assoc*
+FindSctpGlobal(struct libalias *la, struct in_addr g_addr, uint32_t g_vtag, uint16_t g_port, uint16_t l_port, int *partial_match);
+static struct sctp_nat_assoc*
+FindSctpGlobalClash(struct libalias *la, struct sctp_nat_assoc *Cassoc);
+static struct sctp_nat_assoc*
+FindSctpLocalT(struct libalias *la, struct in_addr g_addr, uint32_t l_vtag, uint16_t g_port, uint16_t l_port);
+static struct sctp_nat_assoc*
+FindSctpGlobalT(struct libalias *la, struct in_addr g_addr, uint32_t g_vtag, uint16_t l_port, uint16_t g_port);
+
+static int AddSctpAssocLocal(struct libalias *la, struct sctp_nat_assoc *assoc, struct in_addr g_addr);
+static int AddSctpAssocGlobal(struct libalias *la, struct sctp_nat_assoc *assoc);
+static void RmSctpAssoc(struct libalias *la, struct sctp_nat_assoc *assoc);
+static void freeGlobalAddressList(struct sctp_nat_assoc *assoc);
+
+/* Timer Queue Functions */
+static void sctp_AddTimeOut(struct libalias *la, struct sctp_nat_assoc *assoc);
+static void sctp_RmTimeOut(struct libalias *la, struct sctp_nat_assoc *assoc);
+static void sctp_ResetTimeOut(struct libalias *la, struct sctp_nat_assoc *assoc, int newexp);
+void sctp_CheckTimers(struct libalias *la);
+
+
+/* Logging Functions */
+static void logsctperror(char* errormsg, uint32_t vtag, int error, int direction);
+static void logsctpparse(int direction, struct sctp_nat_msg *sm);
+static void logsctpassoc(struct sctp_nat_assoc *assoc, char *s);
+static void logTimerQ(struct libalias *la);
+static void logSctpGlobal(struct libalias *la);
+static void logSctpLocal(struct libalias *la);
+#ifdef _KERNEL
+static void SctpAliasLog(const char *format, ...);
+#endif
+
+/** @defgroup external External code changes and modifications
+ *
+ * Some changes have been made to files external to alias_sctp.(c|h). These
+ * changes are primarily due to code needing to call static functions within
+ * those files or to perform extra functionality that can only be performed
+ * within these files.
+ */
+/** @ingroup external
+ * @brief Log current statistics for the libalias instance
+ *
+ * This function is defined in alias_db.c, since it calls static functions in
+ * this file
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-user
mailing list