2 * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/kernel.h>
33 #include <sys/malloc.h>
34 #include <sys/ctype.h>
35 #include <sys/errno.h>
36 #include <sys/syslog.h>
38 #include <netinet/in_systm.h>
39 #include <netinet/in.h>
40 #include <netinet/ip.h>
41 #include <netinet/ip_var.h>
42 #include <netinet/tcp.h>
43 #include <machine/in_cksum.h>
45 #include <netinet/libalias/alias.h>
46 #include <netinet/libalias/alias_local.h>
48 #include <netgraph/ng_message.h>
49 #include <netgraph/ng_parse.h>
50 #include <netgraph/ng_nat.h>
51 #include <netgraph/netgraph.h>
53 static ng_constructor_t ng_nat_constructor;
54 static ng_rcvmsg_t ng_nat_rcvmsg;
55 static ng_shutdown_t ng_nat_shutdown;
56 static ng_newhook_t ng_nat_newhook;
57 static ng_rcvdata_t ng_nat_rcvdata;
58 static ng_disconnect_t ng_nat_disconnect;
60 static unsigned int ng_nat_translate_flags(unsigned int x);
62 /* Parse type for struct ng_nat_mode. */
63 static const struct ng_parse_struct_field ng_nat_mode_fields[]
65 static const struct ng_parse_type ng_nat_mode_type = {
66 &ng_parse_struct_type,
70 /* Parse type for 'description' field in structs. */
71 static const struct ng_parse_fixedstring_info ng_nat_description_info
72 = { NG_NAT_DESC_LENGTH };
73 static const struct ng_parse_type ng_nat_description_type = {
74 &ng_parse_fixedstring_type,
75 &ng_nat_description_info
78 /* Parse type for struct ng_nat_redirect_port. */
79 static const struct ng_parse_struct_field ng_nat_redirect_port_fields[]
80 = NG_NAT_REDIRECT_PORT_TYPE_INFO(&ng_nat_description_type);
81 static const struct ng_parse_type ng_nat_redirect_port_type = {
82 &ng_parse_struct_type,
83 &ng_nat_redirect_port_fields
86 /* Parse type for struct ng_nat_redirect_addr. */
87 static const struct ng_parse_struct_field ng_nat_redirect_addr_fields[]
88 = NG_NAT_REDIRECT_ADDR_TYPE_INFO(&ng_nat_description_type);
89 static const struct ng_parse_type ng_nat_redirect_addr_type = {
90 &ng_parse_struct_type,
91 &ng_nat_redirect_addr_fields
94 /* Parse type for struct ng_nat_redirect_proto. */
95 static const struct ng_parse_struct_field ng_nat_redirect_proto_fields[]
96 = NG_NAT_REDIRECT_PROTO_TYPE_INFO(&ng_nat_description_type);
97 static const struct ng_parse_type ng_nat_redirect_proto_type = {
98 &ng_parse_struct_type,
99 &ng_nat_redirect_proto_fields
102 /* Parse type for struct ng_nat_add_server. */
103 static const struct ng_parse_struct_field ng_nat_add_server_fields[]
104 = NG_NAT_ADD_SERVER_TYPE_INFO;
105 static const struct ng_parse_type ng_nat_add_server_type = {
106 &ng_parse_struct_type,
107 &ng_nat_add_server_fields
110 /* Parse type for one struct ng_nat_listrdrs_entry. */
111 static const struct ng_parse_struct_field ng_nat_listrdrs_entry_fields[]
112 = NG_NAT_LISTRDRS_ENTRY_TYPE_INFO(&ng_nat_description_type);
113 static const struct ng_parse_type ng_nat_listrdrs_entry_type = {
114 &ng_parse_struct_type,
115 &ng_nat_listrdrs_entry_fields
118 /* Parse type for 'redirects' array in struct ng_nat_list_redirects. */
120 ng_nat_listrdrs_ary_getLength(const struct ng_parse_type *type,
121 const u_char *start, const u_char *buf)
123 const struct ng_nat_list_redirects *lr;
125 lr = (const struct ng_nat_list_redirects *)
126 (buf - offsetof(struct ng_nat_list_redirects, redirects));
127 return lr->total_count;
130 static const struct ng_parse_array_info ng_nat_listrdrs_ary_info = {
131 &ng_nat_listrdrs_entry_type,
132 &ng_nat_listrdrs_ary_getLength,
135 static const struct ng_parse_type ng_nat_listrdrs_ary_type = {
136 &ng_parse_array_type,
137 &ng_nat_listrdrs_ary_info
140 /* Parse type for struct ng_nat_list_redirects. */
141 static const struct ng_parse_struct_field ng_nat_list_redirects_fields[]
142 = NG_NAT_LIST_REDIRECTS_TYPE_INFO(&ng_nat_listrdrs_ary_type);
143 static const struct ng_parse_type ng_nat_list_redirects_type = {
144 &ng_parse_struct_type,
145 &ng_nat_list_redirects_fields
148 /* List of commands and how to convert arguments to/from ASCII. */
149 static const struct ng_cmdlist ng_nat_cmdlist[] = {
154 &ng_parse_ipaddr_type,
168 &ng_parse_ipaddr_type,
173 NGM_NAT_REDIRECT_PORT,
175 &ng_nat_redirect_port_type,
176 &ng_parse_uint32_type
180 NGM_NAT_REDIRECT_ADDR,
182 &ng_nat_redirect_addr_type,
183 &ng_parse_uint32_type
187 NGM_NAT_REDIRECT_PROTO,
189 &ng_nat_redirect_proto_type,
190 &ng_parse_uint32_type
194 NGM_NAT_REDIRECT_DYNAMIC,
196 &ng_parse_uint32_type,
201 NGM_NAT_REDIRECT_DELETE,
203 &ng_parse_uint32_type,
210 &ng_nat_add_server_type,
215 NGM_NAT_LIST_REDIRECTS,
218 &ng_nat_list_redirects_type
224 &ng_parse_string_type,
230 /* Netgraph node type descriptor. */
231 static struct ng_type typestruct = {
232 .version = NG_ABI_VERSION,
233 .name = NG_NAT_NODE_TYPE,
234 .constructor = ng_nat_constructor,
235 .rcvmsg = ng_nat_rcvmsg,
236 .shutdown = ng_nat_shutdown,
237 .newhook = ng_nat_newhook,
238 .rcvdata = ng_nat_rcvdata,
239 .disconnect = ng_nat_disconnect,
240 .cmdlist = ng_nat_cmdlist,
242 NETGRAPH_INIT(nat, &typestruct);
243 MODULE_DEPEND(ng_nat, libalias, 1, 1, 1);
245 /* Element for list of redirects. */
246 struct ng_nat_rdr_lst {
247 STAILQ_ENTRY(ng_nat_rdr_lst) entries;
248 struct alias_link *lnk;
249 struct ng_nat_listrdrs_entry rdr;
251 STAILQ_HEAD(rdrhead, ng_nat_rdr_lst);
253 /* Information we store for each node. */
255 node_p node; /* back pointer to node */
256 hook_p in; /* hook for demasquerading */
257 hook_p out; /* hook for masquerading */
258 struct libalias *lib; /* libalias handler */
259 uint32_t flags; /* status flags */
260 uint32_t rdrcount; /* number or redirects in list */
261 uint32_t nextid; /* for next in turn in list */
262 struct rdrhead redirhead; /* redirect list header */
264 typedef struct ng_nat_priv *priv_p;
266 /* Values of flags */
267 #define NGNAT_CONNECTED 0x1 /* We have both hooks connected */
268 #define NGNAT_ADDR_DEFINED 0x2 /* NGM_NAT_SET_IPADDR happened */
271 ng_nat_constructor(node_p node)
275 /* Initialize private descriptor. */
276 priv = malloc(sizeof(*priv), M_NETGRAPH, M_WAITOK | M_ZERO);
278 /* Init aliasing engine. */
279 priv->lib = LibAliasInit(NULL);
281 /* Set same ports on. */
282 (void )LibAliasSetMode(priv->lib, PKT_ALIAS_SAME_PORTS,
283 PKT_ALIAS_SAME_PORTS);
285 /* Init redirects housekeeping. */
288 STAILQ_INIT(&priv->redirhead);
290 /* Link structs together. */
291 NG_NODE_SET_PRIVATE(node, priv);
295 * libalias is not thread safe, so our node
296 * must be single threaded.
298 NG_NODE_FORCE_WRITER(node);
304 ng_nat_newhook(node_p node, hook_p hook, const char *name)
306 const priv_p priv = NG_NODE_PRIVATE(node);
308 if (strcmp(name, NG_NAT_HOOK_IN) == 0) {
310 } else if (strcmp(name, NG_NAT_HOOK_OUT) == 0) {
315 if (priv->out != NULL &&
317 priv->flags |= NGNAT_CONNECTED;
323 ng_nat_rcvmsg(node_p node, item_p item, hook_p lasthook)
325 const priv_p priv = NG_NODE_PRIVATE(node);
326 struct ng_mesg *resp = NULL;
330 NGI_GET_MSG(item, msg);
332 switch (msg->header.typecookie) {
334 switch (msg->header.cmd) {
335 case NGM_NAT_SET_IPADDR:
337 struct in_addr *const ia = (struct in_addr *)msg->data;
339 if (msg->header.arglen < sizeof(*ia)) {
344 LibAliasSetAddress(priv->lib, *ia);
346 priv->flags |= NGNAT_ADDR_DEFINED;
349 case NGM_NAT_SET_MODE:
351 struct ng_nat_mode *const mode =
352 (struct ng_nat_mode *)msg->data;
354 if (msg->header.arglen < sizeof(*mode)) {
359 if (LibAliasSetMode(priv->lib,
360 ng_nat_translate_flags(mode->flags),
361 ng_nat_translate_flags(mode->mask)) < 0) {
367 case NGM_NAT_SET_TARGET:
369 struct in_addr *const ia = (struct in_addr *)msg->data;
371 if (msg->header.arglen < sizeof(*ia)) {
376 LibAliasSetTarget(priv->lib, *ia);
379 case NGM_NAT_REDIRECT_PORT:
381 struct ng_nat_rdr_lst *entry;
382 struct ng_nat_redirect_port *const rp =
383 (struct ng_nat_redirect_port *)msg->data;
385 if (msg->header.arglen < sizeof(*rp)) {
390 if ((entry = malloc(sizeof(struct ng_nat_rdr_lst),
391 M_NETGRAPH, M_NOWAIT | M_ZERO)) == NULL) {
396 /* Try actual redirect. */
397 entry->lnk = LibAliasRedirectPort(priv->lib,
398 rp->local_addr, htons(rp->local_port),
399 rp->remote_addr, htons(rp->remote_port),
400 rp->alias_addr, htons(rp->alias_port),
403 if (entry->lnk == NULL) {
405 free(entry, M_NETGRAPH);
409 /* Successful, save info in our internal list. */
410 entry->rdr.local_addr = rp->local_addr;
411 entry->rdr.alias_addr = rp->alias_addr;
412 entry->rdr.remote_addr = rp->remote_addr;
413 entry->rdr.local_port = rp->local_port;
414 entry->rdr.alias_port = rp->alias_port;
415 entry->rdr.remote_port = rp->remote_port;
416 entry->rdr.proto = rp->proto;
417 bcopy(rp->description, entry->rdr.description,
420 /* Safety precaution. */
421 entry->rdr.description[NG_NAT_DESC_LENGTH-1] = '\0';
423 entry->rdr.id = priv->nextid++;
426 /* Link to list of redirects. */
427 STAILQ_INSERT_TAIL(&priv->redirhead, entry, entries);
429 /* Response with id of newly added entry. */
430 NG_MKRESPONSE(resp, msg, sizeof(entry->rdr.id), M_NOWAIT);
435 bcopy(&entry->rdr.id, resp->data, sizeof(entry->rdr.id));
438 case NGM_NAT_REDIRECT_ADDR:
440 struct ng_nat_rdr_lst *entry;
441 struct ng_nat_redirect_addr *const ra =
442 (struct ng_nat_redirect_addr *)msg->data;
444 if (msg->header.arglen < sizeof(*ra)) {
449 if ((entry = malloc(sizeof(struct ng_nat_rdr_lst),
450 M_NETGRAPH, M_NOWAIT | M_ZERO)) == NULL) {
455 /* Try actual redirect. */
456 entry->lnk = LibAliasRedirectAddr(priv->lib,
457 ra->local_addr, ra->alias_addr);
459 if (entry->lnk == NULL) {
461 free(entry, M_NETGRAPH);
465 /* Successful, save info in our internal list. */
466 entry->rdr.local_addr = ra->local_addr;
467 entry->rdr.alias_addr = ra->alias_addr;
468 entry->rdr.proto = NG_NAT_REDIRPROTO_ADDR;
469 bcopy(ra->description, entry->rdr.description,
472 /* Safety precaution. */
473 entry->rdr.description[NG_NAT_DESC_LENGTH-1] = '\0';
475 entry->rdr.id = priv->nextid++;
478 /* Link to list of redirects. */
479 STAILQ_INSERT_TAIL(&priv->redirhead, entry, entries);
481 /* Response with id of newly added entry. */
482 NG_MKRESPONSE(resp, msg, sizeof(entry->rdr.id), M_NOWAIT);
487 bcopy(&entry->rdr.id, resp->data, sizeof(entry->rdr.id));
490 case NGM_NAT_REDIRECT_PROTO:
492 struct ng_nat_rdr_lst *entry;
493 struct ng_nat_redirect_proto *const rp =
494 (struct ng_nat_redirect_proto *)msg->data;
496 if (msg->header.arglen < sizeof(*rp)) {
501 if ((entry = malloc(sizeof(struct ng_nat_rdr_lst),
502 M_NETGRAPH, M_NOWAIT | M_ZERO)) == NULL) {
507 /* Try actual redirect. */
508 entry->lnk = LibAliasRedirectProto(priv->lib,
509 rp->local_addr, rp->remote_addr,
510 rp->alias_addr, rp->proto);
512 if (entry->lnk == NULL) {
514 free(entry, M_NETGRAPH);
518 /* Successful, save info in our internal list. */
519 entry->rdr.local_addr = rp->local_addr;
520 entry->rdr.alias_addr = rp->alias_addr;
521 entry->rdr.remote_addr = rp->remote_addr;
522 entry->rdr.proto = rp->proto;
523 bcopy(rp->description, entry->rdr.description,
526 /* Safety precaution. */
527 entry->rdr.description[NG_NAT_DESC_LENGTH-1] = '\0';
529 entry->rdr.id = priv->nextid++;
532 /* Link to list of redirects. */
533 STAILQ_INSERT_TAIL(&priv->redirhead, entry, entries);
535 /* Response with id of newly added entry. */
536 NG_MKRESPONSE(resp, msg, sizeof(entry->rdr.id), M_NOWAIT);
541 bcopy(&entry->rdr.id, resp->data, sizeof(entry->rdr.id));
544 case NGM_NAT_REDIRECT_DYNAMIC:
545 case NGM_NAT_REDIRECT_DELETE:
547 struct ng_nat_rdr_lst *entry;
548 uint32_t *const id = (uint32_t *)msg->data;
550 if (msg->header.arglen < sizeof(*id)) {
555 /* Find entry with supplied id. */
556 STAILQ_FOREACH(entry, &priv->redirhead, entries) {
557 if (entry->rdr.id == *id)
567 if (msg->header.cmd == NGM_NAT_REDIRECT_DYNAMIC) {
568 if (LibAliasRedirectDynamic(priv->lib,
570 error = ENOTTY; /* XXX Something better? */
573 } else { /* NGM_NAT_REDIRECT_DELETE */
574 LibAliasRedirectDelete(priv->lib, entry->lnk);
577 /* Delete entry from our internal list. */
579 STAILQ_REMOVE(&priv->redirhead, entry, ng_nat_rdr_lst, entries);
580 free(entry, M_NETGRAPH);
583 case NGM_NAT_ADD_SERVER:
585 struct ng_nat_rdr_lst *entry;
586 struct ng_nat_add_server *const as =
587 (struct ng_nat_add_server *)msg->data;
589 if (msg->header.arglen < sizeof(*as)) {
594 /* Find entry with supplied id. */
595 STAILQ_FOREACH(entry, &priv->redirhead, entries) {
596 if (entry->rdr.id == as->id)
606 if (LibAliasAddServer(priv->lib, entry->lnk,
607 as->addr, htons(as->port)) == -1) {
615 case NGM_NAT_LIST_REDIRECTS:
617 struct ng_nat_rdr_lst *entry;
618 struct ng_nat_list_redirects *ary;
621 NG_MKRESPONSE(resp, msg, sizeof(*ary) +
622 (priv->rdrcount) * sizeof(*entry), M_NOWAIT);
628 ary = (struct ng_nat_list_redirects *)resp->data;
629 ary->total_count = priv->rdrcount;
631 STAILQ_FOREACH(entry, &priv->redirhead, entries) {
632 bcopy(&entry->rdr, &ary->redirects[i++],
633 sizeof(struct ng_nat_listrdrs_entry));
637 case NGM_NAT_PROXY_RULE:
639 char *cmd = (char *)msg->data;
641 if (msg->header.arglen < 6) {
646 if (LibAliasProxyRule(priv->lib, cmd) != 0)
651 error = EINVAL; /* unknown command */
656 error = EINVAL; /* unknown cookie type */
660 NG_RESPOND_MSG(error, node, item, resp);
666 ng_nat_rcvdata(hook_p hook, item_p item )
668 const priv_p priv = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
674 /* We have no required hooks. */
675 if (!(priv->flags & NGNAT_CONNECTED)) {
680 /* We have no alias address yet to do anything. */
681 if (!(priv->flags & NGNAT_ADDR_DEFINED))
686 if ((m = m_megapullup(m, m->m_pkthdr.len)) == NULL) {
687 NGI_M(item) = NULL; /* avoid double free */
695 ip = mtod(m, struct ip *);
697 KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
698 ("ng_nat: ip_len != m_pkthdr.len"));
701 * We drop packet when:
702 * 1. libalias returns PKT_ALIAS_ERROR;
703 * 2. For incoming packets:
704 * a) for unresolved fragments;
705 * b) libalias returns PKT_ALIAS_IGNORED and
706 * PKT_ALIAS_DENY_INCOMING flag is set.
708 if (hook == priv->in) {
709 rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
710 if (rval == PKT_ALIAS_ERROR ||
711 rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
712 (rval == PKT_ALIAS_IGNORED &&
713 (priv->lib->packetAliasMode &
714 PKT_ALIAS_DENY_INCOMING) != 0)) {
718 } else if (hook == priv->out) {
719 rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
720 if (rval == PKT_ALIAS_ERROR) {
725 panic("ng_nat: unknown hook!\n");
727 if (rval == PKT_ALIAS_RESPOND)
728 m->m_flags |= M_SKIP_FIREWALL;
729 m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
731 if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
732 ip->ip_p == IPPROTO_TCP) {
733 struct tcphdr *th = (struct tcphdr *)((caddr_t)ip +
737 * Here is our terrible HACK.
739 * Sometimes LibAlias edits contents of TCP packet.
740 * In this case it needs to recompute full TCP
741 * checksum. However, the problem is that LibAlias
742 * doesn't have any idea about checksum offloading
743 * in kernel. To workaround this, we do not do
744 * checksumming in LibAlias, but only mark the
745 * packets in th_x2 field. If we receive a marked
746 * packet, we calculate correct checksum for it
747 * aware of offloading.
749 * Why do I do such a terrible hack instead of
750 * recalculating checksum for each packet?
751 * Because the previous checksum was not checked!
752 * Recalculating checksums for EVERY packet will
753 * hide ALL transmission errors. Yes, marked packets
754 * still suffer from this problem. But, sigh, natd(8)
755 * has this problem, too.
760 ip->ip_len = ntohs(ip->ip_len);
761 th->th_sum = in_pseudo(ip->ip_src.s_addr,
762 ip->ip_dst.s_addr, htons(IPPROTO_TCP +
763 ip->ip_len - (ip->ip_hl << 2)));
765 if ((m->m_pkthdr.csum_flags & CSUM_TCP) == 0) {
766 m->m_pkthdr.csum_data = offsetof(struct tcphdr,
770 ip->ip_len = htons(ip->ip_len);
775 if (hook == priv->in)
776 NG_FWD_ITEM_HOOK(error, item, priv->out);
778 NG_FWD_ITEM_HOOK(error, item, priv->in);
784 ng_nat_shutdown(node_p node)
786 const priv_p priv = NG_NODE_PRIVATE(node);
788 NG_NODE_SET_PRIVATE(node, NULL);
791 /* Free redirects list. */
792 while (!STAILQ_EMPTY(&priv->redirhead)) {
793 struct ng_nat_rdr_lst *entry = STAILQ_FIRST(&priv->redirhead);
794 STAILQ_REMOVE_HEAD(&priv->redirhead, entries);
795 free(entry, M_NETGRAPH);
799 LibAliasUninit(priv->lib);
800 free(priv, M_NETGRAPH);
806 ng_nat_disconnect(hook_p hook)
808 const priv_p priv = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
810 priv->flags &= ~NGNAT_CONNECTED;
812 if (hook == priv->out)
814 if (hook == priv->in)
817 if (priv->out == NULL && priv->in == NULL)
818 ng_rmnode_self(NG_HOOK_NODE(hook));
824 ng_nat_translate_flags(unsigned int x)
826 unsigned int res = 0;
829 res |= PKT_ALIAS_LOG;
830 if (x & NG_NAT_DENY_INCOMING)
831 res |= PKT_ALIAS_DENY_INCOMING;
832 if (x & NG_NAT_SAME_PORTS)
833 res |= PKT_ALIAS_SAME_PORTS;
834 if (x & NG_NAT_UNREGISTERED_ONLY)
835 res |= PKT_ALIAS_UNREGISTERED_ONLY;
836 if (x & NG_NAT_RESET_ON_ADDR_CHANGE)
837 res |= PKT_ALIAS_RESET_ON_ADDR_CHANGE;
838 if (x & NG_NAT_PROXY_ONLY)
839 res |= PKT_ALIAS_PROXY_ONLY;
840 if (x & NG_NAT_REVERSE)
841 res |= PKT_ALIAS_REVERSE;
projects / FreeBSD / releng / 9.0.git / blob