2 * Copyright (C) 1993-2002 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
7 # include <sys/ptimers.h>
13 #include <sys/types.h>
14 #if !defined(__SVR4) && !defined(__svr4__)
17 #include <sys/byteorder.h>
20 #include <sys/param.h>
24 #include <sys/socket.h>
25 #include <sys/ioctl.h>
26 #if defined(sun) && (defined(__svr4__) || defined(__SVR4))
27 # include <sys/ioccom.h>
28 # include <sys/sysmacros.h>
30 #include <netinet/in.h>
31 #include <netinet/in_systm.h>
32 #include <netinet/ip.h>
33 #include <netinet/tcp.h>
35 #if __FreeBSD_version >= 300000
36 # include <net/if_var.h>
39 #include <arpa/nameser.h>
40 #include <arpa/inet.h>
43 #include "netinet/ip_compat.h"
44 #include "netinet/ip_fil.h"
45 #include "netinet/ip_nat.h"
46 #include "netinet/ip_state.h"
47 #include "netinet/ip_proxy.h"
50 #if defined(sun) && !SOLARIS2
51 # define STRERROR(x) sys_errlist[x]
52 extern char *sys_errlist[];
54 # define STRERROR(x) strerror(x)
58 static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
59 static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
64 #define bzero(a,b) memset(a,0,b)
67 extern void printnat __P((ipnat_t *, int));
68 extern int countbits __P((u_32_t));
71 ipnat_t *natparse __P((char *, int));
72 void natparsefile __P((int, char *, int));
73 void nat_setgroupmap __P((struct ipnat *));
76 void nat_setgroupmap(n)
79 if (n->in_outmsk == n->in_inmsk)
81 else if (n->in_flags & IPN_AUTOPORTMAP) {
82 n->in_ippip = ~ntohl(n->in_inmsk);
83 if (n->in_outmsk != 0xffffffff)
84 n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
88 n->in_ppip = USABLE_PORTS / n->in_ippip;
90 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
92 if (!(n->in_ppip = n->in_pmin))
94 n->in_ippip = USABLE_PORTS / n->in_ppip;
100 * Parse a line of input from the ipnat configuration file
102 ipnat_t *natparse(line, linenum)
108 char *dnetm = NULL, *dport = NULL;
109 char *s, *t, *cps[31], **cpp;
111 char *port1a = NULL, *port1b = NULL, *port2a = NULL;
116 * Search for end of line and comment marker, advance of leading spaces
118 if ((s = strchr(line, '\n')))
120 if ((s = strchr(line, '#')))
122 while (*line && isspace(*line))
127 bzero((char *)&ipn, sizeof(ipn));
131 * split line upto into segments.
133 for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
134 cps[++i] = strtok(NULL, " \b\t\r\n");
139 fprintf(stderr, "%d: not enough segments in line\n", linenum);
146 * Check first word is a recognised keyword and then is the interface
148 if (!strcasecmp(*cpp, "map"))
149 ipn.in_redir = NAT_MAP;
150 else if (!strcasecmp(*cpp, "map-block"))
151 ipn.in_redir = NAT_MAPBLK;
152 else if (!strcasecmp(*cpp, "rdr"))
153 ipn.in_redir = NAT_REDIRECT;
154 else if (!strcasecmp(*cpp, "bimap"))
155 ipn.in_redir = NAT_BIMAP;
157 fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
164 strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
165 ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
169 * If the first word after the interface is "from" or is a ! then
170 * the expanded syntax is being used so parse it differently.
172 if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
173 if (!strcmp(*cpp, "!")) {
175 if (strcasecmp(*cpp, "from")) {
176 fprintf(stderr, "Missing from after !\n");
179 ipn.in_flags |= IPN_NOTSRC;
180 } else if (**cpp == '!') {
181 if (strcasecmp(*cpp + 1, "from")) {
182 fprintf(stderr, "Missing from after !\n");
185 ipn.in_flags |= IPN_NOTSRC;
187 if ((ipn.in_flags & IPN_NOTSRC) &&
188 (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
189 fprintf(stderr, "Cannot use '! from' with map\n");
193 ipn.in_flags |= IPN_FILTER;
195 if (ipn.in_redir == NAT_REDIRECT) {
196 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
197 (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
198 &ipn.in_scmp, &ipn.in_stop, linenum)) {
202 if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
203 (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
204 &ipn.in_scmp, &ipn.in_stop, linenum)) {
209 if (!strcmp(*cpp, "!")) {
211 ipn.in_flags |= IPN_NOTDST;
212 } else if (**cpp == '!') {
214 ipn.in_flags |= IPN_NOTDST;
217 if (strcasecmp(*cpp, "to")) {
218 fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
222 if ((ipn.in_flags & IPN_NOTDST) &&
223 (ipn.in_redir & (NAT_REDIRECT))) {
224 fprintf(stderr, "Cannot use '! to' with rdr\n");
229 fprintf(stderr, "%d: missing host after to\n", linenum);
232 if (ipn.in_redir == NAT_REDIRECT) {
233 if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
234 (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
235 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
238 ipn.in_pmin = htons(ipn.in_dport);
240 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
241 (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
242 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
249 fprintf(stderr, "%d: short line\n", linenum);
254 fprintf(stderr, "%d: no netmask on LHS\n", linenum);
258 if (ipn.in_redir == NAT_REDIRECT) {
259 if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
261 if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
265 if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1)
267 if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
273 fprintf(stderr, "%d: short line\n", linenum);
279 * If it is a standard redirect then we expect it to have a port
280 * match after the hostmask.
282 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
283 if (strcasecmp(*cpp, "port")) {
284 fprintf(stderr, "%d: missing fields - 1st port\n",
293 "%d: missing fields (destination port)\n",
298 if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
305 if (!strcmp(*cpp, "-")) {
313 ipn.in_pmax = ipn.in_pmin;
317 * In the middle of the NAT rule syntax is -> to indicate the
318 * direction of translation.
321 fprintf(stderr, "%d: missing fields (->)\n", linenum);
324 if (strcmp(*cpp, "->")) {
325 fprintf(stderr, "%d: missing ->\n", linenum);
331 fprintf(stderr, "%d: missing fields (%s)\n",
332 linenum, ipn.in_redir ? "destination" : "target");
336 if (ipn.in_redir == NAT_MAP) {
337 if (!strcasecmp(*cpp, "range")) {
339 ipn.in_flags |= IPN_IPRANGE;
341 fprintf(stderr, "%d: missing fields (%s)\n",
343 ipn.in_redir ? "destination":"target");
349 if (ipn.in_flags & IPN_IPRANGE) {
350 dnetm = strrchr(*cpp, '-');
353 if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
357 if (dnetm == NULL || *dnetm == '\0') {
359 "%d: desination range not specified\n",
363 } else if (ipn.in_redir != NAT_REDIRECT) {
364 dnetm = strrchr(*cpp, '/');
367 if (*cpp && !strcasecmp(*cpp, "netmask"))
372 "%d: missing fields (dest netmask)\n",
380 if (ipn.in_redir == NAT_REDIRECT) {
381 dnetm = strchr(*cpp, ',');
383 ipn.in_flags |= IPN_SPLIT;
386 if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
389 if (!strcmp(*cpp, ipn.in_ifname))
391 if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
396 if (ipn.in_redir & NAT_MAPBLK) {
397 if (*cpp && strcasecmp(*cpp, "ports")) {
399 "%d: expected \"ports\" - got \"%s\"\n",
405 ipn.in_pmin = atoi(*cpp);
409 } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
410 if (*cpp && (strrchr(*cpp, '/') != NULL)) {
411 fprintf(stderr, "%d: No netmask supported in %s\n",
412 linenum, "destination host for redirect");
417 fprintf(stderr, "%d: Missing destination port %s\n",
418 linenum, "in redirect");
422 /* If it's a in_redir, expect target port */
424 if (strcasecmp(*cpp, "port")) {
425 fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
432 "%d: missing fields (destination port)\n",
439 if (dnetm && *dnetm == '/')
442 if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
443 if (ipn.in_flags & IPN_IPRANGE) {
444 if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
447 } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
450 if (ipn.in_flags & IPN_SPLIT) {
451 if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
454 } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
457 ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
461 if (!strcasecmp(proto, "tcp"))
462 ipn.in_flags |= IPN_TCP;
463 else if (!strcasecmp(proto, "udp"))
464 ipn.in_flags |= IPN_UDP;
465 else if (!strcasecmp(proto, "tcp/udp"))
466 ipn.in_flags |= IPN_TCPUDP;
467 else if (!strcasecmp(proto, "tcpudp")) {
468 ipn.in_flags |= IPN_TCPUDP;
470 } else if (!strcasecmp(proto, "ip"))
471 ipn.in_flags |= IPN_ANY;
473 ipn.in_flags |= IPN_ANY;
474 if ((pr = getprotobyname(proto)))
475 ipn.in_p = pr->p_proto;
477 if (!isdigit(*proto)) {
479 "%d: Unknown protocol %s\n",
483 ipn.in_p = atoi(proto);
487 if (*cpp && !strcasecmp(*cpp, "round-robin")) {
489 ipn.in_flags |= IPN_ROUNDR;
492 if (*cpp && !strcasecmp(*cpp, "frag")) {
494 ipn.in_flags |= IPN_FRAG;
497 if (*cpp && !strcasecmp(*cpp, "age")) {
501 "%d: age with no parameters\n",
506 ipn.in_age[0] = atoi(*cpp);
507 s = index(*cpp, '/');
509 ipn.in_age[1] = atoi(s + 1);
511 ipn.in_age[1] = ipn.in_age[0];
517 "%d: extra junk at the end of the line: %s\n",
524 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
525 if (!portnum(port1a, &ipn.in_pmin, linenum))
527 ipn.in_pmin = htons(ipn.in_pmin);
528 if (port1b != NULL) {
529 if (!portnum(port1b, &ipn.in_pmax, linenum))
531 ipn.in_pmax = htons(ipn.in_pmax);
533 ipn.in_pmax = ipn.in_pmin;
536 if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
537 if (!portnum(port2a, &ipn.in_pnext, linenum))
539 ipn.in_pnext = htons(ipn.in_pnext);
542 if (!(ipn.in_flags & IPN_SPLIT))
543 ipn.in_inip &= ipn.in_inmsk;
544 if ((ipn.in_flags & IPN_IPRANGE) == 0)
545 ipn.in_outip &= ipn.in_outmsk;
546 ipn.in_srcip &= ipn.in_srcmsk;
548 if ((ipn.in_redir & NAT_MAPBLK) != 0)
549 nat_setgroupmap(&ipn);
551 if (*cpp && !strcasecmp(*cpp, "frag")) {
553 ipn.in_flags |= IPN_FRAG;
559 if (ipn.in_redir == NAT_BIMAP) {
561 "%d: extra words at the end of bimap line: %s\n",
566 if (!strcasecmp(*cpp, "proxy")) {
567 if (ipn.in_redir == NAT_BIMAP) {
568 fprintf(stderr, "%d: cannot use proxy with bimap\n",
575 "%d: missing parameter for \"proxy\"\n",
581 if (!strcasecmp(*cpp, "port")) {
585 "%d: missing parameter for \"port\"\n",
595 "%d: missing parameter for \"proxy\"\n",
601 "%d: missing keyword \"port\"\n", linenum);
605 if ((proto = index(*cpp, '/'))) {
607 if ((pr = getprotobyname(proto)))
608 ipn.in_p = pr->p_proto;
610 ipn.in_p = atoi(proto);
614 if (dport && !portnum(dport, &ipn.in_dport, linenum))
616 ipn.in_dport = htons(ipn.in_dport);
618 (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
623 "%d: too many parameters for \"proxy\"\n",
627 } else if (!strcasecmp(*cpp, "portmap")) {
628 if (ipn.in_redir == NAT_BIMAP) {
629 fprintf(stderr, "%d: cannot use portmap with bimap\n",
636 "%d: missing expression following portmap\n",
641 if (!strcasecmp(*cpp, "tcp"))
642 ipn.in_flags |= IPN_TCP;
643 else if (!strcasecmp(*cpp, "udp"))
644 ipn.in_flags |= IPN_UDP;
645 else if (!strcasecmp(*cpp, "tcpudp"))
646 ipn.in_flags |= IPN_TCPUDP;
647 else if (!strcasecmp(*cpp, "tcp/udp"))
648 ipn.in_flags |= IPN_TCPUDP;
651 "%d: expected protocol name - got \"%s\"\n",
659 fprintf(stderr, "%d: no port range found\n", linenum);
663 if (!strcasecmp(*cpp, "auto")) {
664 ipn.in_flags |= IPN_AUTOPORTMAP;
665 ipn.in_pmin = htons(1024);
666 ipn.in_pmax = htons(65535);
667 nat_setgroupmap(&ipn);
670 if (!(t = strchr(*cpp, ':'))) {
672 "%d: no port range in \"%s\"\n",
677 if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
678 !portnum(t, &ipn.in_pmax, linenum))
680 ipn.in_pmin = htons(ipn.in_pmin);
681 ipn.in_pmax = htons(ipn.in_pmax);
686 if (*cpp && !strcasecmp(*cpp, "age")) {
689 fprintf(stderr, "%d: age with no parameters\n",
693 s = index(*cpp, '/');
695 ipn.in_age[1] = atoi(s + 1);
697 ipn.in_age[1] = ipn.in_age[0];
702 fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
710 void natparsefile(fd, file, opts)
720 if (strcmp(file, "-")) {
721 if (!(fp = fopen(file, "r"))) {
722 fprintf(stderr, "%s: open: %s\n", file,
729 while (fgets(line, sizeof(line) - 1, fp)) {
731 line[sizeof(line) - 1] = '\0';
732 if ((s = strchr(line, '\n')))
735 if (!(np = natparse(line, linenum))) {
737 fprintf(stderr, "%d: syntax error in \"%s\"\n",
740 if ((opts & OPT_VERBOSE) && np)
742 if (!(opts & OPT_NODO)) {
743 if (!(opts & OPT_REMOVE)) {
744 if (ioctl(fd, SIOCADNAT, &np) == -1) {
745 fprintf(stderr, "%d:",
747 perror("ioctl(SIOCADNAT)");
749 } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
750 fprintf(stderr, "%d:", linenum);
751 perror("ioctl(SIOCRMNAT)");