| Commit message | Author | Age | Files | Lines |
Notes:
svn path=/head/; revision=74870
Reviewed by (*): bde
(*) alias_local.h only got a cursory glance.
Notes:
svn path=/head/; revision=74778
Notes:
svn path=/head/; revision=74768
Notes:
svn path=/head/; revision=74651
Notes:
svn path=/head/; revision=71796
Notes:
svn path=/head/; revision=71763
Notes:
svn path=/head/; revision=69025
whether they should create a link if lookup has failed or not.
Notes:
svn path=/head/; revision=67980
PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.
It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.
Problems were reported and the fix was tested by:
Michael Adler <Michael.Adler@compaq.com>,
David Andersen <dga@lcs.mit.edu>
Notes:
svn path=/head/; revision=67966
This fixes a null pointer dereference problem that is unlikely to
happen in normal circumstances.
Notes:
svn path=/head/; revision=67316
Notes:
svn path=/head/; revision=66545
The field is in network byte order and contains the
size of the header.
Reviewed by: brian
Notes:
svn path=/head/; revision=66157
Notes:
svn path=/head/; revision=65892
datagram embedded into ICMP error message, not with protocol
field of ICMP message itself (which is always IPPROTO_ICMP).
Pointed by: Erik Salander <erik@whistle.com>
Notes:
svn path=/head/; revision=65332
not alias `ip_src' unless it comes from the host an original
datagram that triggered this error message was destined for.
PR: 20712
Reviewed by: brian, Charles Mott <cmott@scientech.com>
Notes:
svn path=/head/; revision=65317
Notes:
svn path=/head/; revision=65281
This makes outgoing ICMP echo/timestamp replies to be de-aliased
with the right source IP, not exactly the primary aliasing IP.
Notes:
svn path=/head/; revision=65280
add unsigned char cast to ctype macro
Notes:
svn path=/head/; revision=65221
Reported by: Christian Schade <chris@cube.sax.de>
Notes:
svn path=/head/; revision=64644
Notes:
svn path=/head/; revision=64643
PPTP control messages.
- Cosmetics: replace `GRE link' with `PPTP link'.
Reviewed by: Erik Salander <erik@whistle.com>
Notes:
svn path=/head/; revision=64452
Submitted by: Erik Salander <erik@whistle.com>
Notes:
svn path=/head/; revision=64334
Fix an overlong line and trailing whitespace that crept in, in the
previous commit.
Notes:
svn path=/head/; revision=64061
Quicktime streaming media applications.
Add a BUGS section to the man page.
Submitted by: Erik Salander <erik@whistle.com>
Notes:
svn path=/head/; revision=63899
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
Notes:
svn path=/head/; revision=62159
- SHLIB_MAJOR++.
Notes:
svn path=/head/; revision=61865
- Multiple PPTP clients behind NAT to the same or different servers.
- Single PPTP server behind NAT -- you just need to redirect TCP
port 1723 to a local machine. Multiple servers behind NAT is
possible but would require a simple API change.
- No API changes!
For more information on how this works see comments at the start of
the alias_pptp.c.
PacketAliasPptp() is no longer necessary and will be removed soon.
Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru
Rewritten by: ru
Reviewed by: Erik Salander <erik@whistle.com>
Notes:
svn path=/head/; revision=61861
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
Notes:
svn path=/head/; revision=61735
It does mean that it is now possible to run passive-mode FTP
server behind NAT.
- SECURITY: FTP aliasing engine now ensures that:
o the segment preceding a PORT/227 segment terminates with a \r\n;
o the IP address in the PORT/227 matches the source IP address of
the packet;
o the port number in the PORT command or 277 reply is greater than
or equal to 1024.
Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru
Notes:
svn path=/head/; revision=61677
that they (once again) go to the target machine rather than
the alias address.
PR: 18354
Submitted by: ru
Notes:
svn path=/head/; revision=60363
to PPTP) with more generic PacketAliasRedirectProto().
Major number is not bumped because it is believed that no one
has started using PacketAliasRedirectPptp() yet.
Notes:
svn path=/head/; revision=59726
Notes:
svn path=/head/; revision=59704
LSNAT links are first created by either PacketAliasRedirectPort() or
PacketAliasRedirectAddress() and then set up by one or more calls to
PacketAliasAddServer().
Notes:
svn path=/head/; revision=59702
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP
Please see manual page for details.
Notes:
svn path=/head/; revision=59356
connections, after SYN packets were seen from both ends. Before this,
it would get applied right after the first SYN packet was seen (either
from client or server). With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (ie, no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory. With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.
PR: bin/17963
Notes:
svn path=/head/; revision=59237
Notes:
svn path=/head/; revision=59202
but with `dst_port' work for outgoing packets.
This case was not handled properly when I first fixed this
in revision 1.17.
This change is also required for the upcoming improved PPTP
support patches -- that is how I found the problem.
Before this change:
# natd -v -a aliasIP \
-redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
[TCP] aliasIP:localPORT -> remoteIP:remotePORT
After this change:
# natd -v -a aliasIP \
-redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT
Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
[TCP] publicIP:publicPORT -> remoteIP:remotePORT
Notes:
svn path=/head/; revision=59181
- Minor optimizations.
- Minor spelling fixes.
PR: 14305
Submitted by: ume
Rewritten by: ru
Notes:
svn path=/head/; revision=59075
- Minor spelling fixes.
- Make IcmpAliasOut2() really work.
Before this change:
# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
In [UDP] [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
[UDP] X.X.X.X:49562 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
[ICMP] A.A.A.A -> X.X.X.X 3(3)
# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49562 > P.P.P.P.50000: udp 3
A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable
After this change:
# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
In [UDP] [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
[UDP] X.X.X.X:49563 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
[ICMP] P.P.P.P -> X.X.X.X 3(3)
# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49563 > P.P.P.P.50000: udp 3
P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
Notes:
svn path=/head/; revision=59047
- Minor spelling fixes.
Notes:
svn path=/head/; revision=59046
Notes:
svn path=/head/; revision=59031
Requested by: Charles Mott <cmott@scientech.com>
Notes:
svn path=/head/; revision=58943
INADDR_NONE: Incoming packets go to the alias address (the default)
INADDR_ANY: Incoming packets are not NAT'd (direct access to the
internal network from outside)
anything else: Incoming packets go to the specified address
Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
while I'm there.
Notes:
svn path=/head/; revision=58877
redirected and when no target address has been specified, NAT
the destination address to the alias address rather than
allowing people direct access to your internal network from
outside.
Notes:
svn path=/head/; revision=58866
NO_FW_PUNCH isn't defined.
Notes:
svn path=/head/; revision=58279
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
Notes:
svn path=/head/; revision=57686
+it does, amongst other things, clear out any
The old sentence didn't seem to make sense.
Notes:
svn path=/head/; revision=57544
being defined as 0x40. Change the former to be 0x100.
Submitted by: Erik Salander <erik@whistle.com>
Approved by: jkh
Notes:
svn path=/head/; revision=56968
Prompted by: archie
Notes:
svn path=/head/; revision=56967
Reviewed by: marcel, and make world
Notes:
svn path=/head/; revision=55955