2 * Copyright (C) 1995-2000 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
8 * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
11 /*static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.16 2000/07/18 13:57:40 darrenr Exp $";*/
12 static const char rcsid[] = "@(#)$FreeBSD$";
15 #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
19 #include <sys/errno.h>
20 #include <sys/types.h>
21 #include <sys/param.h>
24 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
26 # include "opt_ipfilter_log.h"
28 #if !defined(_KERNEL) && !defined(KERNEL)
33 #if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
34 # include <sys/filio.h>
35 # include <sys/fcntl.h>
37 # include <sys/ioctl.h>
39 #include <sys/fcntl.h>
42 # include <sys/protosw.h>
44 #include <sys/socket.h>
45 #if defined(_KERNEL) && !defined(linux)
46 # include <sys/systm.h>
48 #if !defined(__SVR4) && !defined(__svr4__)
50 # include <sys/mbuf.h>
53 # include <sys/filio.h>
54 # include <sys/byteorder.h>
56 # include <sys/dditypes.h>
58 # include <sys/stream.h>
59 # include <sys/kmem.h>
61 #if __FreeBSD_version >= 300000
62 # include <sys/queue.h>
65 #if __FreeBSD_version >= 300000
66 # include <net/if_var.h>
67 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
68 # include "opt_ipfilter.h"
74 #include <net/route.h>
75 #include <netinet/in.h>
76 #include <netinet/in_systm.h>
77 #include <netinet/ip.h>
80 # ifdef IFF_DRVRLOCK /* IRIX6 */
81 #include <sys/hashing.h>
82 #include <netinet/in_var.h>
88 # include <vpn/ipsec.h>
89 extern struct ifnet vpnif;
93 # include <netinet/ip_var.h>
95 #include <netinet/tcp.h>
96 #include <netinet/udp.h>
97 #include <netinet/ip_icmp.h>
98 #include "netinet/ip_compat.h"
99 #include <netinet/tcpip.h>
100 #include "netinet/ip_fil.h"
101 #include "netinet/ip_proxy.h"
102 #include "netinet/ip_nat.h"
103 #include "netinet/ip_frag.h"
104 #include "netinet/ip_state.h"
105 #if (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
109 # define MIN(a,b) (((a)<(b))?(a):(b))
112 #define SOCKADDR_IN struct sockaddr_in
114 nat_t **nat_table[2] = { NULL, NULL },
115 *nat_instances = NULL;
116 ipnat_t *nat_list = NULL;
117 u_int ipf_nattable_sz = NAT_TABLE_SZ;
118 u_int ipf_natrules_sz = NAT_SIZE;
119 u_int ipf_rdrrules_sz = RDR_SIZE;
120 u_int ipf_hostmap_sz = HOSTMAP_SIZE;
121 u_32_t nat_masks = 0;
122 u_32_t rdr_masks = 0;
123 ipnat_t **nat_rules = NULL;
124 ipnat_t **rdr_rules = NULL;
125 hostmap_t **maptable = NULL;
127 u_long fr_defnatage = DEF_NAT_AGE,
128 fr_defnaticmpage = 6; /* 3 seconds */
131 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
132 extern kmutex_t ipf_rw;
133 extern KRWLOCK_T ipf_nat;
136 static int nat_flushtable __P((void));
137 static int nat_clearlist __P((void));
138 static void nat_addnat __P((struct ipnat *));
139 static void nat_addrdr __P((struct ipnat *));
140 static void nat_delete __P((struct nat *));
141 static void nat_delrdr __P((struct ipnat *));
142 static void nat_delnat __P((struct ipnat *));
143 static int fr_natgetent __P((caddr_t));
144 static int fr_natgetsz __P((caddr_t));
145 static int fr_natputent __P((caddr_t));
146 static void nat_tabmove __P((nat_t *, u_32_t));
147 static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
148 static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
150 static void nat_hostmapdel __P((struct hostmap *));
155 KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
156 if (nat_table[0] != NULL)
157 bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
161 KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
162 if (nat_table[1] != NULL)
163 bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
167 KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
168 if (nat_rules != NULL)
169 bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
173 KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
174 if (rdr_rules != NULL)
175 bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
179 KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
180 if (maptable != NULL)
181 bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
188 static void nat_addrdr(n)
196 k = countbits(n->in_outmsk);
197 if ((k >= 0) && (k != 32))
199 j = (n->in_outip & n->in_outmsk);
200 hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
203 np = &(*np)->in_rnext;
210 static void nat_addnat(n)
218 k = countbits(n->in_inmsk);
219 if ((k >= 0) && (k != 32))
221 j = (n->in_inip & n->in_inmsk);
222 hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
225 np = &(*np)->in_mnext;
232 static void nat_delrdr(n)
236 n->in_rnext->in_prnext = n->in_prnext;
237 *n->in_prnext = n->in_rnext;
241 static void nat_delnat(n)
245 n->in_mnext->in_pmnext = n->in_pmnext;
246 *n->in_pmnext = n->in_mnext;
251 * check if an ip address has already been allocated for a given mapping that
252 * is not doing port based translation.
254 * Must be called with ipf_nat held as a write lock.
256 static struct hostmap *nat_hostmap(np, real, map)
264 hv = real.s_addr % HOSTMAP_SIZE;
265 for (hm = maptable[hv]; hm; hm = hm->hm_next)
266 if ((hm->hm_realip.s_addr == real.s_addr) &&
267 (np == hm->hm_ipnat)) {
272 KMALLOC(hm, hostmap_t *);
274 hm->hm_next = maptable[hv];
275 hm->hm_pnext = maptable + hv;
277 maptable[hv]->hm_pnext = &hm->hm_next;
280 hm->hm_realip = real;
289 * Must be called with ipf_nat held as a write lock.
291 static void nat_hostmapdel(hm)
294 ATOMIC_DEC32(hm->hm_ref);
295 if (hm->hm_ref == 0) {
297 hm->hm_next->hm_pnext = hm->hm_pnext;
298 *hm->hm_pnext = hm->hm_next;
304 void fix_outcksum(sp, n)
308 register u_short sumshort;
309 register u_32_t sum1;
314 else if (n & NAT_HW_CKSUM) {
319 sum1 = (~ntohs(*sp)) & 0xffff;
321 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
323 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
324 sumshort = ~(u_short)sum1;
325 *(sp) = htons(sumshort);
329 void fix_incksum(sp, n)
333 register u_short sumshort;
334 register u_32_t sum1;
339 else if (n & NAT_HW_CKSUM) {
345 sum1 = (~(*sp)) & 0xffff;
347 sum1 = (~ntohs(*sp)) & 0xffff;
349 sum1 += ~(n) & 0xffff;
350 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
352 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
353 sumshort = ~(u_short)sum1;
354 *(sp) = htons(sumshort);
359 * fix_datacksum is used *only* for the adjustments of checksums in the data
360 * section of an IP packet.
362 * The only situation in which you need to do this is when NAT'ing an
363 * ICMP error message. Such a message, contains in its body the IP header
364 * of the original IP packet, that causes the error.
366 * You can't use fix_incksum or fix_outcksum in that case, because for the
367 * kernel the data section of the ICMP error is just data, and no special
368 * processing like hardware cksum or ntohs processing have been done by the
369 * kernel on the data section.
371 void fix_datacksum(sp, n)
375 register u_short sumshort;
376 register u_32_t sum1;
381 sum1 = (~ntohs(*sp)) & 0xffff;
383 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
385 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
386 sumshort = ~(u_short)sum1;
387 *(sp) = htons(sumshort);
391 * How the NAT is organised and works.
393 * Inside (interface y) NAT Outside (interface x)
394 * -------------------- -+- -------------------------------------
395 * Packet going | out, processsed by ip_natout() for x
396 * ------------> | ------------>
397 * src=10.1.1.1 | src=192.1.1.1
399 * | in, processed by ip_natin() for x
400 * <------------ | <------------
401 * dst=10.1.1.1 | dst=192.1.1.1
402 * -------------------- -+- -------------------------------------
403 * ip_natout() - changes ip_src and if required, sport
404 * - creates a new mapping, if required.
405 * ip_natin() - changes ip_dst and if required, dport
407 * In the NAT table, internal source is recorded as "in" and externally
412 * Handle ioctls which manipulate the NAT.
414 int nat_ioctl(data, cmd, mode)
415 #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
423 register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
424 int error = 0, ret, arg;
428 #if (BSD >= 199306) && defined(_KERNEL)
429 if ((securelevel >= 2) && (mode & FWRITE))
433 nat = NULL; /* XXX gcc -Wuninitialized */
434 KMALLOC(nt, ipnat_t *);
435 if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
436 error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
437 else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
438 error = IRCOPY(data, (char *)&arg, sizeof(arg));
447 * For add/delete, look to see if the NAT entry is already present
449 WRITE_ENTER(&ipf_nat);
450 if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
452 nat->in_flags &= IPN_USERFLAGS;
453 if ((nat->in_redir & NAT_MAPBLK) == 0) {
454 if ((nat->in_flags & IPN_SPLIT) == 0)
455 nat->in_inip &= nat->in_inmsk;
456 if ((nat->in_flags & IPN_IPRANGE) == 0)
457 nat->in_outip &= nat->in_outmsk;
459 for (np = &nat_list; (n = *np); np = &n->in_next)
460 if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
472 if (!(mode & FWRITE))
475 tmp = ipflog_clear(IPL_LOGNAT);
476 IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));
482 if (!(mode & FWRITE)) {
496 bcopy((char *)nat, (char *)n, sizeof(*n));
497 n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
499 n->in_ifp = (void *)-1;
500 if (n->in_plabel[0] != '\0') {
501 n->in_apr = appr_match(n->in_p, n->in_plabel);
510 if (n->in_redir & NAT_REDIRECT) {
511 n->in_flags &= ~IPN_NOTDST;
514 if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
515 n->in_flags &= ~IPN_NOTSRC;
520 if (n->in_redir & NAT_MAPBLK)
521 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
522 else if (n->in_flags & IPN_AUTOPORTMAP)
523 n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
524 else if (n->in_flags & IPN_IPRANGE)
525 n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
526 else if (n->in_flags & IPN_SPLIT)
529 n->in_space = ~ntohl(n->in_outmsk);
531 * Calculate the number of valid IP addresses in the output
532 * mapping range. In all cases, the range is inclusive of
533 * the start and ending IP addresses.
534 * If to a CIDR address, lose 2: broadcast + network address
536 * If to a range, add one.
537 * If to a single IP address, set to 1.
540 if ((n->in_flags & IPN_IPRANGE) != 0)
546 if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
547 ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
548 n->in_nip = ntohl(n->in_outip) + 1;
549 else if ((n->in_flags & IPN_SPLIT) &&
550 (n->in_redir & NAT_REDIRECT))
551 n->in_nip = ntohl(n->in_inip);
553 n->in_nip = ntohl(n->in_outip);
554 if (n->in_redir & NAT_MAP) {
555 n->in_pnext = ntohs(n->in_pmin);
557 * Multiply by the number of ports made available.
559 if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
560 n->in_space *= (ntohs(n->in_pmax) -
561 ntohs(n->in_pmin) + 1);
563 * Because two different sources can map to
564 * different destinations but use the same
566 * If the result is smaller than in_space, then
567 * we may have wrapped around 32bits.
570 if ((i != 0) && (i != 0xffffffff)) {
571 j = n->in_space * (~ntohl(i) + 1);
572 if (j >= n->in_space)
575 n->in_space = 0xffffffff;
579 * If no protocol is specified, multiple by 256.
581 if ((n->in_flags & IPN_TCPUDP) == 0) {
582 j = n->in_space * 256;
583 if (j >= n->in_space)
586 n->in_space = 0xffffffff;
589 /* Otherwise, these fields are preset */
591 nat_stats.ns_rules++;
594 if (!(mode & FWRITE)) {
603 if (n->in_redir & NAT_REDIRECT)
605 if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
607 if (nat_list == NULL) {
614 appr_free(n->in_apr);
616 nat_stats.ns_rules--;
618 n->in_flags |= IPN_DELETE;
624 MUTEX_DOWNGRADE(&ipf_nat);
625 nat_stats.ns_table[0] = nat_table[0];
626 nat_stats.ns_table[1] = nat_table[1];
627 nat_stats.ns_list = nat_list;
628 nat_stats.ns_nattab_sz = ipf_nattable_sz;
629 nat_stats.ns_rultab_sz = ipf_natrules_sz;
630 nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
631 nat_stats.ns_instances = nat_instances;
632 nat_stats.ns_apslist = ap_sess_list;
633 error = IWCOPYPTR((char *)&nat_stats, (char *)data,
640 MUTEX_DOWNGRADE(&ipf_nat);
641 error = IRCOPYPTR((char *)data, (char *)&nl, sizeof(nl));
645 if (nat_lookupredir(&nl)) {
646 error = IWCOPYPTR((char *)&nl, (char *)data,
652 case SIOCIPFFL : /* old SIOCFLNAT & SIOCCNATL */
653 if (!(mode & FWRITE)) {
659 ret = nat_flushtable();
661 ret = nat_clearlist();
664 MUTEX_DOWNGRADE(&ipf_nat);
666 error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
672 error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
674 error = IWCOPY((caddr_t)&fr_nat_lock, data,
675 sizeof(fr_nat_lock));
683 error = fr_natputent(data);
689 error = fr_natgetsz(data);
695 error = fr_natgetent(data);
701 arg = (int)iplused[IPL_LOGNAT];
702 MUTEX_DOWNGRADE(&ipf_nat);
703 error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
712 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
720 static int fr_natgetsz(data)
728 error = IRCOPY(data, (caddr_t)&ng, sizeof(ng));
737 error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
744 * Make sure the pointer we're copying from exists in the
745 * current list of entries. Security precaution to prevent
746 * copying of random kernel data.
748 for (n = nat_instances; n; n = n->nat_next)
755 ng.ng_sz = sizeof(nat_save_t);
757 if ((aps != NULL) && (aps->aps_data != 0)) {
758 ng.ng_sz += sizeof(ap_session_t);
759 ng.ng_sz += aps->aps_psiz;
762 error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
769 static int fr_natgetent(data)
772 nat_save_t ipn, *ipnp, *ipnn = NULL;
773 register nat_t *n, *nat;
777 error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
780 error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
788 if (nat_instances == NULL)
794 * Make sure the pointer we're copying from exists in the
795 * current list of entries. Security precaution to prevent
796 * copying of random kernel data.
798 for (n = nat_instances; n; n = n->nat_next)
805 ipn.ipn_next = nat->nat_next;
807 bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat));
808 ipn.ipn_nat.nat_data = NULL;
811 bcopy((char *)nat->nat_ptr, (char *)&ipn.ipn_ipnat,
812 sizeof(ipn.ipn_ipnat));
816 bcopy((char *)nat->nat_fr, (char *)&ipn.ipn_rule,
817 sizeof(ipn.ipn_rule));
819 if ((aps = nat->nat_aps)) {
820 ipn.ipn_dsize = sizeof(*aps);
822 ipn.ipn_dsize += aps->aps_psiz;
823 KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize);
826 bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
828 bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps));
830 bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps),
832 ipnn->ipn_dsize += aps->aps_psiz;
834 error = IWCOPY((caddr_t)ipnn, ipnp,
835 sizeof(ipn) + ipn.ipn_dsize);
838 KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize);
840 error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
848 static int fr_natputent(data)
851 nat_save_t ipn, *ipnp, *ipnn = NULL;
852 register nat_t *n, *nat;
859 error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
862 error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
867 KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize);
870 bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
871 error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data,
880 KMALLOC(nat, nat_t *);
886 bcopy((char *)&ipn.ipn_nat, (char *)nat, sizeof(*nat));
888 * Initialize all these so that nat_delete() doesn't cause a crash.
890 nat->nat_phnext[0] = NULL;
891 nat->nat_phnext[1] = NULL;
898 nat->nat_data = NULL;
901 * Restore the rule associated with this nat session
904 KMALLOC(in, ipnat_t *);
910 bcopy((char *)&ipn.ipn_ipnat, (char *)in, sizeof(*in));
912 in->in_flags |= IPN_DELETE;
915 in->in_prnext = NULL;
917 in->in_pmnext = NULL;
918 in->in_ifp = GETUNIT(in->in_ifname, 4);
919 if (in->in_plabel[0] != '\0') {
920 in->in_apr = appr_match(in->in_p, in->in_plabel);
925 * Restore ap_session_t structure. Include the private data allocated
929 KMALLOC(aps, ap_session_t *);
935 aps->aps_next = ap_sess_list;
937 bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
939 aps->aps_apr = in->in_apr;
941 KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
942 if (aps->aps_data == NULL) {
946 bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
950 aps->aps_data = NULL;
955 * If there was a filtering rule associated with this entry then
956 * build up a new one.
959 if (nat->nat_flags & FI_NEWFR) {
960 KMALLOC(fr, frentry_t *);
966 bcopy((char *)&ipn.ipn_fr, (char *)fr, sizeof(*fr));
967 ipn.ipn_nat.nat_fr = fr;
968 error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
974 for (n = nat_instances; n; n = n->nat_next)
985 KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
990 KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
998 * Delete a nat entry from the various lists and table.
1000 static void nat_delete(natd)
1005 if (natd->nat_flags & FI_WILDP)
1006 nat_stats.ns_wilds--;
1007 if (natd->nat_hnext[0])
1008 natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0];
1009 *natd->nat_phnext[0] = natd->nat_hnext[0];
1010 if (natd->nat_hnext[1])
1011 natd->nat_hnext[1]->nat_phnext[1] = natd->nat_phnext[1];
1012 *natd->nat_phnext[1] = natd->nat_hnext[1];
1014 if (natd->nat_fr != NULL) {
1015 ATOMIC_DEC32(natd->nat_fr->fr_ref);
1018 if (natd->nat_hm != NULL)
1019 nat_hostmapdel(natd->nat_hm);
1022 * If there is an active reference from the nat entry to its parent
1023 * rule, decrement the rule's reference count and free it too if no
1024 * longer being used.
1026 ipn = natd->nat_ptr;
1030 if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
1032 appr_free(ipn->in_apr);
1034 nat_stats.ns_rules--;
1038 MUTEX_DESTROY(&natd->nat_lock);
1040 * If there's a fragment table entry too for this nat entry, then
1041 * dereference that as well.
1043 ipfr_forget((void *)natd);
1044 aps_free(natd->nat_aps);
1045 nat_stats.ns_inuse--;
1051 * nat_flushtable - clear the NAT table of all mapping entries.
1053 static int nat_flushtable()
1055 register nat_t *nat, **natp;
1059 * ALL NAT mappings deleted, so lets just make the deletions
1062 if (nat_table[0] != NULL)
1063 bzero((char *)nat_table[0],
1064 sizeof(nat_table[0]) * ipf_nattable_sz);
1065 if (nat_table[1] != NULL)
1066 bzero((char *)nat_table[1],
1067 sizeof(nat_table[1]) * ipf_nattable_sz);
1069 for (natp = &nat_instances; (nat = *natp); ) {
1070 *natp = nat->nat_next;
1072 nat_log(nat, NL_FLUSH);
1077 nat_stats.ns_inuse = 0;
1083 * nat_clearlist - delete all rules in the active NAT mapping list.
1085 static int nat_clearlist()
1087 register ipnat_t *n, **np = &nat_list;
1090 if (nat_rules != NULL)
1091 bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz);
1092 if (rdr_rules != NULL)
1093 bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz);
1099 appr_free(n->in_apr);
1101 nat_stats.ns_rules--;
1103 n->in_flags |= IPN_DELETE;
1115 * Create a new NAT table entry.
1116 * NOTE: assumes write lock on ipf_nat has been obtained already.
1118 nat_t *nat_new(np, ip, fin, flags, direction)
1125 register u_32_t sum1, sum2, sumd, l;
1126 u_short port = 0, sport = 0, dport = 0, nport = 0;
1127 struct in_addr in, inb;
1128 tcphdr_t *tcp = NULL;
1129 hostmap_t *hm = NULL;
1132 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
1133 qif_t *qf = fin->fin_qif;
1136 nflags = flags & np->in_flags;
1137 if (flags & IPN_TCPUDP) {
1138 tcp = (tcphdr_t *)fin->fin_dp;
1139 sport = tcp->th_sport;
1140 dport = tcp->th_dport;
1143 /* Give me a new nat */
1144 KMALLOC(nat, nat_t *);
1146 nat_stats.ns_memfail++;
1150 bzero((char *)nat, sizeof(*nat));
1151 nat->nat_flags = flags;
1152 if (flags & FI_WILDP)
1153 nat_stats.ns_wilds++;
1155 * Search the current table for a match.
1157 if (direction == NAT_OUTBOUND) {
1159 * Values at which the search for a free resouce starts.
1165 * If it's an outbound packet which doesn't match any existing
1166 * record, then create a new port
1170 st_port = np->in_pnext;
1174 in.s_addr = htonl(np->in_nip);
1177 * Check to see if there is an existing NAT
1178 * setup for this IP address pair.
1180 hm = nat_hostmap(np, ip->ip_src, in);
1182 in.s_addr = hm->hm_mapip.s_addr;
1183 } else if ((l == 1) && (hm != NULL)) {
1187 in.s_addr = ntohl(in.s_addr);
1191 if ((np->in_outmsk == 0xffffffff) &&
1192 (np->in_pnext == 0)) {
1197 if (np->in_redir & NAT_MAPBLK) {
1198 if ((l >= np->in_ppip) || ((l > 0) &&
1199 !(flags & IPN_TCPUDP)))
1202 * map-block - Calculate destination address.
1204 in.s_addr = ntohl(ip->ip_src.s_addr);
1205 in.s_addr &= ntohl(~np->in_inmsk);
1206 inb.s_addr = in.s_addr;
1207 in.s_addr /= np->in_ippip;
1208 in.s_addr &= ntohl(~np->in_outmsk);
1209 in.s_addr += ntohl(np->in_outip);
1211 * Calculate destination port.
1213 if ((flags & IPN_TCPUDP) &&
1214 (np->in_ppip != 0)) {
1215 port = ntohs(sport) + l;
1216 port %= np->in_ppip;
1217 port += np->in_ppip *
1218 (inb.s_addr % np->in_ippip);
1219 port += MAPBLK_MINPORT;
1222 } else if (!np->in_outip &&
1223 (np->in_outmsk == 0xffffffff)) {
1225 * 0/32 - use the interface's IP address.
1228 fr_ifpaddr(4, fin->fin_ifp, &in) == -1)
1230 in.s_addr = ntohl(in.s_addr);
1231 } else if (!np->in_outip && !np->in_outmsk) {
1233 * 0/0 - use the original source address/port.
1237 in.s_addr = ntohl(ip->ip_src.s_addr);
1238 } else if ((np->in_outmsk != 0xffffffff) &&
1239 (np->in_pnext == 0) &&
1240 ((l > 0) || (hm == NULL)))
1244 if ((nflags & IPN_TCPUDP) &&
1245 ((np->in_redir & NAT_MAPBLK) == 0) &&
1246 (np->in_flags & IPN_AUTOPORTMAP)) {
1247 if ((l > 0) && (l % np->in_ppip == 0)) {
1248 if (l > np->in_space) {
1250 } else if ((l > np->in_ppip) &&
1251 np->in_outmsk != 0xffffffff)
1254 if (np->in_ppip != 0) {
1255 port = ntohs(sport);
1256 port += (l % np->in_ppip);
1257 port %= np->in_ppip;
1258 port += np->in_ppip *
1259 (ntohl(ip->ip_src.s_addr) %
1261 port += MAPBLK_MINPORT;
1264 } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
1265 (nflags & IPN_TCPUDP) &&
1266 (np->in_pnext != 0)) {
1267 port = htons(np->in_pnext++);
1268 if (np->in_pnext > ntohs(np->in_pmax)) {
1269 np->in_pnext = ntohs(np->in_pmin);
1270 if (np->in_outmsk != 0xffffffff)
1275 if (np->in_flags & IPN_IPRANGE) {
1276 if (np->in_nip > ntohl(np->in_outmsk))
1277 np->in_nip = ntohl(np->in_outip);
1279 if ((np->in_outmsk != 0xffffffff) &&
1280 ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
1281 ntohl(np->in_outip))
1282 np->in_nip = ntohl(np->in_outip) + 1;
1285 if (!port && (flags & IPN_TCPUDP))
1289 * Here we do a lookup of the connection as seen from
1290 * the outside. If an IP# pair already exists, try
1291 * again. So if you have A->B becomes C->B, you can
1292 * also have D->E become C->E but not D->B causing
1293 * another C->B. Also take protocol and ports into
1294 * account when determining whether a pre-existing
1295 * NAT setup will cause an external conflict where
1296 * this is appropriate.
1298 inb.s_addr = htonl(in.s_addr);
1299 natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP,
1300 (u_int)ip->ip_p, ip->ip_dst, inb,
1301 (port << 16) | dport, 1);
1304 * Has the search wrapped around and come back to the
1307 if ((natl != NULL) &&
1308 (np->in_pnext != 0) && (st_port == np->in_pnext) &&
1309 (np->in_nip != 0) && (st_ip == np->in_nip))
1312 } while (natl != NULL);
1314 if (np->in_space > 0)
1317 /* Setup the NAT table */
1318 nat->nat_inip = ip->ip_src;
1319 nat->nat_outip.s_addr = htonl(in.s_addr);
1320 nat->nat_oip = ip->ip_dst;
1321 if (nat->nat_hm == NULL)
1322 nat->nat_hm = nat_hostmap(np, ip->ip_src,
1325 sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport);
1326 sum2 = LONG_SUM(in.s_addr) + ntohs(port);
1328 if (flags & IPN_TCPUDP) {
1329 nat->nat_inport = sport;
1330 nat->nat_outport = port; /* sport */
1331 nat->nat_oport = dport;
1335 * Otherwise, it's an inbound packet. Most likely, we don't
1336 * want to rewrite source ports and source addresses. Instead,
1337 * we want to rewrite to a fixed internal address and fixed
1340 if (np->in_flags & IPN_SPLIT) {
1341 in.s_addr = np->in_nip;
1342 if (np->in_inip == htonl(in.s_addr))
1343 np->in_nip = ntohl(np->in_inmsk);
1345 np->in_nip = ntohl(np->in_inip);
1346 if (np->in_flags & IPN_ROUNDR) {
1352 in.s_addr = ntohl(np->in_inip);
1353 if (np->in_flags & IPN_ROUNDR) {
1362 * Whilst not optimized for the case where
1363 * pmin == pmax, the gain is not significant.
1365 nport = ntohs(dport) - ntohs(np->in_pmin) +
1366 ntohs(np->in_pnext);
1367 nport = htons(nport);
1371 * When the redirect-to address is set to 0.0.0.0, just
1372 * assume a blank `forwarding' of the packet. We don't
1373 * setup any translation for this either.
1375 if (in.s_addr == 0) {
1378 in.s_addr = ntohl(ip->ip_dst.s_addr);
1381 nat->nat_inip.s_addr = htonl(in.s_addr);
1382 nat->nat_outip = ip->ip_dst;
1383 nat->nat_oip = ip->ip_src;
1385 sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr)) + ntohs(dport);
1386 sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
1388 if (flags & IPN_TCPUDP) {
1389 nat->nat_inport = nport;
1390 nat->nat_outport = dport;
1391 nat->nat_oport = sport;
1395 CALC_SUMD(sum1, sum2, sumd);
1396 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1397 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
1398 if ((flags == IPN_TCP) && dohwcksum &&
1399 (qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
1400 if (direction == NAT_OUTBOUND)
1401 sum1 = LONG_SUM(ntohl(in.s_addr));
1403 sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
1404 sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr));
1406 sum1 = (sum1 & 0xffff) + (sum1 >> 16);
1407 nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff);
1410 nat->nat_sumd[1] = nat->nat_sumd[0];
1412 if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
1413 if (direction == NAT_OUTBOUND)
1414 sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
1416 sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr));
1418 sum2 = LONG_SUM(in.s_addr);
1420 CALC_SUMD(sum1, sum2, sumd);
1421 nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
1423 nat->nat_ipsumd = nat->nat_sumd[0];
1425 in.s_addr = htonl(in.s_addr);
1428 strncpy(nat->nat_ifname, IFNAME(fin->fin_ifp), IFNAMSIZ);
1432 nat->nat_dir = direction;
1433 nat->nat_ifp = fin->fin_ifp;
1435 nat->nat_p = ip->ip_p;
1438 nat->nat_fr = fin->fin_fr;
1439 if (nat->nat_fr != NULL) {
1440 ATOMIC_INC32(nat->nat_fr->fr_ref);
1442 if (direction == NAT_OUTBOUND) {
1443 if (flags & IPN_TCPUDP)
1444 tcp->th_sport = port;
1446 if (flags & IPN_TCPUDP)
1447 tcp->th_dport = nport;
1451 nat_log(nat, (u_int)np->in_redir);
1455 nat_stats.ns_badnat++;
1456 if ((hm = nat->nat_hm) != NULL)
1463 void nat_insert(nat)
1469 MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
1471 nat->nat_age = fr_defnatage;
1472 nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
1473 if (nat->nat_ifname[0] !='\0') {
1474 nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
1477 nat->nat_next = nat_instances;
1478 nat_instances = nat;
1480 hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
1482 natp = &nat_table[0][hv];
1484 (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
1485 nat->nat_phnext[0] = natp;
1486 nat->nat_hnext[0] = *natp;
1489 hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
1491 natp = &nat_table[1][hv];
1493 (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
1494 nat->nat_phnext[1] = natp;
1495 nat->nat_hnext[1] = *natp;
1498 nat_stats.ns_added++;
1499 nat_stats.ns_inuse++;
1503 nat_t *nat_icmplookup(ip, fin, dir)
1509 tcphdr_t *tcp = NULL;
1511 int flags = 0, type, minlen;
1513 icmp = (icmphdr_t *)fin->fin_dp;
1515 * Does it at least have the return (basic) IP header ?
1516 * Only a basic IP header (no options) should be with an ICMP error
1519 if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
1521 type = icmp->icmp_type;
1523 * If it's not an error type, then return.
1525 if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
1526 (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
1527 (type != ICMP_PARAMPROB))
1530 oip = (ip_t *)((char *)fin->fin_dp + 8);
1531 minlen = (oip->ip_hl << 2);
1532 if (minlen < sizeof(ip_t))
1534 if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
1537 * Is the buffer big enough for all of it ? It's the size of the IP
1538 * header claimed in the encapsulated part which is of concern. It
1539 * may be too big to be in this buffer but not so big that it's
1540 * outside the ICMP packet, leading to TCP deref's causing problems.
1541 * This is possible because we don't know how big oip_hl is when we
1542 * do the pullup early in fr_check() and thus can't gaurantee it is
1551 if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
1554 m = *(mb_t **)fin->fin_mp;
1555 if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
1556 (char *)ip + m->m_len)
1562 if (oip->ip_p == IPPROTO_TCP)
1564 else if (oip->ip_p == IPPROTO_UDP)
1566 if (flags & IPN_TCPUDP) {
1567 minlen += 8; /* + 64bits of data to get ports */
1568 if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
1570 tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
1571 if (dir == NAT_INBOUND)
1572 return nat_inlookup(fin->fin_ifp, flags,
1573 (u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
1574 (tcp->th_sport << 16) | tcp->th_dport, 0);
1576 return nat_outlookup(fin->fin_ifp, flags,
1577 (u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
1578 (tcp->th_sport << 16) | tcp->th_dport, 0);
1580 if (dir == NAT_INBOUND)
1581 return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
1582 oip->ip_dst, oip->ip_src, 0, 0);
1584 return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
1585 oip->ip_dst, oip->ip_src, 0, 0);
1590 * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
1591 * packet gets correctly recognised.
1593 nat_t *nat_icmp(ip, fin, nflags, dir)
1599 u_32_t sum1, sum2, sumd, sumd2 = 0;
1607 if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
1610 * nat_icmplookup() will return NULL for `defective' packets.
1612 if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
1614 *nflags = IPN_ICMPERR;
1615 icmp = (icmphdr_t *)fin->fin_dp;
1616 oip = (ip_t *)&icmp->icmp_ip;
1617 if (oip->ip_p == IPPROTO_TCP)
1619 else if (oip->ip_p == IPPROTO_UDP)
1621 udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
1623 * Need to adjust ICMP header to include the real IP#'s and
1624 * port #'s. Only apply a checksum change relative to the
1625 * IP address change as it will be modified again in ip_natout
1626 * for both address and port. Two checksum changes are
1627 * necessary for the two header address changes. Be careful
1628 * to only modify the checksum once for the port # and twice
1634 * Fix the IP addresses in the offending IP packet. You also need
1635 * to adjust the IP header checksum of that offending IP packet
1636 * and the ICMP checksum of the ICMP error message itself.
1638 * Unfortunately, for UDP and TCP, the IP addresses are also contained
1639 * in the pseudo header that is used to compute the UDP resp. TCP
1640 * checksum. So, we must compensate that as well. Even worse, the
1641 * change in the UDP and TCP checksums require yet another
1642 * adjustment of the ICMP checksum of the ICMP error message.
1644 * For the moment we forget about TCP, because that checksum is not
1645 * in the first 8 bytes, so it will not be available in most cases.
1648 if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
1649 sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
1653 sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
1654 in = nat->nat_outip;
1658 sum2 = LONG_SUM(ntohl(in.s_addr));
1660 CALC_SUMD(sum1, sum2, sumd);
1662 if (nat->nat_dir == NAT_OUTBOUND) {
1664 * Fix IP checksum of the offending IP packet to adjust for
1665 * the change in the IP address.
1667 * Normally, you would expect that the ICMP checksum of the
1668 * ICMP error message needs to be adjusted as well for the
1669 * IP address change in oip.
1670 * However, this is a NOP, because the ICMP checksum is
1671 * calculated over the complete ICMP packet, which includes the
1672 * changed oip IP addresses and oip->ip_sum. However, these
1673 * two changes cancel each other out (if the delta for
1674 * the IP address is x, then the delta for ip_sum is minus x),
1675 * so no change in the icmp_cksum is necessary.
1677 * Be careful that nat_dir refers to the direction of the
1678 * offending IP packet (oip), not to its ICMP response (icmp)
1680 fix_datacksum(&oip->ip_sum, sumd);
1683 * Fix UDP pseudo header checksum to compensate for the
1684 * IP address change.
1686 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1688 * The UDP checksum is optional, only adjust it
1689 * if it has been set.
1691 sum1 = ntohs(udp->uh_sum);
1692 fix_datacksum(&udp->uh_sum, sumd);
1693 sum2 = ntohs(udp->uh_sum);
1696 * Fix ICMP checksum to compensate the UDP
1697 * checksum adjustment.
1699 CALC_SUMD(sum1, sum2, sumd);
1705 * Fix TCP pseudo header checksum to compensate for the
1706 * IP address change. Before we can do the change, we
1707 * must make sure that oip is sufficient large to hold
1708 * the TCP checksum (normally it does not!).
1710 if (oip->ip_p == IPPROTO_TCP) {
1717 * Fix IP checksum of the offending IP packet to adjust for
1718 * the change in the IP address.
1720 * Normally, you would expect that the ICMP checksum of the
1721 * ICMP error message needs to be adjusted as well for the
1722 * IP address change in oip.
1723 * However, this is a NOP, because the ICMP checksum is
1724 * calculated over the complete ICMP packet, which includes the
1725 * changed oip IP addresses and oip->ip_sum. However, these
1726 * two changes cancel each other out (if the delta for
1727 * the IP address is x, then the delta for ip_sum is minus x),
1728 * so no change in the icmp_cksum is necessary.
1730 * Be careful that nat_dir refers to the direction of the
1731 * offending IP packet (oip), not to its ICMP response (icmp)
1733 fix_datacksum(&oip->ip_sum, sumd);
1735 /* XXX FV : without having looked at Solaris source code, it seems unlikely
1736 * that SOLARIS would compensate this in the kernel (a body of an IP packet
1737 * in the data section of an ICMP packet). I have the feeling that this should
1738 * be unconditional, but I'm not in a position to check.
1740 #if !SOLARIS && !defined(__sgi)
1742 * Fix UDP pseudo header checksum to compensate for the
1743 * IP address change.
1745 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1747 * The UDP checksum is optional, only adjust it
1748 * if it has been set
1750 sum1 = ntohs(udp->uh_sum);
1751 fix_datacksum(&udp->uh_sum, sumd);
1752 sum2 = ntohs(udp->uh_sum);
1755 * Fix ICMP checksum to compensate the UDP
1756 * checksum adjustment.
1758 CALC_SUMD(sum1, sum2, sumd);
1764 * Fix TCP pseudo header checksum to compensate for the
1765 * IP address change. Before we can do the change, we
1766 * must make sure that oip is sufficient large to hold
1767 * the TCP checksum (normally it does not!).
1769 if (oip->ip_p == IPPROTO_TCP) {
1777 if ((flags & IPN_TCPUDP) != 0) {
1781 * XXX - what if this is bogus hl and we go off the end ?
1782 * In this case, nat_icmpinlookup() will have returned NULL.
1784 tcp = (tcphdr_t *)udp;
1788 * For offending TCP/UDP IP packets, translate the ports as
1789 * well, based on the NAT specification. Of course such
1790 * a change must be reflected in the ICMP checksum as well.
1792 * Advance notice : Now it becomes complicated :-)
1794 * Since the port fields are part of the TCP/UDP checksum
1795 * of the offending IP packet, you need to adjust that checksum
1796 * as well... but, if you change, you must change the icmp
1797 * checksum *again*, to reflect that change.
1799 * To further complicate: the TCP checksum is not in the first
1800 * 8 bytes of the offending ip packet, so it most likely is not
1801 * available (we might have to fix that if the encounter a
1802 * device that returns more than 8 data bytes on icmp error)
1805 if (nat->nat_oport == tcp->th_dport) {
1806 if (tcp->th_sport != nat->nat_inport) {
1808 * Fix ICMP checksum to compensate port
1811 sum1 = ntohs(tcp->th_sport);
1812 sum2 = ntohs(nat->nat_inport);
1813 CALC_SUMD(sum1, sum2, sumd);
1815 tcp->th_sport = nat->nat_inport;
1818 * Fix udp checksum to compensate port
1819 * adjustment. NOTE : the offending IP packet
1820 * flows the other direction compared to the
1823 * The UDP checksum is optional, only adjust
1824 * it if it has been set.
1826 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1828 sum1 = ntohs(udp->uh_sum);
1829 fix_datacksum(&udp->uh_sum, sumd);
1830 sum2 = ntohs(udp->uh_sum);
1833 * Fix ICMP checksum to
1834 * compensate UDP checksum
1837 CALC_SUMD(sum1, sum2, sumd);
1842 if (tcp->th_dport != nat->nat_outport) {
1844 * Fix ICMP checksum to compensate port
1847 sum1 = ntohs(tcp->th_dport);
1848 sum2 = ntohs(nat->nat_outport);
1849 CALC_SUMD(sum1, sum2, sumd);
1851 tcp->th_dport = nat->nat_outport;
1854 * Fix udp checksum to compensate port
1855 * adjustment. NOTE : the offending IP
1856 * packet flows the other direction compared
1857 * to the ICMP message.
1859 * The UDP checksum is optional, only adjust
1860 * it if it has been set.
1862 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1864 sum1 = ntohs(udp->uh_sum);
1865 fix_datacksum(&udp->uh_sum, sumd);
1866 sum2 = ntohs(udp->uh_sum);
1869 * Fix ICMP checksum to compensate
1870 * UDP checksum adjustment.
1872 CALC_SUMD(sum1, sum2, sumd);
1878 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1879 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1880 if (nat->nat_dir == NAT_OUTBOUND) {
1881 fix_outcksum(&icmp->icmp_cksum, sumd2);
1883 fix_incksum(&icmp->icmp_cksum, sumd2);
1887 nat->nat_age = fr_defnaticmpage;
1893 * NB: these lookups don't lock access to the list, it assume it has already
1897 * Lookup a nat entry based on the mapped destination ip address/port and
1898 * real source address/port. We use this lookup when receiving a packet,
1899 * we're looking for a table entry, based on the destination address.
1900 * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
1902 nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports, rw)
1904 register u_int flags, p;
1905 struct in_addr src , mapdst;
1909 register u_short sport, dport;
1910 register nat_t *nat;
1911 register int nflags;
1912 register u_32_t dst;
1915 dst = mapdst.s_addr;
1916 dport = ports >> 16;
1917 sport = ports & 0xffff;
1918 flags &= IPN_TCPUDP;
1920 hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz);
1921 nat = nat_table[1][hv];
1922 for (; nat; nat = nat->nat_hnext[1]) {
1923 nflags = nat->nat_flags;
1924 if ((!ifp || ifp == nat->nat_ifp) &&
1925 nat->nat_oip.s_addr == src.s_addr &&
1926 nat->nat_outip.s_addr == dst &&
1927 (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP)))
1928 || (p == nat->nat_p)) && (!flags ||
1929 (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
1930 ((nat->nat_outport == dport) || (nflags & FI_W_SPORT)))))
1933 if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
1936 RWLOCK_EXIT(&ipf_nat);
1938 hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz);
1940 WRITE_ENTER(&ipf_nat);
1942 nat = nat_table[1][hv];
1943 for (; nat; nat = nat->nat_hnext[1]) {
1944 nflags = nat->nat_flags;
1945 if (ifp && ifp != nat->nat_ifp)
1947 if (!(nflags & IPN_TCPUDP))
1949 if (!(nflags & FI_WILDP))
1951 if (nat->nat_oip.s_addr != src.s_addr ||
1952 nat->nat_outip.s_addr != dst)
1954 if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
1955 ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) {
1956 nat_tabmove(nat, ports);
1961 MUTEX_DOWNGRADE(&ipf_nat);
1968 * This function is only called for TCP/UDP NAT table entries where the
1969 * original was placed in the table without hashing on the ports and we now
1970 * want to include hashing on port numbers.
1972 static void nat_tabmove(nat, ports)
1976 register u_short sport, dport;
1980 dport = ports >> 16;
1981 sport = ports & 0xffff;
1983 if (nat->nat_oport == dport) {
1984 nat->nat_inport = sport;
1985 nat->nat_outport = sport;
1989 * Remove the NAT entry from the old location
1991 if (nat->nat_hnext[0])
1992 nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
1993 *nat->nat_phnext[0] = nat->nat_hnext[0];
1995 if (nat->nat_hnext[1])
1996 nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
1997 *nat->nat_phnext[1] = nat->nat_hnext[1];
2000 * Add into the NAT table in the new position
2002 hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz);
2003 natp = &nat_table[0][hv];
2005 (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
2006 nat->nat_phnext[0] = natp;
2007 nat->nat_hnext[0] = *natp;
2010 hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz);
2011 natp = &nat_table[1][hv];
2013 (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
2014 nat->nat_phnext[1] = natp;
2015 nat->nat_hnext[1] = *natp;
2021 * Lookup a nat entry based on the source 'real' ip address/port and
2022 * destination address/port. We use this lookup when sending a packet out,
2023 * we're looking for a table entry, based on the source address.
2024 * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
2026 nat_t *nat_outlookup(ifp, flags, p, src, dst, ports, rw)
2028 register u_int flags, p;
2029 struct in_addr src , dst;
2033 register u_short sport, dport;
2034 register nat_t *nat;
2035 register int nflags;
2039 sport = ports & 0xffff;
2040 dport = ports >> 16;
2041 flags &= IPN_TCPUDP;
2044 hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz);
2045 nat = nat_table[0][hv];
2046 for (; nat; nat = nat->nat_hnext[0]) {
2047 nflags = nat->nat_flags;
2049 if ((!ifp || ifp == nat->nat_ifp) &&
2050 nat->nat_inip.s_addr == srcip &&
2051 nat->nat_oip.s_addr == dst.s_addr &&
2052 (((p == 0) && (flags == (nflags & IPN_TCPUDP)))
2053 || (p == nat->nat_p)) && (!flags ||
2054 ((nat->nat_inport == sport || nflags & FI_W_SPORT) &&
2055 (nat->nat_oport == dport || nflags & FI_W_DPORT))))
2058 if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
2061 RWLOCK_EXIT(&ipf_nat);
2063 hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);
2065 WRITE_ENTER(&ipf_nat);
2067 nat = nat_table[0][hv];
2068 for (; nat; nat = nat->nat_hnext[0]) {
2069 nflags = nat->nat_flags;
2070 if (ifp && ifp != nat->nat_ifp)
2072 if (!(nflags & IPN_TCPUDP))
2074 if (!(nflags & FI_WILDP))
2076 if ((nat->nat_inip.s_addr != srcip) ||
2077 (nat->nat_oip.s_addr != dst.s_addr))
2079 if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) &&
2080 ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) {
2081 nat_tabmove(nat, ports);
2086 MUTEX_DOWNGRADE(&ipf_nat);
2093 * Lookup the NAT tables to search for a matching redirect
2095 nat_t *nat_lookupredir(np)
2096 register natlookup_t *np;
2101 ports = (np->nl_outport << 16) | np->nl_inport;
2103 * If nl_inip is non null, this is a lookup based on the real
2104 * ip address. Else, we use the fake.
2106 if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip,
2107 np->nl_outip, ports, 0))) {
2108 np->nl_realip = nat->nat_outip;
2109 np->nl_realport = nat->nat_outport;
2115 static int nat_match(fin, np, ip)
2125 if (np->in_p && ip->ip_p != np->in_p)
2128 if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
2130 if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
2131 ^ ((np->in_flags & IPN_NOTSRC) != 0))
2133 if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
2134 ^ ((np->in_flags & IPN_NOTDST) != 0))
2137 if (!(np->in_redir & NAT_REDIRECT))
2139 if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
2140 ^ ((np->in_flags & IPN_NOTSRC) != 0))
2142 if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
2143 ^ ((np->in_flags & IPN_NOTDST) != 0))
2148 if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
2149 (fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
2150 if (ft->ftu_scmp || ft->ftu_dcmp)
2155 return fr_tcpudpchk(ft, fin);
2160 * Packets going out on the external interface go through this.
2161 * Here, the source address requires alteration, if anything.
2163 int ip_natout(ip, fin)
2167 register ipnat_t *np = NULL;
2168 register u_32_t ipa;
2169 tcphdr_t *tcp = NULL;
2170 u_short sport = 0, dport = 0, *csump = NULL;
2174 u_int nflags = 0, hv, msk;
2179 if (nat_list == NULL || (fr_nat_lock))
2182 if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
2183 fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
2184 ifp = fr->fr_tif.fd_ifp;
2188 if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
2189 if (ip->ip_p == IPPROTO_TCP)
2191 else if (ip->ip_p == IPPROTO_UDP)
2193 if ((nflags & IPN_TCPUDP)) {
2194 tcp = (tcphdr_t *)fin->fin_dp;
2195 sport = tcp->th_sport;
2196 dport = tcp->th_dport;
2200 ipa = ip->ip_src.s_addr;
2202 READ_ENTER(&ipf_nat);
2204 if ((ip->ip_p == IPPROTO_ICMP) &&
2205 (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
2207 else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
2208 (nat = ipfr_nat_knownfrag(ip, fin)))
2210 else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p,
2211 ip->ip_src, ip->ip_dst,
2212 (dport << 16) | sport, 0))) {
2213 nflags = nat->nat_flags;
2214 if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
2215 if ((nflags & FI_W_SPORT) &&
2216 (nat->nat_inport != sport))
2217 nat->nat_inport = sport;
2218 else if ((nflags & FI_W_DPORT) &&
2219 (nat->nat_oport != dport))
2220 nat->nat_oport = dport;
2221 if (nat->nat_outport == 0)
2222 nat->nat_outport = sport;
2223 nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT);
2224 nflags = nat->nat_flags;
2225 nat_stats.ns_wilds--;
2228 RWLOCK_EXIT(&ipf_nat);
2229 WRITE_ENTER(&ipf_nat);
2231 * If there is no current entry in the nat table for this IP#,
2232 * create one for it (if there is a matching rule).
2237 iph = ipa & htonl(msk);
2238 hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
2239 for (np = nat_rules[hv]; np; np = np->in_mnext)
2241 if ((np->in_ifp && (np->in_ifp != ifp)) ||
2244 if ((np->in_flags & IPN_RF) &&
2245 !(np->in_flags & nflags))
2247 if (np->in_flags & IPN_FILTER) {
2248 if (!nat_match(fin, np, ip))
2250 } else if ((ipa & np->in_inmsk) != np->in_inip)
2252 if (np->in_redir & (NAT_MAP|NAT_MAPBLK)) {
2253 if (*np->in_plabel && !appr_ok(ip, tcp, np))
2256 * If it's a redirection, then we don't want to
2257 * create new outgoing port stuff.
2258 * Redirections are only for incoming
2261 if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
2263 if ((nat = nat_new(np, ip, fin, (u_int)nflags,
2270 if ((np == NULL) && (i > 0)) {
2274 } while ((i >= 0) && ((nat_masks & (1 << i)) == 0));
2278 MUTEX_DOWNGRADE(&ipf_nat);
2282 * NOTE: ipf_nat must now only be held as a read lock
2286 if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) &&
2287 np && (np->in_flags & IPN_FRAG))
2288 ipfr_nat_newfrag(ip, fin, 0, nat);
2289 MUTEX_ENTER(&nat->nat_lock);
2290 nat->nat_age = fr_defnatage;
2291 nat->nat_bytes += ip->ip_len;
2293 MUTEX_EXIT(&nat->nat_lock);
2296 * Fix up checksums, not by recalculating them, but
2297 * simply computing adjustments.
2299 if (nflags == IPN_ICMPERR) {
2300 u_32_t s1, s2, sumd;
2302 s1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
2303 s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
2304 CALC_SUMD(s1, s2, sumd);
2306 if (nat->nat_dir == NAT_OUTBOUND)
2307 fix_incksum(&ip->ip_sum, sumd);
2309 fix_outcksum(&ip->ip_sum, sumd);
2311 #if SOLARIS || defined(__sgi)
2313 if (nat->nat_dir == NAT_OUTBOUND)
2314 fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
2316 fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
2319 ip->ip_src = nat->nat_outip;
2321 if (!(ip->ip_off & IP_OFFMASK) &&
2322 !(fin->fin_fi.fi_fl & FI_SHORT)) {
2324 if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
2325 tcp->th_sport = nat->nat_outport;
2326 fin->fin_data[0] = ntohs(tcp->th_sport);
2329 if (ip->ip_p == IPPROTO_TCP) {
2330 csump = &tcp->th_sum;
2331 MUTEX_ENTER(&nat->nat_lock);
2332 fr_tcp_age(&nat->nat_age,
2333 nat->nat_tcpstate, fin, 1);
2334 if (nat->nat_age < fr_defnaticmpage)
2335 nat->nat_age = fr_defnaticmpage;
2337 else if (nat->nat_age > fr_defnatage)
2338 nat->nat_age = fr_defnatage;
2341 * Increase this because we may have
2342 * "keep state" following this too and
2343 * packet storms can occur if this is
2344 * removed too quickly.
2346 if (nat->nat_age == fr_tcpclosed)
2347 nat->nat_age = fr_tcplastack;
2348 MUTEX_EXIT(&nat->nat_lock);
2349 } else if (ip->ip_p == IPPROTO_UDP) {
2350 udphdr_t *udp = (udphdr_t *)tcp;
2353 csump = &udp->uh_sum;
2354 } else if (ip->ip_p == IPPROTO_ICMP) {
2355 nat->nat_age = fr_defnaticmpage;
2359 if (nat->nat_dir == NAT_OUTBOUND)
2360 fix_outcksum(csump, nat->nat_sumd[1]);
2362 fix_incksum(csump, nat->nat_sumd[1]);
2366 if ((np->in_apr != NULL) && (np->in_dport == 0 ||
2367 (tcp != NULL && dport == np->in_dport))) {
2368 i = appr_check(ip, fin, nat);
2373 ATOMIC_INCL(nat_stats.ns_mapped[1]);
2374 RWLOCK_EXIT(&ipf_nat); /* READ */
2377 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
2383 * Packets coming in from the external interface go through this.
2384 * Here, the destination address requires alteration, if anything.
2386 int ip_natin(ip, fin)
2390 register struct in_addr src;
2391 register struct in_addr in;
2392 register ipnat_t *np;
2393 u_int nflags = 0, natadd = 1, hv, msk;
2394 struct ifnet *ifp = fin->fin_ifp;
2395 tcphdr_t *tcp = NULL;
2396 u_short sport = 0, dport = 0, *csump = NULL;
2401 if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
2404 if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
2405 if (ip->ip_p == IPPROTO_TCP)
2407 else if (ip->ip_p == IPPROTO_UDP)
2409 if ((nflags & IPN_TCPUDP)) {
2410 tcp = (tcphdr_t *)fin->fin_dp;
2411 dport = tcp->th_dport;
2412 sport = tcp->th_sport;
2417 /* make sure the source address is to be redirected */
2420 READ_ENTER(&ipf_nat);
2422 if ((ip->ip_p == IPPROTO_ICMP) &&
2423 (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
2425 else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
2426 (nat = ipfr_nat_knownfrag(ip, fin)))
2428 else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
2429 ip->ip_src, in, (dport << 16) | sport,
2431 nflags = nat->nat_flags;
2432 if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
2433 if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT))
2434 nat->nat_oport = sport;
2435 else if ((nat->nat_outport != dport) &&
2436 (nflags & FI_W_SPORT))
2437 nat->nat_outport = dport;
2438 nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT);
2439 nflags = nat->nat_flags;
2440 nat_stats.ns_wilds--;
2443 RWLOCK_EXIT(&ipf_nat);
2444 WRITE_ENTER(&ipf_nat);
2446 * If there is no current entry in the nat table for this IP#,
2447 * create one for it (if there is a matching rule).
2452 iph = in.s_addr & htonl(msk);
2453 hv = NAT_HASH_FN(iph, 0, ipf_rdrrules_sz);
2454 for (np = rdr_rules[hv]; np; np = np->in_rnext) {
2455 if ((np->in_ifp && (np->in_ifp != ifp)) ||
2456 (np->in_p && (np->in_p != ip->ip_p)) ||
2457 (np->in_flags && !(nflags & np->in_flags)))
2459 if (np->in_flags & IPN_FILTER) {
2460 if (!nat_match(fin, np, ip))
2462 } else if ((in.s_addr & np->in_outmsk) != np->in_outip)
2464 if ((np->in_redir & NAT_REDIRECT) &&
2465 (!np->in_pmin || (np->in_flags & IPN_FILTER) ||
2466 ((ntohs(np->in_pmax) >= ntohs(dport)) &&
2467 (ntohs(dport) >= ntohs(np->in_pmin)))))
2468 if ((nat = nat_new(np, ip, fin, nflags,
2475 if ((np == NULL) && (i > 0)) {
2479 } while ((i >= 0) && ((rdr_masks & (1 << i)) == 0));
2483 MUTEX_DOWNGRADE(&ipf_nat);
2487 * NOTE: ipf_nat must now only be held as a read lock
2491 fin->fin_fr = nat->nat_fr;
2492 if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) &&
2493 np && (np->in_flags & IPN_FRAG))
2494 ipfr_nat_newfrag(ip, fin, 0, nat);
2495 if ((np->in_apr != NULL) && (np->in_dport == 0 ||
2496 (tcp != NULL && sport == np->in_dport))) {
2497 i = appr_check(ip, fin, nat);
2499 RWLOCK_EXIT(&ipf_nat);
2504 MUTEX_ENTER(&nat->nat_lock);
2505 if (nflags != IPN_ICMPERR)
2506 nat->nat_age = fr_defnatage;
2508 nat->nat_bytes += ip->ip_len;
2510 MUTEX_EXIT(&nat->nat_lock);
2511 ip->ip_dst = nat->nat_inip;
2512 fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
2515 * Fix up checksums, not by recalculating them, but
2516 * simply computing adjustments.
2518 #if SOLARIS || defined(__sgi)
2519 if (nat->nat_dir == NAT_OUTBOUND)
2520 fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
2522 fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
2524 if (!(ip->ip_off & IP_OFFMASK) &&
2525 !(fin->fin_fi.fi_fl & FI_SHORT)) {
2527 if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
2528 tcp->th_dport = nat->nat_inport;
2529 fin->fin_data[1] = ntohs(tcp->th_dport);
2532 if (ip->ip_p == IPPROTO_TCP) {
2533 csump = &tcp->th_sum;
2534 MUTEX_ENTER(&nat->nat_lock);
2535 fr_tcp_age(&nat->nat_age,
2536 nat->nat_tcpstate, fin, 0);
2537 if (nat->nat_age < fr_defnaticmpage)
2538 nat->nat_age = fr_defnaticmpage;
2540 else if (nat->nat_age > fr_defnatage)
2541 nat->nat_age = fr_defnatage;
2544 * Increase this because we may have
2545 * "keep state" following this too and
2546 * packet storms can occur if this is
2547 * removed too quickly.
2549 if (nat->nat_age == fr_tcpclosed)
2550 nat->nat_age = fr_tcplastack;
2551 MUTEX_EXIT(&nat->nat_lock);
2552 } else if (ip->ip_p == IPPROTO_UDP) {
2553 udphdr_t *udp = (udphdr_t *)tcp;
2556 csump = &udp->uh_sum;
2557 } else if (ip->ip_p == IPPROTO_ICMP) {
2558 nat->nat_age = fr_defnaticmpage;
2562 if (nat->nat_dir == NAT_OUTBOUND)
2563 fix_incksum(csump, nat->nat_sumd[0]);
2565 fix_outcksum(csump, nat->nat_sumd[0]);
2568 ATOMIC_INCL(nat_stats.ns_mapped[0]);
2569 RWLOCK_EXIT(&ipf_nat); /* READ */
2572 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
2578 * Free all memory used by NAT structures allocated at runtime.
2582 WRITE_ENTER(&ipf_nat);
2583 (void) nat_clearlist();
2584 (void) nat_flushtable();
2585 RWLOCK_EXIT(&ipf_nat);
2587 if (nat_table[0] != NULL) {
2588 KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
2589 nat_table[0] = NULL;
2591 if (nat_table[1] != NULL) {
2592 KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
2593 nat_table[1] = NULL;
2595 if (nat_rules != NULL) {
2596 KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
2599 if (rdr_rules != NULL) {
2600 KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
2603 if (maptable != NULL) {
2604 KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
2611 * Slowly expire held state for NAT entries. Timeouts are set in
2612 * expectation of this being called twice per second.
2616 register struct nat *nat, **natp;
2617 #if defined(_KERNEL) && !SOLARIS
2622 WRITE_ENTER(&ipf_nat);
2623 for (natp = &nat_instances; (nat = *natp); ) {
2626 natp = &nat->nat_next;
2629 *natp = nat->nat_next;
2631 nat_log(nat, NL_EXPIRE);
2634 nat_stats.ns_expire++;
2636 RWLOCK_EXIT(&ipf_nat);
2643 void ip_natsync(ifp)
2646 register ipnat_t *n;
2647 register nat_t *nat;
2648 register u_32_t sum1, sum2, sumd;
2652 #if defined(_KERNEL) && !SOLARIS
2657 * Change IP addresses for NAT sessions for any protocol except TCP
2658 * since it will break the TCP connection anyway.
2661 WRITE_ENTER(&ipf_nat);
2662 for (nat = nat_instances; nat; nat = nat->nat_next)
2663 if (((ifp == NULL) || (ifp == nat->nat_ifp)) &&
2664 !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr) &&
2665 (np->in_outmsk == 0xffffffff) && !np->in_nip) {
2666 ifp2 = nat->nat_ifp;
2668 * Change the map-to address to be the same as the
2671 sum1 = nat->nat_outip.s_addr;
2672 if (fr_ifpaddr(4, ifp2, &in) != -1)
2673 nat->nat_outip = in;
2674 sum2 = nat->nat_outip.s_addr;
2679 * Readjust the checksum adjustment to take into
2680 * account the new IP#.
2682 CALC_SUMD(sum1, sum2, sumd);
2683 /* XXX - dont change for TCP when solaris does
2684 * hardware checksumming.
2686 sumd += nat->nat_sumd[0];
2687 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
2688 nat->nat_sumd[1] = nat->nat_sumd[0];
2691 for (n = nat_list; (n != NULL); n = n->in_next)
2692 if (n->in_ifp == ifp) {
2693 n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
2695 n->in_ifp = (void *)-1;
2697 RWLOCK_EXIT(&ipf_nat);
2703 void nat_log(nat, type)
2711 int rulen, types[1];
2713 natl.nl_inip = nat->nat_inip;
2714 natl.nl_outip = nat->nat_outip;
2715 natl.nl_origip = nat->nat_oip;
2716 natl.nl_bytes = nat->nat_bytes;
2717 natl.nl_pkts = nat->nat_pkts;
2718 natl.nl_origport = nat->nat_oport;
2719 natl.nl_inport = nat->nat_inport;
2720 natl.nl_outport = nat->nat_outport;
2721 natl.nl_p = nat->nat_p;
2722 natl.nl_type = type;
2725 if (nat->nat_ptr != NULL) {
2726 for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
2727 if (np == nat->nat_ptr) {
2728 natl.nl_rule = rulen;
2734 sizes[0] = sizeof(natl);
2737 (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1);