2 * Copyright (C) 2012 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 #if defined(KERNEL) || defined(_KERNEL)
12 #include <sys/errno.h>
13 #include <sys/types.h>
14 #include <sys/param.h>
17 #if defined(_KERNEL) && defined(__NetBSD_Version__) && \
18 (__NetBSD_Version__ >= 399002000)
19 # include <sys/kauth.h>
26 # ifdef ipf_nat6__OpenBSD__
32 #if defined(_KERNEL) && defined(__FreeBSD__)
33 # include <sys/filio.h>
34 # include <sys/fcntl.h>
36 # include <sys/ioctl.h>
38 # include <sys/fcntl.h>
39 # include <sys/protosw.h>
40 #include <sys/socket.h>
42 # include <sys/systm.h>
44 # include <sys/mbuf.h>
48 # include <sys/filio.h>
49 # include <sys/byteorder.h>
51 # include <sys/dditypes.h>
53 # include <sys/stream.h>
54 # include <sys/kmem.h>
56 #if defined(__FreeBSD__)
57 # include <sys/queue.h>
60 #if defined(__FreeBSD__)
61 # include <net/if_var.h>
66 #include <net/route.h>
67 #include <netinet/in.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
73 # include <vpn/ipsec.h>
74 extern struct ifnet vpnif;
77 # include <netinet/ip_var.h>
78 #include <netinet/tcp.h>
79 #include <netinet/udp.h>
80 #include <netinet/ip_icmp.h>
81 #include "netinet/ip_compat.h"
82 #include <netinet/tcpip.h>
83 #include "netinet/ip_fil.h"
84 #include "netinet/ip_nat.h"
85 #include "netinet/ip_frag.h"
86 #include "netinet/ip_state.h"
87 #include "netinet/ip_proxy.h"
88 #include "netinet/ip_lookup.h"
89 #include "netinet/ip_dstlist.h"
90 #include "netinet/ip_sync.h"
91 #if defined(__FreeBSD__)
92 # include <sys/malloc.h>
102 #define SOCKADDR_IN struct sockaddr_in
105 static const char rcsid[] = "@(#)$Id: ip_nat6.c,v 1.22.2.20 2012/07/22 08:04:23 darren_r Exp $";
109 static struct hostmap *ipf_nat6_hostmap(ipf_nat_softc_t *, ipnat_t *,
110 i6addr_t *, i6addr_t *,
112 static int ipf_nat6_match(fr_info_t *, ipnat_t *);
113 static void ipf_nat6_tabmove(ipf_nat_softc_t *, nat_t *);
114 static int ipf_nat6_decap(fr_info_t *, nat_t *);
115 static int ipf_nat6_nextaddr(fr_info_t *, nat_addr_t *, i6addr_t *,
117 static int ipf_nat6_icmpquerytype(int);
118 static int ipf_nat6_out(fr_info_t *, nat_t *, int, u_32_t);
119 static int ipf_nat6_in(fr_info_t *, nat_t *, int, u_32_t);
120 static int ipf_nat6_builddivertmp(ipf_nat_softc_t *, ipnat_t *);
121 static int ipf_nat6_nextaddrinit(ipf_main_softc_t *, char *,
122 nat_addr_t *, int, void *);
123 static int ipf_nat6_insert(ipf_main_softc_t *, ipf_nat_softc_t *,
127 #define NINCLSIDE6(y,x) ATOMIC_INCL(softn->ipf_nat_stats.ns_side6[y].x)
128 #define NBUMPSIDE(y,x) softn->ipf_nat_stats.ns_side[y].x++
129 #define NBUMPSIDE6(y,x) softn->ipf_nat_stats.ns_side6[y].x++
130 #define NBUMPSIDE6D(y,x) \
132 softn->ipf_nat_stats.ns_side6[y].x++; \
135 #define NBUMPSIDE6DX(y,x,z) \
137 softn->ipf_nat_stats.ns_side6[y].x++; \
142 /* ------------------------------------------------------------------------ */
143 /* Function: ipf_nat6_ruleaddrinit */
144 /* Returns: int - 0 == success, else failure */
145 /* Parameters: in(I) - NAT rule that requires address fields to be init'd */
147 /* For each of the source/destination address fields in a NAT rule, call */
148 /* ipf_nat6_nextaddrinit() to prepare the structure for active duty. Other */
149 /* IPv6 specific actions can also be taken care of here. */
150 /* ------------------------------------------------------------------------ */
152 ipf_nat6_ruleaddrinit(softc, softn, n)
153 ipf_main_softc_t *softc;
154 ipf_nat_softc_t *softn;
159 if (n->in_redir == NAT_BIMAP) {
160 n->in_ndstip6 = n->in_osrcip6;
161 n->in_ndstmsk6 = n->in_osrcmsk6;
162 n->in_odstip6 = n->in_nsrcip6;
163 n->in_odstmsk6 = n->in_nsrcmsk6;
167 if (n->in_redir & NAT_REDIRECT)
172 * Initialise all of the address fields.
174 error = ipf_nat6_nextaddrinit(softc, n->in_names, &n->in_osrc, 1,
179 error = ipf_nat6_nextaddrinit(softc, n->in_names, &n->in_odst, 1,
184 error = ipf_nat6_nextaddrinit(softc, n->in_names, &n->in_nsrc, 1,
189 error = ipf_nat6_nextaddrinit(softc, n->in_names, &n->in_ndst, 1,
194 if (n->in_redir & NAT_DIVERTUDP)
195 ipf_nat6_builddivertmp(softn, n);
200 /* ------------------------------------------------------------------------ */
201 /* Function: ipf_nat6_addrdr */
203 /* Parameters: n(I) - pointer to NAT rule to add */
205 /* Adds a redirect rule to the hash table of redirect rules and the list of */
206 /* loaded NAT rules. Updates the bitmask indicating which netmasks are in */
207 /* use by redirect rules. */
208 /* ------------------------------------------------------------------------ */
210 ipf_nat6_addrdr(softn, n)
211 ipf_nat_softc_t *softn;
220 if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) {
221 k = count6bits(n->in_nsrcmsk6.i6);
222 mask = &n->in_nsrcmsk6;
223 IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j);
224 hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz);
226 } else if (n->in_odstatype == FRI_NORMAL) {
227 k = count6bits(n->in_odstmsk6.i6);
228 mask = &n->in_odstmsk6;
229 IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j);
230 hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz);
236 ipf_inet6_mask_add(k, mask, &softn->ipf_nat6_rdr_mask);
238 np = softn->ipf_nat_rdr_rules + hv;
240 np = &(*np)->in_rnext;
249 /* ------------------------------------------------------------------------ */
250 /* Function: ipf_nat6_addmap */
252 /* Parameters: n(I) - pointer to NAT rule to add */
254 /* Adds a NAT map rule to the hash table of rules and the list of loaded */
255 /* NAT rules. Updates the bitmask indicating which netmasks are in use by */
256 /* redirect rules. */
257 /* ------------------------------------------------------------------------ */
259 ipf_nat6_addmap(softn, n)
260 ipf_nat_softc_t *softn;
269 if (n->in_osrcatype == FRI_NORMAL) {
270 k = count6bits(n->in_osrcmsk6.i6);
271 mask = &n->in_osrcmsk6;
272 IP6_AND(&n->in_osrcip6, &n->in_osrcmsk6, &j);
273 hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_maprules_sz);
279 ipf_inet6_mask_add(k, mask, &softn->ipf_nat6_map_mask);
281 np = softn->ipf_nat_map_rules + hv;
283 np = &(*np)->in_mnext;
292 /* ------------------------------------------------------------------------ */
293 /* Function: ipf_nat6_del_rdr */
295 /* Parameters: n(I) - pointer to NAT rule to delete */
297 /* Removes a NAT rdr rule from the hash table of NAT rdr rules. */
298 /* ------------------------------------------------------------------------ */
300 ipf_nat6_delrdr(softn, n)
301 ipf_nat_softc_t *softn;
307 if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) {
308 k = count6bits(n->in_nsrcmsk6.i6);
309 mask = &n->in_nsrcmsk6;
310 } else if (n->in_odstatype == FRI_NORMAL) {
311 k = count6bits(n->in_odstmsk6.i6);
312 mask = &n->in_odstmsk6;
317 ipf_inet6_mask_del(k, mask, &softn->ipf_nat6_rdr_mask);
319 if (n->in_rnext != NULL)
320 n->in_rnext->in_prnext = n->in_prnext;
321 *n->in_prnext = n->in_rnext;
326 /* ------------------------------------------------------------------------ */
327 /* Function: ipf_nat6_delmap */
329 /* Parameters: n(I) - pointer to NAT rule to delete */
331 /* Removes a NAT map rule from the hash table of NAT map rules. */
332 /* ------------------------------------------------------------------------ */
334 ipf_nat6_delmap(softn, n)
335 ipf_nat_softc_t *softn;
341 if (n->in_osrcatype == FRI_NORMAL) {
342 k = count6bits(n->in_osrcmsk6.i6);
343 mask = &n->in_osrcmsk6;
348 ipf_inet6_mask_del(k, mask, &softn->ipf_nat6_map_mask);
350 if (n->in_mnext != NULL)
351 n->in_mnext->in_pmnext = n->in_pmnext;
352 *n->in_pmnext = n->in_mnext;
357 /* ------------------------------------------------------------------------ */
358 /* Function: ipf_nat6_hostmap */
359 /* Returns: struct hostmap* - NULL if no hostmap could be created, */
360 /* else a pointer to the hostmapping to use */
361 /* Parameters: np(I) - pointer to NAT rule */
362 /* real(I) - real IP address */
363 /* map(I) - mapped IP address */
364 /* port(I) - destination port number */
365 /* Write Locks: ipf_nat */
367 /* Check if an ip address has already been allocated for a given mapping */
368 /* that is not doing port based translation. If is not yet allocated, then */
369 /* create a new entry if a non-NULL NAT rule pointer has been supplied. */
370 /* ------------------------------------------------------------------------ */
371 static struct hostmap *
372 ipf_nat6_hostmap(softn, np, src, dst, map, port)
373 ipf_nat_softc_t *softn;
375 i6addr_t *src, *dst, *map;
381 hv = (src->i6[3] ^ dst->i6[3]);
382 hv += (src->i6[2] ^ dst->i6[2]);
383 hv += (src->i6[1] ^ dst->i6[1]);
384 hv += (src->i6[0] ^ dst->i6[0]);
393 hv %= softn->ipf_nat_hostmap_sz;
394 for (hm = softn->ipf_hm_maptable[hv]; hm; hm = hm->hm_next)
395 if (IP6_EQ(&hm->hm_osrc6, src) &&
396 IP6_EQ(&hm->hm_odst6, dst) &&
397 ((np == NULL) || (np == hm->hm_ipnat)) &&
398 ((port == 0) || (port == hm->hm_port))) {
399 softn->ipf_nat_stats.ns_hm_addref++;
405 softn->ipf_nat_stats.ns_hm_nullnp++;
409 KMALLOC(hm, hostmap_t *);
411 hm->hm_next = softn->ipf_hm_maplist;
412 hm->hm_pnext = &softn->ipf_hm_maplist;
413 if (softn->ipf_hm_maplist != NULL)
414 softn->ipf_hm_maplist->hm_pnext = &hm->hm_next;
415 softn->ipf_hm_maplist = hm;
416 hm->hm_hnext = softn->ipf_hm_maptable[hv];
417 hm->hm_phnext = softn->ipf_hm_maptable + hv;
418 if (softn->ipf_hm_maptable[hv] != NULL)
419 softn->ipf_hm_maptable[hv]->hm_phnext = &hm->hm_hnext;
420 softn->ipf_hm_maptable[hv] = hm;
423 hm->hm_osrcip6 = *src;
424 hm->hm_odstip6 = *dst;
425 hm->hm_nsrcip6 = *map;
426 hm->hm_ndstip6.i6[0] = 0;
427 hm->hm_ndstip6.i6[1] = 0;
428 hm->hm_ndstip6.i6[2] = 0;
429 hm->hm_ndstip6.i6[3] = 0;
434 softn->ipf_nat_stats.ns_hm_new++;
436 softn->ipf_nat_stats.ns_hm_newfail++;
442 /* ------------------------------------------------------------------------ */
443 /* Function: ipf_nat6_newmap */
444 /* Returns: int - -1 == error, 0 == success */
445 /* Parameters: fin(I) - pointer to packet information */
446 /* nat(I) - pointer to NAT entry */
447 /* ni(I) - pointer to structure with misc. information needed */
448 /* to create new NAT entry. */
450 /* Given an empty NAT structure, populate it with new information about a */
451 /* new NAT session, as defined by the matching NAT rule. */
452 /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
453 /* to the new IP address for the translation. */
454 /* ------------------------------------------------------------------------ */
456 ipf_nat6_newmap(fin, nat, ni)
461 ipf_main_softc_t *softc = fin->fin_main_soft;
462 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
463 u_short st_port, dport, sport, port, sp, dp;
472 * If it's an outbound packet which doesn't match any existing
473 * record, then create a new port
478 st_ip = np->in_snip6;
479 st_port = np->in_spnext;
480 flags = nat->nat_flags;
482 if (flags & IPN_ICMPQUERY) {
483 sport = fin->fin_data[1];
486 sport = htons(fin->fin_data[0]);
487 dport = htons(fin->fin_data[1]);
491 * Do a loop until we either run out of entries to try or we find
492 * a NAT mapping that isn't currently being used. This is done
493 * because the change to the source is not (usually) being fixed.
497 in = np->in_nsrc.na_nextaddr;
500 * Check to see if there is an existing NAT
501 * setup for this IP address pair.
503 hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6,
504 &fin->fin_dst6, &in, 0);
507 } else if ((l == 1) && (hm != NULL)) {
508 ipf_nat_hostmapdel(softc, &hm);
513 if (IP6_ISONES(&np->in_nsrcmsk6) && (np->in_spnext == 0)) {
515 NBUMPSIDE6DX(1, ns_exhausted, ns_exhausted_1);
520 if ((np->in_redir == NAT_BIMAP) &&
521 IP6_EQ(&np->in_osrcmsk6, &np->in_nsrcmsk6)) {
524 * map the address block in a 1:1 fashion
526 temp.i6[0] = fin->fin_src6.i6[0] &
527 ~np->in_osrcmsk6.i6[0];
528 temp.i6[1] = fin->fin_src6.i6[1] &
529 ~np->in_osrcmsk6.i6[1];
530 temp.i6[2] = fin->fin_src6.i6[2] &
531 ~np->in_osrcmsk6.i6[0];
532 temp.i6[3] = fin->fin_src6.i6[3] &
533 ~np->in_osrcmsk6.i6[3];
535 IP6_MERGE(&in, &temp, &np->in_osrc);
537 #ifdef NEED_128BIT_MATH
538 } else if (np->in_redir & NAT_MAPBLK) {
539 if ((l >= np->in_ppip) || ((l > 0) &&
540 !(flags & IPN_TCPUDP))) {
541 NBUMPSIDE6DX(1, ns_exhausted, ns_exhausted_2);
545 * map-block - Calculate destination address.
547 IP6_MASK(&in, &fin->fin_src6, &np->in_osrcmsk6);
550 in.s_addr /= np->in_ippip;
551 in.s_addr &= ntohl(~np->in_nsrcmsk6);
552 in.s_addr += ntohl(np->in_nsrcaddr6);
554 * Calculate destination port.
556 if ((flags & IPN_TCPUDP) &&
557 (np->in_ppip != 0)) {
558 port = ntohs(sport) + l;
560 port += np->in_ppip *
561 (inb.s_addr % np->in_ippip);
562 port += MAPBLK_MINPORT;
567 } else if (IP6_ISZERO(&np->in_nsrcaddr) &&
568 IP6_ISONES(&np->in_nsrcmsk)) {
570 * 0/32 - use the interface's IP address.
573 ipf_ifpaddr(softc, 6, FRI_NORMAL, fin->fin_ifp,
575 NBUMPSIDE6DX(1, ns_new_ifpaddr,
580 } else if (IP6_ISZERO(&np->in_nsrcip6) &&
581 IP6_ISZERO(&np->in_nsrcmsk6)) {
583 * 0/0 - use the original source address/port.
586 NBUMPSIDE6DX(1, ns_exhausted, ns_exhausted_3);
591 } else if (!IP6_ISONES(&np->in_nsrcmsk6) &&
592 (np->in_spnext == 0) && ((l > 0) || (hm == NULL))) {
593 IP6_INC(&np->in_snip6);
598 if ((flags & IPN_TCPUDP) &&
599 ((np->in_redir & NAT_MAPBLK) == 0) &&
600 (np->in_flags & IPN_AUTOPORTMAP)) {
601 #ifdef NEED_128BIT_MATH
603 * "ports auto" (without map-block)
605 if ((l > 0) && (l % np->in_ppip == 0)) {
606 if ((l > np->in_ppip) &&
607 !IP6_ISONES(&np->in_nsrcmsk)) {
608 IP6_INC(&np->in_snip6)
611 if (np->in_ppip != 0) {
613 port += (l % np->in_ppip);
615 port += np->in_ppip *
616 (ntohl(fin->fin_src6) %
618 port += MAPBLK_MINPORT;
623 } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
624 (flags & IPN_TCPUDPICMP) && (np->in_spnext != 0)) {
626 * Standard port translation. Select next port.
628 if (np->in_flags & IPN_SEQUENTIAL) {
629 port = np->in_spnext;
631 port = ipf_random() % (np->in_spmax -
633 port += np->in_spmin;
638 if (np->in_spnext > np->in_spmax) {
639 np->in_spnext = np->in_spmin;
640 if (!IP6_ISONES(&np->in_nsrcmsk6)) {
641 IP6_INC(&np->in_snip6);
646 if (np->in_flags & IPN_SIPRANGE) {
647 if (IP6_GT(&np->in_snip, &np->in_nsrcmsk))
648 np->in_snip6 = np->in_nsrcip6;
654 IP6_AND(&a1, &np->in_nsrcmsk6, &a2);
656 if (!IP6_ISONES(&np->in_nsrcmsk6) &&
657 IP6_GT(&a2, &np->in_nsrcip6)) {
658 IP6_ADD(&np->in_nsrcip6, 1, &np->in_snip6);
662 if ((port == 0) && (flags & (IPN_TCPUDPICMP|IPN_ICMPQUERY)))
666 * Here we do a lookup of the connection as seen from
667 * the outside. If an IP# pair already exists, try
668 * again. So if you have A->B becomes C->B, you can
669 * also have D->E become C->E but not D->B causing
670 * another C->B. Also take protocol and ports into
671 * account when determining whether a pre-existing
672 * NAT setup will cause an external conflict where
673 * this is appropriate.
675 sp = fin->fin_data[0];
676 dp = fin->fin_data[1];
677 fin->fin_data[0] = fin->fin_data[1];
678 fin->fin_data[1] = ntohs(port);
679 natl = ipf_nat6_inlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH),
680 (u_int)fin->fin_p, &fin->fin_dst6.in6,
682 fin->fin_data[0] = sp;
683 fin->fin_data[1] = dp;
686 * Has the search wrapped around and come back to the
689 if ((natl != NULL) &&
690 (np->in_spnext != 0) && (st_port == np->in_spnext) &&
691 (!IP6_ISZERO(&np->in_snip6) &&
692 IP6_EQ(&st_ip, &np->in_snip6))) {
693 NBUMPSIDE6D(1, ns_wrap);
697 } while (natl != NULL);
699 /* Setup the NAT table */
700 nat->nat_osrc6 = fin->fin_src6;
702 nat->nat_odst6 = fin->fin_dst6;
703 nat->nat_ndst6 = fin->fin_dst6;
704 if (nat->nat_hm == NULL)
705 nat->nat_hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6,
709 if (flags & IPN_TCPUDP) {
710 nat->nat_osport = sport;
711 nat->nat_nsport = port; /* sport */
712 nat->nat_odport = dport;
713 nat->nat_ndport = dport;
714 ((tcphdr_t *)fin->fin_dp)->th_sport = port;
715 } else if (flags & IPN_ICMPQUERY) {
716 nat->nat_oicmpid = fin->fin_data[1];
717 ((struct icmp6_hdr *)fin->fin_dp)->icmp6_id = port;
718 nat->nat_nicmpid = port;
724 /* ------------------------------------------------------------------------ */
725 /* Function: ipf_nat6_newrdr */
726 /* Returns: int - -1 == error, 0 == success (no move), 1 == success and */
727 /* allow rule to be moved if IPN_ROUNDR is set. */
728 /* Parameters: fin(I) - pointer to packet information */
729 /* nat(I) - pointer to NAT entry */
730 /* ni(I) - pointer to structure with misc. information needed */
731 /* to create new NAT entry. */
733 /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
734 /* to the new IP address for the translation. */
735 /* ------------------------------------------------------------------------ */
737 ipf_nat6_newrdr(fin, nat, ni)
742 ipf_main_softc_t *softc = fin->fin_main_soft;
743 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
744 u_short nport, dport, sport;
760 flags = nat->nat_flags;
762 if (flags & IPN_ICMPQUERY) {
763 dport = fin->fin_data[1];
766 sport = htons(fin->fin_data[0]);
767 dport = htons(fin->fin_data[1]);
770 /* TRACE sport, dport */
774 * If the matching rule has IPN_STICKY set, then we want to have the
775 * same rule kick in as before. Why would this happen? If you have
776 * a collection of rdr rules with "round-robin sticky", the current
777 * packet might match a different one to the previous connection but
778 * we want the same destination to be used.
780 if (((np->in_flags & (IPN_ROUNDR|IPN_SPLIT)) != 0) &&
781 ((np->in_flags & IPN_STICKY) != 0)) {
782 hm = ipf_nat6_hostmap(softn, NULL, &fin->fin_src6,
783 &fin->fin_dst6, &in, (u_32_t)dport);
793 * Otherwise, it's an inbound packet. Most likely, we don't
794 * want to rewrite source ports and source addresses. Instead,
795 * we want to rewrite to a fixed internal address and fixed
798 if (np->in_flags & IPN_SPLIT) {
801 if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) {
802 hm = ipf_nat6_hostmap(softn, NULL, &fin->fin_src6,
811 if (hm == NULL || hm->hm_ref == 1) {
812 if (IP6_EQ(&np->in_ndstip6, &in)) {
813 np->in_dnip6 = np->in_ndstmsk6;
816 np->in_dnip6 = np->in_ndstip6;
820 } else if (IP6_ISZERO(&np->in_ndstaddr) &&
821 IP6_ISONES(&np->in_ndstmsk)) {
823 * 0/32 - use the interface's IP address.
825 if (ipf_ifpaddr(softc, 6, FRI_NORMAL, fin->fin_ifp,
827 NBUMPSIDE6DX(0, ns_new_ifpaddr, ns_new_ifpaddr_2);
831 } else if (IP6_ISZERO(&np->in_ndstip6) &&
832 IP6_ISZERO(&np->in_ndstmsk6)) {
834 * 0/0 - use the original destination address/port.
838 } else if (np->in_redir == NAT_BIMAP &&
839 IP6_EQ(&np->in_ndstmsk6, &np->in_odstmsk6)) {
842 * map the address block in a 1:1 fashion
844 temp.i6[0] = fin->fin_dst6.i6[0] & ~np->in_osrcmsk6.i6[0];
845 temp.i6[1] = fin->fin_dst6.i6[1] & ~np->in_osrcmsk6.i6[1];
846 temp.i6[2] = fin->fin_dst6.i6[2] & ~np->in_osrcmsk6.i6[0];
847 temp.i6[3] = fin->fin_dst6.i6[3] & ~np->in_osrcmsk6.i6[3];
849 IP6_MERGE(&in, &temp, &np->in_ndstmsk6);
854 if ((np->in_dpnext == 0) || ((flags & NAT_NOTRULEPORT) != 0))
858 * Whilst not optimized for the case where
859 * pmin == pmax, the gain is not significant.
861 if (((np->in_flags & IPN_FIXEDDPORT) == 0) &&
862 (np->in_odport != np->in_dtop)) {
863 nport = ntohs(dport) - np->in_odport + np->in_dpmax;
864 nport = htons(nport);
866 nport = htons(np->in_dpnext);
868 if (np->in_dpnext > np->in_dpmax)
869 np->in_dpnext = np->in_dpmin;
874 * When the redirect-to address is set to 0.0.0.0, just
875 * assume a blank `forwarding' of the packet. We don't
876 * setup any translation for this either.
878 if (IP6_ISZERO(&in)) {
879 if (nport == dport) {
880 NBUMPSIDE6D(0, ns_xlate_null);
887 * Check to see if this redirect mapping already exists and if
888 * it does, return "failure" (allowing it to be created will just
889 * cause one or both of these "connections" to stop working.)
891 sp = fin->fin_data[0];
892 dp = fin->fin_data[1];
893 fin->fin_data[1] = fin->fin_data[0];
894 fin->fin_data[0] = ntohs(nport);
895 natl = ipf_nat6_outlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH),
896 (u_int)fin->fin_p, &in.in6,
898 fin->fin_data[0] = sp;
899 fin->fin_data[1] = dp;
901 NBUMPSIDE6D(0, ns_xlate_exists);
906 nat->nat_odst6 = fin->fin_dst6;
907 nat->nat_nsrc6 = fin->fin_src6;
908 nat->nat_osrc6 = fin->fin_src6;
909 if ((nat->nat_hm == NULL) && ((np->in_flags & IPN_STICKY) != 0))
910 nat->nat_hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6,
914 if (flags & IPN_TCPUDP) {
915 nat->nat_odport = dport;
916 nat->nat_ndport = nport;
917 nat->nat_osport = sport;
918 nat->nat_nsport = sport;
919 ((tcphdr_t *)fin->fin_dp)->th_dport = nport;
920 } else if (flags & IPN_ICMPQUERY) {
921 nat->nat_oicmpid = fin->fin_data[1];
922 ((struct icmp6_hdr *)fin->fin_dp)->icmp6_id = nport;
923 nat->nat_nicmpid = nport;
929 /* ------------------------------------------------------------------------ */
930 /* Function: ipf_nat6_add */
931 /* Returns: nat6_t* - NULL == failure to create new NAT structure, */
932 /* else pointer to new NAT structure */
933 /* Parameters: fin(I) - pointer to packet information */
934 /* np(I) - pointer to NAT rule */
935 /* natsave(I) - pointer to where to store NAT struct pointer */
936 /* flags(I) - flags describing the current packet */
937 /* direction(I) - direction of packet (in/out) */
938 /* Write Lock: ipf_nat */
940 /* Attempts to create a new NAT entry. Does not actually change the packet */
943 /* This fucntion is in three main parts: (1) deal with creating a new NAT */
944 /* structure for a "MAP" rule (outgoing NAT translation); (2) deal with */
945 /* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */
946 /* and (3) building that structure and putting it into the NAT table(s). */
948 /* NOTE: natsave should NOT be used top point back to an ipstate_t struct */
949 /* as it can result in memory being corrupted. */
950 /* ------------------------------------------------------------------------ */
952 ipf_nat6_add(fin, np, natsave, flags, direction)
959 ipf_main_softc_t *softc = fin->fin_main_soft;
960 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
961 hostmap_t *hm = NULL;
967 #if SOLARIS && defined(_KERNEL) && defined(ICK_M_CTL_MAGIC)
968 qpktinfo_t *qpi = fin->fin_qpi;
971 nsp = &softn->ipf_nat_stats;
973 if ((nsp->ns_active * 100 / softn->ipf_nat_table_max) >
974 softn->ipf_nat_table_wm_high) {
975 softn->ipf_nat_doflush = 1;
978 if (nsp->ns_active >= softn->ipf_nat_table_max) {
979 NBUMPSIDE6(fin->fin_out, ns_table_max);
984 nflags = np->in_flags & flags;
985 nflags &= NAT_FROMRULE;
991 /* Give me a new nat */
992 KMALLOC(nat, nat_t *);
994 NBUMPSIDE6(fin->fin_out, ns_memfail);
996 * Try to automatically tune the max # of entries in the
997 * table allowed to be less than what will cause kmem_alloc()
998 * to fail and try to eliminate panics due to out of memory
999 * conditions arising.
1001 if ((softn->ipf_nat_table_max > softn->ipf_nat_table_sz) &&
1002 (nsp->ns_active > 100)) {
1003 softn->ipf_nat_table_max = nsp->ns_active - 100;
1004 printf("table_max reduced to %d\n",
1005 softn->ipf_nat_table_max);
1010 if (flags & IPN_ICMPQUERY) {
1012 * In the ICMP query NAT code, we translate the ICMP id fields
1013 * to make them unique. This is indepedent of the ICMP type
1014 * (e.g. in the unlikely event that a host sends an echo and
1015 * an tstamp request with the same id, both packets will have
1016 * their ip address/id field changed in the same way).
1018 /* The icmp6_id field is used by the sender to identify the
1019 * process making the icmp request. (the receiver justs
1020 * copies it back in its response). So, it closely matches
1021 * the concept of source port. We overlay sport, so we can
1022 * maximally reuse the existing code.
1024 ni.nai_sport = fin->fin_data[1];
1028 bzero((char *)nat, sizeof(*nat));
1029 nat->nat_flags = flags;
1030 nat->nat_redir = np->in_redir;
1031 nat->nat_dir = direction;
1032 nat->nat_pr[0] = fin->fin_p;
1033 nat->nat_pr[1] = fin->fin_p;
1036 * Search the current table for a match and create a new mapping
1037 * if there is none found.
1039 if (np->in_redir & NAT_DIVERTUDP) {
1040 move = ipf_nat6_newdivert(fin, nat, &ni);
1042 } else if (np->in_redir & NAT_REWRITE) {
1043 move = ipf_nat6_newrewrite(fin, nat, &ni);
1045 } else if (direction == NAT_OUTBOUND) {
1047 * We can now arrange to call this for the same connection
1048 * because ipf_nat6_new doesn't protect the code path into
1051 natl = ipf_nat6_outlookup(fin, nflags, (u_int)fin->fin_p,
1053 &fin->fin_dst6.in6);
1060 move = ipf_nat6_newmap(fin, nat, &ni);
1063 * NAT_INBOUND is used for redirects rules
1065 natl = ipf_nat6_inlookup(fin, nflags, (u_int)fin->fin_p,
1067 &fin->fin_dst6.in6);
1074 move = ipf_nat6_newrdr(fin, nat, &ni);
1081 nat->nat_mssclamp = np->in_mssclamp;
1082 nat->nat_me = natsave;
1083 nat->nat_fr = fin->fin_fr;
1084 nat->nat_rev = fin->fin_rev;
1086 nat->nat_dlocal = np->in_dlocal;
1088 if ((np->in_apr != NULL) && ((nat->nat_flags & NAT_SLAVE) == 0)) {
1089 if (ipf_proxy_new(fin, nat) == -1) {
1090 NBUMPSIDE6D(fin->fin_out, ns_appr_fail);
1095 nat->nat_ifps[0] = np->in_ifps[0];
1096 if (np->in_ifps[0] != NULL) {
1097 COPYIFNAME(np->in_v[0], np->in_ifps[0], nat->nat_ifnames[0]);
1100 nat->nat_ifps[1] = np->in_ifps[1];
1101 if (np->in_ifps[1] != NULL) {
1102 COPYIFNAME(np->in_v[1], np->in_ifps[1], nat->nat_ifnames[1]);
1105 if (ipf_nat6_finalise(fin, nat) == -1) {
1111 if ((move == 1) && (np->in_flags & IPN_ROUNDR)) {
1112 if ((np->in_redir & (NAT_REDIRECT|NAT_MAP)) == NAT_REDIRECT) {
1113 ipf_nat6_delrdr(softn, np);
1114 ipf_nat6_addrdr(softn, np);
1115 } else if ((np->in_redir & (NAT_REDIRECT|NAT_MAP)) == NAT_MAP) {
1116 ipf_nat6_delmap(softn, np);
1117 ipf_nat6_addmap(softn, np);
1121 if (flags & SI_WILDP)
1123 softn->ipf_nat_stats.ns_proto[nat->nat_pr[0]]++;
1127 NBUMPSIDE6(fin->fin_out, ns_badnatnew);
1128 if ((hm = nat->nat_hm) != NULL)
1129 ipf_nat_hostmapdel(softc, &hm);
1133 if (nat != NULL && np != NULL)
1135 if (natsave != NULL)
1141 /* ------------------------------------------------------------------------ */
1142 /* Function: ipf_nat6_finalise */
1143 /* Returns: int - 0 == sucess, -1 == failure */
1144 /* Parameters: fin(I) - pointer to packet information */
1145 /* nat(I) - pointer to NAT entry */
1146 /* Write Lock: ipf_nat */
1148 /* This is the tail end of constructing a new NAT entry and is the same */
1149 /* for both IPv4 and IPv6. */
1150 /* ------------------------------------------------------------------------ */
1153 ipf_nat6_finalise(fin, nat)
1157 ipf_main_softc_t *softc = fin->fin_main_soft;
1158 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1159 u_32_t sum1, sum2, sumd;
1163 flags = nat->nat_flags;
1167 case IPPROTO_ICMPV6 :
1168 sum1 = LONG_SUM6(&nat->nat_osrc6);
1169 sum1 += ntohs(nat->nat_oicmpid);
1170 sum2 = LONG_SUM6(&nat->nat_nsrc6);
1171 sum2 += ntohs(nat->nat_nicmpid);
1172 CALC_SUMD(sum1, sum2, sumd);
1173 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1175 sum1 = LONG_SUM6(&nat->nat_odst6);
1176 sum2 = LONG_SUM6(&nat->nat_ndst6);
1177 CALC_SUMD(sum1, sum2, sumd);
1178 nat->nat_sumd[0] += (sumd & 0xffff) + (sumd >> 16);
1183 sum1 = LONG_SUM6(&nat->nat_osrc6);
1184 sum1 += ntohs(nat->nat_osport);
1185 sum2 = LONG_SUM6(&nat->nat_nsrc6);
1186 sum2 += ntohs(nat->nat_nsport);
1187 CALC_SUMD(sum1, sum2, sumd);
1188 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1190 sum1 = LONG_SUM6(&nat->nat_odst6);
1191 sum1 += ntohs(nat->nat_odport);
1192 sum2 = LONG_SUM6(&nat->nat_ndst6);
1193 sum2 += ntohs(nat->nat_ndport);
1194 CALC_SUMD(sum1, sum2, sumd);
1195 nat->nat_sumd[0] += (sumd & 0xffff) + (sumd >> 16);
1199 sum1 = LONG_SUM6(&nat->nat_osrc6);
1200 sum2 = LONG_SUM6(&nat->nat_nsrc6);
1201 CALC_SUMD(sum1, sum2, sumd);
1202 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1204 sum1 = LONG_SUM6(&nat->nat_odst6);
1205 sum2 = LONG_SUM6(&nat->nat_ndst6);
1206 CALC_SUMD(sum1, sum2, sumd);
1207 nat->nat_sumd[0] += (sumd & 0xffff) + (sumd >> 16);
1212 * Compute the partial checksum, just in case.
1213 * This is only ever placed into outbound packets so care needs
1214 * to be taken over which pair of addresses are used.
1216 if (nat->nat_dir == NAT_OUTBOUND) {
1217 sum1 = LONG_SUM6(&nat->nat_nsrc6);
1218 sum1 += LONG_SUM6(&nat->nat_ndst6);
1220 sum1 = LONG_SUM6(&nat->nat_osrc6);
1221 sum1 += LONG_SUM6(&nat->nat_odst6);
1223 sum1 += nat->nat_pr[1];
1224 nat->nat_sumd[1] = (sum1 & 0xffff) + (sum1 >> 16);
1226 if ((nat->nat_flags & SI_CLONE) == 0)
1227 nat->nat_sync = ipf_sync_new(softc, SMC_NAT, fin, nat);
1229 if ((nat->nat_ifps[0] != NULL) && (nat->nat_ifps[0] != (void *)-1)) {
1230 nat->nat_mtu[0] = GETIFMTU_6(nat->nat_ifps[0]);
1233 if ((nat->nat_ifps[1] != NULL) && (nat->nat_ifps[1] != (void *)-1)) {
1234 nat->nat_mtu[1] = GETIFMTU_6(nat->nat_ifps[1]);
1240 if (ipf_nat6_insert(softc, softn, nat) == 0) {
1241 if (softn->ipf_nat_logging)
1242 ipf_nat_log(softc, softn, nat, NL_NEW);
1245 MUTEX_ENTER(&fr->fr_lock);
1247 MUTEX_EXIT(&fr->fr_lock);
1252 NBUMPSIDE6D(fin->fin_out, ns_unfinalised);
1254 * nat6_insert failed, so cleanup time...
1256 if (nat->nat_sync != NULL)
1257 ipf_sync_del_nat(softc->ipf_sync_soft, nat->nat_sync);
1262 /* ------------------------------------------------------------------------ */
1263 /* Function: ipf_nat6_insert */
1264 /* Returns: int - 0 == sucess, -1 == failure */
1265 /* Parameters: softc(I) - pointer to soft context main structure */
1266 /* softn(I) - pointer to NAT context structure */
1267 /* nat(I) - pointer to NAT structure */
1268 /* Write Lock: ipf_nat */
1270 /* Insert a NAT entry into the hash tables for searching and add it to the */
1271 /* list of active NAT entries. Adjust global counters when complete. */
1272 /* ------------------------------------------------------------------------ */
1274 ipf_nat6_insert(softc, softn, nat)
1275 ipf_main_softc_t *softc;
1276 ipf_nat_softc_t *softn;
1284 * Try and return an error as early as possible, so calculate the hash
1285 * entry numbers first and then proceed.
1287 if ((nat->nat_flags & (SI_W_SPORT|SI_W_DPORT)) == 0) {
1288 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
1289 sp = nat->nat_osport;
1290 dp = nat->nat_odport;
1291 } else if ((nat->nat_flags & IPN_ICMPQUERY) != 0) {
1293 dp = nat->nat_oicmpid;
1298 hv1 = NAT_HASH_FN6(&nat->nat_osrc6, sp, 0xffffffff);
1299 hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + dp,
1300 softn->ipf_nat_table_sz);
1303 * TRACE nat6_osrc6, nat6_osport, nat6_odst6,
1307 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
1308 sp = nat->nat_nsport;
1309 dp = nat->nat_ndport;
1310 } else if ((nat->nat_flags & IPN_ICMPQUERY) != 0) {
1312 dp = nat->nat_nicmpid;
1317 hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, sp, 0xffffffff);
1318 hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + dp,
1319 softn->ipf_nat_table_sz);
1321 * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr,
1325 hv1 = NAT_HASH_FN6(&nat->nat_osrc6, 0, 0xffffffff);
1326 hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1,
1327 softn->ipf_nat_table_sz);
1328 /* TRACE nat6_osrcip6, nat6_odstip6, hv1 */
1330 hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, 0, 0xffffffff);
1331 hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2,
1332 softn->ipf_nat_table_sz);
1333 /* TRACE nat6_nsrcip6, nat6_ndstip6, hv2 */
1336 nat->nat_hv[0] = hv1;
1337 nat->nat_hv[1] = hv2;
1339 MUTEX_INIT(&nat->nat_lock, "nat entry lock");
1342 nat->nat_ref = nat->nat_me ? 2 : 1;
1344 nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0';
1345 nat->nat_ifps[0] = ipf_resolvenic(softc, nat->nat_ifnames[0],
1348 if (nat->nat_ifnames[1][0] != '\0') {
1349 nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
1350 nat->nat_ifps[1] = ipf_resolvenic(softc, nat->nat_ifnames[1],
1352 } else if (in->in_ifnames[1] != -1) {
1355 name = in->in_names + in->in_ifnames[1];
1356 if (name[1] != '\0' && name[0] != '-' && name[0] != '*') {
1357 (void) strncpy(nat->nat_ifnames[1],
1358 nat->nat_ifnames[0], LIFNAMSIZ);
1359 nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
1360 nat->nat_ifps[1] = nat->nat_ifps[0];
1363 if ((nat->nat_ifps[0] != NULL) && (nat->nat_ifps[0] != (void *)-1)) {
1364 nat->nat_mtu[0] = GETIFMTU_6(nat->nat_ifps[0]);
1366 if ((nat->nat_ifps[1] != NULL) && (nat->nat_ifps[1] != (void *)-1)) {
1367 nat->nat_mtu[1] = GETIFMTU_6(nat->nat_ifps[1]);
1370 return ipf_nat_hashtab_add(softc, softn, nat);
1374 /* ------------------------------------------------------------------------ */
1375 /* Function: ipf_nat6_icmperrorlookup */
1376 /* Returns: nat6_t* - point to matching NAT structure */
1377 /* Parameters: fin(I) - pointer to packet information */
1378 /* dir(I) - direction of packet (in/out) */
1380 /* Check if the ICMP error message is related to an existing TCP, UDP or */
1381 /* ICMP query nat entry. It is assumed that the packet is already of the */
1382 /* the required length. */
1383 /* ------------------------------------------------------------------------ */
1385 ipf_nat6_icmperrorlookup(fin, dir)
1389 ipf_main_softc_t *softc = fin->fin_main_soft;
1390 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1391 struct icmp6_hdr *icmp6, *orgicmp;
1392 int flags = 0, type, minlen;
1393 nat_stat_side_t *nside;
1394 tcphdr_t *tcp = NULL;
1401 icmp6 = fin->fin_dp;
1402 type = icmp6->icmp6_type;
1403 nside = &softn->ipf_nat_stats.ns_side6[fin->fin_out];
1405 * Does it at least have the return (basic) IP header ?
1406 * Only a basic IP header (no options) should be with an ICMP error
1407 * header. Also, if it's not an error type, then return.
1409 if (!(fin->fin_flx & FI_ICMPERR)) {
1410 ATOMIC_INCL(nside->ns_icmp_basic);
1417 if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) {
1418 ATOMIC_INCL(nside->ns_icmp_size);
1421 oip6 = (ip6_t *)((char *)fin->fin_dp + 8);
1424 * Is the buffer big enough for all of it ? It's the size of the IP
1425 * header claimed in the encapsulated part which is of concern. It
1426 * may be too big to be in this buffer but not so big that it's
1427 * outside the ICMP packet, leading to TCP deref's causing problems.
1428 * This is possible because we don't know how big oip_hl is when we
1429 * do the pullup early in ipf_check() and thus can't gaurantee it is
1438 if ((char *)oip6 + fin->fin_dlen - ICMPERR_ICMPHLEN >
1439 (char *)m->b_wptr) {
1440 ATOMIC_INCL(nside->ns_icmp_mbuf);
1444 if ((char *)oip6 + fin->fin_dlen - ICMPERR_ICMPHLEN >
1445 (char *)fin->fin_ip + M_LEN(m)) {
1446 ATOMIC_INCL(nside->ns_icmp_mbuf);
1453 if (IP6_NEQ(&fin->fin_dst6, &oip6->ip6_src)) {
1454 ATOMIC_INCL(nside->ns_icmp_address);
1459 if (p == IPPROTO_TCP)
1461 else if (p == IPPROTO_UDP)
1463 else if (p == IPPROTO_ICMPV6) {
1464 orgicmp = (struct icmp6_hdr *)(oip6 + 1);
1466 /* see if this is related to an ICMP query */
1467 if (ipf_nat6_icmpquerytype(orgicmp->icmp6_type)) {
1468 data[0] = fin->fin_data[0];
1469 data[1] = fin->fin_data[1];
1470 fin->fin_data[0] = 0;
1471 fin->fin_data[1] = orgicmp->icmp6_id;
1473 flags = IPN_ICMPERR|IPN_ICMPQUERY;
1475 * NOTE : dir refers to the direction of the original
1476 * ip packet. By definition the icmp error
1477 * message flows in the opposite direction.
1479 if (dir == NAT_INBOUND)
1480 nat = ipf_nat6_inlookup(fin, flags, p,
1484 nat = ipf_nat6_outlookup(fin, flags, p,
1487 fin->fin_data[0] = data[0];
1488 fin->fin_data[1] = data[1];
1493 if (flags & IPN_TCPUDP) {
1494 minlen += 8; /* + 64bits of data to get ports */
1495 /* TRACE (fin,minlen) */
1496 if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen) {
1497 ATOMIC_INCL(nside->ns_icmp_short);
1501 data[0] = fin->fin_data[0];
1502 data[1] = fin->fin_data[1];
1503 tcp = (tcphdr_t *)(oip6 + 1);
1504 fin->fin_data[0] = ntohs(tcp->th_dport);
1505 fin->fin_data[1] = ntohs(tcp->th_sport);
1507 if (dir == NAT_INBOUND) {
1508 nat = ipf_nat6_inlookup(fin, flags, p, &oip6->ip6_dst,
1511 nat = ipf_nat6_outlookup(fin, flags, p, &oip6->ip6_dst,
1514 fin->fin_data[0] = data[0];
1515 fin->fin_data[1] = data[1];
1518 if (dir == NAT_INBOUND)
1519 nat = ipf_nat6_inlookup(fin, 0, p, &oip6->ip6_dst,
1522 nat = ipf_nat6_outlookup(fin, 0, p, &oip6->ip6_dst,
1529 /* result = ip1 - ip2 */
1531 ipf_nat6_ip6subtract(ip1, ip2)
1532 i6addr_t *ip1, *ip2;
1535 u_short *s1, *s2, *ds;
1542 s1 = (u_short *)&l1;
1543 s2 = (u_short *)&l2;
1546 for (i = 7; i > 0; i--) {
1547 if (s1[i] > s2[i]) {
1548 ds[i] = s2[i] + 0x10000 - s1[i];
1549 s2[i - 1] += 0x10000;
1551 ds[i] = s2[i] - s1[i];
1554 if (s2[0] > s1[0]) {
1555 ds[0] = s2[0] + 0x10000 - s1[0];
1558 ds[0] = s2[0] - s1[0];
1561 for (i = 0, r = 0; i < 8; i++) {
1569 /* ------------------------------------------------------------------------ */
1570 /* Function: ipf_nat6_icmperror */
1571 /* Returns: nat6_t* - point to matching NAT structure */
1572 /* Parameters: fin(I) - pointer to packet information */
1573 /* nflags(I) - NAT flags for this packet */
1574 /* dir(I) - direction of packet (in/out) */
1576 /* Fix up an ICMP packet which is an error message for an existing NAT */
1577 /* session. This will correct both packet header data and checksums. */
1579 /* This should *ONLY* be used for incoming ICMP error packets to make sure */
1580 /* a NAT'd ICMP packet gets correctly recognised. */
1581 /* ------------------------------------------------------------------------ */
1583 ipf_nat6_icmperror(fin, nflags, dir)
1588 ipf_main_softc_t *softc = fin->fin_main_soft;
1589 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1590 u_32_t sum1, sum2, sumd, sumd2;
1591 i6addr_t a1, a2, a3, a4;
1592 struct icmp6_hdr *icmp6;
1593 int flags, dlen, odst;
1600 if ((fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) {
1601 NBUMPSIDE6D(fin->fin_out, ns_icmp_short);
1606 * ipf_nat6_icmperrorlookup() will return NULL for `defective' packets.
1608 if ((fin->fin_v != 6) || !(nat = ipf_nat6_icmperrorlookup(fin, dir))) {
1609 NBUMPSIDE6D(fin->fin_out, ns_icmp_notfound);
1617 *nflags = IPN_ICMPERR;
1618 icmp6 = fin->fin_dp;
1619 oip6 = (ip6_t *)((u_char *)icmp6 + sizeof(*icmp6));
1620 dp = (u_char *)oip6 + sizeof(*oip6);
1621 if (oip6->ip6_nxt == IPPROTO_TCP) {
1622 tcp = (tcphdr_t *)dp;
1623 csump = (u_short *)&tcp->th_sum;
1625 } else if (oip6->ip6_nxt == IPPROTO_UDP) {
1628 udp = (udphdr_t *)dp;
1629 tcp = (tcphdr_t *)dp;
1630 csump = (u_short *)&udp->uh_sum;
1632 } else if (oip6->ip6_nxt == IPPROTO_ICMPV6)
1633 flags = IPN_ICMPQUERY;
1634 dlen = fin->fin_plen - ((char *)dp - (char *)fin->fin_ip);
1637 * Need to adjust ICMP header to include the real IP#'s and
1638 * port #'s. Only apply a checksum change relative to the
1639 * IP address change as it will be modified again in ipf_nat6_checkout
1640 * for both address and port. Two checksum changes are
1641 * necessary for the two header address changes. Be careful
1642 * to only modify the checksum once for the port # and twice
1648 * Fix the IP addresses in the offending IP packet. You also need
1649 * to adjust the IP header checksum of that offending IP packet.
1651 * Normally, you would expect that the ICMP checksum of the
1652 * ICMP error message needs to be adjusted as well for the
1653 * IP address change in oip.
1654 * However, this is a NOP, because the ICMP checksum is
1655 * calculated over the complete ICMP packet, which includes the
1656 * changed oip IP addresses and oip6->ip6_sum. However, these
1657 * two changes cancel each other out (if the delta for
1658 * the IP address is x, then the delta for ip_sum is minus x),
1659 * so no change in the icmp_cksum is necessary.
1663 * MAP rule, SRC=a,DST=b -> SRC=c,DST=b
1664 * - response to outgoing packet (a,b)=>(c,b) (OIP_SRC=c,OIP_DST=b)
1665 * - OIP_SRC(c)=nat6_newsrcip, OIP_DST(b)=nat6_newdstip
1666 *=> OIP_SRC(c)=nat6_oldsrcip, OIP_DST(b)=nat6_olddstip
1668 * RDR rule, SRC=a,DST=b -> SRC=a,DST=c
1669 * - response to outgoing packet (c,a)=>(b,a) (OIP_SRC=b,OIP_DST=a)
1670 * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip
1671 *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip
1673 * REWRITE out rule, SRC=a,DST=b -> SRC=c,DST=d
1674 * - response to outgoing packet (a,b)=>(c,d) (OIP_SRC=c,OIP_DST=d)
1675 * - OIP_SRC(c)=nat6_newsrcip, OIP_DST(d)=nat6_newdstip
1676 *=> OIP_SRC(c)=nat6_oldsrcip, OIP_DST(d)=nat6_olddstip
1678 * REWRITE in rule, SRC=a,DST=b -> SRC=c,DST=d
1679 * - response to outgoing packet (d,c)=>(b,a) (OIP_SRC=b,OIP_DST=a)
1680 * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip
1681 *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip
1685 * MAP rule, SRC=a,DST=b -> SRC=c,DST=b
1686 * - response to incoming packet (b,c)=>(b,a) (OIP_SRC=b,OIP_DST=a)
1687 * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip
1688 *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip
1690 * RDR rule, SRC=a,DST=b -> SRC=a,DST=c
1691 * - response to incoming packet (a,b)=>(a,c) (OIP_SRC=a,OIP_DST=c)
1692 * - OIP_SRC(a)=nat6_newsrcip, OIP_DST(c)=nat6_newdstip
1693 *=> OIP_SRC(a)=nat6_oldsrcip, OIP_DST(c)=nat6_olddstip
1695 * REWRITE out rule, SRC=a,DST=b -> SRC=c,DST=d
1696 * - response to incoming packet (d,c)=>(b,a) (OIP_SRC=c,OIP_DST=d)
1697 * - OIP_SRC(c)=nat6_olddstip, OIP_DST(d)=nat6_oldsrcip
1698 *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip
1700 * REWRITE in rule, SRC=a,DST=b -> SRC=c,DST=d
1701 * - response to incoming packet (a,b)=>(c,d) (OIP_SRC=b,OIP_DST=a)
1702 * - OIP_SRC(b)=nat6_newsrcip, OIP_DST(a)=nat6_newdstip
1703 *=> OIP_SRC(a)=nat6_oldsrcip, OIP_DST(c)=nat6_olddstip
1706 if (((fin->fin_out == 0) && ((nat->nat_redir & NAT_MAP) != 0)) ||
1707 ((fin->fin_out == 1) && ((nat->nat_redir & NAT_REDIRECT) != 0))) {
1708 a1 = nat->nat_osrc6;
1709 a4.in6 = oip6->ip6_src;
1710 a3 = nat->nat_odst6;
1711 a2.in6 = oip6->ip6_dst;
1712 oip6->ip6_src = a1.in6;
1713 oip6->ip6_dst = a3.in6;
1716 a1 = nat->nat_ndst6;
1717 a2.in6 = oip6->ip6_dst;
1718 a3 = nat->nat_nsrc6;
1719 a4.in6 = oip6->ip6_src;
1720 oip6->ip6_dst = a3.in6;
1721 oip6->ip6_src = a1.in6;
1726 if (IP6_NEQ(&a3, &a2) || IP6_NEQ(&a1, &a4)) {
1727 if (IP6_GT(&a3, &a2)) {
1728 sumd = ipf_nat6_ip6subtract(&a2, &a3);
1731 sumd = ipf_nat6_ip6subtract(&a2, &a3);
1733 if (IP6_GT(&a1, &a4)) {
1734 sumd += ipf_nat6_ip6subtract(&a4, &a1);
1737 sumd += ipf_nat6_ip6subtract(&a4, &a1);
1747 * Fix UDP pseudo header checksum to compensate for the
1748 * IP address change.
1750 if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) {
1754 * For offending TCP/UDP IP packets, translate the ports as
1755 * well, based on the NAT specification. Of course such
1756 * a change may be reflected in the ICMP checksum as well.
1758 * Since the port fields are part of the TCP/UDP checksum
1759 * of the offending IP packet, you need to adjust that checksum
1760 * as well... except that the change in the port numbers should
1761 * be offset by the checksum change. However, the TCP/UDP
1762 * checksum will also need to change if there has been an
1763 * IP address change.
1766 sum1 = ntohs(nat->nat_osport);
1767 sum4 = ntohs(tcp->th_sport);
1768 sum3 = ntohs(nat->nat_odport);
1769 sum2 = ntohs(tcp->th_dport);
1771 tcp->th_sport = htons(sum1);
1772 tcp->th_dport = htons(sum3);
1774 sum1 = ntohs(nat->nat_ndport);
1775 sum2 = ntohs(tcp->th_dport);
1776 sum3 = ntohs(nat->nat_nsport);
1777 sum4 = ntohs(tcp->th_sport);
1779 tcp->th_dport = htons(sum3);
1780 tcp->th_sport = htons(sum1);
1782 sumd += sum1 - sum4;
1783 sumd += sum3 - sum2;
1785 if (sumd != 0 || sumd2 != 0) {
1787 * At this point, sumd is the delta to apply to the
1788 * TCP/UDP header, given the changes in both the IP
1789 * address and the ports and sumd2 is the delta to
1790 * apply to the ICMP header, given the IP address
1791 * change delta that may need to be applied to the
1792 * TCP/UDP checksum instead.
1794 * If we will both the IP and TCP/UDP checksums
1795 * then the ICMP checksum changes by the address
1796 * delta applied to the TCP/UDP checksum. If we
1797 * do not change the TCP/UDP checksum them we
1798 * apply the delta in ports to the ICMP checksum.
1800 if (oip6->ip6_nxt == IPPROTO_UDP) {
1801 if ((dlen >= 8) && (*csump != 0)) {
1802 ipf_fix_datacksum(csump, sumd);
1804 sumd2 = sum4 - sum1;
1807 sumd2 += sum2 - sum3;
1811 } else if (oip6->ip6_nxt == IPPROTO_TCP) {
1813 ipf_fix_datacksum(csump, sumd);
1815 sumd2 = sum4 - sum1;
1818 sumd2 += sum2 - sum3;
1824 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1825 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1826 sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
1827 ipf_fix_incksum(0, &icmp6->icmp6_cksum,
1831 } else if (((flags & IPN_ICMPQUERY) != 0) && (dlen >= 8)) {
1832 struct icmp6_hdr *orgicmp;
1835 * XXX - what if this is bogus hl and we go off the end ?
1836 * In this case, ipf_nat6_icmperrorlookup() will have
1839 orgicmp = (struct icmp6_hdr *)dp;
1842 if (orgicmp->icmp6_id != nat->nat_osport) {
1845 * Fix ICMP checksum (of the offening ICMP
1846 * query packet) to compensate the change
1847 * in the ICMP id of the offending ICMP
1850 * Since you modify orgicmp->icmp6_id with
1851 * a delta (say x) and you compensate that
1852 * in origicmp->icmp6_cksum with a delta
1853 * minus x, you don't have to adjust the
1854 * overall icmp->icmp6_cksum
1856 sum1 = ntohs(orgicmp->icmp6_id);
1857 sum2 = ntohs(nat->nat_osport);
1858 CALC_SUMD(sum1, sum2, sumd);
1859 orgicmp->icmp6_id = nat->nat_oicmpid;
1860 ipf_fix_datacksum(&orgicmp->icmp6_cksum, sumd);
1862 } /* nat6_dir == NAT_INBOUND is impossible for icmp queries */
1869 * MAP-IN MAP-OUT RDR-IN RDR-OUT
1870 * osrc X == src == src X
1871 * odst X == dst == dst X
1872 * nsrc == dst X X == dst
1873 * ndst == src X X == src
1874 * MAP = NAT_OUTBOUND, RDR = NAT_INBOUND
1877 * NB: these lookups don't lock access to the list, it assumed that it has
1878 * already been done!
1880 /* ------------------------------------------------------------------------ */
1881 /* Function: ipf_nat6_inlookup */
1882 /* Returns: nat6_t* - NULL == no match, */
1883 /* else pointer to matching NAT entry */
1884 /* Parameters: fin(I) - pointer to packet information */
1885 /* flags(I) - NAT flags for this packet */
1886 /* p(I) - protocol for this packet */
1887 /* src(I) - source IP address */
1888 /* mapdst(I) - destination IP address */
1890 /* Lookup a nat entry based on the mapped destination ip address/port and */
1891 /* real source address/port. We use this lookup when receiving a packet, */
1892 /* we're looking for a table entry, based on the destination address. */
1894 /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */
1896 /* NOTE: IT IS ASSUMED THAT IS ONLY HELD WITH A READ LOCK WHEN */
1897 /* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */
1899 /* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */
1900 /* the packet is of said protocol */
1901 /* ------------------------------------------------------------------------ */
1903 ipf_nat6_inlookup(fin, flags, p, src, mapdst)
1906 struct in6_addr *src , *mapdst;
1908 ipf_main_softc_t *softc = fin->fin_main_soft;
1909 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1910 u_short sport, dport;
1925 sflags = flags & NAT_TCPUDPICMP;
1931 sport = htons(fin->fin_data[0]);
1932 dport = htons(fin->fin_data[1]);
1934 case IPPROTO_ICMPV6 :
1935 if (flags & IPN_ICMPERR)
1936 sport = fin->fin_data[1];
1938 dport = fin->fin_data[1];
1945 if ((flags & SI_WILDP) != 0)
1946 goto find_in_wild_ports;
1948 hv = NAT_HASH_FN6(&dst, dport, 0xffffffff);
1949 hv = NAT_HASH_FN6(src, hv + sport, softn->ipf_nat_table_sz);
1950 nat = softn->ipf_nat_table[1][hv];
1951 /* TRACE dst, dport, src, sport, hv, nat */
1953 for (; nat; nat = nat->nat_hnext[1]) {
1954 if (nat->nat_ifps[0] != NULL) {
1955 if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
1959 if (nat->nat_pr[0] != p)
1962 switch (nat->nat_dir)
1965 if (nat->nat_v[0] != 6)
1967 if (IP6_NEQ(&nat->nat_osrc6, src) ||
1968 IP6_NEQ(&nat->nat_odst6, &dst))
1970 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
1971 if (nat->nat_osport != sport)
1973 if (nat->nat_odport != dport)
1976 } else if (p == IPPROTO_ICMPV6) {
1977 if (nat->nat_osport != dport) {
1983 if (nat->nat_v[1] != 6)
1985 if (IP6_NEQ(&nat->nat_ndst6, src) ||
1986 IP6_NEQ(&nat->nat_nsrc6, &dst))
1988 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
1989 if (nat->nat_ndport != sport)
1991 if (nat->nat_nsport != dport)
1994 } else if (p == IPPROTO_ICMPV6) {
1995 if (nat->nat_osport != dport) {
2003 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
2005 #ifdef IPF_V6_PROXIES
2006 if ((ipn != NULL) && (nat->nat_aps != NULL))
2007 if (appr_match(fin, nat) != 0)
2011 if ((nat->nat_ifps[0] == NULL) && (ifp != NULL)) {
2012 nat->nat_ifps[0] = ifp;
2013 nat->nat_mtu[0] = GETIFMTU_6(ifp);
2019 * So if we didn't find it but there are wildcard members in the hash
2020 * table, go back and look for them. We do this search and update here
2021 * because it is modifying the NAT table and we want to do this only
2022 * for the first packet that matches. The exception, of course, is
2023 * for "dummy" (FI_IGNORE) lookups.
2026 if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH)) {
2027 NBUMPSIDE6DX(0, ns_lookup_miss, ns_lookup_miss_1);
2030 if (softn->ipf_nat_stats.ns_wilds == 0 || (fin->fin_flx & FI_NOWILD)) {
2031 NBUMPSIDE6D(0, ns_lookup_nowild);
2035 RWLOCK_EXIT(&softc->ipf_nat);
2037 hv = NAT_HASH_FN6(&dst, 0, 0xffffffff);
2038 hv = NAT_HASH_FN6(src, hv, softn->ipf_nat_table_sz);
2039 WRITE_ENTER(&softc->ipf_nat);
2041 nat = softn->ipf_nat_table[1][hv];
2042 /* TRACE dst, src, hv, nat */
2043 for (; nat; nat = nat->nat_hnext[1]) {
2044 if (nat->nat_ifps[0] != NULL) {
2045 if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
2049 if (nat->nat_pr[0] != fin->fin_p)
2052 switch (nat->nat_dir)
2055 if (nat->nat_v[0] != 6)
2057 if (IP6_NEQ(&nat->nat_osrc6, src) ||
2058 IP6_NEQ(&nat->nat_odst6, &dst))
2062 if (nat->nat_v[1] != 6)
2064 if (IP6_NEQ(&nat->nat_ndst6, src) ||
2065 IP6_NEQ(&nat->nat_nsrc6, &dst))
2070 nflags = nat->nat_flags;
2071 if (!(nflags & (NAT_TCPUDP|SI_WILDP)))
2074 if (ipf_nat_wildok(nat, (int)sport, (int)dport, nflags,
2075 NAT_INBOUND) == 1) {
2076 if ((fin->fin_flx & FI_IGNORE) != 0)
2078 if ((nflags & SI_CLONE) != 0) {
2079 nat = ipf_nat_clone(fin, nat);
2083 MUTEX_ENTER(&softn->ipf_nat_new);
2084 softn->ipf_nat_stats.ns_wilds--;
2085 MUTEX_EXIT(&softn->ipf_nat_new);
2088 if (nat->nat_dir == NAT_INBOUND) {
2089 if (nat->nat_osport == 0) {
2090 nat->nat_osport = sport;
2091 nat->nat_nsport = sport;
2093 if (nat->nat_odport == 0) {
2094 nat->nat_odport = dport;
2095 nat->nat_ndport = dport;
2098 if (nat->nat_osport == 0) {
2099 nat->nat_osport = dport;
2100 nat->nat_nsport = dport;
2102 if (nat->nat_odport == 0) {
2103 nat->nat_odport = sport;
2104 nat->nat_ndport = sport;
2107 if ((nat->nat_ifps[0] == NULL) && (ifp != NULL)) {
2108 nat->nat_ifps[0] = ifp;
2109 nat->nat_mtu[0] = GETIFMTU_6(ifp);
2111 nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
2112 ipf_nat6_tabmove(softn, nat);
2117 MUTEX_DOWNGRADE(&softc->ipf_nat);
2120 NBUMPSIDE6DX(0, ns_lookup_miss, ns_lookup_miss_2);
2126 /* ------------------------------------------------------------------------ */
2127 /* Function: ipf_nat6_tabmove */
2129 /* Parameters: nat(I) - pointer to NAT structure */
2130 /* Write Lock: ipf_nat */
2132 /* This function is only called for TCP/UDP NAT table entries where the */
2133 /* original was placed in the table without hashing on the ports and we now */
2134 /* want to include hashing on port numbers. */
2135 /* ------------------------------------------------------------------------ */
2137 ipf_nat6_tabmove(softn, nat)
2138 ipf_nat_softc_t *softn;
2144 if (nat->nat_flags & SI_CLONE)
2148 * Remove the NAT entry from the old location
2150 if (nat->nat_hnext[0])
2151 nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
2152 *nat->nat_phnext[0] = nat->nat_hnext[0];
2153 softn->ipf_nat_stats.ns_side[0].ns_bucketlen[nat->nat_hv[0]]--;
2155 if (nat->nat_hnext[1])
2156 nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
2157 *nat->nat_phnext[1] = nat->nat_hnext[1];
2158 softn->ipf_nat_stats.ns_side[1].ns_bucketlen[nat->nat_hv[1]]--;
2161 * Add into the NAT table in the new position
2163 hv0 = NAT_HASH_FN6(&nat->nat_osrc6, nat->nat_osport, 0xffffffff);
2164 hv0 = NAT_HASH_FN6(&nat->nat_odst6, hv0 + nat->nat_odport,
2165 softn->ipf_nat_table_sz);
2166 hv1 = NAT_HASH_FN6(&nat->nat_nsrc6, nat->nat_nsport, 0xffffffff);
2167 hv1 = NAT_HASH_FN6(&nat->nat_ndst6, hv1 + nat->nat_ndport,
2168 softn->ipf_nat_table_sz);
2170 if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_DIVERTIN) {
2178 /* TRACE nat_osrc6, nat_osport, nat_odst6, nat_odport, hv0 */
2179 /* TRACE nat_nsrc6, nat_nsport, nat_ndst6, nat_ndport, hv1 */
2181 nat->nat_hv[0] = hv0;
2182 natp = &softn->ipf_nat_table[0][hv0];
2184 (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
2185 nat->nat_phnext[0] = natp;
2186 nat->nat_hnext[0] = *natp;
2188 softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]++;
2190 nat->nat_hv[1] = hv1;
2191 natp = &softn->ipf_nat_table[1][hv1];
2193 (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
2194 nat->nat_phnext[1] = natp;
2195 nat->nat_hnext[1] = *natp;
2197 softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]++;
2201 /* ------------------------------------------------------------------------ */
2202 /* Function: ipf_nat6_outlookup */
2203 /* Returns: nat6_t* - NULL == no match, */
2204 /* else pointer to matching NAT entry */
2205 /* Parameters: fin(I) - pointer to packet information */
2206 /* flags(I) - NAT flags for this packet */
2207 /* p(I) - protocol for this packet */
2208 /* src(I) - source IP address */
2209 /* dst(I) - destination IP address */
2210 /* rw(I) - 1 == write lock on held, 0 == read lock. */
2212 /* Lookup a nat entry based on the source 'real' ip address/port and */
2213 /* destination address/port. We use this lookup when sending a packet out, */
2214 /* we're looking for a table entry, based on the source address. */
2216 /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */
2218 /* NOTE: IT IS ASSUMED THAT IS ONLY HELD WITH A READ LOCK WHEN */
2219 /* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */
2221 /* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */
2222 /* the packet is of said protocol */
2223 /* ------------------------------------------------------------------------ */
2225 ipf_nat6_outlookup(fin, flags, p, src, dst)
2228 struct in6_addr *src , *dst;
2230 ipf_main_softc_t *softc = fin->fin_main_soft;
2231 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
2232 u_short sport, dport;
2240 sflags = flags & IPN_TCPUDPICMP;
2248 sport = htons(fin->fin_data[0]);
2249 dport = htons(fin->fin_data[1]);
2251 case IPPROTO_ICMPV6 :
2252 if (flags & IPN_ICMPERR)
2253 sport = fin->fin_data[1];
2255 dport = fin->fin_data[1];
2261 if ((flags & SI_WILDP) != 0)
2262 goto find_out_wild_ports;
2264 hv = NAT_HASH_FN6(src, sport, 0xffffffff);
2265 hv = NAT_HASH_FN6(dst, hv + dport, softn->ipf_nat_table_sz);
2266 nat = softn->ipf_nat_table[0][hv];
2268 /* TRACE src, sport, dst, dport, hv, nat */
2270 for (; nat; nat = nat->nat_hnext[0]) {
2271 if (nat->nat_ifps[1] != NULL) {
2272 if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
2276 if (nat->nat_pr[1] != p)
2279 switch (nat->nat_dir)
2282 if (nat->nat_v[1] != 6)
2284 if (IP6_NEQ(&nat->nat_ndst6, src) ||
2285 IP6_NEQ(&nat->nat_nsrc6, dst))
2288 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
2289 if (nat->nat_ndport != sport)
2291 if (nat->nat_nsport != dport)
2294 } else if (p == IPPROTO_ICMPV6) {
2295 if (nat->nat_osport != dport) {
2301 if (nat->nat_v[0] != 6)
2303 if (IP6_NEQ(&nat->nat_osrc6, src) ||
2304 IP6_NEQ(&nat->nat_odst6, dst))
2307 if ((nat->nat_flags & IPN_TCPUDP) != 0) {
2308 if (nat->nat_odport != dport)
2310 if (nat->nat_osport != sport)
2313 } else if (p == IPPROTO_ICMPV6) {
2314 if (nat->nat_osport != dport) {
2322 #ifdef IPF_V6_PROXIES
2323 if ((ipn != NULL) && (nat->nat_aps != NULL))
2324 if (appr_match(fin, nat) != 0)
2328 if ((nat->nat_ifps[1] == NULL) && (ifp != NULL)) {
2329 nat->nat_ifps[1] = ifp;
2330 nat->nat_mtu[1] = GETIFMTU_6(ifp);
2336 * So if we didn't find it but there are wildcard members in the hash
2337 * table, go back and look for them. We do this search and update here
2338 * because it is modifying the NAT table and we want to do this only
2339 * for the first packet that matches. The exception, of course, is
2340 * for "dummy" (FI_IGNORE) lookups.
2342 find_out_wild_ports:
2343 if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH)) {
2344 NBUMPSIDE6DX(1, ns_lookup_miss, ns_lookup_miss_3);
2347 if (softn->ipf_nat_stats.ns_wilds == 0 || (fin->fin_flx & FI_NOWILD)) {
2348 NBUMPSIDE6D(1, ns_lookup_nowild);
2352 RWLOCK_EXIT(&softc->ipf_nat);
2354 hv = NAT_HASH_FN6(src, 0, 0xffffffff);
2355 hv = NAT_HASH_FN6(dst, hv, softn->ipf_nat_table_sz);
2357 WRITE_ENTER(&softc->ipf_nat);
2359 nat = softn->ipf_nat_table[0][hv];
2360 for (; nat; nat = nat->nat_hnext[0]) {
2361 if (nat->nat_ifps[1] != NULL) {
2362 if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
2366 if (nat->nat_pr[1] != fin->fin_p)
2369 switch (nat->nat_dir)
2372 if (nat->nat_v[1] != 6)
2374 if (IP6_NEQ(&nat->nat_ndst6, src) ||
2375 IP6_NEQ(&nat->nat_nsrc6, dst))
2379 if (nat->nat_v[0] != 6)
2381 if (IP6_NEQ(&nat->nat_osrc6, src) ||
2382 IP6_NEQ(&nat->nat_odst6, dst))
2387 if (!(nat->nat_flags & (NAT_TCPUDP|SI_WILDP)))
2390 if (ipf_nat_wildok(nat, (int)sport, (int)dport, nat->nat_flags,
2391 NAT_OUTBOUND) == 1) {
2392 if ((fin->fin_flx & FI_IGNORE) != 0)
2394 if ((nat->nat_flags & SI_CLONE) != 0) {
2395 nat = ipf_nat_clone(fin, nat);
2399 MUTEX_ENTER(&softn->ipf_nat_new);
2400 softn->ipf_nat_stats.ns_wilds--;
2401 MUTEX_EXIT(&softn->ipf_nat_new);
2404 if (nat->nat_dir == NAT_OUTBOUND) {
2405 if (nat->nat_osport == 0) {
2406 nat->nat_osport = sport;
2407 nat->nat_nsport = sport;
2409 if (nat->nat_odport == 0) {
2410 nat->nat_odport = dport;
2411 nat->nat_ndport = dport;
2414 if (nat->nat_osport == 0) {
2415 nat->nat_osport = dport;
2416 nat->nat_nsport = dport;
2418 if (nat->nat_odport == 0) {
2419 nat->nat_odport = sport;
2420 nat->nat_ndport = sport;
2423 if ((nat->nat_ifps[1] == NULL) && (ifp != NULL)) {
2424 nat->nat_ifps[1] = ifp;
2425 nat->nat_mtu[1] = GETIFMTU_6(ifp);
2427 nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
2428 ipf_nat6_tabmove(softn, nat);
2433 MUTEX_DOWNGRADE(&softc->ipf_nat);
2436 NBUMPSIDE6DX(1, ns_lookup_miss, ns_lookup_miss_4);
2442 /* ------------------------------------------------------------------------ */
2443 /* Function: ipf_nat6_lookupredir */
2444 /* Returns: nat6_t* - NULL == no match, */
2445 /* else pointer to matching NAT entry */
2446 /* Parameters: np(I) - pointer to description of packet to find NAT table */
2449 /* Lookup the NAT tables to search for a matching redirect */
2450 /* The contents of natlookup_t should imitate those found in a packet that */
2451 /* would be translated - ie a packet coming in for RDR or going out for MAP.*/
2452 /* We can do the lookup in one of two ways, imitating an inbound or */
2453 /* outbound packet. By default we assume outbound, unless IPN_IN is set. */
2454 /* For IN, the fields are set as follows: */
2455 /* nl_real* = source information */
2456 /* nl_out* = destination information (translated) */
2457 /* For an out packet, the fields are set like this: */
2458 /* nl_in* = source information (untranslated) */
2459 /* nl_out* = destination information (translated) */
2460 /* ------------------------------------------------------------------------ */
2462 ipf_nat6_lookupredir(np)
2468 bzero((char *)&fi, sizeof(fi));
2469 if (np->nl_flags & IPN_IN) {
2470 fi.fin_data[0] = ntohs(np->nl_realport);
2471 fi.fin_data[1] = ntohs(np->nl_outport);
2473 fi.fin_data[0] = ntohs(np->nl_inport);
2474 fi.fin_data[1] = ntohs(np->nl_outport);
2476 if (np->nl_flags & IPN_TCP)
2477 fi.fin_p = IPPROTO_TCP;
2478 else if (np->nl_flags & IPN_UDP)
2479 fi.fin_p = IPPROTO_UDP;
2480 else if (np->nl_flags & (IPN_ICMPERR|IPN_ICMPQUERY))
2481 fi.fin_p = IPPROTO_ICMPV6;
2484 * We can do two sorts of lookups:
2485 * - IPN_IN: we have the `real' and `out' address, look for `in'.
2486 * - default: we have the `in' and `out' address, look for `real'.
2488 if (np->nl_flags & IPN_IN) {
2489 if ((nat = ipf_nat6_inlookup(&fi, np->nl_flags, fi.fin_p,
2492 np->nl_inip6 = nat->nat_odst6.in6;
2493 np->nl_inport = nat->nat_odport;
2497 * If nl_inip is non null, this is a lookup based on the real
2498 * ip address. Else, we use the fake.
2500 if ((nat = ipf_nat6_outlookup(&fi, np->nl_flags, fi.fin_p,
2501 &np->nl_inip6, &np->nl_outip6))) {
2503 if ((np->nl_flags & IPN_FINDFORWARD) != 0) {
2505 bzero((char *)&fin, sizeof(fin));
2506 fin.fin_p = nat->nat_pr[0];
2507 fin.fin_data[0] = ntohs(nat->nat_ndport);
2508 fin.fin_data[1] = ntohs(nat->nat_nsport);
2509 if (ipf_nat6_inlookup(&fin, np->nl_flags,
2511 &nat->nat_ndst6.in6,
2512 &nat->nat_nsrc6.in6) !=
2514 np->nl_flags &= ~IPN_FINDFORWARD;
2518 np->nl_realip6 = nat->nat_odst6.in6;
2519 np->nl_realport = nat->nat_odport;
2527 /* ------------------------------------------------------------------------ */
2528 /* Function: ipf_nat6_match */
2529 /* Returns: int - 0 == no match, 1 == match */
2530 /* Parameters: fin(I) - pointer to packet information */
2531 /* np(I) - pointer to NAT rule */
2533 /* Pull the matching of a packet against a NAT rule out of that complex */
2534 /* loop inside ipf_nat6_checkin() and lay it out properly in its own */
2536 /* ------------------------------------------------------------------------ */
2538 ipf_nat6_match(fin, np)
2546 switch (np->in_osrcatype)
2549 match = IP6_MASKNEQ(&fin->fin_src6, &np->in_osrcmsk6,
2553 match = (*np->in_osrcfunc)(fin->fin_main_soft, np->in_osrcptr,
2554 6, &fin->fin_src6, fin->fin_plen);
2557 match ^= ((np->in_flags & IPN_NOTSRC) != 0);
2562 switch (np->in_odstatype)
2565 match = IP6_MASKNEQ(&fin->fin_dst6, &np->in_odstmsk6,
2569 match = (*np->in_odstfunc)(fin->fin_main_soft, np->in_odstptr,
2570 6, &fin->fin_dst6, fin->fin_plen);
2574 match ^= ((np->in_flags & IPN_NOTDST) != 0);
2579 if (!(fin->fin_flx & FI_TCPUDP) ||
2580 (fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) {
2581 if (ft->ftu_scmp || ft->ftu_dcmp)
2586 return ipf_tcpudpchk(&fin->fin_fi, ft);
2590 /* ------------------------------------------------------------------------ */
2591 /* Function: ipf_nat6_checkout */
2592 /* Returns: int - -1 == packet failed NAT checks so block it, */
2593 /* 0 == no packet translation occurred, */
2594 /* 1 == packet was successfully translated. */
2595 /* Parameters: fin(I) - pointer to packet information */
2596 /* passp(I) - pointer to filtering result flags */
2598 /* Check to see if an outcoming packet should be changed. ICMP packets are */
2599 /* first checked to see if they match an existing entry (if an error), */
2600 /* otherwise a search of the current NAT table is made. If neither results */
2601 /* in a match then a search for a matching NAT rule is made. Create a new */
2602 /* NAT entry if a we matched a NAT rule. Lastly, actually change the */
2603 /* packet header(s) as required. */
2604 /* ------------------------------------------------------------------------ */
2606 ipf_nat6_checkout(fin, passp)
2610 ipf_main_softc_t *softc = fin->fin_main_soft;
2611 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
2612 struct icmp6_hdr *icmp6 = NULL;
2613 struct ifnet *ifp, *sifp;
2614 tcphdr_t *tcp = NULL;
2615 int rval, natfailed;
2623 if (softn->ipf_nat_stats.ns_rules == 0 || softn->ipf_nat_lock != 0)
2629 sifp = fin->fin_ifp;
2631 ifp = fr->fr_tifs[fin->fin_rev].fd_ptr;
2632 if ((ifp != NULL) && (ifp != (void *)-1))
2637 if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
2646 case IPPROTO_ICMPV6 :
2647 icmp6 = fin->fin_dp;
2650 * Apart from ECHO request and reply, all other
2651 * informational messages should not be translated
2652 * so as to keep IPv6 working.
2654 if (icmp6->icmp6_type > ICMP6_ECHO_REPLY)
2658 * This is an incoming packet, so the destination is
2659 * the icmp6_id and the source port equals 0
2661 if ((fin->fin_flx & FI_ICMPQUERY) != 0)
2662 nflags = IPN_ICMPQUERY;
2668 if ((nflags & IPN_TCPUDP))
2672 ipa = fin->fin_src6;
2674 READ_ENTER(&softc->ipf_nat);
2676 if ((fin->fin_p == IPPROTO_ICMPV6) && !(nflags & IPN_ICMPQUERY) &&
2677 (nat = ipf_nat6_icmperror(fin, &nflags, NAT_OUTBOUND)))
2679 else if ((fin->fin_flx & FI_FRAG) && (nat = ipf_frag_natknown(fin)))
2681 else if ((nat = ipf_nat6_outlookup(fin, nflags|NAT_SEARCH,
2684 &fin->fin_dst6.in6))) {
2685 nflags = nat->nat_flags;
2686 } else if (fin->fin_off == 0) {
2687 u_32_t hv, nmsk = 0;
2691 * If there is no current entry in the nat table for this IP#,
2692 * create one for it (if there is a matching rule).
2695 msk = &softn->ipf_nat6_map_active_masks[nmsk];
2696 IP6_AND(&ipa, msk, &iph);
2697 hv = NAT_HASH_FN6(&iph, 0, softn->ipf_nat_maprules_sz);
2698 for (np = softn->ipf_nat_map_rules[hv]; np; np = np->in_mnext) {
2699 if ((np->in_ifps[1] && (np->in_ifps[1] != ifp)))
2701 if (np->in_v[0] != 6)
2703 if (np->in_pr[1] && (np->in_pr[1] != fin->fin_p))
2705 if ((np->in_flags & IPN_RF) &&
2706 !(np->in_flags & nflags))
2708 if (np->in_flags & IPN_FILTER) {
2709 switch (ipf_nat6_match(fin, np))
2720 } else if (!IP6_MASKEQ(&ipa, &np->in_osrcmsk,
2725 !ipf_matchtag(&np->in_tag, &fr->fr_nattag))
2728 #ifdef IPF_V6_PROXIES
2729 if (np->in_plabel != -1) {
2730 if (((np->in_flags & IPN_FILTER) == 0) &&
2731 (np->in_odport != fin->fin_data[1]))
2733 if (appr_ok(fin, tcp, np) == 0)
2738 if (np->in_flags & IPN_NO) {
2743 MUTEX_ENTER(&softn->ipf_nat_new);
2744 nat = ipf_nat6_add(fin, np, NULL, nflags, NAT_OUTBOUND);
2745 MUTEX_EXIT(&softn->ipf_nat_new);
2752 if ((np == NULL) && (nmsk < softn->ipf_nat6_map_max)) {
2759 rval = ipf_nat6_out(fin, nat, natadd, nflags);
2761 MUTEX_ENTER(&nat->nat_lock);
2762 ipf_nat_update(fin, nat);
2763 nat->nat_bytes[1] += fin->fin_plen;
2765 MUTEX_EXIT(&nat->nat_lock);
2770 RWLOCK_EXIT(&softc->ipf_nat);
2775 if (passp != NULL) {
2776 NBUMPSIDE6D(1, ns_drop);
2778 fin->fin_reason = FRB_NATV6;
2780 fin->fin_flx |= FI_BADNAT;
2781 NBUMPSIDE6D(1, ns_badnat);
2784 NBUMPSIDE6D(1, ns_ignored);
2787 NBUMPSIDE6D(1, ns_translated);
2790 fin->fin_ifp = sifp;
2794 /* ------------------------------------------------------------------------ */
2795 /* Function: ipf_nat6_out */
2796 /* Returns: int - -1 == packet failed NAT checks so block it, */
2797 /* 1 == packet was successfully translated. */
2798 /* Parameters: fin(I) - pointer to packet information */
2799 /* nat(I) - pointer to NAT structure */
2800 /* natadd(I) - flag indicating if it is safe to add frag cache */
2801 /* nflags(I) - NAT flags set for this packet */
2803 /* Translate a packet coming "out" on an interface. */
2804 /* ------------------------------------------------------------------------ */
2806 ipf_nat6_out(fin, nat, natadd, nflags)
2812 ipf_main_softc_t *softc = fin->fin_main_soft;
2813 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
2814 struct icmp6_hdr *icmp6;
2824 if ((natadd != 0) && (fin->fin_flx & FI_FRAG) && (np != NULL))
2825 (void) ipf_frag_natnew(softc, fin, 0, nat);
2828 * Address assignment is after the checksum modification because
2829 * we are using the address in the packet for determining the
2830 * correct checksum offset (the ICMP error could be coming from
2833 switch (nat->nat_dir)
2836 fin->fin_ip6->ip6_src = nat->nat_nsrc6.in6;
2837 fin->fin_src6 = nat->nat_nsrc6;
2838 fin->fin_ip6->ip6_dst = nat->nat_ndst6.in6;
2839 fin->fin_dst6 = nat->nat_ndst6;
2843 fin->fin_ip6->ip6_src = nat->nat_odst6.in6;
2844 fin->fin_src6 = nat->nat_ndst6;
2845 fin->fin_ip6->ip6_dst = nat->nat_osrc6.in6;
2846 fin->fin_dst6 = nat->nat_nsrc6;
2853 skip = ipf_nat6_decap(fin, nat);
2855 NBUMPSIDE6D(1, ns_decap_fail);
2861 #if SOLARIS && defined(_KERNEL)
2868 if (m->m_flags & M_PKTHDR)
2869 m->m_pkthdr.len -= skip;
2873 MUTEX_ENTER(&nat->nat_lock);
2874 ipf_nat_update(fin, nat);
2875 MUTEX_EXIT(&nat->nat_lock);
2876 fin->fin_flx |= FI_NATED;
2877 if (np != NULL && np->in_tag.ipt_num[0] != 0)
2878 fin->fin_nattag = &np->in_tag;
2883 case NAT_DIVERTOUT :
2889 m = M_DUP(np->in_divmp);
2891 NBUMPSIDE6D(1, ns_divert_dup);
2895 ip6 = MTOD(m, ip6_t *);
2897 ip6->ip6_plen = htons(fin->fin_plen + 8);
2899 uh = (udphdr_t *)(ip6 + 1);
2900 uh->uh_ulen = htons(fin->fin_plen);
2905 fin->fin_plen += sizeof(ip6_t) + 8; /* UDP + new IPv4 hdr */
2906 fin->fin_dlen += sizeof(ip6_t) + 8; /* UDP + old IPv4 hdr */
2908 nflags &= ~IPN_TCPUDPICMP;
2917 if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
2920 if ((nat->nat_nsport != 0) && (nflags & IPN_TCPUDP)) {
2923 switch (nat->nat_dir)
2926 tcp->th_sport = nat->nat_nsport;
2927 fin->fin_data[0] = ntohs(nat->nat_nsport);
2928 tcp->th_dport = nat->nat_ndport;
2929 fin->fin_data[1] = ntohs(nat->nat_ndport);
2933 tcp->th_sport = nat->nat_odport;
2934 fin->fin_data[0] = ntohs(nat->nat_odport);
2935 tcp->th_dport = nat->nat_osport;
2936 fin->fin_data[1] = ntohs(nat->nat_osport);
2941 if ((nat->nat_nsport != 0) && (nflags & IPN_ICMPQUERY)) {
2942 icmp6 = fin->fin_dp;
2943 icmp6->icmp6_id = nat->nat_nicmpid;
2946 csump = ipf_nat_proto(fin, nat, nflags);
2949 * The above comments do not hold for layer 4 (or higher)
2952 if (csump != NULL) {
2953 if (nat->nat_dir == NAT_OUTBOUND)
2954 ipf_fix_outcksum(fin->fin_cksum, csump,
2959 ipf_fix_incksum(fin->fin_cksum, csump,
2966 ipf_sync_update(softc, SMC_NAT, fin, nat->nat_sync);
2967 /* ------------------------------------------------------------- */
2968 /* A few quick notes: */
2969 /* Following are test conditions prior to calling the */
2970 /* ipf_proxy_check routine. */
2972 /* A NULL tcp indicates a non TCP/UDP packet. When dealing */
2973 /* with a redirect rule, we attempt to match the packet's */
2974 /* source port against in_dport, otherwise we'd compare the */
2975 /* packet's destination. */
2976 /* ------------------------------------------------------------- */
2977 if ((np != NULL) && (np->in_apr != NULL)) {
2978 i = ipf_proxy_check(fin, nat);
2981 } else if (i == -1) {
2982 NBUMPSIDE6D(1, ns_ipf_proxy_fail);
2987 fin->fin_flx |= FI_NATED;
2992 /* ------------------------------------------------------------------------ */
2993 /* Function: ipf_nat6_checkin */
2994 /* Returns: int - -1 == packet failed NAT checks so block it, */
2995 /* 0 == no packet translation occurred, */
2996 /* 1 == packet was successfully translated. */
2997 /* Parameters: fin(I) - pointer to packet information */
2998 /* passp(I) - pointer to filtering result flags */
3000 /* Check to see if an incoming packet should be changed. ICMP packets are */
3001 /* first checked to see if they match an existing entry (if an error), */
3002 /* otherwise a search of the current NAT table is made. If neither results */
3003 /* in a match then a search for a matching NAT rule is made. Create a new */
3004 /* NAT entry if a we matched a NAT rule. Lastly, actually change the */
3005 /* packet header(s) as required. */
3006 /* ------------------------------------------------------------------------ */
3008 ipf_nat6_checkin(fin, passp)
3012 ipf_main_softc_t *softc = fin->fin_main_soft;
3013 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
3014 struct icmp6_hdr *icmp6;
3015 u_int nflags, natadd;
3016 int rval, natfailed;
3024 if (softn->ipf_nat_stats.ns_rules == 0 || softn->ipf_nat_lock != 0)
3035 if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
3044 case IPPROTO_ICMPV6 :
3045 icmp6 = fin->fin_dp;
3048 * Apart from ECHO request and reply, all other
3049 * informational messages should not be translated
3050 * so as to keep IPv6 working.
3052 if (icmp6->icmp6_type > ICMP6_ECHO_REPLY)
3056 * This is an incoming packet, so the destination is
3057 * the icmp6_id and the source port equals 0
3059 if ((fin->fin_flx & FI_ICMPQUERY) != 0) {
3060 nflags = IPN_ICMPQUERY;
3061 dport = icmp6->icmp6_id;
3067 if ((nflags & IPN_TCPUDP)) {
3069 dport = fin->fin_data[1];
3073 ipa = fin->fin_dst6;
3075 READ_ENTER(&softc->ipf_nat);
3077 if ((fin->fin_p == IPPROTO_ICMPV6) && !(nflags & IPN_ICMPQUERY) &&
3078 (nat = ipf_nat6_icmperror(fin, &nflags, NAT_INBOUND)))
3080 else if ((fin->fin_flx & FI_FRAG) && (nat = ipf_frag_natknown(fin)))
3082 else if ((nat = ipf_nat6_inlookup(fin, nflags|NAT_SEARCH,
3084 &fin->fin_src6.in6, &ipa.in6))) {
3085 nflags = nat->nat_flags;
3086 } else if (fin->fin_off == 0) {
3087 u_32_t hv, rmsk = 0;
3091 * If there is no current entry in the nat table for this IP#,
3092 * create one for it (if there is a matching rule).
3095 msk = &softn->ipf_nat6_rdr_active_masks[rmsk];
3096 IP6_AND(&ipa, msk, &iph);
3097 hv = NAT_HASH_FN6(&iph, 0, softn->ipf_nat_rdrrules_sz);
3098 for (np = softn->ipf_nat_rdr_rules[hv]; np; np = np->in_rnext) {
3099 if (np->in_ifps[0] && (np->in_ifps[0] != ifp))
3101 if (np->in_v[0] != 6)
3103 if (np->in_pr[0] && (np->in_pr[0] != fin->fin_p))
3105 if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
3107 if (np->in_flags & IPN_FILTER) {
3108 switch (ipf_nat6_match(fin, np))
3120 if (!IP6_MASKEQ(&ipa, &np->in_odstmsk6,
3124 if (np->in_odport &&
3125 ((np->in_dtop < dport) ||
3126 (dport < np->in_odport)))
3130 #ifdef IPF_V6_PROXIES
3131 if (np->in_plabel != -1) {
3132 if (!appr_ok(fin, tcp, np)) {
3138 if (np->in_flags & IPN_NO) {
3143 MUTEX_ENTER(&softn->ipf_nat_new);
3144 nat = ipf_nat6_add(fin, np, NULL, nflags, NAT_INBOUND);
3145 MUTEX_EXIT(&softn->ipf_nat_new);
3153 if ((np == NULL) && (rmsk < softn->ipf_nat6_rdr_max)) {
3159 rval = ipf_nat6_in(fin, nat, natadd, nflags);
3161 MUTEX_ENTER(&nat->nat_lock);
3162 ipf_nat_update(fin, nat);
3163 nat->nat_bytes[0] += fin->fin_plen;
3165 MUTEX_EXIT(&nat->nat_lock);
3170 RWLOCK_EXIT(&softc->ipf_nat);
3175 if (passp != NULL) {
3176 NBUMPSIDE6D(0, ns_drop);
3178 fin->fin_reason = FRB_NATV6;
3180 fin->fin_flx |= FI_BADNAT;
3181 NBUMPSIDE6D(0, ns_badnat);
3184 NBUMPSIDE6D(0, ns_ignored);
3187 NBUMPSIDE6D(0, ns_translated);
3194 /* ------------------------------------------------------------------------ */
3195 /* Function: ipf_nat6_in */
3196 /* Returns: int - -1 == packet failed NAT checks so block it, */
3197 /* 1 == packet was successfully translated. */
3198 /* Parameters: fin(I) - pointer to packet information */
3199 /* nat(I) - pointer to NAT structure */
3200 /* natadd(I) - flag indicating if it is safe to add frag cache */
3201 /* nflags(I) - NAT flags set for this packet */
3202 /* Locks Held: (READ) */
3204 /* Translate a packet coming "in" on an interface. */
3205 /* ------------------------------------------------------------------------ */
3207 ipf_nat6_in(fin, nat, natadd, nflags)
3213 ipf_main_softc_t *softc = fin->fin_main_soft;
3214 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
3215 struct icmp6_hdr *icmp6;
3225 fin->fin_fr = nat->nat_fr;
3228 if ((natadd != 0) && (fin->fin_flx & FI_FRAG))
3229 (void) ipf_frag_natnew(softc, fin, 0, nat);
3231 /* ------------------------------------------------------------- */
3232 /* A few quick notes: */
3233 /* Following are test conditions prior to calling the */
3234 /* ipf_proxy_check routine. */
3236 /* A NULL tcp indicates a non TCP/UDP packet. When dealing */
3237 /* with a map rule, we attempt to match the packet's */
3238 /* source port against in_dport, otherwise we'd compare the */
3239 /* packet's destination. */
3240 /* ------------------------------------------------------------- */
3241 if (np->in_apr != NULL) {
3242 i = ipf_proxy_check(fin, nat);
3244 NBUMPSIDE6D(0, ns_ipf_proxy_fail);
3250 ipf_sync_update(softc, SMC_NAT, fin, nat->nat_sync);
3253 * Fix up checksums, not by recalculating them, but
3254 * simply computing adjustments.
3255 * Why only do this for some platforms on inbound packets ?
3256 * Because for those that it is done, IP processing is yet to happen
3257 * and so the IPv4 header checksum has not yet been evaluated.
3258 * Perhaps it should always be done for the benefit of things like
3259 * fast forwarding (so that it doesn't need to be recomputed) but with
3260 * header checksum offloading, perhaps it is a moot point.
3263 switch (nat->nat_dir)
3266 if ((fin->fin_flx & FI_ICMPERR) == 0) {
3267 fin->fin_ip6->ip6_src = nat->nat_nsrc6.in6;
3268 fin->fin_src6 = nat->nat_nsrc6;
3270 fin->fin_ip6->ip6_dst = nat->nat_ndst6.in6;
3271 fin->fin_dst6 = nat->nat_ndst6;
3275 if ((fin->fin_flx & FI_ICMPERR) == 0) {
3276 fin->fin_ip6->ip6_src = nat->nat_odst6.in6;
3277 fin->fin_src6 = nat->nat_odst6;
3279 fin->fin_ip6->ip6_dst = nat->nat_osrc6.in6;
3280 fin->fin_dst6 = nat->nat_osrc6;
3289 m = M_DUP(np->in_divmp);
3291 NBUMPSIDE6D(0, ns_divert_dup);
3295 ip6 = MTOD(m, ip6_t *);
3296 ip6->ip6_plen = htons(fin->fin_plen + sizeof(udphdr_t));
3298 uh = (udphdr_t *)(ip6 + 1);
3299 uh->uh_ulen = ntohs(fin->fin_plen);
3304 fin->fin_plen += sizeof(ip6_t) + 8; /* UDP + new IPv6 hdr */
3305 fin->fin_dlen += sizeof(ip6_t) + 8; /* UDP + old IPv6 hdr */
3307 nflags &= ~IPN_TCPUDPICMP;
3312 case NAT_DIVERTOUT :
3316 skip = ipf_nat6_decap(fin, nat);
3318 NBUMPSIDE6D(0, ns_decap_fail);
3324 #if SOLARIS && defined(_KERNEL)
3331 if (m->m_flags & M_PKTHDR)
3332 m->m_pkthdr.len -= skip;
3336 ipf_nat_update(fin, nat);
3337 fin->fin_flx |= FI_NATED;
3338 if (np != NULL && np->in_tag.ipt_num[0] != 0)
3339 fin->fin_nattag = &np->in_tag;
3344 if (nflags & IPN_TCPUDP)
3347 if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
3348 if ((nat->nat_odport != 0) && (nflags & IPN_TCPUDP)) {
3349 switch (nat->nat_dir)
3352 tcp->th_sport = nat->nat_nsport;
3353 fin->fin_data[0] = ntohs(nat->nat_nsport);
3354 tcp->th_dport = nat->nat_ndport;
3355 fin->fin_data[1] = ntohs(nat->nat_ndport);
3359 tcp->th_sport = nat->nat_odport;
3360 fin->fin_data[0] = ntohs(nat->nat_odport);
3361 tcp->th_dport = nat->nat_osport;
3362 fin->fin_data[1] = ntohs(nat->nat_osport);
3368 if ((nat->nat_odport != 0) && (nflags & IPN_ICMPQUERY)) {
3369 icmp6 = fin->fin_dp;
3371 icmp6->icmp6_id = nat->nat_nicmpid;
3374 csump = ipf_nat_proto(fin, nat, nflags);
3378 * The above comments do not hold for layer 4 (or higher) checksums...
3380 if (csump != NULL) {
3381 if (nat->nat_dir == NAT_OUTBOUND)
3382 ipf_fix_incksum(0, csump, nat->nat_sumd[0], 0);
3384 ipf_fix_outcksum(0, csump, nat->nat_sumd[0], 0);
3386 fin->fin_flx |= FI_NATED;
3387 if (np != NULL && np->in_tag.ipt_num[0] != 0)
3388 fin->fin_nattag = &np->in_tag;
3393 /* ------------------------------------------------------------------------ */
3394 /* Function: ipf_nat6_newrewrite */
3395 /* Returns: int - -1 == error, 0 == success (no move), 1 == success and */
3396 /* allow rule to be moved if IPN_ROUNDR is set. */
3397 /* Parameters: fin(I) - pointer to packet information */
3398 /* nat(I) - pointer to NAT entry */
3399 /* ni(I) - pointer to structure with misc. information needed */
3400 /* to create new NAT entry. */
3401 /* Write Lock: ipf_nat */
3403 /* This function is responsible for setting up an active NAT session where */
3404 /* we are changing both the source and destination parameters at the same */
3405 /* time. The loop in here works differently to elsewhere - each iteration */
3406 /* is responsible for changing a single parameter that can be incremented. */
3407 /* So one pass may increase the source IP#, next source port, next dest. IP#*/
3408 /* and the last destination port for a total of 4 iterations to try each. */
3409 /* This is done to try and exhaustively use the translation space available.*/
3410 /* ------------------------------------------------------------------------ */
3412 ipf_nat6_newrewrite(fin, nat, nai)
3430 flags = nat->nat_flags;
3431 bcopy((char *)fin, (char *)&frnat, sizeof(*fin));
3437 /* TRACE (l, src_search, dst_search, np) */
3439 if ((src_search == 0) && (np->in_spnext == 0) &&
3440 (dst_search == 0) && (np->in_dpnext == 0)) {
3446 * Find a new source address
3448 if (ipf_nat6_nextaddr(fin, &np->in_nsrc, &frnat.fin_src6,
3449 &frnat.fin_src6) == -1) {
3453 if (IP6_ISZERO(&np->in_nsrcip6) &&
3454 IP6_ISONES(&np->in_nsrcmsk6)) {
3456 if (np->in_stepnext == 0)
3457 np->in_stepnext = 1;
3459 } else if (IP6_ISZERO(&np->in_nsrcip6) &&
3460 IP6_ISZERO(&np->in_nsrcmsk6)) {
3462 if (np->in_stepnext == 0)
3463 np->in_stepnext = 1;
3465 } else if (IP6_ISONES(&np->in_nsrcmsk)) {
3467 if (np->in_stepnext == 0)
3468 np->in_stepnext = 1;
3470 } else if (!IP6_ISONES(&np->in_nsrcmsk6)) {
3471 if (np->in_stepnext == 0 && changed == -1) {
3472 IP6_INC(&np->in_snip);
3478 if ((flags & IPN_TCPUDPICMP) != 0) {
3479 if (np->in_spnext != 0)
3480 frnat.fin_data[0] = np->in_spnext;
3483 * Standard port translation. Select next port.
3485 if ((flags & IPN_FIXEDSPORT) != 0) {
3486 np->in_stepnext = 2;
3487 } else if ((np->in_stepnext == 1) &&
3488 (changed == -1) && (natl != NULL)) {
3492 if (np->in_spnext > np->in_spmax)
3493 np->in_spnext = np->in_spmin;
3496 np->in_stepnext = 2;
3498 np->in_stepnext &= 0x3;
3501 * Find a new destination address
3503 /* TRACE (fin, np, l, frnat) */
3505 if (ipf_nat6_nextaddr(fin, &np->in_ndst, &frnat.fin_dst6,
3506 &frnat.fin_dst6) == -1)
3509 if (IP6_ISZERO(&np->in_ndstip6) &&
3510 IP6_ISONES(&np->in_ndstmsk6)) {
3512 if (np->in_stepnext == 2)
3513 np->in_stepnext = 3;
3515 } else if (IP6_ISZERO(&np->in_ndstip6) &&
3516 IP6_ISZERO(&np->in_ndstmsk6)) {
3518 if (np->in_stepnext == 2)
3519 np->in_stepnext = 3;
3521 } else if (IP6_ISONES(&np->in_ndstmsk6)) {
3523 if (np->in_stepnext == 2)
3524 np->in_stepnext = 3;
3526 } else if (!IP6_ISONES(&np->in_ndstmsk6)) {
3527 if ((np->in_stepnext == 2) && (changed == -1) &&
3531 IP6_INC(&np->in_dnip6);
3535 if ((flags & IPN_TCPUDPICMP) != 0) {
3536 if (np->in_dpnext != 0)
3537 frnat.fin_data[1] = np->in_dpnext;
3540 * Standard port translation. Select next port.
3542 if ((flags & IPN_FIXEDDPORT) != 0) {
3543 np->in_stepnext = 0;
3544 } else if (np->in_stepnext == 3 && changed == -1) {
3548 if (np->in_dpnext > np->in_dpmax)
3549 np->in_dpnext = np->in_dpmin;
3552 if (np->in_stepnext == 3)
3553 np->in_stepnext = 0;
3559 * Here we do a lookup of the connection as seen from
3560 * the outside. If an IP# pair already exists, try
3561 * again. So if you have A->B becomes C->B, you can
3562 * also have D->E become C->E but not D->B causing
3563 * another C->B. Also take protocol and ports into
3564 * account when determining whether a pre-existing
3565 * NAT setup will cause an external conflict where
3566 * this is appropriate.
3568 * fin_data[] is swapped around because we are doing a
3569 * lookup of the packet is if it were moving in the opposite
3570 * direction of the one we are working with now.
3572 if (flags & IPN_TCPUDP) {
3573 swap = frnat.fin_data[0];
3574 frnat.fin_data[0] = frnat.fin_data[1];
3575 frnat.fin_data[1] = swap;
3577 if (fin->fin_out == 1) {
3578 natl = ipf_nat6_inlookup(&frnat,
3579 flags & ~(SI_WILDP|NAT_SEARCH),
3581 &frnat.fin_dst6.in6,
3582 &frnat.fin_src6.in6);
3585 natl = ipf_nat6_outlookup(&frnat,
3586 flags & ~(SI_WILDP|NAT_SEARCH),
3588 &frnat.fin_dst6.in6,
3589 &frnat.fin_src6.in6);
3591 if (flags & IPN_TCPUDP) {
3592 swap = frnat.fin_data[0];
3593 frnat.fin_data[0] = frnat.fin_data[1];
3594 frnat.fin_data[1] = swap;
3597 /* TRACE natl, in_stepnext, l */
3599 if ((natl != NULL) && (l > 8)) /* XXX 8 is arbitrary */
3602 np->in_stepnext &= 0x3;
3606 } while (natl != NULL);
3607 nat->nat_osrc6 = fin->fin_src6;
3608 nat->nat_odst6 = fin->fin_dst6;
3609 nat->nat_nsrc6 = frnat.fin_src6;
3610 nat->nat_ndst6 = frnat.fin_dst6;
3612 if ((flags & IPN_TCPUDP) != 0) {
3613 nat->nat_osport = htons(fin->fin_data[0]);
3614 nat->nat_odport = htons(fin->fin_data[1]);
3615 nat->nat_nsport = htons(frnat.fin_data[0]);
3616 nat->nat_ndport = htons(frnat.fin_data[1]);
3617 } else if ((flags & IPN_ICMPQUERY) != 0) {
3618 nat->nat_oicmpid = fin->fin_data[1];
3619 nat->nat_nicmpid = frnat.fin_data[1];
3626 /* ------------------------------------------------------------------------ */
3627 /* Function: ipf_nat6_newdivert */
3628 /* Returns: int - -1 == error, 0 == success */
3629 /* Parameters: fin(I) - pointer to packet information */
3630 /* nat(I) - pointer to NAT entry */
3631 /* ni(I) - pointer to structure with misc. information needed */
3632 /* to create new NAT entry. */
3633 /* Write Lock: ipf_nat */
3635 /* Create a new NAT divert session as defined by the NAT rule. This is */
3636 /* somewhat different to other NAT session creation routines because we */
3637 /* do not iterate through either port numbers or IP addresses, searching */
3638 /* for a unique mapping, however, a complimentary duplicate check is made. */
3639 /* ------------------------------------------------------------------------ */
3641 ipf_nat6_newdivert(fin, nat, nai)
3646 ipf_main_softc_t *softc = fin->fin_main_soft;
3647 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
3654 bcopy((char *)fin, (char *)&frnat, sizeof(*fin));
3657 nat->nat_osrc6 = fin->fin_src6;
3658 nat->nat_odst6 = fin->fin_dst6;
3659 nat->nat_osport = htons(fin->fin_data[0]);
3660 nat->nat_odport = htons(fin->fin_data[1]);
3661 frnat.fin_src6 = np->in_snip6;
3662 frnat.fin_dst6 = np->in_dnip6;
3664 if (np->in_redir & NAT_DIVERTUDP) {
3665 frnat.fin_data[0] = np->in_spnext;
3666 frnat.fin_data[1] = np->in_dpnext;
3667 frnat.fin_flx |= FI_TCPUDP;
3670 frnat.fin_flx &= ~FI_TCPUDP;
3674 if (fin->fin_out == 1) {
3675 natl = ipf_nat6_inlookup(&frnat, 0, p, &frnat.fin_dst6.in6,
3676 &frnat.fin_src6.in6);
3679 natl = ipf_nat6_outlookup(&frnat, 0, p, &frnat.fin_dst6.in6,
3680 &frnat.fin_src6.in6);
3684 NBUMPSIDE6D(fin->fin_out, ns_divert_exist);
3688 nat->nat_nsrc6 = frnat.fin_src6;
3689 nat->nat_ndst6 = frnat.fin_dst6;
3690 if (np->in_redir & NAT_DIVERTUDP) {
3691 nat->nat_nsport = htons(frnat.fin_data[0]);
3692 nat->nat_ndport = htons(frnat.fin_data[1]);
3694 nat->nat_pr[fin->fin_out] = fin->fin_p;
3695 nat->nat_pr[1 - fin->fin_out] = p;
3697 if (np->in_redir & NAT_REDIRECT)
3698 nat->nat_dir = NAT_DIVERTIN;
3700 nat->nat_dir = NAT_DIVERTOUT;
3706 /* ------------------------------------------------------------------------ */
3707 /* Function: nat6_builddivertmp */
3708 /* Returns: int - -1 == error, 0 == success */
3709 /* Parameters: np(I) - pointer to a NAT rule */
3711 /* For divert rules, a skeleton packet representing what will be prepended */
3712 /* to the real packet is created. Even though we don't have the full */
3713 /* packet here, a checksum is calculated that we update later when we */
3714 /* fill in the final details. At present a 0 checksum for UDP is being set */
3715 /* here because it is expected that divert will be used for localhost. */
3716 /* ------------------------------------------------------------------------ */
3718 ipf_nat6_builddivertmp(softn, np)
3719 ipf_nat_softc_t *softn;
3726 if ((np->in_redir & NAT_DIVERTUDP) != 0)
3727 len = sizeof(ip6_t) + sizeof(udphdr_t);
3729 len = sizeof(ip6_t);
3731 ALLOC_MB_T(np->in_divmp, len);
3732 if (np->in_divmp == NULL) {
3733 ATOMIC_INCL(softn->ipf_nat_stats.ns_divert_build);
3738 * First, the header to get the packet diverted to the new destination
3740 ip6 = MTOD(np->in_divmp, ip6_t *);
3741 ip6->ip6_vfc = 0x60;
3742 if ((np->in_redir & NAT_DIVERTUDP) != 0)
3743 ip6->ip6_nxt = IPPROTO_UDP;
3745 ip6->ip6_nxt = IPPROTO_IPIP;
3746 ip6->ip6_hlim = 255;
3748 ip6->ip6_src = np->in_snip6.in6;
3749 ip6->ip6_dst = np->in_dnip6.in6;
3751 if (np->in_redir & NAT_DIVERTUDP) {
3752 uh = (udphdr_t *)((u_char *)ip6 + sizeof(*ip6));
3755 uh->uh_sport = htons(np->in_spnext);
3756 uh->uh_dport = htons(np->in_dpnext);
3763 #define MINDECAP (sizeof(ip6_t) + sizeof(udphdr_t) + sizeof(ip6_t))
3765 /* ------------------------------------------------------------------------ */
3766 /* Function: nat6_decap */
3767 /* Returns: int - -1 == error, 0 == success */
3768 /* Parameters: fin(I) - pointer to packet information */
3769 /* nat(I) - pointer to current NAT session */
3771 /* This function is responsible for undoing a packet's encapsulation in the */
3772 /* reverse of an encap/divert rule. After removing the outer encapsulation */
3773 /* it is necessary to call ipf_makefrip() again so that the contents of 'fin'*/
3774 /* match the "new" packet as it may still be used by IPFilter elsewhere. */
3775 /* We use "dir" here as the basis for some of the expectations about the */
3776 /* outer header. If we return an error, the goal is to leave the original */
3777 /* packet information undisturbed - this falls short at the end where we'd */
3778 /* need to back a backup copy of "fin" - expensive. */
3779 /* ------------------------------------------------------------------------ */
3781 ipf_nat6_decap(fin, nat)
3785 ipf_main_softc_t *softc = fin->fin_main_soft;
3786 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
3791 if ((fin->fin_flx & FI_ICMPERR) != 0) {
3796 skip = fin->fin_hlen;
3798 switch (nat->nat_dir)
3801 case NAT_DIVERTOUT :
3802 if (fin->fin_plen < MINDECAP)
3804 skip += sizeof(udphdr_t);
3809 if (fin->fin_plen < (skip + sizeof(ip6_t)))
3818 * The aim here is to keep the original packet details in "fin" for
3819 * as long as possible so that returning with an error is for the
3820 * original packet and there is little undoing work to do.
3822 if (M_LEN(m) < skip + sizeof(ip6_t)) {
3823 if (ipf_pr_pullup(fin, skip + sizeof(ip6_t)) == -1)
3827 hdr = MTOD(fin->fin_m, char *);
3828 fin->fin_ip6 = (ip6_t *)(hdr + skip);
3830 if (ipf_pr_pullup(fin, skip + sizeof(ip6_t)) == -1) {
3831 NBUMPSIDE6D(fin->fin_out, ns_decap_pullup);
3835 fin->fin_hlen = sizeof(ip6_t);
3836 fin->fin_dlen -= skip;
3837 fin->fin_plen -= skip;
3838 fin->fin_ipoff += skip;
3840 if (ipf_makefrip(sizeof(ip6_t), (ip_t *)hdr, fin) == -1) {
3841 NBUMPSIDE6D(fin->fin_out, ns_decap_bad);
3849 /* ------------------------------------------------------------------------ */
3850 /* Function: nat6_nextaddr */
3851 /* Returns: int - -1 == bad input (no new address), */
3852 /* 0 == success and dst has new address */
3853 /* Parameters: fin(I) - pointer to packet information */
3854 /* na(I) - how to generate new address */
3855 /* old(I) - original address being replaced */
3856 /* dst(O) - where to put the new address */
3857 /* Write Lock: ipf_nat */
3859 /* This function uses the contents of the "na" structure, in combination */
3860 /* with "old" to produce a new address to store in "dst". Not all of the */
3861 /* possible uses of "na" will result in a new address. */
3862 /* ------------------------------------------------------------------------ */
3864 ipf_nat6_nextaddr(fin, na, old, dst)
3867 i6addr_t *old, *dst;
3869 ipf_main_softc_t *softc = fin->fin_main_soft;
3870 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
3871 i6addr_t newip, new;
3879 amin = na->na_addr[0].in4.s_addr;
3881 switch (na->na_atype)
3884 amax = na->na_addr[1].in4.s_addr;
3887 case FRI_NETMASKED :
3891 * Compute the maximum address by adding the inverse of the
3892 * netmask to the minimum address.
3894 amax = ~na->na_addr[1].in4.s_addr;
3901 case FRI_BROADCAST :
3909 switch (na->na_function)
3912 error = ipf_dstlist_select_node(fin, na->na_ptr, dst->i6,
3918 * 0/0 as the new address means leave it alone.
3920 if (na->na_addr[0].in4.s_addr == 0 &&
3921 na->na_addr[1].in4.s_addr == 0) {
3925 * 0/32 means get the interface's address
3927 } else if (IP6_ISZERO(&na->na_addr[0].in6) &&
3928 IP6_ISONES(&na->na_addr[1].in6)) {
3929 if (ipf_ifpaddr(softc, 6, na->na_atype,
3930 fin->fin_ifp, &newip, NULL) == -1) {
3931 NBUMPSIDE6(fin->fin_out, ns_ifpaddrfail);
3936 new.in6 = na->na_nextip6;
3943 NBUMPSIDE6(fin->fin_out, ns_badnextaddr);
3951 /* ------------------------------------------------------------------------ */
3952 /* Function: ipf_nat6_nextaddrinit */
3953 /* Returns: int - 0 == success, else error number */
3954 /* Parameters: na(I) - NAT address information for generating new addr*/
3955 /* base(I) - start of where to find strings */
3956 /* initial(I) - flag indicating if it is the first call for */
3957 /* this "na" structure. */
3958 /* ifp(I) - network interface to derive address */
3959 /* information from. */
3961 /* This function is expected to be called in two scenarious: when a new NAT */
3962 /* rule is loaded into the kernel and when the list of NAT rules is sync'd */
3963 /* up with the valid network interfaces (possibly due to them changing.) */
3964 /* To distinguish between these, the "initial" parameter is used. If it is */
3965 /* 1 then this indicates the rule has just been reloaded and 0 for when we */
3966 /* are updating information. This difference is important because in */
3967 /* instances where we are not updating address information associated with */
3968 /* a network interface, we don't want to disturb what the "next" address to */
3969 /* come out of ipf_nat6_nextaddr() will be. */
3970 /* ------------------------------------------------------------------------ */
3972 ipf_nat6_nextaddrinit(softc, base, na, initial, ifp)
3973 ipf_main_softc_t *softc;
3979 switch (na->na_atype)
3982 if (na->na_subtype == 0) {
3983 na->na_ptr = ipf_lookup_res_num(softc, IPL_LOGNAT,
3987 } else if (na->na_subtype == 1) {
3988 na->na_ptr = ipf_lookup_res_name(softc, IPL_LOGNAT,
3993 if (na->na_func == NULL) {
3997 if (na->na_ptr == NULL) {
4003 case FRI_BROADCAST :
4005 case FRI_NETMASKED :
4008 (void )ipf_ifpaddr(softc, 6, na->na_atype, ifp,
4016 na->na_nextip6 = na->na_addr[0].in6;
4020 IP6_ANDASSIGN(&na->na_addr[0].in6, &na->na_addr[1].in6);
4024 IP6_ANDASSIGN(&na->na_addr[0].in6, &na->na_addr[1].in6);
4032 if (initial && (na->na_atype == FRI_NORMAL)) {
4033 if (IP6_ISZERO(&na->na_addr[0].in6)) {
4034 if (IP6_ISONES(&na->na_addr[1].in6) ||
4035 IP6_ISZERO(&na->na_addr[1].in6)) {
4040 na->na_nextip6 = na->na_addr[0].in6;
4041 if (!IP6_ISONES(&na->na_addr[1].in6)) {
4042 IP6_INC(&na->na_nextip6);
4050 /* ------------------------------------------------------------------------ */
4051 /* Function: ipf_nat6_icmpquerytype */
4052 /* Returns: int - 1 == success, 0 == failure */
4053 /* Parameters: icmptype(I) - ICMP type number */
4055 /* Tests to see if the ICMP type number passed is a query/response type or */
4057 /* ------------------------------------------------------------------------ */
4059 ipf_nat6_icmpquerytype(icmptype)
4064 * For the ICMP query NAT code, it is essential that both the query
4065 * and the reply match on the NAT rule. Because the NAT structure
4066 * does not keep track of the icmptype, and a single NAT structure
4067 * is used for all icmp types with the same src, dest and id, we
4068 * simply define the replies as queries as well. The funny thing is,
4069 * altough it seems silly to call a reply a query, this is exactly
4070 * as it is defined in the IPv4 specification
4076 case ICMP6_ECHO_REPLY:
4077 case ICMP6_ECHO_REQUEST:
4078 /* route aedvertisement/solliciation is currently unsupported: */
4079 /* it would require rewriting the ICMP data section */
4080 case ICMP6_MEMBERSHIP_QUERY:
4081 case ICMP6_MEMBERSHIP_REPORT:
4082 case ICMP6_MEMBERSHIP_REDUCTION:
4083 case ICMP6_WRUREQUEST:
4084 case ICMP6_WRUREPLY:
4085 case MLD6_MTRACE_RESP:
4092 #endif /* USE_INET6 */