Author: tjansen Date: Thu Nov 19 14:39:13 2009 New Revision: 1708 Log: Added some test code for the future DNS retrieval of service HITs and IPs. For now, we don't actually query DNS but use hardcoded values. Modified: trunk/pisacd/cdservers.c trunk/pisacd/cdtun.c
Modified: trunk/pisacd/cdservers.c
==============================================================================
--- trunk/pisacd/cdservers.c Thu Nov 19 14:34:25 2009 (r1707)
+++ trunk/pisacd/cdservers.c Thu Nov 19 14:39:13 2009 (r1708)
@@ -211,22 +211,65 @@
 }
 /**
- * Retrieve the conmgr entry for a given local IP address. If the entry
- * already exists we return it. Otherwise we create a preliminary entry and
+ * Retrieve the NAT mapping and the conmgr entry from DNS.
+ *
+ * TODO: Remove the NAT mapping if an error occurs. Otherwise we might have a
+ * DOS attack vector: Attacker sends a lot of packets to different
+ * (non-existant) virtual addresses the allocate memory for a NAT mapping.
+ *
+ * This is currently a stub using hardcoded values for Thomas' virtual
+ * machines.
+ *
+ * @param data NAT mapping
+ */
+static void pisa_servers_query_dns(void *data)
+{
+ pisa_nat_mapping *nat = (pisa_nat_mapping *) data;
+ char local_str[INET_ADDRSTRLEN], remote_str[INET_ADDRSTRLEN];
+ char hit_str[INET6_ADDRSTRLEN];
+ pisa_conmgr_entry *entry;
+ struct in6_addr hit;
+ struct in_addr remote;
+
+ inet_pton(AF_INET6, "2001:16:415e:da37:11f6:d0e7:33f5:3ee7", &hit);
+ inet_pton(AF_INET, "192.168.151.31", &remote);
+
+ entry = pisa_conmgr_findby_address(cd_ctx.conlist, &hit);
+
+ pisa_nat_upgrade_preliminary(cd_ctx.natlist, nat, &remote, entry, NULL);
+
+ inet_ntop(AF_INET, &nat->local_private, local_str, sizeof(local_str));
+ inet_ntop(AF_INET, &nat->remote.ipv4, remote_str, sizeof(remote_str));
+ inet_ntop(AF_INET6, &nat->remote.hit, hit_str, sizeof(hit_str));
+
+ PISA_DEBUG(PL_CONFIG, "Upgraded NAT mapping: local: %s remote %s HIT %s\n",
+ local_str, remote_str, hit_str);
+}
+
+/**
+ * Retrieve the NAT mapping for a given local IP address. If the mapping
+ * already exists we return it. Otherwise we create a preliminary mapping and
 * schedule a DNS query.
 *
+ * TODO: This allocates a new NAT mapping each time a packet to an unknown
+ * destination is received. Check if this can be exploited for DOS attacks.
+ *
 * @param local_ip virtual local IP address of the service
 * @return nat mappin, either full or preliminary
 */
 pisa_nat_mapping *pisa_servers_add_via_dns(struct in_addr *local_ip)
 {
 pisa_nat_mapping *nat;
+ struct timeval delay = {3, 0};
 if ((nat = pisa_nat_mapping_find_by_local_private(cd_ctx.natlist, local_ip)))
 return nat;
 nat = pisa_nat_add_preliminary(cd_ctx.natlist, local_ip);
- /* Todo: schedule DNS query */
+ PISA_DEBUG(PL_CONFIG, "Added preliminary NAT mapping.\n");
+
+ /* Test setting: delay of 3 seconds before DNS "answers" */
+ pisa_sched_add(&cd_ctx.scheduler, pisa_servers_query_dns, &delay, nat);
 return nat;
 }
Modified: trunk/pisacd/cdtun.c
==============================================================================
--- trunk/pisacd/cdtun.c Thu Nov 19 14:34:25 2009 (r1707)
+++ trunk/pisacd/cdtun.c Thu Nov 19 14:39:13 2009 (r1708)
@@ -121,6 +121,10 @@
 pisa_arp_from_ipv4((struct in_addr *)&hdr->ip_src, mac);
+ /* TODO: use netmask and prefix of the virtual local address space to
+ * differentiate between the two cases of searching a NAT mapping and
+ * forwarding it to the trust point. */
+
 /* Apply NAT if needed */
 dst = (struct in_addr *)&hdr->ip_dst;
 map = pisa_nat_mapping_find_by_local_private(cd_ctx.natlist, dst);
@@ -129,9 +133,9 @@
 pisa_nat_apply(hdr, dst, &map->remote.ipv4);
 entry = map->connection;
 } else {
- /* No NAT mapping found, just find out which server is the
- * destination */
- entry = pisa_conmgr_findby_clientip(cd_ctx.conlist, dst);
+ /* Retrieve the NAT mapping from DNS */
+ map = pisa_servers_add_via_dns(dst);
+ entry = NULL;
 }
 /* If neither NAT nor a destination server could be found we have to
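Review bot: In pisa_servers_query_dns the result of pisa_conmgr_findby_address is passed to pisa_nat_upgrade_preliminary without a NULL check, so a HIT with no conmgr entry silently "upgrades" the mapping with a missing connection; that is exactly the error path the TODO above it says should drop the mapping, and it will matter as soon as the values come from a real DNS answer instead of the hardcoded ones. A guard such as `if (!entry) { PISA_DEBUG(PL_CONFIG, "No conmgr entry for HIT, dropping preliminary mapping.\n"); return; }` together with releasing the preliminary mapping (the counterpart of pisa_nat_add_preliminary, whatever it is named) would close it. Separately, `delay` is a stack local handed to pisa_sched_add by pointer; if the scheduler stores the pointer rather than copying the timeval, it dangles the moment pisa_servers_add_via_dns returns, which is worth confirming against the scheduler code. When the stub is replaced, keep in mind that an unauthenticated DNS answer would bind an attacker-chosen HIT and IP to a service address, so the lookup should require DNSSEC-validated (or otherwise authenticated) records before the mapping is upgraded.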
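Review bot: The new else branch calls pisa_servers_add_via_dns for every packet whose destination has no NAT mapping, and since the prefix check is still only a TODO a few lines up, that means any destination at all: each such packet allocates a preliminary mapping and schedules a 3-second timer, so a burst of packets to distinct addresses from behind the tun can grow the NAT list and the scheduler without bound. Until the netmask check exists, bound this path, for example by only admitting destinations inside the virtual address range or by refusing new preliminary mappings once their count passes a limit. The `map` assigned here is not used within the hunk, and if pisa_nat_add_preliminary can fail the caller cannot tell a NULL result from a pending lookup; the enclosing function continues outside the hunk, where the trailing comment suggests the entry == NULL case is handled.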