2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2015-2019 Yandex LLC
5 * Copyright (c) 2015 Alexander V. Chernikov <melifaro@FreeBSD.org>
6 * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/counter.h>
37 #include <sys/epoch.h>
38 #include <sys/errno.h>
39 #include <sys/kernel.h>
41 #include <sys/malloc.h>
43 #include <sys/module.h>
44 #include <sys/rmlock.h>
45 #include <sys/rwlock.h>
46 #include <sys/socket.h>
47 #include <sys/sockopt.h>
51 #include <netinet/in.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 #include <netinet/ip_fw.h>
55 #include <netinet6/ip_fw_nat64.h>
57 #include <netpfil/ipfw/ip_fw_private.h>
61 VNET_DEFINE(uint16_t, nat64lsn_eid) = 0;
63 static struct nat64lsn_cfg *
64 nat64lsn_find(struct namedobj_instance *ni, const char *name, uint8_t set)
66 struct nat64lsn_cfg *cfg;
68 cfg = (struct nat64lsn_cfg *)ipfw_objhash_lookup_name_type(ni, set,
69 IPFW_TLV_NAT64LSN_NAME, name);
75 nat64lsn_default_config(ipfw_nat64lsn_cfg *uc)
79 uc->jmaxlen = NAT64LSN_JMAXLEN;
80 if (uc->jmaxlen > 65536)
82 if (uc->nh_delete_delay == 0)
83 uc->nh_delete_delay = NAT64LSN_HOST_AGE;
84 if (uc->pg_delete_delay == 0)
85 uc->pg_delete_delay = NAT64LSN_PG_AGE;
86 if (uc->st_syn_ttl == 0)
87 uc->st_syn_ttl = NAT64LSN_TCP_SYN_AGE;
88 if (uc->st_close_ttl == 0)
89 uc->st_close_ttl = NAT64LSN_TCP_FIN_AGE;
90 if (uc->st_estab_ttl == 0)
91 uc->st_estab_ttl = NAT64LSN_TCP_EST_AGE;
92 if (uc->st_udp_ttl == 0)
93 uc->st_udp_ttl = NAT64LSN_UDP_AGE;
94 if (uc->st_icmp_ttl == 0)
95 uc->st_icmp_ttl = NAT64LSN_ICMP_AGE;
97 if (uc->states_chunks == 0)
98 uc->states_chunks = 1;
99 else if (uc->states_chunks >= 128)
100 uc->states_chunks = 128;
101 else if (!powerof2(uc->states_chunks))
102 uc->states_chunks = 1 << fls(uc->states_chunks);
106 * Creates new nat64lsn instance.
107 * Data layout (v0)(current):
108 * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ]
110 * Returns 0 on success
113 nat64lsn_create(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
114 struct sockopt_data *sd)
116 ipfw_obj_lheader *olh;
117 ipfw_nat64lsn_cfg *uc;
118 struct nat64lsn_cfg *cfg;
119 struct namedobj_instance *ni;
120 uint32_t addr4, mask4;
122 if (sd->valsize != sizeof(*olh) + sizeof(*uc))
125 olh = (ipfw_obj_lheader *)sd->kbuf;
126 uc = (ipfw_nat64lsn_cfg *)(olh + 1);
128 if (ipfw_check_object_name_generic(uc->name) != 0)
131 if (uc->set >= IPFW_MAX_SETS)
138 * Unspecified address has special meaning. But it must
139 * have valid prefix length. This length will be used to
140 * correctly extract and embedd IPv4 address into IPv6.
142 if (nat64_check_prefix6(&uc->prefix6, uc->plen6) != 0 &&
143 IN6_IS_ADDR_UNSPECIFIED(&uc->prefix6) &&
144 nat64_check_prefixlen(uc->plen6) != 0)
147 /* XXX: Check prefix4 to be global */
148 addr4 = ntohl(uc->prefix4.s_addr);
149 mask4 = ~((1 << (32 - uc->plen4)) - 1);
150 if ((addr4 & mask4) != addr4)
153 nat64lsn_default_config(uc);
155 ni = CHAIN_TO_SRV(ch);
157 if (nat64lsn_find(ni, uc->name, uc->set) != NULL) {
163 cfg = nat64lsn_init_instance(ch, addr4, uc->plen4);
164 strlcpy(cfg->name, uc->name, sizeof(cfg->name));
165 cfg->no.name = cfg->name;
166 cfg->no.etlv = IPFW_TLV_NAT64LSN_NAME;
167 cfg->no.set = uc->set;
169 cfg->base.plat_prefix = uc->prefix6;
170 cfg->base.plat_plen = uc->plen6;
171 cfg->base.flags = (uc->flags & NAT64LSN_FLAGSMASK) | NAT64_PLATPFX;
172 if (IN6_IS_ADDR_WKPFX(&cfg->base.plat_prefix))
173 cfg->base.flags |= NAT64_WKPFX;
174 else if (IN6_IS_ADDR_UNSPECIFIED(&cfg->base.plat_prefix))
175 cfg->base.flags |= NAT64LSN_ANYPREFIX;
177 cfg->states_chunks = uc->states_chunks;
178 cfg->jmaxlen = uc->jmaxlen;
179 cfg->host_delete_delay = uc->nh_delete_delay;
180 cfg->pg_delete_delay = uc->pg_delete_delay;
181 cfg->st_syn_ttl = uc->st_syn_ttl;
182 cfg->st_close_ttl = uc->st_close_ttl;
183 cfg->st_estab_ttl = uc->st_estab_ttl;
184 cfg->st_udp_ttl = uc->st_udp_ttl;
185 cfg->st_icmp_ttl = uc->st_icmp_ttl;
187 cfg->nomatch_verdict = IP_FW_DENY;
191 if (nat64lsn_find(ni, uc->name, uc->set) != NULL) {
193 nat64lsn_destroy_instance(cfg);
197 if (ipfw_objhash_alloc_idx(CHAIN_TO_SRV(ch), &cfg->no.kidx) != 0) {
199 nat64lsn_destroy_instance(cfg);
202 ipfw_objhash_add(CHAIN_TO_SRV(ch), &cfg->no);
204 /* Okay, let's link data */
205 SRV_OBJECT(ch, cfg->no.kidx) = cfg;
206 nat64lsn_start_instance(cfg);
213 nat64lsn_detach_config(struct ip_fw_chain *ch, struct nat64lsn_cfg *cfg)
216 IPFW_UH_WLOCK_ASSERT(ch);
218 ipfw_objhash_del(CHAIN_TO_SRV(ch), &cfg->no);
219 ipfw_objhash_free_idx(CHAIN_TO_SRV(ch), cfg->no.kidx);
223 * Destroys nat64 instance.
224 * Data layout (v0)(current):
225 * Request: [ ipfw_obj_header ]
227 * Returns 0 on success
230 nat64lsn_destroy(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
231 struct sockopt_data *sd)
233 struct nat64lsn_cfg *cfg;
236 if (sd->valsize != sizeof(*oh))
239 oh = (ipfw_obj_header *)op3;
242 cfg = nat64lsn_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
248 if (cfg->no.refcnt > 0) {
253 ipfw_reset_eaction_instance(ch, V_nat64lsn_eid, cfg->no.kidx);
254 SRV_OBJECT(ch, cfg->no.kidx) = NULL;
255 nat64lsn_detach_config(ch, cfg);
258 nat64lsn_destroy_instance(cfg);
262 #define __COPY_STAT_FIELD(_cfg, _stats, _field) \
263 (_stats)->_field = NAT64STAT_FETCH(&(_cfg)->base.stats, _field)
265 export_stats(struct ip_fw_chain *ch, struct nat64lsn_cfg *cfg,
266 struct ipfw_nat64lsn_stats *stats)
268 struct nat64lsn_alias *alias;
271 __COPY_STAT_FIELD(cfg, stats, opcnt64);
272 __COPY_STAT_FIELD(cfg, stats, opcnt46);
273 __COPY_STAT_FIELD(cfg, stats, ofrags);
274 __COPY_STAT_FIELD(cfg, stats, ifrags);
275 __COPY_STAT_FIELD(cfg, stats, oerrors);
276 __COPY_STAT_FIELD(cfg, stats, noroute4);
277 __COPY_STAT_FIELD(cfg, stats, noroute6);
278 __COPY_STAT_FIELD(cfg, stats, nomatch4);
279 __COPY_STAT_FIELD(cfg, stats, noproto);
280 __COPY_STAT_FIELD(cfg, stats, nomem);
281 __COPY_STAT_FIELD(cfg, stats, dropped);
283 __COPY_STAT_FIELD(cfg, stats, jcalls);
284 __COPY_STAT_FIELD(cfg, stats, jrequests);
285 __COPY_STAT_FIELD(cfg, stats, jhostsreq);
286 __COPY_STAT_FIELD(cfg, stats, jportreq);
287 __COPY_STAT_FIELD(cfg, stats, jhostfails);
288 __COPY_STAT_FIELD(cfg, stats, jportfails);
289 __COPY_STAT_FIELD(cfg, stats, jmaxlen);
290 __COPY_STAT_FIELD(cfg, stats, jnomem);
291 __COPY_STAT_FIELD(cfg, stats, jreinjected);
292 __COPY_STAT_FIELD(cfg, stats, screated);
293 __COPY_STAT_FIELD(cfg, stats, sdeleted);
294 __COPY_STAT_FIELD(cfg, stats, spgcreated);
295 __COPY_STAT_FIELD(cfg, stats, spgdeleted);
297 stats->hostcount = cfg->hosts_count;
298 for (i = 0; i < (1 << (32 - cfg->plen4)); i++) {
299 alias = &cfg->aliases[i];
300 for (j = 0; j < 32 && ISSET32(alias->tcp_chunkmask, j); j++)
301 stats->tcpchunks += bitcount32(alias->tcp_pgmask[j]);
302 for (j = 0; j < 32 && ISSET32(alias->udp_chunkmask, j); j++)
303 stats->udpchunks += bitcount32(alias->udp_pgmask[j]);
304 for (j = 0; j < 32 && ISSET32(alias->icmp_chunkmask, j); j++)
305 stats->icmpchunks += bitcount32(alias->icmp_pgmask[j]);
308 #undef __COPY_STAT_FIELD
311 nat64lsn_export_config(struct ip_fw_chain *ch, struct nat64lsn_cfg *cfg,
312 ipfw_nat64lsn_cfg *uc)
315 uc->flags = cfg->base.flags & NAT64LSN_FLAGSMASK;
316 uc->states_chunks = cfg->states_chunks;
317 uc->jmaxlen = cfg->jmaxlen;
318 uc->nh_delete_delay = cfg->host_delete_delay;
319 uc->pg_delete_delay = cfg->pg_delete_delay;
320 uc->st_syn_ttl = cfg->st_syn_ttl;
321 uc->st_close_ttl = cfg->st_close_ttl;
322 uc->st_estab_ttl = cfg->st_estab_ttl;
323 uc->st_udp_ttl = cfg->st_udp_ttl;
324 uc->st_icmp_ttl = cfg->st_icmp_ttl;
325 uc->prefix4.s_addr = htonl(cfg->prefix4);
326 uc->prefix6 = cfg->base.plat_prefix;
327 uc->plen4 = cfg->plen4;
328 uc->plen6 = cfg->base.plat_plen;
329 uc->set = cfg->no.set;
330 strlcpy(uc->name, cfg->no.name, sizeof(uc->name));
333 struct nat64_dump_arg {
334 struct ip_fw_chain *ch;
335 struct sockopt_data *sd;
339 export_config_cb(struct namedobj_instance *ni, struct named_object *no,
342 struct nat64_dump_arg *da = (struct nat64_dump_arg *)arg;
343 ipfw_nat64lsn_cfg *uc;
345 uc = (struct _ipfw_nat64lsn_cfg *)ipfw_get_sopt_space(da->sd,
347 nat64lsn_export_config(da->ch, (struct nat64lsn_cfg *)no, uc);
352 * Lists all nat64 lsn instances currently available in kernel.
353 * Data layout (v0)(current):
354 * Request: [ ipfw_obj_lheader ]
355 * Reply: [ ipfw_obj_lheader ipfw_nat64lsn_cfg x N ]
357 * Returns 0 on success
360 nat64lsn_list(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
361 struct sockopt_data *sd)
363 ipfw_obj_lheader *olh;
364 struct nat64_dump_arg da;
366 /* Check minimum header size */
367 if (sd->valsize < sizeof(ipfw_obj_lheader))
370 olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh));
373 olh->count = ipfw_objhash_count_type(CHAIN_TO_SRV(ch),
374 IPFW_TLV_NAT64LSN_NAME);
375 olh->objsize = sizeof(ipfw_nat64lsn_cfg);
376 olh->size = sizeof(*olh) + olh->count * olh->objsize;
378 if (sd->valsize < olh->size) {
382 memset(&da, 0, sizeof(da));
385 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), export_config_cb, &da,
386 IPFW_TLV_NAT64LSN_NAME);
393 * Change existing nat64lsn instance configuration.
394 * Data layout (v0)(current):
395 * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ]
396 * Reply: [ ipfw_obj_header ipfw_nat64lsn_cfg ]
398 * Returns 0 on success
401 nat64lsn_config(struct ip_fw_chain *ch, ip_fw3_opheader *op,
402 struct sockopt_data *sd)
405 ipfw_nat64lsn_cfg *uc;
406 struct nat64lsn_cfg *cfg;
407 struct namedobj_instance *ni;
409 if (sd->valsize != sizeof(*oh) + sizeof(*uc))
412 oh = (ipfw_obj_header *)ipfw_get_sopt_space(sd,
413 sizeof(*oh) + sizeof(*uc));
414 uc = (ipfw_nat64lsn_cfg *)(oh + 1);
416 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 ||
417 oh->ntlv.set >= IPFW_MAX_SETS)
420 ni = CHAIN_TO_SRV(ch);
421 if (sd->sopt->sopt_dir == SOPT_GET) {
423 cfg = nat64lsn_find(ni, oh->ntlv.name, oh->ntlv.set);
428 nat64lsn_export_config(ch, cfg, uc);
433 nat64lsn_default_config(uc);
436 cfg = nat64lsn_find(ni, oh->ntlv.name, oh->ntlv.set);
443 * For now allow to change only following values:
444 * jmaxlen, nh_del_age, pg_del_age, tcp_syn_age, tcp_close_age,
445 * tcp_est_age, udp_age, icmp_age, flags, states_chunks.
448 cfg->states_chunks = uc->states_chunks;
449 cfg->jmaxlen = uc->jmaxlen;
450 cfg->host_delete_delay = uc->nh_delete_delay;
451 cfg->pg_delete_delay = uc->pg_delete_delay;
452 cfg->st_syn_ttl = uc->st_syn_ttl;
453 cfg->st_close_ttl = uc->st_close_ttl;
454 cfg->st_estab_ttl = uc->st_estab_ttl;
455 cfg->st_udp_ttl = uc->st_udp_ttl;
456 cfg->st_icmp_ttl = uc->st_icmp_ttl;
457 cfg->base.flags &= ~NAT64LSN_FLAGSMASK;
458 cfg->base.flags |= uc->flags & NAT64LSN_FLAGSMASK;
466 * Get nat64lsn statistics.
467 * Data layout (v0)(current):
468 * Request: [ ipfw_obj_header ]
469 * Reply: [ ipfw_obj_header ipfw_counter_tlv ]
471 * Returns 0 on success
474 nat64lsn_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op,
475 struct sockopt_data *sd)
477 struct ipfw_nat64lsn_stats stats;
478 struct nat64lsn_cfg *cfg;
483 sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ctlv) + sizeof(stats);
484 if (sd->valsize % sizeof(uint64_t))
486 if (sd->valsize < sz)
488 oh = (ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
491 memset(&stats, 0, sizeof(stats));
494 cfg = nat64lsn_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
500 export_stats(ch, cfg, &stats);
503 ctlv = (ipfw_obj_ctlv *)(oh + 1);
504 memset(ctlv, 0, sizeof(*ctlv));
505 ctlv->head.type = IPFW_TLV_COUNTERS;
506 ctlv->head.length = sz - sizeof(ipfw_obj_header);
507 ctlv->count = sizeof(stats) / sizeof(uint64_t);
508 ctlv->objsize = sizeof(uint64_t);
509 ctlv->version = IPFW_NAT64_VERSION;
510 memcpy(ctlv + 1, &stats, sizeof(stats));
515 * Reset nat64lsn statistics.
516 * Data layout (v0)(current):
517 * Request: [ ipfw_obj_header ]
519 * Returns 0 on success
522 nat64lsn_reset_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op,
523 struct sockopt_data *sd)
525 struct nat64lsn_cfg *cfg;
528 if (sd->valsize != sizeof(*oh))
530 oh = (ipfw_obj_header *)sd->kbuf;
531 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 ||
532 oh->ntlv.set >= IPFW_MAX_SETS)
536 cfg = nat64lsn_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
541 COUNTER_ARRAY_ZERO(cfg->base.stats.cnt, NAT64STATS);
547 #define FREEMASK_COPY(pg, n, out) (out) = *FREEMASK_CHUNK((pg), (n))
549 #define FREEMASK_COPY(pg, n, out) (out) = *FREEMASK_CHUNK((pg), (n)) | \
550 ((uint64_t)*(FREEMASK_CHUNK((pg), (n)) + 1) << 32)
553 * Reply: [ ipfw_obj_header ipfw_obj_data [ ipfw_nat64lsn_stg
554 * ipfw_nat64lsn_state x count, ... ] ]
557 nat64lsn_export_states_v1(struct nat64lsn_cfg *cfg, union nat64lsn_pgidx *idx,
558 struct nat64lsn_pg *pg, struct sockopt_data *sd, uint32_t *ret_count)
560 ipfw_nat64lsn_state_v1 *s;
561 struct nat64lsn_state *state;
565 /* validate user input */
566 if (idx->chunk > pg->chunks_count - 1)
569 FREEMASK_COPY(pg, idx->chunk, freemask);
570 count = 64 - bitcount64(freemask);
572 return (0); /* Try next PG/chunk */
574 DPRINTF(DP_STATE, "EXPORT PG 0x%16jx, count %d",
575 (uintmax_t)idx->index, count);
577 s = (ipfw_nat64lsn_state_v1 *)ipfw_get_sopt_space(sd,
578 count * sizeof(ipfw_nat64lsn_state_v1));
582 for (i = 0; i < 64; i++) {
583 if (ISSET64(freemask, i))
585 state = pg->chunks_count == 1 ? &pg->states->state[i] :
586 &pg->states_chunk[idx->chunk]->state[i];
588 s->host6 = state->host->addr;
589 s->daddr.s_addr = htonl(state->ip_dst);
590 s->dport = state->dport;
591 s->sport = state->sport;
592 s->aport = state->aport;
593 s->flags = (uint8_t)(state->flags & 7);
594 s->proto = state->proto;
595 s->idle = GET_AGE(state->timestamp);
602 #define LAST_IDX 0xFF
604 nat64lsn_next_pgidx(struct nat64lsn_cfg *cfg, struct nat64lsn_pg *pg,
605 union nat64lsn_pgidx *idx)
608 /* First iterate over chunks */
610 if (idx->chunk < pg->chunks_count - 1) {
617 if (idx->port < UINT16_MAX - 64) {
621 idx->port = NAT64_MIN_PORT;
622 /* Then over supported protocols */
623 switch (idx->proto) {
625 idx->proto = IPPROTO_TCP;
628 idx->proto = IPPROTO_UDP;
631 idx->proto = IPPROTO_ICMP;
633 /* And then over IPv4 alias addresses */
634 if (idx->addr < cfg->pmask4) {
636 return (1); /* New states group is needed */
638 idx->index = LAST_IDX;
639 return (-1); /* No more states */
642 static struct nat64lsn_pg*
643 nat64lsn_get_pg_byidx(struct nat64lsn_cfg *cfg, union nat64lsn_pgidx *idx)
645 struct nat64lsn_alias *alias;
648 alias = &cfg->aliases[idx->addr & ((1 << (32 - cfg->plen4)) - 1)];
649 MPASS(alias->addr == idx->addr);
651 pg_idx = (idx->port - NAT64_MIN_PORT) / 64;
652 switch (idx->proto) {
654 if (ISSET32(alias->icmp_pgmask[pg_idx / 32], pg_idx % 32))
655 return (alias->icmp[pg_idx / 32]->pgptr[pg_idx % 32]);
658 if (ISSET32(alias->tcp_pgmask[pg_idx / 32], pg_idx % 32))
659 return (alias->tcp[pg_idx / 32]->pgptr[pg_idx % 32]);
662 if (ISSET32(alias->udp_pgmask[pg_idx / 32], pg_idx % 32))
663 return (alias->udp[pg_idx / 32]->pgptr[pg_idx % 32]);
670 * Lists nat64lsn states.
672 * Request: [ ipfw_obj_header ipfw_obj_data [ uint64_t ]]
673 * Reply: [ ipfw_obj_header ipfw_obj_data [
674 * ipfw_nat64lsn_stg ipfw_nat64lsn_state x N] ]
676 * Returns 0 on success
679 nat64lsn_states_v0(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
680 struct sockopt_data *sd)
683 /* TODO: implement states listing for old ipfw(8) binaries */
688 * Lists nat64lsn states.
689 * Data layout (v1)(current):
690 * Request: [ ipfw_obj_header ipfw_obj_data [ uint64_t ]]
691 * Reply: [ ipfw_obj_header ipfw_obj_data [
692 * ipfw_nat64lsn_stg_v1 ipfw_nat64lsn_state_v1 x N] ]
694 * Returns 0 on success
697 nat64lsn_states_v1(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
698 struct sockopt_data *sd)
702 ipfw_nat64lsn_stg_v1 *stg;
703 struct nat64lsn_cfg *cfg;
704 struct nat64lsn_pg *pg;
705 union nat64lsn_pgidx idx;
707 uint32_t count, total;
710 sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_data) +
712 /* Check minimum header size */
713 if (sd->valsize < sz)
716 oh = (ipfw_obj_header *)sd->kbuf;
717 od = (ipfw_obj_data *)(oh + 1);
718 if (od->head.type != IPFW_TLV_OBJDATA ||
719 od->head.length != sz - sizeof(ipfw_obj_header))
722 idx.index = *(uint64_t *)(od + 1);
723 if (idx.index != 0 && idx.proto != IPPROTO_ICMP &&
724 idx.proto != IPPROTO_TCP && idx.proto != IPPROTO_UDP)
726 if (idx.index == LAST_IDX)
730 cfg = nat64lsn_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set);
735 if (idx.index == 0) { /* Fill in starting point */
736 idx.addr = cfg->prefix4;
737 idx.proto = IPPROTO_ICMP;
738 idx.port = NAT64_MIN_PORT;
740 if (idx.addr < cfg->prefix4 || idx.addr > cfg->pmask4 ||
741 idx.port < NAT64_MIN_PORT) {
745 sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_data) +
746 sizeof(ipfw_nat64lsn_stg_v1);
747 if (sd->valsize < sz) {
751 oh = (ipfw_obj_header *)ipfw_get_sopt_space(sd, sz);
752 od = (ipfw_obj_data *)(oh + 1);
753 od->head.type = IPFW_TLV_OBJDATA;
754 od->head.length = sz - sizeof(ipfw_obj_header);
755 stg = (ipfw_nat64lsn_stg_v1 *)(od + 1);
756 stg->count = total = 0;
757 stg->next.index = idx.index;
759 * Acquire CALLOUT_LOCK to avoid races with expiration code.
760 * Thus states, hosts and PGs will not expire while we hold it.
765 pg = nat64lsn_get_pg_byidx(cfg, &idx);
768 ret = nat64lsn_export_states_v1(cfg, &idx, pg,
775 /* Update total size of reply */
777 count * sizeof(ipfw_nat64lsn_state_v1);
778 sz += count * sizeof(ipfw_nat64lsn_state_v1);
780 stg->alias4.s_addr = htonl(idx.addr);
782 /* Determine new index */
783 switch (nat64lsn_next_pgidx(cfg, pg, &idx)) {
785 ret = ENOENT; /* End of search */
788 * Next alias address, new group may be needed.
789 * If states count is zero, use this group.
793 /* Otherwise try to create new group */
794 sz += sizeof(ipfw_nat64lsn_stg_v1);
795 if (sd->valsize < sz) {
799 /* Save next index in current group */
800 stg->next.index = idx.index;
801 stg = (ipfw_nat64lsn_stg_v1 *)ipfw_get_sopt_space(sd,
802 sizeof(ipfw_nat64lsn_stg_v1));
803 od->head.length += sizeof(ipfw_nat64lsn_stg_v1);
807 stg->next.index = idx.index;
811 return ((total > 0 || idx.index == LAST_IDX) ? 0: ret);
814 static struct ipfw_sopt_handler scodes[] = {
815 { IP_FW_NAT64LSN_CREATE, 0, HDIR_BOTH, nat64lsn_create },
816 { IP_FW_NAT64LSN_DESTROY,0, HDIR_SET, nat64lsn_destroy },
817 { IP_FW_NAT64LSN_CONFIG, 0, HDIR_BOTH, nat64lsn_config },
818 { IP_FW_NAT64LSN_LIST, 0, HDIR_GET, nat64lsn_list },
819 { IP_FW_NAT64LSN_STATS, 0, HDIR_GET, nat64lsn_stats },
820 { IP_FW_NAT64LSN_RESET_STATS,0, HDIR_SET, nat64lsn_reset_stats },
821 { IP_FW_NAT64LSN_LIST_STATES,0, HDIR_GET, nat64lsn_states_v0 },
822 { IP_FW_NAT64LSN_LIST_STATES,1, HDIR_GET, nat64lsn_states_v1 },
826 nat64lsn_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
831 if (icmd->opcode != O_EXTERNAL_ACTION ||
832 icmd->arg1 != V_nat64lsn_eid)
841 nat64lsn_update_arg1(ipfw_insn *cmd, uint16_t idx)
848 nat64lsn_findbyname(struct ip_fw_chain *ch, struct tid_info *ti,
849 struct named_object **pno)
853 err = ipfw_objhash_find_type(CHAIN_TO_SRV(ch), ti,
854 IPFW_TLV_NAT64LSN_NAME, pno);
858 static struct named_object *
859 nat64lsn_findbykidx(struct ip_fw_chain *ch, uint16_t idx)
861 struct namedobj_instance *ni;
862 struct named_object *no;
864 IPFW_UH_WLOCK_ASSERT(ch);
865 ni = CHAIN_TO_SRV(ch);
866 no = ipfw_objhash_lookup_kidx(ni, idx);
867 KASSERT(no != NULL, ("NAT64LSN with index %d not found", idx));
873 nat64lsn_manage_sets(struct ip_fw_chain *ch, uint16_t set, uint8_t new_set,
874 enum ipfw_sets_cmd cmd)
877 return (ipfw_obj_manage_sets(CHAIN_TO_SRV(ch), IPFW_TLV_NAT64LSN_NAME,
881 static struct opcode_obj_rewrite opcodes[] = {
883 .opcode = O_EXTERNAL_INSTANCE,
884 .etlv = IPFW_TLV_EACTION /* just show it isn't table */,
885 .classifier = nat64lsn_classify,
886 .update = nat64lsn_update_arg1,
887 .find_byname = nat64lsn_findbyname,
888 .find_bykidx = nat64lsn_findbykidx,
889 .manage_sets = nat64lsn_manage_sets,
894 destroy_config_cb(struct namedobj_instance *ni, struct named_object *no,
897 struct nat64lsn_cfg *cfg;
898 struct ip_fw_chain *ch;
900 ch = (struct ip_fw_chain *)arg;
901 cfg = (struct nat64lsn_cfg *)SRV_OBJECT(ch, no->kidx);
902 SRV_OBJECT(ch, no->kidx) = NULL;
903 nat64lsn_detach_config(ch, cfg);
904 nat64lsn_destroy_instance(cfg);
909 nat64lsn_init(struct ip_fw_chain *ch, int first)
913 nat64lsn_init_internal();
914 V_nat64lsn_eid = ipfw_add_eaction(ch, ipfw_nat64lsn, "nat64lsn");
915 if (V_nat64lsn_eid == 0)
917 IPFW_ADD_SOPT_HANDLER(first, scodes);
918 IPFW_ADD_OBJ_REWRITER(first, opcodes);
923 nat64lsn_uninit(struct ip_fw_chain *ch, int last)
926 IPFW_DEL_OBJ_REWRITER(last, opcodes);
927 IPFW_DEL_SOPT_HANDLER(last, scodes);
928 ipfw_del_eaction(ch, V_nat64lsn_eid);
930 * Since we already have deregistered external action,
931 * our named objects become unaccessible via rules, because
932 * all rules were truncated by ipfw_del_eaction().
933 * So, we can unlink and destroy our named objects without holding
937 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), destroy_config_cb, ch,
938 IPFW_TLV_NAT64LSN_NAME);
942 nat64lsn_uninit_internal();
projects / FreeBSD / FreeBSD.git / blob