2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
5 * Brian Somers <brian@Awfulhak.org>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/param.h>
33 #include <netinet/in.h>
34 #include <arpa/inet.h>
36 #include <netinet/in_systm.h>
37 #include <netinet/ip.h>
38 #include <sys/socket.h>
59 #include "descriptor.h"
63 #include "slcompress.h"
64 #include "throughput.h"
85 #define NAT_EXTRABUF (13)
87 static int StrToAddr(const char *, struct in_addr *);
88 static int StrToPortRange(const char *, u_short *, u_short *, const char *);
89 static int StrToAddrAndPort(const char *, struct in_addr *, u_short *,
90 u_short *, const char *);
92 extern struct libalias *la;
95 lowhigh(u_short *a, u_short *b)
107 nat_RedirectPort(struct cmdargs const *arg)
109 if (!arg->bundle->NatEnabled) {
110 prompt_Printf(arg->prompt, "Alias not enabled\n");
112 } else if (arg->argc == arg->argn + 3 || arg->argc == arg->argn + 4) {
115 struct in_addr localaddr;
116 u_short hlocalport, llocalport;
117 struct in_addr aliasaddr;
118 u_short haliasport, laliasport;
119 struct in_addr remoteaddr;
120 u_short hremoteport, lremoteport;
121 struct alias_link *link;
124 proto = arg->argv[arg->argn];
125 if (strcmp(proto, "tcp") == 0) {
126 proto_constant = IPPROTO_TCP;
127 } else if (strcmp(proto, "udp") == 0) {
128 proto_constant = IPPROTO_UDP;
130 prompt_Printf(arg->prompt, "port redirect: protocol must be"
135 error = StrToAddrAndPort(arg->argv[arg->argn+1], &localaddr, &llocalport,
138 prompt_Printf(arg->prompt, "nat port: error reading localaddr:port\n");
142 error = StrToPortRange(arg->argv[arg->argn+2], &laliasport, &haliasport,
145 prompt_Printf(arg->prompt, "nat port: error reading alias port\n");
148 aliasaddr.s_addr = INADDR_ANY;
150 if (arg->argc == arg->argn + 4) {
151 error = StrToAddrAndPort(arg->argv[arg->argn+3], &remoteaddr,
152 &lremoteport, &hremoteport, proto);
154 prompt_Printf(arg->prompt, "nat port: error reading "
155 "remoteaddr:port\n");
159 remoteaddr.s_addr = INADDR_ANY;
160 lremoteport = hremoteport = 0;
163 lowhigh(&llocalport, &hlocalport);
164 lowhigh(&laliasport, &haliasport);
165 lowhigh(&lremoteport, &hremoteport);
167 if (haliasport - laliasport != hlocalport - llocalport) {
168 prompt_Printf(arg->prompt, "nat port: local & alias port ranges "
173 if (hremoteport && hremoteport - lremoteport != hlocalport - llocalport) {
174 prompt_Printf(arg->prompt, "nat port: local & remote port ranges "
180 link = LibAliasRedirectPort(la, localaddr, htons(llocalport),
181 remoteaddr, htons(lremoteport),
182 aliasaddr, htons(laliasport),
186 prompt_Printf(arg->prompt, "nat port: %d: error %d\n", laliasport,
193 } while (laliasport++ < haliasport);
203 nat_RedirectAddr(struct cmdargs const *arg)
205 if (!arg->bundle->NatEnabled) {
206 prompt_Printf(arg->prompt, "nat not enabled\n");
208 } else if (arg->argc == arg->argn+2) {
210 struct in_addr localaddr, aliasaddr;
211 struct alias_link *link;
213 error = StrToAddr(arg->argv[arg->argn], &localaddr);
215 prompt_Printf(arg->prompt, "address redirect: invalid local address\n");
218 error = StrToAddr(arg->argv[arg->argn+1], &aliasaddr);
220 prompt_Printf(arg->prompt, "address redirect: invalid alias address\n");
221 prompt_Printf(arg->prompt, "usage: nat %s %s\n", arg->cmd->name,
225 link = LibAliasRedirectAddr(la, localaddr, aliasaddr);
227 prompt_Printf(arg->prompt, "address redirect: packet aliasing"
229 prompt_Printf(arg->prompt, "usage: nat %s %s\n", arg->cmd->name,
240 nat_RedirectProto(struct cmdargs const *arg)
242 if (!arg->bundle->NatEnabled) {
243 prompt_Printf(arg->prompt, "nat not enabled\n");
245 } else if (arg->argc >= arg->argn + 2 && arg->argc <= arg->argn + 4) {
246 struct in_addr localIP, publicIP, remoteIP;
247 struct alias_link *link;
252 len = strlen(arg->argv[arg->argn]);
254 prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
257 if (strspn(arg->argv[arg->argn], "01234567") == len)
258 pe = getprotobynumber(atoi(arg->argv[arg->argn]));
260 pe = getprotobyname(arg->argv[arg->argn]);
262 prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
266 error = StrToAddr(arg->argv[arg->argn + 1], &localIP);
268 prompt_Printf(arg->prompt, "proto redirect: invalid src address\n");
272 if (arg->argc >= arg->argn + 3) {
273 error = StrToAddr(arg->argv[arg->argn + 2], &publicIP);
275 prompt_Printf(arg->prompt, "proto redirect: invalid alias address\n");
276 prompt_Printf(arg->prompt, "usage: nat %s %s\n", arg->cmd->name,
281 publicIP.s_addr = INADDR_ANY;
283 if (arg->argc == arg->argn + 4) {
284 error = StrToAddr(arg->argv[arg->argn + 2], &remoteIP);
286 prompt_Printf(arg->prompt, "proto redirect: invalid dst address\n");
287 prompt_Printf(arg->prompt, "usage: nat %s %s\n", arg->cmd->name,
292 remoteIP.s_addr = INADDR_ANY;
294 link = LibAliasRedirectProto(la, localIP, remoteIP, publicIP, pe->p_proto);
296 prompt_Printf(arg->prompt, "proto redirect: packet aliasing"
298 prompt_Printf(arg->prompt, "usage: nat %s %s\n", arg->cmd->name,
309 StrToAddr(const char *str, struct in_addr *addr)
313 if (inet_aton(str, addr))
316 hp = gethostbyname(str);
318 log_Printf(LogWARN, "StrToAddr: Unknown host %s.\n", str);
321 *addr = *((struct in_addr *) hp->h_addr);
327 StrToPort(const char *str, u_short *port, const char *proto)
332 *port = strtol(str, &end, 10);
334 sp = getservbyname(str, proto);
336 log_Printf(LogWARN, "StrToAddr: Unknown port or service %s/%s.\n",
340 *port = ntohs(sp->s_port);
347 StrToPortRange(const char *str, u_short *low, u_short *high, const char *proto)
352 minus = strchr(str, '-');
354 *minus = '\0'; /* Cheat the const-ness ! */
356 res = StrToPort(str, low, proto);
359 *minus = '-'; /* Cheat the const-ness ! */
363 res = StrToPort(minus + 1, high, proto);
372 StrToAddrAndPort(const char *str, struct in_addr *addr, u_short *low,
373 u_short *high, const char *proto)
378 colon = strchr(str, ':');
380 log_Printf(LogWARN, "StrToAddrAndPort: %s is missing port number.\n", str);
384 *colon = '\0'; /* Cheat the const-ness ! */
385 res = StrToAddr(str, addr);
386 *colon = ':'; /* Cheat the const-ness ! */
390 return StrToPortRange(colon + 1, low, high, proto);
394 nat_ProxyRule(struct cmdargs const *arg)
400 if (arg->argn >= arg->argc)
403 for (f = arg->argn, pos = 0; f < arg->argc; f++) {
404 len = strlen(arg->argv[f]);
405 if (sizeof cmd - pos < len + (len ? 1 : 0))
409 strcpy(cmd + pos, arg->argv[f]);
413 return LibAliasProxyRule(la, cmd);
417 nat_SetTarget(struct cmdargs const *arg)
421 if (arg->argc == arg->argn) {
422 addr.s_addr = INADDR_ANY;
423 LibAliasSetTarget(la, addr);
427 if (arg->argc != arg->argn + 1)
430 if (!strcasecmp(arg->argv[arg->argn], "MYADDR")) {
431 addr.s_addr = INADDR_ANY;
432 LibAliasSetTarget(la, addr);
436 addr = GetIpAddr(arg->argv[arg->argn]);
437 if (addr.s_addr == INADDR_NONE) {
438 log_Printf(LogWARN, "%s: invalid address\n", arg->argv[arg->argn]);
442 LibAliasSetTarget(la, addr);
448 nat_PunchFW(struct cmdargs const *arg)
453 if (arg->argc == arg->argn) {
454 LibAliasSetMode(la, 0, PKT_ALIAS_PUNCH_FW);
458 if (arg->argc != arg->argn + 2)
461 base = strtol(arg->argv[arg->argn], &end, 10);
462 if (*end != '\0' || base < 0)
465 count = strtol(arg->argv[arg->argn + 1], &end, 10);
466 if (*end != '\0' || count < 0)
469 LibAliasSetFWBase(la, base, count);
470 LibAliasSetMode(la, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
477 nat_SkinnyPort(struct cmdargs const *arg)
482 if (arg->argc == arg->argn) {
483 LibAliasSetSkinnyPort(la, 0);
487 if (arg->argc != arg->argn + 1)
490 port = strtol(arg->argv[arg->argn], &end, 10);
491 if (*end != '\0' || port < 0)
494 LibAliasSetSkinnyPort(la, port);
500 nat_LayerPush(struct bundle *bundle, struct link *l __unused, struct mbuf *bp,
501 int pri __unused, u_short *proto)
503 if (!bundle->NatEnabled || *proto != PROTO_IP)
506 log_Printf(LogDEBUG, "nat_LayerPush: PROTO_IP -> PROTO_IP\n");
507 m_settype(bp, MB_NATOUT);
508 /* Ensure there's a bit of extra buffer for the NAT code... */
509 bp = m_pullup(m_append(bp, NULL, NAT_EXTRABUF));
510 LibAliasOut(la, MBUF_CTOP(bp), bp->m_len);
511 bp->m_len = ntohs(((struct ip *)MBUF_CTOP(bp))->ip_len);
517 nat_LayerPull(struct bundle *bundle, struct link *l __unused, struct mbuf *bp,
521 int ret, len, nfrags;
525 if (!bundle->NatEnabled || *proto != PROTO_IP)
528 log_Printf(LogDEBUG, "nat_LayerPull: PROTO_IP -> PROTO_IP\n");
529 m_settype(bp, MB_NATIN);
530 /* Ensure there's a bit of extra buffer for the NAT code... */
531 bp = m_pullup(m_append(bp, NULL, NAT_EXTRABUF));
532 ret = LibAliasIn(la, MBUF_CTOP(bp), bp->m_len);
534 bp->m_len = ntohs(((struct ip *)MBUF_CTOP(bp))->ip_len);
535 if (bp->m_len > MAX_MRU) {
536 log_Printf(LogWARN, "nat_LayerPull: Problem with IP header length (%lu)\n",
537 (unsigned long)bp->m_len);
546 case PKT_ALIAS_UNRESOLVED_FRAGMENT:
547 /* Save the data for later */
548 if ((fptr = malloc(bp->m_len)) == NULL) {
549 log_Printf(LogWARN, "nat_LayerPull: Dropped unresolved fragment -"
550 " out of memory!\n");
554 bp = mbuf_Read(bp, fptr, bp->m_len);
555 LibAliasSaveFragment(la, fptr);
556 log_Printf(LogDEBUG, "Store another frag (%lu) - now %d\n",
557 (unsigned long)((struct ip *)fptr)->ip_id, ++gfrags);
561 case PKT_ALIAS_FOUND_HEADER_FRAGMENT:
562 /* Fetch all the saved fragments and chain them on the end of `bp' */
563 last = &bp->m_nextpkt;
565 while ((fptr = LibAliasGetFragment(la, MBUF_CTOP(bp))) != NULL) {
567 LibAliasFragmentIn(la, MBUF_CTOP(bp), fptr);
568 len = ntohs(((struct ip *)fptr)->ip_len);
569 *last = m_get(len, MB_NATIN);
570 memcpy(MBUF_CTOP(*last), fptr, len);
572 last = &(*last)->m_nextpkt;
575 log_Printf(LogDEBUG, "Found a frag header (%lu) - plus %d more frags (no"
576 "w %d)\n", (unsigned long)((struct ip *)MBUF_CTOP(bp))->ip_id,
580 case PKT_ALIAS_IGNORED:
581 if (LibAliasSetMode(la, 0, 0) & PKT_ALIAS_DENY_INCOMING) {
582 log_Printf(LogTCPIP, "NAT engine denied data:\n");
585 } else if (log_IsKept(LogTCPIP)) {
586 log_Printf(LogTCPIP, "NAT engine ignored data:\n");
587 PacketCheck(bundle, AF_INET, MBUF_CTOP(bp), bp->m_len, NULL,
593 log_Printf(LogWARN, "nat_LayerPull: Dropped a packet (%d)....\n", ret);
602 struct layer natlayer =
603 { LAYER_NAT, "nat", nat_LayerPush, nat_LayerPull };