FreeBSD Manual Pages
LIBALIAS(3) Library Functions Manual LIBALIAS(3) NAME libalias -- packet aliasing library for masquerading and network ad- dress translation SYNOPSIS #include <sys/types.h> #include <netinet/in.h> #include <alias.h> Function prototypes are given in the main body of the text. DESCRIPTION The libalias library is a collection of functions for aliasing and de- aliasing of IP packets, intended for masquerading and network address translation (NAT). INTRODUCTION This library is a moderately portable set of functions designed to as- sist in the process of IP masquerading and network address translation. Outgoing packets from a local network with unregistered IP addresses can be aliased to appear as if they came from an accessible IP address. Incoming packets are then de-aliased so that they are sent to the cor- rect machine on the local network. A certain amount of flexibility is built into the packet aliasing en- gine. In the simplest mode of operation, a many-to-one address mapping takes place between the local network and the packet aliasing host. This is known as IP masquerading. In addition, one-to-one mappings be- tween local and public addresses can also be implemented, which is known as static NAT. In between these extremes, different groups of private addresses can be linked to different public addresses, compris- ing several distinct many-to-one mappings. Also, a given public ad- dress and port can be statically redirected to a private address/port. INITIALIZATION AND CONTROL One special function, LibAliasInit(), must always be called before any packet handling may be performed, and the returned instance pointer must be passed to all the other functions. Normally, the LibAliasSetAddress() function is called afterwards, to set the default aliasing address. In addition, the operating mode of the packet alias- ing engine can be customized by calling LibAliasSetMode(). struct libalias * LibAliasInit(struct libalias *) This function is used to initialize internal data structures. When called the first time, a NULL pointer should be passed as an argument. The following mode bits are always set after calling LibAliasInit(). See the description of LibAliasSetMode() below for the meaning of these mode bits. PKT_ALIAS_SAME_PORTS PKT_ALIAS_USE_SOCKETS PKT_ALIAS_RESET_ON_ADDR_CHANGE This function will always return the packet aliasing engine to the same initial state. The LibAliasSetAddress() function is normally called afterwards, and any desired changes from the de- fault mode bits listed above require a call to LibAliasSetMode(). It is mandatory that this function be called at the beginning of a program prior to any packet handling. void LibAliasUninit(struct libalias *) This function has no return value and is used to clear any re- sources attached to internal data structures. This function should be called when a program stops using the aliasing engine; amongst other things, it clears out any firewall holes. To provide backwards compatibility and extra security, it is added to the atexit(3) chain by LibAliasInit(). void LibAliasSetAddress(struct libalias *, struct in_addr addr) This function sets the source address to which outgoing packets from the local area network are aliased. All outgoing packets are re-mapped to this address unless overridden by a static ad- dress mapping established by LibAliasRedirectAddr(). If this function has not been called, and no static rules match, an out- going packet retains its source address. If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit is set (the de- fault mode of operation), then the internal aliasing link tables will be reset any time the aliasing address changes. This is useful for interfaces such as ppp(8), where the IP address may or may not change on successive dial-up attempts. If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit is set to zero, this function can also be used to dynamically change the aliasing address on a packet-to-packet basis (it is a low overhead call). It is mandatory that this function be called prior to any packet handling. unsigned int LibAliasSetMode(struct libalias *, unsigned int flags, unsigned int mask) This function sets or clears mode bits according to the value of flags. Only bits marked in mask are affected. The following mode bits are defined in <alias.h>: PKT_ALIAS_LOG Enables logging into /var/log/alias.log. Each time an aliasing link is created or deleted, the log file is ap- pended to with the current number of ICMP, TCP and UDP links. Mainly useful for debugging when the log file is viewed continuously with tail(1). PKT_ALIAS_DENY_INCOMING If this mode bit is set, all incoming packets associated with new TCP connections or new UDP transactions will be marked for being ignored (LibAliasIn() returns PKT_ALIAS_IGNORED code) by the calling program. Response packets to connections or transactions initiated from the packet aliasing host or local network will be unaffected. This mode bit is useful for implementing a one-way fire- wall. PKT_ALIAS_SAME_PORTS If this mode bit is set, the packet-aliasing engine will attempt to leave the alias port numbers unchanged from the actual local port numbers. This can be done as long as the quintuple (proto, alias addr, alias port, remote addr, remote port) is unique. If a conflict exists, a new aliasing port number is chosen even if this mode bit is set. PKT_ALIAS_USE_SOCKETS This bit should be set when the packet aliasing host originates network traffic as well as forwards it. When the packet aliasing host is waiting for a connection from an unknown host address or unknown port number (e.g. an FTP data connection), this mode bit specifies that a socket be allocated as a place holder to prevent port conflicts. Once a connection is established, usually within a minute or so, the socket is closed. PKT_ALIAS_UNREGISTERED_ONLY If this mode bit is set, traffic on the local network which does not originate from unregistered address spaces will be ignored. Standard Class A, B and C unregistered addresses are: 10.0.0.0 -> 10.255.255.255 (Class A subnet) 172.16.0.0 -> 172.31.255.255 (Class B subnets) 192.168.0.0 -> 192.168.255.255 (Class C subnets) This option is useful in the case that the packet alias- ing host has both registered and unregistered subnets on different interfaces. The registered subnet is fully ac- cessible to the outside world, so traffic from it does not need to be passed through the packet aliasing engine. PKT_ALIAS_UNREGISTERED_CGN Like PKT_ALIAS_UNREGISTERED_ONLY, but includes the RFC 6598 (Carrier Grade NAT) subnet as follows: 100.64.0.0 -> 100.127.255.255 (RFC 6598 subnet) PKT_ALIAS_RESET_ON_ADDR_CHANGE When this mode bit is set and LibAliasSetAddress() is called to change the aliasing address, the internal link table of the packet aliasing engine will be cleared. This operating mode is useful for ppp(8) links where the interface address can sometimes change or remain the same between dial-up attempts. If this mode bit is not set, the link table will never be reset in the event of an ad- dress change. PKT_ALIAS_PUNCH_FW This option makes libalias "punch holes" in an ipfirewall(4) - based firewall for FTP/IRC DCC connec- tions. The holes punched are bound by from/to IP address and port; it will not be possible to use a hole for an- other connection. A hole is removed when the connection that uses it dies. To cater to unexpected death of a program using libalias (e.g. kill -9), changing the state of the flag will clear the entire firewall range allo- cated for holes. This clearing will also happen on the initial call to LibAliasSetFWBase(), which must happen prior to setting this flag. PKT_ALIAS_REVERSE This option makes libalias reverse the way it handles in- coming and outgoing packets, allowing it to be fed with data that passes through the internal interface rather than the external one. PKT_ALIAS_PROXY_ONLY This option tells libalias to obey transparent proxy rules only. Normal packet aliasing is not performed. See LibAliasProxyRule() below for details. PKT_ALIAS_SKIP_GLOBAL This option is used by ipfw_nat only. Specifying it as a flag to LibAliasSetMode() has no effect. See section "NETWORK ADDRESS TRANSLATION" in ipfw(8) for more de- tails. void LibAliasSetFWBase(struct libalias *, unsigned int base, unsigned int num) Set the firewall range allocated for punching firewall holes (with the PKT_ALIAS_PUNCH_FW flag). The range is cleared for all rules on initialization. void LibAliasSkinnyPort(struct libalias *, unsigned int port) Set the TCP port used by the Skinny Station protocol. Skinny is used by Cisco IP phones to communicate with Cisco Call Managers to set up voice over IP calls. If this is not set, Skinny alias- ing will not be done. The typical port used by Skinny is 2000. PACKET HANDLING The packet handling functions are used to modify incoming (remote to local) and outgoing (local to remote) packets. The calling program is responsible for receiving and sending packets via network interfaces. Along with LibAliasInit() and LibAliasSetAddress(), the two packet han- dling functions, LibAliasIn() and LibAliasOut(), comprise the minimal set of functions needed for a basic IP masquerading implementation. int LibAliasIn(struct libalias *, void *buffer, int maxpacketsize) An incoming packet coming from a remote machine to the local net- work is de-aliased by this function. The IP packet is pointed to by buffer, and maxpacketsize indicates the size of the data structure containing the packet and should be at least as large as the actual packet size. Return codes: PKT_ALIAS_OK The packet aliasing process was successful. PKT_ALIAS_IGNORED The packet was ignored and not de-aliased. This can hap- pen if the protocol is unrecognized, as for an ICMP mes- sage type that is not handled, or if incoming packets for new connections are being ignored (if the PKT_ALIAS_DENY_INCOMING mode bit was set using LibAliasSetMode()). PKT_ALIAS_UNRESOLVED_FRAGMENT This is returned when a fragment cannot be resolved be- cause the header fragment has not been sent yet. In this situation, fragments must be saved with LibAliasSaveFragment() until a header fragment is found. PKT_ALIAS_FOUND_HEADER_FRAGMENT The packet aliasing process was successful, and a header fragment was found. This is a signal to retrieve any un- resolved fragments with LibAliasGetFragment() and de- alias them with LibAliasFragmentIn(). PKT_ALIAS_ERROR An internal error within the packet aliasing engine oc- curred. int LibAliasOut(struct libalias *, void *buffer, int maxpacketsize) An outgoing packet coming from the local network to a remote ma- chine is aliased by this function. The IP packet is pointed to by buffer, and maxpacketsize indicates the maximum packet size permissible should the packet length be changed. IP encoding protocols place address and port information in the encapsulated data stream which has to be modified and can account for changes in packet length. Well known examples of such protocols are FTP and IRC DCC. Return codes: PKT_ALIAS_OK The packet aliasing process was successful. PKT_ALIAS_IGNORED The packet was ignored and not aliased. This can happen if the protocol is unrecognized, or possibly an ICMP mes- sage type is not handled. PKT_ALIAS_ERROR An internal error within the packet aliasing engine oc- curred. PORT AND ADDRESS REDIRECTION The functions described in this section allow machines on the local network to be accessible in some degree to new incoming connections from the external network. Individual ports can be re-mapped or static network address translations can be designated. struct alias_link * LibAliasRedirectPort(struct libalias *, struct in_addr local_addr, u_short local_port, struct in_addr remote_addr, u_short remote_port, struct in_addr alias_addr, u_short alias_port, u_char proto) This function specifies that traffic from a given remote ad- dress/port to an alias address/port be redirected to a specified local address/port. The parameter proto can be either IPPROTO_TCP or IPPROTO_UDP, as defined in <netinet/in.h>. If local_addr or alias_addr is zero, this indicates that the packet aliasing address as established by LibAliasSetAddress() is to be used. Even if LibAliasSetAddress() is called to change the address after LibAliasRedirectPort() is called, a zero reference will track this change. If the link is further set up to operate with load sharing, then local_addr and local_port are ignored, and are selected dynami- cally from the server pool, as described in LibAliasAddServer() below. If remote_addr is zero, this indicates to redirect packets from any remote address. Likewise, if remote_port is zero, this indi- cates to redirect packets originating from any remote port num- ber. The remote port specification will almost always be zero, but non-zero remote addresses can sometimes be useful for fire- walling. If two calls to LibAliasRedirectPort() overlap in their address/port specifications, then the most recent call will have precedence. This function returns a pointer which can subsequently be used by LibAliasRedirectDelete(). If NULL is returned, then the function call did not complete successfully. All port numbers should be in network address byte order, so it is necessary to use htons(3) to convert these parameters from in- ternally readable numbers to network byte order. Addresses are also in network byte order, which is implicit in the use of the struct in_addr data type. struct alias_link * LibAliasRedirectAddr(struct libalias *, struct in_addr local_addr, struct in_addr alias_addr) This function designates that all incoming traffic to alias_addr be redirected to local_addr. Similarly, all outgoing traffic from local_addr is aliased to alias_addr. If local_addr or alias_addr is zero, this indicates that the packet aliasing address as established by LibAliasSetAddress() is to be used. Even if LibAliasSetAddress() is called to change the address after LibAliasRedirectAddr() is called, a zero reference will track this change. If the link is further set up to operate with load sharing, then the local_addr argument is ignored, and is selected dynamically from the server pool, as described in LibAliasAddServer() below. If subsequent calls to LibAliasRedirectAddr() use the same alias- ing address, all new incoming traffic to this aliasing address will be redirected to the local address made in the last function call. New traffic generated by any of the local machines, desig- nated in the several function calls, will be aliased to the same address. Consider the following example: LibAliasRedirectAddr(la, inet_aton("192.168.0.2"), inet_aton("141.221.254.101")); LibAliasRedirectAddr(la, inet_aton("192.168.0.3"), inet_aton("141.221.254.101")); LibAliasRedirectAddr(la, inet_aton("192.168.0.4"), inet_aton("141.221.254.101")); Any outgoing connections such as telnet(1) or ftp(1) from 192.168.0.2, 192.168.0.3 and 192.168.0.4 will appear to come from 141.221.254.101. Any incoming connections to 141.221.254.101 will be directed to 192.168.0.4. Any calls to LibAliasRedirectPort() will have precedence over ad- dress mappings designated by LibAliasRedirectAddr(). This function returns a pointer which can subsequently be used by LibAliasRedirectDelete(). If NULL is returned, then the function call did not complete successfully. int LibAliasAddServer(struct libalias *, struct alias_link *link, struct in_addr addr, u_short port) This function sets the link up for Load Sharing using IP Network Address Translation (RFC 2391, LSNAT). LSNAT operates as fol- lows. A client attempts to access a server by using the server virtual address. The LSNAT router transparently redirects the request to one of the hosts in the server pool, using a real-time load sharing algorithm. Multiple sessions may be initiated from the same client, and each session could be directed to a differ- ent host based on the load balance across server pool hosts when the sessions are initiated. If load sharing is desired for just a few specific services, the configuration on LSNAT could be de- fined to restrict load sharing to just the services desired. Currently, only the simplest selection algorithm is implemented, where a host is selected on a round-robin basis only, without re- gard to load on the host. First, the link is created by either LibAliasRedirectPort() or LibAliasRedirectAddr(). Then, LibAliasAddServer() is called mul- tiple times to add entries to the link's server pool. For links created with LibAliasRedirectAddr(), the port argument is ignored and could have any value, e.g. htons(~0). This function returns 0 on success, -1 otherwise. int LibAliasRedirectDynamic(struct libalias *, struct alias_link *link) This function marks the specified static redirect rule entered by LibAliasRedirectPort() as dynamic. This can be used to e.g. dy- namically redirect a single TCP connection, after which the rule is removed. Only fully specified links can be made dynamic. (See the "STATIC AND DYNAMIC LINKS" and "PARTIALLY SPECIFIED ALIASING LINKS" sections below for a definition of static vs. dy- namic, and partially vs. fully specified links.) This function returns 0 on success, -1 otherwise. void LibAliasRedirectDelete(struct libalias *, struct alias_link *link) This function will delete a specific static redirect rule entered by LibAliasRedirectPort() or LibAliasRedirectAddr(). The parame- ter link is the pointer returned by either of the redirection functions. If an invalid pointer is passed to LibAliasRedirectDelete(), then a program crash or unpredictable operation could result, so care is needed when using this func- tion. int LibAliasProxyRule(struct libalias *, const char *cmd) The passed cmd string consists of one or more pairs of words. The first word in each pair is a token and the second is the value that should be applied for that token. Tokens and their argument types are as follows: type encode_ip_hdr | encode_tcp_stream | no_encode In order to support transparent proxying, it is necessary to somehow pass the original address and port information into the new destination server. If encode_ip_hdr is specified, the original destination address and port are passed as an extra IP option. If encode_tcp_stream is specified, the original destination address and port are passed as the first piece of data in the TCP stream in the format "DEST IP port". port portnum Only packets with the destination port portnum are prox- ied. server host[:portnum] This specifies the host and portnum that the data is to be redirected to. host must be an IP address rather than a DNS host name. If portnum is not specified, the desti- nation port number is not changed. The server specification is mandatory unless the delete command is being used. rule index Normally, each call to LibAliasProxyRule() inserts the next rule at the start of a linear list of rules. If an index is specified, the new rule will be checked after all rules with lower indices. Calls to LibAliasProxyRule() that do not specify a rule are as- signed rule 0. delete index This token and its argument MUST NOT be used with any other tokens. When used, all existing rules with the given index are deleted. proto tcp | udp If specified, only packets of the given protocol type are matched. src IP[/bits] If specified, only packets with a source address matching the given IP are matched. If bits is also specified, then the first bits bits of IP are taken as a network specification, and all IP addresses from that network will be matched. dst IP[/bits] If specified, only packets with a destination address matching the given IP are matched. If bits is also spec- ified, then the first bits bits of IP are taken as a net- work specification, and all IP addresses from that net- work will be matched. This function is usually used to redirect outgoing connections for internal machines that are not permitted certain types of in- ternet access, or to restrict access to certain external ma- chines. struct alias_link * LibAliasRedirectProto(struct libalias *, struct in_addr local_addr, struct in_addr remote_addr, struct in_addr alias_addr, u_char proto) This function specifies that any IP packet with protocol number of proto from a given remote address to an alias address will be redirected to a specified local address. If local_addr or alias_addr is zero, this indicates that the packet aliasing address as established by LibAliasSetAddress() is to be used. Even if LibAliasSetAddress() is called to change the address after LibAliasRedirectProto() is called, a zero reference will track this change. If remote_addr is zero, this indicates to redirect packets from any remote address. Non-zero remote addresses can sometimes be useful for firewalling. If two calls to LibAliasRedirectProto() overlap in their address specifications, then the most recent call will have precedence. This function returns a pointer which can subsequently be used by LibAliasRedirectDelete(). If NULL is returned, then the function call did not complete successfully. FRAGMENT HANDLING The functions in this section are used to deal with incoming fragments. Outgoing fragments are handled within LibAliasOut() by changing the ad- dress according to any applicable mapping set by LibAliasRedirectAddr(), or the default aliasing address set by LibAliasSetAddress(). Incoming fragments are handled in one of two ways. If the header of a fragmented IP packet has already been seen, then all subsequent frag- ments will be re-mapped in the same manner the header fragment was. Fragments which arrive before the header are saved and then retrieved once the header fragment has been resolved. int LibAliasSaveFragment(struct libalias *, void *ptr) When LibAliasIn() returns PKT_ALIAS_UNRESOLVED_FRAGMENT, this function can be used to save the pointer to the unresolved frag- ment. It is implicitly assumed that ptr points to a block of memory al- located by malloc(3). If the fragment is never resolved, the packet aliasing engine will automatically free the memory after a timeout period. [Eventually this function should be modified so that a callback function for freeing memory is passed as an argu- ment.] This function returns PKT_ALIAS_OK if it was successful and PKT_ALIAS_ERROR if there was an error. void * LibAliasGetFragment(struct libalias *, void *buffer) This function can be used to retrieve fragment pointers saved by LibAliasSaveFragment(). The IP header fragment pointed to by buffer is the header fragment indicated when LibAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT. Once a fragment pointer is re- trieved, it becomes the calling program's responsibility to free the dynamically allocated memory for the fragment. The LibAliasGetFragment() function can be called sequentially un- til there are no more fragments available, at which time it re- turns NULL. void LibAliasFragmentIn(struct libalias *, void *header, void *fragment) When a fragment is retrieved with LibAliasGetFragment(), it can then be de-aliased with a call to LibAliasFragmentIn(). The header argument is the pointer to a header fragment used as a template, and fragment is the pointer to the packet to be de- aliased. MISCELLANEOUS FUNCTIONS struct alias_link * AddLink(struct libalias *, struct in_addr src_addr, struct in_addr dst_addr, struct in_addr alias_addr, u_short src_port, u_short dst_port, int alias_param, int link_type) This function adds new state to the instance hash table. The dst_address and/or dst_port may be given as zero, which intro- duces some dynamic character into the link, since LibAliasSetAd- dress can change the address that is used. However, in the cur- rent implementation, such links can only be used for inbound (ext -> int) traffic. void LibAliasSetTarget(struct libalias *, struct in_addr addr) When an incoming packet not associated with any pre-existing aliasing link arrives at the host machine, it will be sent to the address indicated by a call to LibAliasSetTarget(). If this function is called with an INADDR_NONE address argument, then all new incoming packets go to the address set by LibAliasSetAddress(). If this function is not called, or is called with an INADDR_ANY address argument, then all new incoming packets go to the address specified in the packet. This allows external machines to talk directly to internal machines if they can route packets to the machine in question. u_short LibAliasInternetChecksum(struct libalias *, u_short *buffer, int nbytes) This is a utility function that does not seem to be available elsewhere and is included as a convenience. It computes the in- ternet checksum, which is used in both IP and protocol-specific headers (TCP, UDP, ICMP). The buffer argument points to the data block to be checksummed, and nbytes is the number of bytes. The 16-bit checksum field should be zeroed before computing the checksum. Checksums can also be verified by operating on a block of data including its checksum. If the checksum is valid, LibAliasInternetChecksum() will return zero. int LibAliasUnaliasOut(struct libalias *, void *buffer, int maxpacketsize) An outgoing packet, which has already been aliased, has its pri- vate address/port information restored by this function. The IP packet is pointed to by buffer, and maxpacketsize is provided for error checking purposes. This function can be used if an al- ready-aliased packet needs to have its original IP header re- stored for further processing (e.g. logging). CONCEPTUAL BACKGROUND This section is intended for those who are planning to modify the source code or want to create somewhat esoteric applications using the packet aliasing functions. The conceptual framework under which the packet aliasing engine oper- ates is described here. Central to the discussion is the idea of an aliasing link which describes the relationship for a given packet transaction between the local machine, aliased identity and remote ma- chine. It is discussed how such links come into existence and are de- stroyed. ALIASING LINKS There is a notion of an aliasing link, which is a 7-tuple describing a specific translation: (local addr, local port, alias addr, alias port, remote addr, remote port, protocol) Outgoing packets have the local address and port number replaced with the alias address and port number. Incoming packets undergo the re- verse process. The packet aliasing engine attempts to match packets against an internal table of aliasing links to determine how to modify a given IP packet. Both the IP header and protocol dependent headers are modified as necessary. Aliasing links are created and deleted as necessary according to network traffic. Protocols can be TCP, UDP or even ICMP in certain circumstances. (Some types of ICMP packets can be aliased according to sequence or ID number which acts as an equivalent port number for identifying how individual packets should be handled.) Each aliasing link must have a unique combination of the following five quantities: alias address/port, remote address/port and protocol. This ensures that several machines on a local network can share the same aliasing IP address. In cases where conflicts might arise, the alias- ing port is chosen so that uniqueness is maintained. STATIC AND DYNAMIC LINKS Aliasing links can either be static or dynamic. Static links persist indefinitely and represent fixed rules for translating IP packets. Dy- namic links come into existence for a specific TCP connection or UDP transaction or ICMP ECHO sequence. For the case of TCP, the connection can be monitored to see when the associated aliasing link should be deleted. Aliasing links for UDP transactions (and ICMP ECHO and TIME- STAMP requests) work on a simple timeout rule. When no activity is ob- served on a dynamic link for a certain amount of time it is automati- cally deleted. Timeout rules also apply to TCP connections which do not open or close properly. PARTIALLY SPECIFIED ALIASING LINKS Aliasing links can be partially specified, meaning that the remote ad- dress and/or remote port are unknown. In this case, when a packet matching the incomplete specification is found, a fully specified dy- namic link is created. If the original partially specified link is dy- namic, it will be deleted after the fully specified link is created, otherwise it will persist. For instance, a partially specified link might be (192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp) The zeros denote unspecified components for the remote address and port. If this link were static it would have the effect of redirecting all incoming traffic from port 8066 of 204.228.203.215 to port 23 (tel- net) of machine 192.168.0.4 on the local network. Each individual tel- net connection would initiate the creation of a distinct dynamic link. DYNAMIC LINK CREATION In addition to aliasing links, there are also address mappings that can be stored within the internal data table of the packet aliasing mecha- nism. (local addr, alias addr) Address mappings are searched when creating new dynamic links. All outgoing packets from the local network automatically create a dy- namic link if they do not match an already existing fully specified link. If an address mapping exists for the outgoing packet, this de- termines the alias address to be used. If no mapping exists, then a default address, usually the address of the packet aliasing host, is used. If necessary, this default address can be changed as often as each individual packet arrives. The aliasing port number is determined such that the new dynamic link does not conflict with any existing links. In the default operating mode, the packet aliasing engine attempts to set the aliasing port equal to the local port number. If this results in a conflict, then port numbers are randomly chosen until a unique aliasing link can be established. In an alternate operating mode, the first choice of an aliasing port is also random and unrelated to the local port number. MODULAR ARCHITECTURE (AND ipfw(4) SUPPORT) One of the latest improvements to libalias was to make its support for new protocols independent from the rest of the library, giving it the ability to load/unload support for new protocols at run-time. To achieve this feature, all the code for protocol handling was moved to a series of modules outside of the main library. These modules are com- piled from the same sources but work in different ways, depending on whether they are compiled to work inside a kernel or as part of the userland library. LIBALIAS MODULES IN KERNEL LAND When compiled for the kernel, libalias modules are plain KLDs recogniz- able with the alias_ prefix. To add support for a new protocol, load the corresponding module. For example: kldload alias_ftp When support for a protocol is no longer needed, its module can be un- loaded: kldunload alias_ftp LIBALIAS MODULES IN USERLAND Due to the differences between kernel and userland (no KLD mechanism, many different address spaces, etc.), we had to change a bit how to handle module loading/tracking/unloading in userland. While compiled for a userland libalias, all the modules are plain li- braries, residing in /usr/lib, and recognizable with the libalias_ pre- fix. There is a configuration file, /etc/libalias.conf, with the following contents (by default): /usr/lib/libalias_ftp.so /usr/lib/libalias_irc.so /usr/lib/libalias_nbt.so /usr/lib/libalias_pptp.so /usr/lib/libalias_skinny.so /usr/lib/libalias_smedia.so This file contains the paths to the modules that libalias will load. To load/unload a new module, just add its path to libalias.conf and call LibAliasRefreshModules() from the program. In case the applica- tion provides a SIGHUP signal handler, add a call to LibAliasRefreshModules() inside the handler, and every time you want to refresh the loaded modules, send it the SIGHUP signal: kill -HUP <process_pid> MODULAR ARCHITECURE: HOW IT WORKS The modular architecture of libalias works similar whether it is run- ning inside the kernel or in userland. From alias_mod.c: /* Protocol and userland module handlers chains. */ LIST_HEAD(handler_chain, proto_handler) handler_chain ... ... SLIST_HEAD(dll_chain, dll) dll_chain ... handler_chain keeps track of all the protocol handlers loaded, while ddl_chain tracks which userland modules are loaded. handler_chain is composed of struct proto_handler entries: struct proto_handler { u_int pri; int16_t dir; uint8_t proto; int (*fingerprint)(struct libalias *la, struct ip *pip, struct alias_data *ah); int (*protohandler)(struct libalias *la, struct ip *pip, struct alias_data *ah); TAILQ_ENTRY(proto_handler) link; }; where: pri is the priority assigned to a protocol handler; lower priority is better. dir is the direction of packets: ingoing or outgoing. proto indicates to which protocol this packet belongs: IP, TCP or UDP. fingerprint points to the fingerprint function while protohandler points to the protocol handler function. The fingerprint function has the dual role of checking if the incoming packet is found, and if it belongs to any categories that this module can handle. The protohandler function actually manipulates the packet to make libalias correctly NAT it. When a packet enters libalias, if it meets a module hook, handler_chain is searched to see if there is an handler that matches this type of a packet (it checks protocol and direction of packet). Then, if more than one handler is found, it starts with the module with the lowest priority number: it calls the fingerprint function and interprets the result. If the result value is equal to 0 then it calls the protocol handler of this handler and returns. Otherwise, it proceeds to the next eligible module until the handler_chain is exhausted. Inside libalias, the module hook looks like this: struct alias_data ad = { lnk, &original_address, &alias_address, &alias_port, &ud->uh_sport, /* original source port */ &ud->uh_dport, /* original dest port */ 256 /* maxpacketsize */ }; ... /* walk out chain */ err = find_handler(IN, UDP, la, pip, &ad); All data useful to a module are gathered together in an alias_data structure, then find_handler() is called. The find_handler() function is responsible for walking the handler chain; it receives as input pa- rameters: IN direction UDP working protocol la pointer to this instance of libalias pip pointer to a struct ip ad pointer to struct alias_data (see above) In this case, find_handler() will search only for modules registered for supporting INcoming UDP packets. As was mentioned earlier, libalias in userland is a bit different, as care must be taken in module handling as well (avoiding duplicate load of modules, avoiding modules with same name, etc.) so dll_chain was in- troduced. dll_chain contains a list of all userland libalias modules loaded. When an application calls LibAliasRefreshModules(), libalias first un- loads all the loaded modules, then reloads all the modules listed in /etc/libalias.conf: for every module loaded, a new entry is added to dll_chain. dll_chain is composed of struct dll entries: struct dll { /* name of module */ char name[DLL_LEN]; /* * ptr to shared obj obtained through * dlopen() - use this ptr to get access * to any symbols from a loaded module * via dlsym() */ void *handle; struct dll *next; }; name is the name of the module. handle is a pointer to the module obtained through dlopen(3). Whenever a module is loaded in userland, an entry is added to dll_chain, then every protocol handler present in that module is re- solved and registered in handler_chain. HOW TO WRITE A MODULE FOR LIBALIAS There is a module (called alias_dummy.[ch]) in libalias that can be used as a skeleton for future work. Here we analyse some parts of that module. From alias_dummy.c: struct proto_handler handlers[] = { { .pri = 666, .dir = IN|OUT, .proto = UDP|TCP, .fingerprint = fingerprint, .protohandler= protohandler, }, { EOH } }; The variable handlers is the "most important thing" in a module since it describes the handlers present and lets the outside world use it in an opaque way. It must ALWAYS be present in every module, and it MUST retain the name handlers, otherwise attempting to load a module in userland will fail and complain about missing symbols: for more information about module load/unload, please refer to LibAliasRefreshModules(), LibAliasLoadModule() and LibAliasUnloadModule() in alias.c. handlers contains all the proto_handler structures present in a module. static int mod_handler(module_t mod, int type, void *data) { int error; switch (type) { case MOD_LOAD: error = LibAliasAttachHandlers(handlers); break; case MOD_UNLOAD: error = LibAliasDetachHandlers(handlers); break; default: error = EINVAL; } return (error); } When running as KLD, mod_handler() registers/deregisters the module us- ing LibAliasAttachHandlers() and LibAliasDetachHandlers(), respec- tively. Every module must contain at least 2 functions: one fingerprint func- tion and a protocol handler function. #ifdef _KERNEL static #endif int fingerprint(struct libalias *la, struct ip *pip, struct alias_data *ah) { ... } #ifdef _KERNEL static #endif int protohandler(struct libalias *la, struct ip *pip, struct alias_data *ah) { ... } and they must accept exactly these input parameters. PATCHING AN APPLICATION FOR USERLAND LIBALIAS MODULES To add module support into an application that uses libalias, the fol- lowing simple steps can be followed. 1. Find the main file of an application (let us call it main.c). 2. Add this to the header section of main.c, if not already present: #include <signal.h> and this just after the header section: static void signal_handler(int); 3. Add the following line to the init function of an application or, if it does not have any init function, put it in main(): signal(SIGHUP, signal_handler); and place the signal_handler() function somewhere in main.c: static void signal_handler(int sig) { LibAliasRefreshModules(); } Otherwise, if an application already traps the SIGHUP signal, just add a call to LibAliasRefreshModules() in the signal handler func- tion. For example, to patch natd(8) to use libalias modules, just add the following line to RefreshAddr(int sig __unused): LibAliasRefreshModules() recompile and you are done. LOGGING SUPPORT IN KERNEL LAND When working as KLD, libalias now has log support that happens on a buffer allocated inside struct libalias (from alias_local.h): struct libalias { ... /* log descriptor */ #ifdef KERNEL_LOG char *logDesc; /* * ptr to an auto-malloced * memory buffer when libalias * works as kld */ #else FILE *logDesc; /* * ptr to /var/log/alias.log * when libalias runs as a * userland lib */ #endif ... } so all applications using libalias will be able to handle their own logs, if they want, accessing logDesc. Moreover, every change to a log buffer is automatically added to syslog(3) with the LOG_SECURITY facil- ity and the LOG_INFO level. AUTHORS Charles Mott <cm@linktel.net>, versions 1.0 - 1.8, 2.0 - 2.4. Eivind Eklund <eivind@FreeBSD.org>, versions 1.8b, 1.9 and 2.5. Added IRC DCC support as well as contributing a number of architectural im- provements; added the firewall bypass for FTP/IRC DCC. Erik Salander <erik@whistle.com> added support for PPTP and RTSP. Junichi Satoh <junichi@junichi.org> added support for RTSP/PNA. Ruslan Ermilov <ru@FreeBSD.org> added support for PPTP and LSNAT as well as general hacking. Gleb Smirnoff <glebius@FreeBSD.org> ported the library to kernel space. Paolo Pisati <piso@FreeBSD.org> made the library modular, moving sup- port for all protocols (except for IP, TCP and UDP) to external mod- ules. ACKNOWLEDGEMENTS Listed below, in approximate chronological order, are individuals who have provided valuable comments and/or debugging assistance. Gary Roberts Tom Torrance Reto Burkhalter Martin Renters Brian Somers Paul Traina Ari Suutari Dave Remien J. Fortes Andrzej Bialecki Gordon Burditt FreeBSD 13.2 May 31, 2021 LIBALIAS(3)
NAME | SYNOPSIS | DESCRIPTION | INTRODUCTION | INITIALIZATION AND CONTROL | PACKET HANDLING | PORT AND ADDRESS REDIRECTION | FRAGMENT HANDLING | MISCELLANEOUS FUNCTIONS | CONCEPTUAL BACKGROUND | AUTHORS | ACKNOWLEDGEMENTS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=libalias&manpath=FreeBSD+14.1-RELEASE+and+Ports>