2 * Copyright (C) 1993-2002 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
7 # include <sys/ptimers.h>
13 #include <sys/types.h>
14 #if !defined(__SVR4) && !defined(__svr4__)
17 #include <sys/byteorder.h>
20 #include <sys/param.h>
24 #include <sys/socket.h>
25 #include <sys/ioctl.h>
26 #if defined(sun) && (defined(__svr4__) || defined(__SVR4))
27 # include <sys/ioccom.h>
28 # include <sys/sysmacros.h>
30 #include <netinet/in.h>
31 #include <netinet/in_systm.h>
32 #include <netinet/ip.h>
33 #include <netinet/tcp.h>
35 #if __FreeBSD_version >= 300000
36 # include <net/if_var.h>
39 #include <arpa/nameser.h>
40 #include <arpa/inet.h>
43 #include "netinet/ip_compat.h"
44 #include "netinet/ip_fil.h"
45 #include "netinet/ip_nat.h"
46 #include "netinet/ip_state.h"
47 #include "netinet/ip_proxy.h"
50 #if defined(sun) && !SOLARIS2
51 # define STRERROR(x) sys_errlist[x]
52 extern char *sys_errlist[];
54 # define STRERROR(x) strerror(x)
58 static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
59 static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $";
64 #define bzero(a,b) memset(a,0,b)
67 extern void printnat __P((ipnat_t *, int));
68 extern int countbits __P((u_32_t));
71 ipnat_t *natparse __P((char *, int));
72 void natparsefile __P((int, char *, int));
73 void nat_setgroupmap __P((struct ipnat *));
76 void nat_setgroupmap(n)
79 if (n->in_outmsk == n->in_inmsk)
81 else if (n->in_flags & IPN_AUTOPORTMAP) {
82 n->in_ippip = ~ntohl(n->in_inmsk);
83 if (n->in_outmsk != 0xffffffff)
84 n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
88 n->in_ppip = USABLE_PORTS / n->in_ippip;
90 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
92 if (!(n->in_ppip = n->in_pmin))
94 n->in_ippip = USABLE_PORTS / n->in_ppip;
100 * Parse a line of input from the ipnat configuration file
102 ipnat_t *natparse(line, linenum)
108 char *dnetm = NULL, *dport = NULL;
109 char *s, *t, *cps[31], **cpp;
111 char *port1a = NULL, *port1b = NULL, *port2a = NULL;
116 * Search for end of line and comment marker, advance of leading spaces
118 if ((s = strchr(line, '\n')))
120 if ((s = strchr(line, '#')))
122 while (*line && isspace(*line))
127 bzero((char *)&ipn, sizeof(ipn));
131 * split line upto into segments.
133 for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
134 cps[++i] = strtok(NULL, " \b\t\r\n");
139 fprintf(stderr, "%d: not enough segments in line\n", linenum);
146 * Check first word is a recognised keyword and then is the interface
148 if (!strcasecmp(*cpp, "map"))
149 ipn.in_redir = NAT_MAP;
150 else if (!strcasecmp(*cpp, "map-block"))
151 ipn.in_redir = NAT_MAPBLK;
152 else if (!strcasecmp(*cpp, "rdr"))
153 ipn.in_redir = NAT_REDIRECT;
154 else if (!strcasecmp(*cpp, "bimap"))
155 ipn.in_redir = NAT_BIMAP;
157 fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
164 strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
165 ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
169 * If the first word after the interface is "from" or is a ! then
170 * the expanded syntax is being used so parse it differently.
172 if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
173 if (!strcmp(*cpp, "!")) {
175 if (strcasecmp(*cpp, "from")) {
176 fprintf(stderr, "Missing from after !\n");
179 ipn.in_flags |= IPN_NOTSRC;
180 } else if (**cpp == '!') {
181 if (strcasecmp(*cpp + 1, "from")) {
182 fprintf(stderr, "Missing from after !\n");
185 ipn.in_flags |= IPN_NOTSRC;
187 if ((ipn.in_flags & IPN_NOTSRC) &&
188 (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
189 fprintf(stderr, "Cannot use '! from' with map\n");
193 ipn.in_flags |= IPN_FILTER;
195 if (ipn.in_redir == NAT_REDIRECT) {
196 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
197 (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
198 &ipn.in_scmp, &ipn.in_stop, linenum)) {
202 if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
203 (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
204 &ipn.in_scmp, &ipn.in_stop, linenum)) {
209 if (!strcmp(*cpp, "!")) {
211 ipn.in_flags |= IPN_NOTDST;
212 } else if (**cpp == '!') {
214 ipn.in_flags |= IPN_NOTDST;
217 if (strcasecmp(*cpp, "to")) {
218 fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
222 if ((ipn.in_flags & IPN_NOTDST) &&
223 (ipn.in_redir & (NAT_REDIRECT))) {
224 fprintf(stderr, "Cannot use '! to' with rdr\n");
229 fprintf(stderr, "%d: missing host after to\n", linenum);
232 if (ipn.in_redir == NAT_REDIRECT) {
233 if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
234 (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
235 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
238 ipn.in_pmin = htons(ipn.in_dport);
240 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
241 (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
242 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
249 fprintf(stderr, "%d: short line\n", linenum);
254 fprintf(stderr, "%d: no netmask on LHS\n", linenum);
258 if (ipn.in_redir == NAT_REDIRECT) {
259 if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
261 if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
265 if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1)
267 if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
273 fprintf(stderr, "%d: short line\n", linenum);
279 * If it is a standard redirect then we expect it to have a port
280 * match after the hostmask.
282 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
283 if (strcasecmp(*cpp, "port")) {
284 fprintf(stderr, "%d: missing fields - 1st port\n",
293 "%d: missing fields (destination port)\n",
298 if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
305 if (!strcmp(*cpp, "-")) {
313 ipn.in_pmax = ipn.in_pmin;
317 * In the middle of the NAT rule syntax is -> to indicate the
318 * direction of translation.
321 fprintf(stderr, "%d: missing fields (->)\n", linenum);
324 if (strcmp(*cpp, "->")) {
325 fprintf(stderr, "%d: missing ->\n", linenum);
331 fprintf(stderr, "%d: missing fields (%s)\n",
332 linenum, ipn.in_redir ? "destination" : "target");
336 if (ipn.in_redir == NAT_MAP) {
337 if (!strcasecmp(*cpp, "range")) {
339 ipn.in_flags |= IPN_IPRANGE;
341 fprintf(stderr, "%d: missing fields (%s)\n",
343 ipn.in_redir ? "destination":"target");
349 if (ipn.in_flags & IPN_IPRANGE) {
350 dnetm = strrchr(*cpp, '-');
353 if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
357 if (dnetm == NULL || *dnetm == '\0') {
359 "%d: desination range not specified\n",
363 } else if (ipn.in_redir != NAT_REDIRECT) {
364 dnetm = strrchr(*cpp, '/');
367 if (*cpp && !strcasecmp(*cpp, "netmask"))
372 "%d: missing fields (dest netmask)\n",
380 if (ipn.in_redir == NAT_REDIRECT) {
381 dnetm = strchr(*cpp, ',');
383 ipn.in_flags |= IPN_SPLIT;
386 if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
389 if (!strcmp(*cpp, ipn.in_ifname))
391 if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
396 if (ipn.in_redir & NAT_MAPBLK) {
398 if (strcasecmp(*cpp, "ports")) {
400 "%d: expected \"ports\" - got \"%s\"\n",
407 "%d: missing argument to \"ports\"\n",
411 if (!strcasecmp(*cpp, "auto"))
412 ipn.in_flags |= IPN_AUTOPORTMAP;
414 ipn.in_pmin = atoi(*cpp);
418 } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
419 if (*cpp && (strrchr(*cpp, '/') != NULL)) {
420 fprintf(stderr, "%d: No netmask supported in %s\n",
421 linenum, "destination host for redirect");
426 fprintf(stderr, "%d: Missing destination port %s\n",
427 linenum, "in redirect");
431 /* If it's a in_redir, expect target port */
433 if (strcasecmp(*cpp, "port")) {
434 fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
441 "%d: missing fields (destination port)\n",
448 if (dnetm && *dnetm == '/')
451 if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
452 if (ipn.in_flags & IPN_IPRANGE) {
453 if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
456 } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
459 if (ipn.in_flags & IPN_SPLIT) {
460 if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
463 } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
466 ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
470 if (!strcasecmp(proto, "tcp"))
471 ipn.in_flags |= IPN_TCP;
472 else if (!strcasecmp(proto, "udp"))
473 ipn.in_flags |= IPN_UDP;
474 else if (!strcasecmp(proto, "tcp/udp"))
475 ipn.in_flags |= IPN_TCPUDP;
476 else if (!strcasecmp(proto, "tcpudp")) {
477 ipn.in_flags |= IPN_TCPUDP;
479 } else if (!strcasecmp(proto, "ip"))
480 ipn.in_flags |= IPN_ANY;
482 ipn.in_flags |= IPN_ANY;
483 if ((pr = getprotobyname(proto)))
484 ipn.in_p = pr->p_proto;
486 if (!isdigit(*proto)) {
488 "%d: Unknown protocol %s\n",
492 ipn.in_p = atoi(proto);
495 if ((ipn.in_flags & IPN_TCPUDP) == 0) {
500 if (*cpp && !strcasecmp(*cpp, "round-robin")) {
502 ipn.in_flags |= IPN_ROUNDR;
505 if (*cpp && !strcasecmp(*cpp, "frag")) {
507 ipn.in_flags |= IPN_FRAG;
510 if (*cpp && !strcasecmp(*cpp, "age")) {
514 "%d: age with no parameters\n",
519 ipn.in_age[0] = atoi(*cpp);
520 s = index(*cpp, '/');
522 ipn.in_age[1] = atoi(s + 1);
524 ipn.in_age[1] = ipn.in_age[0];
530 "%d: extra junk at the end of the line: %s\n",
537 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
538 if (!portnum(port1a, &ipn.in_pmin, linenum))
540 ipn.in_pmin = htons(ipn.in_pmin);
541 if (port1b != NULL) {
542 if (!portnum(port1b, &ipn.in_pmax, linenum))
544 ipn.in_pmax = htons(ipn.in_pmax);
546 ipn.in_pmax = ipn.in_pmin;
549 if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
550 if (!portnum(port2a, &ipn.in_pnext, linenum))
552 ipn.in_pnext = htons(ipn.in_pnext);
555 if (!(ipn.in_flags & IPN_SPLIT))
556 ipn.in_inip &= ipn.in_inmsk;
557 if ((ipn.in_flags & IPN_IPRANGE) == 0)
558 ipn.in_outip &= ipn.in_outmsk;
559 ipn.in_srcip &= ipn.in_srcmsk;
561 if ((ipn.in_redir & NAT_MAPBLK) != 0)
562 nat_setgroupmap(&ipn);
564 if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
566 ipn.in_flags |= IPN_FRAG;
572 if (ipn.in_redir == NAT_BIMAP) {
574 "%d: extra words at the end of bimap line: %s\n",
579 if (!strcasecmp(*cpp, "proxy")) {
580 if (ipn.in_redir == NAT_BIMAP) {
581 fprintf(stderr, "%d: cannot use proxy with bimap\n",
588 "%d: missing parameter for \"proxy\"\n",
594 if (!strcasecmp(*cpp, "port")) {
598 "%d: missing parameter for \"port\"\n",
608 "%d: missing parameter for \"proxy\"\n",
614 "%d: missing keyword \"port\"\n", linenum);
618 if ((proto = index(*cpp, '/'))) {
620 if ((pr = getprotobyname(proto)))
621 ipn.in_p = pr->p_proto;
623 ipn.in_p = atoi(proto);
627 if (dport && !portnum(dport, &ipn.in_dport, linenum))
629 ipn.in_dport = htons(ipn.in_dport);
631 (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
634 } else if (!strcasecmp(*cpp, "portmap")) {
635 if (ipn.in_redir == NAT_BIMAP) {
636 fprintf(stderr, "%d: cannot use portmap with bimap\n",
643 "%d: missing expression following portmap\n",
648 if (!strcasecmp(*cpp, "tcp"))
649 ipn.in_flags |= IPN_TCP;
650 else if (!strcasecmp(*cpp, "udp"))
651 ipn.in_flags |= IPN_UDP;
652 else if (!strcasecmp(*cpp, "tcpudp"))
653 ipn.in_flags |= IPN_TCPUDP;
654 else if (!strcasecmp(*cpp, "tcp/udp"))
655 ipn.in_flags |= IPN_TCPUDP;
658 "%d: expected protocol name - got \"%s\"\n",
666 fprintf(stderr, "%d: no port range found\n", linenum);
670 if (!strcasecmp(*cpp, "auto")) {
671 ipn.in_flags |= IPN_AUTOPORTMAP;
672 ipn.in_pmin = htons(1024);
673 ipn.in_pmax = htons(65535);
674 nat_setgroupmap(&ipn);
677 if (!(t = strchr(*cpp, ':'))) {
679 "%d: no port range in \"%s\"\n",
684 if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
685 !portnum(t, &ipn.in_pmax, linenum))
687 ipn.in_pmin = htons(ipn.in_pmin);
688 ipn.in_pmax = htons(ipn.in_pmax);
693 if (*cpp && !strcasecmp(*cpp, "frag")) {
695 ipn.in_flags |= IPN_FRAG;
698 if (*cpp && !strcasecmp(*cpp, "age")) {
701 fprintf(stderr, "%d: age with no parameters\n",
705 ipn.in_age[0] = atoi(*cpp);
706 s = index(*cpp, '/');
708 ipn.in_age[1] = atoi(s + 1);
710 ipn.in_age[1] = ipn.in_age[0];
715 fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
723 void natparsefile(fd, file, opts)
733 if (strcmp(file, "-")) {
734 if (!(fp = fopen(file, "r"))) {
735 fprintf(stderr, "%s: open: %s\n", file,
742 while (fgets(line, sizeof(line) - 1, fp)) {
744 line[sizeof(line) - 1] = '\0';
745 if ((s = strchr(line, '\n')))
748 if (!(np = natparse(line, linenum))) {
750 fprintf(stderr, "%d: syntax error in \"%s\"\n",
753 if ((opts & OPT_VERBOSE) && np)
755 if (!(opts & OPT_NODO)) {
756 if (!(opts & OPT_REMOVE)) {
757 if (ioctl(fd, SIOCADNAT, &np) == -1) {
758 fprintf(stderr, "%d:",
760 perror("ioctl(SIOCADNAT)");
762 } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
763 fprintf(stderr, "%d:", linenum);
764 perror("ioctl(SIOCRMNAT)");
projects / FreeBSD / FreeBSD.git / blob