[pisa-src] r1708 - in trunk/pisacd: cdservers.c cdtun.c

  • From: Thomas Jansen <mithi@xxxxxxxxx>
  • To: pisa-src@xxxxxxxxxxxxx
  • Date: Thu, 19 Nov 2009 14:39:13 +0100

Author: tjansen
Date: Thu Nov 19 14:39:13 2009
New Revision: 1708

Log:
Added some test code for the future DNS retrieval of service HITs and IPs.

For now, we don't actually query DNS but use hardcoded values.

Modified:
   trunk/pisacd/cdservers.c
   trunk/pisacd/cdtun.c

Modified: trunk/pisacd/cdservers.c
==============================================================================
--- trunk/pisacd/cdservers.c    Thu Nov 19 14:34:25 2009        (r1707)
+++ trunk/pisacd/cdservers.c    Thu Nov 19 14:39:13 2009        (r1708)
@@ -211,22 +211,65 @@
 }
 
 /**
- * Retrieve the conmgr entry for a given local IP address. If the entry
- * already exists we return it. Otherwise we create a preliminary entry and
+ * Retrieve the NAT mapping and the conmgr entry from DNS.
+ *
+ * TODO: Remove the NAT mapping if an error occurs. Otherwise we might have a
+ * DOS attack vector: Attacker sends a lot of packets to different
+ * (non-existant) virtual addresses the allocate memory for a NAT mapping.
+ *
+ * This is currently a stub using hardcoded values for Thomas' virtual
+ * machines.
+ *
+ * @param data NAT mapping
+ */
+static void pisa_servers_query_dns(void *data)
+{
+       pisa_nat_mapping *nat = (pisa_nat_mapping *) data;
+       char local_str[INET_ADDRSTRLEN], remote_str[INET_ADDRSTRLEN];
+       char hit_str[INET6_ADDRSTRLEN];
+       pisa_conmgr_entry *entry;
+       struct in6_addr hit;
+       struct in_addr remote;
+
+       inet_pton(AF_INET6, "2001:16:415e:da37:11f6:d0e7:33f5:3ee7", &hit);
+       inet_pton(AF_INET, "192.168.151.31", &remote);
+
+       entry = pisa_conmgr_findby_address(cd_ctx.conlist, &hit);
+
+       pisa_nat_upgrade_preliminary(cd_ctx.natlist, nat, &remote, entry, NULL);
+
+       inet_ntop(AF_INET, &nat->local_private, local_str, sizeof(local_str));
+       inet_ntop(AF_INET, &nat->remote.ipv4, remote_str, sizeof(remote_str));
+       inet_ntop(AF_INET6, &nat->remote.hit, hit_str, sizeof(hit_str));
+
+       PISA_DEBUG(PL_CONFIG, "Upgraded NAT mapping: local: %s remote %s HIT 
%s\n",
+       local_str, remote_str, hit_str);
+}
+
+/**
+ * Retrieve the NAT mapping for a given local IP address. If the mapping
+ * already exists we return it. Otherwise we create a preliminary mapping and
  * schedule a DNS query.
  *
+ * TODO: This allocates a new NAT mapping each time a packet to an unknown
+ * destination is received. Check if this can be exploited for DOS attacks.
+ *
  * @param local_ip virtual local IP address of the service
  * @return nat mappin, either full or preliminary
  */
 pisa_nat_mapping *pisa_servers_add_via_dns(struct in_addr *local_ip)
 {
        pisa_nat_mapping *nat;
+       struct timeval delay = {3, 0};
 
        if ((nat = pisa_nat_mapping_find_by_local_private(cd_ctx.natlist, 
local_ip)))
                return nat;
 
        nat = pisa_nat_add_preliminary(cd_ctx.natlist, local_ip);
-       /* Todo: schedule DNS query */
+       PISA_DEBUG(PL_CONFIG, "Added preliminary NAT mapping.\n");
+
+       /* Test setting: delay of 3 seconds before DNS "answers" */
+       pisa_sched_add(&cd_ctx.scheduler, pisa_servers_query_dns, &delay, nat);
 
        return nat;
 }
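Review bot: The mapping returned by `pisa_nat_add_preliminary` at the end of the hunk is handed to `pisa_sched_add` without a NULL check, so an allocation failure would schedule `pisa_servers_query_dns` with a NULL `data` that it then dereferences at `nat->local_private`; insert `if (!nat) return NULL;` before the `PISA_DEBUG` line. In `pisa_servers_query_dns`, the result of `pisa_conmgr_findby_address` is likewise passed to `pisa_nat_upgrade_preliminary` unchecked, and for an unknown HIT the preliminary mapping stays allocated — the stale-mapping case the function's own TODO describes — so a guard such as `if (!entry) { /* TODO: drop the preliminary mapping */ return; }` belongs here even while the values are hard-coded. The three `inet_pton` results are also ignored; with literals that is harmless, but once the addresses come from DNS the return value must be checked before `hit` and `remote` are used. Whether `nat` can be freed during the three-second delay before the callback fires is not visible here; if mappings can be removed in the meantime, the callback should look the mapping up again instead of keeping the raw pointer.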

Modified: trunk/pisacd/cdtun.c
==============================================================================
--- trunk/pisacd/cdtun.c        Thu Nov 19 14:34:25 2009        (r1707)
+++ trunk/pisacd/cdtun.c        Thu Nov 19 14:39:13 2009        (r1708)
@@ -121,6 +121,10 @@
 
        pisa_arp_from_ipv4((struct in_addr *)&hdr->ip_src, mac);
 
+       /* TODO: use netmask and prefix of the virtual local address space to
+        * differentiate between the two cases of searching a NAT mapping and
+        * forwarding it to the trust point. */
+
        /* Apply NAT if needed */
        dst = (struct in_addr *)&hdr->ip_dst;
        map = pisa_nat_mapping_find_by_local_private(cd_ctx.natlist, dst);
@@ -129,9 +133,9 @@
                pisa_nat_apply(hdr, dst, &map->remote.ipv4);
                entry = map->connection;
        } else {
-               /* No NAT mapping found, just find out which server is the
-                * destination */
-               entry = pisa_conmgr_findby_clientip(cd_ctx.conlist, dst);
+               /* Retrieve the NAT mapping from DNS */
+               map = pisa_servers_add_via_dns(dst);
+               entry = NULL;
        }
 
        /* If neither NAT nor a destination server could be found we have to
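Review bot: After this hunk `map` points at a preliminary mapping — presumably with no remote address or `connection` until the scheduled DNS callback runs — while `entry` is set to NULL, so the check that follows ("If neither NAT nor a destination server could be found …", which continues outside the hunk) must treat a non-NULL preliminary `map` as not yet forwardable; a comment such as `/* map is preliminary: no remote address until the DNS callback runs, so the packet cannot be forwarded yet */` on the assignment would make that contract explicit. Replacing the `pisa_conmgr_findby_clientip` fallback means every destination without a NAT mapping now takes the DNS path, including the direct-to-trust-point case the TODO added earlier in this file names, so until the netmask check exists the removed lookup may still be needed for that case. The enclosing function starts and ends outside the hunk.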
