-rw-r--r-- | sys/netinet/in.h | 26 | ||||
-rw-r--r-- | sys/netinet/ip_fw.h | 13 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 15 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 15 |
5 files changed, 60 insertions, 23 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 3f2dce2..99330a5 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)in.h 8.3 (Berkeley) 1/3/94
- * $Id: in.h,v 1.18 1996/07/10 19:44:20 julian Exp $
+ * $Id: in.h,v 1.19 1996/08/12 14:05:53 peter Exp $
 */
 #ifndef _NETINET_IN_H_
@@ -220,6 +220,13 @@ struct ip_opts {
 #define IP_RSVP_VIF_OFF 18 /* unset RSVP per-vif socket */
 #define IP_PORTRANGE 19 /* int; range to choose for unspec port */
+#define IP_FW_ADD 50 /* add a firewall rule to chain */
+#define IP_FW_DEL 51 /* delete a firewall rule from chain */
+#define IP_FW_FLUSH 52 /* flush firewall rule chain */
+#define IP_FW_ZERO 53 /* clear all firewall counters */
+#define IP_FW_GET 54 /* get entire firewall rule chain */
+#define IP_NAT 55 /* set/get NAT opts */
+
 /*
 * Defaults and limits for options
 */
@@ -322,10 +329,19 @@ char *inet_ntoa __P((struct in_addr)); /* in libkern */
 /* Firewall hooks */
 struct ip;
-typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
-typedef int ip_fw_ctl_t __P((int, struct mbuf**));
-extern ip_fw_chk_t *ip_fw_chk_ptr;
-extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
+typedef int ip_fw_ctl_t __P((int, struct mbuf**));
+extern ip_fw_chk_t *ip_fw_chk_ptr;
+extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+
+/* ip NAT hooks */
+typedef int ip_nat_t __P((struct ip**, struct mbuf**, int));
+typedef int ip_nat_ctl_t __P((int, struct mbuf**));
+extern ip_nat_t *ip_nat_ptr;
+extern ip_nat_ctl_t *ip_nat_ctl_ptr;
+#define IP_NAT_IN 0x00000001
+#define IP_NAT_OUT 0x00000002
+
 #endif /* KERNEL */
 #endif
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 6efa66b..5dffbec 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
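Review bot: The new `ip_nat_t` typedef says nothing about what its int return means or who owns the mbuf afterwards, yet both call sites in this commit (`return;` in ip_input.c, `error = EACCES; goto done;` in ip_output.c) leave the packet untouched on a zero return, so the only workable reading is that a zero return means the hook has consumed or freed the packet. The hook also receives `struct ip **` and `struct mbuf **`, so callers must expect `*ip`/`*m` to have been replaced on a non-zero return. I'd put that contract on the typedef: `/* Returns non-zero to continue with (possibly replaced) *ip/*m; returns 0 when the hook has consumed or freed the packet, so callers must not touch *m afterwards. */`. This is inferred from the call sites, since no NAT implementation is part of this commit; the ip_input.c and ip_output.c hunks that call the hook rely on the same unstated rule.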
@@ -11,7 +11,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- * $Id: ip_fw.h,v 1.21 1996/07/10 19:44:24 julian Exp $
+ * $Id: ip_fw.h,v 1.22 1996/08/13 19:43:41 pst Exp $
 */
 /*
@@ -114,17 +114,6 @@ struct ip_fw_chain {
 #define IP_FW_TCPF_ESTAB 0x40
 /*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- */
-#define IP_FW_BASE_CTL 50
-
-#define IP_FW_ADD (IP_FW_BASE_CTL+0)
-#define IP_FW_DEL (IP_FW_BASE_CTL+1)
-#define IP_FW_FLUSH (IP_FW_BASE_CTL+2)
-#define IP_FW_ZERO (IP_FW_BASE_CTL+3)
-#define IP_FW_GET (IP_FW_BASE_CTL+4)
-
-/*
 * Main firewall chains definitions and global var's definitions.
 */
 #ifdef KERNEL
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 2a17342..375a0f4 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.44 1996/06/12 19:34:33 gpalmer Exp $
+ * $Id: ip_input.c,v 1.45 1996/07/10 19:44:25 julian Exp $
 */
 #include "opt_ipfw.h"
@@ -114,6 +114,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 ip_fw_chk_t *ip_fw_chk_ptr;
 ip_fw_ctl_t *ip_fw_ctl_ptr;
+/* IP Network Address Translation (NAT) hooks */
+ip_nat_t *ip_nat_ptr;
+ip_nat_ctl_t *ip_nat_ctl_ptr;
+
 /*
 * We need to save the IP options in case a protocol wants to respond
 * to an incoming packet over the same route if the packet got here
@@ -175,6 +179,10 @@ ip_init()
 #ifdef IPFIREWALL
 ip_fw_init();
 #endif
+#ifdef IPNAT
+ ip_nat_init();
+#endif
+
 }
 static struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
@@ -265,6 +273,7 @@ ip_input(struct mbuf *m)
 * and it is still fresh out of network we do our black
 * deals with it.
 * - Firewall: deny/allow/divert
+ * - Xlate: translate packet's addr/port (NAT).
 * - Wrap: fake packet's addr/port <unimpl.>
 * - Encapsulate: put it in another IP and send out. <unimp.>
 */
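Review bot: `ip_nat_init()` is called under `#ifdef IPNAT` in ip_init, but nothing in this commit declares it: the in.h hunk adds the hook typedefs and externs without a prototype, and the only option header included in these hunks is `opt_ipfw.h`, so neither the function nor the IPNAT option has a visible source. Unless a header outside the diff provides both, the call compiles with an implicit declaration. Adding `void ip_nat_init __P((void));` next to the NAT hook externs in in.h, and including whatever opt_*.h defines IPNAT alongside `opt_ipfw.h`, would close that gap. ip_init's body starts outside the hunk.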
@@ -290,6 +299,9 @@ ip_input(struct mbuf *m)
 }
 }
+ if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_IN))
+ return;
+
 /*
 * Process options and, if not destined for us,
 * ship it on. ip_dooptions returns 1 when an
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index bb30a9f..8bdcabc 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.40 1996/06/08 08:18:59 bde Exp $
+ * $Id: ip_output.c,v 1.41 1996/07/10 19:44:26 julian Exp $
 */
 #define _IP_VHL
@@ -331,6 +331,19 @@ ip_output(m0, opt, ro, flags, imo)
 }
 sendit:
+ /*
+ * IpHack's section.
+ * - Xlate: translate packet's addr/port (NAT).
+ * - Firewall: deny/allow
+ * - Wrap: fake packet's addr/port <unimpl.>
+ * - Encapsulate: put it in another IP and send out. <unimp.>
+ */
+
+ if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_OUT)) {
+ error = EACCES;
+ goto done;
+ }
+
 #ifdef COMPAT_IPFW
 /*
 * Check with the firewall...
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index be5c13b..a6c80bf 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $Id: raw_ip.c,v 1.32 1996/07/20 00:16:20 alex Exp $
+ * $Id: raw_ip.c,v 1.33 1996/07/24 18:46:18 wollman Exp $
 */
 #include <sys/param.h>
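Review bot: The hook is handed `&ip` and `&m`, so after a non-zero return the packet may be a different mbuf with a different header, but nothing here refreshes anything ip_input derived from the original header before this point (the header-length local this function normally caches ahead of the option processing that follows is outside the hunk, so I cannot confirm it is affected). Either the call should be followed by a comment pinning the hook down, `/* NAT may rewrite addresses/ports in place but must not change the header length or move the header */`, or the header-derived locals should be recomputed after the call. The ip_output.c hunk below has the same exposure, since its `sendit:` path keeps using the header after the hook.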
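Review bot: The new comment lists Xlate before Firewall and the NAT call sits ahead of `#ifdef COMPAT_IPFW`, so on output the firewall sees already-translated addresses, whereas the ip_input.c change puts the NAT call after what appear to be the closing braces of the firewall block (and its comment lists Firewall first), so inbound rules see untranslated addresses. That asymmetry is exactly what a rule author needs and it is stated nowhere; a one-line note here, `/* NAT runs before the firewall on output, so rules match post-translation addresses; on input the firewall runs first and sees pre-translation addresses. */`, would keep rules from being written against the wrong address. Whether this ordering was intended is not something the hunk shows. ip_output's body continues on both sides of the hunk.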
@@ -235,23 +235,30 @@ rip_ctloutput(op, so, level, optname, m)
 #ifdef COMPAT_IPFW
 case IP_FW_GET:
- if (ip_fw_ctl_ptr==NULL || op == PRCO_SETOPT) {
+ if (ip_fw_ctl_ptr == NULL || op == PRCO_SETOPT) {
 if (*m) (void)m_free(*m);
 return(EINVAL);
 }
 return (*ip_fw_ctl_ptr)(optname, m);
+
 case IP_FW_ADD:
 case IP_FW_DEL:
 case IP_FW_FLUSH:
 case IP_FW_ZERO:
- if (ip_fw_ctl_ptr==NULL || op != PRCO_SETOPT) {
+ if (ip_fw_ctl_ptr == NULL || op != PRCO_SETOPT) {
 if (*m) (void)m_free(*m);
 return(EINVAL);
 }
-
 return (*ip_fw_ctl_ptr)(optname, m);
 #endif
+ case IP_NAT:
+ if (ip_nat_ctl_ptr == NULL) {
+ if (*m) (void)m_free(*m);
+ return(EINVAL);
+ }
+ return (*ip_nat_ctl_ptr)(optname, m);
+
 case IP_RSVP_ON:
 return ip_rsvp_init(so);
 break;
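Review bot: The new `IP_NAT` case dispatches to `ip_nat_ctl_ptr` without looking at `op`, unlike the `IP_FW_*` cases directly above it which reject the wrong direction, and `ip_nat_ctl_t` receives only `optname` and `m`, so the control function has no way to tell a PRCO_GETOPT from a PRCO_SETOPT even though in.h advertises the option as "set/get NAT opts". If both directions are meant to work, the direction has to be passed through or split into distinct option values; if only setting is meant, the guard should mirror the firewall cases, `if (ip_nat_ctl_ptr == NULL || op != PRCO_SETOPT) {`. Any privilege check on this path is presumably inherited from raw-socket creation, which is outside the hunk, so a comment saying so next to the case would help the next reader. rip_ctloutput begins before the hunk.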