diff options
Diffstat (limited to 'sys/contrib/ipfilter/netinet/ip_nat.c')
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_nat.c | 571 |
1 files changed, 423 insertions, 148 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 3c9476f..e1774b3 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1995-1996 by Darren Reed. + * Copyright (C) 1995-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,9 +7,9 @@ * * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com) */ -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $"; +#if !defined(lint) +static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -28,19 +28,23 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp #include <sys/file.h> #if defined(KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> -# include <sys/fnctl.h> +# include <sys/fcntl.h> #else # include <sys/ioctl.h> #endif #include <sys/fcntl.h> #include <sys/uio.h> -#include <sys/protosw.h> +#ifndef linux +# include <sys/protosw.h> +#endif #include <sys/socket.h> -#ifdef _KERNEL +#if defined(_KERNEL) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) -# include <sys/mbuf.h> +# ifndef linux +# include <sys/mbuf.h> +# endif #else # include <sys/filio.h> # include <sys/byteorder.h> @@ -63,18 +67,27 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp #include <netinet/in_systm.h> #include <netinet/ip.h> +#ifdef __sgi +# ifdef IFF_DRVRLOCK /* IRIX6 */ +#include <sys/hashing.h> +#include <netinet/in_var.h> +# endif +#endif + #ifdef RFC1825 #include <vpn/md5.h> #include <vpn/ipsec.h> extern struct ifnet vpnif; #endif -#include <netinet/ip_var.h> +#ifndef linux +# include <netinet/ip_var.h> +#endif #include <netinet/tcp.h> #include <netinet/udp.h> -#include <netinet/tcpip.h> #include <netinet/ip_icmp.h> #include "netinet/ip_compat.h" +#include <netinet/tcpip.h> #include "netinet/ip_fil.h" #include "netinet/ip_proxy.h" #include "netinet/ip_nat.h" @@ -88,14 +101,32 @@ extern struct ifnet vpnif; nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; ipnat_t *nat_list = NULL; -u_long fr_defnatage = 1200; +u_long fr_defnatage = 1200, /* 10 minutes (600 seconds) */ + fr_defnaticmpage = 6; /* 3 seconds */ natstat_t nat_stats; -#if SOLARIS && defined(_KERNEL) +#if (SOLARIS || defined(__sgi)) && defined(_KERNEL) extern kmutex_t ipf_nat; -extern kmutex_t ipf_natfrag; #endif -static int flush_nattable __P((void)), clear_natlist __P((void)); +static int nat_flushtable __P((void)); +static int nat_clearlist __P((void)); +static void nat_delete __P((struct nat *)); +static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *)); + + +#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16)) + +#define CALC_SUMD(s1, s2, sd) { \ + /* Do it twice */ \ + (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ + (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ + /* Do it twice */ \ + (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ + (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ + /* Because ~1 == -2, We really need ~1 == -1 */ \ + if ((s1) > (s2)) (s2)--; \ + (sd) = (s2) - (s1); \ + (sd) = ((sd) & 0xffff) + ((sd) >> 16); } void fix_outcksum(sp, n) u_short *sp; @@ -104,11 +135,9 @@ u_long n; register u_short sumshort; register u_long sum1; -#ifdef sparc - sum1 = (~(*sp)) & 0xffff; -#else + if (!n) + return; sum1 = (~ntohs(*sp)) & 0xffff; -#endif sum1 += (n); sum1 = (sum1 >> 16) + (sum1 & 0xffff); /* Again */ @@ -125,6 +154,8 @@ u_long n; register u_short sumshort; register u_long sum1; + if (!n) + return; #ifdef sparc sum1 = (~(*sp)) & 0xffff; #else @@ -164,21 +195,33 @@ u_long n; * Handle ioctls which manipulate the NAT. */ int nat_ioctl(data, cmd, mode) +#if defined(__NetBSD__) || defined(__OpenBSD__) +u_long cmd; +#else +int cmd; +#endif caddr_t data; -int cmd, mode; +int mode; { register ipnat_t *nat, *n = NULL, **np = NULL; ipnat_t natd; - int error = 0, ret, s; + int error = 0, ret; +#if defined(_KERNEL) && !SOLARIS + int s; +#endif + + nat = NULL; /* XXX gcc -Wuninitialized */ /* * For add/delete, look to see if the NAT entry is already present */ + SPL_NET(s); MUTEX_ENTER(&ipf_nat); - SPLNET(s); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { IRCOPY(data, (char *)&natd, sizeof(natd)); nat = &natd; + nat->in_inip &= nat->in_inmsk; + nat->in_outip &= nat->in_outmsk; for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, IPN_CMPSIZ)) @@ -201,8 +244,10 @@ int cmd, mode; error = ENOMEM; break; } - IRCOPY((char *)data, (char *)n, sizeof(*n)); + bcopy((char *)nat, (char *)n, sizeof(*n)); n->in_ifp = (void *)GETUNIT(n->in_ifname); + if (!n->in_ifp) + n->in_ifp = (void *)-1; n->in_apr = ap_match(n->in_p, n->in_plabel); n->in_next = *np; n->in_use = 0; @@ -211,7 +256,7 @@ int cmd, mode; n->in_space -= 2; else n->in_space = 1; /* single IP# mapping */ - if (n->in_outmsk != 0xffffffff) + if ((n->in_outmsk != 0xffffffff) && n->in_outmsk) n->in_nip = ntohl(n->in_outip) + 1; else n->in_nip = ntohl(n->in_outip); @@ -260,9 +305,9 @@ int cmd, mode; IRCOPY((char *)data, (char *)&nl, sizeof(nl)); - if (nat_lookupredir(&nl)) + if (nat_lookupredir(&nl)) { IWCOPY((char *)&nl, (char *)data, sizeof(nl)); - else + } else error = ESRCH; break; } @@ -271,7 +316,7 @@ int cmd, mode; error = EPERM; break; } - ret = flush_nattable(); + ret = nat_flushtable(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case SIOCCNATL : @@ -279,21 +324,25 @@ int cmd, mode; error = EPERM; break; } - ret = clear_natlist(); + ret = nat_clearlist(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case FIONREAD : #ifdef IPFILTER_LOG - *(int *)data = iplused[IPL_LOGNAT]; + IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, + sizeof(iplused[IPL_LOGNAT])); #endif break; } - SPLX(s); MUTEX_EXIT(&ipf_nat); + SPL_X(s); return error; } +/* + * Delete a nat entry from the various lists and table. + */ static void nat_delete(natd) struct nat *natd; { @@ -314,6 +363,11 @@ struct nat *natd; break; } + /* + * If there is an active reference from the nat entry to its parent + * rule, decrement the rule's reference count and free it too if no + * longer being used. + */ if ((ipn = natd->nat_ptr)) { ipn->in_space++; ipn->in_use--; @@ -324,18 +378,20 @@ struct nat *natd; nat_stats.ns_rules--; } } - MUTEX_ENTER(&ipf_natfrag); - if (nat->nat_frag && nat->nat_frag->ipfr_data == nat) - nat->nat_frag->ipfr_data = NULL; - MUTEX_EXIT(&ipf_natfrag); + + /* + * If there's a fragment table entry too for this nat entry, then + * dereference that as well. + */ + ipfr_forget((void *)natd); KFREE(natd); } /* - * flush_nattable - clear the NAT table of all mapping entries. + * nat_flushtable - clear the NAT table of all mapping entries. */ -static int flush_nattable() +static int nat_flushtable() { register nat_t *nat, **natp; register int j = 0; @@ -358,9 +414,9 @@ static int flush_nattable() /* - * clear_natlist - delete all entries in the active NAT mapping list. + * nat_clearlist - delete all entries in the active NAT mapping list. */ -static int clear_natlist() +static int nat_clearlist() { register ipnat_t *n, **np = &nat_list; int i = 0; @@ -384,14 +440,89 @@ static int clear_natlist() /* + * return the first IP Address associated with an interface + */ +static int nat_ifpaddr(nat, ifptr, inp) +nat_t *nat; +void *ifptr; +struct in_addr *inp; +{ +#if SOLARIS + ill_t *ill = ifptr; +#else + struct ifnet *ifp = ifptr; +#endif + struct in_addr in; + +#if SOLARIS + in.s_addr = ill->ill_ipif->ipif_local_addr; +#else /* SOLARIS */ +# if linux + ; +# else /* linux */ + struct ifaddr *ifa; + struct sockaddr_in *sin; + +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_FIRST(&ifp->if_addrhead); +# else +# if defined(__NetBSD__) || defined(__OpenBSD__) + ifa = ifp->if_addrlist.tqh_first; +# else +# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ + ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa; +# else + ifa = ifp->if_addrlist; +# endif +# endif /* __NetBSD__ || __OpenBSD__ */ +# endif /* __FreeBSD_version >= 300000 */ +# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK)) + sin = (SOCKADDR_IN *)&ifa->ifa_addr; +# else + sin = (SOCKADDR_IN *)ifa->ifa_addr; + while (sin && ifa && + sin->sin_family != AF_INET) { +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_NEXT(ifa, ifa_link); +# else +# if defined(__NetBSD__) || defined(__OpenBSD__) + ifa = ifa->ifa_list.tqe_next; +# else + ifa = ifa->ifa_next; +# endif +# endif /* __FreeBSD_version >= 300000 */ + if (ifa) + sin = (SOCKADDR_IN *)ifa->ifa_addr; + } + if (!ifa) + sin = NULL; + if (!sin) { + KFREE(nat); + return -1; + } +# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */ + in = sin->sin_addr; + in.s_addr = ntohl(in.s_addr); +# endif /* linux */ +#endif /* SOLARIS */ + *inp = in; + return 0; +} + + +/* * Create a new NAT table entry. */ +#ifdef __STDC__ +nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction) +#else nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; u_short flags; int direction; +#endif { register u_long sum1, sum2, sumd; u_short port = 0, sport = 0, dport = 0, nport = 0; @@ -419,11 +550,6 @@ int direction; * Search the current table for a match. */ if (direction == NAT_OUTBOUND) { -#if SOLARIS - ill_t *ill = fin->fin_ifp; -#else - struct ifnet *ifp = fin->fin_ifp; -#endif /* * If it's an outbound packet which doesn't match any existing * record, then create a new port @@ -432,50 +558,13 @@ int direction; port = 0; in.s_addr = np->in_nip; if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { -#if SOLARIS - in.s_addr = ill->ill_ipif->ipif_local_addr; -#else - struct ifaddr *ifa; - struct sockaddr_in *sin; - -# if (__FreeBSD_version >= 300000) - ifa = TAILQ_FIRST(&ifp->if_addrhead); -# else -# ifdef __NetBSD__ - ifa = ifp->if_addrlist.tqh_first; -# else - ifa = ifp->if_addrlist; -# endif -# endif -# if BSD < 199306 - sin = (SOCKADDR_IN *)&ifa->ifa_addr; -# else - sin = (SOCKADDR_IN *)ifa->ifa_addr; - while (sin && ifa && - sin->sin_family != AF_INET) { -# if (__FreeBSD_version >= 300000) - ifa = TAILQ_NEXT(ifa, ifa_link); -# else -# ifdef __NetBSD__ - ifa = ifa->ifa_list.tqe_next; -# else - ifa = ifa->ifa_next; -# endif -# endif - sin = (SOCKADDR_IN *)ifa->ifa_addr; - } - if (!ifa) - sin = NULL; - if (!sin) { - KFREE(nat); + if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) return NULL; - } -# endif - in = sin->sin_addr; - in.s_addr = ntohl(in.s_addr); -#endif - } - if (nflags & IPN_TCPUDP) { + } else if (!in.s_addr && !np->in_outmsk) { + in.s_addr = ntohl(ip->ip_src.s_addr); + if (nflags & IPN_TCPUDP) + port = sport; + } else if (nflags & IPN_TCPUDP) { port = htons(np->in_pnext++); if (np->in_pnext >= ntohs(np->in_pmax)) { np->in_pnext = ntohs(np->in_pmin); @@ -520,7 +609,7 @@ int direction; * internal port. */ in.s_addr = ntohl(np->in_inip); - if (!(nport = np->in_pnext)) + if (!(nport = htons(np->in_pnext))) nport = dport; nat->nat_inip.s_addr = htonl(in.s_addr); @@ -597,10 +686,10 @@ int direction; nat->nat_dir = direction; if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) - tcp->th_sport = htons(port); + tcp->th_sport = port; } else { if (flags & IPN_TCPUDP) - tcp->th_dport = htons(nport); + tcp->th_dport = nport; } nat_stats.ns_added++; nat_stats.ns_inuse++; @@ -609,6 +698,132 @@ int direction; } +nat_t *nat_icmpinlookup(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + icmphdr_t *icmp; + tcphdr_t *tcp = NULL; + ip_t *oip; + int flags = 0, type; + + icmp = (icmphdr_t *)fin->fin_dp; + /* + * Does it at least have the return (basic) IP header ? + * Only a basic IP header (no options) should be with an ICMP error + * header. + */ + if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t))) + return NULL; + type = icmp->icmp_type; + /* + * If it's not an error type, then return. + */ + if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) && + (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) && + (type != ICMP_PARAMPROB)) + return NULL; + + oip = (ip_t *)((char *)fin->fin_dp + 8); + if (oip->ip_p == IPPROTO_TCP) + flags = IPN_TCP; + else if (oip->ip_p == IPPROTO_UDP) + flags = IPN_UDP; + if (flags & IPN_TCPUDP) { + tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); + return nat_inlookup(fin->fin_ifp, flags, oip->ip_dst, + tcp->th_dport, oip->ip_src, tcp->th_sport); + } + return nat_inlookup(fin->fin_ifp, 0, oip->ip_src, 0, oip->ip_dst, 0); +} + + +/* + * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP + * packet gets correctly recognised. + */ +nat_t *nat_icmpin(ip, fin, nflags) +ip_t *ip; +fr_info_t *fin; +int *nflags; +{ + icmphdr_t *icmp; + nat_t *nat; + ip_t *oip; + int flags = 0; + + if (!(nat = nat_icmpinlookup(ip, fin))) + return NULL; + + *nflags = IPN_ICMPERR; + icmp = (icmphdr_t *)fin->fin_dp; + oip = (ip_t *)((char *)icmp + 8); + if (oip->ip_p == IPPROTO_TCP) + flags = IPN_TCP; + else if (oip->ip_p == IPPROTO_UDP) + flags = IPN_UDP; + /* + * Need to adjust ICMP header to include the real IP#'s and + * port #'s. Only apply a checksum change relative to the + * IP address change is it will be modified again in ip_natout + * for both address and port. Two checksum changes are + * necessary for the two header address changes. Be careful + * to only modify the checksum once for the port # and twice + * for the IP#. + */ + if (flags & IPN_TCPUDP) { + tcphdr_t *tcp = (tcphdr_t *)(oip + 1); + u_long sum1, sum2, sumd; + struct in_addr in; + + if (nat->nat_dir == NAT_OUTBOUND) { + sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); + in = nat->nat_outip; + oip->ip_src = in; + tcp->th_sport = nat->nat_outport; + } else { + sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr)); + in = nat->nat_inip; + oip->ip_dst = in; + tcp->th_dport = nat->nat_inport; + } + + sum2 = LONG_SUM(in.s_addr); + + CALC_SUMD(sum1, sum2, sumd); + sumd = (sumd & 0xffff) + (sumd >> 16); + + if (nat->nat_dir == NAT_OUTBOUND) { + fix_incksum(&oip->ip_sum, sumd); + fix_incksum(&icmp->icmp_cksum, sumd); + } else { + fix_outcksum(&oip->ip_sum, sumd); + fix_outcksum(&icmp->icmp_cksum, sumd); + } + + /* + * TCP checksum doesn't make it into the 1st eight + * bytes but UDP does. + */ + if (ip->ip_p == IPPROTO_UDP) { + udphdr_t *udp = (udphdr_t *)tcp; + + if (udp->uh_sum) { + if (nat->nat_dir == NAT_OUTBOUND) + fix_incksum(&udp->uh_sum, + nat->nat_sumd); + else + fix_outcksum(&udp->uh_sum, + nat->nat_sumd); + } + } + } else + ip->ip_dst = nat->nat_outip; + nat->nat_age = fr_defnaticmpage; + return nat; +} + + /* * NB: these lookups don't lock access to the list, it assume it has already * been done! @@ -619,11 +834,15 @@ int direction; * we're looking for a table entry, based on the destination address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ +#ifdef __STDC__ +nat_t *nat_inlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr mapdst, u_short mapdport) +#else nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport) void *ifp; register int flags; struct in_addr src , mapdst; u_short sport, mapdport; +#endif { register nat_t *nat; @@ -648,24 +867,29 @@ u_short sport, mapdport; * we're looking for a table entry, based on the source address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ +#ifdef __STDC__ +nat_t *nat_outlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr dst, u_short dport) +#else nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport) void *ifp; register int flags; struct in_addr src , dst; u_short sport, dport; +#endif { register nat_t *nat; flags &= IPN_TCPUDP; nat = nat_table[0][src.s_addr % NAT_SIZE]; - for (; nat; nat = nat->nat_hnext[0]) + for (; nat; nat = nat->nat_hnext[0]) { if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && flags == nat->nat_flags && (!flags || (nat->nat_inport == sport && nat->nat_oport == dport))) return nat; + } return NULL; } @@ -675,11 +899,15 @@ u_short sport, dport; * real destination address/port. We use this lookup when sending a packet * out, we're looking for a table entry, based on the source address. */ +#ifdef __STDC__ +nat_t *nat_lookupmapip(void *ifp, int flags, struct in_addr mapsrc, u_short mapsport, struct in_addr dst, u_short dport) +#else nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport) void *ifp; register int flags; struct in_addr mapsrc , dst; u_short mapsport, dport; +#endif { register nat_t *nat; @@ -710,10 +938,11 @@ register natlookup_t *np; * If nl_inip is non null, this is a lookup based on the real * ip address. Else, we use the fake. */ - if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport, - np->nl_outip, np->nl_outport))) { - np->nl_inip = nat->nat_outip; - np->nl_inport = nat->nat_outport; + if ((nat = nat_outlookup(NULL, np->nl_flags, np->nl_inip, + np->nl_inport, np->nl_outip, + np->nl_outport))) { + np->nl_realip = nat->nat_outip; + np->nl_realport = nat->nat_outport; } return nat; } @@ -731,10 +960,11 @@ fr_info_t *fin; register ipnat_t *np; register u_long ipa; tcphdr_t *tcp = NULL; - nat_t *nat; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; frentry_t *fr; + nat_t *nat; + int natadd = 1; if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) @@ -757,11 +987,12 @@ fr_info_t *fin; ipa = ip->ip_src.s_addr; MUTEX_ENTER(&ipf_nat); - if ((nat = ipfr_nat_knownfrag(ip, fin))) - ; - else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport, + if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && + (nat = ipfr_nat_knownfrag(ip, fin))) + natadd = 0; + else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport, ip->ip_dst, dport))) - np = nat->nat_ptr; + ; else /* * If there is no current entry in the nat table for this IP#, @@ -794,7 +1025,7 @@ fr_info_t *fin; } if (nat) { - if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG) + if (natadd && fin->fin_fi.fi_fl & FI_FRAG) ipfr_nat_newfrag(ip, fin, 0, nat); nat->nat_age = fr_defnatage; ip->ip_src = nat->nat_outip; @@ -805,7 +1036,7 @@ fr_info_t *fin; * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ -#if SOLARIS +#if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); else @@ -872,8 +1103,9 @@ fr_info_t *fin; register struct in_addr in; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; - u_short sport = 0, dport = 0, nflags = 0, *csump = NULL; + u_short sport = 0, dport = 0, *csump = NULL; nat_t *nat; + int nflags = 0, natadd = 1; if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (ip->ip_p == IPPROTO_TCP) @@ -891,11 +1123,14 @@ fr_info_t *fin; MUTEX_ENTER(&ipf_nat); - if ((nat = ipfr_nat_knownfrag(ip, fin))) + if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags))) ; + else if ((ip->ip_off & IP_OFFMASK) && + (nat = ipfr_nat_knownfrag(ip, fin))) + natadd = 0; else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport, ip->ip_dst, dport))) - np = nat->nat_ptr; + ; else /* * If there is no current entry in the nat table for this IP#, @@ -905,16 +1140,8 @@ fr_info_t *fin; if ((np->in_ifp == ifp) && (!np->in_flags || (nflags & np->in_flags)) && ((in.s_addr & np->in_outmsk) == np->in_outip) && - (np->in_redir & NAT_REDIRECT || - np->in_pmin == dport)) { - /* - * If this rule (np) is a redirection, rather - * than a mapping, then do a nat_new. - * Otherwise, if it's just a mapping, do a - * continue; - */ - if (!(np->in_redir & NAT_REDIRECT)) - continue; + (np->in_redir & NAT_REDIRECT) && + (!np->in_pmin || np->in_pmin == dport)) { if ((nat = nat_new(np, ip, fin, nflags, NAT_INBOUND))) #ifdef IPFILTER_LOG @@ -925,10 +1152,13 @@ fr_info_t *fin; break; } if (nat) { - if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG) + if (natadd && fin->fin_fi.fi_fl & FI_FRAG) ipfr_nat_newfrag(ip, fin, 0, nat); (void) ap_check(ip, tcp, fin, nat); - nat->nat_age = fr_defnatage; + + if (nflags != IPN_ICMPERR) + nat->nat_age = fr_defnatage; + ip->ip_dst = nat->nat_inip; nat->nat_bytes += ip->ip_len; nat->nat_pkts++; @@ -937,13 +1167,13 @@ fr_info_t *fin; * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ -#if SOLARIS +#if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) fix_incksum(&ip->ip_sum, nat->nat_ipsumd); else fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); #endif - if (nflags && !(ip->ip_off & 0x1fff) && + if ((nflags & IPN_TCPUDP) && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (nat->nat_inport) @@ -994,14 +1224,10 @@ fr_info_t *fin; */ void ip_natunload() { - int s; - MUTEX_ENTER(&ipf_nat); - SPLNET(s); - (void) clear_natlist(); - (void) flush_nattable(); + (void) nat_clearlist(); + (void) nat_flushtable(); (void) ap_unload(); - SPLX(s) MUTEX_EXIT(&ipf_nat); } @@ -1013,10 +1239,12 @@ void ip_natunload() void ip_natexpire() { register struct nat *nat, **natp; +#if defined(_KERNEL) && !SOLARIS int s; +#endif + SPL_NET(s); MUTEX_ENTER(&ipf_nat); - SPLNET(s); for (natp = &nat_instances; (nat = *natp); ) { if (--nat->nat_age) { natp = &nat->nat_next; @@ -1029,34 +1257,83 @@ void ip_natexpire() nat_delete(nat); nat_stats.ns_expire++; } - SPLX(s); MUTEX_EXIT(&ipf_nat); + SPL_X(s); +} + + +/* + */ +#ifdef __STDC__ +void ip_natsync(void *ifp) +#else +void ip_natsync(ifp) +void *ifp; +#endif +{ + register nat_t *nat; + register u_long sum1, sum2, sumd; + struct in_addr in; + ipnat_t *np; +#if defined(_KERNEL) && !SOLARIS + int s; +#endif + + SPL_NET(s); + MUTEX_ENTER(&ipf_nat); + for (nat = nat_instances; nat; nat = nat->nat_next) + if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr)) + if ((np->in_outmsk == 0xffffffff) && !np->in_nip) { + /* + * Change the map-to address to be the same + * as the new one. + */ + sum1 = nat->nat_outip.s_addr; + if (nat_ifpaddr(nat, ifp, &in) == -1) + nat->nat_outip.s_addr = htonl(in.s_addr); + sum2 = nat->nat_outip.s_addr; + + /* + * Readjust the checksum adjustment to take + * into account the new IP#. + * + * Do it twice + */ + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + + /* Do it twice */ + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + + /* Because ~1 == -2, We really need ~1 == -1 */ + if (sum1 > sum2) + sum2--; + sumd = sum2 - sum1; + sumd = (sumd & 0xffff) + (sumd >> 16); + sumd += nat->nat_sumd; + nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); + } + MUTEX_EXIT(&ipf_nat); + SPL_X(s); } #ifdef IPFILTER_LOG +# ifdef __STDC__ +void nat_log(struct nat *nat, u_short type) +# else void nat_log(nat, type) struct nat *nat; u_short type; +# endif { - struct ipnat *np; - struct natlog natl; - int rulen; - - if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) { - nat_stats.ns_logfail++; - return; - } - - if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE) - iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT]; + struct ipnat *np; + struct natlog natl; + void *items[1]; + size_t sizes[1]; + int rulen, types[1]; -# ifdef sun - uniqtime(&natl); -# endif -# if BSD >= 199306 || defined(__FreeBSD__) - microtime((struct timeval *)&natl); -# endif natl.nl_inip = nat->nat_inip; natl.nl_outip = nat->nat_outip; natl.nl_origip = nat->nat_oip; @@ -1074,12 +1351,10 @@ u_short type; break; } } + items[0] = &natl; + sizes[0] = sizeof(natl); + types[0] = 0; - if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) { - iplused[IPL_LOGNAT] += sizeof(natl); - nat_stats.ns_logged++; - } else - nat_stats.ns_logfail++; - wakeup(iplbuf[IPL_LOGNAT]); + (void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1); } #endif |