natd bug with pptp, hack fix, question

2000-09-26 Thread David G. Andersen

With natd+ipfw, I was setting up a front-end firewall for
a client.  The firewall has several real IP addresses
(we'll call them 10.0.0.1 and 10.0.0.2) and two
MS PPTP servers behind it.


           10.0.0.1
           10.0.0.2
World- | firewall | - PPTP-1  192.168.1.1
                   \ PPTP-2  192.168.1.2

I set up the natd.conf file in the way one would expect:

redirect_proto gre 192.168.1.1   10.0.0.1
redirect_port  tcp 192.168.1.1:1723  10.0.0.1:1723

redirect_proto gre 192.168.1.2   10.0.0.2
redirect_port  tcp 192.168.1.2:1723  10.0.0.2:1723

[With or without the redirect_proto gre;  with the
 -current libalias, I would expect to perhaps not need it]

Anyway, to make a long story short, it doesn't work.  The
first PPTP server is reachable and happy, but the virtual
PPTP server on 10.0.0.2 is unreachable.  When natd sees
the first GRE packet, it calls

FindPptpIn(), which then checks:

link = FindLinkIn(dst_addr, alias_addr,
  NO_DEST_PORT, call_id,
  LINK_PPTP, 1);

This check fails, and it falls back to a call to
FindOriginalAddress(alias_addr);

Two questions:

  a)  I'm not sure about the location of the call to
AddLink for this connection in the PPTP aliasing
code, so I couldn't determine the right way to set
things up.

  b)  Shouldn't this also check to see if there's a default
  GRE relay host for this alias address?

One issue:

  I hacked my client's natd program in the interim to
AddLink inside FindPptpIn if it doesn't get a returned
link, and it works like a charm.  However, it's definitely
the wrong thing to do and only a temporary solution.
The fact that it works, however, suggests that this
should be something relatively straightforward for someone
with a clue about how libalias works to fix.

  Anyone?  I'm happy to fix it (though my client might
not like that. :-), but I'd love a bit of a hint about
the right way to address this within the libalias framework
before I blunder through making changes that won't be
accepted.

Thanks!

This is using the 4-stable natd and the libalias from -current.

   -Dave

{I'm not on -hackers at the moment, so if you could CC: me on
 a response, I'd appreciate it}.

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
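As an added illustration (not natd, libalias or the poster's code), here is a small C model of the redirect table that the four natd.conf lines above express, showing what an inbound GRE packet to 10.0.0.2 and a TCP/1723 connection to 10.0.0.1 should resolve to. It assumes IPv4 and only the gre/tcp rule forms shown; the helper names add_rule, parse_ep and lookup are hypothetical.

```c
/* Hypothetical model (added example, not natd or libalias code) of the redirect table the
 * natd.conf lines in the post describe: outside (alias, proto, port) -> inside host. IPv4 only. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rule {
    int proto;                                  /* IPPROTO_GRE or IPPROTO_TCP */
    uint32_t alias_addr; uint16_t alias_port;   /* public side; port 0 for redirect_proto */
    uint32_t in_addr;    uint16_t in_port;      /* inside host the packet is rewritten to */
};
static struct rule rules[16]; static int nrules;

/* Split "a.b.c.d[:port]" into a binary address and a network-order port (0 if absent). */
static int parse_ep(const char *s, uint32_t *addr, uint16_t *port)
{
    char ip[16]; unsigned p = 0;
    if (sscanf(s, "%15[^:]:%u", ip, &p) < 1 || p > 65535) return 0;
    *port = htons((uint16_t)p);
    return inet_pton(AF_INET, ip, addr) == 1;
}

/* Parse one "redirect_proto gre IN ALIAS" or "redirect_port tcp IN:P ALIAS:P" line. */
int add_rule(const char *line)
{
    char kw[16], proto[8], inside[32], alias[32];
    struct rule *r = &rules[nrules];
    if (nrules == 16 || sscanf(line, "%15s %7s %31s %31s", kw, proto, inside, alias) != 4) return 0;
    if (strcmp(kw, "redirect_proto") != 0 && strcmp(kw, "redirect_port") != 0) return 0;
    r->proto = strcmp(proto, "gre") == 0 ? IPPROTO_GRE : strcmp(proto, "tcp") == 0 ? IPPROTO_TCP : 0;
    if (r->proto == 0 || !parse_ep(inside, &r->in_addr, &r->in_port) ||
        !parse_ep(alias, &r->alias_addr, &r->alias_port)) return 0;
    nrules++;
    return 1;
}

/* Inbound (proto, alias address, port) -> inside host as a dotted quad, or NULL if no rule. */
const char *lookup(int proto, const char *alias, unsigned port)
{
    static char buf[INET_ADDRSTRLEN];
    uint32_t addr; int i;
    if (inet_pton(AF_INET, alias, &addr) != 1) return NULL;
    for (i = 0; i < nrules; i++)
        if (rules[i].proto == proto && rules[i].alias_addr == addr &&
            rules[i].alias_port == htons((uint16_t)port))
            return inet_ntop(AF_INET, &rules[i].in_addr, buf, sizeof buf);
    return NULL;
}
```

Feeding the post's four config lines to add_rule and then calling lookup(IPPROTO_GRE, "10.0.0.2", 0) gives 192.168.1.2, which is the answer the poster expected natd to arrive at for the second server's GRE traffic.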





Re: natd bug with pptp, hack fix, question

2000-09-27 Thread Ruslan Ermilov

On Wed, Sep 27, 2000 at 12:34:36AM -0400, David G. Andersen wrote:
> With natd+ipfw, I was setting up a front-end firewall for
> a client.  The firewall has several real IP addresses
> (we'll call them 10.0.0.1 and 10.0.0.2) and two
> MS PPTP servers behind it.
> 
> 
>            10.0.0.1
>            10.0.0.2
> World- | firewall | - PPTP-1  192.168.1.1
>                    \ PPTP-2  192.168.1.2
> 
> I set up the natd.conf file in the way one would expect:
> 
> redirect_proto gre 192.168.1.1   10.0.0.1
> redirect_port  tcp 192.168.1.1:1723  10.0.0.1:1723
> 
> redirect_proto gre 192.168.1.2   10.0.0.2
> redirect_port  tcp 192.168.1.2:1723  10.0.0.2:1723
> 
> [With or without the redirect_proto gre;  with the
>  -current libalias, I would expect to perhaps not need it]
> 
> Anyway, to make a long story short, it doesn't work.  The
> first PPTP server is reachable and happy, but the virtual
> PPTP server on 10.0.0.2 is unreachable.  When natd sees
> the first GRE packet, it calls
> 
> FindPptpIn(), which then checks:
> 
> link = FindLinkIn(dst_addr, alias_addr,
>   NO_DEST_PORT, call_id,
>   LINK_PPTP, 1);
> 
> This check fails, and it falls back to a call to
> FindOriginalAddress(alias_addr);
> 
> Two questions:
> 
>   a)  I'm not sure about the location of the call to
> AddLink for this connection in the PPTP aliasing
> code, so I couldn't determine the right way to set
> things up.
> 
>   b)  Shouldn't this also check to see if there's a default
>   GRE relay host for this alias address?
> 
> One issue:
> 
>   I hacked my client's natd program in the interim to
> AddLink inside FindPptpIn if it doesn't get a returned
> link, and it works like a charm.  However, it's definitely
> the wrong thing to do and only a temporary solution.
> The fact that it works, however, suggests that this
> should be something relatively straightforward for someone
> with a clue about how libalias works to fix.
> 
>   Anyone?  I'm happy to fix it (though my client might
> not like that. :-), but I'd love a bit of a hint about
> the right way to address this within the libalias framework
> before I blunder through making changes that won't be
> accepted.
> 
> Thanks!
> 
> This is using the 4-stable natd and the libalias from -current.
> 
>    -Dave
> 
> {I'm not on -hackers at the moment, so if you could CC: me on
>  a response, I'd appreciate it}.
> 
Please try the attached patch.

-- 
Ruslan Ermilov  Oracle Developer/DBA,
[EMAIL PROTECTED]   Sunbay Software AG,
[EMAIL PROTECTED]  FreeBSD committer,
+380.652.512.251Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age


Index: alias.c
===
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.24
diff -u -p -r1.24 alias.c
--- alias.c 2000/09/01 16:38:53 1.24
+++ alias.c 2000/09/27 08:13:23
@@ -711,13 +711,14 @@ GreAliasIn(struct ip *pip)
 {
 u_short call_id;
 struct alias_link *link;
+static struct in_addr null_addr = {INADDR_NONE};
 
 /* Return if proxy-only mode is enabled. */
 if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
 return (PKT_ALIAS_OK);
 
 if (PptpGetCallID(pip, &call_id)) {
-   if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, call_id)) != NULL) {
+   if ((link = FindPptpIn(pip->ip_src, pip->ip_dst, null_addr, call_id)) != NULL) 
+{
struct in_addr alias_address;
struct in_addr original_address;
 
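Review bot: the `+{` on its own line after the new `FindPptpIn(pip->ip_src, pip->ip_dst, null_addr, call_id)` call is a mailer wrap of the preceding `+` line, not a second added line: the hunk header promises 14 lines in the new file, which only adds up if the brace stays on the `if` line, so rejoin it before applying. It would also help to put a comment next to `static struct in_addr null_addr = {INADDR_NONE};` saying that the sentinel tells FindPptpIn to look up only and never add a link for an unmatched inbound GRE packet, since nothing in this hunk explains what INADDR_NONE means here.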
Index: alias_db.c
===
RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v
retrieving revision 1.38
diff -u -p -r1.38 alias_db.c
--- alias_db.c  2000/08/31 12:47:57 1.38
+++ alias_db.c  2000/09/27 08:13:24
@@ -1632,6 +1632,7 @@ FindUdpTcpOut(struct in_addr  src_addr,
 struct alias_link *
 FindPptpIn(struct in_addr dst_addr,
   struct in_addr alias_addr,
+  struct in_addr src_addr,
   u_short call_id)
 {
 struct alias_link *link;
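Review bot: inserting `struct in_addr src_addr` between `alias_addr` and `call_id` changes the FindPptpIn signature, so every caller and the prototype in alias_local.h have to move in the same commit; the alias.c hunk covers GreAliasIn, the alias_local.h hunk is cut off in this copy, and any other caller is not shown. A one-line comment above the function stating that `src_addr` may be INADDR_NONE to mean "look up only, never add" would save readers of the header a trip into alias_db.c.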
@@ -1640,12 +1641,9 @@ FindPptpIn(struct in_addr dst_addr,
   NO_DEST_PORT, call_id,
   LINK_PPTP, 1);
 
-if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
+if (link == NULL && src_addr.s_addr != INADDR_NONE)
 {
-struct in_addr target_addr;
-
-target_addr = FindOriginalAddress(alias_addr);
-link = AddLink(target_addr, dst_addr, alias_addr,
+link = AddLink(src_addr, dst_addr, alias_addr,
call_id, NO_DEST_PORT, call_id,
LINK_PPTP);
 }
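Review bot: the condition loses its `!(packetAliasMode & PKT_ALIAS_DENY_INCOMING)` test and the `FindOriginalAddress(alias_addr)` fallback, replacing both with `src_addr.s_addr != INADDR_NONE`. Since GreAliasIn now passes `null_addr`, an inbound GRE packet with no existing link is simply not linked, so the fix relies on the link having been created from the other direction before the first inbound GRE packet arrives; please confirm that is the case, and that every caller supplying a real `src_addr` is on the outbound side, otherwise keep `&& !(packetAliasMode & PKT_ALIAS_DENY_INCOMING)` in the condition so deny-incoming mode still applies to links added here.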
Index: alias_local.h
===
RCS file: /home/ncvs/src/lib/libalias/alias_local.h,v
retrieving revision 1.16
diff -u -p -r1.16 alias_local.h
--- alias_local.h   2000/07/26 23:15:46
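Review bot: the alias_local.h hunk is truncated after its `---` header in this copy, so the prototype change for FindPptpIn cannot be reviewed here; it should add the `struct in_addr src_addr` parameter in the same position as the alias_db.c definition, between `alias_addr` and `call_id`.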