2 * Copyright (C) 1995-2001 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
9 #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
14 # include <sys/ptimers.h>
16 #include <sys/errno.h>
17 #include <sys/types.h>
18 #include <sys/param.h>
21 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
23 # include "opt_ipfilter_log.h"
25 #if !defined(_KERNEL) && !defined(KERNEL)
30 #if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
31 # include <sys/filio.h>
32 # include <sys/fcntl.h>
34 # include <sys/ioctl.h>
36 #include <sys/fcntl.h>
38 # include <sys/protosw.h>
40 #include <sys/socket.h>
41 #if defined(_KERNEL) && !defined(linux)
42 # include <sys/systm.h>
44 #if !defined(__SVR4) && !defined(__svr4__)
46 # include <sys/mbuf.h>
49 # include <sys/filio.h>
50 # include <sys/byteorder.h>
52 # include <sys/dditypes.h>
54 # include <sys/stream.h>
55 # include <sys/kmem.h>
57 #if __FreeBSD_version >= 300000
58 # include <sys/queue.h>
61 #if __FreeBSD_version >= 300000
62 # include <net/if_var.h>
63 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
64 # include "opt_ipfilter.h"
70 #include <net/route.h>
71 #include <netinet/in.h>
72 #include <netinet/in_systm.h>
73 #include <netinet/ip.h>
76 # ifdef IFF_DRVRLOCK /* IRIX6 */
77 #include <sys/hashing.h>
78 #include <netinet/in_var.h>
84 # include <vpn/ipsec.h>
85 extern struct ifnet vpnif;
89 # include <netinet/ip_var.h>
90 # include <netinet/tcp_fsm.h>
92 #include <netinet/tcp.h>
93 #include <netinet/udp.h>
94 #include <netinet/ip_icmp.h>
95 #include "netinet/ip_compat.h"
96 #include <netinet/tcpip.h>
97 #include "netinet/ip_fil.h"
98 #include "netinet/ip_nat.h"
99 #include "netinet/ip_frag.h"
100 #include "netinet/ip_state.h"
101 #include "netinet/ip_proxy.h"
102 #if (__FreeBSD_version >= 300000)
103 # include <sys/malloc.h>
106 # define MIN(a,b) (((a)<(b))?(a):(b))
109 #define SOCKADDR_IN struct sockaddr_in
112 static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
113 /* static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.44 2001/07/21 07:17:22 darrenr Exp $"; */
114 static const char rcsid[] = "@(#)$FreeBSD$";
117 nat_t **nat_table[2] = { NULL, NULL },
118 *nat_instances = NULL;
119 ipnat_t *nat_list = NULL;
120 u_int ipf_nattable_sz = NAT_TABLE_SZ;
121 u_int ipf_natrules_sz = NAT_SIZE;
122 u_int ipf_rdrrules_sz = RDR_SIZE;
123 u_int ipf_hostmap_sz = HOSTMAP_SIZE;
124 u_32_t nat_masks = 0;
125 u_32_t rdr_masks = 0;
126 ipnat_t **nat_rules = NULL;
127 ipnat_t **rdr_rules = NULL;
128 hostmap_t **maptable = NULL;
130 u_long fr_defnatage = DEF_NAT_AGE,
131 fr_defnaticmpage = 6; /* 3 seconds */
134 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
135 extern kmutex_t ipf_rw;
136 extern KRWLOCK_T ipf_nat;
139 static int nat_flushtable __P((void));
140 static void nat_addnat __P((struct ipnat *));
141 static void nat_addrdr __P((struct ipnat *));
142 static void nat_delete __P((struct nat *));
143 static void nat_delrdr __P((struct ipnat *));
144 static void nat_delnat __P((struct ipnat *));
145 static int fr_natgetent __P((caddr_t));
146 static int fr_natgetsz __P((caddr_t));
147 static int fr_natputent __P((caddr_t));
148 static void nat_tabmove __P((fr_info_t *, nat_t *));
149 static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
150 static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
152 static void nat_hostmapdel __P((struct hostmap *));
157 KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
158 if (nat_table[0] != NULL)
159 bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
163 KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
164 if (nat_table[1] != NULL)
165 bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
169 KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
170 if (nat_rules != NULL)
171 bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
175 KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
176 if (rdr_rules != NULL)
177 bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
181 KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
182 if (maptable != NULL)
183 bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
190 static void nat_addrdr(n)
198 k = countbits(n->in_outmsk);
199 if ((k >= 0) && (k != 32))
201 j = (n->in_outip & n->in_outmsk);
202 hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
205 np = &(*np)->in_rnext;
212 static void nat_addnat(n)
220 k = countbits(n->in_inmsk);
221 if ((k >= 0) && (k != 32))
223 j = (n->in_inip & n->in_inmsk);
224 hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
227 np = &(*np)->in_mnext;
234 static void nat_delrdr(n)
238 n->in_rnext->in_prnext = n->in_prnext;
239 *n->in_prnext = n->in_rnext;
243 static void nat_delnat(n)
247 n->in_mnext->in_pmnext = n->in_pmnext;
248 *n->in_pmnext = n->in_mnext;
253 * check if an ip address has already been allocated for a given mapping that
254 * is not doing port based translation.
256 * Must be called with ipf_nat held as a write lock.
258 static struct hostmap *nat_hostmap(np, real, map)
266 hv = real.s_addr % HOSTMAP_SIZE;
267 for (hm = maptable[hv]; hm; hm = hm->hm_next)
268 if ((hm->hm_realip.s_addr == real.s_addr) &&
269 (np == hm->hm_ipnat)) {
274 KMALLOC(hm, hostmap_t *);
276 hm->hm_next = maptable[hv];
277 hm->hm_pnext = maptable + hv;
279 maptable[hv]->hm_pnext = &hm->hm_next;
282 hm->hm_realip = real;
291 * Must be called with ipf_nat held as a write lock.
293 static void nat_hostmapdel(hm)
296 ATOMIC_DEC32(hm->hm_ref);
297 if (hm->hm_ref == 0) {
299 hm->hm_next->hm_pnext = hm->hm_pnext;
300 *hm->hm_pnext = hm->hm_next;
306 void fix_outcksum(fin, sp, n)
311 register u_short sumshort;
312 register u_32_t sum1;
316 else if (n & NAT_HW_CKSUM) {
319 n = (n & 0xffff) + (n >> 16);
323 sum1 = (~ntohs(*sp)) & 0xffff;
325 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
327 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
328 sumshort = ~(u_short)sum1;
329 *(sp) = htons(sumshort);
333 void fix_incksum(fin, sp, n)
338 register u_short sumshort;
339 register u_32_t sum1;
343 else if (n & NAT_HW_CKSUM) {
346 n = (n & 0xffff) + (n >> 16);
351 sum1 = (~(*sp)) & 0xffff;
353 sum1 = (~ntohs(*sp)) & 0xffff;
355 sum1 += ~(n) & 0xffff;
356 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
358 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
359 sumshort = ~(u_short)sum1;
360 *(sp) = htons(sumshort);
365 * fix_datacksum is used *only* for the adjustments of checksums in the data
366 * section of an IP packet.
368 * The only situation in which you need to do this is when NAT'ing an
369 * ICMP error message. Such a message, contains in its body the IP header
370 * of the original IP packet, that causes the error.
372 * You can't use fix_incksum or fix_outcksum in that case, because for the
373 * kernel the data section of the ICMP error is just data, and no special
374 * processing like hardware cksum or ntohs processing have been done by the
375 * kernel on the data section.
377 void fix_datacksum(sp, n)
381 register u_short sumshort;
382 register u_32_t sum1;
387 sum1 = (~ntohs(*sp)) & 0xffff;
389 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
391 sum1 = (sum1 >> 16) + (sum1 & 0xffff);
392 sumshort = ~(u_short)sum1;
393 *(sp) = htons(sumshort);
397 * How the NAT is organised and works.
399 * Inside (interface y) NAT Outside (interface x)
400 * -------------------- -+- -------------------------------------
401 * Packet going | out, processsed by ip_natout() for x
402 * ------------> | ------------>
403 * src=10.1.1.1 | src=192.1.1.1
405 * | in, processed by ip_natin() for x
406 * <------------ | <------------
407 * dst=10.1.1.1 | dst=192.1.1.1
408 * -------------------- -+- -------------------------------------
409 * ip_natout() - changes ip_src and if required, sport
410 * - creates a new mapping, if required.
411 * ip_natin() - changes ip_dst and if required, dport
413 * In the NAT table, internal source is recorded as "in" and externally
418 * Handle ioctls which manipulate the NAT.
420 int nat_ioctl(data, cmd, mode)
421 #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
429 register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
430 int error = 0, ret, arg;
434 #if (BSD >= 199306) && defined(_KERNEL)
435 if ((securelevel >= 3) && (mode & FWRITE))
439 nat = NULL; /* XXX gcc -Wuninitialized */
440 KMALLOC(nt, ipnat_t *);
441 if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
442 error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
443 else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
444 error = IRCOPY(data, (char *)&arg, sizeof(arg));
453 * For add/delete, look to see if the NAT entry is already present
455 WRITE_ENTER(&ipf_nat);
456 if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
458 nat->in_flags &= IPN_USERFLAGS;
459 if ((nat->in_redir & NAT_MAPBLK) == 0) {
460 if ((nat->in_flags & IPN_SPLIT) == 0)
461 nat->in_inip &= nat->in_inmsk;
462 if ((nat->in_flags & IPN_IPRANGE) == 0)
463 nat->in_outip &= nat->in_outmsk;
465 for (np = &nat_list; (n = *np); np = &n->in_next)
466 if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
478 if (!(mode & FWRITE))
481 tmp = ipflog_clear(IPL_LOGNAT);
482 IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));
488 if (!(mode & FWRITE)) {
502 bcopy((char *)nat, (char *)n, sizeof(*n));
503 n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
505 n->in_ifp = (void *)-1;
506 if (n->in_plabel[0] != '\0') {
507 n->in_apr = appr_lookup(n->in_p, n->in_plabel);
516 if (n->in_redir & NAT_REDIRECT) {
517 n->in_flags &= ~IPN_NOTDST;
520 if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
521 n->in_flags &= ~IPN_NOTSRC;
526 if (n->in_redir & NAT_MAPBLK)
527 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
528 else if (n->in_flags & IPN_AUTOPORTMAP)
529 n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
530 else if (n->in_flags & IPN_IPRANGE)
531 n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
532 else if (n->in_flags & IPN_SPLIT)
535 n->in_space = ~ntohl(n->in_outmsk);
537 * Calculate the number of valid IP addresses in the output
538 * mapping range. In all cases, the range is inclusive of
539 * the start and ending IP addresses.
540 * If to a CIDR address, lose 2: broadcast + network address
542 * If to a range, add one.
543 * If to a single IP address, set to 1.
546 if ((n->in_flags & IPN_IPRANGE) != 0)
552 if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
553 ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
554 n->in_nip = ntohl(n->in_outip) + 1;
555 else if ((n->in_flags & IPN_SPLIT) &&
556 (n->in_redir & NAT_REDIRECT))
557 n->in_nip = ntohl(n->in_inip);
559 n->in_nip = ntohl(n->in_outip);
560 if (n->in_redir & NAT_MAP) {
561 n->in_pnext = ntohs(n->in_pmin);
563 * Multiply by the number of ports made available.
565 if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
566 n->in_space *= (ntohs(n->in_pmax) -
567 ntohs(n->in_pmin) + 1);
569 * Because two different sources can map to
570 * different destinations but use the same
572 * If the result is smaller than in_space, then
573 * we may have wrapped around 32bits.
576 if ((i != 0) && (i != 0xffffffff)) {
577 j = n->in_space * (~ntohl(i) + 1);
578 if (j >= n->in_space)
581 n->in_space = 0xffffffff;
585 * If no protocol is specified, multiple by 256.
587 if ((n->in_flags & IPN_TCPUDP) == 0) {
588 j = n->in_space * 256;
589 if (j >= n->in_space)
592 n->in_space = 0xffffffff;
595 /* Otherwise, these fields are preset */
597 nat_stats.ns_rules++;
600 if (!(mode & FWRITE)) {
609 if (n->in_redir & NAT_REDIRECT)
611 if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
613 if (nat_list == NULL) {
620 appr_free(n->in_apr);
622 nat_stats.ns_rules--;
624 n->in_flags |= IPN_DELETE;
630 MUTEX_DOWNGRADE(&ipf_nat);
631 nat_stats.ns_table[0] = nat_table[0];
632 nat_stats.ns_table[1] = nat_table[1];
633 nat_stats.ns_list = nat_list;
634 nat_stats.ns_maptable = maptable;
635 nat_stats.ns_nattab_sz = ipf_nattable_sz;
636 nat_stats.ns_rultab_sz = ipf_natrules_sz;
637 nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
638 nat_stats.ns_hostmap_sz = ipf_hostmap_sz;
639 nat_stats.ns_instances = nat_instances;
640 nat_stats.ns_apslist = ap_sess_list;
641 error = IWCOPYPTR((char *)&nat_stats, (char *)data,
648 MUTEX_DOWNGRADE(&ipf_nat);
649 error = IRCOPYPTR((char *)data, (char *)&nl, sizeof(nl));
653 if (nat_lookupredir(&nl)) {
654 error = IWCOPYPTR((char *)&nl, (char *)data,
660 case SIOCIPFFL : /* old SIOCFLNAT & SIOCCNATL */
661 if (!(mode & FWRITE)) {
667 ret = nat_flushtable();
669 ret = nat_clearlist();
672 MUTEX_DOWNGRADE(&ipf_nat);
674 error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
680 error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
682 error = IWCOPY((caddr_t)&fr_nat_lock, data,
683 sizeof(fr_nat_lock));
691 error = fr_natputent(data);
697 error = fr_natgetsz(data);
703 error = fr_natgetent(data);
709 arg = (int)iplused[IPL_LOGNAT];
710 MUTEX_DOWNGRADE(&ipf_nat);
711 error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
720 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
728 static int fr_natgetsz(data)
736 error = IRCOPY(data, (caddr_t)&ng, sizeof(ng));
745 error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
752 * Make sure the pointer we're copying from exists in the
753 * current list of entries. Security precaution to prevent
754 * copying of random kernel data.
756 for (n = nat_instances; n; n = n->nat_next)
763 ng.ng_sz = sizeof(nat_save_t);
765 if ((aps != NULL) && (aps->aps_data != 0)) {
766 ng.ng_sz += sizeof(ap_session_t);
767 ng.ng_sz += aps->aps_psiz;
770 error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
777 static int fr_natgetent(data)
780 nat_save_t ipn, *ipnp, *ipnn = NULL;
781 register nat_t *n, *nat;
785 error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
788 error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
796 if (nat_instances == NULL)
802 * Make sure the pointer we're copying from exists in the
803 * current list of entries. Security precaution to prevent
804 * copying of random kernel data.
806 for (n = nat_instances; n; n = n->nat_next)
813 ipn.ipn_next = nat->nat_next;
815 bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat));
816 ipn.ipn_nat.nat_data = NULL;
819 bcopy((char *)nat->nat_ptr, (char *)&ipn.ipn_ipnat,
820 sizeof(ipn.ipn_ipnat));
824 bcopy((char *)nat->nat_fr, (char *)&ipn.ipn_rule,
825 sizeof(ipn.ipn_rule));
827 if ((aps = nat->nat_aps)) {
828 ipn.ipn_dsize = sizeof(*aps);
830 ipn.ipn_dsize += aps->aps_psiz;
831 KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize);
834 bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
836 bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps));
838 bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps),
840 ipnn->ipn_dsize += aps->aps_psiz;
842 error = IWCOPY((caddr_t)ipnn, ipnp,
843 sizeof(ipn) + ipn.ipn_dsize);
846 KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize);
848 error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
856 static int fr_natputent(data)
859 nat_save_t ipn, *ipnp, *ipnn = NULL;
860 register nat_t *n, *nat;
867 error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
870 error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
875 KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize);
878 bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
879 error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data,
888 KMALLOC(nat, nat_t *);
894 bcopy((char *)&ipn.ipn_nat, (char *)nat, sizeof(*nat));
896 * Initialize all these so that nat_delete() doesn't cause a crash.
898 nat->nat_phnext[0] = NULL;
899 nat->nat_phnext[1] = NULL;
907 nat->nat_data = NULL;
908 nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
911 * Restore the rule associated with this nat session
914 KMALLOC(in, ipnat_t *);
920 bcopy((char *)&ipn.ipn_ipnat, (char *)in, sizeof(*in));
922 in->in_flags |= IPN_DELETE;
925 in->in_prnext = NULL;
927 in->in_pmnext = NULL;
928 in->in_ifp = GETUNIT(in->in_ifname, 4);
929 if (in->in_plabel[0] != '\0') {
930 in->in_apr = appr_lookup(in->in_p, in->in_plabel);
935 * Restore ap_session_t structure. Include the private data allocated
939 KMALLOC(aps, ap_session_t *);
945 aps->aps_next = ap_sess_list;
947 bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
949 aps->aps_apr = in->in_apr;
951 KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
952 if (aps->aps_data == NULL) {
956 bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
960 aps->aps_data = NULL;
965 * If there was a filtering rule associated with this entry then
966 * build up a new one.
969 if (nat->nat_flags & FI_NEWFR) {
970 KMALLOC(fr, frentry_t *);
976 bcopy((char *)&ipn.ipn_fr, (char *)fr, sizeof(*fr));
977 ipn.ipn_nat.nat_fr = fr;
978 error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
984 for (n = nat_instances; n; n = n->nat_next)
995 KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
1000 KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
1008 * Delete a nat entry from the various lists and table.
1010 static void nat_delete(natd)
1015 if (natd->nat_flags & FI_WILDP)
1016 nat_stats.ns_wilds--;
1017 if (natd->nat_hnext[0])
1018 natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0];
1019 *natd->nat_phnext[0] = natd->nat_hnext[0];
1020 if (natd->nat_hnext[1])
1021 natd->nat_hnext[1]->nat_phnext[1] = natd->nat_phnext[1];
1022 *natd->nat_phnext[1] = natd->nat_hnext[1];
1023 if (natd->nat_me != NULL)
1024 *natd->nat_me = NULL;
1026 if (natd->nat_fr != NULL) {
1027 ATOMIC_DEC32(natd->nat_fr->fr_ref);
1030 if (natd->nat_hm != NULL)
1031 nat_hostmapdel(natd->nat_hm);
1034 * If there is an active reference from the nat entry to its parent
1035 * rule, decrement the rule's reference count and free it too if no
1036 * longer being used.
1038 ipn = natd->nat_ptr;
1042 if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
1044 appr_free(ipn->in_apr);
1046 nat_stats.ns_rules--;
1050 MUTEX_DESTROY(&natd->nat_lock);
1052 * If there's a fragment table entry too for this nat entry, then
1053 * dereference that as well.
1055 ipfr_forget((void *)natd);
1056 aps_free(natd->nat_aps);
1057 nat_stats.ns_inuse--;
1063 * nat_flushtable - clear the NAT table of all mapping entries.
1064 * (this is for the dynamic mappings)
1066 static int nat_flushtable()
1068 register nat_t *nat, **natp;
1072 * ALL NAT mappings deleted, so lets just make the deletions
1075 if (nat_table[0] != NULL)
1076 bzero((char *)nat_table[0],
1077 sizeof(nat_table[0]) * ipf_nattable_sz);
1078 if (nat_table[1] != NULL)
1079 bzero((char *)nat_table[1],
1080 sizeof(nat_table[1]) * ipf_nattable_sz);
1082 for (natp = &nat_instances; (nat = *natp); ) {
1083 *natp = nat->nat_next;
1085 nat_log(nat, NL_FLUSH);
1090 nat_stats.ns_inuse = 0;
1096 * nat_clearlist - delete all rules in the active NAT mapping list.
1097 * (this is for NAT/RDR rules)
1101 register ipnat_t *n, **np = &nat_list;
1104 if (nat_rules != NULL)
1105 bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz);
1106 if (rdr_rules != NULL)
1107 bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz);
1113 appr_free(n->in_apr);
1115 nat_stats.ns_rules--;
1117 n->in_flags |= IPN_DELETE;
1129 * Create a new NAT table entry.
1130 * NOTE: Assumes write lock on ipf_nat has been obtained already.
1131 * If you intend on changing this, beware: appr_new() may call nat_new()
1134 nat_t *nat_new(fin, ip, np, natsave, flags, direction)
1142 register u_32_t sum1, sum2, sumd, l;
1143 u_short port = 0, sport = 0, dport = 0, nport = 0;
1144 struct in_addr in, inb;
1145 u_short nflags, sp, dp;
1146 tcphdr_t *tcp = NULL;
1147 hostmap_t *hm = NULL;
1149 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
1150 qif_t *qf = fin->fin_qif;
1153 nflags = flags & np->in_flags;
1154 if (flags & IPN_TCPUDP) {
1155 tcp = (tcphdr_t *)fin->fin_dp;
1156 sport = htons(fin->fin_data[0]);
1157 dport = htons(fin->fin_data[1]);
1160 /* Give me a new nat */
1161 KMALLOC(nat, nat_t *);
1163 nat_stats.ns_memfail++;
1167 bzero((char *)nat, sizeof(*nat));
1168 nat->nat_flags = flags;
1169 if (flags & FI_WILDP)
1170 nat_stats.ns_wilds++;
1172 * Search the current table for a match.
1174 if (direction == NAT_OUTBOUND) {
1176 * Values at which the search for a free resouce starts.
1182 * If it's an outbound packet which doesn't match any existing
1183 * record, then create a new port
1187 st_port = np->in_pnext;
1191 in.s_addr = htonl(np->in_nip);
1194 * Check to see if there is an existing NAT
1195 * setup for this IP address pair.
1197 hm = nat_hostmap(np, fin->fin_src, in);
1199 in.s_addr = hm->hm_mapip.s_addr;
1200 } else if ((l == 1) && (hm != NULL)) {
1204 in.s_addr = ntohl(in.s_addr);
1208 if ((np->in_outmsk == 0xffffffff) &&
1209 (np->in_pnext == 0)) {
1214 if (np->in_redir & NAT_MAPBLK) {
1215 if ((l >= np->in_ppip) || ((l > 0) &&
1216 !(flags & IPN_TCPUDP)))
1219 * map-block - Calculate destination address.
1221 in.s_addr = ntohl(fin->fin_saddr);
1222 in.s_addr &= ntohl(~np->in_inmsk);
1223 inb.s_addr = in.s_addr;
1224 in.s_addr /= np->in_ippip;
1225 in.s_addr &= ntohl(~np->in_outmsk);
1226 in.s_addr += ntohl(np->in_outip);
1228 * Calculate destination port.
1230 if ((flags & IPN_TCPUDP) &&
1231 (np->in_ppip != 0)) {
1232 port = ntohs(sport) + l;
1233 port %= np->in_ppip;
1234 port += np->in_ppip *
1235 (inb.s_addr % np->in_ippip);
1236 port += MAPBLK_MINPORT;
1239 } else if (!np->in_outip &&
1240 (np->in_outmsk == 0xffffffff)) {
1242 * 0/32 - use the interface's IP address.
1245 fr_ifpaddr(4, fin->fin_ifp, &in) == -1)
1247 in.s_addr = ntohl(in.s_addr);
1248 } else if (!np->in_outip && !np->in_outmsk) {
1250 * 0/0 - use the original source address/port.
1254 in.s_addr = ntohl(fin->fin_saddr);
1255 } else if ((np->in_outmsk != 0xffffffff) &&
1256 (np->in_pnext == 0) &&
1257 ((l > 0) || (hm == NULL)))
1261 if ((nflags & IPN_TCPUDP) &&
1262 ((np->in_redir & NAT_MAPBLK) == 0) &&
1263 (np->in_flags & IPN_AUTOPORTMAP)) {
1264 if ((l > 0) && (l % np->in_ppip == 0)) {
1265 if (l > np->in_space) {
1267 } else if ((l > np->in_ppip) &&
1268 np->in_outmsk != 0xffffffff)
1271 if (np->in_ppip != 0) {
1272 port = ntohs(sport);
1273 port += (l % np->in_ppip);
1274 port %= np->in_ppip;
1275 port += np->in_ppip *
1276 (ntohl(fin->fin_saddr) %
1278 port += MAPBLK_MINPORT;
1281 } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
1282 (nflags & IPN_TCPUDP) &&
1283 (np->in_pnext != 0)) {
1284 port = htons(np->in_pnext++);
1285 if (np->in_pnext > ntohs(np->in_pmax)) {
1286 np->in_pnext = ntohs(np->in_pmin);
1287 if (np->in_outmsk != 0xffffffff)
1292 if (np->in_flags & IPN_IPRANGE) {
1293 if (np->in_nip > ntohl(np->in_outmsk))
1294 np->in_nip = ntohl(np->in_outip);
1296 if ((np->in_outmsk != 0xffffffff) &&
1297 ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
1298 ntohl(np->in_outip))
1299 np->in_nip = ntohl(np->in_outip) + 1;
1302 if (!port && (flags & IPN_TCPUDP))
1306 * Here we do a lookup of the connection as seen from
1307 * the outside. If an IP# pair already exists, try
1308 * again. So if you have A->B becomes C->B, you can
1309 * also have D->E become C->E but not D->B causing
1310 * another C->B. Also take protocol and ports into
1311 * account when determining whether a pre-existing
1312 * NAT setup will cause an external conflict where
1313 * this is appropriate.
1315 inb.s_addr = htonl(in.s_addr);
1316 sp = fin->fin_data[0];
1317 dp = fin->fin_data[1];
1318 fin->fin_data[0] = fin->fin_data[1];
1319 fin->fin_data[1] = htons(port);
1320 natl = nat_inlookup(fin, flags & ~FI_WILDP,
1321 (u_int)fin->fin_p, fin->fin_dst,
1323 fin->fin_data[0] = sp;
1324 fin->fin_data[1] = dp;
1327 * Has the search wrapped around and come back to the
1330 if ((natl != NULL) &&
1331 (np->in_pnext != 0) && (st_port == np->in_pnext) &&
1332 (np->in_nip != 0) && (st_ip == np->in_nip))
1335 } while (natl != NULL);
1337 if (np->in_space > 0)
1340 /* Setup the NAT table */
1341 nat->nat_inip = fin->fin_src;
1342 nat->nat_outip.s_addr = htonl(in.s_addr);
1343 nat->nat_oip = fin->fin_dst;
1344 if (nat->nat_hm == NULL)
1345 nat->nat_hm = nat_hostmap(np, fin->fin_src,
1348 sum1 = LONG_SUM(ntohl(fin->fin_saddr)) + ntohs(sport);
1349 sum2 = LONG_SUM(in.s_addr) + ntohs(port);
1351 if (flags & IPN_TCPUDP) {
1352 nat->nat_inport = sport;
1353 nat->nat_outport = port; /* sport */
1354 nat->nat_oport = dport;
1358 * Otherwise, it's an inbound packet. Most likely, we don't
1359 * want to rewrite source ports and source addresses. Instead,
1360 * we want to rewrite to a fixed internal address and fixed
1363 if (np->in_flags & IPN_SPLIT) {
1364 in.s_addr = np->in_nip;
1365 if (np->in_inip == htonl(in.s_addr))
1366 np->in_nip = ntohl(np->in_inmsk);
1368 np->in_nip = ntohl(np->in_inip);
1369 if (np->in_flags & IPN_ROUNDR) {
1375 in.s_addr = ntohl(np->in_inip);
1376 if (np->in_flags & IPN_ROUNDR) {
1385 * Whilst not optimized for the case where
1386 * pmin == pmax, the gain is not significant.
1388 if (np->in_pmin != np->in_pmax) {
1389 nport = ntohs(dport) - ntohs(np->in_pmin) +
1390 ntohs(np->in_pnext);
1391 nport = ntohs(nport);
1393 nport = np->in_pnext;
1397 * When the redirect-to address is set to 0.0.0.0, just
1398 * assume a blank `forwarding' of the packet.
1401 in.s_addr = ntohl(fin->fin_daddr);
1403 nat->nat_inip.s_addr = htonl(in.s_addr);
1404 nat->nat_outip = fin->fin_dst;
1405 nat->nat_oip = fin->fin_src;
1407 sum1 = LONG_SUM(ntohl(fin->fin_daddr)) + ntohs(dport);
1408 sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
1410 if (flags & IPN_TCPUDP) {
1411 nat->nat_inport = nport;
1412 nat->nat_outport = dport;
1413 nat->nat_oport = sport;
1417 CALC_SUMD(sum1, sum2, sumd);
1418 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1419 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
1420 if ((flags & IPN_TCPUDP) && dohwcksum &&
1421 (qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
1422 if (direction == NAT_OUTBOUND)
1423 sum1 = LONG_SUM(ntohl(in.s_addr));
1425 sum1 = LONG_SUM(ntohl(fin->fin_saddr));
1426 sum1 += LONG_SUM(ntohl(fin->fin_daddr));
1427 sum1 += IPPROTO_TCP;
1428 sum1 = (sum1 & 0xffff) + (sum1 >> 16);
1429 nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff);
1432 nat->nat_sumd[1] = nat->nat_sumd[0];
1434 if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
1435 if (direction == NAT_OUTBOUND)
1436 sum1 = LONG_SUM(ntohl(fin->fin_saddr));
1438 sum1 = LONG_SUM(ntohl(fin->fin_daddr));
1440 sum2 = LONG_SUM(in.s_addr);
1442 CALC_SUMD(sum1, sum2, sumd);
1443 nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
1445 nat->nat_ipsumd = nat->nat_sumd[0];
1447 in.s_addr = htonl(in.s_addr);
1449 strncpy(nat->nat_ifname, IFNAME(fin->fin_ifp), IFNAMSIZ);
1451 nat->nat_me = natsave;
1452 nat->nat_dir = direction;
1453 nat->nat_ifp = fin->fin_ifp;
1455 nat->nat_p = fin->fin_p;
1458 nat->nat_fr = fin->fin_fr;
1459 if (nat->nat_fr != NULL) {
1460 ATOMIC_INC32(nat->nat_fr->fr_ref);
1462 if (direction == NAT_OUTBOUND) {
1463 if (flags & IPN_TCPUDP)
1464 tcp->th_sport = port;
1466 if (flags & IPN_TCPUDP)
1467 tcp->th_dport = nport;
1472 if ((np->in_apr != NULL) && (np->in_dport == 0 ||
1473 (tcp != NULL && dport == np->in_dport)))
1474 (void) appr_new(fin, ip, nat);
1478 nat_log(nat, (u_int)np->in_redir);
1482 nat_stats.ns_badnat++;
1483 if ((hm = nat->nat_hm) != NULL)
1491 * Insert a NAT entry into the hash tables for searching and add it to the
1492 * list of active NAT entries. Adjust global counters when complete.
1494 void nat_insert(nat)
1500 MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
1502 nat->nat_age = fr_defnatage;
1503 nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
1504 if (nat->nat_ifname[0] !='\0') {
1505 nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
1508 nat->nat_next = nat_instances;
1509 nat_instances = nat;
1511 if (!(nat->nat_flags & (FI_W_SPORT|FI_W_DPORT))) {
1512 hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
1514 hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
1516 hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
1518 hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
1521 hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, nat->nat_inip.s_addr,
1523 hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, nat->nat_outip.s_addr,
1527 natp = &nat_table[0][hv1];
1529 (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
1530 nat->nat_phnext[0] = natp;
1531 nat->nat_hnext[0] = *natp;
1534 natp = &nat_table[1][hv2];
1536 (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
1537 nat->nat_phnext[1] = natp;
1538 nat->nat_hnext[1] = *natp;
1541 nat_stats.ns_added++;
1542 nat_stats.ns_inuse++;
1546 nat_t *nat_icmplookup(ip, fin, dir)
1552 tcphdr_t *tcp = NULL;
1554 int flags = 0, type, minlen;
1556 icmp = (icmphdr_t *)fin->fin_dp;
1558 * Does it at least have the return (basic) IP header ?
1559 * Only a basic IP header (no options) should be with an ICMP error
1562 if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
1564 type = icmp->icmp_type;
1566 * If it's not an error type, then return.
1568 if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
1569 (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
1570 (type != ICMP_PARAMPROB))
1573 oip = (ip_t *)((char *)fin->fin_dp + 8);
1574 minlen = (oip->ip_hl << 2);
1575 if (minlen < sizeof(ip_t))
1577 if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
1580 * Is the buffer big enough for all of it ? It's the size of the IP
1581 * header claimed in the encapsulated part which is of concern. It
1582 * may be too big to be in this buffer but not so big that it's
1583 * outside the ICMP packet, leading to TCP deref's causing problems.
1584 * This is possible because we don't know how big oip_hl is when we
1585 * do the pullup early in fr_check() and thus can't gaurantee it is
1594 if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
1597 m = *(mb_t **)fin->fin_mp;
1598 if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
1599 (char *)ip + m->m_len)
1605 if (oip->ip_p == IPPROTO_TCP)
1607 else if (oip->ip_p == IPPROTO_UDP)
1609 if (flags & IPN_TCPUDP) {
1613 minlen += 8; /* + 64bits of data to get ports */
1614 if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
1617 data[0] = fin->fin_data[0];
1618 data[1] = fin->fin_data[1];
1619 tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
1620 fin->fin_data[0] = ntohs(tcp->th_dport);
1621 fin->fin_data[1] = ntohs(tcp->th_sport);
1623 if (dir == NAT_INBOUND) {
1624 nat = nat_inlookup(fin, flags, (u_int)oip->ip_p,
1625 oip->ip_dst, oip->ip_src, 0);
1627 nat = nat_outlookup(fin, flags, (u_int)oip->ip_p,
1628 oip->ip_dst, oip->ip_src, 0);
1630 fin->fin_data[0] = data[0];
1631 fin->fin_data[1] = data[1];
1634 if (dir == NAT_INBOUND)
1635 return nat_inlookup(fin, 0, (u_int)oip->ip_p,
1636 oip->ip_dst, oip->ip_src, 0);
1638 return nat_outlookup(fin, 0, (u_int)oip->ip_p,
1639 oip->ip_dst, oip->ip_src, 0);
1644 * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
1645 * packet gets correctly recognised.
1647 nat_t *nat_icmp(ip, fin, nflags, dir)
1653 u_32_t sum1, sum2, sumd, sumd2 = 0;
1661 if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0))
1664 * nat_icmplookup() will return NULL for `defective' packets.
1666 if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
1670 *nflags = IPN_ICMPERR;
1671 icmp = (icmphdr_t *)fin->fin_dp;
1672 oip = (ip_t *)&icmp->icmp_ip;
1673 if (oip->ip_p == IPPROTO_TCP)
1675 else if (oip->ip_p == IPPROTO_UDP)
1677 udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
1679 * Need to adjust ICMP header to include the real IP#'s and
1680 * port #'s. Only apply a checksum change relative to the
1681 * IP address change as it will be modified again in ip_natout
1682 * for both address and port. Two checksum changes are
1683 * necessary for the two header address changes. Be careful
1684 * to only modify the checksum once for the port # and twice
1690 * Fix the IP addresses in the offending IP packet. You also need
1691 * to adjust the IP header checksum of that offending IP packet
1692 * and the ICMP checksum of the ICMP error message itself.
1694 * Unfortunately, for UDP and TCP, the IP addresses are also contained
1695 * in the pseudo header that is used to compute the UDP resp. TCP
1696 * checksum. So, we must compensate that as well. Even worse, the
1697 * change in the UDP and TCP checksums require yet another
1698 * adjustment of the ICMP checksum of the ICMP error message.
1700 * For the moment we forget about TCP, because that checksum is not
1701 * in the first 8 bytes, so it will not be available in most cases.
1704 if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
1705 sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
1709 sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
1710 in = nat->nat_outip;
1714 sum2 = LONG_SUM(ntohl(in.s_addr));
1716 CALC_SUMD(sum1, sum2, sumd);
1718 if (nat->nat_dir == NAT_OUTBOUND) {
1720 * Fix IP checksum of the offending IP packet to adjust for
1721 * the change in the IP address.
1723 * Normally, you would expect that the ICMP checksum of the
1724 * ICMP error message needs to be adjusted as well for the
1725 * IP address change in oip.
1726 * However, this is a NOP, because the ICMP checksum is
1727 * calculated over the complete ICMP packet, which includes the
1728 * changed oip IP addresses and oip->ip_sum. However, these
1729 * two changes cancel each other out (if the delta for
1730 * the IP address is x, then the delta for ip_sum is minus x),
1731 * so no change in the icmp_cksum is necessary.
1733 * Be careful that nat_dir refers to the direction of the
1734 * offending IP packet (oip), not to its ICMP response (icmp)
1736 fix_datacksum(&oip->ip_sum, sumd);
1739 * Fix UDP pseudo header checksum to compensate for the
1740 * IP address change.
1742 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1744 * The UDP checksum is optional, only adjust it
1745 * if it has been set.
1747 sum1 = ntohs(udp->uh_sum);
1748 fix_datacksum(&udp->uh_sum, sumd);
1749 sum2 = ntohs(udp->uh_sum);
1752 * Fix ICMP checksum to compensate the UDP
1753 * checksum adjustment.
1755 CALC_SUMD(sum1, sum2, sumd);
1761 * Fix TCP pseudo header checksum to compensate for the
1762 * IP address change. Before we can do the change, we
1763 * must make sure that oip is sufficient large to hold
1764 * the TCP checksum (normally it does not!).
1766 if (oip->ip_p == IPPROTO_TCP) {
1773 * Fix IP checksum of the offending IP packet to adjust for
1774 * the change in the IP address.
1776 * Normally, you would expect that the ICMP checksum of the
1777 * ICMP error message needs to be adjusted as well for the
1778 * IP address change in oip.
1779 * However, this is a NOP, because the ICMP checksum is
1780 * calculated over the complete ICMP packet, which includes the
1781 * changed oip IP addresses and oip->ip_sum. However, these
1782 * two changes cancel each other out (if the delta for
1783 * the IP address is x, then the delta for ip_sum is minus x),
1784 * so no change in the icmp_cksum is necessary.
1786 * Be careful that nat_dir refers to the direction of the
1787 * offending IP packet (oip), not to its ICMP response (icmp)
1789 fix_datacksum(&oip->ip_sum, sumd);
1791 /* XXX FV : without having looked at Solaris source code, it seems unlikely
1792 * that SOLARIS would compensate this in the kernel (a body of an IP packet
1793 * in the data section of an ICMP packet). I have the feeling that this should
1794 * be unconditional, but I'm not in a position to check.
1796 #if !SOLARIS && !defined(__sgi)
1798 * Fix UDP pseudo header checksum to compensate for the
1799 * IP address change.
1801 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1803 * The UDP checksum is optional, only adjust it
1804 * if it has been set
1806 sum1 = ntohs(udp->uh_sum);
1807 fix_datacksum(&udp->uh_sum, sumd);
1808 sum2 = ntohs(udp->uh_sum);
1811 * Fix ICMP checksum to compensate the UDP
1812 * checksum adjustment.
1814 CALC_SUMD(sum1, sum2, sumd);
1820 * Fix TCP pseudo header checksum to compensate for the
1821 * IP address change. Before we can do the change, we
1822 * must make sure that oip is sufficient large to hold
1823 * the TCP checksum (normally it does not!).
1825 if (oip->ip_p == IPPROTO_TCP) {
1833 if ((flags & IPN_TCPUDP) != 0) {
1837 * XXX - what if this is bogus hl and we go off the end ?
1838 * In this case, nat_icmpinlookup() will have returned NULL.
1840 tcp = (tcphdr_t *)udp;
1844 * For offending TCP/UDP IP packets, translate the ports as
1845 * well, based on the NAT specification. Of course such
1846 * a change must be reflected in the ICMP checksum as well.
1848 * Advance notice : Now it becomes complicated :-)
1850 * Since the port fields are part of the TCP/UDP checksum
1851 * of the offending IP packet, you need to adjust that checksum
1852 * as well... but, if you change, you must change the icmp
1853 * checksum *again*, to reflect that change.
1855 * To further complicate: the TCP checksum is not in the first
1856 * 8 bytes of the offending ip packet, so it most likely is not
1857 * available (we might have to fix that if the encounter a
1858 * device that returns more than 8 data bytes on icmp error)
1861 if (nat->nat_oport == tcp->th_dport) {
1862 if (tcp->th_sport != nat->nat_inport) {
1864 * Fix ICMP checksum to compensate port
1867 sum1 = ntohs(tcp->th_sport);
1868 sum2 = ntohs(nat->nat_inport);
1869 CALC_SUMD(sum1, sum2, sumd);
1871 tcp->th_sport = nat->nat_inport;
1874 * Fix udp checksum to compensate port
1875 * adjustment. NOTE : the offending IP packet
1876 * flows the other direction compared to the
1879 * The UDP checksum is optional, only adjust
1880 * it if it has been set.
1882 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1884 sum1 = ntohs(udp->uh_sum);
1885 fix_datacksum(&udp->uh_sum, sumd);
1886 sum2 = ntohs(udp->uh_sum);
1889 * Fix ICMP checksum to
1890 * compensate UDP checksum
1893 CALC_SUMD(sum1, sum2, sumd);
1898 if (tcp->th_dport != nat->nat_outport) {
1900 * Fix ICMP checksum to compensate port
1903 sum1 = ntohs(tcp->th_dport);
1904 sum2 = ntohs(nat->nat_outport);
1905 CALC_SUMD(sum1, sum2, sumd);
1907 tcp->th_dport = nat->nat_outport;
1910 * Fix udp checksum to compensate port
1911 * adjustment. NOTE : the offending IP
1912 * packet flows the other direction compared
1913 * to the ICMP message.
1915 * The UDP checksum is optional, only adjust
1916 * it if it has been set.
1918 if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
1920 sum1 = ntohs(udp->uh_sum);
1921 fix_datacksum(&udp->uh_sum, sumd);
1922 sum2 = ntohs(udp->uh_sum);
1925 * Fix ICMP checksum to compensate
1926 * UDP checksum adjustment.
1928 CALC_SUMD(sum1, sum2, sumd);
1934 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1935 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1936 if (nat->nat_dir == NAT_OUTBOUND) {
1937 fix_outcksum(fin, &icmp->icmp_cksum, sumd2);
1939 fix_incksum(fin, &icmp->icmp_cksum, sumd2);
1943 if (oip->ip_p == IPPROTO_ICMP)
1944 nat->nat_age = fr_defnaticmpage;
1950 * NB: these lookups don't lock access to the list, it assume it has already
1954 * Lookup a nat entry based on the mapped destination ip address/port and
1955 * real source address/port. We use this lookup when receiving a packet,
1956 * we're looking for a table entry, based on the destination address.
1957 * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
1959 nat_t *nat_inlookup(fin, flags, p, src, mapdst, rw)
1961 register u_int flags, p;
1962 struct in_addr src , mapdst;
1965 register u_short sport, dport;
1966 register nat_t *nat;
1967 register int nflags;
1968 register u_32_t dst;
1977 dst = mapdst.s_addr;
1978 if (flags & IPN_TCPUDP) {
1979 sport = htons(fin->fin_data[0]);
1980 dport = htons(fin->fin_data[1]);
1986 hv = NAT_HASH_FN(dst, dport, 0xffffffff);
1987 hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz);
1988 nat = nat_table[1][hv];
1989 for (; nat; nat = nat->nat_hnext[1]) {
1990 nflags = nat->nat_flags;
1991 if ((!ifp || ifp == nat->nat_ifp) &&
1992 nat->nat_oip.s_addr == src.s_addr &&
1993 nat->nat_outip.s_addr == dst &&
1994 ((p == 0) || (p == nat->nat_p))) {
1999 if (nat->nat_oport != sport)
2001 if (nat->nat_outport != dport)
2009 if ((ipn != NULL) && (nat->nat_aps != NULL))
2010 if (appr_match(fin, nat) != 0)
2015 if (!nat_stats.ns_wilds || !(flags & FI_WILDP))
2018 RWLOCK_EXIT(&ipf_nat);
2020 hv = NAT_HASH_FN(dst, 0, 0xffffffff);
2021 hv = NAT_HASH_FN(src.s_addr, dst, ipf_nattable_sz);
2023 WRITE_ENTER(&ipf_nat);
2025 nat = nat_table[1][hv];
2026 for (; nat; nat = nat->nat_hnext[1]) {
2027 nflags = nat->nat_flags;
2028 if (ifp && ifp != nat->nat_ifp)
2030 if (!(nflags & FI_WILDP))
2032 if (nat->nat_oip.s_addr != src.s_addr ||
2033 nat->nat_outip.s_addr != dst)
2035 if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
2036 ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) {
2037 nat_tabmove(fin, nat);
2042 MUTEX_DOWNGRADE(&ipf_nat);
2049 * This function is only called for TCP/UDP NAT table entries where the
2050 * original was placed in the table without hashing on the ports and we now
2051 * want to include hashing on port numbers.
2053 static void nat_tabmove(fin, nat)
2057 register u_short sport, dport;
2061 nflags = nat->nat_flags;
2063 sport = ntohs(fin->fin_data[0]);
2064 dport = ntohs(fin->fin_data[1]);
2067 * Remove the NAT entry from the old location
2069 if (nat->nat_hnext[0])
2070 nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
2071 *nat->nat_phnext[0] = nat->nat_hnext[0];
2073 if (nat->nat_hnext[1])
2074 nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
2075 *nat->nat_phnext[1] = nat->nat_hnext[1];
2078 * Add into the NAT table in the new position
2080 hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, 0xffffffff);
2081 hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
2082 natp = &nat_table[0][hv];
2084 (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
2085 nat->nat_phnext[0] = natp;
2086 nat->nat_hnext[0] = *natp;
2089 hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, 0xffffffff);
2090 hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
2091 natp = &nat_table[1][hv];
2093 (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
2094 nat->nat_phnext[1] = natp;
2095 nat->nat_hnext[1] = *natp;
2101 * Lookup a nat entry based on the source 'real' ip address/port and
2102 * destination address/port. We use this lookup when sending a packet out,
2103 * we're looking for a table entry, based on the source address.
2104 * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
2106 nat_t *nat_outlookup(fin, flags, p, src, dst, rw)
2108 register u_int flags, p;
2109 struct in_addr src , dst;
2112 register u_short sport, dport;
2113 register nat_t *nat;
2114 register int nflags;
2122 if (flags & IPN_TCPUDP) {
2123 sport = ntohs(fin->fin_data[0]);
2124 dport = ntohs(fin->fin_data[1]);
2130 hv = NAT_HASH_FN(srcip, sport, 0xffffffff);
2131 hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz);
2132 nat = nat_table[0][hv];
2133 for (; nat; nat = nat->nat_hnext[0]) {
2134 nflags = nat->nat_flags;
2136 if ((!ifp || ifp == nat->nat_ifp) &&
2137 nat->nat_inip.s_addr == srcip &&
2138 nat->nat_oip.s_addr == dst.s_addr &&
2139 ((p == 0) || (p == nat->nat_p))) {
2144 if (nat->nat_oport != dport)
2146 if (nat->nat_inport != sport)
2154 if ((ipn != NULL) && (nat->nat_aps != NULL))
2155 if (appr_match(fin, nat) != 0)
2160 if (!nat_stats.ns_wilds || !(flags & FI_WILDP))
2163 RWLOCK_EXIT(&ipf_nat);
2166 hv = NAT_HASH_FN(dst.s_addr, srcip, ipf_nattable_sz);
2168 WRITE_ENTER(&ipf_nat);
2170 nat = nat_table[0][hv];
2171 for (; nat; nat = nat->nat_hnext[0]) {
2172 nflags = nat->nat_flags;
2173 if (ifp && ifp != nat->nat_ifp)
2175 if (!(nflags & FI_WILDP))
2177 if ((nat->nat_inip.s_addr != srcip) ||
2178 (nat->nat_oip.s_addr != dst.s_addr))
2180 if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) &&
2181 ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) {
2182 nat_tabmove(fin, nat);
2187 MUTEX_DOWNGRADE(&ipf_nat);
2194 * Lookup the NAT tables to search for a matching redirect
2196 nat_t *nat_lookupredir(np)
2197 register natlookup_t *np;
2202 bzero((char *)&fi, sizeof(fi));
2203 fi.fin_data[0] = np->nl_inport;
2204 fi.fin_data[1] = np->nl_outport;
2207 * If nl_inip is non null, this is a lookup based on the real
2208 * ip address. Else, we use the fake.
2210 if ((nat = nat_outlookup(&fi, np->nl_flags, 0, np->nl_inip,
2211 np->nl_outip, 0))) {
2212 np->nl_realip = nat->nat_outip;
2213 np->nl_realport = nat->nat_outport;
2219 static int nat_match(fin, np, ip)
2229 if (np->in_p && fin->fin_p != np->in_p)
2232 if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
2234 if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
2235 ^ ((np->in_flags & IPN_NOTSRC) != 0))
2237 if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
2238 ^ ((np->in_flags & IPN_NOTDST) != 0))
2241 if (!(np->in_redir & NAT_REDIRECT))
2243 if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
2244 ^ ((np->in_flags & IPN_NOTSRC) != 0))
2246 if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
2247 ^ ((np->in_flags & IPN_NOTDST) != 0))
2252 if (!(fin->fin_fl & FI_TCPUDP) ||
2253 (fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) {
2254 if (ft->ftu_scmp || ft->ftu_dcmp)
2259 return fr_tcpudpchk(ft, fin);
2264 * Packets going out on the external interface go through this.
2265 * Here, the source address requires alteration, if anything.
2267 int ip_natout(ip, fin)
2271 register ipnat_t *np = NULL;
2272 register u_32_t ipa;
2273 tcphdr_t *tcp = NULL;
2274 u_short sport = 0, dport = 0, *csump = NULL;
2275 int natadd = 1, i, icmpset = 1;
2276 u_int nflags = 0, hv, msk;
2283 if (nat_list == NULL || (fr_nat_lock))
2286 if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
2287 fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) {
2288 sifp = fin->fin_ifp;
2289 fin->fin_ifp = fr->fr_tif.fd_ifp;
2291 sifp = fin->fin_ifp;
2294 if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
2295 if (fin->fin_p == IPPROTO_TCP)
2297 else if (fin->fin_p == IPPROTO_UDP)
2299 if ((nflags & IPN_TCPUDP)) {
2300 tcp = (tcphdr_t *)fin->fin_dp;
2301 sport = tcp->th_sport;
2302 dport = tcp->th_dport;
2306 ipa = fin->fin_saddr;
2308 READ_ENTER(&ipf_nat);
2310 if ((fin->fin_p == IPPROTO_ICMP) &&
2311 (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
2313 else if ((fin->fin_fl & FI_FRAG) &&
2314 (nat = ipfr_nat_knownfrag(ip, fin)))
2316 else if ((nat = nat_outlookup(fin, nflags|FI_WILDP|FI_WILDA,
2317 (u_int)fin->fin_p, fin->fin_src,
2318 fin->fin_dst, 0))) {
2319 nflags = nat->nat_flags;
2320 if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
2321 if ((nflags & FI_W_SPORT) &&
2322 (nat->nat_inport != sport))
2323 nat->nat_inport = sport;
2324 if ((nflags & FI_W_DPORT) &&
2325 (nat->nat_oport != dport))
2326 nat->nat_oport = dport;
2328 if (nat->nat_outport == 0)
2329 nat->nat_outport = sport;
2330 nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT);
2331 nflags = nat->nat_flags;
2332 nat_stats.ns_wilds--;
2335 RWLOCK_EXIT(&ipf_nat);
2340 WRITE_ENTER(&ipf_nat);
2342 * If there is no current entry in the nat table for this IP#,
2343 * create one for it (if there is a matching rule).
2346 iph = ipa & htonl(msk);
2347 hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
2348 for (np = nat_rules[hv]; np; np = np->in_mnext)
2350 if (np->in_ifp && (np->in_ifp != ifp))
2352 if ((np->in_flags & IPN_RF) &&
2353 !(np->in_flags & nflags))
2355 if (np->in_flags & IPN_FILTER) {
2356 if (!nat_match(fin, np, ip))
2358 } else if ((ipa & np->in_inmsk) != np->in_inip)
2360 if (*np->in_plabel && !appr_ok(ip, tcp, np))
2362 nat = nat_new(fin, ip, np, NULL,
2363 (u_int)nflags, NAT_OUTBOUND);
2369 if ((np == NULL) && (i > 0)) {
2373 } while ((i >= 0) && ((nat_masks & (1 << i)) == 0));
2377 MUTEX_DOWNGRADE(&ipf_nat);
2381 * NOTE: ipf_nat must now only be held as a read lock
2385 if (natadd && (fin->fin_fl & FI_FRAG) && np)
2386 ipfr_nat_newfrag(ip, fin, 0, nat);
2387 MUTEX_ENTER(&nat->nat_lock);
2388 if (fin->fin_p != IPPROTO_TCP) {
2389 if (np && np->in_age[1])
2390 nat->nat_age = np->in_age[1];
2391 else if (!icmpset && (fin->fin_p == IPPROTO_ICMP))
2392 nat->nat_age = fr_defnaticmpage;
2394 nat->nat_age = fr_defnatage;
2396 nat->nat_bytes += ip->ip_len;
2398 MUTEX_EXIT(&nat->nat_lock);
2401 * Fix up checksums, not by recalculating them, but
2402 * simply computing adjustments.
2404 if (nflags == IPN_ICMPERR) {
2405 u_32_t s1, s2, sumd;
2407 s1 = LONG_SUM(ntohl(fin->fin_saddr));
2408 s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
2409 CALC_SUMD(s1, s2, sumd);
2411 if (nat->nat_dir == NAT_OUTBOUND)
2412 fix_outcksum(fin, &ip->ip_sum, sumd);
2414 fix_incksum(fin, &ip->ip_sum, sumd);
2416 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
2418 if (nat->nat_dir == NAT_OUTBOUND)
2419 fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
2421 fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
2425 * Only change the packet contents, not what is filtered upon.
2427 ip->ip_src = nat->nat_outip;
2429 if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
2431 if ((nat->nat_outport != 0) && (tcp != NULL)) {
2432 tcp->th_sport = nat->nat_outport;
2433 fin->fin_data[0] = ntohs(tcp->th_sport);
2436 if (fin->fin_p == IPPROTO_TCP) {
2437 csump = &tcp->th_sum;
2438 MUTEX_ENTER(&nat->nat_lock);
2439 fr_tcp_age(&nat->nat_age,
2440 nat->nat_tcpstate, fin, 1);
2441 if (nat->nat_age < fr_defnaticmpage)
2442 nat->nat_age = fr_defnaticmpage;
2444 else if (nat->nat_age > fr_defnatage)
2445 nat->nat_age = fr_defnatage;
2448 * Increase this because we may have
2449 * "keep state" following this too and
2450 * packet storms can occur if this is
2451 * removed too quickly.
2453 if (nat->nat_age == fr_tcpclosed)
2454 nat->nat_age = fr_tcplastack;
2455 MUTEX_EXIT(&nat->nat_lock);
2456 } else if (fin->fin_p == IPPROTO_UDP) {
2457 udphdr_t *udp = (udphdr_t *)tcp;
2460 csump = &udp->uh_sum;
2464 if (nat->nat_dir == NAT_OUTBOUND)
2465 fix_outcksum(fin, csump,
2468 fix_incksum(fin, csump,
2473 if (np && (np->in_apr != NULL) && (np->in_dport == 0 ||
2474 (tcp != NULL && dport == np->in_dport))) {
2475 i = appr_check(ip, fin, nat);
2480 ATOMIC_INCL(nat_stats.ns_mapped[1]);
2481 RWLOCK_EXIT(&ipf_nat); /* READ */
2482 fin->fin_ifp = sifp;
2485 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
2486 fin->fin_ifp = sifp;
2492 * Packets coming in from the external interface go through this.
2493 * Here, the destination address requires alteration, if anything.
2495 int ip_natin(ip, fin)
2499 register struct in_addr src;
2500 register struct in_addr in;
2501 register ipnat_t *np;
2502 u_short sport = 0, dport = 0, *csump = NULL;
2503 u_int nflags = 0, natadd = 1, hv, msk;
2504 struct ifnet *ifp = fin->fin_ifp;
2505 tcphdr_t *tcp = NULL;
2510 if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
2513 if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
2514 if (fin->fin_p == IPPROTO_TCP)
2516 else if (fin->fin_p == IPPROTO_UDP)
2518 if ((nflags & IPN_TCPUDP)) {
2519 tcp = (tcphdr_t *)fin->fin_dp;
2520 sport = tcp->th_sport;
2521 dport = tcp->th_dport;
2526 /* make sure the source address is to be redirected */
2529 READ_ENTER(&ipf_nat);
2531 if ((fin->fin_p == IPPROTO_ICMP) &&
2532 (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
2534 else if ((fin->fin_fl & FI_FRAG) &&
2535 (nat = ipfr_nat_knownfrag(ip, fin)))
2537 else if ((nat = nat_inlookup(fin, nflags|FI_WILDP|FI_WILDA,
2538 (u_int)fin->fin_p, fin->fin_src, in, 0))) {
2539 nflags = nat->nat_flags;
2540 if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
2541 if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT))
2542 nat->nat_oport = sport;
2543 if ((nat->nat_outport != dport) &&
2544 (nflags & FI_W_SPORT))
2545 nat->nat_outport = dport;
2546 nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT);
2547 nflags = nat->nat_flags;
2548 nat_stats.ns_wilds--;
2551 RWLOCK_EXIT(&ipf_nat);
2556 WRITE_ENTER(&ipf_nat);
2558 * If there is no current entry in the nat table for this IP#,
2559 * create one for it (if there is a matching rule).
2562 iph = in.s_addr & htonl(msk);
2563 hv = NAT_HASH_FN(iph, 0, ipf_rdrrules_sz);
2564 for (np = rdr_rules[hv]; np; np = np->in_rnext) {
2565 if ((np->in_ifp && (np->in_ifp != ifp)) ||
2566 (np->in_p && (np->in_p != fin->fin_p)) ||
2567 (np->in_flags && !(nflags & np->in_flags)))
2569 if (np->in_flags & IPN_FILTER) {
2570 if (!nat_match(fin, np, ip))
2572 } else if ((in.s_addr & np->in_outmsk) != np->in_outip)
2574 if ((!np->in_pmin || (np->in_flags & IPN_FILTER) ||
2575 ((ntohs(np->in_pmax) >= ntohs(dport)) &&
2576 (ntohs(dport) >= ntohs(np->in_pmin)))))
2577 if ((nat = nat_new(fin, ip, np, NULL, nflags,
2584 if ((np == NULL) && (i > 0)) {
2588 } while ((i >= 0) && ((rdr_masks & (1 << i)) == 0));
2592 MUTEX_DOWNGRADE(&ipf_nat);
2596 * NOTE: ipf_nat must now only be held as a read lock
2600 fin->fin_fr = nat->nat_fr;
2601 if (natadd && (fin->fin_fl & FI_FRAG) && np)
2602 ipfr_nat_newfrag(ip, fin, 0, nat);
2603 if (np && (np->in_apr != NULL) && (np->in_dport == 0 ||
2604 (tcp != NULL && sport == np->in_dport))) {
2605 i = appr_check(ip, fin, nat);
2607 RWLOCK_EXIT(&ipf_nat);
2612 MUTEX_ENTER(&nat->nat_lock);
2613 if (fin->fin_p != IPPROTO_TCP) {
2614 if (np && np->in_age[0])
2615 nat->nat_age = np->in_age[0];
2616 else if (!icmpset && (fin->fin_p == IPPROTO_ICMP))
2617 nat->nat_age = fr_defnaticmpage;
2619 nat->nat_age = fr_defnatage;
2621 nat->nat_bytes += ip->ip_len;
2623 MUTEX_EXIT(&nat->nat_lock);
2624 ip->ip_dst = nat->nat_inip;
2625 fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
2628 * Fix up checksums, not by recalculating them, but
2629 * simply computing adjustments.
2631 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
2632 if (nat->nat_dir == NAT_OUTBOUND)
2633 fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
2635 fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
2637 if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
2639 if ((nat->nat_inport != 0) && (tcp != NULL)) {
2640 tcp->th_dport = nat->nat_inport;
2641 fin->fin_data[1] = ntohs(tcp->th_dport);
2644 if (fin->fin_p == IPPROTO_TCP) {
2645 csump = &tcp->th_sum;
2646 MUTEX_ENTER(&nat->nat_lock);
2647 fr_tcp_age(&nat->nat_age,
2648 nat->nat_tcpstate, fin, 0);
2649 if (nat->nat_age < fr_defnaticmpage)
2650 nat->nat_age = fr_defnaticmpage;
2652 else if (nat->nat_age > fr_defnatage)
2653 nat->nat_age = fr_defnatage;
2656 * Increase this because we may have
2657 * "keep state" following this too and
2658 * packet storms can occur if this is
2659 * removed too quickly.
2661 if (nat->nat_age == fr_tcpclosed)
2662 nat->nat_age = fr_tcplastack;
2663 MUTEX_EXIT(&nat->nat_lock);
2664 } else if (fin->fin_p == IPPROTO_UDP) {
2665 udphdr_t *udp = (udphdr_t *)tcp;
2668 csump = &udp->uh_sum;
2672 if (nat->nat_dir == NAT_OUTBOUND)
2673 fix_incksum(fin, csump,
2676 fix_outcksum(fin, csump,
2680 ATOMIC_INCL(nat_stats.ns_mapped[0]);
2681 RWLOCK_EXIT(&ipf_nat); /* READ */
2684 RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
2690 * Free all memory used by NAT structures allocated at runtime.
2694 WRITE_ENTER(&ipf_nat);
2695 (void) nat_clearlist();
2696 (void) nat_flushtable();
2697 RWLOCK_EXIT(&ipf_nat);
2699 if (nat_table[0] != NULL) {
2700 KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
2701 nat_table[0] = NULL;
2703 if (nat_table[1] != NULL) {
2704 KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
2705 nat_table[1] = NULL;
2707 if (nat_rules != NULL) {
2708 KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
2711 if (rdr_rules != NULL) {
2712 KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
2715 if (maptable != NULL) {
2716 KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
2723 * Slowly expire held state for NAT entries. Timeouts are set in
2724 * expectation of this being called twice per second.
2728 register struct nat *nat, **natp;
2729 #if defined(_KERNEL) && !SOLARIS
2734 WRITE_ENTER(&ipf_nat);
2735 for (natp = &nat_instances; (nat = *natp); ) {
2738 natp = &nat->nat_next;
2741 *natp = nat->nat_next;
2743 nat_log(nat, NL_EXPIRE);
2746 nat_stats.ns_expire++;
2748 RWLOCK_EXIT(&ipf_nat);
2755 void ip_natsync(ifp)
2758 register ipnat_t *n;
2759 register nat_t *nat;
2760 register u_32_t sum1, sum2, sumd;
2764 #if defined(_KERNEL) && !SOLARIS
2769 * Change IP addresses for NAT sessions for any protocol except TCP
2770 * since it will break the TCP connection anyway.
2773 WRITE_ENTER(&ipf_nat);
2774 for (nat = nat_instances; nat; nat = nat->nat_next)
2775 if (((ifp == NULL) || (ifp == nat->nat_ifp)) &&
2776 !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr) &&
2777 (np->in_outmsk == 0xffffffff) && !np->in_nip) {
2778 ifp2 = nat->nat_ifp;
2780 * Change the map-to address to be the same as the
2783 sum1 = nat->nat_outip.s_addr;
2784 if (fr_ifpaddr(4, ifp2, &in) != -1)
2785 nat->nat_outip = in;
2786 sum2 = nat->nat_outip.s_addr;
2791 * Readjust the checksum adjustment to take into
2792 * account the new IP#.
2794 CALC_SUMD(sum1, sum2, sumd);
2795 /* XXX - dont change for TCP when solaris does
2796 * hardware checksumming.
2798 sumd += nat->nat_sumd[0];
2799 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
2800 nat->nat_sumd[1] = nat->nat_sumd[0];
2803 for (n = nat_list; (n != NULL); n = n->in_next)
2804 if (n->in_ifp == ifp) {
2805 n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
2807 n->in_ifp = (void *)-1;
2809 RWLOCK_EXIT(&ipf_nat);
2815 void nat_log(nat, type)
2823 int rulen, types[1];
2825 natl.nl_inip = nat->nat_inip;
2826 natl.nl_outip = nat->nat_outip;
2827 natl.nl_origip = nat->nat_oip;
2828 natl.nl_bytes = nat->nat_bytes;
2829 natl.nl_pkts = nat->nat_pkts;
2830 natl.nl_origport = nat->nat_oport;
2831 natl.nl_inport = nat->nat_inport;
2832 natl.nl_outport = nat->nat_outport;
2833 natl.nl_p = nat->nat_p;
2834 natl.nl_type = type;
2837 if (nat->nat_ptr != NULL) {
2838 for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
2839 if (np == nat->nat_ptr) {
2840 natl.nl_rule = rulen;
2846 sizes[0] = sizeof(natl);
2849 (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1);
2854 #if defined(__OpenBSD__)
2855 void nat_ifdetach(ifp)
projects / FreeBSD / FreeBSD.git / blob