fix conflicts

author: darrenr <darrenr@FreeBSD.org> 2000-05-24 04:01:30 +0000
committer: darrenr <darrenr@FreeBSD.org> 2000-05-24 04:01:30 +0000
commit: 3a99aee60f0a28e131e1ae80b6da2da06700a956 (patch)
tree: 82a735415c85206fcb15a0a9b5d5f6d7f92b604a /sys/contrib
parent: 9c26b06dba2d89b362983cd4e3bf5f9d7d1ff971 (diff)
download: FreeBSD-src-3a99aee60f0a28e131e1ae80b6da2da06700a956.zip
FreeBSD-src-3a99aee60f0a28e131e1ae80b6da2da06700a956.tar.gz
2 files changed, 831 insertions, 273 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index fc07ca2..f0d622f 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -31,7 +31,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 # include <string.h>
 # include <stdlib.h>
 #endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
+#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
 #else
@@ -118,24 +118,35 @@ ipnat_t	*nat_list = NULL;
 u_int	ipf_nattable_sz = NAT_TABLE_SZ;
 u_int	ipf_natrules_sz = NAT_SIZE;
 u_int	ipf_rdrrules_sz = RDR_SIZE;
+u_int	ipf_hostmap_sz = HOSTMAP_SIZE;
 u_32_t	nat_masks = 0;
 u_32_t	rdr_masks = 0;
 ipnat_t	**nat_rules = NULL;
 ipnat_t	**rdr_rules = NULL;
+hostmap_t	**maptable  = NULL;
 
 u_long	fr_defnatage = DEF_NAT_AGE,
 	fr_defnaticmpage = 6;		/* 3 seconds */
-natstat_t nat_stats;
+static natstat_t nat_stats;
+int	fr_nat_lock = 0;
 #if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern	kmutex_t	ipf_rw;
+extern	kmutex_t	ipf_rw, ipf_hostmap;
 extern	KRWLOCK_T	ipf_nat;
 #endif
 
 static	int	nat_flushtable __P((void));
 static	int	nat_clearlist __P((void));
-static	void	nat_delete __P((struct nat *));
+static	void	nat_addnat __P((struct ipnat *));
+static	void	nat_addrdr __P((struct ipnat *));
 static	void	nat_delrdr __P((struct ipnat *));
 static	void	nat_delnat __P((struct ipnat *));
+static	int	fr_natgetent __P((caddr_t));
+static	int	fr_natgetsz __P((caddr_t));
+static	int	fr_natputent __P((caddr_t));
+static	int	nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
+static	hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
+				    struct in_addr));
+static	void	nat_hostmapdel __P((struct hostmap *));
 
 
 int nat_init()
@@ -163,39 +174,129 @@ int nat_init()
 		bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
 	else
 		return -1;
+
+	KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
+	if (maptable != NULL)
+		bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
+	else
+		return -1;
 	return 0;
 }
 
 
-void nat_delrdr(n)
+static void nat_addrdr(n)
 ipnat_t *n;
 {
-	ipnat_t **n1;
-	u_32_t iph;
+	ipnat_t **np;
+	u_32_t j;
 	u_int hv;
+	int k;
+
+	k = countbits(n->in_outmsk);
+	if ((k >= 0) && (k != 32))
+		rdr_masks |= 1 << k;
+	j = (n->in_outip & n->in_outmsk);
+	hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
+	np = rdr_rules + hv;
+	while (*np != NULL)
+		np = &(*np)->in_rnext;
+	n->in_rnext = NULL;
+	n->in_prnext = np;
+	*np = n;
+}
 
-	iph = n->in_outip & n->in_outmsk;
-	hv = NAT_HASH_FN(iph, ipf_rdrrules_sz);
-	for (n1 = &rdr_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_rnext)
-		;
-	if (*n1)
-		*n1 = n->in_rnext;
+
+static void nat_addnat(n)
+ipnat_t *n;
+{
+	ipnat_t **np;
+	u_32_t j;
+	u_int hv;
+	int k;
+
+	k = countbits(n->in_inmsk);
+	if ((k >= 0) && (k != 32))
+		nat_masks |= 1 << k;
+	j = (n->in_inip & n->in_inmsk);
+	hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
+	np = nat_rules + hv;
+	while (*np != NULL)
+		np = &(*np)->in_mnext;
+	n->in_mnext = NULL;
+	n->in_pmnext = np;
+	*np = n;
+}
+
+
+static void nat_delrdr(n)
+ipnat_t *n;
+{
+	if (n->in_rnext)
+		n->in_rnext->in_prnext = n->in_prnext;
+	*n->in_prnext = n->in_rnext;
 }
 
 
 static void nat_delnat(n)
 ipnat_t *n;
 {
-	ipnat_t **n1;
-	u_32_t iph;
+	if (n->in_mnext)
+		n->in_mnext->in_pmnext = n->in_pmnext;
+	*n->in_pmnext = n->in_mnext;
+}
+
+
+/*
+ * check if an ip address has already been allocated for a given mapping that
+ * is not doing port based translation.
+ */
+static struct hostmap *nat_hostmap(np, real, map)
+ipnat_t *np;
+struct in_addr real;
+struct in_addr map;
+{
+	hostmap_t *hm;
 	u_int hv;
 
-	iph = n->in_inip & n->in_inmsk;
-	hv = NAT_HASH_FN(iph, ipf_natrules_sz);
-	for (n1 = &nat_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_mnext)
-		;
-	if (*n1)
-		*n1 = n->in_mnext;
+	MUTEX_ENTER(&ipf_hostmap);
+	hv = real.s_addr % HOSTMAP_SIZE;
+	for (hm = maptable[hv]; hm; hm = hm->hm_next)
+		if ((hm->hm_realip.s_addr == real.s_addr) &&
+		    (np == hm->hm_ipnat)) {
+			hm->hm_ref++;
+			MUTEX_EXIT(&ipf_hostmap);
+			return hm;
+		}
+
+	KMALLOC(hm, hostmap_t *);
+	if (hm) {
+		hm->hm_next = maptable[hv];
+		hm->hm_pnext = maptable + hv;
+		if (maptable[hv])
+			maptable[hv]->hm_pnext = &hm->hm_next;
+		maptable[hv] = hm;
+		hm->hm_ipnat = np;
+		hm->hm_realip = real;
+		hm->hm_mapip = map;
+		hm->hm_ref = 1;
+	}
+	MUTEX_EXIT(&ipf_hostmap);
+	return hm;
+}
+
+
+static void nat_hostmapdel(hm)
+struct hostmap *hm;
+{
+	MUTEX_ENTER(&ipf_hostmap);
+	ATOMIC_DEC32(hm->hm_ref);
+	if (hm->hm_ref == 0) {
+		if (hm->hm_next)
+			hm->hm_next->hm_pnext = hm->hm_pnext;
+		*hm->hm_pnext = hm->hm_next;
+		KFREE(hm);
+	}
+	MUTEX_EXIT(&ipf_hostmap);
 }
 
 
@@ -280,7 +381,7 @@ int len;
  * Handle ioctls which manipulate the NAT.
  */
 int nat_ioctl(data, cmd, mode)
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 u_long cmd;
 #else
 int cmd;
@@ -289,12 +390,9 @@ caddr_t data;
 int mode;
 {
 	register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
-	int error = 0, ret, k;
+	int error = 0, ret, arg;
 	ipnat_t natd;
 	u_32_t i, j;
-#if defined(_KERNEL) && !SOLARIS
-	int s;
-#endif
 
 #if (BSD >= 199306) && defined(_KERNEL)
 	if ((securelevel >= 2) && (mode & FWRITE))
@@ -304,19 +402,24 @@ int mode;
 	nat = NULL;     /* XXX gcc -Wuninitialized */
 	KMALLOC(nt, ipnat_t *);
 	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
-		IRCOPY(data, (char *)&natd, sizeof(natd));
+		error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
+	else if (cmd == SIOCIPFFL)	/* SIOCFLNAT & SIOCCNATL */
+		error = IRCOPY(data, (char *)&arg, sizeof(arg));
+
+	if (error)
+		goto done;
 
 	/*
 	 * For add/delete, look to see if the NAT entry is already present
 	 */
-	SPL_NET(s);
 	WRITE_ENTER(&ipf_nat);
 	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
 		nat = &natd;
 		nat->in_flags &= IPN_USERFLAGS;
 		if ((nat->in_redir & NAT_MAPBLK) == 0) {
-			nat->in_inip &= nat->in_inmsk;
-			if ((nat->in_flags & IPN_RANGE) == 0)
+			if ((nat->in_flags & IPN_SPLIT) == 0)
+				nat->in_inip &= nat->in_inmsk;
+			if ((nat->in_flags & IPN_IPRANGE) == 0)
 				nat->in_outip &= nat->in_outmsk;
 		}
 		for (np = &nat_list; (n = *np); np = &n->in_next)
@@ -329,11 +432,17 @@ int mode;
 	{
 #ifdef  IPFILTER_LOG
 	case SIOCIPFFB :
+	{
+		int tmp;
+
 		if (!(mode & FWRITE))
 			error = EPERM;
-		else
-			*(int *)data = ipflog_clear(IPL_LOGNAT);
+		else {
+			tmp = ipflog_clear(IPL_LOGNAT);
+			IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));
+		}
 		break;
+	}
 #endif
 	case SIOCADNAT :
 		if (!(mode & FWRITE)) {
@@ -351,7 +460,7 @@ int mode;
 		n = nt;
 		nt = NULL;
 		bcopy((char *)nat, (char *)n, sizeof(*n));
-		n->in_ifp = (void *)GETUNIT(n->in_ifname);
+		n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
 		if (!n->in_ifp)
 			n->in_ifp = (void *)-1;
 		if (n->in_plabel[0] != '\0') {
@@ -364,42 +473,20 @@ int mode;
 		n->in_next = NULL;
 		*np = n;
 
-		if (n->in_redir & NAT_REDIRECT) {
-			u_int hv;
-
-			k = countbits(n->in_outmsk);
-			if ((k >= 0) && (k != 32))
-				rdr_masks |= 1 << k;
-			j = (n->in_outip & n->in_outmsk);
-			hv = NAT_HASH_FN(j, ipf_rdrrules_sz);
-			np = rdr_rules + hv;
-			while (*np != NULL)
-				np = &(*np)->in_rnext;
-			n->in_rnext = NULL;
-			*np = n;
-		}
-		if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
-			u_int hv;
-
-			k = countbits(n->in_inmsk);
-			if ((k >= 0) && (k != 32))
-				nat_masks |= 1 << k;
-			j = (n->in_inip & n->in_inmsk);
-			hv = NAT_HASH_FN(j, ipf_natrules_sz);
-			np = nat_rules + hv;
-			while (*np != NULL)
-				np = &(*np)->in_mnext;
-			n->in_mnext = NULL;
-			*np = n;
-		}
+		if (n->in_redir & NAT_REDIRECT)
+			nat_addrdr(n);
+		if (n->in_redir & (NAT_MAP|NAT_MAPBLK))
+			nat_addnat(n);
 
 		n->in_use = 0;
 		if (n->in_redir & NAT_MAPBLK)
 			n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
 		else if (n->in_flags & IPN_AUTOPORTMAP)
 			n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
-		else if (n->in_flags & IPN_RANGE)
+		else if (n->in_flags & IPN_IPRANGE)
 			n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
+		else if (n->in_flags & IPN_SPLIT)
+			n->in_space = 2;
 		else
 			n->in_space = ~ntohl(n->in_outmsk);
 		/*
@@ -412,15 +499,18 @@ int mode;
 		 * If to a single IP address, set to 1.
 		 */
 		if (n->in_space) {
-			if ((n->in_flags & IPN_RANGE) != 0)
+			if ((n->in_flags & IPN_IPRANGE) != 0)
 				n->in_space += 1;
 			else
 				n->in_space -= 1;
 		} else
 			n->in_space = 1;
 		if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
-		    ((n->in_flags & IPN_RANGE) == 0))
+		    ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
 			n->in_nip = ntohl(n->in_outip) + 1;
+		else if ((n->in_flags & IPN_SPLIT) &&
+			 (n->in_redir & NAT_REDIRECT))
+			n->in_nip = ntohl(n->in_inip);
 		else
 			n->in_nip = ntohl(n->in_outip);
 		if (n->in_redir & NAT_MAP) {
@@ -502,44 +592,76 @@ int mode;
 		nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
 		nat_stats.ns_instances = nat_instances;
 		nat_stats.ns_apslist = ap_sess_list;
-		IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
+		error = IWCOPYPTR((char *)&nat_stats, (char *)data,
+				  sizeof(nat_stats));
 		break;
 	case SIOCGNATL :
 	    {
 		natlookup_t nl;
 
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IRCOPY((char *)data, (char *)&nl, sizeof(nl));
+		error = IRCOPYPTR((char *)data, (char *)&nl, sizeof(nl));
+		if (error)
+			break;
 
 		if (nat_lookupredir(&nl)) {
-			IWCOPY((char *)&nl, (char *)data, sizeof(nl));
+			error = IWCOPYPTR((char *)&nl, (char *)data,
+					  sizeof(nl));
 		} else
 			error = ESRCH;
 		break;
 	    }
-	case SIOCFLNAT :
+	case SIOCIPFFL :	/* old SIOCFLNAT & SIOCCNATL */
 		if (!(mode & FWRITE)) {
 			error = EPERM;
 			break;
 		}
-		ret = nat_flushtable();
+		error = 0;
+		if (arg == 0)
+			ret = nat_flushtable();
+		else if (arg == 1)
+			ret = nat_clearlist();
+		else
+			error = EINVAL;
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&ret, data, sizeof(ret));
+		if (!error) {
+			error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
+			if (error)
+				error = EFAULT;
+		}
 		break;
-	case SIOCCNATL :
-		if (!(mode & FWRITE)) {
-			error = EPERM;
-			break;
+	case SIOCSTLCK :
+		error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+		if (!error) {
+			error = IWCOPY((caddr_t)&fr_nat_lock, data,
+					sizeof(fr_nat_lock));
+			if (!error)
+				fr_nat_lock = arg;
 		}
-		ret = nat_clearlist();
-		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&ret, data, sizeof(ret));
+		break;
+	case SIOCSTPUT :
+		if (fr_nat_lock)
+			error = fr_natputent(data);
+		else
+			error = EACCES;
+		break;
+	case SIOCSTGSZ :
+		if (fr_nat_lock)
+			error = fr_natgetsz(data);
+		else
+			error = EACCES;
+		break;
+	case SIOCSTGET :
+		if (fr_nat_lock)
+			error = fr_natgetent(data);
+		else
+			error = EACCES;
 		break;
 	case FIONREAD :
 #ifdef	IPFILTER_LOG
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
-		       sizeof(iplused[IPL_LOGNAT]));
+		error = IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
+			       sizeof(iplused[IPL_LOGNAT]));
 #endif
 		break;
 	default :
@@ -547,13 +669,285 @@ int mode;
 		break;
 	}
 	RWLOCK_EXIT(&ipf_nat);			/* READ/WRITE */
-	SPL_X(s);
+done:
 	if (nt)
 		KFREE(nt);
 	return error;
 }
 
 
+static int fr_natgetsz(data)
+caddr_t data;
+{
+	ap_session_t *aps;
+	nat_t *nat, *n;
+	int error = 0;
+	natget_t ng;
+
+	error = IRCOPY(data, (caddr_t)&ng, sizeof(ng));
+	if (error)
+		return EFAULT;
+
+	nat = ng.ng_ptr;
+	if (!nat) {
+		nat = nat_instances;
+		ng.ng_sz = 0;
+		if (nat == NULL) {
+			error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
+			if (error)
+				error = EFAULT;
+			return error;
+		}
+	} else {
+		/*
+		 * Make sure the pointer we're copying from exists in the
+		 * current list of entries.  Security precaution to prevent
+		 * copying of random kernel data.
+		 */
+		for (n = nat_instances; n; n = n->nat_next)
+			if (n == nat)
+				break;
+		if (!n)
+			return ESRCH;
+	}
+
+	ng.ng_sz = sizeof(nat_save_t);
+	aps = nat->nat_aps;
+	if ((aps != NULL) && (aps->aps_data != 0)) {
+		ng.ng_sz += sizeof(ap_session_t);
+		ng.ng_sz += aps->aps_psiz;
+	}
+
+	error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
+	if (error)
+		error = EFAULT;
+	return error;
+}
+
+
+static int fr_natgetent(data)
+caddr_t data;
+{
+	nat_save_t ipn, *ipnp, *ipnn;
+	register nat_t *n, *nat;
+	ap_session_t *aps;
+	int error;
+
+	error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
+	if (error)
+		return EFAULT;
+	error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
+	if (error)
+		return EFAULT;
+
+	nat = ipn.ipn_next;
+	if (!nat) {
+		nat = nat_instances;
+		if (nat == NULL) {
+			if (nat_instances == NULL)
+				return ENOENT;
+			return 0;
+		}
+	} else {
+		/*
+		 * Make sure the pointer we're copying from exists in the
+		 * current list of entries.  Security precaution to prevent
+		 * copying of random kernel data.
+		 */
+		for (n = nat_instances; n; n = n->nat_next)
+			if (n == nat)
+				break;
+		if (!n)
+			return ESRCH;
+	}
+
+	ipn.ipn_next = nat->nat_next;
+	ipn.ipn_dsize = 0;
+	bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat));
+	ipn.ipn_nat.nat_data = NULL;
+
+	if (nat->nat_ptr) {
+		bcopy((char *)nat->nat_ptr, (char *)&ipn.ipn_ipnat,
+		      sizeof(ipn.ipn_ipnat));
+	}
+
+	if (nat->nat_fr)
+		bcopy((char *)nat->nat_fr, (char *)&ipn.ipn_rule,
+		      sizeof(ipn.ipn_rule));
+
+	if ((aps = nat->nat_aps)) {
+		ipn.ipn_dsize = sizeof(*aps);
+		if (aps->aps_data)
+			ipn.ipn_dsize += aps->aps_psiz;
+		KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize);
+		if (ipnn == NULL)
+			return NULL;
+		bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
+
+		bcopy((char *)aps, ipn.ipn_data, sizeof(*aps));
+		if (aps->aps_data) {
+			bcopy(aps->aps_data, ipn.ipn_data + sizeof(*aps),
+			      aps->aps_psiz);
+			ipn.ipn_dsize += aps->aps_psiz;
+		}
+		error = IWCOPY((caddr_t)ipnn, ipnp,
+			       sizeof(ipn) + ipn.ipn_dsize);
+		if (error)
+			return EFAULT;
+		KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize);
+	} else {
+		error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
+		if (error)
+			return EFAULT;
+	}
+	return 0;
+}
+
+
+static int fr_natputent(data)
+caddr_t data;
+{
+	nat_save_t ipn, *ipnp, *ipnn;
+	register nat_t *n, *nat;
+	ap_session_t *aps;
+	frentry_t *fr;
+	ipnat_t *in;
+
+	int error;
+
+	error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
+	if (error)
+		return EFAULT;
+	error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
+	if (error)
+		return EFAULT;
+	if (ipn.ipn_dsize) {
+		KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize);
+		if (ipnn == NULL)
+			return ENOMEM;
+		bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
+		error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data,
+			       ipn.ipn_dsize);
+		if (error)
+			return EFAULT;
+	} else
+		ipnn = NULL;
+
+	KMALLOC(nat, nat_t *);
+	if (nat == NULL)
+		return ENOMEM;
+
+	bcopy((char *)&ipn.ipn_nat, (char *)nat, sizeof(*nat));
+	/*
+	 * Initialize all these so that nat_delete() doesn't cause a crash.
+	 */
+	nat->nat_hstart[0] = NULL;
+	nat->nat_hstart[1] = NULL;
+	fr = nat->nat_fr;
+	nat->nat_fr = NULL;
+	aps = nat->nat_aps;
+	nat->nat_aps = NULL;
+	in = nat->nat_ptr;
+	nat->nat_ptr = NULL;
+	nat->nat_data = NULL;
+
+	/*
+	 * Restore the rule associated with this nat session
+	 */
+	if (in) {
+		KMALLOC(in, ipnat_t *);
+		if (in == NULL) {
+			error = ENOMEM;
+			goto junkput;
+		}
+		nat->nat_ptr = in;
+		bcopy((char *)&ipn.ipn_ipnat, (char *)in, sizeof(*in));
+		in->in_use = 1;
+		in->in_flags |= IPN_DELETE;
+		in->in_next = NULL;
+		in->in_rnext = NULL;
+		in->in_prnext = NULL;
+		in->in_mnext = NULL;
+		in->in_pmnext = NULL;
+		in->in_ifp = GETUNIT(in->in_ifname, 4);
+		if (in->in_plabel[0] != '\0') {
+			in->in_apr = appr_match(in->in_p, in->in_plabel);
+		}
+	}
+
+	/*
+	 * Restore ap_session_t structure.  Include the private data allocated
+	 * if it was there.
+	 */
+	if (aps) {
+		KMALLOC(aps, ap_session_t *);
+		if (aps == NULL) {
+			error = ENOMEM;
+			goto junkput;
+		}
+		nat->nat_aps = aps;
+		aps->aps_next = ap_sess_list;
+		ap_sess_list = aps;
+		bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
+		if (in)
+			aps->aps_apr = in->in_apr;
+		if (aps->aps_psiz) {
+			KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
+			if (aps->aps_data == NULL) {
+				error = ENOMEM;
+				goto junkput;
+			}
+			bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
+			      aps->aps_psiz);
+		} else {
+			aps->aps_psiz = 0;
+			aps->aps_data = NULL;
+		}
+	}
+
+	/*
+	 * If there was a filtering rule associated with this entry then
+	 * build up a new one.
+	 */
+	if (fr != NULL) {
+		if (nat->nat_flags & FI_NEWFR) {
+			KMALLOC(fr, frentry_t *);
+			nat->nat_fr = fr;
+			if (fr == NULL) {
+				error = ENOMEM;
+				goto junkput;
+			}
+			bcopy((char *)&ipn.ipn_fr, (char *)fr, sizeof(*fr));
+			ipn.ipn_nat.nat_fr = fr;
+			error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
+			if (error) {
+				error = EFAULT;
+				goto junkput;
+			}
+		} else {
+			for (n = nat_instances; n; n = n->nat_next)
+				if (n->nat_fr == fr)
+					break;
+			if (!n) {
+				error = ESRCH;
+				goto junkput;
+			}
+		}
+	}
+
+	if (ipnn)
+		KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
+	nat_insert(nat);
+	return 0;
+junkput:
+	if (ipnn)
+		KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
+	if (nat)
+		nat_delete(nat);
+	return error;
+}
+
+
 /*
  * Delete a nat entry from the various lists and table.
  */
@@ -563,14 +957,14 @@ struct nat *natd;
 	register struct nat **natp, *nat;
 	struct ipnat *ipn;
 
-	for (natp = natd->nat_hstart[0]; (nat = *natp);
+	for (natp = natd->nat_hstart[0]; natp && (nat = *natp);
 	     natp = &nat->nat_hnext[0])
 		if (nat == natd) {
 			*natp = nat->nat_hnext[0];
 			break;
 		}
 
-	for (natp = natd->nat_hstart[1]; (nat = *natp);
+	for (natp = natd->nat_hstart[1]; natp && (nat = *natp);
 	     natp = &nat->nat_hnext[1])
 		if (nat == natd) {
 			*natp = nat->nat_hnext[1];
@@ -578,8 +972,12 @@ struct nat *natd;
 		}
 
 	if (natd->nat_fr != NULL) {
-		ATOMIC_DEC(natd->nat_fr->fr_ref);
+		ATOMIC_DEC32(natd->nat_fr->fr_ref);
 	}
+
+	if (natd->nat_hm != NULL)
+		nat_hostmapdel(natd->nat_hm);
+
 	/*
 	 * If there is an active reference from the nat entry to its parent
 	 * rule, decrement the rule's reference count and free it too if no
@@ -597,6 +995,7 @@ struct nat *natd;
 		}
 	}
 
+	MUTEX_DESTROY(&natd->nat_lock);
 	/*
 	 * If there's a fragment table entry too for this nat entry, then
 	 * dereference that as well.
@@ -682,11 +1081,11 @@ int direction;
 {
 	register u_32_t sum1, sum2, sumd, l;
 	u_short port = 0, sport = 0, dport = 0, nport = 0;
-	nat_t *nat, **natp, *natl = NULL;
 	struct in_addr in, inb;
 	tcphdr_t *tcp = NULL;
+	hostmap_t *hm = NULL;
+	nat_t *nat, *natl;
 	u_short nflags;
-	u_int hv;
 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
 	qif_t *qf = fin->fin_qif;
 #endif
@@ -700,8 +1099,10 @@ int direction;
 
 	/* Give me a new nat */
 	KMALLOC(nat, nat_t *);
-	if (nat == NULL)
+	if (nat == NULL) {
+		nat_stats.ns_memfail++;
 		return NULL;
+	}
 
 	bzero((char *)nat, sizeof(*nat));
 	nat->nat_flags = flags;
@@ -725,42 +1126,33 @@ int direction;
 
 		do {
 			port = 0;
-			in.s_addr = np->in_nip;
+			in.s_addr = htonl(np->in_nip);
 			if (l == 0) {
 				/*
 				 * Check to see if there is an existing NAT
 				 * setup for this IP address pair.
 				 */
-				natl = nat_maplookup(fin->fin_ifp, flags,
-						     ip->ip_src, ip->ip_dst);
-				if (natl != NULL) {
-					in = natl->nat_outip;
-					if ((in.s_addr & np->in_outmsk) !=
-					    np->in_outip)
-						in.s_addr = 0;
-					else
-#ifndef sparc
-						in.s_addr = ntohl(in.s_addr);
-#else
-						;
-#endif
-				}
+				hm = nat_hostmap(np, ip->ip_src, in);
+				if (hm != NULL)
+					in.s_addr = hm->hm_mapip.s_addr;
+			} else if ((l == 1) && (hm != NULL)) {
+				nat_hostmapdel(hm);
+				hm = NULL;
 			}
+			in.s_addr = ntohl(in.s_addr);
+
+			nat->nat_hm = hm;
 
 			if ((np->in_outmsk == 0xffffffff) &&
 			    (np->in_pnext == 0)) {
-				if (l > 0) {
-					KFREE(nat);
-					return NULL;
-				}
+				if (l > 0)
+					goto badnat;
 			}
 
 			if (np->in_redir & NAT_MAPBLK) {
 				if ((l >= np->in_ppip) || ((l > 0) &&
-				     !(flags & IPN_TCPUDP))) {
-					KFREE(nat);
-					return NULL;
-				}
+				     !(flags & IPN_TCPUDP)))
+					goto badnat;
 				/*
 				 * map-block - Calculate destination address.
 				 */
@@ -782,29 +1174,25 @@ int direction;
 					port += MAPBLK_MINPORT;
 					port = htons(port);
 				}
-			} else if (!in.s_addr &&
+			} else if (!np->in_outip &&
 				   (np->in_outmsk == 0xffffffff)) {
 				/*
 				 * 0/32 - use the interface's IP address.
 				 */
 				if ((l > 0) ||
-				    fr_ifpaddr(fin->fin_ifp, &in) == -1) {
-					KFREE(nat);
-					return NULL;
-				}
+				    fr_ifpaddr(4, fin->fin_ifp, &in) == -1)
+					goto badnat;
 				in.s_addr = ntohl(in.s_addr);
-			} else if (!in.s_addr && !np->in_outmsk) {
+			} else if (!np->in_outip && !np->in_outmsk) {
 				/*
 				 * 0/0 - use the original source address/port.
 				 */
-				if (l > 0) {
-					KFREE(nat);
-					return NULL;
-				}
+				if (l > 0)
+					goto badnat;
 				in.s_addr = ntohl(ip->ip_src.s_addr);
 			} else if ((np->in_outmsk != 0xffffffff) &&
 				   (np->in_pnext == 0) &&
-				   ((l > 0) || (natl == NULL)))
+				   ((l > 0) || (hm == NULL)))
 				np->in_nip++;
 			natl = NULL;
 
@@ -813,8 +1201,7 @@ int direction;
 			    (np->in_flags & IPN_AUTOPORTMAP)) {
 				if ((l > 0) && (l % np->in_ppip == 0)) {
 					if (l > np->in_space) {
-						KFREE(nat);
-						return NULL;
+						goto badnat;
 					} else if ((l > np->in_ppip) &&
 						   np->in_outmsk != 0xffffffff)
 						np->in_nip++;
@@ -840,8 +1227,8 @@ int direction;
 				}
 			}
 
-			if (np->in_flags & IPN_RANGE) {
-				if (np->in_nip >= ntohl(np->in_outmsk))
+			if (np->in_flags & IPN_IPRANGE) {
+				if (np->in_nip > ntohl(np->in_outmsk))
 					np->in_nip = ntohl(np->in_outip);
 			} else {
 				if ((np->in_outmsk != 0xffffffff) &&
@@ -864,7 +1251,7 @@ int direction;
 			 * this is appropriate.
 			 */
 			inb.s_addr = htonl(in.s_addr);
-			natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILD,
+			natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP,
 					    (u_int)ip->ip_p, ip->ip_dst, inb,
 					    (port << 16) | dport);
 
@@ -874,10 +1261,8 @@ int direction;
 			 */
 			if ((natl != NULL) &&
 			    (np->in_pnext != 0) && (st_port == np->in_pnext) &&
-			    (np->in_nip != 0) && (st_ip == np->in_nip)) {
-				KFREE(nat);
-				return NULL;
-			}
+			    (np->in_nip != 0) && (st_ip == np->in_nip))
+				goto badnat;
 			l++;
 		} while (natl != NULL);
 
@@ -888,6 +1273,9 @@ int direction;
 		nat->nat_inip = ip->ip_src;
 		nat->nat_outip.s_addr = htonl(in.s_addr);
 		nat->nat_oip = ip->ip_dst;
+		if (nat->nat_hm == NULL)
+			nat->nat_hm = nat_hostmap(np, ip->ip_src,
+						  nat->nat_outip);
 
 		sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport);
 		sum2 = LONG_SUM(in.s_addr) + ntohs(port);
@@ -904,18 +1292,45 @@ int direction;
 		 * we want to rewrite to a fixed internal address and fixed
 		 * internal port.
 		 */
-		in.s_addr = ntohl(np->in_inip);
-		if (!(nport = np->in_pnext))
+		if (np->in_flags & IPN_SPLIT) {
+			in.s_addr = np->in_nip;
+			if (np->in_inip == htonl(in.s_addr))
+				np->in_nip = ntohl(np->in_inmsk);
+			else {
+				np->in_nip = ntohl(np->in_inip);
+				if (np->in_flags & IPN_ROUNDR) {
+					nat_delrdr(np);
+					nat_addrdr(np);
+				}
+			}
+		} else {
+			in.s_addr = ntohl(np->in_inip);
+			if (np->in_flags & IPN_ROUNDR) {
+				nat_delrdr(np);
+				nat_addrdr(np);
+			}
+		}
+		if (!np->in_pnext)
 			nport = dport;
+		else {
+			/*
+			 * Whilst not optimized for the case where
+			 * pmin == pmax, the gain is not significant.
+			 */
+			nport = ntohs(dport) - ntohs(np->in_pmin) +
+				ntohs(np->in_pnext);
+			nport = htons(nport);
+		}
 
 		/*
 		 * When the redirect-to address is set to 0.0.0.0, just
 		 * assume a blank `forwarding' of the packet.  We don't
 		 * setup any translation for this either.
 		 */
-		if ((in.s_addr == 0) && (nport == dport)) {
-			KFREE(nat);
-			return NULL;
+		if (in.s_addr == 0) {
+			if (nport == dport)
+				goto badnat;
+			in.s_addr = ntohl(ip->ip_dst.s_addr);
 		}
 
 		nat->nat_inip.s_addr = htonl(in.s_addr);
@@ -963,28 +1378,21 @@ int direction;
 		nat->nat_ipsumd = nat->nat_sumd[0];
 
 	in.s_addr = htonl(in.s_addr);
-	nat->nat_next = nat_instances;
-	nat_instances = nat;
-	hv = NAT_HASH_FN(nat->nat_inip.s_addr, ipf_nattable_sz);
-	natp = &nat_table[0][hv];
-	nat->nat_hstart[0] = natp;
-	nat->nat_hnext[0] = *natp;
-	*natp = nat;
-	hv = NAT_HASH_FN(nat->nat_outip.s_addr, ipf_nattable_sz);
-	natp = &nat_table[1][hv];
-	nat->nat_hstart[1] = natp;
-	nat->nat_hnext[1] = *natp;
-	*natp = nat;
+
+#ifdef  _KERNEL
+	strncpy(nat->nat_ifname, IFNAME(fin->fin_ifp), IFNAMSIZ);
+#endif
+	nat_insert(nat);
+
 	nat->nat_dir = direction;
 	nat->nat_ifp = fin->fin_ifp;
 	nat->nat_ptr = np;
 	nat->nat_p = ip->ip_p;
 	nat->nat_bytes = 0;
 	nat->nat_pkts = 0;
-	nat->nat_age = fr_defnatage;
 	nat->nat_fr = fin->fin_fr;
 	if (nat->nat_fr != NULL) {
-		ATOMIC_INC(nat->nat_fr->fr_ref);
+		ATOMIC_INC32(nat->nat_fr->fr_ref);
 	}
 	if (direction == NAT_OUTBOUND) {
 		if (flags & IPN_TCPUDP)
@@ -993,16 +1401,55 @@ int direction;
 		if (flags & IPN_TCPUDP)
 			tcp->th_dport = nport;
 	}
-	nat_stats.ns_added++;
-	nat_stats.ns_inuse++;
 	np->in_use++;
 	return nat;
+badnat:
+	nat_stats.ns_badnat++;
+	if ((hm = nat->nat_hm) != NULL)
+		nat_hostmapdel(hm);
+	KFREE(nat);
+	return NULL;
+}
+
+
+void	nat_insert(nat)
+nat_t	*nat;
+{
+	nat_t **natp;
+	u_int hv;
+
+	MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
+
+	nat->nat_age = fr_defnatage;
+	nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
+	if (nat->nat_ifname[0] !='\0') {
+		nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
+	}
+
+	nat->nat_next = nat_instances;
+	nat_instances = nat;
+	hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
+			 ipf_nattable_sz);
+	natp = &nat_table[0][hv];
+	nat->nat_hstart[0] = natp;
+	nat->nat_hnext[0] = *natp;
+	*natp = nat;
+	hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
+			 ipf_nattable_sz);
+	natp = &nat_table[1][hv];
+	nat->nat_hstart[1] = natp;
+	nat->nat_hnext[1] = *natp;
+	*natp = nat;
+
+	nat_stats.ns_added++;
+	nat_stats.ns_inuse++;
 }
 
 
-nat_t *nat_icmpinlookup(ip, fin)
+nat_t *nat_icmplookup(ip, fin, dir)
 ip_t *ip;
 fr_info_t *fin;
+int dir;
 {
 	icmphdr_t *icmp;
 	tcphdr_t *tcp = NULL;
@@ -1035,12 +1482,21 @@ fr_info_t *fin;
 		flags = IPN_UDP;
 	if (flags & IPN_TCPUDP) {
 		tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
-		return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p,
-				    oip->ip_dst, oip->ip_src,
-				    (tcp->th_sport << 16) | tcp->th_dport);
+		if (dir == NAT_INBOUND)
+			return nat_inlookup(fin->fin_ifp, flags,
+				(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
+				(tcp->th_sport << 16) | tcp->th_dport);
+		else
+			return nat_outlookup(fin->fin_ifp, flags,
+				(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
+				(tcp->th_sport << 16) | tcp->th_dport);
 	}
-	return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, oip->ip_dst,
-			    oip->ip_src, 0);
+	if (dir == NAT_INBOUND)
+		return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
+			oip->ip_dst, oip->ip_src, 0);
+	else
+		return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
+			oip->ip_dst, oip->ip_src, 0);
 }
 
 
@@ -1048,10 +1504,11 @@ fr_info_t *fin;
  * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
  * packet gets correctly recognised.
  */
-nat_t *nat_icmpin(ip, fin, nflags)
+nat_t *nat_icmp(ip, fin, nflags, dir)
 ip_t *ip;
 fr_info_t *fin;
 u_int *nflags;
+int dir;
 {
 	u_32_t sum1, sum2, sumd;
 	struct in_addr in;
@@ -1060,7 +1517,7 @@ u_int *nflags;
 	ip_t *oip;
 	int flags = 0;
 
-	if (!(nat = nat_icmpinlookup(ip, fin)))
+	if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
 		return NULL;
 	*nflags = IPN_ICMPERR;
 	icmp = (icmphdr_t *)fin->fin_dp;
@@ -1078,6 +1535,7 @@ u_int *nflags;
 	 * to only modify the checksum once for the port # and twice
 	 * for the IP#.
 	 */
+
 	if (nat->nat_dir == NAT_OUTBOUND) {
 		sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
 		in = nat->nat_inip;
@@ -1105,7 +1563,7 @@ u_int *nflags;
 		sumd += (sumd & 0xffff);
 		while (sumd > 0xffff)
 			sumd = (sumd & 0xffff) + (sumd >> 16);
-		fix_incksum(&icmp->icmp_cksum, sumd, 0);
+/*		fix_incksum(&icmp->icmp_cksum, sumd, 0); */
 	}
 
 
@@ -1163,7 +1621,7 @@ u_32_t ports;
 	sport = ports & 0xffff;
 	flags &= IPN_TCPUDP;
 
-	hv = NAT_HASH_FN(mapdst.s_addr, ipf_nattable_sz);
+	hv = NAT_HASH_FN(mapdst.s_addr, mapdport, ipf_nattable_sz);
 	nat = nat_table[1][hv];
 	for (; nat; nat = nat->nat_hnext[1]) {
 		nflags = nat->nat_flags;
@@ -1202,7 +1660,7 @@ u_32_t ports;
 	dport = ports >> 16;
 	flags &= IPN_TCPUDP;
 
-	hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
+	hv = NAT_HASH_FN(src.s_addr, sport, ipf_nattable_sz);
 	nat = nat_table[0][hv];
 	for (; nat; nat = nat->nat_hnext[0]) {
 		nflags = nat->nat_flags;
@@ -1221,35 +1679,6 @@ u_32_t ports;
 
 
 /*
- * check if an ip address has already been allocated for a given mapping that
- * is not doing port based translation.
- */
-nat_t *nat_maplookup(ifp, flags, src, dst)
-void *ifp;
-register u_int flags;
-struct in_addr src , dst;
-{
-	register nat_t *nat;
-	register int oflags;
-	u_int hv;
-
-	hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
-	nat = nat_table[0][hv];
-	for (; nat; nat = nat->nat_hnext[0]) {
-		oflags = (flags & IPN_TCPUDP) & nat->nat_ptr->in_flags;
-		if (oflags != 0)
-			continue;
-
-		if ((!ifp || ifp == nat->nat_ifp) &&
-		    nat->nat_inip.s_addr == src.s_addr &&
-		    nat->nat_oip.s_addr == dst.s_addr)
-			return nat;
-	}
-	return NULL;
-}
-
-
-/*
  * Lookup the NAT tables to search for a matching redirect
  */
 nat_t *nat_lookupredir(np)
@@ -1272,6 +1701,41 @@ register natlookup_t *np;
 }
 
 
+static int nat_match(fin, np, ip)
+fr_info_t *fin;
+ipnat_t *np;
+ip_t *ip;
+{
+	frtuc_t *ft;
+
+	if (ip->ip_v != 4)
+		return 0;
+
+	if (np->in_p && ip->ip_p != np->in_p)
+		return 0;
+	if (fin->fin_out) {
+		if (!(np->in_redir && (NAT_MAP|NAT_MAPBLK)))
+			return 0;
+		if ((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
+			return 0;
+		if ((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
+			return 0;
+	} else {
+		if (!(np->in_redir && NAT_REDIRECT))
+			return 0;
+	}
+
+	ft = &np->in_tuc;
+	if (!(fin->fin_fi.fi_fl & FI_TCPUDP)) {
+		if (ft->ftu_scmp || ft->ftu_dcmp)
+			return 0;
+		return 1;
+	}
+
+	return fr_tcpudpchk(ft, fin);
+}
+
+
 /*
  * Packets going out on the external interface go through this.
  * Here, the source address requires alteration, if anything.
@@ -1283,16 +1747,16 @@ fr_info_t *fin;
 	register ipnat_t *np = NULL;
 	register u_32_t ipa;
 	tcphdr_t *tcp = NULL;
-	u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
+	u_short sport = 0, dport = 0, *csump = NULL;
 	struct ifnet *ifp;
 	int natadd = 1;
 	frentry_t *fr;
-	u_int hv, msk;
+	u_int nflags = 0, hv, msk;
 	u_32_t iph;
 	nat_t *nat;
 	int i;
 
-	if (nat_list == NULL)
+	if (nat_list == NULL || (fr_nat_lock))
 		return 0;
 
 	if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
@@ -1316,8 +1780,12 @@ fr_info_t *fin;
 	ipa = ip->ip_src.s_addr;
 
 	READ_ENTER(&ipf_nat);
-	if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
-	    (nat = ipfr_nat_knownfrag(ip, fin)))
+
+	if ((ip->ip_p == IPPROTO_ICMP) &&
+	    (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
+		;
+	else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
+			(nat = ipfr_nat_knownfrag(ip, fin)))
 		natadd = 0;
 	else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src,
 				      ip->ip_dst, (dport << 16) | sport))) {
@@ -1345,15 +1813,21 @@ fr_info_t *fin;
 		i = 32;
 maskloop:
 		iph = ipa & htonl(msk);
-		hv = NAT_HASH_FN(iph, ipf_natrules_sz);
+		hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
 		for (np = nat_rules[hv]; np; np = np->in_mnext)
 		{
-			if ((np->in_ifp == ifp) && np->in_space &&
-			    (!(np->in_flags & IPN_RF) ||
-			     (np->in_flags & nflags)) &&
-			    ((ipa & np->in_inmsk) == np->in_inip) &&
-			    ((np->in_redir & (NAT_MAP|NAT_MAPBLK)) ||
-			     (np->in_pnext == sport))) {
+			if ((np->in_ifp && (np->in_ifp != ifp)) ||
+			    !np->in_space)
+				continue;
+			if ((np->in_flags & IPN_RF) &&
+			    !(np->in_flags & nflags))
+				continue;
+			if (np->in_flags & IPN_FILTER) {
+				if (!nat_match(fin, np, ip))
+					continue;
+			} else if ((ipa & np->in_inmsk) != np->in_inip)
+				continue;
+			if (np->in_redir & (NAT_MAP|NAT_MAPBLK)) {
 				if (*np->in_plabel && !appr_ok(ip, tcp, np))
 					continue;
 				/*
@@ -1390,11 +1864,11 @@ maskloop:
 		if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
 			ipfr_nat_newfrag(ip, fin, 0, nat);
 		ip->ip_src = nat->nat_outip;
-		MUTEX_ENTER(&ipf_rw);
+		MUTEX_ENTER(&nat->nat_lock);
 		nat->nat_age = fr_defnatage;
 		nat->nat_bytes += ip->ip_len;
 		nat->nat_pkts++;
-		MUTEX_EXIT(&ipf_rw);
+		MUTEX_EXIT(&nat->nat_lock);
 
 		/*
 		 * Fix up checksums, not by recalculating them, but
@@ -1417,14 +1891,14 @@ maskloop:
 
 			if (ip->ip_p == IPPROTO_TCP) {
 				csump = &tcp->th_sum;
-				MUTEX_ENTER(&ipf_rw);
+				MUTEX_ENTER(&nat->nat_lock);
 				fr_tcp_age(&nat->nat_age,
-					   nat->nat_tcpstate, ip, fin, 1);
+					   nat->nat_tcpstate, fin, 1);
 				if (nat->nat_age < fr_defnaticmpage)
 					nat->nat_age = fr_defnaticmpage;
 #ifdef LARGE_NAT
-				else if (nat->nat_age > DEF_NAT_AGE)
-					nat->nat_age = DEF_NAT_AGE;
+				else if (nat->nat_age > fr_defnatage)
+					nat->nat_age = fr_defnatage;
 #endif
 				/*
 				 * Increase this because we may have
@@ -1434,12 +1908,14 @@ maskloop:
 				 */
 				if (nat->nat_age == fr_tcpclosed)
 					nat->nat_age = fr_tcplastack;
-				MUTEX_EXIT(&ipf_rw);
+				MUTEX_EXIT(&nat->nat_lock);
 			} else if (ip->ip_p == IPPROTO_UDP) {
 				udphdr_t *udp = (udphdr_t *)tcp;
 
 				if (udp->uh_sum)
 					csump = &udp->uh_sum;
+			} else if (ip->ip_p == IPPROTO_ICMP) {
+				nat->nat_age = fr_defnaticmpage;
 			}
 			if (csump) {
 				if (nat->nat_dir == NAT_OUTBOUND)
@@ -1450,12 +1926,17 @@ maskloop:
 						     ip->ip_len);
 			}
 		}
+
 		if ((np->in_apr != NULL) && (np->in_dport == 0 ||
-		     (tcp != NULL && dport == np->in_dport)))
-			(void) appr_check(ip, fin, nat);
-		ATOMIC_INC(nat_stats.ns_mapped[1]);
+		     (tcp != NULL && dport == np->in_dport))) {
+			i = appr_check(ip, fin, nat);
+			if (i == 0)
+				i = 1;
+		} else
+			i = 1;
+		ATOMIC_INCL(nat_stats.ns_mapped[1]);
 		RWLOCK_EXIT(&ipf_nat);	/* READ */
-		return 1;
+		return i;
 	}
 	RWLOCK_EXIT(&ipf_nat);			/* READ/WRITE */
 	return 0;
@@ -1481,7 +1962,7 @@ fr_info_t *fin;
 	u_32_t iph;
 	int i;
 
-	if (nat_list == NULL)
+	if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
 		return 0;
 
 	if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
@@ -1502,7 +1983,8 @@ fr_info_t *fin;
 
 	READ_ENTER(&ipf_nat);
 
-	if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags)))
+	if ((ip->ip_p == IPPROTO_ICMP) &&
+	    (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
 		;
 	else if ((ip->ip_off & IP_OFFMASK) &&
 		 (nat = ipfr_nat_knownfrag(ip, fin)))
@@ -1530,15 +2012,21 @@ fr_info_t *fin;
 		i = 32;
 maskloop:
 		iph = in.s_addr & htonl(msk);
-		hv = NAT_HASH_FN(iph, ipf_rdrrules_sz);
-		for (np = rdr_rules[hv]; np; np = np->in_rnext)
-			if ((np->in_ifp == ifp) &&
-			    (!np->in_flags || (nflags & np->in_flags)) &&
-			    ((in.s_addr & np->in_outmsk) == np->in_outip) &&
-			    ((src.s_addr & np->in_srcmsk) == np->in_srcip) &&
-			    (np->in_redir & NAT_REDIRECT) &&
-			    (!np->in_pmin || np->in_pmin == dport) &&
-			    (!np->in_p || np->in_p == ip->ip_p)) {
+		hv = NAT_HASH_FN(iph, 0, ipf_rdrrules_sz);
+		for (np = rdr_rules[hv]; np; np = np->in_rnext) {
+			if ((np->in_ifp && (np->in_ifp != ifp)) ||
+			    (np->in_p && (np->in_p != ip->ip_p)) ||
+			    (np->in_flags && !(nflags & np->in_flags)))
+				continue;
+			if (np->in_flags & IPN_FILTER) {
+				if (!nat_match(fin, np, ip))
+					continue;
+			} else if ((in.s_addr & np->in_outmsk) != np->in_outip)
+				continue;
+			if ((np->in_redir & NAT_REDIRECT) &&
+			    (!np->in_pmin ||
+			     ((ntohs(np->in_pmax) >= ntohs(dport)) &&
+			      (ntohs(dport) >= ntohs(np->in_pmin)))))
 				if ((nat = nat_new(np, ip, fin, nflags,
 						    NAT_INBOUND))) {
 					np->in_hits++;
@@ -1547,7 +2035,8 @@ maskloop:
 #endif
 					break;
 				}
-			}
+		}
+
 		if ((np == NULL) && (i > 0)) {
 			do {
 				i--;
@@ -1564,18 +2053,23 @@ maskloop:
 		if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
 			ipfr_nat_newfrag(ip, fin, 0, nat);
 		if ((np->in_apr != NULL) && (np->in_dport == 0 ||
-		    (tcp != NULL && sport == np->in_dport)))
-			(void) appr_check(ip, fin, nat);
+		    (tcp != NULL && sport == np->in_dport))) {
+			i = appr_check(ip, fin, nat);
+			if (i == -1) {
+				RWLOCK_EXIT(&ipf_nat);
+				return i;
+			}
+		}
 
-		MUTEX_ENTER(&ipf_rw);
+		MUTEX_ENTER(&nat->nat_lock);
 		if (nflags != IPN_ICMPERR)
 			nat->nat_age = fr_defnatage;
 
 		nat->nat_bytes += ip->ip_len;
 		nat->nat_pkts++;
-		MUTEX_EXIT(&ipf_rw);
+		MUTEX_EXIT(&nat->nat_lock);
 		ip->ip_dst = nat->nat_inip;
-		fin->fin_fi.fi_dst = nat->nat_inip;
+		fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
 
 		/*
 		 * Fix up checksums, not by recalculating them, but
@@ -1597,14 +2091,14 @@ maskloop:
 
 			if (ip->ip_p == IPPROTO_TCP) {
 				csump = &tcp->th_sum;
-				MUTEX_ENTER(&ipf_rw);
+				MUTEX_ENTER(&nat->nat_lock);
 				fr_tcp_age(&nat->nat_age,
-					   nat->nat_tcpstate, ip, fin, 0);
+					   nat->nat_tcpstate, fin, 0);
 				if (nat->nat_age < fr_defnaticmpage)
 					nat->nat_age = fr_defnaticmpage;
 #ifdef LARGE_NAT
-				else if (nat->nat_age > DEF_NAT_AGE)
-					nat->nat_age = DEF_NAT_AGE;
+				else if (nat->nat_age > fr_defnatage)
+					nat->nat_age = fr_defnatage;
 #endif
 				/*
 				 * Increase this because we may have
@@ -1614,21 +2108,26 @@ maskloop:
 				 */
 				if (nat->nat_age == fr_tcpclosed)
 					nat->nat_age = fr_tcplastack;
-				MUTEX_EXIT(&ipf_rw);
+				MUTEX_EXIT(&nat->nat_lock);
 			} else if (ip->ip_p == IPPROTO_UDP) {
 				udphdr_t *udp = (udphdr_t *)tcp;
 
 				if (udp->uh_sum)
 					csump = &udp->uh_sum;
+			} else if (ip->ip_p == IPPROTO_ICMP) {
+				nat->nat_age = fr_defnaticmpage;
 			}
+
 			if (csump) {
 				if (nat->nat_dir == NAT_OUTBOUND)
-					fix_incksum(csump, nat->nat_sumd[0], 0);
+					fix_incksum(csump, nat->nat_sumd[0],
+						    0);
 				else
-					fix_outcksum(csump, nat->nat_sumd[0], 0);
+					fix_outcksum(csump, nat->nat_sumd[0],
+						     0);
 			}
 		}
-		ATOMIC_INC(nat_stats.ns_mapped[0]);
+		ATOMIC_INCL(nat_stats.ns_mapped[0]);
 		RWLOCK_EXIT(&ipf_nat);			/* READ */
 		return 1;
 	}
@@ -1663,6 +2162,10 @@ void ip_natunload()
 		KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
 		rdr_rules = NULL;
 	}
+	if (maptable != NULL) {
+		KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
+		maptable = NULL;
+	}
 }
 
 
@@ -1728,7 +2231,7 @@ void *ifp;
 			 * new one.
 			 */
 			sum1 = nat->nat_outip.s_addr;
-			if (fr_ifpaddr(ifp2, &in) != -1)
+			if (fr_ifpaddr(4, ifp2, &in) != -1)
 				nat->nat_outip = in;
 			sum2 = nat->nat_outip.s_addr;
 
@@ -1747,6 +2250,7 @@ void *ifp;
 			nat->nat_sumd[1] = nat->nat_sumd[0];
 		}
 
+<<<<<<< ip_nat.c
 	for (n = nat_list; (n != NULL); n = n->in_next)
 		if (n->in_ifp == ifp) {
 			n->in_ifp = (void *)GETUNIT(n->in_ifname);
@@ -1754,6 +2258,15 @@ void *ifp;
 				n->in_ifp = (void *)-1;
 		}
 	RWLOCK_EXIT(&ipf_nat);
+=======
+	for (n = nat_list; (n != NULL); n = n->in_next)
+		if (n->in_ifp == ifp) {
+			n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
+			if (!n->in_ifp)
+				n->in_ifp = (void *)-1;
+		}
+	RWLOCK_EXIT(&ipf_nat);
+>>>>>>> 1.1.1.8
 	SPL_X(s);
 }
 
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h
index c66df75..8b8092d 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.h
+++ b/sys/contrib/ipfilter/netinet/ip_nat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -18,23 +18,15 @@
 #endif
 
 #if defined(__STDC__) || defined(__GNUC__)
-#define	SIOCADNAT	_IOW('r', 80, struct ipnat)
-#define	SIOCRMNAT	_IOW('r', 81, struct ipnat)
-#define	SIOCGNATS	_IOR('r', 82, struct natstat)
-#define	SIOCGNATL	_IOWR('r', 83, struct natlookup)
-#define SIOCGFRST	_IOR('r', 84, struct ipfrstat)
-#define SIOCGIPST	_IOR('r', 85, struct ips_stat)
-#define	SIOCFLNAT	_IOWR('r', 86, int)
-#define	SIOCCNATL	_IOWR('r', 87, int)
+#define	SIOCADNAT	_IOW('r', 60, struct ipnat *)
+#define	SIOCRMNAT	_IOW('r', 61, struct ipnat *)
+#define	SIOCGNATS	_IOWR('r', 62, struct natstat *)
+#define	SIOCGNATL	_IOWR('r', 63, struct natlookup *)
 #else
-#define	SIOCADNAT	_IOW(r, 80, struct ipnat)
-#define	SIOCRMNAT	_IOW(r, 81, struct ipnat)
-#define	SIOCGNATS	_IOR(r, 82, struct natstat)
-#define	SIOCGNATL	_IOWR(r, 83, struct natlookup)
-#define SIOCGFRST	_IOR(r, 84, struct ipfrstat)
-#define SIOCGIPST	_IOR(r, 85, struct ips_stat)
-#define	SIOCFLNAT	_IOWR(r, 86, int)
-#define	SIOCCNATL	_IOWR(r, 87, int)
+#define	SIOCADNAT	_IOW(r, 60, struct ipnat *)
+#define	SIOCRMNAT	_IOW(r, 61, struct ipnat *)
+#define	SIOCGNATS	_IOWR(r, 62, struct natstat *)
+#define	SIOCGNATL	_IOWR(r, 63, struct natlookup *)
 #endif
 
 #undef	LARGE_NAT	/* define this if you're setting up a system to NAT
@@ -46,14 +38,17 @@
 			 */
 #define	NAT_SIZE	127
 #define	RDR_SIZE	127
+#define	HOSTMAP_SIZE	127
 #define	NAT_TABLE_SZ	127
 #ifdef	LARGE_NAT
 #undef	NAT_SIZE
 #undef	RDR_SIZE
 #undef	NAT_TABLE_SZ
+#undef	HOSTMAP_SIZE	127
 #define	NAT_SIZE	2047
 #define	RDR_SIZE	2047
 #define	NAT_TABLE_SZ	16383
+#define	HOSTMAP_SIZE	8191
 #endif
 #ifndef	APR_LABELLEN
 #define	APR_LABELLEN	16
@@ -62,14 +57,16 @@
 
 #define	DEF_NAT_AGE	1200     /* 10 minutes (600 seconds) */
 
+struct ap_session;
+
 typedef	struct	nat	{
 	u_long	nat_age;
 	int	nat_flags;
 	u_32_t	nat_sumd[2];
 	u_32_t	nat_ipsumd;
 	void	*nat_data;
-	void	*nat_aps;		/* proxy session */
-	frentry_t	*nat_fr;	/* filter rule ptr if appropriate */
+	struct	ap_session	*nat_aps;		/* proxy session */
+	struct	frentry	*nat_fr;	/* filter rule ptr if appropriate */
 	struct	in_addr	nat_inip;
 	struct	in_addr	nat_outip;
 	struct	in_addr	nat_oip;	/* other ip */
@@ -82,17 +79,24 @@ typedef	struct	nat	{
 	u_char	nat_tcpstate[2];
 	u_char	nat_p;			/* protocol for NAT */
 	struct	ipnat	*nat_ptr;	/* pointer back to the rule */
+	struct	hostmap	*nat_hm;
 	struct	nat	*nat_next;
 	struct	nat	*nat_hnext[2];
 	struct	nat	**nat_hstart[2];
 	void	*nat_ifp;
 	int	nat_dir;
+	char	nat_ifname[IFNAMSIZ];
+#if SOLARIS || defined(_sgi)
+	kmutex_t	nat_lock;
+#endif
 } nat_t;
 
 typedef	struct	ipnat	{
 	struct	ipnat	*in_next;
 	struct	ipnat	*in_rnext;
+	struct	ipnat	**in_prnext;
 	struct	ipnat	*in_mnext;
+	struct	ipnat	**in_pmnext;
 	void	*in_ifp;
 	void	*in_apr;
 	u_long	in_space;
@@ -107,11 +111,11 @@ typedef	struct	ipnat	{
 	struct	in_addr	in_in[2];
 	struct	in_addr	in_out[2];
 	struct	in_addr	in_src[2];
+	struct	frtuc	in_tuc;
 	int	in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
 	char	in_ifname[IFNAMSIZ];
 	char	in_plabel[APR_LABELLEN];	/* proxy label */
 	char	in_p;	/* protocol */
-	u_short	in_dport;
 } ipnat_t;
 
 #define	in_pmin		in_port[0]	/* Also holds static redir port */
@@ -123,6 +127,12 @@ typedef	struct	ipnat	{
 #define	in_outmsk	in_out[1].s_addr
 #define	in_srcip	in_src[0].s_addr
 #define	in_srcmsk	in_src[1].s_addr
+#define	in_scmp		in_tuc.ftu_scmp
+#define	in_dcmp		in_tuc.ftu_dcmp
+#define	in_stop		in_tuc.ftu_stop
+#define	in_dtop		in_tuc.ftu_dtop
+#define	in_sport	in_tuc.ftu_sport
+#define	in_dport	in_tuc.ftu_dport
 
 #define	NAT_OUTBOUND	0
 #define	NAT_INBOUND	1
@@ -147,6 +157,34 @@ typedef	struct	natlookup {
 	u_short	nl_realport;
 } natlookup_t;
 
+
+typedef struct  nat_save    {
+	void	*ipn_next;
+	struct	nat	ipn_nat;
+	struct	ipnat	ipn_ipnat;
+	struct	frentry ipn_fr;
+	int	ipn_dsize;
+	char	ipn_data[4];
+} nat_save_t;
+
+#define	ipn_rule	ipn_nat.nat_fr
+
+typedef	struct	natget	{
+	void	*ng_ptr;
+	int	ng_sz;
+} natget_t;
+
+
+typedef	struct	hostmap	{
+	struct	hostmap	*hm_next;
+	struct	hostmap	**hm_pnext;
+	struct	ipnat	*hm_ipnat;
+	struct	in_addr	hm_realip;
+	struct	in_addr	hm_mapip;
+	int	hm_ref;
+} hostmap_t;
+
+
 typedef	struct	natstat	{
 	u_long	ns_mapped[2];
 	u_long	ns_rules;
@@ -155,6 +193,8 @@ typedef	struct	natstat	{
 	u_long	ns_inuse;
 	u_long	ns_logged;
 	u_long	ns_logfail;
+	u_long	ns_memfail;
+	u_long	ns_badnat;
 	nat_t	**ns_table[2];
 	ipnat_t	*ns_list;
 	void	*ns_apslist;
@@ -164,16 +204,20 @@ typedef	struct	natstat	{
 	nat_t	*ns_instances;
 } natstat_t;
 
-#define	IPN_ANY		0x00
-#define	IPN_TCP		0x01
-#define	IPN_UDP		0x02
+#define	IPN_ANY		0x000
+#define	IPN_TCP		0x001
+#define	IPN_UDP		0x002
 #define	IPN_TCPUDP	(IPN_TCP|IPN_UDP)
-#define	IPN_DELETE	0x04
-#define	IPN_ICMPERR	0x08
+#define	IPN_DELETE	0x004
+#define	IPN_ICMPERR	0x008
 #define	IPN_RF		(IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
-#define	IPN_AUTOPORTMAP	0x10
-#define	IPN_RANGE	0x20
-#define	IPN_USERFLAGS	(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_RANGE)
+#define	IPN_AUTOPORTMAP	0x010
+#define	IPN_IPRANGE	0x020
+#define	IPN_USERFLAGS	(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|\
+			 IPN_SPLIT|IPN_ROUNDR|IPN_FILTER)
+#define	IPN_FILTER	0x040
+#define	IPN_SPLIT	0x080
+#define	IPN_ROUNDR	0x100
 
 
 typedef	struct	natlog {
@@ -195,7 +239,7 @@ typedef	struct	natlog {
 #define	NL_NEWRDR	NAT_REDIRECT
 #define	NL_EXPIRE	0xffff
 
-#define	NAT_HASH_FN(k,m)	(((k) + ((k) >> 12)) % (m))
+#define	NAT_HASH_FN(k,l,m)	(((k) + ((k) >> 12) + l) % (m))
 
 #define	LONG_SUM(in)	(((in) & 0xffff) + ((in) >> 16))
 
@@ -214,6 +258,7 @@ typedef	struct	natlog {
 extern	u_int	ipf_nattable_sz;
 extern	u_int	ipf_natrules_sz;
 extern	u_int	ipf_rdrrules_sz;
+extern	int	fr_nat_lock;
 extern	void	ip_natsync __P((void *));
 extern	u_long	fr_defnatage;
 extern	u_long	fr_defnaticmpage;
@@ -222,7 +267,7 @@ extern	nat_t	*nat_instances;
 extern	ipnat_t	**nat_rules;
 extern	ipnat_t	**rdr_rules;
 extern	natstat_t	nat_stats;
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 extern	int	nat_ioctl __P((caddr_t, u_long, int));
 #else
 extern	int	nat_ioctl __P((caddr_t, int, int));
@@ -236,10 +281,10 @@ extern	nat_t	*nat_inlookup __P((void *, u_int, u_int, struct in_addr,
 extern	nat_t	*nat_maplookup __P((void *, u_int, struct in_addr,
 				struct in_addr));
 extern	nat_t	*nat_lookupredir __P((natlookup_t *));
-extern	nat_t	*nat_icmpinlookup __P((ip_t *, fr_info_t *));
-extern	nat_t	*nat_icmpin __P((ip_t *, fr_info_t *, u_int *));
+extern	nat_t	*nat_icmplookup __P((ip_t *, fr_info_t *, int));
+extern	nat_t	*nat_icmp __P((ip_t *, fr_info_t *, u_int *, int));
+extern	void	nat_insert __P((nat_t *));
 
-extern	int	ip_natout __P((ip_t *, fr_info_t *));
 extern	int	ip_natin __P((ip_t *, fr_info_t *));
 extern	void	ip_natunload __P((void)), ip_natexpire __P((void));
 extern	void	nat_log __P((struct nat *, u_int));
author	darrenr <darrenr@FreeBSD.org>	2000-05-24 04:01:30 +0000
committer	darrenr <darrenr@FreeBSD.org>	2000-05-24 04:01:30 +0000
commit	3a99aee60f0a28e131e1ae80b6da2da06700a956 (patch)
tree	82a735415c85206fcb15a0a9b5d5f6d7f92b604a /sys/contrib
parent	9c26b06dba2d89b362983cd4e3bf5f9d7d1ff971 (diff)
download	FreeBSD-src-3a99aee60f0a28e131e1ae80b6da2da06700a956.zip FreeBSD-src-3a99aee60f0a28e131e1ae80b6da2da06700a956.tar.gz