authorbrian <brian@FreeBSD.org>2001-07-09 00:07:56 +0000
committerbrian <brian@FreeBSD.org>2001-07-09 00:07:56 +0000
commita3c5f8aba87d93c250f7cb3d4bab46a073cb8845 (patch)
tree3cfe71b4d9d924cff7901b12f0b8114b3c473acd
parent9b020ad7f31f9cfaf3c9d09136b71525dbe116e2 (diff)
Add a ``nat proto'' command -- similar to natd(8)'s -redirect_proto switch.
MFC after: 3 weeks
-rw-r--r--usr.sbin/ppp/command.c2
-rw-r--r--usr.sbin/ppp/nat_cmd.c68
-rw-r--r--usr.sbin/ppp/nat_cmd.h1
-rw-r--r--usr.sbin/ppp/ppp.823
-rw-r--r--usr.sbin/ppp/ppp.8.m423
5 files changed, 117 insertions, 0 deletions
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 48b2c93..4a11154 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -632,6 +632,8 @@ static struct cmdtab const NatCommands[] =
(const void *) PKT_ALIAS_LOG},
{"port", NULL, nat_RedirectPort, LOCAL_AUTH, "port redirection",
"nat port proto localaddr:port[-port] aliasport[-aliasport]"},
+ {"proto", NULL, nat_RedirectProto, LOCAL_AUTH, "protocol redirection",
+ "nat proto proto localIP [publicIP [remoteIP]]"},
{"proxy", NULL, nat_ProxyRule, LOCAL_AUTH,
"proxy control", "nat proxy server host[:port] ..."},
{"same_ports", NULL, NatOption, LOCAL_AUTH,
diff --git a/usr.sbin/ppp/nat_cmd.c b/usr.sbin/ppp/nat_cmd.c
index a4bdbb3..05ede84 100644
--- a/usr.sbin/ppp/nat_cmd.c
+++ b/usr.sbin/ppp/nat_cmd.c
@@ -229,6 +229,74 @@ nat_RedirectAddr(struct cmdargs const *arg)
}
+int
+nat_RedirectProto(struct cmdargs const *arg)
+{
+ if (!arg->bundle->NatEnabled) {
+ prompt_Printf(arg->prompt, "nat not enabled\n");
+ return 1;
+ } else if (arg->argc >= arg->argn + 2 && arg->argc <= arg->argn + 4) {
+ struct in_addr localIP, publicIP, remoteIP;
+ struct alias_link *link;
+ struct protoent *pe;
+ int error, len;
+
+ len = strlen(arg->argv[arg->argn]);
+ if (len == 0) {
+ prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
+ return 1;
+ }
+ if (strspn(arg->argv[arg->argn], "01234567") == len)
+ pe = getprotobynumber(atoi(arg->argv[arg->argn]));
+ else
+ pe = getprotobyname(arg->argv[arg->argn]);
+ if (pe == NULL) {
+ prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
+ return 1;
+ }
+
+ error = StrToAddr(arg->argv[arg->argn + 1], &localIP);
+ if (error) {
+ prompt_Printf(arg->prompt, "proto redirect: invalid src address\n");
+ return 1;
+ }
+
+ if (arg->argc >= arg->argn + 3) {
+ error = StrToAddr(arg->argv[arg->argn + 2], &publicIP);
+ if (error) {
+ prompt_Printf(arg->prompt, "proto redirect: invalid alias address\n");
+ prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+ arg->cmd->syntax);
+ return 1;
+ }
+ } else
+ publicIP.s_addr = INADDR_ANY;
+
+ if (arg->argc == arg->argn + 4) {
+ error = StrToAddr(arg->argv[arg->argn + 2], &remoteIP);
+ if (error) {
+ prompt_Printf(arg->prompt, "proto redirect: invalid dst address\n");
+ prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+ arg->cmd->syntax);
+ return 1;
+ }
+ } else
+ remoteIP.s_addr = INADDR_ANY;
+
+ link = PacketAliasRedirectProto(localIP, remoteIP, publicIP, pe->p_proto);
+ if (link == NULL) {
+ prompt_Printf(arg->prompt, "proto redirect: packet aliasing"
+ " engine error\n");
+ prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+ arg->cmd->syntax);
+ }
+ } else
+ return -1;
+
+ return 0;
+}
+
+
static int
StrToAddr(const char *str, struct in_addr *addr)
{
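Review bot: The remoteIP branch of nat_RedirectProto parses `arg->argv[arg->argn + 2]`, the same argument already consumed for publicIP, so the fourth argument is never read and the source-address restriction passed to PacketAliasRedirectProto() is not the peer the operator typed; the line should be `error = StrToAddr(arg->argv[arg->argn + 3], &remoteIP);`. The numeric-protocol test uses the digit set `"01234567"`, so any protocol number containing 8 or 9 is sent to getprotobyname() instead and will most likely be rejected as invalid; `"0123456789"` looks like what was intended. The value from `atoi()` is also passed to getprotobynumber() without a range check. When PacketAliasRedirectProto() returns NULL the branch prints the engine error but still falls through to `return 0`, so a redirect that was not installed is reported as success; a `return 1;` at the end of that branch would match the other error paths in this function.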
diff --git a/usr.sbin/ppp/nat_cmd.h b/usr.sbin/ppp/nat_cmd.h
index 6107772..47f38ee 100644
--- a/usr.sbin/ppp/nat_cmd.h
+++ b/usr.sbin/ppp/nat_cmd.h
@@ -31,6 +31,7 @@ struct cmdargs;
extern int nat_RedirectPort(struct cmdargs const *);
extern int nat_RedirectAddr(struct cmdargs const *);
+extern int nat_RedirectProto(struct cmdargs const *);
extern int nat_ProxyRule(struct cmdargs const *);
extern int nat_SetTarget(struct cmdargs const *);
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8
index 7b684c8..e74e2cd 100644
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@@ -3370,6 +3370,28 @@ or a range of ports the same size as the other ranges.
This option is useful if you wish to run things like Internet phone on
machines behind your gateway, but is limited in that connections to only
one interior machine per source machine and target port are possible.
+.It nat proto Ar proto localIP Op Ar publicIP Op Ar remoteIP
+This command tells
+.Nm
+to redirect packets of protocol type
+.Ar proto
+.Pq see Xr protocols 5
+to the internall address
+.Ar localIP .
+.Pp
+If
+.Ar publicIP
+is specified, only packets destined for that address are matched,
+otherwise the default alias address is used.
+.Pp
+If
+.Ar remoteIP
+is specified, only packets matching that source address are matched,
+.Pp
+This command is useful for redirecting tunnel endpoints to an internal machine,
+for example:
+.Pp
+.Dl nat proto ipencap 10.0.0.1
.It "nat proxy cmd" Ar arg Ns No ...
This command tells
.Nm
@@ -5646,6 +5668,7 @@ This socket is used to pass links between different instances of
.Xr crontab 5 ,
.Xr group 5 ,
.Xr passwd 5 ,
+.Xr protocols 5 ,
.Xr radius.conf 5 ,
.Xr resolv.conf 5 ,
.Xr syslog.conf 5 ,
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 7b684c8..e74e2cd 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -3370,6 +3370,28 @@ or a range of ports the same size as the other ranges.
This option is useful if you wish to run things like Internet phone on
machines behind your gateway, but is limited in that connections to only
one interior machine per source machine and target port are possible.
+.It nat proto Ar proto localIP Op Ar publicIP Op Ar remoteIP
+This command tells
+.Nm
+to redirect packets of protocol type
+.Ar proto
+.Pq see Xr protocols 5
+to the internall address
+.Ar localIP .
+.Pp
+If
+.Ar publicIP
+is specified, only packets destined for that address are matched,
+otherwise the default alias address is used.
+.Pp
+If
+.Ar remoteIP
+is specified, only packets matching that source address are matched,
+.Pp
+This command is useful for redirecting tunnel endpoints to an internal machine,
+for example:
+.Pp
+.Dl nat proto ipencap 10.0.0.1
.It "nat proxy cmd" Ar arg Ns No ...
This command tells
.Nm
@@ -5646,6 +5668,7 @@ This socket is used to pass links between different instances of
.Xr crontab 5 ,
.Xr group 5 ,
.Xr passwd 5 ,
+.Xr protocols 5 ,
.Xr radius.conf 5 ,
.Xr resolv.conf 5 ,
.Xr syslog.conf 5 ,