author | piso <piso@FreeBSD.org> | 2007-01-03 11:12:54 +0000 |
---|---|---|
committer | piso <piso@FreeBSD.org> | 2007-01-03 11:12:54 +0000 |
commit | 2ccef570147b02f17967d546d2519b725f295b1c (patch) | |
tree | ba35f13f9a89db1ef690ac54c22f16ebe97b4754 /sys | |
parent | 945b2641394424c349501740142e494f5577ec61 (diff) | |
Wrap ipfw nat support in a new kernel config option named
"IPFIREWALL_NAT": this way nat is turned off by default and
POLA (the principle of least astonishment) is preserved.
Reviewed by: rwatson
Diffstat (limited to 'sys')
-rw-r--r-- | sys/conf/NOTES | 5 | ||||
-rw-r--r-- | sys/conf/options | 1 | ||||
-rw-r--r-- | sys/netinet/ip_fw2.c | 17 |
3 files changed, 22 insertions, 1 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 6df0374..6a60e3c 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -841,6 +841,10 @@ device stf #6to4 IPv6 over IPv4 encapsulation
 # packets too. Because of this great care is required when
 # crafting the ruleset.
 #
+# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
+# LIBALIAS. To build an ipfw kld with nat support enabled, add
+# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
+#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the TTL). This can be useful to hide firewalls
 # from traceroute and similar tools.
@@ -856,6 +860,7 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
 options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
 options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
 options IPFIREWALL_FORWARD #packet destination changes
+options IPFIREWALL_NAT #ipfw kernel nat support
 options IPDIVERT #divert sockets
 options IPFILTER #ipfilter support
 options IPFILTER_LOG #ipfilter logging
diff --git a/sys/conf/options b/sys/conf/options
index 2551246..388421e 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -374,6 +374,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
 IPFIREWALL_FORWARD opt_ipfw.h
+IPFIREWALL_NAT opt_ipfw.h
 IPSTEALTH
 IPX
 IPXIP opt_ipx.h
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 8278eaf..1644f7f 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -84,9 +84,10 @@
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 #include <netinet/sctp.h>
-
+#ifdef IPFIREWALL_NAT
 #include <netinet/libalias/alias.h>
 #include <netinet/libalias/alias_local.h>
+#endif
 #include <netgraph/ng_ipfw.h>
 #include <altq/if_altq.h>
 
@@ -307,7 +308,9 @@ static struct sysctl_oid *ip6_fw_sysctl_tree; #endif /* INET6 */ #endif /* SYSCTL_NODE */ +#ifdef IPFIREWALL_NAT MODULE_DEPEND(ipfw, libalias, 1, 1, 1); +#endif static int fw_deny_unknown_exthdrs = 1; @@ -2060,6 +2063,7 @@ check_uidgid(ipfw_insn_u32 *insn, return match; } +#ifdef IPFIREWALL_NAT static eventhandler_tag ifaddr_event_tag; static void @@ -2231,6 +2235,7 @@ bad: /* something really bad happened: panic! */ panic("%s\n", panic_err); } +#endif /* * The main check routine for the firewall. @@ -3474,6 +3479,7 @@ check_body: IP_FW_NETGRAPH : IP_FW_NGTEE; goto done; +#ifdef IPFIREWALL_NAT case O_NAT: { struct cfg_nat *t; struct mbuf *mcl; @@ -3644,6 +3650,7 @@ check_body: retval = IP_FW_NAT; goto done; } +#endif default: panic("-- unknown opcode %d\n", cmd->opcode); @@ -4593,6 +4600,7 @@ ipfw_ctl(struct sockopt *sopt) } break; +#ifdef IPFIREWALL_NAT case IP_FW_NAT_CFG: { struct cfg_nat *ptr, *ser_n; @@ -4771,6 +4779,7 @@ ipfw_ctl(struct sockopt *sopt) free(data, M_IPFW); } break; +#endif default: printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name); @@ -4944,9 +4953,11 @@ ipfw_init(void) ip_fw_ctl_ptr = ipfw_ctl; ip_fw_chk_ptr = ipfw_chk; callout_reset(&ipfw_timeout, hz, ipfw_tick, NULL); +#ifdef IPFIREWALL_NAT LIST_INIT(&layer3_chain.nat); ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, NULL, EVENTHANDLER_PRI_ANY); +#endif return (0); } @@ -4954,13 +4965,16 @@ void ipfw_destroy(void) { struct ip_fw *reap; +#ifdef IPFIREWALL_NAT struct cfg_nat *ptr, *ptr_temp; +#endif ip_fw_chk_ptr = NULL; ip_fw_ctl_ptr = NULL; callout_drain(&ipfw_timeout); IPFW_WLOCK(&layer3_chain); flush_tables(&layer3_chain); +#ifdef IPFIREWALL_NAT LIST_FOREACH_SAFE(ptr, &layer3_chain.nat, _next, ptr_temp) { LIST_REMOVE(ptr, _next); del_redir_spool_cfg(ptr, &ptr->redir_chain); 
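Review bot: With IPFIREWALL_NAT undefined, a rule carrying the O_NAT opcode that reaches ipfw_chk now lands on `default: panic("-- unknown opcode %d\n", cmd->opcode);` in the `@@ -3644,6 +3650,7 @@` hunk, because the `#ifdef IPFIREWALL_NAT` added in the `@@ -3474,6 +3479,7 @@` hunk compiles out `case O_NAT:` without adding a replacement. Whether that is reachable depends on the rule-insertion validation (check_ipfw_struct) refusing O_NAT when the option is off, and that function is not touched by this diff; if it still accepts the opcode, a privileged `ipfw nat` rule becomes a root-triggerable kernel panic on the first matching packet instead of an EINVAL at setsockopt time. I would either guard the O_NAT acceptance in check_ipfw_struct with the same `#ifdef IPFIREWALL_NAT`, or keep a minimal `case O_NAT:` here that drops the packet and logs once rather than relying on the panic path. The enclosing ipfw_chk body starts and ends outside these hunks.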
@@ -4968,6 +4982,7 @@ ipfw_destroy(void) free(ptr, M_IPFW); } EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag); +#endif layer3_chain.reap = NULL; free_chain(&layer3_chain, 1 /* kill default rule */); reap = layer3_chain.reap, layer3_chain.reap = NULL; |