/* * Copyright (C) 1995-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com) */#if !defined(lint)static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $";#endif#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)#define _KERNEL#endif#include <sys/errno.h>#include <sys/types.h>#include <sys/param.h>#include <sys/time.h>#include <sys/file.h>#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \    defined(_KERNEL)# include "opt_ipfilter_log.h"#endif#if !defined(_KERNEL) && !defined(KERNEL)# include <stdio.h># include <string.h># include <stdlib.h>#endif#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)# include <sys/filio.h># include <sys/fcntl.h>#else# include <sys/ioctl.h>#endif#include <sys/fcntl.h>#include <sys/uio.h>#ifndef linux# include <sys/protosw.h>#endif#include <sys/socket.h>#if defined(_KERNEL) && !defined(linux)# include <sys/systm.h>#endif#if !defined(__SVR4) && !defined(__svr4__)# ifndef linux#  include <sys/mbuf.h># endif#else# include <sys/filio.h># include <sys/byteorder.h># ifdef _KERNEL#  include <sys/dditypes.h># endif# include <sys/stream.h># include <sys/kmem.h>#endif#if __FreeBSD_version >= 300000# include <sys/queue.h>#endif#include <net/if.h>#if __FreeBSD_version >= 300000# include <net/if_var.h># if defined(_KERNEL) && !defined(IPFILTER_LKM)#  include "opt_ipfilter.h"# endif#endif#ifdef sun# include <net/af.h>#endif#include <net/route.h>#include <netinet/in.h>#include <netinet/in_systm.h>#include <netinet/ip.h>#ifdef __sgi# ifdef IFF_DRVRLOCK /* IRIX6 */#include <sys/hashing.h>#include <netinet/in_var.h># endif#endif#ifdef RFC1825# include <vpn/md5.h># include <vpn/ipsec.h>extern struct ifnet vpnif;#endif#ifndef linux# include <netinet/ip_var.h>#endif#include <netinet/tcp.h>#include <netinet/udp.h>#include <netinet/ip_icmp.h>#include "netinet/ip_compat.h"#include <netinet/tcpip.h>#include "netinet/ip_fil.h"#include "netinet/ip_proxy.h"#include "netinet/ip_nat.h"#include "netinet/ip_frag.h"#include "netinet/ip_state.h"#if (__FreeBSD_version >= 300000)# include <sys/malloc.h>#endif#ifndef	MIN# define	MIN(a,b)	(((a)<(b))?(a):(b))#endif#undef	SOCKADDR_IN#define	SOCKADDR_IN	struct sockaddr_innat_t	**nat_table[2] = { NULL, NULL },	*nat_instances = NULL;ipnat_t	*nat_list = NULL;u_int	ipf_nattable_sz = NAT_TABLE_SZ;u_int	ipf_natrules_sz = NAT_SIZE;u_int	ipf_rdrrules_sz = RDR_SIZE;u_int	ipf_hostmap_sz = HOSTMAP_SIZE;u_32_t	nat_masks = 0;u_32_t	rdr_masks = 0;ipnat_t	**nat_rules = NULL;ipnat_t	**rdr_rules = NULL;hostmap_t	**maptable  = NULL;u_long	fr_defnatage = DEF_NAT_AGE,	fr_defnaticmpage = 6;		/* 3 seconds */natstat_t nat_stats;int	fr_nat_lock = 0;#if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)extern	kmutex_t	ipf_rw;extern	KRWLOCK_T	ipf_nat;#endifstatic	int	nat_flushtable __P((void));static	int	nat_clearlist __P((void));static	void	nat_addnat __P((struct ipnat *));static	void	nat_addrdr __P((struct ipnat *));static	void	nat_delete __P((struct nat *));static	void	nat_delrdr __P((struct ipnat *));static	void	nat_delnat __P((struct ipnat *));static	int	fr_natgetent __P((caddr_t));static	int	fr_natgetsz __P((caddr_t));static	int	fr_natputent __P((caddr_t));static	void	nat_tabmove __P((nat_t *, u_32_t));static	int	nat_match __P((fr_info_t *, ipnat_t *, ip_t *));static	hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,				    struct in_addr));static	void	nat_hostmapdel __P((struct hostmap *));int nat_init(){	KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);	if (nat_table[0] != NULL)		bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));	else		return -1;	KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);	if (nat_table[1] != NULL)		bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));	else		return -1;	KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);	if (nat_rules != NULL)		bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));	else		return -1;	KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);	if (rdr_rules != NULL)		bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));	else		return -1;	KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);	if (maptable != NULL)		bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);	else		return -1;	return 0;}static void nat_addrdr(n)ipnat_t *n;{	ipnat_t **np;	u_32_t j;	u_int hv;	int k;	k = countbits(n->in_outmsk);	if ((k >= 0) && (k != 32))		rdr_masks |= 1 << k;	j = (n->in_outip & n->in_outmsk);	hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);	np = rdr_rules + hv;	while (*np != NULL)		np = &(*np)->in_rnext;	n->in_rnext = NULL;	n->in_prnext = np;	*np = n;}static void nat_addnat(n)ipnat_t *n;{	ipnat_t **np;	u_32_t j;	u_int hv;	int k;	k = countbits(n->in_inmsk);	if ((k >= 0) && (k != 32))		nat_masks |= 1 << k;	j = (n->in_inip & n->in_inmsk);	hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);	np = nat_rules + hv;	while (*np != NULL)		np = &(*np)->in_mnext;	n->in_mnext = NULL;	n->in_pmnext = np;	*np = n;}static void nat_delrdr(n)ipnat_t *n;{	if (n->in_rnext)		n->in_rnext->in_prnext = n->in_prnext;	*n->in_prnext = n->in_rnext;}static void nat_delnat(n)ipnat_t *n;{	if (n->in_mnext)		n->in_mnext->in_pmnext = n->in_pmnext;	*n->in_pmnext = n->in_mnext;}/* * check if an ip address has already been allocated for a given mapping that * is not doing port based translation. * * Must be called with ipf_nat held as a write lock. */static struct hostmap *nat_hostmap(np, real, map)ipnat_t *np;struct in_addr real;struct in_addr map;{	hostmap_t *hm;	u_int hv;	hv = real.s_addr % HOSTMAP_SIZE;	for (hm = maptable[hv]; hm; hm = hm->hm_next)		if ((hm->hm_realip.s_addr == real.s_addr) &&		    (np == hm->hm_ipnat)) {			hm->hm_ref++;			return hm;		}	KMALLOC(hm, hostmap_t *);	if (hm) {		hm->hm_next = maptable[hv];		hm->hm_pnext = maptable + hv;		if (maptable[hv])			maptable[hv]->hm_pnext = &hm->hm_next;		maptable[hv] = hm;		hm->hm_ipnat = np;		hm->hm_realip = real;		hm->hm_mapip = map;		hm->hm_ref = 1;	}	return hm;}/* * Must be called with ipf_nat held as a write lock. */static void nat_hostmapdel(hm)struct hostmap *hm;{	ATOMIC_DEC32(hm->hm_ref);	if (hm->hm_ref == 0) {		if (hm->hm_next)			hm->hm_next->hm_pnext = hm->hm_pnext;		*hm->hm_pnext = hm->hm_next;		KFREE(hm);	}}void fix_outcksum(sp, n)u_short *sp;u_32_t n;{	register u_short sumshort;	register u_32_t sum1;	if (!n)		return;#if SOLARIS2 >= 6	else if (n & NAT_HW_CKSUM) {		*sp = n & 0xffff;		return;	}#endif	sum1 = (~ntohs(*sp)) & 0xffff;	sum1 += (n);	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	/* Again */	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	sumshort = ~(u_short)sum1;	*(sp) = htons(sumshort);}void fix_incksum(sp, n)u_short *sp;u_32_t n;{	register u_short sumshort;	register u_32_t sum1;	if (!n)		return;#if SOLARIS2 >= 6	else if (n & NAT_HW_CKSUM) {		*sp = n & 0xffff;		return;	}#endif#ifdef sparc	sum1 = (~(*sp)) & 0xffff;#else	sum1 = (~ntohs(*sp)) & 0xffff;#endif	sum1 += ~(n) & 0xffff;	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	/* Again */	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	sumshort = ~(u_short)sum1;	*(sp) = htons(sumshort);}/* * fix_datacksum is used *only* for the adjustments of checksums in the data * section of an IP packet. * * The only situation in which you need to do this is when NAT'ing an  * ICMP error message. Such a message, contains in its body the IP header * of the original IP packet, that causes the error. * * You can't use fix_incksum or fix_outcksum in that case, because for the * kernel the data section of the ICMP error is just data, and no special  * processing like hardware cksum or ntohs processing have been done by the  * kernel on the data section. */void fix_datacksum(sp, n)u_short *sp;u_32_t n;{	register u_short sumshort;	register u_32_t sum1;	if (!n)		return;	sum1 = (~ntohs(*sp)) & 0xffff;	sum1 += (n);	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	/* Again */	sum1 = (sum1 >> 16) + (sum1 & 0xffff);	sumshort = ~(u_short)sum1;	*(sp) = htons(sumshort);}/* * How the NAT is organised and works. * * Inside (interface y) NAT       Outside (interface x) * -------------------- -+- ------------------------------------- * Packet going          |   out, processsed by ip_natout() for x * ------------>         |   ------------> * src=10.1.1.1          |   src=192.1.1.1 *                       | *                       |   in, processed by ip_natin() for x * <------------         |   <------------ * dst=10.1.1.1          |   dst=192.1.1.1 * -------------------- -+- ------------------------------------- * ip_natout() - changes ip_src and if required, sport *             - creates a new mapping, if required. * ip_natin()  - changes ip_dst and if required, dport * * In the NAT table, internal source is recorded as "in" and externally * seen as "out". *//* * Handle ioctls which manipulate the NAT. */int nat_ioctl(data, cmd, mode)#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)u_long cmd;#elseint cmd;#endifcaddr_t data;int mode;{	register ipnat_t *nat, *nt, *n = NULL, **np = NULL;	int error = 0, ret, arg;	ipnat_t natd;	u_32_t i, j;#if (BSD >= 199306) && defined(_KERNEL)	if ((securelevel >= 2) && (mode & FWRITE))		return EPERM;#endif	nat = NULL;     /* XXX gcc -Wuninitialized */	KMALLOC(nt, ipnat_t *);	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))		error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));	else if (cmd == SIOCIPFFL) {	/* SIOCFLNAT & SIOCCNATL */		error = IRCOPY(data, (char *)&arg, sizeof(arg));		if (error)			error = EFAULT;	}	if (error)		goto done;	/*	 * For add/delete, look to see if the NAT entry is already present	 */	WRITE_ENTER(&ipf_nat);	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {		nat = &natd;		nat->in_flags &= IPN_USERFLAGS;		if ((nat->in_redir & NAT_MAPBLK) == 0) {			if ((nat->in_flags & IPN_SPLIT) == 0)				nat->in_inip &= nat->in_inmsk;			if ((nat->in_flags & IPN_IPRANGE) == 0)				nat->in_outip &= nat->in_outmsk;		}		for (np = &nat_list; (n = *np); np = &n->in_next)			if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,					IPN_CMPSIZ))				break;	}	switch (cmd)	{#ifdef  IPFILTER_LOG	case SIOCIPFFB :	{		int tmp;		if (!(mode & FWRITE))			error = EPERM;		else {			tmp = ipflog_clear(IPL_LOGNAT);			IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));		}		break;	}#endif	case SIOCADNAT :		if (!(mode & FWRITE)) {			error = EPERM;			break;		}		if (n) {			error = EEXIST;			break;		}		if (nt == NULL) {			error = ENOMEM;			break;		}		n = nt;		nt = NULL;		bcopy((char *)nat, (char *)n, sizeof(*n));		n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);		if (!n->in_ifp)			n->in_ifp = (void *)-1;		if (n->in_plabel[0] != '\0') {			n->in_apr = appr_match(n->in_p, n->in_plabel);			if (!n->in_apr) {				error = ENOENT;				break;			}		}		n->in_next = NULL;		*np = n;		if (n->in_redir & NAT_REDIRECT) {			n->in_flags &= ~IPN_NOTDST;			nat_addrdr(n);		}		if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {			n->in_flags &= ~IPN_NOTSRC;			nat_addnat(n);		}		n->in_use = 0;		if (n->in_redir & NAT_MAPBLK)			n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);		else if (n->in_flags & IPN_AUTOPORTMAP)			n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);		else if (n->in_flags & IPN_IPRANGE)			n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);		else if (n->in_flags & IPN_SPLIT)			n->in_space = 2;		else			n->in_space = ~ntohl(n->in_outmsk);		/*		 * Calculate the number of valid IP addresses in the output		 * mapping range.  In all cases, the range is inclusive of		 * the start and ending IP addresses.		 * If to a CIDR address, lose 2: broadcast + network address		 *			         (so subtract 1)		 * If to a range, add one.		 * If to a single IP address, set to 1.