2 * Copyright (C) 1993-1998 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
12 #include <sys/types.h>
13 #if !defined(__SVR4) && !defined(__svr4__)
16 #include <sys/byteorder.h>
19 #include <sys/param.h>
23 #include <sys/socket.h>
24 #include <sys/ioctl.h>
25 #if defined(sun) && (defined(__svr4__) || defined(__SVR4))
26 # include <sys/ioccom.h>
27 # include <sys/sysmacros.h>
29 #include <netinet/in.h>
30 #include <netinet/in_systm.h>
31 #include <netinet/ip.h>
32 #include <netinet/tcp.h>
34 #if __FreeBSD_version >= 300000
35 # include <net/if_var.h>
38 #include <arpa/nameser.h>
39 #include <arpa/inet.h>
42 #include "netinet/ip_compat.h"
43 #include "netinet/ip_fil.h"
44 #include "netinet/ip_proxy.h"
45 #include "netinet/ip_nat.h"
47 #if defined(sun) && !SOLARIS2
48 # define STRERROR(x) sys_errlist[x]
49 extern char *sys_errlist[];
51 # define STRERROR(x) strerror(x)
55 static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
56 static const char rcsid[] = "@(#)$Id: natparse.c,v 1.2.2.1 1999/11/20 22:50:30 darrenr Exp $";
61 #define bzero(a,b) memset(a,0,b)
64 extern int countbits __P((u_32_t));
65 extern u_32_t hostnum __P((char *, int *, int));
67 ipnat_t *natparse __P((char *, int));
68 void printnat __P((ipnat_t *, int, void *));
69 void natparsefile __P((int, char *, int));
70 u_32_t n_hostmask __P((char *));
71 u_short n_portnum __P((char *, char *, int));
72 void nat_setgroupmap __P((struct ipnat *));
78 #define OPT_VERBOSE 16
83 void printnat(np, verbose, ptr)
101 printf("map-block ");
107 fprintf(stderr, "unknown value for in_redir: %#x\n",
112 if (np->in_redir == NAT_REDIRECT) {
113 printf("%s ", np->in_ifname);
114 if (np->in_src[0].s_addr || np->in_src[1].s_addr) {
115 printf("from %s",inet_ntoa(np->in_src[0]));
116 bits = countbits(np->in_src[1].s_addr);
118 printf("/%d ", bits);
120 printf("/%s ", inet_ntoa(np->in_src[1]));
122 printf("%s",inet_ntoa(np->in_out[0]));
123 bits = countbits(np->in_out[1].s_addr);
125 printf("/%d ", bits);
127 printf("/%s ", inet_ntoa(np->in_out[1]));
129 printf("port %d ", ntohs(np->in_pmin));
130 printf("-> %s", inet_ntoa(np->in_in[0]));
132 printf(" port %d", ntohs(np->in_pnext));
133 if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
135 else if ((np->in_flags & IPN_TCP) == IPN_TCP)
137 else if ((np->in_flags & IPN_UDP) == IPN_UDP)
141 printf("\t%p %lu %x %u %p %d\n", np->in_ifp,
142 np->in_space, np->in_flags, np->in_pnext, np,
145 np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
146 printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
147 bits = countbits(np->in_in[1].s_addr);
151 printf("%s", inet_ntoa(np->in_in[1]));
153 if (np->in_flags & IPN_RANGE) {
154 printf("range %s-", inet_ntoa(np->in_out[0]));
155 printf("%s", inet_ntoa(np->in_out[1]));
157 printf("%s/", inet_ntoa(np->in_out[0]));
158 bits = countbits(np->in_out[1].s_addr);
162 printf("%s", inet_ntoa(np->in_out[1]));
164 if (*np->in_plabel) {
165 pr = getprotobynumber(np->in_p);
166 printf(" proxy port");
167 if (np->in_dport != 0) {
169 sv = getservbyport(np->in_dport,
172 sv = getservbyport(np->in_dport, NULL);
174 printf(" %s", sv->s_name);
176 printf(" %hu", ntohs(np->in_dport));
178 printf(" %.*s/", (int)sizeof(np->in_plabel),
181 fputs(pr->p_name, stdout);
183 printf("%d", np->in_p);
184 } else if (np->in_redir == NAT_MAPBLK) {
185 printf(" ports %d", np->in_pmin);
187 printf("\n\tip modulous %d", np->in_pmax);
188 } else if (np->in_pmin || np->in_pmax) {
190 if (np->in_flags & IPN_AUTOPORTMAP) {
193 printf(" [%d:%d %d %d]",
196 np->in_ippip, np->in_ppip);
198 if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
200 else if (np->in_flags & IPN_TCP)
202 else if (np->in_flags & IPN_UDP)
204 printf(" %d:%d", ntohs(np->in_pmin),
210 printf("\tifp %p space %lu nextip %s pnext %d",
211 np->in_ifp, np->in_space,
212 inet_ntoa(np->in_nextip), np->in_pnext);
213 printf(" flags %x use %u\n",
214 np->in_flags, np->in_use);
220 void nat_setgroupmap(n)
223 if (n->in_outmsk == n->in_inmsk)
225 else if (n->in_flags & IPN_AUTOPORTMAP) {
226 n->in_ippip = ~ntohl(n->in_inmsk);
227 if (n->in_outmsk != 0xffffffff)
228 n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
230 if (n->in_ippip == 0)
232 n->in_ppip = USABLE_PORTS / n->in_ippip;
234 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
236 if (!(n->in_ppip = n->in_pmin))
238 n->in_ippip = USABLE_PORTS / n->in_ppip;
244 ipnat_t *natparse(line, linenum)
251 char *shost, *snetm, *dhost, *proto, *srchost, *srcnetm;
252 char *dnetm = NULL, *dport = NULL, *tport = NULL;
258 bzero((char *)&ipn, sizeof(ipn));
259 if ((s = strchr(line, '\n')))
261 if ((s = strchr(line, '#')))
265 if (!(s = strtok(line, " \t")))
267 if (!strcasecmp(s, "map"))
268 ipn.in_redir = NAT_MAP;
269 else if (!strcasecmp(s, "map-block"))
270 ipn.in_redir = NAT_MAPBLK;
271 else if (!strcasecmp(s, "rdr"))
272 ipn.in_redir = NAT_REDIRECT;
273 else if (!strcasecmp(s, "bimap"))
274 ipn.in_redir = NAT_BIMAP;
276 fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
281 if (!(s = strtok(NULL, " \t"))) {
282 fprintf(stderr, "%d: missing fields (interface)\n",
287 strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1);
288 ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
289 if (!(s = strtok(NULL, " \t"))) {
290 fprintf(stderr, "%d: missing fields (%s)\n", linenum,
291 ipn.in_redir ? "from source | destination" : "source");
295 if ((ipn.in_redir == NAT_REDIRECT) && !strcasecmp(s, "from")) {
296 if (!(s = strtok(NULL, " \t"))) {
298 "%d: missing fields (source address)\n",
304 srcnetm = strrchr(srchost, '/');
306 if (srcnetm == NULL) {
307 if (!(s = strtok(NULL, " \t"))) {
309 "%d: missing fields (source netmask)\n",
314 if (strcasecmp(s, "netmask")) {
316 "%d: missing fields (netmask)\n",
320 if (!(s = strtok(NULL, " \t"))) {
322 "%d: missing fields (source netmask)\n",
331 /* re read the next word -- destination */
332 if (!(s = strtok(NULL, " \t"))) {
334 "%d: missing fields (destination)\n", linenum);
342 if (ipn.in_redir == NAT_REDIRECT) {
343 if (!(s = strtok(NULL, " \t"))) {
345 "%d: missing fields (destination port)\n",
350 if (strcasecmp(s, "port")) {
351 fprintf(stderr, "%d: missing fields (port)\n", linenum);
355 if (!(s = strtok(NULL, " \t"))) {
357 "%d: missing fields (destination port)\n",
366 if (!(s = strtok(NULL, " \t"))) {
367 fprintf(stderr, "%d: missing fields (->)\n", linenum);
370 if (!strcmp(s, "->")) {
371 snetm = strrchr(shost, '/');
374 "%d: missing fields (%s netmask)\n", linenum,
375 ipn.in_redir ? "destination" : "source");
379 if (strcasecmp(s, "netmask")) {
380 fprintf(stderr, "%d: missing fields (netmask)\n",
384 if (!(s = strtok(NULL, " \t"))) {
386 "%d: missing fields (%s netmask)\n", linenum,
387 ipn.in_redir ? "destination" : "source");
393 if (!(s = strtok(NULL, " \t"))) {
394 fprintf(stderr, "%d: missing fields (%s)\n",
395 linenum, ipn.in_redir ? "destination":"target");
399 if (ipn.in_redir == NAT_MAP) {
400 if (!strcasecmp(s, "range")) {
401 ipn.in_flags |= IPN_RANGE;
402 if (!(s = strtok(NULL, " \t"))) {
403 fprintf(stderr, "%d: missing fields (%s)\n",
405 ipn.in_redir ? "destination":"target");
412 if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
413 if (ipn.in_flags & IPN_RANGE) {
414 dnetm = strrchr(dhost, '-');
416 if (!(s = strtok(NULL, " \t")))
421 else if ((s = strtok(NULL, " \t"))) {
427 if (dnetm == NULL || *dnetm == '\0') {
429 "%d: desination range not specified\n",
434 dnetm = strrchr(dhost, '/');
436 if (!(s = strtok(NULL, " \t")))
438 else if (!strcasecmp(s, "netmask"))
439 if ((s = strtok(NULL, " \t")) != NULL)
444 "%d: missing fields (dest netmask)\n",
451 s = strtok(NULL, " \t");
454 if (ipn.in_redir & NAT_MAPBLK) {
455 if (s && strcasecmp(s, "ports")) {
457 "%d: expected \"ports\" - got \"%s\"\n",
462 if ((s = strtok(NULL, " \t")) == NULL)
464 ipn.in_pmin = atoi(s);
465 s = strtok(NULL, " \t");
468 } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
469 if (strrchr(dhost, '/') != NULL) {
470 fprintf(stderr, "%d: No netmask supported in %s\n",
471 linenum, "destination host for redirect");
474 /* If it's a in_redir, expect target port */
475 if (!(s = strtok(NULL, " \t"))) {
477 "%d: missing fields (destination port)\n",
482 if (strcasecmp(s, "port")) {
483 fprintf(stderr, "%d: missing fields (port)\n",
488 if (!(s = strtok(NULL, " \t"))) {
490 "%d: missing fields (destination port)\n",
496 if (dnetm && *dnetm == '/')
498 if (snetm && *snetm == '/')
501 if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
502 ipn.in_inip = hostnum(shost, &resolved, linenum);
505 ipn.in_inmsk = n_hostmask(snetm);
506 ipn.in_outip = hostnum(dhost, &resolved, linenum);
509 if (ipn.in_flags & IPN_RANGE) {
510 ipn.in_outmsk = hostnum(dnetm, &resolved, linenum);
514 ipn.in_outmsk = n_hostmask(dnetm);
516 ipn.in_srcip = hostnum(srchost, &resolved, linenum);
521 ipn.in_srcmsk = n_hostmask(srcnetm);
524 ipn.in_srcip = hostnum(srchost, &resolved, linenum);
529 ipn.in_srcmsk = n_hostmask(srcnetm);
530 ipn.in_inip = hostnum(dhost, &resolved, linenum);
533 ipn.in_inmsk = n_hostmask("255.255.255.255");
534 ipn.in_outip = hostnum(shost, &resolved, linenum);
537 ipn.in_outmsk = n_hostmask(snetm);
538 if (!(s = strtok(NULL, " \t"))) {
539 ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */
542 if (!strcasecmp(s, "tcp"))
543 ipn.in_flags = IPN_TCP;
544 else if (!strcasecmp(s, "udp"))
545 ipn.in_flags = IPN_UDP;
546 else if (!strcasecmp(s, "tcp/udp"))
547 ipn.in_flags = IPN_TCPUDP;
548 else if (!strcasecmp(s, "tcpudp"))
549 ipn.in_flags = IPN_TCPUDP;
550 else if (!strcasecmp(s, "ip"))
551 ipn.in_flags = IPN_ANY;
553 ipn.in_flags = IPN_ANY;
554 if ((pr = getprotobyname(s)))
555 ipn.in_p = pr->p_proto;
560 if ((s = strtok(NULL, " \t"))) {
562 "%d: extra junk at the end of rdr: %s\n",
567 ipn.in_pmin = n_portnum(dport, proto, linenum);
568 ipn.in_pmax = ipn.in_pmin;
569 ipn.in_pnext = n_portnum(tport, proto, linenum);
572 ipn.in_inip &= ipn.in_inmsk;
573 if ((ipn.in_flags & IPN_RANGE) == 0)
574 ipn.in_outip &= ipn.in_outmsk;
575 ipn.in_srcip &= ipn.in_srcmsk;
577 if ((ipn.in_redir & NAT_MAPBLK) != 0)
578 nat_setgroupmap(&ipn);
583 if (ipn.in_redir == NAT_BIMAP) {
585 "%d: extra words at the end of bimap line: %s\n",
589 if (!strcasecmp(s, "proxy")) {
590 if (!(s = strtok(NULL, " \t"))) {
592 "%d: missing parameter for \"proxy\"\n",
598 if (!strcasecmp(s, "port")) {
599 if (!(s = strtok(NULL, " \t"))) {
601 "%d: missing parameter for \"port\"\n",
608 if (!(s = strtok(NULL, " \t"))) {
610 "%d: missing parameter for \"proxy\"\n",
616 "%d: missing keyword \"port\"\n", linenum);
619 if ((proto = index(s, '/'))) {
621 if ((pr = getprotobyname(proto)))
622 ipn.in_p = pr->p_proto;
624 ipn.in_p = atoi(proto);
626 ipn.in_dport = n_portnum(dport, proto, linenum);
630 ipn.in_dport = n_portnum(dport, NULL, linenum);
633 (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
634 if ((s = strtok(NULL, " \t"))) {
636 "%d: too many parameters for \"proxy\"\n",
644 if (strcasecmp(s, "portmap")) {
646 "%d: expected \"portmap\" - got \"%s\"\n", linenum, s);
649 if (!(s = strtok(NULL, " \t")))
651 if (!strcasecmp(s, "tcp"))
652 ipn.in_flags = IPN_TCP;
653 else if (!strcasecmp(s, "udp"))
654 ipn.in_flags = IPN_UDP;
655 else if (!strcasecmp(s, "tcpudp"))
656 ipn.in_flags = IPN_TCPUDP;
657 else if (!strcasecmp(s, "tcp/udp"))
658 ipn.in_flags = IPN_TCPUDP;
661 "%d: expected protocol name - got \"%s\"\n",
666 if (!(s = strtok(NULL, " \t"))) {
667 fprintf(stderr, "%d: no port range found\n", linenum);
671 if (!strcasecmp(s, "auto")) {
672 ipn.in_flags |= IPN_AUTOPORTMAP;
673 ipn.in_pmin = htons(1024);
674 ipn.in_pmax = htons(65535);
675 nat_setgroupmap(&ipn);
679 if (!(t = strchr(s, ':'))) {
680 fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, s);
684 ipn.in_pmin = n_portnum(s, proto, linenum);
685 ipn.in_pmax = n_portnum(t, proto, linenum);
690 void natparsefile(fd, file, opts)
700 if (strcmp(file, "-")) {
701 if (!(fp = fopen(file, "r"))) {
702 fprintf(stderr, "%s: open: %s\n", file,
709 while (fgets(line, sizeof(line) - 1, fp)) {
711 line[sizeof(line) - 1] = '\0';
712 if ((s = strchr(line, '\n')))
715 if (!(np = natparse(line, linenum))) {
717 fprintf(stderr, "%d: syntax error in \"%s\"\n",
720 if ((opts & OPT_VERBOSE) && np)
721 printnat(np, opts & OPT_VERBOSE, NULL);
722 if (!(opts & OPT_NODO)) {
723 if (!(opts & OPT_REM)) {
724 if (ioctl(fd, SIOCADNAT, np) == -1)
725 perror("ioctl(SIOCADNAT)");
726 } else if (ioctl(fd, SIOCRMNAT, np) == -1)
727 perror("ioctl(SIOCRMNAT)");
736 u_32_t n_hostmask(msk)
744 if (strchr(msk, '.'))
745 return inet_addr(msk);
746 if (strchr(msk, 'x'))
747 return (u_32_t)strtol(msk, NULL, 0);
749 * set x most significant bits
751 for (mask = 0, bits = atoi(msk); bits; bits--) {
753 mask |= ntohl(inet_addr("128.0.0.0"));
760 u_short n_portnum(name, proto, linenum)
764 struct servent *sp, *sp2;
768 return htons((u_short)atoi(name));
771 if (strcasecmp(proto, "tcp/udp")) {
772 sp = getservbyname(name, proto);
775 fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
778 sp = getservbyname(name, "tcp");
781 sp2 = getservbyname(name, "udp");
783 fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
787 if (p1 != sp2->s_port) {
788 fprintf(stderr, "%d: %s %d/tcp is a different port to ",
790 fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);