| /* |
| * Copyright (C) 1995-2003 by Darren Reed. |
| * |
| * See the IPFILTER.LICENCE file for details on licencing. |
| */ |
| #if defined(KERNEL) || defined(_KERNEL) |
| # undef KERNEL |
| # undef ipf_nat6_KERNEL |
| # define KERNEL 1 |
| # define ipf_nat6_KERNEL 1 |
| #endif |
| #include <sys/errno.h> |
| #include <sys/types.h> |
| #include <sys/param.h> |
| #include <sys/time.h> |
| #include <sys/file.h> |
| #if defined(_KERNEL) && defined(__NetBSD_Version__) && \ |
| (__NetBSD_Version__ >= 399002000) |
| # include <sys/kauth.h> |
| #endif |
| #if !defined(_KERNEL) |
| # include <stdio.h> |
| # include <string.h> |
| # include <stdlib.h> |
| # define ipf_nat6_KERNEL |
| # ifdef ipf_nat6__OpenBSD__ |
| struct file; |
| # endif |
| # include <sys/uio.h> |
| # undef ipf_nat6_KERNEL |
| #endif |
| #if defined(_KERNEL) && (__FreeBSD_version >= 220000) |
| # include <sys/filio.h> |
| # include <sys/fcntl.h> |
| #else |
| # include <sys/ioctl.h> |
| #endif |
| #if !defined(AIX) |
| # include <sys/fcntl.h> |
| #endif |
| #if !defined(linux) |
| # include <sys/protosw.h> |
| #endif |
| #include <sys/socket.h> |
| #if defined(_KERNEL) |
| # include <sys/systm.h> |
| # if !defined(__SVR4) && !defined(__svr4__) |
| # include <sys/mbuf.h> |
| # endif |
| #endif |
| #if defined(__SVR4) || defined(__svr4__) |
| # include <sys/filio.h> |
| # include <sys/byteorder.h> |
| # ifdef ipf_nat6_KERNEL |
| # include <sys/dditypes.h> |
| # endif |
| # include <sys/stream.h> |
| # include <sys/kmem.h> |
| #endif |
| #if ipf_nat6__FreeBSD_version >= 300000 |
| # include <sys/queue.h> |
| #endif |
| #include <net/if.h> |
| #if ipf_nat6__FreeBSD_version >= 300000 |
| # include <net/if_var.h> |
| #endif |
| #ifdef sun |
| # include <net/af.h> |
| #endif |
| #include <net/route.h> |
| #include <netinet/in.h> |
| #include <netinet/in_systm.h> |
| #include <netinet/ip.h> |
| |
| #ifdef RFC1825 |
| # include <vpn/md5.h> |
| # include <vpn/ipsec.h> |
| extern struct ifnet vpnif; |
| #endif |
| |
| #if !defined(linux) |
| # include <netinet/ip_var.h> |
| #endif |
| #include <netinet/tcp.h> |
| #include <netinet/udp.h> |
| #include <netinet/ip_icmp.h> |
| #include "netinet/ip_compat.h" |
| #include <netinet/tcpip.h> |
| #include "netinet/ip_fil.h" |
| #include "netinet/ip_nat.h" |
| #include "netinet/ip_frag.h" |
| #include "netinet/ip_state.h" |
| #include "netinet/ip_proxy.h" |
| #include "netinet/ip_lookup.h" |
| #ifdef IPFILTER_SYNC |
| #include "netinet/ip_sync.h" |
| #endif |
| #if (__FreeBSD_version >= 300000) |
| # include <sys/malloc.h> |
| #endif |
| #include "md5.h" |
| /* END OF INCLUDES */ |
| |
| #undef SOCKADDR_IN |
| #define SOCKADDR_IN struct sockaddr_in |
| |
| #if !defined(lint) |
| static const char rcsid[] = "@(#)$Id$"; |
| #endif |
| |
| #ifdef USE_INET6 |
| static struct hostmap *ipf_nat6_hostmap __P((ipf_nat_softc_t *, ipnat_t *, |
| i6addr_t *, i6addr_t *, |
| i6addr_t *, u_32_t)); |
| static int ipf_nat6_match __P((fr_info_t *, ipnat_t *)); |
| static void ipf_nat6_tabmove __P((ipf_nat_softc_t *, nat_t *)); |
| static int ipf_nat6_decap __P((fr_info_t *, nat_t *)); |
| static int ipf_nat6_nextaddr __P((fr_info_t *, nat_addr_t *, i6addr_t *, |
| i6addr_t *)); |
| static int ipf_nat6_encapok __P((fr_info_t *, nat_t *)); |
| static int ipf_nat6_matchencap __P((fr_info_t *, ipnat_t *)); |
| static nat_t *ipf_nat6_rebuildencapicmp __P((fr_info_t *, nat_t *)); |
| static int ipf_nat6_icmpquerytype __P((int)); |
| static int ipf_nat6_out __P((fr_info_t *, nat_t *, int, u_32_t)); |
| static int ipf_nat6_in __P((fr_info_t *, nat_t *, int, u_32_t)); |
| static int ipf_nat6_builddivertmp __P((ipf_nat_softc_t *, ipnat_t *)); |
| static int ipf_nat6_nextaddrinit __P((ipf_main_softc_t *, nat_addr_t *, int, void *)); |
| static int ipf_nat6_insert __P((ipf_main_softc_t *, ipf_nat_softc_t *, nat_t *)); |
| |
| |
| #define NINCLSIDE6(y,x) ATOMIC_INCL(softn->ipf_nat_stats.ns_side6[y].x) |
| #define NBUMPSIDE6(y,x) softn->ipf_nat_stats.ns_side6[y].x++ |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_ruleaddrinit */ |
| /* Returns: int - 0 == success, else failure */ |
| /* Parameters: in(I) - NAT rule that requires address fields to be init'd */ |
| /* */ |
| /* For each of the source/destination address fields in a NAT rule, call */ |
| /* ipf_nat6_nextaddrinit() to prepare the structure for active duty. Other */ |
| /* IPv6 specific actions can also be taken care of here. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_ruleaddrinit(softc, softn, n) |
| ipf_main_softc_t *softc; |
| ipf_nat_softc_t *softn; |
| ipnat_t *n; |
| { |
| int idx, error; |
| |
| if (n->in_redir == NAT_BIMAP) { |
| n->in_ndstip6 = n->in_osrcip6; |
| n->in_ndstmsk6 = n->in_osrcmsk6; |
| n->in_odstip6 = n->in_nsrcip6; |
| n->in_odstmsk6 = n->in_nsrcmsk6; |
| |
| } |
| |
| if (n->in_redir & NAT_REDIRECT) |
| idx = 1; |
| else |
| idx = 0; |
| /* |
| * Initialise all of the address fields. |
| */ |
| error = ipf_nat6_nextaddrinit(softc, &n->in_osrc, 1, n->in_ifps[idx]); |
| if (error != 0) |
| return error; |
| |
| error = ipf_nat6_nextaddrinit(softc, &n->in_odst, 1, n->in_ifps[idx]); |
| if (error != 0) |
| return error; |
| |
| error = ipf_nat6_nextaddrinit(softc, &n->in_nsrc, 1, n->in_ifps[idx]); |
| if (error != 0) |
| return error; |
| |
| error = ipf_nat6_nextaddrinit(softc, &n->in_ndst, 1, n->in_ifps[idx]); |
| if (error != 0) |
| return error; |
| |
| if (n->in_redir & (NAT_ENCAP|NAT_DIVERTUDP)) |
| ipf_nat6_builddivertmp(softn, n); |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_addrdr */ |
| /* Returns: Nil */ |
| /* Parameters: n(I) - pointer to NAT rule to add */ |
| /* */ |
| /* Adds a redirect rule to the hash table of redirect rules and the list of */ |
| /* loaded NAT rules. Updates the bitmask indicating which netmasks are in */ |
| /* use by redirect rules. */ |
| /* ------------------------------------------------------------------------ */ |
| void |
| ipf_nat6_addrdr(softn, n) |
| ipf_nat_softc_t *softn; |
| ipnat_t *n; |
| { |
| ipnat_t **np; |
| i6addr_t j; |
| u_int hv; |
| int k; |
| |
| if ((n->in_redir & NAT_BIMAP) == NAT_BIMAP) { |
| k = count6bits(n->in_nsrcmsk6.i6); |
| if ((k >= 0) && (k != 128)) |
| softn->ipf_nat6_rdr_masks[k >> 5] |= 1 << (k & 31); |
| |
| IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); |
| hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); |
| |
| } else if (n->in_odstatype == FRI_NORMAL) { |
| k = count6bits(n->in_odstmsk6.i6); |
| if ((k >= 0) && (k != 128)) |
| softn->ipf_nat6_rdr_masks[k >> 5] |= 1 << (k & 31); |
| |
| IP6_AND(&n->in_odstip6, &n->in_odstmsk6, &j); |
| hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_rdrrules_sz); |
| } else { |
| softn->ipf_nat6_rdr_masks[3] |= 1; |
| hv = 0; |
| } |
| np = softn->ipf_nat_rdr_rules + hv; |
| while (*np != NULL) |
| np = &(*np)->in_rnext; |
| n->in_rnext = NULL; |
| n->in_prnext = np; |
| n->in_hv[0] = hv; |
| *np = n; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_addmap */ |
| /* Returns: Nil */ |
| /* Parameters: n(I) - pointer to NAT rule to add */ |
| /* */ |
| /* Adds a NAT map rule to the hash table of rules and the list of loaded */ |
| /* NAT rules. Updates the bitmask indicating which netmasks are in use by */ |
| /* redirect rules. */ |
| /* ------------------------------------------------------------------------ */ |
| void |
| ipf_nat6_addmap(softn, n) |
| ipf_nat_softc_t *softn; |
| ipnat_t *n; |
| { |
| ipnat_t **np; |
| i6addr_t j; |
| u_int hv; |
| int k; |
| |
| if (n->in_osrcatype == FRI_NORMAL) { |
| k = count6bits(n->in_osrcmsk6.i6); |
| if ((k >= 0) && (k != 128)) |
| softn->ipf_nat6_map_masks[k >> 5] |= 1 << (k & 31); |
| IP6_AND(&n->in_osrcip6, &n->in_osrcmsk6, &j); |
| hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_maprules_sz); |
| } else { |
| softn->ipf_nat6_map_masks[3] |= 1; |
| hv = 0; |
| } |
| np = softn->ipf_nat_map_rules + hv; |
| while (*np != NULL) |
| np = &(*np)->in_mnext; |
| n->in_mnext = NULL; |
| n->in_pmnext = np; |
| n->in_hv[1] = hv; |
| *np = n; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_addencap */ |
| /* Returns: Nil */ |
| /* Parameters: n(I) - pointer to NAT rule to add */ |
| /* */ |
| /* Here we add in a pointer in the NAT rules hash table to match reply */ |
| /* packets that are encapsulated. For encap rules that are "out", what we */ |
| /* will want to match upon will be the source address in the encap rule as */ |
| /* this is what will become the destination in packets coming back to us. */ |
| /* For encaps pointing in, it is still the same because it is still the */ |
| /* reply packet we want to match. */ |
| /* ------------------------------------------------------------------------ */ |
| void |
| ipf_nat6_addencap(softn, n) |
| ipf_nat_softc_t *softn; |
| ipnat_t *n; |
| { |
| ipnat_t **np; |
| u_32_t j; |
| u_int hv; |
| int k; |
| |
| k = -1; |
| |
| /* |
| * It is the new source address we're after... |
| */ |
| if (n->in_nsrcatype == FRI_NORMAL) { |
| k = count6bits(n->in_nsrcip6.i6); |
| IP6_AND(&n->in_nsrcip6, &n->in_nsrcip6, &j); |
| hv = NAT_HASH_FN6(&j, 0, softn->ipf_nat_maprules_sz); |
| } else { |
| j = 0; |
| hv = 0; |
| } |
| |
| /* |
| * And place the rules table entry in the reverse spot, so for out |
| * we use the rdr-links and for rdr, we use the map-links/ |
| */ |
| if (n->in_redir & NAT_MAP) { |
| if ((k >= 0) && (k != 128)) |
| softn->ipf_nat6_rdr_masks[k >> 5] |= 1 << (k & 0x1f); |
| else |
| softn->ipf_nat6_rdr_masks[3] |= 1; |
| np = softn->ipf_nat_rdr_rules + hv; |
| while (*np != NULL) |
| np = &(*np)->in_rnext; |
| n->in_rnext = NULL; |
| n->in_prnext = np; |
| n->in_hv[0] = hv; |
| *np = n; |
| } else if (n->in_redir & NAT_REDIRECT) { |
| if ((k >= 0) && (k != 128)) |
| softn->ipf_nat6_map_masks[k >> 5] |= 1 << (k & 0x1f); |
| else |
| softn->ipf_nat6_map_masks[3] |= 1; |
| np = softn->ipf_nat_map_rules + hv; |
| while (*np != NULL) |
| np = &(*np)->in_mnext; |
| n->in_mnext = NULL; |
| n->in_pmnext = np; |
| n->in_hv[1] = hv; |
| *np = n; |
| } |
| |
| /* TRACE(n, hv, k) */ |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_hostmap */ |
| /* Returns: struct hostmap* - NULL if no hostmap could be created, */ |
| /* else a pointer to the hostmapping to use */ |
| /* Parameters: np(I) - pointer to NAT rule */ |
| /* real(I) - real IP address */ |
| /* map(I) - mapped IP address */ |
| /* port(I) - destination port number */ |
| /* Write Locks: ipf_nat */ |
| /* */ |
| /* Check if an ip address has already been allocated for a given mapping */ |
| /* that is not doing port based translation. If is not yet allocated, then */ |
| /* create a new entry if a non-NULL NAT rule pointer has been supplied. */ |
| /* ------------------------------------------------------------------------ */ |
| static struct hostmap * |
| ipf_nat6_hostmap(softn, np, src, dst, map, port) |
| ipf_nat_softc_t *softn; |
| ipnat_t *np; |
| i6addr_t *src, *dst, *map; |
| u_32_t port; |
| { |
| hostmap_t *hm; |
| u_int hv; |
| |
| hv = (src->i6[3] ^ dst->i6[3]); |
| hv += (src->i6[2] ^ dst->i6[2]); |
| hv += (src->i6[1] ^ dst->i6[1]); |
| hv += (src->i6[0] ^ dst->i6[0]); |
| hv += src->i6[3]; |
| hv += src->i6[2]; |
| hv += src->i6[1]; |
| hv += src->i6[0]; |
| hv += dst->i6[3]; |
| hv += dst->i6[2]; |
| hv += dst->i6[1]; |
| hv += dst->i6[0]; |
| hv %= HOSTMAP_SIZE; |
| for (hm = softn->ipf_hm_maptable[hv]; hm; hm = hm->hm_next) |
| if (IP6_EQ(&hm->hm_osrc6, src) && |
| IP6_EQ(&hm->hm_odst6, dst) && |
| ((np == NULL) || (np == hm->hm_ipnat)) && |
| ((port == 0) || (port == hm->hm_port))) { |
| softn->ipf_nat_stats.ns_hm_addref++; |
| hm->hm_ref++; |
| return hm; |
| } |
| |
| if (np == NULL) { |
| softn->ipf_nat_stats.ns_hm_nullnp++; |
| return NULL; |
| } |
| |
| KMALLOC(hm, hostmap_t *); |
| if (hm) { |
| hm->hm_next = softn->ipf_hm_maplist; |
| hm->hm_pnext = &softn->ipf_hm_maplist; |
| if (softn->ipf_hm_maplist != NULL) |
| softn->ipf_hm_maplist->hm_pnext = &hm->hm_next; |
| softn->ipf_hm_maplist = hm; |
| hm->hm_hnext = softn->ipf_hm_maptable[hv]; |
| hm->hm_phnext = softn->ipf_hm_maptable + hv; |
| if (softn->ipf_hm_maptable[hv] != NULL) |
| softn->ipf_hm_maptable[hv]->hm_phnext = &hm->hm_hnext; |
| softn->ipf_hm_maptable[hv] = hm; |
| hm->hm_ipnat = np; |
| hm->hm_osrcip6 = *src; |
| hm->hm_odstip6 = *dst; |
| hm->hm_nsrcip6 = *map; |
| hm->hm_ndstip6.i6[0] = 0; |
| hm->hm_ndstip6.i6[1] = 0; |
| hm->hm_ndstip6.i6[2] = 0; |
| hm->hm_ndstip6.i6[3] = 0; |
| hm->hm_ref = 1; |
| hm->hm_port = port; |
| hm->hm_hv = hv; |
| hm->hm_v = 6; |
| softn->ipf_nat_stats.ns_hm_new++; |
| } else { |
| softn->ipf_nat_stats.ns_hm_newfail++; |
| } |
| return hm; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_newmap */ |
| /* Returns: int - -1 == error, 0 == success */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT entry */ |
| /* ni(I) - pointer to structure with misc. information needed */ |
| /* to create new NAT entry. */ |
| /* */ |
| /* Given an empty NAT structure, populate it with new information about a */ |
| /* new NAT session, as defined by the matching NAT rule. */ |
| /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/ |
| /* to the new IP address for the translation. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_newmap(fin, nat, ni) |
| fr_info_t *fin; |
| nat_t *nat; |
| natinfo_t *ni; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_short st_port, dport, sport, port, sp, dp; |
| i6addr_t in, st_ip; |
| hostmap_t *hm; |
| u_32_t flags; |
| ipnat_t *np; |
| nat_t *natl; |
| int l; |
| |
| /* |
| * If it's an outbound packet which doesn't match any existing |
| * record, then create a new port |
| */ |
| l = 0; |
| hm = NULL; |
| np = ni->nai_np; |
| st_ip = np->in_snip6; |
| st_port = np->in_spnext; |
| flags = nat->nat_flags; |
| |
| if (flags & IPN_ICMPQUERY) { |
| sport = fin->fin_data[1]; |
| dport = 0; |
| } else { |
| sport = htons(fin->fin_data[0]); |
| dport = htons(fin->fin_data[1]); |
| } |
| |
| /* |
| * Do a loop until we either run out of entries to try or we find |
| * a NAT mapping that isn't currently being used. This is done |
| * because the change to the source is not (usually) being fixed. |
| */ |
| do { |
| port = 0; |
| in = np->in_nsrc.na_nextaddr; |
| if (l == 0) { |
| /* |
| * Check to see if there is an existing NAT |
| * setup for this IP address pair. |
| */ |
| hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6, |
| &fin->fin_dst6, &in, 0); |
| if (hm != NULL) |
| in = hm->hm_nsrcip6; |
| } else if ((l == 1) && (hm != NULL)) { |
| ipf_nat_hostmapdel(&hm); |
| } |
| |
| nat->nat_hm = hm; |
| |
| if (IP6_ISONES(&np->in_nsrcmsk6) && (np->in_spnext == 0)) { |
| if (l > 0) { |
| NINCLSIDE6(1, ns_exhausted); |
| return -1; |
| } |
| } |
| |
| if ((np->in_redir == NAT_BIMAP) && |
| IP6_EQ(&np->in_osrcmsk6, &np->in_nsrcmsk6)) { |
| i6addr_t temp; |
| /* |
| * map the address block in a 1:1 fashion |
| */ |
| temp.i6[0] = fin->fin_src6.i6[0] & |
| ~np->in_osrcmsk6.i6[0]; |
| temp.i6[1] = fin->fin_src6.i6[1] & |
| ~np->in_osrcmsk6.i6[1]; |
| temp.i6[2] = fin->fin_src6.i6[2] & |
| ~np->in_osrcmsk6.i6[0]; |
| temp.i6[3] = fin->fin_src6.i6[3] & |
| ~np->in_osrcmsk6.i6[3]; |
| in = np->in_nsrcip6; |
| IP6_MERGE(&in, &temp, &np->in_osrc); |
| |
| #ifdef NEED_128BIT_MATH |
| } else if (np->in_redir & NAT_MAPBLK) { |
| if ((l >= np->in_ppip) || ((l > 0) && |
| !(flags & IPN_TCPUDP))) { |
| NINCLSIDE6(1, ns_exhausted); |
| return -1; |
| } |
| /* |
| * map-block - Calculate destination address. |
| */ |
| IP6_MASK(&in, &fin->fin_src6, &np->in_osrcmsk6); |
| in = ntohl(in); |
| inb = in; |
| in.s_addr /= np->in_ippip; |
| in.s_addr &= ntohl(~np->in_nsrcmsk6); |
| in.s_addr += ntohl(np->in_nsrcaddr6); |
| /* |
| * Calculate destination port. |
| */ |
| if ((flags & IPN_TCPUDP) && |
| (np->in_ppip != 0)) { |
| port = ntohs(sport) + l; |
| port %= np->in_ppip; |
| port += np->in_ppip * |
| (inb.s_addr % np->in_ippip); |
| port += MAPBLK_MINPORT; |
| port = htons(port); |
| } |
| #endif |
| |
| } else if (IP6_ISZERO(&np->in_nsrcaddr) && |
| IP6_ISONES(&np->in_nsrcmsk)) { |
| /* |
| * 0/32 - use the interface's IP address. |
| */ |
| if ((l > 0) || |
| ipf_ifpaddr(softc, 6, FRI_NORMAL, fin->fin_ifp, |
| &in, NULL) == -1) { |
| NINCLSIDE6(1, ns_new_ifpaddr); |
| return -1; |
| } |
| |
| } else if (IP6_ISZERO(&np->in_nsrcip6) && |
| IP6_ISZERO(&np->in_nsrcmsk6)) { |
| /* |
| * 0/0 - use the original source address/port. |
| */ |
| if (l > 0) { |
| NINCLSIDE6(1, ns_exhausted); |
| return -1; |
| } |
| in = fin->fin_src6; |
| |
| } else if (!IP6_ISONES(&np->in_nsrcmsk6) && |
| (np->in_spnext == 0) && ((l > 0) || (hm == NULL))) { |
| IP6_INC(&np->in_snip6); |
| } |
| |
| natl = NULL; |
| |
| if ((flags & IPN_TCPUDP) && |
| ((np->in_redir & NAT_MAPBLK) == 0) && |
| (np->in_flags & IPN_AUTOPORTMAP)) { |
| #ifdef NEED_128BIT_MATH |
| /* |
| * "ports auto" (without map-block) |
| */ |
| if ((l > 0) && (l % np->in_ppip == 0)) { |
| if ((l > np->in_ppip) && |
| !IP6_ISONES(&np->in_nsrcmsk)) { |
| IP6_INC(&np->in_snip6) |
| } |
| } |
| if (np->in_ppip != 0) { |
| port = ntohs(sport); |
| port += (l % np->in_ppip); |
| port %= np->in_ppip; |
| port += np->in_ppip * |
| (ntohl(fin->fin_src6) % |
| np->in_ippip); |
| port += MAPBLK_MINPORT; |
| port = htons(port); |
| } |
| #endif |
| |
| } else if (((np->in_redir & NAT_MAPBLK) == 0) && |
| (flags & IPN_TCPUDPICMP) && (np->in_spnext != 0)) { |
| /* |
| * Standard port translation. Select next port. |
| */ |
| port = htons(np->in_spnext++); |
| |
| if (np->in_spnext > np->in_spmax) { |
| np->in_spnext = np->in_spmin; |
| if (!IP6_ISONES(&np->in_nsrcmsk6)) { |
| IP6_INC(&np->in_snip6); |
| } |
| } |
| } |
| |
| if (np->in_flags & IPN_SIPRANGE) { |
| if (IP6_GT(&np->in_snip, &np->in_nsrcmsk)) |
| np->in_snip6 = np->in_nsrcip6; |
| } else { |
| i6addr_t a1, a2; |
| |
| a1 = np->in_snip6; |
| IP6_INC(&a1); |
| IP6_AND(&a1, &np->in_nsrcmsk6, &a2); |
| |
| if (!IP6_ISONES(&np->in_nsrcmsk6) && |
| IP6_GT(&a2, &np->in_nsrcip6)) { |
| IP6_ADD(&np->in_nsrcip6, 1, &np->in_snip6); |
| } |
| } |
| |
| if ((port == 0) && (flags & (IPN_TCPUDPICMP|IPN_ICMPQUERY))) |
| port = sport; |
| |
| /* |
| * Here we do a lookup of the connection as seen from |
| * the outside. If an IP# pair already exists, try |
| * again. So if you have A->B becomes C->B, you can |
| * also have D->E become C->E but not D->B causing |
| * another C->B. Also take protocol and ports into |
| * account when determining whether a pre-existing |
| * NAT setup will cause an external conflict where |
| * this is appropriate. |
| */ |
| sp = fin->fin_data[0]; |
| dp = fin->fin_data[1]; |
| fin->fin_data[0] = fin->fin_data[1]; |
| fin->fin_data[1] = ntohs(port); |
| natl = ipf_nat6_inlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH), |
| (u_int)fin->fin_p, &fin->fin_dst6.in6, |
| &in.in6); |
| fin->fin_data[0] = sp; |
| fin->fin_data[1] = dp; |
| |
| /* |
| * Has the search wrapped around and come back to the |
| * start ? |
| */ |
| if ((natl != NULL) && |
| (np->in_spnext != 0) && (st_port == np->in_spnext) && |
| (!IP6_ISZERO(&np->in_snip6) && |
| IP6_EQ(&st_ip, &np->in_snip6))) { |
| NINCLSIDE6(1, ns_wrap); |
| return -1; |
| } |
| l++; |
| } while (natl != NULL); |
| |
| /* Setup the NAT table */ |
| nat->nat_osrc6 = fin->fin_src6; |
| nat->nat_nsrc6 = in; |
| nat->nat_odst6 = fin->fin_dst6; |
| nat->nat_ndst6 = fin->fin_dst6; |
| if (nat->nat_hm == NULL) |
| nat->nat_hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6, |
| &fin->fin_dst6, |
| &nat->nat_nsrc6, 0); |
| |
| if (flags & IPN_TCPUDP) { |
| nat->nat_osport = sport; |
| nat->nat_nsport = port; /* sport */ |
| nat->nat_odport = dport; |
| nat->nat_ndport = dport; |
| ((tcphdr_t *)fin->fin_dp)->th_sport = port; |
| } else if (flags & IPN_ICMPQUERY) { |
| nat->nat_oicmpid = fin->fin_data[1]; |
| ((struct icmp6_hdr *)fin->fin_dp)->icmp6_id = port; |
| nat->nat_nicmpid = port; |
| } |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_newrdr */ |
| /* Returns: int - -1 == error, 0 == success (no move), 1 == success and */ |
| /* allow rule to be moved if IPN_ROUNDR is set. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT entry */ |
| /* ni(I) - pointer to structure with misc. information needed */ |
| /* to create new NAT entry. */ |
| /* */ |
| /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/ |
| /* to the new IP address for the translation. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_newrdr(fin, nat, ni) |
| fr_info_t *fin; |
| nat_t *nat; |
| natinfo_t *ni; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_short nport, dport, sport; |
| u_short sp, dp; |
| hostmap_t *hm; |
| u_32_t flags; |
| i6addr_t in; |
| ipnat_t *np; |
| nat_t *natl; |
| int move; |
| |
| move = 1; |
| hm = NULL; |
| in.i6[0] = 0; |
| in.i6[1] = 0; |
| in.i6[2] = 0; |
| in.i6[3] = 0; |
| np = ni->nai_np; |
| flags = nat->nat_flags; |
| |
| if (flags & IPN_ICMPQUERY) { |
| dport = fin->fin_data[1]; |
| sport = 0; |
| } else { |
| sport = htons(fin->fin_data[0]); |
| dport = htons(fin->fin_data[1]); |
| } |
| |
| /* TRACE sport, dport */ |
| |
| |
| /* |
| * If the matching rule has IPN_STICKY set, then we want to have the |
| * same rule kick in as before. Why would this happen? If you have |
| * a collection of rdr rules with "round-robin sticky", the current |
| * packet might match a different one to the previous connection but |
| * we want the same destination to be used. |
| */ |
| if (((np->in_flags & (IPN_ROUNDR|IPN_SPLIT)) != 0) && |
| ((np->in_flags & IPN_STICKY) != 0)) { |
| hm = ipf_nat6_hostmap(softn, NULL, &fin->fin_src6, |
| &fin->fin_dst6, &in, (u_32_t)dport); |
| if (hm != NULL) { |
| in = hm->hm_ndstip6; |
| np = hm->hm_ipnat; |
| ni->nai_np = np; |
| move = 0; |
| } |
| } |
| |
| /* |
| * Otherwise, it's an inbound packet. Most likely, we don't |
| * want to rewrite source ports and source addresses. Instead, |
| * we want to rewrite to a fixed internal address and fixed |
| * internal port. |
| */ |
| if (np->in_flags & IPN_SPLIT) { |
| in = np->in_dnip6; |
| |
| if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) { |
| hm = ipf_nat6_hostmap(softn, NULL, &fin->fin_src6, |
| &fin->fin_dst6, &in, |
| (u_32_t)dport); |
| if (hm != NULL) { |
| in = hm->hm_ndstip6; |
| move = 0; |
| } |
| } |
| |
| if (hm == NULL || hm->hm_ref == 1) { |
| if (IP6_EQ(&np->in_ndstip6, &in)) { |
| np->in_dnip6 = np->in_ndstmsk6; |
| move = 0; |
| } else { |
| np->in_dnip6 = np->in_ndstip6; |
| } |
| } |
| |
| } else if (IP6_ISZERO(&np->in_ndstaddr) && |
| IP6_ISONES(&np->in_ndstmsk)) { |
| /* |
| * 0/32 - use the interface's IP address. |
| */ |
| if (ipf_ifpaddr(softc, 6, FRI_NORMAL, fin->fin_ifp, |
| &in, NULL) == -1) { |
| NINCLSIDE6(0, ns_new_ifpaddr); |
| return -1; |
| } |
| |
| } else if (IP6_ISZERO(&np->in_ndstip6) && |
| IP6_ISZERO(&np->in_ndstmsk6)) { |
| /* |
| * 0/0 - use the original destination address/port. |
| */ |
| in = fin->fin_dst6; |
| |
| } else if (np->in_redir == NAT_BIMAP && |
| IP6_EQ(&np->in_ndstmsk6, &np->in_odstmsk6)) { |
| i6addr_t temp; |
| /* |
| * map the address block in a 1:1 fashion |
| */ |
| temp.i6[0] = fin->fin_dst6.i6[0] & ~np->in_osrcmsk6.i6[0]; |
| temp.i6[1] = fin->fin_dst6.i6[1] & ~np->in_osrcmsk6.i6[1]; |
| temp.i6[2] = fin->fin_dst6.i6[2] & ~np->in_osrcmsk6.i6[0]; |
| temp.i6[3] = fin->fin_dst6.i6[3] & ~np->in_osrcmsk6.i6[3]; |
| in = np->in_ndstip6; |
| IP6_MERGE(&in, &temp, &np->in_ndstmsk6); |
| } else { |
| in = np->in_ndstip6; |
| } |
| |
| if ((np->in_dpnext == 0) || ((flags & NAT_NOTRULEPORT) != 0)) |
| nport = dport; |
| else { |
| /* |
| * Whilst not optimized for the case where |
| * pmin == pmax, the gain is not significant. |
| */ |
| if (((np->in_flags & IPN_FIXEDDPORT) == 0) && |
| (np->in_odport != np->in_dtop)) { |
| nport = ntohs(dport) - np->in_odport + np->in_dpmax; |
| nport = htons(nport); |
| } else { |
| nport = htons(np->in_dpnext); |
| np->in_dpnext++; |
| if (np->in_dpnext > np->in_dpmax) |
| np->in_dpnext = np->in_dpmin; |
| } |
| } |
| |
| /* |
| * When the redirect-to address is set to 0.0.0.0, just |
| * assume a blank `forwarding' of the packet. We don't |
| * setup any translation for this either. |
| */ |
| if (IP6_ISZERO(&in)) { |
| if (nport == dport) { |
| NINCLSIDE6(0, ns_xlate_null); |
| return -1; |
| } |
| in = fin->fin_dst6; |
| } |
| |
| /* |
| * Check to see if this redirect mapping already exists and if |
| * it does, return "failure" (allowing it to be created will just |
| * cause one or both of these "connections" to stop working.) |
| */ |
| sp = fin->fin_data[0]; |
| dp = fin->fin_data[1]; |
| fin->fin_data[1] = fin->fin_data[0]; |
| fin->fin_data[0] = ntohs(nport); |
| natl = ipf_nat6_outlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH), |
| (u_int)fin->fin_p, &in.in6, |
| &fin->fin_src6.in6); |
| fin->fin_data[0] = sp; |
| fin->fin_data[1] = dp; |
| if (natl != NULL) { |
| NINCLSIDE6(0, ns_xlate_exists); |
| return -1; |
| } |
| |
| nat->nat_ndst6 = in; |
| nat->nat_odst6 = fin->fin_dst6; |
| nat->nat_nsrc6 = fin->fin_src6; |
| nat->nat_osrc6 = fin->fin_src6; |
| if ((nat->nat_hm == NULL) && ((np->in_flags & IPN_STICKY) != 0)) |
| nat->nat_hm = ipf_nat6_hostmap(softn, np, &fin->fin_src6, |
| &fin->fin_dst6, &in, |
| (u_32_t)dport); |
| |
| if (flags & IPN_TCPUDP) { |
| nat->nat_odport = dport; |
| nat->nat_ndport = nport; |
| nat->nat_osport = sport; |
| nat->nat_nsport = sport; |
| ((tcphdr_t *)fin->fin_dp)->th_dport = nport; |
| } else if (flags & IPN_ICMPQUERY) { |
| nat->nat_oicmpid = fin->fin_data[1]; |
| ((struct icmp6_hdr *)fin->fin_dp)->icmp6_id = nport; |
| nat->nat_nicmpid = nport; |
| } |
| |
| return move; |
| } |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_add */ |
| /* Returns: nat6_t* - NULL == failure to create new NAT structure, */ |
| /* else pointer to new NAT structure */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* np(I) - pointer to NAT rule */ |
| /* natsave(I) - pointer to where to store NAT struct pointer */ |
| /* flags(I) - flags describing the current packet */ |
| /* direction(I) - direction of packet (in/out) */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* Attempts to create a new NAT entry. Does not actually change the packet */ |
| /* in any way. */ |
| /* */ |
| /* This fucntion is in three main parts: (1) deal with creating a new NAT */ |
| /* structure for a "MAP" rule (outgoing NAT translation); (2) deal with */ |
| /* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */ |
| /* and (3) building that structure and putting it into the NAT table(s). */ |
| /* */ |
| /* NOTE: natsave should NOT be used top point back to an ipstate_t struct */ |
| /* as it can result in memory being corrupted. */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_add(fin, np, natsave, flags, direction) |
| fr_info_t *fin; |
| ipnat_t *np; |
| nat_t **natsave; |
| u_int flags; |
| int direction; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| hostmap_t *hm = NULL; |
| nat_t *nat, *natl; |
| u_int nflags; |
| natinfo_t ni; |
| int move; |
| #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_M_CTL_MAGIC) |
| qpktinfo_t *qpi = fin->fin_qpi; |
| #endif |
| |
| if ((softn->ipf_nat_stats.ns_active * 100 / softn->ipf_nat_table_max) > |
| softn->ipf_nat_table_wm_high) { |
| softn->ipf_nat_doflush = 1; |
| } |
| |
| if (softn->ipf_nat_stats.ns_active >= softn->ipf_nat_table_max) { |
| NBUMPSIDE6(fin->fin_out, ns_table_max); |
| return NULL; |
| } |
| |
| move = 1; |
| nflags = np->in_flags & flags; |
| nflags &= NAT_FROMRULE; |
| |
| ni.nai_np = np; |
| ni.nai_dport = 0; |
| ni.nai_sport = 0; |
| |
| /* Give me a new nat */ |
| KMALLOC(nat, nat_t *); |
| if (nat == NULL) { |
| NBUMPSIDE6(fin->fin_out, ns_memfail); |
| /* |
| * Try to automatically tune the max # of entries in the |
| * table allowed to be less than what will cause kmem_alloc() |
| * to fail and try to eliminate panics due to out of memory |
| * conditions arising. |
| */ |
| if ((softn->ipf_nat_table_max > softn->ipf_nat_table_sz) && |
| (softn->ipf_nat_stats.ns_active > 100)) { |
| softn->ipf_nat_table_max = |
| softn->ipf_nat_stats.ns_active - 100; |
| printf("table_max reduced to %d\n", |
| softn->ipf_nat_table_max); |
| } |
| return NULL; |
| } |
| |
| if (flags & IPN_ICMPQUERY) { |
| /* |
| * In the ICMP query NAT code, we translate the ICMP id fields |
| * to make them unique. This is indepedent of the ICMP type |
| * (e.g. in the unlikely event that a host sends an echo and |
| * an tstamp request with the same id, both packets will have |
| * their ip address/id field changed in the same way). |
| */ |
| /* The icmp6_id field is used by the sender to identify the |
| * process making the icmp request. (the receiver justs |
| * copies it back in its response). So, it closely matches |
| * the concept of source port. We overlay sport, so we can |
| * maximally reuse the existing code. |
| */ |
| ni.nai_sport = fin->fin_data[1]; |
| ni.nai_dport = 0; |
| } |
| |
| bzero((char *)nat, sizeof(*nat)); |
| nat->nat_flags = flags; |
| nat->nat_redir = np->in_redir; |
| nat->nat_dir = direction; |
| nat->nat_pr[0] = fin->fin_p; |
| nat->nat_pr[1] = fin->fin_p; |
| |
| if ((flags & NAT_SLAVE) == 0) { |
| MUTEX_ENTER(&softn->ipf_nat_new); |
| } |
| |
| /* |
| * Search the current table for a match and create a new mapping |
| * if there is none found. |
| */ |
| if (np->in_redir & (NAT_ENCAP|NAT_DIVERTUDP)) { |
| move = ipf_nat6_newdivert(fin, nat, &ni); |
| |
| } else if (np->in_redir & NAT_REWRITE) { |
| move = ipf_nat6_newrewrite(fin, nat, &ni); |
| |
| } else if (direction == NAT_OUTBOUND) { |
| /* |
| * We can now arrange to call this for the same connection |
| * because ipf_nat6_new doesn't protect the code path into |
| * this function. |
| */ |
| natl = ipf_nat6_outlookup(fin, nflags, (u_int)fin->fin_p, |
| &fin->fin_src6.in6, |
| &fin->fin_dst6.in6); |
| if (natl != NULL) { |
| KFREE(nat); |
| nat = natl; |
| goto done; |
| } |
| |
| move = ipf_nat6_newmap(fin, nat, &ni); |
| } else { |
| /* |
| * NAT_INBOUND is used for redirects rules |
| */ |
| natl = ipf_nat6_inlookup(fin, nflags, (u_int)fin->fin_p, |
| &fin->fin_src6.in6, |
| &fin->fin_dst6.in6); |
| if (natl != NULL) { |
| KFREE(nat); |
| nat = natl; |
| goto done; |
| } |
| |
| move = ipf_nat6_newrdr(fin, nat, &ni); |
| } |
| if (move == -1) |
| goto badnat; |
| |
| np = ni.nai_np; |
| |
| nat->nat_mssclamp = np->in_mssclamp; |
| nat->nat_me = natsave; |
| nat->nat_fr = fin->fin_fr; |
| nat->nat_rev = fin->fin_rev; |
| nat->nat_ptr = np; |
| |
| #ifdef IPF_V6_PROXIES |
| if ((np->in_apr != NULL) && ((nat->nat_flags & NAT_SLAVE) == 0)) |
| if (appr_new(fin, nat) == -1) |
| goto badnat; |
| #endif |
| |
| nat->nat_ifps[0] = np->in_ifps[0]; |
| if (np->in_ifps[0] != NULL) { |
| COPYIFNAME(np->in_v[0], np->in_ifps[0], nat->nat_ifnames[0]); |
| } |
| |
| nat->nat_ifps[1] = np->in_ifps[1]; |
| if (np->in_ifps[1] != NULL) { |
| COPYIFNAME(np->in_v[1], np->in_ifps[1], nat->nat_ifnames[1]); |
| } |
| |
| if (ipf_nat6_finalise(fin, nat) == -1) { |
| goto badnat; |
| } |
| |
| np->in_use++; |
| |
| if ((move == 1) && (np->in_flags & IPN_ROUNDR)) { |
| if ((np->in_redir & (NAT_REDIRECT|NAT_MAP)) == NAT_REDIRECT) { |
| ipf_nat_delrdr(np); |
| ipf_nat6_addrdr(softn, np); |
| } else if ((np->in_redir & (NAT_REDIRECT|NAT_MAP)) == NAT_MAP) { |
| ipf_nat_delmap(np); |
| ipf_nat6_addmap(softn, np); |
| } |
| } |
| |
| if (flags & SI_WILDP) |
| softn->ipf_nat_stats.ns_wilds++; |
| softn->ipf_nat_stats.ns_proto[nat->nat_pr[0]]++; |
| |
| goto done; |
| badnat: |
| NBUMPSIDE6(fin->fin_out, ns_badnatnew); |
| if ((hm = nat->nat_hm) != NULL) |
| ipf_nat_hostmapdel(&hm); |
| KFREE(nat); |
| nat = NULL; |
| done: |
| if ((flags & NAT_SLAVE) == 0) { |
| MUTEX_EXIT(&softn->ipf_nat_new); |
| } |
| return nat; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_finalise */ |
| /* Returns: int - 0 == sucess, -1 == failure */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT entry */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* This is the tail end of constructing a new NAT entry and is the same */ |
| /* for both IPv4 and IPv6. */ |
| /* ------------------------------------------------------------------------ */ |
| /*ARGSUSED*/ |
| int |
| ipf_nat6_finalise(fin, nat) |
| fr_info_t *fin; |
| nat_t *nat; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_32_t sum1, sum2, sumd; |
| frentry_t *fr; |
| u_32_t flags; |
| |
| flags = nat->nat_flags; |
| |
| switch (fin->fin_p) |
| { |
| case IPPROTO_ICMPV6 : |
| sum1 = LONG_SUM(ntohs(nat->nat_osport)); |
| sum2 = LONG_SUM(ntohs(nat->nat_nsport)); |
| CALC_SUMD(sum1, sum2, sumd); |
| nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16); |
| |
| break; |
| |
| default : |
| sum1 = LONG_SUM6(&nat->nat_osrc6); |
| sum1 += ntohs(nat->nat_osport); |
| sum2 = LONG_SUM6(&nat->nat_nsrc6); |
| sum2 += ntohs(nat->nat_nsport); |
| CALC_SUMD(sum1, sum2, sumd); |
| nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16); |
| |
| sum1 = LONG_SUM6(&nat->nat_odst6); |
| sum1 += ntohs(nat->nat_odport); |
| sum2 = LONG_SUM6(&nat->nat_ndst6); |
| sum2 += ntohs(nat->nat_ndport); |
| CALC_SUMD(sum1, sum2, sumd); |
| nat->nat_sumd[0] += (sumd & 0xffff) + (sumd >> 16); |
| break; |
| } |
| |
| nat->nat_sumd[1] = nat->nat_sumd[0]; |
| |
| #ifdef IPFILTER_SYNC |
| if ((nat->nat_flags & SI_CLONE) == 0) |
| nat->nat_sync = ipf_sync_new(softc, SMC_NAT, fin, nat); |
| #endif |
| |
| if ((nat->nat_ifps[0] != NULL) && (nat->nat_ifps[0] != (void *)-1)) { |
| nat->nat_mtu[0] = GETIFMTU_6(nat->nat_ifps[0]); |
| } |
| |
| if ((nat->nat_ifps[1] != NULL) && (nat->nat_ifps[1] != (void *)-1)) { |
| nat->nat_mtu[1] = GETIFMTU_6(nat->nat_ifps[1]); |
| } |
| |
| nat->nat_v[0] = 6; |
| nat->nat_v[1] = 6; |
| |
| if (ipf_nat6_insert(softc, softn, nat) == 0) { |
| if (softn->ipf_nat_logging) |
| ipf_nat_log(softc, softn, nat, NL_NEW); |
| fr = nat->nat_fr; |
| if (fr != NULL) { |
| MUTEX_ENTER(&fr->fr_lock); |
| fr->fr_ref++; |
| MUTEX_EXIT(&fr->fr_lock); |
| } |
| return 0; |
| } |
| |
| NINCLSIDE6(fin->fin_out, ns_unfinalised); |
| /* |
| * nat6_insert failed, so cleanup time... |
| */ |
| return -1; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_insert */ |
| /* Returns: int - 0 == sucess, -1 == failure */ |
| /* Parameters: nat(I) - pointer to NAT structure */ |
| /* rev(I) - flag indicating forward/reverse direction of packet */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* Insert a NAT entry into the hash tables for searching and add it to the */ |
| /* list of active NAT entries. Adjust global counters when complete. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_insert(softc, softn, nat) |
| ipf_main_softc_t *softc; |
| ipf_nat_softc_t *softn; |
| nat_t *nat; |
| { |
| u_int hv1, hv2; |
| nat_t **natp; |
| |
| /* |
| * Try and return an error as early as possible, so calculate the hash |
| * entry numbers first and then proceed. |
| */ |
| if ((nat->nat_flags & (SI_W_SPORT|SI_W_DPORT)) == 0) { |
| hv1 = NAT_HASH_FN6(&nat->nat_osrc6, nat->nat_osport, |
| 0xffffffff); |
| hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1 + nat->nat_odport, |
| softn->ipf_nat_table_sz); |
| |
| /* |
| * TRACE nat6_osrc6, nat6_osport, nat6_odst6, |
| * nat6_odport, hv1 |
| */ |
| |
| hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, nat->nat_nsport, |
| 0xffffffff); |
| hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2 + nat->nat_ndport, |
| softn->ipf_nat_table_sz); |
| /* |
| * TRACE nat6_nsrcaddr, nat6_nsport, nat6_ndstaddr, |
| * nat6_ndport, hv1 |
| */ |
| } else { |
| hv1 = NAT_HASH_FN6(&nat->nat_osrc6, 0, 0xffffffff); |
| hv1 = NAT_HASH_FN6(&nat->nat_odst6, hv1, |
| softn->ipf_nat_table_sz); |
| /* TRACE nat6_osrcip6, nat6_odstip6, hv1 */ |
| |
| hv2 = NAT_HASH_FN6(&nat->nat_nsrc6, 0, 0xffffffff); |
| hv2 = NAT_HASH_FN6(&nat->nat_ndst6, hv2, |
| softn->ipf_nat_table_sz); |
| /* TRACE nat6_nsrcip6, nat6_ndstip6, hv2 */ |
| } |
| |
| if (softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1] >= |
| softn->ipf_nat_maxbucket) { |
| NINCLSIDE6(0, ns_bucket_max); |
| return -1; |
| } |
| |
| if (softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2] >= |
| softn->ipf_nat_maxbucket) { |
| NINCLSIDE6(1, ns_bucket_max); |
| return -1; |
| } |
| if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || |
| nat->nat_dir == NAT_DIVERTIN) { |
| u_int swap; |
| |
| swap = hv2; |
| hv2 = hv1; |
| hv1 = swap; |
| } |
| nat->nat_hv[0] = hv1; |
| nat->nat_hv[1] = hv2; |
| |
| MUTEX_INIT(&nat->nat_lock, "nat entry lock"); |
| |
| nat->nat_ref = 1; |
| nat->nat_bytes[0] = 0; |
| nat->nat_pkts[0] = 0; |
| nat->nat_bytes[1] = 0; |
| nat->nat_pkts[1] = 0; |
| |
| nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; |
| nat->nat_ifps[0] = ipf_resolvenic(softc, nat->nat_ifnames[0], |
| nat->nat_v[0]); |
| |
| if (nat->nat_ifnames[1][0] != '\0') { |
| nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; |
| nat->nat_ifps[1] = ipf_resolvenic(softc, nat->nat_ifnames[1], |
| nat->nat_v[1]); |
| } else { |
| ipnat_t *in = nat->nat_ptr; |
| |
| if (in->in_ifnames[1][1] != '\0' && |
| in->in_ifnames[1][0] != '-' && |
| in->in_ifnames[1][0] != '*') { |
| (void) strncpy(nat->nat_ifnames[1], |
| nat->nat_ifnames[0], LIFNAMSIZ); |
| nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; |
| nat->nat_ifps[1] = nat->nat_ifps[0]; |
| } |
| } |
| if ((nat->nat_ifps[0] != NULL) && (nat->nat_ifps[0] != (void *)-1)) { |
| nat->nat_mtu[0] = GETIFMTU_6(nat->nat_ifps[0]); |
| } |
| if ((nat->nat_ifps[1] != NULL) && (nat->nat_ifps[1] != (void *)-1)) { |
| nat->nat_mtu[1] = GETIFMTU_6(nat->nat_ifps[1]); |
| } |
| |
| nat->nat_next = softn->ipf_nat_instances; |
| nat->nat_pnext = &softn->ipf_nat_instances; |
| if (softn->ipf_nat_instances) |
| softn->ipf_nat_instances->nat_pnext = &nat->nat_next; |
| softn->ipf_nat_instances = nat; |
| |
| natp = &softn->ipf_nat_table[0][hv1]; |
| if (*natp) |
| (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; |
| else |
| NBUMPSIDE6(0, ns_inuse); |
| nat->nat_phnext[0] = natp; |
| nat->nat_hnext[0] = *natp; |
| *natp = nat; |
| softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv1]++; |
| |
| natp = &softn->ipf_nat_table[1][hv2]; |
| if (*natp) |
| (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; |
| else |
| NBUMPSIDE6(1, ns_inuse); |
| nat->nat_phnext[1] = natp; |
| nat->nat_hnext[1] = *natp; |
| *natp = nat; |
| softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv2]++; |
| |
| ipf_nat_setqueue(softc, softn, nat); |
| |
| softn->ipf_nat_stats.ns_side[1].ns_added++; |
| softn->ipf_nat_stats.ns_active++; |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_icmperrorlookup */ |
| /* Returns: nat6_t* - point to matching NAT structure */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* dir(I) - direction of packet (in/out) */ |
| /* */ |
| /* Check if the ICMP error message is related to an existing TCP, UDP or */ |
| /* ICMP query nat entry. It is assumed that the packet is already of the */ |
| /* the required length. */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_icmperrorlookup(fin, dir) |
| fr_info_t *fin; |
| int dir; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| struct icmp6_hdr *icmp6, *orgicmp; |
| int flags = 0, type, minlen; |
| nat_stat_side_t *nside; |
| tcphdr_t *tcp = NULL; |
| u_short data[2]; |
| ip6_t *oip6; |
| nat_t *nat; |
| u_int p; |
| |
| minlen = 40; |
| icmp6 = fin->fin_dp; |
| type = icmp6->icmp6_type; |
| nside = &softn->ipf_nat_stats.ns_side6[fin->fin_out]; |
| /* |
| * Does it at least have the return (basic) IP header ? |
| * Only a basic IP header (no options) should be with an ICMP error |
| * header. Also, if it's not an error type, then return. |
| */ |
| if (!(fin->fin_flx & FI_ICMPERR)) { |
| ATOMIC_INCL(nside->ns_icmp_basic); |
| return NULL; |
| } |
| |
| /* |
| * Check packet size |
| */ |
| if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) { |
| ATOMIC_INCL(nside->ns_icmp_size); |
| return NULL; |
| } |
| oip6 = (ip6_t *)((char *)fin->fin_dp + 8); |
| |
| /* |
| * Is the buffer big enough for all of it ? It's the size of the IP |
| * header claimed in the encapsulated part which is of concern. It |
| * may be too big to be in this buffer but not so big that it's |
| * outside the ICMP packet, leading to TCP deref's causing problems. |
| * This is possible because we don't know how big oip_hl is when we |
| * do the pullup early in ipf_check() and thus can't gaurantee it is |
| * all here now. |
| */ |
| #ifdef ipf_nat6_KERNEL |
| { |
| mb_t *m; |
| |
| m = fin->fin_m; |
| # if defined(MENTAT) |
| if ((char *)oip6 + fin->fin_dlen - ICMPERR_ICMPHLEN > |
| (char *)m->b_wptr) { |
| ATOMIC_INCL(nside->ns_icmp_mbuf); |
| return NULL; |
| } |
| # else |
| if ((char *)oip6 + fin->fin_dlen - ICMPERR_ICMPHLEN > |
| (char *)fin->fin_ip + M_LEN(m)) { |
| ATOMIC_INCL(nside->ns_icmp_mbuf); |
| return NULL; |
| } |
| # endif |
| } |
| #endif |
| |
| if (IP6_NEQ(&fin->fin_dst6, &oip6->ip6_src)) { |
| ATOMIC_INCL(nside->ns_icmp_address); |
| return NULL; |
| } |
| |
| p = oip6->ip6_nxt; |
| if (p == IPPROTO_TCP) |
| flags = IPN_TCP; |
| else if (p == IPPROTO_UDP) |
| flags = IPN_UDP; |
| else if (p == IPPROTO_ICMPV6) { |
| orgicmp = (struct icmp6_hdr *)(oip6 + 1); |
| |
| /* see if this is related to an ICMP query */ |
| if (ipf_nat6_icmpquerytype(orgicmp->icmp6_type)) { |
| data[0] = fin->fin_data[0]; |
| data[1] = fin->fin_data[1]; |
| fin->fin_data[0] = 0; |
| fin->fin_data[1] = orgicmp->icmp6_id; |
| |
| flags = IPN_ICMPERR|IPN_ICMPQUERY; |
| /* |
| * NOTE : dir refers to the direction of the original |
| * ip packet. By definition the icmp error |
| * message flows in the opposite direction. |
| */ |
| if (dir == NAT_INBOUND) |
| nat = ipf_nat6_inlookup(fin, flags, p, |
| &oip6->ip6_dst, |
| &oip6->ip6_src); |
| else |
| nat = ipf_nat6_outlookup(fin, flags, p, |
| &oip6->ip6_dst, |
| &oip6->ip6_src); |
| fin->fin_data[0] = data[0]; |
| fin->fin_data[1] = data[1]; |
| return nat; |
| } |
| } |
| |
| if (flags & IPN_TCPUDP) { |
| minlen += 8; /* + 64bits of data to get ports */ |
| /* TRACE (fin,minlen) */ |
| if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen) { |
| ATOMIC_INCL(nside->ns_icmp_short); |
| return NULL; |
| } |
| |
| data[0] = fin->fin_data[0]; |
| data[1] = fin->fin_data[1]; |
| tcp = (tcphdr_t *)(oip6 + 1); |
| fin->fin_data[0] = ntohs(tcp->th_dport); |
| fin->fin_data[1] = ntohs(tcp->th_sport); |
| |
| if (dir == NAT_INBOUND) { |
| nat = ipf_nat6_inlookup(fin, flags, p, &oip6->ip6_dst, |
| &oip6->ip6_src); |
| } else { |
| nat = ipf_nat6_outlookup(fin, flags, p, &oip6->ip6_dst, |
| &oip6->ip6_src); |
| } |
| fin->fin_data[0] = data[0]; |
| fin->fin_data[1] = data[1]; |
| return nat; |
| } |
| if (dir == NAT_INBOUND) |
| nat = ipf_nat6_inlookup(fin, 0, p, &oip6->ip6_dst, |
| &oip6->ip6_src); |
| else |
| nat = ipf_nat6_outlookup(fin, 0, p, &oip6->ip6_dst, |
| &oip6->ip6_src); |
| |
| return nat; |
| } |
| |
| |
| /* result = ip1 - ip2 */ |
| u_32_t |
| ipf_nat6_ip6subtract(ip1, ip2) |
| i6addr_t *ip1, *ip2; |
| { |
| i6addr_t l1, l2, d; |
| u_short *s1, *s2, *ds; |
| u_32_t r; |
| int i, neg; |
| |
| neg = 0; |
| l1 = *ip1; |
| l2 = *ip2; |
| s1 = (u_short *)&l1; |
| s2 = (u_short *)&l2; |
| ds = (u_short *)&d; |
| |
| for (i = 7; i > 0; i--) { |
| if (s1[i] > s2[i]) { |
| ds[i] = s2[i] + 0x10000 - s1[i]; |
| s2[i - 1] += 0x10000; |
| } else { |
| ds[i] = s2[i] - s1[i]; |
| } |
| } |
| if (s2[0] > s1[0]) { |
| ds[0] = s2[0] + 0x10000 - s1[0]; |
| neg = 1; |
| } else { |
| ds[0] = s2[0] - s1[0]; |
| } |
| |
| for (i = 0, r = 0; i < 8; i++) { |
| r += ds[i]; |
| } |
| |
| return r; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_icmperror */ |
| /* Returns: nat6_t* - point to matching NAT structure */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nflags(I) - NAT flags for this packet */ |
| /* dir(I) - direction of packet (in/out) */ |
| /* */ |
| /* Fix up an ICMP packet which is an error message for an existing NAT */ |
| /* session. This will correct both packet header data and checksums. */ |
| /* */ |
| /* This should *ONLY* be used for incoming ICMP error packets to make sure */ |
| /* a NAT'd ICMP packet gets correctly recognised. */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_icmperror(fin, nflags, dir) |
| fr_info_t *fin; |
| u_int *nflags; |
| int dir; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_32_t sum1, sum2, sumd, sumd2; |
| i6addr_t a1, a2, a3, a4; |
| struct icmp6_hdr *icmp6; |
| int flags, dlen, odst; |
| u_short *csump; |
| tcphdr_t *tcp; |
| ip6_t *oip6; |
| nat_t *nat; |
| void *dp; |
| |
| if ((fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) { |
| NINCLSIDE6(fin->fin_out, ns_icmp_short); |
| return NULL; |
| } |
| |
| /* |
| * ipf_nat6_icmperrorlookup() will return NULL for `defective' packets. |
| */ |
| if ((fin->fin_v != 6) || !(nat = ipf_nat6_icmperrorlookup(fin, dir))) { |
| NINCLSIDE6(fin->fin_out, ns_icmp_notfound); |
| return NULL; |
| } |
| |
| if (nat->nat_dir == NAT_ENCAPIN || nat->nat_dir == NAT_ENCAPOUT) { |
| /* |
| * For ICMP replies to encapsulated packets, we need to |
| * rebuild the ICMP reply completely to match the original |
| * packet... |
| */ |
| if (ipf_nat6_rebuildencapicmp(fin, nat) == 0) |
| return nat; |
| NINCLSIDE6(fin->fin_out, ns_icmp_rebuild); |
| return NULL; |
| } |
| |
| tcp = NULL; |
| csump = NULL; |
| flags = 0; |
| sumd2 = 0; |
| *nflags = IPN_ICMPERR; |
| icmp6 = fin->fin_dp; |
| oip6 = (ip6_t *)((u_char *)icmp6 + sizeof(*icmp6)); |
| dp = (u_char *)oip6 + sizeof(*oip6); |
| if (oip6->ip6_nxt == IPPROTO_TCP) { |
| tcp = (tcphdr_t *)dp; |
| csump = (u_short *)&tcp->th_sum; |
| flags = IPN_TCP; |
| } else if (oip6->ip6_nxt == IPPROTO_UDP) { |
| udphdr_t *udp; |
| |
| udp = (udphdr_t *)dp; |
| tcp = (tcphdr_t *)dp; |
| csump = (u_short *)&udp->uh_sum; |
| flags = IPN_UDP; |
| } else if (oip6->ip6_nxt == IPPROTO_ICMPV6) |
| flags = IPN_ICMPQUERY; |
| dlen = fin->fin_plen - ((char *)dp - (char *)fin->fin_ip); |
| |
| /* |
| * Need to adjust ICMP header to include the real IP#'s and |
| * port #'s. Only apply a checksum change relative to the |
| * IP address change as it will be modified again in ipf_nat6_checkout |
| * for both address and port. Two checksum changes are |
| * necessary for the two header address changes. Be careful |
| * to only modify the checksum once for the port # and twice |
| * for the IP#. |
| */ |
| |
| /* |
| * Step 1 |
| * Fix the IP addresses in the offending IP packet. You also need |
| * to adjust the IP header checksum of that offending IP packet. |
| * |
| * Normally, you would expect that the ICMP checksum of the |
| * ICMP error message needs to be adjusted as well for the |
| * IP address change in oip. |
| * However, this is a NOP, because the ICMP checksum is |
| * calculated over the complete ICMP packet, which includes the |
| * changed oip IP addresses and oip6->ip6_sum. However, these |
| * two changes cancel each other out (if the delta for |
| * the IP address is x, then the delta for ip_sum is minus x), |
| * so no change in the icmp_cksum is necessary. |
| * |
| * Inbound ICMP |
| * ------------ |
| * MAP rule, SRC=a,DST=b -> SRC=c,DST=b |
| * - response to outgoing packet (a,b)=>(c,b) (OIP_SRC=c,OIP_DST=b) |
| * - OIP_SRC(c)=nat6_newsrcip, OIP_DST(b)=nat6_newdstip |
| *=> OIP_SRC(c)=nat6_oldsrcip, OIP_DST(b)=nat6_olddstip |
| * |
| * RDR rule, SRC=a,DST=b -> SRC=a,DST=c |
| * - response to outgoing packet (c,a)=>(b,a) (OIP_SRC=b,OIP_DST=a) |
| * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip |
| *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip |
| * |
| * REWRITE out rule, SRC=a,DST=b -> SRC=c,DST=d |
| * - response to outgoing packet (a,b)=>(c,d) (OIP_SRC=c,OIP_DST=d) |
| * - OIP_SRC(c)=nat6_newsrcip, OIP_DST(d)=nat6_newdstip |
| *=> OIP_SRC(c)=nat6_oldsrcip, OIP_DST(d)=nat6_olddstip |
| * |
| * REWRITE in rule, SRC=a,DST=b -> SRC=c,DST=d |
| * - response to outgoing packet (d,c)=>(b,a) (OIP_SRC=b,OIP_DST=a) |
| * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip |
| *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip |
| * |
| * Outbound ICMP |
| * ------------- |
| * MAP rule, SRC=a,DST=b -> SRC=c,DST=b |
| * - response to incoming packet (b,c)=>(b,a) (OIP_SRC=b,OIP_DST=a) |
| * - OIP_SRC(b)=nat6_olddstip, OIP_DST(a)=nat6_oldsrcip |
| *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip |
| * |
| * RDR rule, SRC=a,DST=b -> SRC=a,DST=c |
| * - response to incoming packet (a,b)=>(a,c) (OIP_SRC=a,OIP_DST=c) |
| * - OIP_SRC(a)=nat6_newsrcip, OIP_DST(c)=nat6_newdstip |
| *=> OIP_SRC(a)=nat6_oldsrcip, OIP_DST(c)=nat6_olddstip |
| * |
| * REWRITE out rule, SRC=a,DST=b -> SRC=c,DST=d |
| * - response to incoming packet (d,c)=>(b,a) (OIP_SRC=c,OIP_DST=d) |
| * - OIP_SRC(c)=nat6_olddstip, OIP_DST(d)=nat6_oldsrcip |
| *=> OIP_SRC(b)=nat6_newdstip, OIP_DST(a)=nat6_newsrcip |
| * |
| * REWRITE in rule, SRC=a,DST=b -> SRC=c,DST=d |
| * - response to incoming packet (a,b)=>(c,d) (OIP_SRC=b,OIP_DST=a) |
| * - OIP_SRC(b)=nat6_newsrcip, OIP_DST(a)=nat6_newdstip |
| *=> OIP_SRC(a)=nat6_oldsrcip, OIP_DST(c)=nat6_olddstip |
| */ |
| |
| if (((fin->fin_out == 0) && ((nat->nat_redir & NAT_MAP) != 0)) || |
| ((fin->fin_out == 1) && ((nat->nat_redir & NAT_REDIRECT) != 0))) { |
| a1 = nat->nat_osrc6; |
| a4.in6 = oip6->ip6_src; |
| a3 = nat->nat_odst6; |
| a2.in6 = oip6->ip6_dst; |
| oip6->ip6_src = a1.in6; |
| oip6->ip6_dst = a3.in6; |
| odst = 1; |
| } else { |
| a1 = nat->nat_ndst6; |
| a2.in6 = oip6->ip6_dst; |
| a3 = nat->nat_nsrc6; |
| a4.in6 = oip6->ip6_src; |
| oip6->ip6_dst = a3.in6; |
| oip6->ip6_src = a1.in6; |
| odst = 0; |
| } |
| |
| sumd = 0; |
| if (IP6_NEQ(&a3, &a2) || IP6_NEQ(&a1, &a4)) { |
| if (IP6_GT(&a3, &a2)) { |
| sumd = ipf_nat6_ip6subtract(&a2, &a3); |
| sumd--; |
| } else { |
| sumd = ipf_nat6_ip6subtract(&a2, &a3); |
| } |
| if (IP6_GT(&a1, &a4)) { |
| sumd += ipf_nat6_ip6subtract(&a4, &a1); |
| sumd--; |
| } else { |
| sumd += ipf_nat6_ip6subtract(&a4, &a1); |
| } |
| sumd = ~sumd; |
| } |
| |
| sumd2 = sumd; |
| sum1 = 0; |
| sum2 = 0; |
| |
| /* |
| * Fix UDP pseudo header checksum to compensate for the |
| * IP address change. |
| */ |
| if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) { |
| u_32_t sum3, sum4; |
| /* |
| * Step 2 : |
| * For offending TCP/UDP IP packets, translate the ports as |
| * well, based on the NAT specification. Of course such |
| * a change may be reflected in the ICMP checksum as well. |
| * |
| * Since the port fields are part of the TCP/UDP checksum |
| * of the offending IP packet, you need to adjust that checksum |
| * as well... except that the change in the port numbers should |
| * be offset by the checksum change. However, the TCP/UDP |
| * checksum will also need to change if there has been an |
| * IP address change. |
| */ |
| if (odst == 1) { |
| sum1 = ntohs(nat->nat_osport); |
| sum4 = ntohs(tcp->th_sport); |
| sum3 = ntohs(nat->nat_odport); |
| sum2 = ntohs(tcp->th_dport); |
| |
| tcp->th_sport = htons(sum1); |
| tcp->th_dport = htons(sum3); |
| } else { |
| sum1 = ntohs(nat->nat_ndport); |
| sum2 = ntohs(tcp->th_dport); |
| sum3 = ntohs(nat->nat_nsport); |
| sum4 = ntohs(tcp->th_sport); |
| |
| tcp->th_dport = htons(sum3); |
| tcp->th_sport = htons(sum1); |
| } |
| sumd += sum1 - sum4; |
| sumd += sum3 - sum2; |
| |
| if (sumd != 0 || sumd2 != 0) { |
| /* |
| * At this point, sumd is the delta to apply to the |
| * TCP/UDP header, given the changes in both the IP |
| * address and the ports and sumd2 is the delta to |
| * apply to the ICMP header, given the IP address |
| * change delta that may need to be applied to the |
| * TCP/UDP checksum instead. |
| * |
| * If we will both the IP and TCP/UDP checksums |
| * then the ICMP checksum changes by the address |
| * delta applied to the TCP/UDP checksum. If we |
| * do not change the TCP/UDP checksum them we |
| * apply the delta in ports to the ICMP checksum. |
| */ |
| if (oip6->ip6_nxt == IPPROTO_UDP) { |
| if ((dlen >= 8) && (*csump != 0)) { |
| ipf_fix_datacksum(csump, sumd); |
| } else { |
| sumd2 = sum4 - sum1; |
| if (sum1 > sum4) |
| sumd2--; |
| sumd2 += sum2 - sum3; |
| if (sum3 > sum2) |
| sumd2--; |
| } |
| } else if (oip6->ip6_nxt == IPPROTO_TCP) { |
| if (dlen >= 18) { |
| ipf_fix_datacksum(csump, sumd); |
| } else { |
| sumd2 = sum4 - sum1; |
| if (sum1 > sum4) |
| sumd2--; |
| sumd2 += sum2 - sum3; |
| if (sum3 > sum2) |
| sumd2--; |
| } |
| } |
| if (sumd2 != 0) { |
| sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); |
| sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); |
| sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); |
| ipf_fix_incksum(fin, &icmp6->icmp6_cksum, |
| sumd2); |
| } |
| } |
| } else if (((flags & IPN_ICMPQUERY) != 0) && (dlen >= 8)) { |
| struct icmp6_hdr *orgicmp; |
| |
| /* |
| * XXX - what if this is bogus hl and we go off the end ? |
| * In this case, ipf_nat6_icmperrorlookup() will have |
| * returned NULL. |
| */ |
| orgicmp = (struct icmp6_hdr *)dp; |
| |
| if (odst == 1) { |
| if (orgicmp->icmp6_id != nat->nat_osport) { |
| |
| /* |
| * Fix ICMP checksum (of the offening ICMP |
| * query packet) to compensate the change |
| * in the ICMP id of the offending ICMP |
| * packet. |
| * |
| * Since you modify orgicmp->icmp6_id with |
| * a delta (say x) and you compensate that |
| * in origicmp->icmp6_cksum with a delta |
| * minus x, you don't have to adjust the |
| * overall icmp->icmp6_cksum |
| */ |
| sum1 = ntohs(orgicmp->icmp6_id); |
| sum2 = ntohs(nat->nat_osport); |
| CALC_SUMD(sum1, sum2, sumd); |
| orgicmp->icmp6_id = nat->nat_oicmpid; |
| ipf_fix_datacksum(&orgicmp->icmp6_cksum, sumd); |
| } |
| } /* nat6_dir == NAT_INBOUND is impossible for icmp queries */ |
| } |
| return nat; |
| } |
| |
| |
| /* |
| * MAP-IN MAP-OUT RDR-IN RDR-OUT |
| * osrc X == src == src X |
| * odst X == dst == dst X |
| * nsrc == dst X X == dst |
| * ndst == src X X == src |
| * MAP = NAT_OUTBOUND, RDR = NAT_INBOUND |
| */ |
| /* |
| * NB: these lookups don't lock access to the list, it assumed that it has |
| * already been done! |
| */ |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_inlookup */ |
| /* Returns: nat6_t* - NULL == no match, */ |
| /* else pointer to matching NAT entry */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* flags(I) - NAT flags for this packet */ |
| /* p(I) - protocol for this packet */ |
| /* src(I) - source IP address */ |
| /* mapdst(I) - destination IP address */ |
| /* */ |
| /* Lookup a nat entry based on the mapped destination ip address/port and */ |
| /* real source address/port. We use this lookup when receiving a packet, */ |
| /* we're looking for a table entry, based on the destination address. */ |
| /* */ |
| /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ |
| /* */ |
| /* NOTE: IT IS ASSUMED THAT IS ONLY HELD WITH A READ LOCK WHEN */ |
| /* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */ |
| /* */ |
| /* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */ |
| /* the packet is of said protocol */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_inlookup(fin, flags, p, src, mapdst) |
| fr_info_t *fin; |
| u_int flags, p; |
| struct in6_addr *src , *mapdst; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_short sport, dport; |
| grehdr_t *gre; |
| ipnat_t *ipn; |
| u_int sflags; |
| nat_t *nat; |
| int nflags; |
| i6addr_t dst; |
| void *ifp; |
| u_int hv; |
| |
| ifp = fin->fin_ifp; |
| sport = 0; |
| dport = 0; |
| gre = NULL; |
| dst.in6 = *mapdst; |
| sflags = flags & NAT_TCPUDPICMP; |
| |
| switch (p) |
| { |
| case IPPROTO_TCP : |
| case IPPROTO_UDP : |
| sport = htons(fin->fin_data[0]); |
| dport = htons(fin->fin_data[1]); |
| break; |
| case IPPROTO_ICMPV6 : |
| if (flags & IPN_ICMPERR) |
| sport = fin->fin_data[1]; |
| else |
| dport = fin->fin_data[1]; |
| break; |
| default : |
| break; |
| } |
| |
| |
| if ((flags & SI_WILDP) != 0) |
| goto find_in_wild_ports; |
| |
| hv = NAT_HASH_FN6(&dst, dport, 0xffffffff); |
| hv = NAT_HASH_FN6(src, hv + sport, softn->ipf_nat_table_sz); |
| nat = softn->ipf_nat_table[1][hv]; |
| /* TRACE dst, dport, src, sport, hv, nat */ |
| |
| for (; nat; nat = nat->nat_hnext[1]) { |
| if (nat->nat_ifps[0] != NULL) { |
| if ((ifp != NULL) && (ifp != nat->nat_ifps[0])) |
| continue; |
| } |
| |
| if (nat->nat_pr[0] != p) |
| continue; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| if (nat->nat_v[0] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_osrc6, src) || |
| IP6_NEQ(&nat->nat_odst6, &dst)) |
| continue; |
| if ((nat->nat_flags & IPN_TCPUDP) != 0) { |
| if (nat->nat_osport != sport) |
| continue; |
| if (nat->nat_odport != dport) |
| continue; |
| |
| } else if (p == IPPROTO_ICMPV6) { |
| if (nat->nat_osport != dport) { |
| continue; |
| } |
| } |
| break; |
| case NAT_OUTBOUND : |
| if (nat->nat_v[1] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_ndst6, src) || |
| IP6_NEQ(&nat->nat_nsrc6, &dst)) |
| continue; |
| if ((nat->nat_flags & IPN_TCPUDP) != 0) { |
| if (nat->nat_ndport != sport) |
| continue; |
| if (nat->nat_nsport != dport) |
| continue; |
| |
| } else if (p == IPPROTO_ICMPV6) { |
| if (nat->nat_osport != dport) { |
| continue; |
| } |
| } |
| break; |
| } |
| |
| |
| if ((nat->nat_flags & IPN_TCPUDP) != 0) { |
| ipn = nat->nat_ptr; |
| #ifdef IPF_V6_PROXIES |
| if ((ipn != NULL) && (nat->nat_aps != NULL)) |
| if (appr_match(fin, nat) != 0) |
| continue; |
| #endif |
| } |
| if (ifp != NULL) { |
| nat->nat_ifps[0] = ifp; |
| nat->nat_mtu[0] = GETIFMTU_6(ifp); |
| } |
| return nat; |
| } |
| |
| /* |
| * So if we didn't find it but there are wildcard members in the hash |
| * table, go back and look for them. We do this search and update here |
| * because it is modifying the NAT table and we want to do this only |
| * for the first packet that matches. The exception, of course, is |
| * for "dummy" (FI_IGNORE) lookups. |
| */ |
| find_in_wild_ports: |
| if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH)) { |
| NINCLSIDE6(0, ns_lookup_miss); |
| return NULL; |
| } |
| if (softn->ipf_nat_stats.ns_wilds == 0) { |
| NINCLSIDE6(0, ns_lookup_nowild); |
| return NULL; |
| } |
| |
| RWLOCK_EXIT(&softc->ipf_nat); |
| |
| hv = NAT_HASH_FN6(&dst, 0, 0xffffffff); |
| hv = NAT_HASH_FN6(src, hv, softn->ipf_nat_table_sz); |
| WRITE_ENTER(&softc->ipf_nat); |
| |
| nat = softn->ipf_nat_table[1][hv]; |
| /* TRACE dst, src, hv, nat */ |
| for (; nat; nat = nat->nat_hnext[1]) { |
| if (nat->nat_ifps[0] != NULL) { |
| if ((ifp != NULL) && (ifp != nat->nat_ifps[0])) |
| continue; |
| } |
| |
| if (nat->nat_pr[0] != fin->fin_p) |
| continue; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| if (nat->nat_v[0] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_osrc6, src) || |
| IP6_NEQ(&nat->nat_odst6, &dst)) |
| continue; |
| break; |
| case NAT_OUTBOUND : |
| if (nat->nat_v[1] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_ndst6, src) || |
| IP6_NEQ(&nat->nat_nsrc6, &dst)) |
| continue; |
| break; |
| } |
| |
| nflags = nat->nat_flags; |
| if (!(nflags & (NAT_TCPUDP|SI_WILDP))) |
| continue; |
| |
| if (ipf_nat_wildok(nat, (int)sport, (int)dport, nflags, |
| NAT_INBOUND) == 1) { |
| if ((fin->fin_flx & FI_IGNORE) != 0) |
| break; |
| if ((nflags & SI_CLONE) != 0) { |
| nat = ipf_nat_clone(fin, nat); |
| if (nat == NULL) |
| break; |
| } else { |
| MUTEX_ENTER(&softn->ipf_nat_new); |
| softn->ipf_nat_stats.ns_wilds--; |
| MUTEX_EXIT(&softn->ipf_nat_new); |
| } |
| |
| if (nat->nat_dir == NAT_INBOUND) { |
| if (nat->nat_osport == 0) { |
| nat->nat_osport = sport; |
| nat->nat_nsport = sport; |
| } |
| if (nat->nat_odport == 0) { |
| nat->nat_odport = dport; |
| nat->nat_ndport = dport; |
| } |
| } else { |
| if (nat->nat_osport == 0) { |
| nat->nat_osport = dport; |
| nat->nat_nsport = dport; |
| } |
| if (nat->nat_odport == 0) { |
| nat->nat_odport = sport; |
| nat->nat_ndport = sport; |
| } |
| } |
| if (ifp != NULL) { |
| nat->nat_ifps[0] = ifp; |
| nat->nat_mtu[0] = GETIFMTU_6(ifp); |
| } |
| nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT); |
| ipf_nat6_tabmove(softn, nat); |
| break; |
| } |
| } |
| |
| MUTEX_DOWNGRADE(&softc->ipf_nat); |
| |
| if (nat == NULL) { |
| NINCLSIDE6(0, ns_lookup_miss); |
| } |
| return nat; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_tabmove */ |
| /* Returns: Nil */ |
| /* Parameters: nat(I) - pointer to NAT structure */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* This function is only called for TCP/UDP NAT table entries where the */ |
| /* original was placed in the table without hashing on the ports and we now */ |
| /* want to include hashing on port numbers. */ |
| /* ------------------------------------------------------------------------ */ |
| static void |
| ipf_nat6_tabmove(softn, nat) |
| ipf_nat_softc_t *softn; |
| nat_t *nat; |
| { |
| nat_t **natp; |
| u_int hv0, hv1; |
| |
| if (nat->nat_flags & SI_CLONE) |
| return; |
| |
| /* |
| * Remove the NAT entry from the old location |
| */ |
| if (nat->nat_hnext[0]) |
| nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0]; |
| *nat->nat_phnext[0] = nat->nat_hnext[0]; |
| softn->ipf_nat_stats.ns_side[0].ns_bucketlen[nat->nat_hv[0]]--; |
| |
| if (nat->nat_hnext[1]) |
| nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1]; |
| *nat->nat_phnext[1] = nat->nat_hnext[1]; |
| softn->ipf_nat_stats.ns_side[1].ns_bucketlen[nat->nat_hv[1]]--; |
| |
| /* |
| * Add into the NAT table in the new position |
| */ |
| hv0 = NAT_HASH_FN6(&nat->nat_osrc6, nat->nat_osport, 0xffffffff); |
| hv0 = NAT_HASH_FN6(&nat->nat_odst6, hv0 + nat->nat_odport, |
| softn->ipf_nat_table_sz); |
| hv1 = NAT_HASH_FN6(&nat->nat_nsrc6, nat->nat_nsport, 0xffffffff); |
| hv1 = NAT_HASH_FN6(&nat->nat_ndst6, hv1 + nat->nat_ndport, |
| softn->ipf_nat_table_sz); |
| |
| if (nat->nat_dir == NAT_INBOUND || nat->nat_dir == NAT_ENCAPIN || |
| nat->nat_dir == NAT_DIVERTIN) { |
| u_int swap; |
| |
| swap = hv0; |
| hv0 = hv1; |
| hv1 = swap; |
| } |
| |
| /* TRACE nat_osrc6, nat_osport, nat_odst6, nat_odport, hv0 */ |
| /* TRACE nat_nsrc6, nat_nsport, nat_ndst6, nat_ndport, hv1 */ |
| |
| nat->nat_hv[0] = hv0; |
| natp = &softn->ipf_nat_table[0][hv0]; |
| if (*natp) |
| (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; |
| nat->nat_phnext[0] = natp; |
| nat->nat_hnext[0] = *natp; |
| *natp = nat; |
| softn->ipf_nat_stats.ns_side[0].ns_bucketlen[hv0]++; |
| |
| nat->nat_hv[1] = hv1; |
| natp = &softn->ipf_nat_table[1][hv1]; |
| if (*natp) |
| (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; |
| nat->nat_phnext[1] = natp; |
| nat->nat_hnext[1] = *natp; |
| *natp = nat; |
| softn->ipf_nat_stats.ns_side[1].ns_bucketlen[hv1]++; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_outlookup */ |
| /* Returns: nat6_t* - NULL == no match, */ |
| /* else pointer to matching NAT entry */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* flags(I) - NAT flags for this packet */ |
| /* p(I) - protocol for this packet */ |
| /* src(I) - source IP address */ |
| /* dst(I) - destination IP address */ |
| /* rw(I) - 1 == write lock on held, 0 == read lock. */ |
| /* */ |
| /* Lookup a nat entry based on the source 'real' ip address/port and */ |
| /* destination address/port. We use this lookup when sending a packet out, */ |
| /* we're looking for a table entry, based on the source address. */ |
| /* */ |
| /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ |
| /* */ |
| /* NOTE: IT IS ASSUMED THAT IS ONLY HELD WITH A READ LOCK WHEN */ |
| /* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */ |
| /* */ |
| /* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */ |
| /* the packet is of said protocol */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_outlookup(fin, flags, p, src, dst) |
| fr_info_t *fin; |
| u_int flags, p; |
| struct in6_addr *src , *dst; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_short sport, dport; |
| u_int sflags; |
| ipnat_t *ipn; |
| nat_t *nat; |
| void *ifp; |
| u_int hv; |
| |
| ifp = fin->fin_ifp; |
| sflags = flags & IPN_TCPUDPICMP; |
| sport = 0; |
| dport = 0; |
| |
| switch (p) |
| { |
| case IPPROTO_TCP : |
| case IPPROTO_UDP : |
| sport = htons(fin->fin_data[0]); |
| dport = htons(fin->fin_data[1]); |
| break; |
| case IPPROTO_ICMPV6 : |
| if (flags & IPN_ICMPERR) |
| sport = fin->fin_data[1]; |
| else |
| dport = fin->fin_data[1]; |
| break; |
| default : |
| break; |
| } |
| |
| if ((flags & SI_WILDP) != 0) |
| goto find_out_wild_ports; |
| |
| hv = NAT_HASH_FN6(src, sport, 0xffffffff); |
| hv = NAT_HASH_FN6(dst, hv + dport, softn->ipf_nat_table_sz); |
| nat = softn->ipf_nat_table[0][hv]; |
| |
| /* TRACE src, sport, dst, dport, hv, nat */ |
| |
| for (; nat; nat = nat->nat_hnext[0]) { |
| if (nat->nat_ifps[1] != NULL) { |
| if ((ifp != NULL) && (ifp != nat->nat_ifps[1])) |
| continue; |
| } |
| |
| if (nat->nat_pr[1] != p) |
| continue; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| if (nat->nat_v[1] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_ndst6, src) || |
| IP6_NEQ(&nat->nat_nsrc6, dst)) |
| continue; |
| |
| if ((nat->nat_flags & IPN_TCPUDP) != 0) { |
| if (nat->nat_ndport != sport) |
| continue; |
| if (nat->nat_nsport != dport) |
| continue; |
| |
| } else if (p == IPPROTO_ICMPV6) { |
| if (nat->nat_osport != dport) { |
| continue; |
| } |
| } |
| break; |
| case NAT_OUTBOUND : |
| if (nat->nat_v[0] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_osrc6, src) || |
| IP6_NEQ(&nat->nat_odst6, dst)) |
| continue; |
| |
| if ((nat->nat_flags & IPN_TCPUDP) != 0) { |
| if (nat->nat_odport != dport) |
| continue; |
| if (nat->nat_osport != sport) |
| continue; |
| |
| } else if (p == IPPROTO_ICMPV6) { |
| if (nat->nat_osport != dport) { |
| continue; |
| } |
| } |
| break; |
| } |
| |
| ipn = nat->nat_ptr; |
| #ifdef IPF_V6_PROXIES |
| if ((ipn != NULL) && (nat->nat_aps != NULL)) |
| if (appr_match(fin, nat) != 0) |
| continue; |
| #endif |
| |
| if (ifp != NULL) { |
| nat->nat_ifps[1] = ifp; |
| nat->nat_mtu[1] = GETIFMTU_6(ifp); |
| } |
| return nat; |
| } |
| |
| /* |
| * So if we didn't find it but there are wildcard members in the hash |
| * table, go back and look for them. We do this search and update here |
| * because it is modifying the NAT table and we want to do this only |
| * for the first packet that matches. The exception, of course, is |
| * for "dummy" (FI_IGNORE) lookups. |
| */ |
| find_out_wild_ports: |
| if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH)) { |
| NINCLSIDE6(1, ns_lookup_miss); |
| return NULL; |
| } |
| if (softn->ipf_nat_stats.ns_wilds == 0) { |
| NINCLSIDE6(1, ns_lookup_nowild); |
| return NULL; |
| } |
| |
| RWLOCK_EXIT(&softc->ipf_nat); |
| |
| hv = NAT_HASH_FN6(src, 0, 0xffffffff); |
| hv = NAT_HASH_FN6(dst, hv, softn->ipf_nat_table_sz); |
| |
| WRITE_ENTER(&softc->ipf_nat); |
| |
| nat = softn->ipf_nat_table[0][hv]; |
| for (; nat; nat = nat->nat_hnext[0]) { |
| if (nat->nat_ifps[1] != NULL) { |
| if ((ifp != NULL) && (ifp != nat->nat_ifps[1])) |
| continue; |
| } |
| |
| if (nat->nat_pr[1] != fin->fin_p) |
| continue; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| if (nat->nat_v[1] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_ndst6, src) || |
| IP6_NEQ(&nat->nat_nsrc6, dst)) |
| continue; |
| break; |
| case NAT_OUTBOUND : |
| if (nat->nat_v[0] != 6) |
| continue; |
| if (IP6_NEQ(&nat->nat_osrc6, src) || |
| IP6_NEQ(&nat->nat_odst6, dst)) |
| continue; |
| break; |
| } |
| |
| if (!(nat->nat_flags & (NAT_TCPUDP|SI_WILDP))) |
| continue; |
| |
| if (ipf_nat_wildok(nat, (int)sport, (int)dport, nat->nat_flags, |
| NAT_OUTBOUND) == 1) { |
| if ((fin->fin_flx & FI_IGNORE) != 0) |
| break; |
| if ((nat->nat_flags & SI_CLONE) != 0) { |
| nat = ipf_nat_clone(fin, nat); |
| if (nat == NULL) |
| break; |
| } else { |
| MUTEX_ENTER(&softn->ipf_nat_new); |
| softn->ipf_nat_stats.ns_wilds--; |
| MUTEX_EXIT(&softn->ipf_nat_new); |
| } |
| |
| if (nat->nat_dir == NAT_OUTBOUND) { |
| if (nat->nat_osport == 0) { |
| nat->nat_osport = sport; |
| nat->nat_nsport = sport; |
| } |
| if (nat->nat_odport == 0) { |
| nat->nat_odport = dport; |
| nat->nat_ndport = dport; |
| } |
| } else { |
| if (nat->nat_osport == 0) { |
| nat->nat_osport = dport; |
| nat->nat_nsport = dport; |
| } |
| if (nat->nat_odport == 0) { |
| nat->nat_odport = sport; |
| nat->nat_ndport = sport; |
| } |
| } |
| if (ifp != NULL) { |
| nat->nat_ifps[1] = ifp; |
| nat->nat_mtu[1] = GETIFMTU_6(ifp); |
| } |
| nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT); |
| ipf_nat6_tabmove(softn, nat); |
| break; |
| } |
| } |
| |
| MUTEX_DOWNGRADE(&softc->ipf_nat); |
| |
| if (nat == NULL) { |
| NINCLSIDE6(1, ns_lookup_miss); |
| } |
| return nat; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_lookupredir */ |
| /* Returns: nat6_t* - NULL == no match, */ |
| /* else pointer to matching NAT entry */ |
| /* Parameters: np(I) - pointer to description of packet to find NAT table */ |
| /* entry for. */ |
| /* */ |
| /* Lookup the NAT tables to search for a matching redirect */ |
| /* The contents of natlookup_t should imitate those found in a packet that */ |
| /* would be translated - ie a packet coming in for RDR or going out for MAP.*/ |
| /* We can do the lookup in one of two ways, imitating an inbound or */ |
| /* outbound packet. By default we assume outbound, unless IPN_IN is set. */ |
| /* For IN, the fields are set as follows: */ |
| /* nl_real* = source information */ |
| /* nl_out* = destination information (translated) */ |
| /* For an out packet, the fields are set like this: */ |
| /* nl_in* = source information (untranslated) */ |
| /* nl_out* = destination information (translated) */ |
| /* ------------------------------------------------------------------------ */ |
| nat_t * |
| ipf_nat6_lookupredir(np) |
| natlookup_t *np; |
| { |
| fr_info_t fi; |
| nat_t *nat; |
| |
| bzero((char *)&fi, sizeof(fi)); |
| if (np->nl_flags & IPN_IN) { |
| fi.fin_data[0] = ntohs(np->nl_realport); |
| fi.fin_data[1] = ntohs(np->nl_outport); |
| } else { |
| fi.fin_data[0] = ntohs(np->nl_inport); |
| fi.fin_data[1] = ntohs(np->nl_outport); |
| } |
| if (np->nl_flags & IPN_TCP) |
| fi.fin_p = IPPROTO_TCP; |
| else if (np->nl_flags & IPN_UDP) |
| fi.fin_p = IPPROTO_UDP; |
| else if (np->nl_flags & (IPN_ICMPERR|IPN_ICMPQUERY)) |
| fi.fin_p = IPPROTO_ICMPV6; |
| |
| /* |
| * We can do two sorts of lookups: |
| * - IPN_IN: we have the `real' and `out' address, look for `in'. |
| * - default: we have the `in' and `out' address, look for `real'. |
| */ |
| if (np->nl_flags & IPN_IN) { |
| if ((nat = ipf_nat6_inlookup(&fi, np->nl_flags, fi.fin_p, |
| &np->nl_realip6, |
| &np->nl_outip6))) { |
| np->nl_inip6 = nat->nat_odst6.in6; |
| np->nl_inport = nat->nat_odport; |
| } |
| } else { |
| /* |
| * If nl_inip is non null, this is a lookup based on the real |
| * ip address. Else, we use the fake. |
| */ |
| if ((nat = ipf_nat6_outlookup(&fi, np->nl_flags, fi.fin_p, |
| &np->nl_inip6, &np->nl_outip6))) { |
| |
| if ((np->nl_flags & IPN_FINDFORWARD) != 0) { |
| fr_info_t fin; |
| bzero((char *)&fin, sizeof(fin)); |
| fin.fin_p = nat->nat_pr[0]; |
| fin.fin_data[0] = ntohs(nat->nat_ndport); |
| fin.fin_data[1] = ntohs(nat->nat_nsport); |
| if (ipf_nat6_inlookup(&fin, np->nl_flags, |
| fin.fin_p, |
| &nat->nat_ndst6.in6, |
| &nat->nat_nsrc6.in6) != |
| NULL) { |
| np->nl_flags &= ~IPN_FINDFORWARD; |
| } |
| } |
| |
| np->nl_realip6 = nat->nat_ndst6.in6; |
| np->nl_realport = nat->nat_ndport; |
| } |
| } |
| |
| return nat; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_match */ |
| /* Returns: int - 0 == no match, 1 == match */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* np(I) - pointer to NAT rule */ |
| /* */ |
| /* Pull the matching of a packet against a NAT rule out of that complex */ |
| /* loop inside ipf_nat6_checkin() and lay it out properly in its own */ |
| /* function. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_match(fin, np) |
| fr_info_t *fin; |
| ipnat_t *np; |
| { |
| frtuc_t *ft; |
| int match; |
| |
| if ((fin->fin_p == IPPROTO_IPIP) && (np->in_redir & NAT_ENCAP)) |
| return ipf_nat6_matchencap(fin, np); |
| |
| match = 0; |
| switch (np->in_osrcatype) |
| { |
| case FRI_NORMAL : |
| match = IP6_MASKNEQ(&fin->fin_src6, &np->in_osrcmsk6, |
| &np->in_osrcip6); |
| break; |
| case FRI_LOOKUP : |
| match = (*np->in_osrcfunc)(fin->fin_main_soft, np->in_osrcptr, 6, &fin->fin_src6); |
| break; |
| } |
| match ^= ((np->in_flags & IPN_NOTSRC) != 0); |
| if (match) |
| return 0; |
| |
| match = 0; |
| switch (np->in_odstatype) |
| { |
| case FRI_NORMAL : |
| match = IP6_MASKNEQ(&fin->fin_dst6, &np->in_odstmsk6, |
| &np->in_odstip6); |
| break; |
| case FRI_LOOKUP : |
| match = (*np->in_odstfunc)(fin->fin_main_soft, np->in_odstptr, 6, &fin->fin_dst6); |
| break; |
| } |
| |
| match ^= ((np->in_flags & IPN_NOTDST) != 0); |
| if (match) |
| return 0; |
| |
| ft = &np->in_tuc; |
| if (!(fin->fin_flx & FI_TCPUDP) || |
| (fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) { |
| if (ft->ftu_scmp || ft->ftu_dcmp) |
| return 0; |
| return 1; |
| } |
| |
| return ipf_tcpudpchk(&fin->fin_fi, ft); |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_ipfout */ |
| /* Returns: frentry_t* - NULL (packet may have been translated, let it */ |
| /* pass), &ipfnatblock - block/drop the packet. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* passp(I) - point to filtering result flags */ |
| /* */ |
| /* This is purely and simply a wrapper around ipf_nat6_checkout for the sole*/ |
| /* reason of being able to activate NAT from an ipf rule using "call-now". */ |
| /* ------------------------------------------------------------------------ */ |
| frentry_t * |
| ipf_nat6_ipfout(fin, passp) |
| fr_info_t *fin; |
| u_32_t *passp; |
| { |
| frentry_t *fr = fin->fin_fr; |
| |
| switch (ipf_nat6_checkout(fin, passp)) |
| { |
| case -1 : |
| fin->fin_reason = 13; |
| fr = &ipfnatblock; |
| MUTEX_ENTER(&fr->fr_lock); |
| fr->fr_ref++; |
| MUTEX_EXIT(&fr->fr_lock); |
| return fr; |
| |
| case 0 : |
| break; |
| |
| case 1 : |
| /* |
| * Returing NULL causes this rule to be "ignored" but |
| * it has actually had an influence on the packet so we |
| * increment counters for it. |
| */ |
| MUTEX_ENTER(&fr->fr_lock); |
| fr->fr_bytes += (U_QUAD_T)fin->fin_plen; |
| fr->fr_hits++; |
| MUTEX_EXIT(&fr->fr_lock); |
| break; |
| } |
| |
| return NULL; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_checkout */ |
| /* Returns: int - -1 == packet failed NAT checks so block it, */ |
| /* 0 == no packet translation occurred, */ |
| /* 1 == packet was successfully translated. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* passp(I) - pointer to filtering result flags */ |
| /* */ |
| /* Check to see if an outcoming packet should be changed. ICMP packets are */ |
| /* first checked to see if they match an existing entry (if an error), */ |
| /* otherwise a search of the current NAT table is made. If neither results */ |
| /* in a match then a search for a matching NAT rule is made. Create a new */ |
| /* NAT entry if a we matched a NAT rule. Lastly, actually change the */ |
| /* packet header(s) as required. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_checkout(fin, passp) |
| fr_info_t *fin; |
| u_32_t *passp; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| struct icmp6_hdr *icmp6 = NULL; |
| struct ifnet *ifp, *sifp; |
| tcphdr_t *tcp = NULL; |
| int rval, natfailed; |
| ipnat_t *np = NULL; |
| u_int nflags = 0; |
| i6addr_t ipa, iph; |
| int natadd = 1; |
| frentry_t *fr; |
| nat_t *nat; |
| |
| if (softn->ipf_nat_stats.ns_rules == 0 || softn->ipf_nat_lock != 0) |
| return 0; |
| |
| natfailed = 0; |
| fr = fin->fin_fr; |
| sifp = fin->fin_ifp; |
| if (fr != NULL) { |
| ifp = fr->fr_tifs[fin->fin_rev].fd_ptr; |
| if ((ifp != NULL) && (ifp != (void *)-1)) |
| fin->fin_ifp = ifp; |
| } |
| ifp = fin->fin_ifp; |
| |
| if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { |
| switch (fin->fin_p) |
| { |
| case IPPROTO_TCP : |
| nflags = IPN_TCP; |
| break; |
| case IPPROTO_UDP : |
| nflags = IPN_UDP; |
| break; |
| case IPPROTO_ICMPV6 : |
| icmp6 = fin->fin_dp; |
| |
| /* |
| * This is an incoming packet, so the destination is |
| * the icmp6_id and the source port equals 0 |
| */ |
| if ((fin->fin_flx & FI_ICMPQUERY) != 0) |
| nflags = IPN_ICMPQUERY; |
| break; |
| default : |
| break; |
| } |
| |
| if ((nflags & IPN_TCPUDP)) |
| tcp = fin->fin_dp; |
| } |
| |
| ipa = fin->fin_src6; |
| |
| READ_ENTER(&softc->ipf_nat); |
| |
| if ((fin->fin_p == IPPROTO_ICMPV6) && !(nflags & IPN_ICMPQUERY) && |
| (nat = ipf_nat6_icmperror(fin, &nflags, NAT_OUTBOUND))) |
| /*EMPTY*/; |
| else if ((fin->fin_flx & FI_FRAG) && (nat = ipf_frag_natknown(fin))) |
| natadd = 0; |
| else if ((nat = ipf_nat6_outlookup(fin, nflags|NAT_SEARCH, |
| (u_int)fin->fin_p, |
| &fin->fin_src6.in6, |
| &fin->fin_dst6.in6))) { |
| nflags = nat->nat_flags; |
| } else { |
| u_32_t hv, nmsk; |
| i6addr_t msk; |
| int i; |
| |
| /* |
| * If there is no current entry in the nat table for this IP#, |
| * create one for it (if there is a matching rule). |
| */ |
| RWLOCK_EXIT(&softc->ipf_nat); |
| i = 3; |
| msk.i6[0] = 0xffffffff; |
| msk.i6[1] = 0xffffffff; |
| msk.i6[2] = 0xffffffff; |
| msk.i6[3] = 0xffffffff; |
| nmsk = softn->ipf_nat6_map_masks[3]; |
| WRITE_ENTER(&softc->ipf_nat); |
| maskloop: |
| IP6_AND(&ipa, &msk, &iph); |
| hv = NAT_HASH_FN6(&iph, 0, softn->ipf_nat_maprules_sz); |
| for (np = softn->ipf_nat_map_rules[hv]; np; np = np->in_mnext) { |
| if ((np->in_ifps[1] && (np->in_ifps[1] != ifp))) |
| continue; |
| if (np->in_v[0] != 6) |
| continue; |
| if (np->in_pr[1] && (np->in_pr[1] != fin->fin_p)) |
| continue; |
| if ((np->in_flags & IPN_RF) && |
| !(np->in_flags & nflags)) |
| continue; |
| if (np->in_flags & IPN_FILTER) { |
| switch (ipf_nat6_match(fin, np)) |
| { |
| case 0 : |
| continue; |
| case -1 : |
| rval = -1; |
| goto outmatchfail; |
| case 1 : |
| default : |
| break; |
| } |
| } else if (!IP6_MASKEQ(&ipa, &np->in_osrcmsk, |
| &np->in_osrcip6)) |
| continue; |
| |
| if ((fr != NULL) && |
| !ipf_matchtag(&np->in_tag, &fr->fr_nattag)) |
| continue; |
| |
| #ifdef IPF_V6_PROXIES |
| if (*np->in_plabel != '\0') { |
| if (((np->in_flags & IPN_FILTER) == 0) && |
| (np->in_odport != fin->fin_data[1])) |
| continue; |
| if (appr_ok(fin, tcp, np) == 0) |
| continue; |
| } |
| #endif |
| |
| if (np->in_flags & IPN_NO) { |
| np->in_hits++; |
| break; |
| } |
| |
| if ((nat = ipf_nat6_add(fin, np, NULL, nflags, |
| NAT_OUTBOUND))) { |
| np->in_hits++; |
| break; |
| } else |
| natfailed = -1; |
| } |
| if ((np == NULL) && (i >= 0)) { |
| while (i >= 0) { |
| while (nmsk) { |
| msk.i6[i] = htonl(ntohl(msk.i6[i])<<1); |
| if ((nmsk & 0x80000000) != 0) { |
| nmsk <<= 1; |
| goto maskloop; |
| } |
| nmsk <<= 1; |
| } |
| msk.i6[i--] = 0; |
| if (i >= 0) { |
| nmsk = softn->ipf_nat6_map_masks[i]; |
| if (nmsk != 0) |
| goto maskloop; |
| } |
| } |
| } |
| MUTEX_DOWNGRADE(&softc->ipf_nat); |
| } |
| |
| if (nat != NULL) { |
| rval = ipf_nat6_out(fin, nat, natadd, nflags); |
| if (rval == 1) { |
| MUTEX_ENTER(&nat->nat_lock); |
| ipf_nat_update(fin, nat); |
| nat->nat_ref++; |
| nat->nat_bytes[1] += fin->fin_plen; |
| nat->nat_pkts[1]++; |
| MUTEX_EXIT(&nat->nat_lock); |
| fin->fin_nat = nat; |
| } |
| } else |
| rval = natfailed; |
| outmatchfail: |
| RWLOCK_EXIT(&softc->ipf_nat); |
| |
| switch (rval) |
| { |
| case -1 : |
| if (passp != NULL) { |
| NINCLSIDE6(1, ns_drop); |
| *passp = FR_BLOCK; |
| fin->fin_reason = 11; |
| } |
| fin->fin_flx |= FI_BADNAT; |
| NINCLSIDE6(1, ns_badnat); |
| break; |
| case 0 : |
| NINCLSIDE6(1, ns_ignored); |
| break; |
| case 1 : |
| NINCLSIDE6(1, ns_translated); |
| break; |
| } |
| fin->fin_ifp = sifp; |
| return rval; |
| } |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_out */ |
| /* Returns: int - -1 == packet failed NAT checks so block it, */ |
| /* 1 == packet was successfully translated. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT structure */ |
| /* natadd(I) - flag indicating if it is safe to add frag cache */ |
| /* nflags(I) - NAT flags set for this packet */ |
| /* */ |
| /* Translate a packet coming "out" on an interface. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_out(fin, nat, natadd, nflags) |
| fr_info_t *fin; |
| nat_t *nat; |
| int natadd; |
| u_32_t nflags; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| struct icmp6_hdr *icmp6; |
| u_short *csump; |
| tcphdr_t *tcp; |
| ipnat_t *np; |
| int skip; |
| int i; |
| |
| tcp = NULL; |
| icmp6 = NULL; |
| csump = NULL; |
| np = nat->nat_ptr; |
| |
| if ((natadd != 0) && (fin->fin_flx & FI_FRAG) && (np != NULL)) |
| (void) ipf_frag_natnew(softc, fin, 0, nat); |
| |
| /* |
| * Address assignment is after the checksum modification because |
| * we are using the address in the packet for determining the |
| * correct checksum offset (the ICMP error could be coming from |
| * anyone...) |
| */ |
| switch (nat->nat_dir) |
| { |
| case NAT_OUTBOUND : |
| fin->fin_ip6->ip6_src = nat->nat_nsrc6.in6; |
| fin->fin_src6 = nat->nat_nsrc6; |
| fin->fin_ip6->ip6_dst = nat->nat_ndst6.in6; |
| fin->fin_dst6 = nat->nat_ndst6; |
| break; |
| |
| case NAT_INBOUND : |
| fin->fin_ip6->ip6_src = nat->nat_odst6.in6; |
| fin->fin_src6 = nat->nat_ndst6; |
| fin->fin_ip6->ip6_dst = nat->nat_osrc6.in6; |
| fin->fin_dst6 = nat->nat_nsrc6; |
| break; |
| |
| case NAT_ENCAPIN : |
| fin->fin_flx |= FI_ENCAP; |
| case NAT_DIVERTIN : |
| { |
| mb_t *m; |
| |
| skip = ipf_nat6_decap(fin, nat); |
| if (skip <= 0) { |
| NINCLSIDE6(1, ns_decap_fail); |
| return -1; |
| } |
| |
| m = fin->fin_m; |
| |
| #if defined(MENTAT) && defined(_KERNEL) |
| m->b_rptr += skip; |
| #else |
| m->m_data += skip; |
| m->m_len -= skip; |
| |
| # ifdef M_PKTHDR |
| if (m->m_flags & M_PKTHDR) |
| m->m_pkthdr.len -= skip; |
| # endif |
| #endif |
| |
| MUTEX_ENTER(&nat->nat_lock); |
| ipf_nat_update(fin, nat); |
| MUTEX_EXIT(&nat->nat_lock); |
| fin->fin_flx |= FI_NATED; |
| if (np != NULL && np->in_tag.ipt_num[0] != 0) |
| fin->fin_nattag = &np->in_tag; |
| return 1; |
| /* NOTREACHED */ |
| } |
| |
| case NAT_ENCAPOUT : |
| { |
| ip6_t *ip6; |
| mb_t *m; |
| |
| if (ipf_nat6_encapok(fin, nat) == -1) |
| return -1; |
| |
| m = M_DUP(np->in_divmp); |
| if (m == NULL) { |
| NINCLSIDE6(1, ns_encap_dup); |
| return -1; |
| } |
| |
| ip6 = MTOD(m, ip6_t *); |
| /* TRACE (fin,ip) */ |
| ip6->ip6_plen = htons(fin->fin_plen + sizeof(ip6_t)); |
| |
| /* TRACE (ip) */ |
| |
| PREP_MB_T(fin, m); |
| |
| fin->fin_ip6 = ip6; |
| fin->fin_plen += sizeof(ip6_t); /* UDP + new IPv6 hdr */ |
| fin->fin_dlen += sizeof(ip6_t); /* UDP + old IPv6 hdr */ |
| fin->fin_flx |= FI_ENCAP; |
| |
| nflags &= ~IPN_TCPUDPICMP; |
| |
| break; |
| } |
| case NAT_DIVERTOUT : |
| { |
| udphdr_t *uh; |
| ip6_t *ip6; |
| mb_t *m; |
| |
| m = M_DUP(np->in_divmp); |
| if (m == NULL) { |
| NINCLSIDE6(1, ns_divert_dup); |
| return -1; |
| } |
| |
| ip6 = MTOD(m, ip6_t *); |
| |
| ip6->ip6_plen = htons(fin->fin_plen + 8); |
| |
| uh = (udphdr_t *)(ip6 + 1); |
| uh->uh_ulen = htons(fin->fin_plen); |
| |
| PREP_MB_T(fin, m); |
| |
| fin->fin_ip6 = ip6; |
| fin->fin_plen += sizeof(ip6_t) + 8; /* UDP + new IPv4 hdr */ |
| fin->fin_dlen += sizeof(ip6_t) + 8; /* UDP + old IPv4 hdr */ |
| |
| nflags &= ~IPN_TCPUDPICMP; |
| |
| break; |
| } |
| |
| default : |
| break; |
| } |
| |
| if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { |
| if ((nat->nat_nsport != 0) && (nflags & IPN_TCPUDP)) { |
| tcp = fin->fin_dp; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_OUTBOUND : |
| tcp->th_sport = nat->nat_nsport; |
| fin->fin_data[0] = ntohs(nat->nat_nsport); |
| tcp->th_dport = nat->nat_ndport; |
| fin->fin_data[0] = ntohs(nat->nat_ndport); |
| break; |
| |
| case NAT_INBOUND : |
| tcp->th_sport = nat->nat_odport; |
| fin->fin_data[0] = ntohs(nat->nat_odport); |
| tcp->th_dport = nat->nat_osport; |
| fin->fin_data[0] = ntohs(nat->nat_osport); |
| break; |
| } |
| } |
| |
| if ((nat->nat_nsport != 0) && (nflags & IPN_ICMPQUERY)) { |
| icmp6 = fin->fin_dp; |
| icmp6->icmp6_id = nat->nat_nicmpid; |
| } |
| |
| csump = ipf_nat_proto(fin, nat, nflags); |
| } |
| |
| /* |
| * The above comments do not hold for layer 4 (or higher) checksums... |
| */ |
| if (csump != NULL) { |
| if (nat->nat_dir == NAT_OUTBOUND) |
| ipf_fix_outcksum(fin, csump, nat->nat_sumd[1]); |
| else |
| ipf_fix_incksum(fin, csump, nat->nat_sumd[1]); |
| } |
| #ifdef IPFILTER_SYNC |
| ipf_sync_update(softc, SMC_NAT, fin, nat->nat_sync); |
| #endif |
| /* ------------------------------------------------------------- */ |
| /* A few quick notes: */ |
| /* Following are test conditions prior to calling the */ |
| /* appr_check routine. */ |
| /* */ |
| /* A NULL tcp indicates a non TCP/UDP packet. When dealing */ |
| /* with a redirect rule, we attempt to match the packet's */ |
| /* source port against in_dport, otherwise we'd compare the */ |
| /* packet's destination. */ |
| /* ------------------------------------------------------------- */ |
| if ((np != NULL) && (np->in_apr != NULL)) { |
| #ifdef IPF_V6_PROXIES |
| i = appr_check(fin, nat); |
| if (i == 0) |
| i = 1; |
| else if (i == -1) { |
| NINCLSIDE6(1, ns_appr_fail); |
| } |
| #else |
| i = 1; |
| #endif |
| } else { |
| i = 1; |
| } |
| fin->fin_flx |= FI_NATED; |
| return i; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_ipfin */ |
| /* Returns: frentry_t* - NULL (packet may have been translated, let it */ |
| /* pass), &ipfnatblock - block/drop the packet. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* passp(I) - point to filtering result flags */ |
| /* */ |
| /* This is purely and simply a wrapper around ipf_nat6_checkin for the sole */ |
| /* reason of being able to activate NAT from an ipf rule using "call-now". */ |
| /* ------------------------------------------------------------------------ */ |
| frentry_t * |
| ipf_nat6_ipfin(fin, passp) |
| fr_info_t *fin; |
| u_32_t *passp; |
| { |
| frentry_t *fr = fin->fin_fr; |
| |
| switch (ipf_nat6_checkin(fin, passp)) |
| { |
| case -1 : |
| fin->fin_reason = 13; |
| fr = &ipfnatblock; |
| MUTEX_ENTER(&fr->fr_lock); |
| fr->fr_ref++; |
| MUTEX_EXIT(&fr->fr_lock); |
| return fr; |
| |
| case 0 : |
| return NULL; |
| |
| case 1 : |
| /* |
| * Returing NULL causes this rule to be "ignored" but |
| * it has actually had an influence on the packet so we |
| * increment counters for it. |
| */ |
| MUTEX_ENTER(&fr->fr_lock); |
| fr->fr_bytes += (U_QUAD_T)fin->fin_plen; |
| fr->fr_hits++; |
| MUTEX_EXIT(&fr->fr_lock); |
| return NULL; |
| } |
| |
| return NULL; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_checkin */ |
| /* Returns: int - -1 == packet failed NAT checks so block it, */ |
| /* 0 == no packet translation occurred, */ |
| /* 1 == packet was successfully translated. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* passp(I) - pointer to filtering result flags */ |
| /* */ |
| /* Check to see if an incoming packet should be changed. ICMP packets are */ |
| /* first checked to see if they match an existing entry (if an error), */ |
| /* otherwise a search of the current NAT table is made. If neither results */ |
| /* in a match then a search for a matching NAT rule is made. Create a new */ |
| /* NAT entry if a we matched a NAT rule. Lastly, actually change the */ |
| /* packet header(s) as required. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_checkin(fin, passp) |
| fr_info_t *fin; |
| u_32_t *passp; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| struct icmp6_hdr *icmp6; |
| u_int nflags, natadd; |
| int rval, natfailed; |
| struct ifnet *ifp; |
| i6addr_t ipa, iph; |
| tcphdr_t *tcp; |
| u_short dport; |
| ipnat_t *np; |
| nat_t *nat; |
| |
| if (softn->ipf_nat_stats.ns_rules == 0 || softn->ipf_nat_lock != 0) |
| return 0; |
| |
| tcp = NULL; |
| icmp6 = NULL; |
| dport = 0; |
| natadd = 1; |
| nflags = 0; |
| natfailed = 0; |
| ifp = fin->fin_ifp; |
| |
| if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { |
| switch (fin->fin_p) |
| { |
| case IPPROTO_TCP : |
| nflags = IPN_TCP; |
| break; |
| case IPPROTO_UDP : |
| nflags = IPN_UDP; |
| break; |
| case IPPROTO_ICMPV6 : |
| icmp6 = fin->fin_dp; |
| |
| /* |
| * This is an incoming packet, so the destination is |
| * the icmp6_id and the source port equals 0 |
| */ |
| if ((fin->fin_flx & FI_ICMPQUERY) != 0) { |
| nflags = IPN_ICMPQUERY; |
| dport = icmp6->icmp6_id; |
| } break; |
| default : |
| break; |
| } |
| |
| if ((nflags & IPN_TCPUDP)) { |
| tcp = fin->fin_dp; |
| dport = fin->fin_data[1]; |
| } |
| } |
| |
| ipa = fin->fin_dst6; |
| |
| READ_ENTER(&softc->ipf_nat); |
| |
| if ((fin->fin_p == IPPROTO_ICMPV6) && !(nflags & IPN_ICMPQUERY) && |
| (nat = ipf_nat6_icmperror(fin, &nflags, NAT_INBOUND))) |
| /*EMPTY*/; |
| else if ((fin->fin_flx & FI_FRAG) && (nat = ipf_frag_natknown(fin))) |
| natadd = 0; |
| else if ((nat = ipf_nat6_inlookup(fin, nflags|NAT_SEARCH, |
| (u_int)fin->fin_p, |
| &fin->fin_src6.in6, &ipa.in6))) { |
| nflags = nat->nat_flags; |
| } else { |
| u_32_t hv, rmsk; |
| i6addr_t msk; |
| int i; |
| |
| /* |
| * If there is no current entry in the nat table for this IP#, |
| * create one for it (if there is a matching rule). |
| */ |
| RWLOCK_EXIT(&softc->ipf_nat); |
| i = 3; |
| msk.i6[0] = 0xffffffff; |
| msk.i6[1] = 0xffffffff; |
| msk.i6[2] = 0xffffffff; |
| msk.i6[3] = 0xffffffff; |
| rmsk = softn->ipf_nat6_rdr_masks[3]; |
| WRITE_ENTER(&softc->ipf_nat); |
| maskloop: |
| IP6_AND(&ipa, &msk, &iph); |
| hv = NAT_HASH_FN6(&iph, 0, softn->ipf_nat_rdrrules_sz); |
| for (np = softn->ipf_nat_rdr_rules[hv]; np; np = np->in_rnext) { |
| if (np->in_ifps[0] && (np->in_ifps[0] != ifp)) |
| continue; |
| if (np->in_v[0] != 6) |
| continue; |
| if (np->in_pr[0] && (np->in_pr[0] != fin->fin_p)) |
| continue; |
| if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags)) |
| continue; |
| if (np->in_flags & IPN_FILTER) { |
| switch (ipf_nat6_match(fin, np)) |
| { |
| case 0 : |
| continue; |
| case -1 : |
| rval = -1; |
| goto inmatchfail; |
| case 1 : |
| default : |
| break; |
| } |
| } else { |
| if (!IP6_MASKEQ(&ipa, &np->in_odstmsk6, |
| &np->in_odstip6)) { |
| continue; |
| } |
| if (np->in_odport && |
| ((np->in_dtop < dport) || |
| (dport < np->in_odport))) |
| continue; |
| } |
| |
| #ifdef IPF_V6_PROXIES |
| if (*np->in_plabel != '\0') { |
| if (!appr_ok(fin, tcp, np)) { |
| continue; |
| } |
| } |
| #endif |
| |
| if (np->in_flags & IPN_NO) { |
| np->in_hits++; |
| break; |
| } |
| |
| nat = ipf_nat6_add(fin, np, NULL, nflags, NAT_INBOUND); |
| if (nat != NULL) { |
| np->in_hits++; |
| break; |
| } else |
| natfailed = -1; |
| } |
| |
| if ((np == NULL) && (i >= 0)) { |
| while (i >= 0) { |
| while (rmsk) { |
| msk.i6[i] = htonl(ntohl(msk.i6[i])<<1); |
| if ((rmsk & 0x80000000) != 0) { |
| rmsk <<= 1; |
| goto maskloop; |
| } |
| rmsk <<= 1; |
| } |
| msk.i6[i--] = 0; |
| if (i >= 0) { |
| rmsk = softn->ipf_nat6_rdr_masks[i]; |
| if (rmsk != 0) |
| goto maskloop; |
| } |
| } |
| } |
| MUTEX_DOWNGRADE(&softc->ipf_nat); |
| } |
| if (nat != NULL) { |
| rval = ipf_nat6_in(fin, nat, natadd, nflags); |
| if (rval == 1) { |
| MUTEX_ENTER(&nat->nat_lock); |
| ipf_nat_update(fin, nat); |
| nat->nat_ref++; |
| nat->nat_bytes[0] += fin->fin_plen; |
| nat->nat_pkts[0]++; |
| MUTEX_EXIT(&nat->nat_lock); |
| fin->fin_nat = nat; |
| } |
| } else |
| rval = natfailed; |
| inmatchfail: |
| RWLOCK_EXIT(&softc->ipf_nat); |
| |
| switch (rval) |
| { |
| case -1 : |
| if (passp != NULL) { |
| NINCLSIDE6(0, ns_drop); |
| *passp = FR_BLOCK; |
| fin->fin_reason = 12; |
| } |
| fin->fin_flx |= FI_BADNAT; |
| NINCLSIDE6(0, ns_badnat); |
| break; |
| case 0 : |
| NINCLSIDE6(0, ns_ignored); |
| break; |
| case 1 : |
| NINCLSIDE6(0, ns_translated); |
| break; |
| } |
| return rval; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_in */ |
| /* Returns: int - -1 == packet failed NAT checks so block it, */ |
| /* 1 == packet was successfully translated. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT structure */ |
| /* natadd(I) - flag indicating if it is safe to add frag cache */ |
| /* nflags(I) - NAT flags set for this packet */ |
| /* Locks Held: (READ) */ |
| /* */ |
| /* Translate a packet coming "in" on an interface. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_in(fin, nat, natadd, nflags) |
| fr_info_t *fin; |
| nat_t *nat; |
| int natadd; |
| u_32_t nflags; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| struct icmp6_hdr *icmp6; |
| u_short *csump; |
| tcphdr_t *tcp; |
| ipnat_t *np; |
| int skip; |
| |
| tcp = NULL; |
| csump = NULL; |
| np = nat->nat_ptr; |
| fin->fin_fr = nat->nat_fr; |
| |
| if (np != NULL) { |
| if ((natadd != 0) && (fin->fin_flx & FI_FRAG)) |
| (void) ipf_frag_natnew(softc, fin, 0, nat); |
| |
| /* ------------------------------------------------------------- */ |
| /* A few quick notes: */ |
| /* Following are test conditions prior to calling the */ |
| /* appr_check routine. */ |
| /* */ |
| /* A NULL tcp indicates a non TCP/UDP packet. When dealing */ |
| /* with a map rule, we attempt to match the packet's */ |
| /* source port against in_dport, otherwise we'd compare the */ |
| /* packet's destination. */ |
| /* ------------------------------------------------------------- */ |
| if (np->in_apr != NULL) { |
| #ifdef IPF_V6_PROXIES |
| i = appr_check(fin, nat); |
| if (i == -1) { |
| NINCLSIDE6(0, ns_appr_fail); |
| return -1; |
| } |
| #endif |
| } |
| } |
| |
| #ifdef IPFILTER_SYNC |
| ipf_sync_update(softc, SMC_NAT, fin, nat->nat_sync); |
| #endif |
| |
| /* |
| * Fix up checksums, not by recalculating them, but |
| * simply computing adjustments. |
| * Why only do this for some platforms on inbound packets ? |
| * Because for those that it is done, IP processing is yet to happen |
| * and so the IPv4 header checksum has not yet been evaluated. |
| * Perhaps it should always be done for the benefit of things like |
| * fast forwarding (so that it doesn't need to be recomputed) but with |
| * header checksum offloading, perhaps it is a moot point. |
| */ |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| if ((fin->fin_flx & FI_ICMPERR) == 0) { |
| fin->fin_ip6->ip6_src = nat->nat_nsrc6.in6; |
| fin->fin_src6 = nat->nat_nsrc6; |
| } |
| fin->fin_ip6->ip6_dst = nat->nat_ndst6.in6; |
| fin->fin_dst6 = nat->nat_ndst6; |
| break; |
| |
| case NAT_OUTBOUND : |
| if ((fin->fin_flx & FI_ICMPERR) == 0) { |
| fin->fin_ip6->ip6_src = nat->nat_odst6.in6; |
| fin->fin_src6 = nat->nat_odst6; |
| } |
| fin->fin_ip6->ip6_dst = nat->nat_osrc6.in6; |
| fin->fin_dst6 = nat->nat_osrc6; |
| break; |
| |
| case NAT_ENCAPIN : |
| { |
| ip6_t *ip6; |
| mb_t *m; |
| |
| /* |
| * XXX |
| * This is not necessarily true. What we need to know here |
| * is the MTU of the interface out which the packets will go |
| * and this won't be nat6_ifps[1] because that is where we |
| * send packets after stripping off stuff - what's needed |
| * here is the MTU of the interface for the route to the |
| * destination of the outer header. |
| */ |
| if (ipf_nat6_encapok(fin, nat) == -1) |
| return -1; |
| |
| m = M_DUP(np->in_divmp); |
| if (m == NULL) { |
| NINCLSIDE6(0, ns_encap_dup); |
| return -1; |
| } |
| |
| ip6 = MTOD(m, ip6_t *); |
| ip6->ip6_plen = htons(fin->fin_plen + 8); |
| |
| PREP_MB_T(fin, m); |
| |
| fin->fin_ip6 = ip6; |
| fin->fin_plen += sizeof(ip6_t) + 8; /* UDP + new IPv6 hdr */ |
| fin->fin_dlen += sizeof(ip6_t) + 8; /* UDP + old IPv6 hdr */ |
| fin->fin_flx |= FI_ENCAP; |
| |
| nflags &= ~IPN_TCPUDPICMP; |
| |
| break; |
| } |
| |
| case NAT_DIVERTIN : |
| { |
| udphdr_t *uh; |
| ip6_t *ip6; |
| mb_t *m; |
| |
| m = M_DUP(np->in_divmp); |
| if (m == NULL) { |
| NINCLSIDE6(0, ns_divert_dup); |
| return -1; |
| } |
| |
| ip6 = MTOD(m, ip6_t *); |
| ip6->ip6_plen = htons(fin->fin_plen + sizeof(udphdr_t)); |
| |
| uh = (udphdr_t *)(ip6 + 1); |
| uh->uh_ulen = ntohs(fin->fin_plen); |
| |
| PREP_MB_T(fin, m); |
| |
| fin->fin_ip6 = ip6; |
| fin->fin_plen += sizeof(ip6_t) + 8; /* UDP + new IPv6 hdr */ |
| fin->fin_dlen += sizeof(ip6_t) + 8; /* UDP + old IPv6 hdr */ |
| |
| nflags &= ~IPN_TCPUDPICMP; |
| |
| break; |
| } |
| |
| case NAT_ENCAPOUT : |
| fin->fin_flx |= FI_ENCAP; |
| case NAT_DIVERTOUT : |
| { |
| mb_t *m; |
| |
| skip = ipf_nat6_decap(fin, nat); |
| if (skip <= 0) { |
| NINCLSIDE6(0, ns_decap_fail); |
| return -1; |
| } |
| |
| m = fin->fin_m; |
| |
| #if defined(MENTAT) && defined(_KERNEL) |
| m->b_rptr += skip; |
| #else |
| m->m_data += skip; |
| m->m_len -= skip; |
| |
| # ifdef M_PKTHDR |
| if (m->m_flags & M_PKTHDR) |
| m->m_pkthdr.len -= skip; |
| # endif |
| #endif |
| |
| ipf_nat_update(fin, nat); |
| fin->fin_flx |= FI_NATED; |
| if (np != NULL && np->in_tag.ipt_num[0] != 0) |
| fin->fin_nattag = &np->in_tag; |
| return 1; |
| /* NOTREACHED */ |
| } |
| } |
| if (nflags & IPN_TCPUDP) |
| tcp = fin->fin_dp; |
| |
| if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { |
| if ((nat->nat_odport != 0) && (nflags & IPN_TCPUDP)) { |
| switch (nat->nat_dir) |
| { |
| case NAT_INBOUND : |
| tcp->th_sport = nat->nat_nsport; |
| fin->fin_data[0] = ntohs(nat->nat_nsport); |
| tcp->th_dport = nat->nat_ndport; |
| fin->fin_data[1] = ntohs(nat->nat_ndport); |
| break; |
| |
| case NAT_OUTBOUND : |
| tcp->th_sport = nat->nat_odport; |
| fin->fin_data[0] = ntohs(nat->nat_odport); |
| tcp->th_dport = nat->nat_osport; |
| fin->fin_data[1] = ntohs(nat->nat_osport); |
| break; |
| } |
| } |
| |
| |
| if ((nat->nat_odport != 0) && (nflags & IPN_ICMPQUERY)) { |
| icmp6 = fin->fin_dp; |
| |
| icmp6->icmp6_id = nat->nat_nicmpid; |
| } |
| |
| csump = ipf_nat_proto(fin, nat, nflags); |
| } |
| |
| /* |
| * The above comments do not hold for layer 4 (or higher) checksums... |
| */ |
| if (csump != NULL) { |
| if (nat->nat_dir == NAT_OUTBOUND) |
| ipf_fix_incksum(fin, csump, nat->nat_sumd[0]); |
| else |
| ipf_fix_outcksum(fin, csump, nat->nat_sumd[0]); |
| } |
| fin->fin_flx |= FI_NATED; |
| if (np != NULL && np->in_tag.ipt_num[0] != 0) |
| fin->fin_nattag = &np->in_tag; |
| return 1; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_newrewrite */ |
| /* Returns: int - -1 == error, 0 == success (no move), 1 == success and */ |
| /* allow rule to be moved if IPN_ROUNDR is set. */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT entry */ |
| /* ni(I) - pointer to structure with misc. information needed */ |
| /* to create new NAT entry. */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* This function is responsible for setting up an active NAT session where */ |
| /* we are changing both the source and destination parameters at the same */ |
| /* time. The loop in here works differently to elsewhere - each iteration */ |
| /* is responsible for changing a single parameter that can be incremented. */ |
| /* So one pass may increase the source IP#, next source port, next dest. IP#*/ |
| /* and the last destination port for a total of 4 iterations to try each. */ |
| /* This is done to try and exhaustively use the translation space available.*/ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_newrewrite(fin, nat, nai) |
| fr_info_t *fin; |
| nat_t *nat; |
| natinfo_t *nai; |
| { |
| int src_search = 1; |
| int dst_search = 1; |
| fr_info_t frnat; |
| u_32_t flags; |
| u_short swap; |
| ipnat_t *np; |
| nat_t *natl; |
| int l = 0; |
| int changed; |
| |
| natl = NULL; |
| changed = -1; |
| np = nai->nai_np; |
| flags = nat->nat_flags; |
| bcopy((char *)fin, (char *)&frnat, sizeof(*fin)); |
| frnat.fin_state = NULL; |
| |
| nat->nat_hm = NULL; |
| |
| do { |
| changed = -1; |
| /* TRACE (l, src_search, dst_search, np) */ |
| |
| if ((src_search == 0) && (np->in_spnext == 0) && |
| (dst_search == 0) && (np->in_dpnext == 0)) { |
| if (l > 0) |
| return -1; |
| } |
| |
| /* |
| * Find a new source address |
| */ |
| if (ipf_nat6_nextaddr(fin, &np->in_nsrc, &frnat.fin_src6, |
| &frnat.fin_src6) == -1) { |
| return -1; |
| } |
| |
| if (IP6_ISZERO(&np->in_nsrcip6) && |
| IP6_ISONES(&np->in_nsrcmsk6)) { |
| src_search = 0; |
| if (np->in_stepnext == 0) |
| np->in_stepnext = 1; |
| |
| } else if (IP6_ISZERO(&np->in_nsrcip6) && |
| IP6_ISZERO(&np->in_nsrcmsk6)) { |
| src_search = 0; |
| if (np->in_stepnext == 0) |
| np->in_stepnext = 1; |
| |
| } else if (IP6_ISONES(&np->in_nsrcmsk)) { |
| src_search = 0; |
| if (np->in_stepnext == 0) |
| np->in_stepnext = 1; |
| |
| } else if (!IP6_ISONES(&np->in_nsrcmsk6)) { |
| if (np->in_stepnext == 0 && changed == -1) { |
| IP6_INC(&np->in_snip); |
| np->in_stepnext++; |
| changed = 0; |
| } |
| } |
| |
| if ((flags & IPN_TCPUDPICMP) != 0) { |
| if (np->in_spnext != 0) |
| frnat.fin_data[0] = np->in_spnext; |
| |
| /* |
| * Standard port translation. Select next port. |
| */ |
| if ((flags & IPN_FIXEDSPORT) != 0) { |
| np->in_stepnext = 2; |
| } else if ((np->in_stepnext == 1) && |
| (changed == -1) && (natl != NULL)) { |
| np->in_spnext++; |
| np->in_stepnext++; |
| changed = 1; |
| if (np->in_spnext > np->in_spmax) |
| np->in_spnext = np->in_spmin; |
| } |
| } else { |
| np->in_stepnext = 2; |
| } |
| np->in_stepnext &= 0x3; |
| |
| /* |
| * Find a new destination address |
| */ |
| /* TRACE (fin, np, l, frnat) */ |
| |
| if (ipf_nat6_nextaddr(fin, &np->in_ndst, &frnat.fin_dst6, |
| &frnat.fin_dst6) == -1) |
| return -1; |
| |
| if (IP6_ISZERO(&np->in_ndstip6) && |
| IP6_ISONES(&np->in_ndstmsk6)) { |
| dst_search = 0; |
| if (np->in_stepnext == 2) |
| np->in_stepnext = 3; |
| |
| } else if (IP6_ISZERO(&np->in_ndstip6) && |
| IP6_ISZERO(&np->in_ndstmsk6)) { |
| dst_search = 0; |
| if (np->in_stepnext == 2) |
| np->in_stepnext = 3; |
| |
| } else if (IP6_ISONES(&np->in_ndstmsk6)) { |
| dst_search = 0; |
| if (np->in_stepnext == 2) |
| np->in_stepnext = 3; |
| |
| } else if (!IP6_ISONES(&np->in_ndstmsk6)) { |
| if ((np->in_stepnext == 2) && (changed == -1) && |
| (natl != NULL)) { |
| changed = 2; |
| np->in_stepnext++; |
| IP6_INC(&np->in_dnip6); |
| } |
| } |
| |
| if ((flags & IPN_TCPUDPICMP) != 0) { |
| if (np->in_dpnext != 0) |
| frnat.fin_data[1] = np->in_dpnext; |
| |
| /* |
| * Standard port translation. Select next port. |
| */ |
| if ((flags & IPN_FIXEDDPORT) != 0) { |
| np->in_stepnext = 0; |
| } else if (np->in_stepnext == 3 && changed == -1) { |
| np->in_dpnext++; |
| np->in_stepnext++; |
| changed = 3; |
| if (np->in_dpnext > np->in_dpmax) |
| np->in_dpnext = np->in_dpmin; |
| } |
| } else { |
| if (np->in_stepnext == 3) |
| np->in_stepnext = 0; |
| } |
| |
| /* TRACE (frnat) */ |
| |
| /* |
| * Here we do a lookup of the connection as seen from |
| * the outside. If an IP# pair already exists, try |
| * again. So if you have A->B becomes C->B, you can |
| * also have D->E become C->E but not D->B causing |
| * another C->B. Also take protocol and ports into |
| * account when determining whether a pre-existing |
| * NAT setup will cause an external conflict where |
| * this is appropriate. |
| * |
| * fin_data[] is swapped around because we are doing a |
| * lookup of the packet is if it were moving in the opposite |
| * direction of the one we are working with now. |
| */ |
| if (flags & IPN_TCPUDP) { |
| swap = frnat.fin_data[0]; |
| frnat.fin_data[0] = frnat.fin_data[1]; |
| frnat.fin_data[1] = swap; |
| } |
| if (fin->fin_out == 1) { |
| natl = ipf_nat6_inlookup(&frnat, |
| flags & ~(SI_WILDP|NAT_SEARCH), |
| (u_int)frnat.fin_p, |
| &frnat.fin_dst6.in6, |
| &frnat.fin_src6.in6); |
| |
| } else { |
| natl = ipf_nat6_outlookup(&frnat, |
| flags & ~(SI_WILDP|NAT_SEARCH), |
| (u_int)frnat.fin_p, |
| &frnat.fin_dst6.in6, |
| &frnat.fin_src6.in6); |
| } |
| if (flags & IPN_TCPUDP) { |
| swap = frnat.fin_data[0]; |
| frnat.fin_data[0] = frnat.fin_data[1]; |
| frnat.fin_data[1] = swap; |
| } |
| |
| /* TRACE natl, in_stepnext, l */ |
| |
| if ((natl != NULL) && (l > 8)) /* XXX 8 is arbitrary */ |
| return -1; |
| |
| np->in_stepnext &= 0x3; |
| |
| l++; |
| changed = -1; |
| } while (natl != NULL); |
| nat->nat_osrc6 = fin->fin_src6; |
| nat->nat_odst6 = fin->fin_dst6; |
| nat->nat_nsrc6 = frnat.fin_src6; |
| nat->nat_ndst6 = frnat.fin_dst6; |
| |
| if ((flags & IPN_TCPUDPICMP) != 0) { |
| nat->nat_osport = htons(fin->fin_data[0]); |
| nat->nat_odport = htons(fin->fin_data[1]); |
| nat->nat_nsport = htons(frnat.fin_data[0]); |
| nat->nat_ndport = htons(frnat.fin_data[1]); |
| } |
| |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_newdivert */ |
| /* Returns: int - -1 == error, 0 == success */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to NAT entry */ |
| /* ni(I) - pointer to structure with misc. information needed */ |
| /* to create new NAT entry. */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* Create a new NAT encap/divert session as defined by the NAT rule. This */ |
| /* is somewhat different to other NAT session creation routines because we */ |
| /* do not iterate through either port numbers or IP addresses, searching */ |
| /* for a unique mapping, however, a complimentary duplicate check is made. */ |
| /* ------------------------------------------------------------------------ */ |
| int |
| ipf_nat6_newdivert(fin, nat, nai) |
| fr_info_t *fin; |
| nat_t *nat; |
| natinfo_t *nai; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| fr_info_t frnat; |
| ipnat_t *np; |
| nat_t *natl; |
| int p; |
| |
| np = nai->nai_np; |
| bcopy((char *)fin, (char *)&frnat, sizeof(*fin)); |
| |
| nat->nat_pr[0] = 0; |
| nat->nat_osrc6 = fin->fin_src6; |
| nat->nat_odst6 = fin->fin_dst6; |
| nat->nat_osport = htons(fin->fin_data[0]); |
| nat->nat_odport = htons(fin->fin_data[1]); |
| frnat.fin_src6 = np->in_snip6; |
| frnat.fin_dst6 = np->in_dnip6; |
| |
| if (np->in_redir & NAT_DIVERTUDP) { |
| frnat.fin_data[0] = np->in_spnext; |
| frnat.fin_data[1] = np->in_dpnext; |
| frnat.fin_flx |= FI_TCPUDP; |
| p = IPPROTO_UDP; |
| } else { |
| frnat.fin_flx &= ~FI_TCPUDP; |
| p = IPPROTO_IPIP; |
| } |
| |
| if (fin->fin_out == 1) { |
| natl = ipf_nat6_inlookup(&frnat, 0, p, &frnat.fin_dst6.in6, |
| &frnat.fin_src6.in6); |
| |
| } else { |
| natl = ipf_nat6_outlookup(&frnat, 0, p, &frnat.fin_dst6.in6, |
| &frnat.fin_src6.in6); |
| } |
| |
| if (natl != NULL) { |
| NINCLSIDE6(fin->fin_out, ns_divert_exist); |
| return -1; |
| } |
| |
| nat->nat_nsrc6 = frnat.fin_src6; |
| nat->nat_ndst6 = frnat.fin_dst6; |
| if (np->in_redir & NAT_DIVERTUDP) { |
| nat->nat_nsport = htons(frnat.fin_data[0]); |
| nat->nat_ndport = htons(frnat.fin_data[1]); |
| } |
| nat->nat_pr[fin->fin_out] = fin->fin_p; |
| nat->nat_pr[1 - fin->fin_out] = p; |
| |
| if (np->in_redir & NAT_ENCAP) { |
| if (np->in_redir & NAT_REDIRECT) |
| nat->nat_dir = NAT_ENCAPIN; |
| else |
| nat->nat_dir = NAT_ENCAPOUT; |
| } else { |
| if (np->in_redir & NAT_REDIRECT) |
| nat->nat_dir = NAT_DIVERTIN; |
| else |
| nat->nat_dir = NAT_DIVERTOUT; |
| } |
| |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: nat6_builddivertmp */ |
| /* Returns: int - -1 == error, 0 == success */ |
| /* Parameters: np(I) - pointer to a NAT rule */ |
| /* */ |
| /* For encap/divert rules, a skeleton packet representing what will be */ |
| /* prepended to the real packet is created. Even though we don't have the */ |
| /* full packet here, a checksum is calculated that we update later when we */ |
| /* fill in the final details. At present a 0 checksum for UDP is being set */ |
| /* here because it is expected that divert will be used for localhost. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_builddivertmp(softn, np) |
| ipf_nat_softc_t *softn; |
| ipnat_t *np; |
| { |
| udphdr_t *uh; |
| size_t len; |
| ip6_t *ip6; |
| |
| if ((np->in_redir & NAT_DIVERTUDP) != 0) |
| len = sizeof(ip6_t) + sizeof(udphdr_t); |
| else |
| len = sizeof(ip6_t); |
| |
| ALLOC_MB_T(np->in_divmp, len); |
| if (np->in_divmp == NULL) { |
| ATOMIC_INCL(softn->ipf_nat_stats.ns_divert_build); |
| return -1; |
| } |
| |
| /* |
| * First, the header to get the packet diverted to the new destination |
| */ |
| ip6 = MTOD(np->in_divmp, ip6_t *); |
| ip6->ip6_vfc = 0x60; |
| if ((np->in_redir & NAT_DIVERTUDP) != 0) |
| ip6->ip6_nxt = IPPROTO_UDP; |
| else |
| ip6->ip6_nxt = IPPROTO_IPIP; |
| ip6->ip6_hlim = 255; |
| ip6->ip6_plen = 0; |
| ip6->ip6_src = np->in_snip6.in6; |
| ip6->ip6_dst = np->in_dnip6.in6; |
| |
| if (np->in_redir & NAT_DIVERTUDP) { |
| uh = (udphdr_t *)((u_char *)ip6 + sizeof(*ip6)); |
| uh->uh_sum = 0; |
| uh->uh_ulen = 8; |
| uh->uh_sport = htons(np->in_spnext); |
| uh->uh_dport = htons(np->in_dpnext); |
| } |
| |
| return 0; |
| } |
| |
| |
| #define MINDECAP (sizeof(ip6_t) + sizeof(udphdr_t) + sizeof(ip6_t)) |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: nat6_decap */ |
| /* Returns: int - -1 == error, 0 == success */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to current NAT session */ |
| /* */ |
| /* This function is responsible for undoing a packet's encapsulation in the */ |
| /* reverse of an encap/divert rule. After removing the outer encapsulation */ |
| /* it is necessary to call ipf_makefrip() again so that the contents of 'fin'*/ |
| /* match the "new" packet as it may still be used by IPFilter elsewhere. */ |
| /* We use "dir" here as the basis for some of the expectations about the */ |
| /* outer header. If we return an error, the goal is to leave the original */ |
| /* packet information undisturbed - this falls short at the end where we'd */ |
| /* need to back a backup copy of "fin" - expensive. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_decap(fin, nat) |
| fr_info_t *fin; |
| nat_t *nat; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| char *hdr; |
| int skip; |
| mb_t *m; |
| |
| if ((fin->fin_flx & FI_ICMPERR) != 0) { |
| return 0; |
| } |
| |
| m = fin->fin_m; |
| skip = fin->fin_hlen; |
| |
| switch (nat->nat_dir) |
| { |
| case NAT_DIVERTIN : |
| case NAT_DIVERTOUT : |
| if (fin->fin_plen < MINDECAP) |
| return -1; |
| skip += sizeof(udphdr_t); |
| break; |
| |
| case NAT_ENCAPIN : |
| case NAT_ENCAPOUT : |
| if (fin->fin_plen < (skip + sizeof(ip6_t))) |
| return -1; |
| break; |
| default : |
| return -1; |
| /* NOTREACHED */ |
| } |
| |
| /* |
| * The aim here is to keep the original packet details in "fin" for |
| * as long as possible so that returning with an error is for the |
| * original packet and there is little undoing work to do. |
| */ |
| if (M_LEN(m) < skip + sizeof(ip6_t)) { |
| if (ipf_pr_pullup(fin, skip + sizeof(ip6_t)) == -1) |
| return -1; |
| } |
| |
| hdr = MTOD(fin->fin_m, char *); |
| fin->fin_ip6 = (ip6_t *)(hdr + skip); |
| |
| if (ipf_pr_pullup(fin, skip + sizeof(ip6_t)) == -1) { |
| NINCLSIDE6(fin->fin_out, ns_decap_pullup); |
| return -1; |
| } |
| |
| fin->fin_hlen = sizeof(ip6_t); |
| fin->fin_dlen -= skip; |
| fin->fin_plen -= skip; |
| fin->fin_ipoff += skip; |
| |
| if (ipf_makefrip(sizeof(ip6_t), (ip_t *)hdr, fin) == -1) { |
| NINCLSIDE6(fin->fin_out, ns_decap_bad); |
| return -1; |
| } |
| |
| return skip; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: nat6_matchencap */ |
| /* Returns: int - -1 == packet error, 1 == success, 0 = no match */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* np(I) - pointer to a NAT rule */ |
| /* */ |
| /* To properly compare a packet travelling in the reverse direction to an */ |
| /* encap rule, it needs to be pseudo-decapsulated so we can check if a */ |
| /* reply to it would be encapsulated. In doing this, we have to be careful */ |
| /* so as not to actually do any decapsulation nor affect any of the current */ |
| /* stored parameters in "fin" so that we can continue processing it else- */ |
| /* where if it doesn't match. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_matchencap(fin, np) |
| fr_info_t *fin; |
| ipnat_t *np; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| int match, skip; |
| u_short *ports; |
| frtuc_t *ft; |
| fr_ip_t fi; |
| ip6_t *ip6; |
| char *hdr; |
| mb_t *m; |
| |
| /* |
| * This function is only for matching packets that are appearing from |
| * the reverse direction against "encap" rules. |
| */ |
| if (fin->fin_out == 1) { |
| if ((np->in_redir & NAT_REDIRECT) == 0) |
| return 0; |
| } else { |
| if ((np->in_redir & NAT_MAP) == 0) |
| return 0; |
| } |
| if (np->in_pr[fin->fin_out] != fin->fin_p) |
| return 0; |
| |
| /* |
| * The aim here is to keep the original packet details in "fin" for |
| * as long as possible so that returning with an error is for the |
| * original packet and there is little undoing work to do. |
| */ |
| m = fin->fin_m; |
| skip = fin->fin_hlen; |
| if (M_LEN(m) < skip + sizeof(ip6_t)) { |
| if (ipf_pr_pullup(fin, sizeof(ip6_t)) == -1) { |
| NINCLSIDE6(fin->fin_out, ns_encap_pullup); |
| return -1; |
| } |
| } |
| |
| hdr = MTOD(fin->fin_m, char *); |
| ip6 = (ip6_t *)(hdr + skip); |
| |
| match = 1; |
| |
| /* |
| * Now we should have the entire innder header, so match up the |
| * address fields - easy enough. Reverse matching of source and |
| * destination because this is purportedly a "reply" to an encap rule. |
| */ |
| switch (np->in_osrcatype) |
| { |
| case FRI_NORMAL : |
| match = IP6_MASKNEQ(&ip6->ip6_dst, &np->in_osrcmsk6, |
| &np->in_osrcip6); |
| break; |
| case FRI_LOOKUP : |
| match = (*np->in_osrcfunc)(softc, np->in_osrcptr, np->in_v[0], |
| &ip6->ip6_dst); |
| break; |
| } |
| if (match) |
| return 0; |
| |
| switch (np->in_odstatype) |
| { |
| case FRI_NORMAL : |
| match = IP6_MASKNEQ(&ip6->ip6_src, &np->in_odstmsk6, |
| &np->in_odstip6); |
| break; |
| case FRI_LOOKUP : |
| match = (*np->in_odstfunc)(softc, np->in_odstptr, np->in_v[0], |
| &ip6->ip6_src); |
| break; |
| } |
| if (match) |
| return 0; |
| |
| ft = &np->in_tuc; |
| |
| switch (ip6->ip6_nxt) |
| { |
| case IPPROTO_TCP : |
| case IPPROTO_UDP : |
| /* |
| * Only need to fetch port numbers for NAT |
| */ |
| if (ipf_pr_pullup(fin, sizeof(ip6_t) + 4) == -1) { |
| NBUMPSIDE6(fin->fin_out, ns_encap_pullup); |
| return -1; |
| } |
| |
| ports = (u_short *)((char *)ip6 + sizeof(ip6_t)); |
| |
| fi.fi_tcpf = 0; |
| /* |
| * And again, because we're simulating a reply, put the port |
| * numbers in the revese place to where they are now. |
| */ |
| fi.fi_ports[0] = ntohs(ports[1]); |
| fi.fi_ports[1] = ntohs(ports[0]); |
| return ipf_tcpudpchk(&fi, ft); |
| |
| /* NOTREACHED */ |
| |
| default : |
| if (ft->ftu_scmp || ft->ftu_dcmp) |
| return 0; |
| break; |
| } |
| |
| return 1; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: nat6_nextaddr */ |
| /* Returns: int - -1 == bad input (no new address), */ |
| /* 0 == success and dst has new address */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* na(I) - how to generate new address */ |
| /* old(I) - original address being replaced */ |
| /* dst(O) - where to put the new address */ |
| /* Write Lock: ipf_nat */ |
| /* */ |
| /* This function uses the contents of the "na" structure, in combination */ |
| /* with "old" to produce a new address to store in "dst". Not all of the */ |
| /* possible uses of "na" will result in a new address. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_nextaddr(fin, na, old, dst) |
| fr_info_t *fin; |
| nat_addr_t *na; |
| i6addr_t *old, *dst; |
| { |
| ipf_main_softc_t *softc = fin->fin_main_soft; |
| ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| u_32_t min, max; |
| i6addr_t newip, new; |
| |
| new.i6[0] = 0; |
| new.i6[1] = 0; |
| new.i6[2] = 0; |
| new.i6[3] = 0; |
| min = na->na_addr[0].in4.s_addr; |
| |
| switch (na->na_atype) |
| { |
| case FRI_RANGE : |
| max = na->na_addr[1].in4.s_addr; |
| break; |
| |
| case FRI_NETMASKED : |
| case FRI_DYNAMIC : |
| case FRI_NORMAL : |
| /* |
| * Compute the maximum address by adding the inverse of the |
| * netmask to the minimum address. |
| */ |
| max = ~na->na_addr[1].in4.s_addr; |
| max |= min; |
| break; |
| |
| case FRI_BROADCAST : |
| case FRI_PEERADDR : |
| case FRI_NETWORK : |
| case FRI_LOOKUP : |
| default : |
| return -1; |
| } |
| |
| switch (na->na_function) |
| { |
| case NA_RANDOM : |
| #ifdef NEED_128BIT_MATH |
| range = ntohl(max) - ntohl(min); |
| new = ipf_random() % range; |
| new += ntohl(min); |
| new = htonl(new); |
| #endif |
| break; |
| |
| case NA_NORMAL : |
| /* |
| * 0/0 as the new address means leave it alone. |
| */ |
| if (na->na_addr[0].in4.s_addr == 0 && |
| na->na_addr[1].in4.s_addr == 0) { |
| new = *old; |
| |
| /* |
| * 0/32 means get the interface's address |
| */ |
| } else if (IP6_ISZERO(&na->na_addr[0].in6) && |
| IP6_ISONES(&na->na_addr[1].in6)) { |
| if (ipf_ifpaddr(softc, 6, na->na_atype, |
| fin->fin_ifp, &newip, NULL) == -1) { |
| NBUMPSIDE6(fin->fin_out, ns_ifpaddrfail); |
| return -1; |
| } |
| new = newip; |
| } else { |
| new.in6 = na->na_nextip6; |
| } |
| break; |
| |
| case NA_HASHMD5 : |
| { |
| #ifdef NEED_128BIT_MATH |
| u_char hash[16]; |
| MD5_CTX ctx; |
| |
| range = ntohl(max) - ntohl(min); |
| |
| MD5Init(&ctx); |
| MD5Update(&ctx, (u_char *)dst, sizeof(struct in6_addr)); |
| MD5Final(hash, &ctx); |
| new = 0; |
| if (range > 0xffffff) |
| new = hash[0]; |
| new <<= 8; |
| if (range > 0xffff) |
| new |= hash[1]; |
| new <<= 8; |
| if (range > 0xff) |
| new |= hash[2]; |
| new <<= 8; |
| new |= hash[3]; |
| new %= range; |
| new += ntohl(min); |
| new = htonl(new); |
| #endif |
| break; |
| } |
| default : |
| NBUMPSIDE6(fin->fin_out, ns_badnextaddr); |
| return -1; |
| } |
| |
| *dst = new; |
| |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_nextaddrinit */ |
| /* Returns: int - 0 == success, else error number */ |
| /* Parameters: na(I) - NAT address information for generating new addr*/ |
| /* initial(I) - flag indicating if it is the first call for */ |
| /* this "na" structure. */ |
| /* ifp(I) - network interface to derive address */ |
| /* information from. */ |
| /* */ |
| /* This function is expected to be called in two scenarious: when a new NAT */ |
| /* rule is loaded into the kernel and when the list of NAT rules is sync'd */ |
| /* up with the valid network interfaces (possibly due to them changing.) */ |
| /* To distinguish between these, the "initial" parameter is used. If it is */ |
| /* 1 then this indicates the rule has just been reloaded and 0 for when we */ |
| /* are updating information. This difference is important because in */ |
| /* instances where we are not updating address information associated with */ |
| /* a network interface, we don't want to disturb what the "next" address to */ |
| /* come out of ipf_nat6_nextaddr() will be. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_nextaddrinit(softc, na, initial, ifp) |
| ipf_main_softc_t *softc; |
| nat_addr_t *na; |
| int initial; |
| void *ifp; |
| { |
| switch (na->na_atype) |
| { |
| case FRI_LOOKUP : |
| if (na->na_ptr == NULL) { |
| na->na_ptr = ipf_lookup_res_num(softc, na->na_type, |
| IPL_LOGNAT, |
| na->na_num, |
| &na->na_func); |
| } |
| if (na->na_ptr == NULL) { |
| softc->ipf_interror = 160056; |
| return ESRCH; |
| } |
| break; |
| case FRI_DYNAMIC : |
| case FRI_BROADCAST : |
| case FRI_NETWORK : |
| case FRI_NETMASKED : |
| case FRI_PEERADDR : |
| if (ifp != NULL) |
| (void )ipf_ifpaddr(softc, 6, na->na_atype, ifp, |
| &na->na_addr[0], |
| &na->na_addr[1]); |
| break; |
| |
| case FRI_SPLIT : |
| case FRI_RANGE : |
| if (initial) |
| na->na_nextip6 = na->na_addr[0].in6; |
| break; |
| |
| case FRI_NONE : |
| IP6_ANDASSIGN(&na->na_addr[0].in6, &na->na_addr[1].in6); |
| return 0; |
| |
| case FRI_NORMAL : |
| IP6_ANDASSIGN(&na->na_addr[0].in6, &na->na_addr[1].in6); |
| break; |
| |
| default : |
| softc->ipf_interror = 160054; |
| return EINVAL; |
| } |
| |
| if (initial && (na->na_atype == FRI_NORMAL)) { |
| if (IP6_ISZERO(&na->na_addr[0].in6)) { |
| if (IP6_ISONES(&na->na_addr[1].in6) || |
| IP6_ISZERO(&na->na_addr[1].in6)) { |
| return 0; |
| } |
| } |
| |
| na->na_nextip6 = na->na_addr[0].in6; |
| if (!IP6_ISONES(&na->na_addr[1].in6)) { |
| IP6_INC(&na->na_nextip6); |
| } |
| } |
| |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: nat6_encapok */ |
| /* Returns: int - -1 == MTU not big enough, 0 == ok to send packet */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to current NAT session */ |
| /* */ |
| /* The purpose of this function is to determine whether or not a packet can */ |
| /* be sent out of a network interface after it has been encapsulated, before*/ |
| /* the actual encapsulation happens. If it cannot - because the "Don't */ |
| /* fragment" bit has been set - then generate an ICMP error message back to */ |
| /* the origin of the packet, informing it that the packet is too big and */ |
| /* what the actual MTU out for the connection is. */ |
| /* */ |
| /* At present the only question this would leave for strange behaviour is */ |
| /* with local connections that will go out an encapsulation as sending of */ |
| /* ICMP messages to local destinations isn't considered robust. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_encapok(fin, nat) |
| fr_info_t *fin; |
| nat_t *nat; |
| { |
| #ifdef INSTANCES |
| ipf_main_softc_t *softc = fin->fin_main_soft; /* For GETIFMTU_6 */ |
| #endif |
| void *sifp; |
| ipnat_t *n; |
| int extra; |
| int mtu; |
| |
| n = nat->nat_ptr; |
| |
| if (n->in_redir & NAT_ENCAP) { |
| extra = sizeof(ip6_t); |
| |
| } else { |
| return 0; |
| } |
| |
| mtu = GETIFMTU_6(nat->nat_ifps[1]); |
| |
| if (fin->fin_plen + extra < mtu) |
| return 0; |
| |
| sifp = fin->fin_ifp; |
| fin->fin_ifp = NULL; |
| fin->fin_icode = 0; |
| fin->fin_mtu = mtu - extra; |
| |
| (void) ipf_send_icmp_err(ICMP6_PACKET_TOO_BIG, fin, 1); |
| |
| fin->fin_mtu = 0; |
| |
| return -1; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_rebuildencapicmp */ |
| /* Returns: int - -1 == error, 0 == success */ |
| /* Parameters: fin(I) - pointer to packet information */ |
| /* nat(I) - pointer to current NAT session */ |
| /* */ |
| /* For ICMP replies received in response to packets we've encapsulated on */ |
| /* the way out, we need to replace all of the addressing fields found in */ |
| /* the data section of the ICMP header. The ICMP packet is going to */ |
| /* contain the the IP packet we sent out (IPENCAP) plus at least 64 bits of */ |
| /* the original IP packet - not something that will be of use to the origin */ |
| /* of the offending packet. */ |
| /* ------------------------------------------------------------------------ */ |
| static nat_t * |
| ipf_nat6_rebuildencapicmp(fin, nat) |
| fr_info_t *fin; |
| nat_t *nat; |
| { |
| struct icmp6_hdr *icmp6; |
| udphdr_t *udp; |
| ip6_t *oip6; |
| int p; |
| |
| icmp6 = fin->fin_dp; |
| oip6 = (ip6_t *)((u_char *)icmp6 + sizeof(*icmp6)); |
| |
| if (fin->fin_out == 0) { |
| if (nat->nat_dir == NAT_ENCAPIN) { |
| oip6->ip6_src = nat->nat_odst6.in6; |
| oip6->ip6_dst = nat->nat_osrc6.in6; |
| } else { |
| oip6->ip6_src = nat->nat_osrc6.in6; |
| oip6->ip6_dst = nat->nat_odst6.in6; |
| } |
| } else { |
| if (nat->nat_dir == NAT_ENCAPIN) { |
| oip6->ip6_src = nat->nat_osrc6.in6; |
| oip6->ip6_dst = nat->nat_odst6.in6; |
| } else { |
| oip6->ip6_src = nat->nat_odst6.in6; |
| oip6->ip6_dst = nat->nat_osrc6.in6; |
| } |
| } |
| |
| udp = (udphdr_t *)(oip6 + 1); |
| |
| /* |
| * We use nat6_p here because the original UDP header is quite likely |
| * to have been lost - the error packet returned contains the outer |
| * encapsulation header plus 64 bits of the inner IP header, no room |
| * for a UDP or TCP header unless extra data is returned. |
| * |
| * XXX - If the entire original packet has been included (possible) |
| * then we should be just stripping off the outer encapsulation. |
| * This is a "todo" for the near future. |
| */ |
| p = nat->nat_pr[1 - fin->fin_out]; |
| |
| switch (p) |
| { |
| case IPPROTO_UDP : |
| udp->uh_sum = 0; |
| break; |
| case IPPROTO_TCP : |
| /* |
| * NAT doesn't track the sequence number so we can't pretend |
| * to know what value this field should carry. |
| */ |
| ((tcphdr_t *)udp)->th_seq = 0; |
| break; |
| default : |
| break; |
| } |
| |
| if (p == IPPROTO_TCP || p == IPPROTO_UDP) { |
| if (fin->fin_out == 0) { |
| if (nat->nat_dir == NAT_ENCAPIN) { |
| udp->uh_sport = nat->nat_odport; |
| udp->uh_dport = nat->nat_osport; |
| } else { |
| udp->uh_sport = nat->nat_osport; |
| udp->uh_dport = nat->nat_odport; |
| } |
| } else { |
| if (nat->nat_dir == NAT_ENCAPIN) { |
| udp->uh_sport = nat->nat_osport; |
| udp->uh_dport = nat->nat_odport; |
| } else { |
| udp->uh_sport = nat->nat_odport; |
| udp->uh_dport = nat->nat_osport; |
| } |
| } |
| } |
| |
| /* TRACE (fin,oip,udp,icmp6) */ |
| oip6->ip6_nxt = nat->nat_pr[1 - fin->fin_out]; |
| |
| /* |
| * Reduce the next MTU setting by the size of the encap header |
| */ |
| if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG) { |
| icmp6->icmp6_mtu = ntohs(icmp6->icmp6_mtu); |
| icmp6->icmp6_mtu -= sizeof(ip6_t); |
| icmp6->icmp6_mtu = htons(icmp6->icmp6_mtu); |
| } |
| |
| icmp6->icmp6_cksum = 0; |
| icmp6->icmp6_cksum = ipf_cksum((u_short *)icmp6, fin->fin_dlen); |
| |
| /* TRACE (fin,oip,udp,icmp6) */ |
| |
| return 0; |
| } |
| |
| |
| /* ------------------------------------------------------------------------ */ |
| /* Function: ipf_nat6_icmpquerytype */ |
| /* Returns: int - 1 == success, 0 == failure */ |
| /* Parameters: icmptype(I) - ICMP type number */ |
| /* */ |
| /* Tests to see if the ICMP type number passed is a query/response type or */ |
| /* not. */ |
| /* ------------------------------------------------------------------------ */ |
| static int |
| ipf_nat6_icmpquerytype(icmptype) |
| int icmptype; |
| { |
| |
| /* |
| * For the ICMP query NAT code, it is essential that both the query |
| * and the reply match on the NAT rule. Because the NAT structure |
| * does not keep track of the icmptype, and a single NAT structure |
| * is used for all icmp types with the same src, dest and id, we |
| * simply define the replies as queries as well. The funny thing is, |
| * altough it seems silly to call a reply a query, this is exactly |
| * as it is defined in the IPv4 specification |
| */ |
| |
| switch (icmptype) |
| { |
| |
| case ICMP6_ECHO_REPLY: |
| case ICMP6_ECHO_REQUEST: |
| /* route aedvertisement/solliciation is currently unsupported: */ |
| /* it would require rewriting the ICMP data section */ |
| case ICMP6_MEMBERSHIP_QUERY: |
| case ICMP6_MEMBERSHIP_REPORT: |
| case ICMP6_MEMBERSHIP_REDUCTION: |
| case ICMP6_WRUREQUEST: |
| case ICMP6_WRUREPLY: |
| case MLD6_MTRACE_RESP: |
| case MLD6_MTRACE: |
| return 1; |
| default: |
| return 0; |
| } |
| } |
| #endif /* USE_INET6 */ |