aboutsummaryrefslogtreecommitdiffstats
path: root/sys/netinet/ip_nat.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/ip_nat.c')
-rw-r--r--sys/netinet/ip_nat.c571
1 files changed, 423 insertions, 148 deletions
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index 3c9476fe68d2..e1774b34bb05 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1995-1996 by Darren Reed.
+ * Copyright (C) 1995-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,9 +7,9 @@
*
* Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
*/
-#if !defined(lint) && defined(LIBC_SCCS)
-static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $";
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -28,19 +28,23 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp
#include <sys/file.h>
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
-# include <sys/fnctl.h>
+# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
#include <sys/fcntl.h>
#include <sys/uio.h>
-#include <sys/protosw.h>
+#ifndef linux
+# include <sys/protosw.h>
+#endif
#include <sys/socket.h>
-#ifdef _KERNEL
+#if defined(_KERNEL) && !defined(linux)
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
+# ifndef linux
+# include <sys/mbuf.h>
+# endif
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
@@ -63,18 +67,27 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#ifdef __sgi
+# ifdef IFF_DRVRLOCK /* IRIX6 */
+#include <sys/hashing.h>
+#include <netinet/in_var.h>
+# endif
+#endif
+
#ifdef RFC1825
#include <vpn/md5.h>
#include <vpn/ipsec.h>
extern struct ifnet vpnif;
#endif
-#include <netinet/ip_var.h>
+#ifndef linux
+# include <netinet/ip_var.h>
+#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
-#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
@@ -88,14 +101,32 @@ extern struct ifnet vpnif;
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
ipnat_t *nat_list = NULL;
-u_long fr_defnatage = 1200;
+u_long fr_defnatage = 1200, /* 10 minutes (600 seconds) */
+ fr_defnaticmpage = 6; /* 3 seconds */
natstat_t nat_stats;
-#if SOLARIS && defined(_KERNEL)
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern kmutex_t ipf_nat;
-extern kmutex_t ipf_natfrag;
#endif
-static int flush_nattable __P((void)), clear_natlist __P((void));
+static int nat_flushtable __P((void));
+static int nat_clearlist __P((void));
+static void nat_delete __P((struct nat *));
+static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
+
+
+#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
+
+#define CALC_SUMD(s1, s2, sd) { \
+ /* Do it twice */ \
+ (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+ (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+ /* Do it twice */ \
+ (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+ (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+ /* Because ~1 == -2, We really need ~1 == -1 */ \
+ if ((s1) > (s2)) (s2)--; \
+ (sd) = (s2) - (s1); \
+ (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
void fix_outcksum(sp, n)
u_short *sp;
@@ -104,11 +135,9 @@ u_long n;
register u_short sumshort;
register u_long sum1;
-#ifdef sparc
- sum1 = (~(*sp)) & 0xffff;
-#else
+ if (!n)
+ return;
sum1 = (~ntohs(*sp)) & 0xffff;
-#endif
sum1 += (n);
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
/* Again */
@@ -125,6 +154,8 @@ u_long n;
register u_short sumshort;
register u_long sum1;
+ if (!n)
+ return;
#ifdef sparc
sum1 = (~(*sp)) & 0xffff;
#else
@@ -164,21 +195,33 @@ u_long n;
* Handle ioctls which manipulate the NAT.
*/
int nat_ioctl(data, cmd, mode)
+#if defined(__NetBSD__) || defined(__OpenBSD__)
+u_long cmd;
+#else
+int cmd;
+#endif
caddr_t data;
-int cmd, mode;
+int mode;
{
register ipnat_t *nat, *n = NULL, **np = NULL;
ipnat_t natd;
- int error = 0, ret, s;
+ int error = 0, ret;
+#if defined(_KERNEL) && !SOLARIS
+ int s;
+#endif
+
+ nat = NULL; /* XXX gcc -Wuninitialized */
/*
* For add/delete, look to see if the NAT entry is already present
*/
+ SPL_NET(s);
MUTEX_ENTER(&ipf_nat);
- SPLNET(s);
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
IRCOPY(data, (char *)&natd, sizeof(natd));
nat = &natd;
+ nat->in_inip &= nat->in_inmsk;
+ nat->in_outip &= nat->in_outmsk;
for (np = &nat_list; (n = *np); np = &n->in_next)
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
IPN_CMPSIZ))
@@ -201,8 +244,10 @@ int cmd, mode;
error = ENOMEM;
break;
}
- IRCOPY((char *)data, (char *)n, sizeof(*n));
+ bcopy((char *)nat, (char *)n, sizeof(*n));
n->in_ifp = (void *)GETUNIT(n->in_ifname);
+ if (!n->in_ifp)
+ n->in_ifp = (void *)-1;
n->in_apr = ap_match(n->in_p, n->in_plabel);
n->in_next = *np;
n->in_use = 0;
@@ -211,7 +256,7 @@ int cmd, mode;
n->in_space -= 2;
else
n->in_space = 1; /* single IP# mapping */
- if (n->in_outmsk != 0xffffffff)
+ if ((n->in_outmsk != 0xffffffff) && n->in_outmsk)
n->in_nip = ntohl(n->in_outip) + 1;
else
n->in_nip = ntohl(n->in_outip);
@@ -260,9 +305,9 @@ int cmd, mode;
IRCOPY((char *)data, (char *)&nl, sizeof(nl));
- if (nat_lookupredir(&nl))
+ if (nat_lookupredir(&nl)) {
IWCOPY((char *)&nl, (char *)data, sizeof(nl));
- else
+ } else
error = ESRCH;
break;
}
@@ -271,7 +316,7 @@ int cmd, mode;
error = EPERM;
break;
}
- ret = flush_nattable();
+ ret = nat_flushtable();
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
case SIOCCNATL :
@@ -279,21 +324,25 @@ int cmd, mode;
error = EPERM;
break;
}
- ret = clear_natlist();
+ ret = nat_clearlist();
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
case FIONREAD :
#ifdef IPFILTER_LOG
- *(int *)data = iplused[IPL_LOGNAT];
+ IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
+ sizeof(iplused[IPL_LOGNAT]));
#endif
break;
}
- SPLX(s);
MUTEX_EXIT(&ipf_nat);
+ SPL_X(s);
return error;
}
+/*
+ * Delete a nat entry from the various lists and table.
+ */
static void nat_delete(natd)
struct nat *natd;
{
@@ -314,6 +363,11 @@ struct nat *natd;
break;
}
+ /*
+ * If there is an active reference from the nat entry to its parent
+ * rule, decrement the rule's reference count and free it too if no
+ * longer being used.
+ */
if ((ipn = natd->nat_ptr)) {
ipn->in_space++;
ipn->in_use--;
@@ -324,18 +378,20 @@ struct nat *natd;
nat_stats.ns_rules--;
}
}
- MUTEX_ENTER(&ipf_natfrag);
- if (nat->nat_frag && nat->nat_frag->ipfr_data == nat)
- nat->nat_frag->ipfr_data = NULL;
- MUTEX_EXIT(&ipf_natfrag);
+
+ /*
+ * If there's a fragment table entry too for this nat entry, then
+ * dereference that as well.
+ */
+ ipfr_forget((void *)natd);
KFREE(natd);
}
/*
- * flush_nattable - clear the NAT table of all mapping entries.
+ * nat_flushtable - clear the NAT table of all mapping entries.
*/
-static int flush_nattable()
+static int nat_flushtable()
{
register nat_t *nat, **natp;
register int j = 0;
@@ -358,9 +414,9 @@ static int flush_nattable()
/*
- * clear_natlist - delete all entries in the active NAT mapping list.
+ * nat_clearlist - delete all entries in the active NAT mapping list.
*/
-static int clear_natlist()
+static int nat_clearlist()
{
register ipnat_t *n, **np = &nat_list;
int i = 0;
@@ -384,14 +440,89 @@ static int clear_natlist()
/*
+ * return the first IP Address associated with an interface
+ */
+static int nat_ifpaddr(nat, ifptr, inp)
+nat_t *nat;
+void *ifptr;
+struct in_addr *inp;
+{
+#if SOLARIS
+ ill_t *ill = ifptr;
+#else
+ struct ifnet *ifp = ifptr;
+#endif
+ struct in_addr in;
+
+#if SOLARIS
+ in.s_addr = ill->ill_ipif->ipif_local_addr;
+#else /* SOLARIS */
+# if linux
+ ;
+# else /* linux */
+ struct ifaddr *ifa;
+ struct sockaddr_in *sin;
+
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_FIRST(&ifp->if_addrhead);
+# else
+# if defined(__NetBSD__) || defined(__OpenBSD__)
+ ifa = ifp->if_addrlist.tqh_first;
+# else
+# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
+ ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
+# else
+ ifa = ifp->if_addrlist;
+# endif
+# endif /* __NetBSD__ || __OpenBSD__ */
+# endif /* __FreeBSD_version >= 300000 */
+# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
+ sin = (SOCKADDR_IN *)&ifa->ifa_addr;
+# else
+ sin = (SOCKADDR_IN *)ifa->ifa_addr;
+ while (sin && ifa &&
+ sin->sin_family != AF_INET) {
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_NEXT(ifa, ifa_link);
+# else
+# if defined(__NetBSD__) || defined(__OpenBSD__)
+ ifa = ifa->ifa_list.tqe_next;
+# else
+ ifa = ifa->ifa_next;
+# endif
+# endif /* __FreeBSD_version >= 300000 */
+ if (ifa)
+ sin = (SOCKADDR_IN *)ifa->ifa_addr;
+ }
+ if (!ifa)
+ sin = NULL;
+ if (!sin) {
+ KFREE(nat);
+ return -1;
+ }
+# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
+ in = sin->sin_addr;
+ in.s_addr = ntohl(in.s_addr);
+# endif /* linux */
+#endif /* SOLARIS */
+ *inp = in;
+ return 0;
+}
+
+
+/*
* Create a new NAT table entry.
*/
+#ifdef __STDC__
+nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction)
+#else
nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np;
ip_t *ip;
fr_info_t *fin;
u_short flags;
int direction;
+#endif
{
register u_long sum1, sum2, sumd;
u_short port = 0, sport = 0, dport = 0, nport = 0;
@@ -419,11 +550,6 @@ int direction;
* Search the current table for a match.
*/
if (direction == NAT_OUTBOUND) {
-#if SOLARIS
- ill_t *ill = fin->fin_ifp;
-#else
- struct ifnet *ifp = fin->fin_ifp;
-#endif
/*
* If it's an outbound packet which doesn't match any existing
* record, then create a new port
@@ -432,50 +558,13 @@ int direction;
port = 0;
in.s_addr = np->in_nip;
if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
-#if SOLARIS
- in.s_addr = ill->ill_ipif->ipif_local_addr;
-#else
- struct ifaddr *ifa;
- struct sockaddr_in *sin;
-
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_FIRST(&ifp->if_addrhead);
-# else
-# ifdef __NetBSD__
- ifa = ifp->if_addrlist.tqh_first;
-# else
- ifa = ifp->if_addrlist;
-# endif
-# endif
-# if BSD < 199306
- sin = (SOCKADDR_IN *)&ifa->ifa_addr;
-# else
- sin = (SOCKADDR_IN *)ifa->ifa_addr;
- while (sin && ifa &&
- sin->sin_family != AF_INET) {
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_NEXT(ifa, ifa_link);
-# else
-# ifdef __NetBSD__
- ifa = ifa->ifa_list.tqe_next;
-# else
- ifa = ifa->ifa_next;
-# endif
-# endif
- sin = (SOCKADDR_IN *)ifa->ifa_addr;
- }
- if (!ifa)
- sin = NULL;
- if (!sin) {
- KFREE(nat);
+ if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1)
return NULL;
- }
-# endif
- in = sin->sin_addr;
- in.s_addr = ntohl(in.s_addr);
-#endif
- }
- if (nflags & IPN_TCPUDP) {
+ } else if (!in.s_addr && !np->in_outmsk) {
+ in.s_addr = ntohl(ip->ip_src.s_addr);
+ if (nflags & IPN_TCPUDP)
+ port = sport;
+ } else if (nflags & IPN_TCPUDP) {
port = htons(np->in_pnext++);
if (np->in_pnext >= ntohs(np->in_pmax)) {
np->in_pnext = ntohs(np->in_pmin);
@@ -520,7 +609,7 @@ int direction;
* internal port.
*/
in.s_addr = ntohl(np->in_inip);
- if (!(nport = np->in_pnext))
+ if (!(nport = htons(np->in_pnext)))
nport = dport;
nat->nat_inip.s_addr = htonl(in.s_addr);
@@ -597,10 +686,10 @@ int direction;
nat->nat_dir = direction;
if (direction == NAT_OUTBOUND) {
if (flags & IPN_TCPUDP)
- tcp->th_sport = htons(port);
+ tcp->th_sport = port;
} else {
if (flags & IPN_TCPUDP)
- tcp->th_dport = htons(nport);
+ tcp->th_dport = nport;
}
nat_stats.ns_added++;
nat_stats.ns_inuse++;
@@ -609,6 +698,132 @@ int direction;
}
+nat_t *nat_icmpinlookup(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+ icmphdr_t *icmp;
+ tcphdr_t *tcp = NULL;
+ ip_t *oip;
+ int flags = 0, type;
+
+ icmp = (icmphdr_t *)fin->fin_dp;
+ /*
+ * Does it at least have the return (basic) IP header ?
+ * Only a basic IP header (no options) should be with an ICMP error
+ * header.
+ */
+ if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t)))
+ return NULL;
+ type = icmp->icmp_type;
+ /*
+ * If it's not an error type, then return.
+ */
+ if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
+ (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
+ (type != ICMP_PARAMPROB))
+ return NULL;
+
+ oip = (ip_t *)((char *)fin->fin_dp + 8);
+ if (oip->ip_p == IPPROTO_TCP)
+ flags = IPN_TCP;
+ else if (oip->ip_p == IPPROTO_UDP)
+ flags = IPN_UDP;
+ if (flags & IPN_TCPUDP) {
+ tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ return nat_inlookup(fin->fin_ifp, flags, oip->ip_dst,
+ tcp->th_dport, oip->ip_src, tcp->th_sport);
+ }
+ return nat_inlookup(fin->fin_ifp, 0, oip->ip_src, 0, oip->ip_dst, 0);
+}
+
+
+/*
+ * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
+ * packet gets correctly recognised.
+ */
+nat_t *nat_icmpin(ip, fin, nflags)
+ip_t *ip;
+fr_info_t *fin;
+int *nflags;
+{
+ icmphdr_t *icmp;
+ nat_t *nat;
+ ip_t *oip;
+ int flags = 0;
+
+ if (!(nat = nat_icmpinlookup(ip, fin)))
+ return NULL;
+
+ *nflags = IPN_ICMPERR;
+ icmp = (icmphdr_t *)fin->fin_dp;
+ oip = (ip_t *)((char *)icmp + 8);
+ if (oip->ip_p == IPPROTO_TCP)
+ flags = IPN_TCP;
+ else if (oip->ip_p == IPPROTO_UDP)
+ flags = IPN_UDP;
+ /*
+ * Need to adjust ICMP header to include the real IP#'s and
+ * port #'s. Only apply a checksum change relative to the
+ * IP address change is it will be modified again in ip_natout
+ * for both address and port. Two checksum changes are
+ * necessary for the two header address changes. Be careful
+ * to only modify the checksum once for the port # and twice
+ * for the IP#.
+ */
+ if (flags & IPN_TCPUDP) {
+ tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
+ u_long sum1, sum2, sumd;
+ struct in_addr in;
+
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
+ in = nat->nat_outip;
+ oip->ip_src = in;
+ tcp->th_sport = nat->nat_outport;
+ } else {
+ sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
+ in = nat->nat_inip;
+ oip->ip_dst = in;
+ tcp->th_dport = nat->nat_inport;
+ }
+
+ sum2 = LONG_SUM(in.s_addr);
+
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd = (sumd & 0xffff) + (sumd >> 16);
+
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ fix_incksum(&oip->ip_sum, sumd);
+ fix_incksum(&icmp->icmp_cksum, sumd);
+ } else {
+ fix_outcksum(&oip->ip_sum, sumd);
+ fix_outcksum(&icmp->icmp_cksum, sumd);
+ }
+
+ /*
+ * TCP checksum doesn't make it into the 1st eight
+ * bytes but UDP does.
+ */
+ if (ip->ip_p == IPPROTO_UDP) {
+ udphdr_t *udp = (udphdr_t *)tcp;
+
+ if (udp->uh_sum) {
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_incksum(&udp->uh_sum,
+ nat->nat_sumd);
+ else
+ fix_outcksum(&udp->uh_sum,
+ nat->nat_sumd);
+ }
+ }
+ } else
+ ip->ip_dst = nat->nat_outip;
+ nat->nat_age = fr_defnaticmpage;
+ return nat;
+}
+
+
/*
* NB: these lookups don't lock access to the list, it assume it has already
* been done!
@@ -619,11 +834,15 @@ int direction;
* we're looking for a table entry, based on the destination address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
+#ifdef __STDC__
+nat_t *nat_inlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr mapdst, u_short mapdport)
+#else
nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
void *ifp;
register int flags;
struct in_addr src , mapdst;
u_short sport, mapdport;
+#endif
{
register nat_t *nat;
@@ -648,24 +867,29 @@ u_short sport, mapdport;
* we're looking for a table entry, based on the source address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
+#ifdef __STDC__
+nat_t *nat_outlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr dst, u_short dport)
+#else
nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
void *ifp;
register int flags;
struct in_addr src , dst;
u_short sport, dport;
+#endif
{
register nat_t *nat;
flags &= IPN_TCPUDP;
nat = nat_table[0][src.s_addr % NAT_SIZE];
- for (; nat; nat = nat->nat_hnext[0])
+ for (; nat; nat = nat->nat_hnext[0]) {
if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_inip.s_addr == src.s_addr &&
nat->nat_oip.s_addr == dst.s_addr &&
flags == nat->nat_flags && (!flags ||
(nat->nat_inport == sport && nat->nat_oport == dport)))
return nat;
+ }
return NULL;
}
@@ -675,11 +899,15 @@ u_short sport, dport;
* real destination address/port. We use this lookup when sending a packet
* out, we're looking for a table entry, based on the source address.
*/
+#ifdef __STDC__
+nat_t *nat_lookupmapip(void *ifp, int flags, struct in_addr mapsrc, u_short mapsport, struct in_addr dst, u_short dport)
+#else
nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
void *ifp;
register int flags;
struct in_addr mapsrc , dst;
u_short mapsport, dport;
+#endif
{
register nat_t *nat;
@@ -710,10 +938,11 @@ register natlookup_t *np;
* If nl_inip is non null, this is a lookup based on the real
* ip address. Else, we use the fake.
*/
- if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport,
- np->nl_outip, np->nl_outport))) {
- np->nl_inip = nat->nat_outip;
- np->nl_inport = nat->nat_outport;
+ if ((nat = nat_outlookup(NULL, np->nl_flags, np->nl_inip,
+ np->nl_inport, np->nl_outip,
+ np->nl_outport))) {
+ np->nl_realip = nat->nat_outip;
+ np->nl_realport = nat->nat_outport;
}
return nat;
}
@@ -731,10 +960,11 @@ fr_info_t *fin;
register ipnat_t *np;
register u_long ipa;
tcphdr_t *tcp = NULL;
- nat_t *nat;
u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
struct ifnet *ifp;
frentry_t *fr;
+ nat_t *nat;
+ int natadd = 1;
if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
@@ -757,11 +987,12 @@ fr_info_t *fin;
ipa = ip->ip_src.s_addr;
MUTEX_ENTER(&ipf_nat);
- if ((nat = ipfr_nat_knownfrag(ip, fin)))
- ;
- else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
+ if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
+ (nat = ipfr_nat_knownfrag(ip, fin)))
+ natadd = 0;
+ else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport,
ip->ip_dst, dport)))
- np = nat->nat_ptr;
+ ;
else
/*
* If there is no current entry in the nat table for this IP#,
@@ -794,7 +1025,7 @@ fr_info_t *fin;
}
if (nat) {
- if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
+ if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
nat->nat_age = fr_defnatage;
ip->ip_src = nat->nat_outip;
@@ -805,7 +1036,7 @@ fr_info_t *fin;
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
-#if SOLARIS
+#if SOLARIS || defined(__sgi)
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
else
@@ -872,8 +1103,9 @@ fr_info_t *fin;
register struct in_addr in;
struct ifnet *ifp = fin->fin_ifp;
tcphdr_t *tcp = NULL;
- u_short sport = 0, dport = 0, nflags = 0, *csump = NULL;
+ u_short sport = 0, dport = 0, *csump = NULL;
nat_t *nat;
+ int nflags = 0, natadd = 1;
if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
@@ -891,11 +1123,14 @@ fr_info_t *fin;
MUTEX_ENTER(&ipf_nat);
- if ((nat = ipfr_nat_knownfrag(ip, fin)))
+ if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags)))
;
+ else if ((ip->ip_off & IP_OFFMASK) &&
+ (nat = ipfr_nat_knownfrag(ip, fin)))
+ natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
ip->ip_dst, dport)))
- np = nat->nat_ptr;
+ ;
else
/*
* If there is no current entry in the nat table for this IP#,
@@ -905,16 +1140,8 @@ fr_info_t *fin;
if ((np->in_ifp == ifp) &&
(!np->in_flags || (nflags & np->in_flags)) &&
((in.s_addr & np->in_outmsk) == np->in_outip) &&
- (np->in_redir & NAT_REDIRECT ||
- np->in_pmin == dport)) {
- /*
- * If this rule (np) is a redirection, rather
- * than a mapping, then do a nat_new.
- * Otherwise, if it's just a mapping, do a
- * continue;
- */
- if (!(np->in_redir & NAT_REDIRECT))
- continue;
+ (np->in_redir & NAT_REDIRECT) &&
+ (!np->in_pmin || np->in_pmin == dport)) {
if ((nat = nat_new(np, ip, fin, nflags,
NAT_INBOUND)))
#ifdef IPFILTER_LOG
@@ -925,10 +1152,13 @@ fr_info_t *fin;
break;
}
if (nat) {
- if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
+ if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
(void) ap_check(ip, tcp, fin, nat);
- nat->nat_age = fr_defnatage;
+
+ if (nflags != IPN_ICMPERR)
+ nat->nat_age = fr_defnatage;
+
ip->ip_dst = nat->nat_inip;
nat->nat_bytes += ip->ip_len;
nat->nat_pkts++;
@@ -937,13 +1167,13 @@ fr_info_t *fin;
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
-#if SOLARIS
+#if SOLARIS || defined(__sgi)
if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
else
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
#endif
- if (nflags && !(ip->ip_off & 0x1fff) &&
+ if ((nflags & IPN_TCPUDP) && !(ip->ip_off & 0x1fff) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
if (nat->nat_inport)
@@ -994,14 +1224,10 @@ fr_info_t *fin;
*/
void ip_natunload()
{
- int s;
-
MUTEX_ENTER(&ipf_nat);
- SPLNET(s);
- (void) clear_natlist();
- (void) flush_nattable();
+ (void) nat_clearlist();
+ (void) nat_flushtable();
(void) ap_unload();
- SPLX(s)
MUTEX_EXIT(&ipf_nat);
}
@@ -1013,10 +1239,12 @@ void ip_natunload()
void ip_natexpire()
{
register struct nat *nat, **natp;
+#if defined(_KERNEL) && !SOLARIS
int s;
+#endif
+ SPL_NET(s);
MUTEX_ENTER(&ipf_nat);
- SPLNET(s);
for (natp = &nat_instances; (nat = *natp); ) {
if (--nat->nat_age) {
natp = &nat->nat_next;
@@ -1029,34 +1257,83 @@ void ip_natexpire()
nat_delete(nat);
nat_stats.ns_expire++;
}
- SPLX(s);
MUTEX_EXIT(&ipf_nat);
+ SPL_X(s);
+}
+
+
+/*
+ */
+#ifdef __STDC__
+void ip_natsync(void *ifp)
+#else
+void ip_natsync(ifp)
+void *ifp;
+#endif
+{
+ register nat_t *nat;
+ register u_long sum1, sum2, sumd;
+ struct in_addr in;
+ ipnat_t *np;
+#if defined(_KERNEL) && !SOLARIS
+ int s;
+#endif
+
+ SPL_NET(s);
+ MUTEX_ENTER(&ipf_nat);
+ for (nat = nat_instances; nat; nat = nat->nat_next)
+ if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr))
+ if ((np->in_outmsk == 0xffffffff) && !np->in_nip) {
+ /*
+ * Change the map-to address to be the same
+ * as the new one.
+ */
+ sum1 = nat->nat_outip.s_addr;
+ if (nat_ifpaddr(nat, ifp, &in) == -1)
+ nat->nat_outip.s_addr = htonl(in.s_addr);
+ sum2 = nat->nat_outip.s_addr;
+
+ /*
+ * Readjust the checksum adjustment to take
+ * into account the new IP#.
+ *
+ * Do it twice
+ */
+ sum1 = (sum1 & 0xffff) + (sum1 >> 16);
+ sum1 = (sum1 & 0xffff) + (sum1 >> 16);
+
+ /* Do it twice */
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+
+ /* Because ~1 == -2, We really need ~1 == -1 */
+ if (sum1 > sum2)
+ sum2--;
+ sumd = sum2 - sum1;
+ sumd = (sumd & 0xffff) + (sumd >> 16);
+ sumd += nat->nat_sumd;
+ nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
+ }
+ MUTEX_EXIT(&ipf_nat);
+ SPL_X(s);
}
#ifdef IPFILTER_LOG
+# ifdef __STDC__
+void nat_log(struct nat *nat, u_short type)
+# else
void nat_log(nat, type)
struct nat *nat;
u_short type;
+# endif
{
- struct ipnat *np;
- struct natlog natl;
- int rulen;
-
- if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) {
- nat_stats.ns_logfail++;
- return;
- }
-
- if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE)
- iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT];
+ struct ipnat *np;
+ struct natlog natl;
+ void *items[1];
+ size_t sizes[1];
+ int rulen, types[1];
-# ifdef sun
- uniqtime(&natl);
-# endif
-# if BSD >= 199306 || defined(__FreeBSD__)
- microtime((struct timeval *)&natl);
-# endif
natl.nl_inip = nat->nat_inip;
natl.nl_outip = nat->nat_outip;
natl.nl_origip = nat->nat_oip;
@@ -1074,12 +1351,10 @@ u_short type;
break;
}
}
+ items[0] = &natl;
+ sizes[0] = sizeof(natl);
+ types[0] = 0;
- if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) {
- iplused[IPL_LOGNAT] += sizeof(natl);
- nat_stats.ns_logged++;
- } else
- nat_stats.ns_logfail++;
- wakeup(iplbuf[IPL_LOGNAT]);
+ (void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1);
}
#endif