xref: /titanic_52/usr/src/uts/common/inet/ipf/ip_nat.c (revision f56257d84449cae424f3943cec01573a5027af36)
1 /*
2  * Copyright (C) 1995-2004 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  */
9 
10 #if defined(KERNEL) || defined(_KERNEL)
11 # undef KERNEL
12 # undef _KERNEL
13 # define        KERNEL	1
14 # define        _KERNEL	1
15 #endif
16 #include <sys/errno.h>
17 #include <sys/types.h>
18 #include <sys/param.h>
19 #include <sys/time.h>
20 #include <sys/file.h>
21 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
22     defined(_KERNEL)
23 # include "opt_ipfilter_log.h"
24 #endif
25 #if !defined(_KERNEL)
26 # include <stdio.h>
27 # include <string.h>
28 # include <stdlib.h>
29 # define _KERNEL
30 # ifdef __OpenBSD__
31 struct file;
32 # endif
33 # include <sys/uio.h>
34 # undef _KERNEL
35 #endif
36 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
37 # include <sys/filio.h>
38 # include <sys/fcntl.h>
39 #else
40 # include <sys/ioctl.h>
41 #endif
42 #if !defined(AIX)
43 # include <sys/fcntl.h>
44 #endif
45 #if !defined(linux)
46 # include <sys/protosw.h>
47 #endif
48 #include <sys/socket.h>
49 #if defined(_KERNEL)
50 # include <sys/systm.h>
51 # if !defined(__SVR4) && !defined(__svr4__)
52 #  include <sys/mbuf.h>
53 # endif
54 #endif
55 #if defined(__SVR4) || defined(__svr4__)
56 # include <sys/filio.h>
57 # include <sys/byteorder.h>
58 # ifdef _KERNEL
59 #  include <sys/dditypes.h>
60 # endif
61 # include <sys/stream.h>
62 # include <sys/kmem.h>
63 #endif
64 #if __FreeBSD_version >= 300000
65 # include <sys/queue.h>
66 #endif
67 #include <net/if.h>
68 #if __FreeBSD_version >= 300000
69 # include <net/if_var.h>
70 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
71 #  include "opt_ipfilter.h"
72 # endif
73 #endif
74 #ifdef sun
75 # include <net/af.h>
76 #endif
77 #include <net/route.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip.h>
81 
82 #ifdef RFC1825
83 # include <vpn/md5.h>
84 # include <vpn/ipsec.h>
85 extern struct ifnet vpnif;
86 #endif
87 
88 #if !defined(linux)
89 # include <netinet/ip_var.h>
90 #endif
91 #include <netinet/tcp.h>
92 #include <netinet/udp.h>
93 #include <netinet/ip_icmp.h>
94 #include "netinet/ip_compat.h"
95 #include <netinet/tcpip.h>
96 #include "netinet/ip_fil.h"
97 #include "netinet/ip_nat.h"
98 #include "netinet/ip_frag.h"
99 #include "netinet/ip_state.h"
100 #include "netinet/ip_proxy.h"
101 #include "netinet/ipf_stack.h"
102 #ifdef	IPFILTER_SYNC
103 #include "netinet/ip_sync.h"
104 #endif
105 #if (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 #endif
108 /* END OF INCLUDES */
109 
110 #undef	SOCKADDR_IN
111 #define	SOCKADDR_IN	struct sockaddr_in
112 
113 #if !defined(lint)
114 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
115 static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.42 2005/08/11 19:51:36 darrenr Exp $";
116 #endif
117 
118 
119 /* ======================================================================== */
120 /* How the NAT is organised and works.                                      */
121 /*                                                                          */
122 /* Inside (interface y) NAT       Outside (interface x)                     */
123 /* -------------------- -+- -------------------------------------           */
124 /* Packet going          |   out, processsed by fr_checknatout() for x      */
125 /* ------------>         |   ------------>                                  */
126 /* src=10.1.1.1          |   src=192.1.1.1                                  */
127 /*                       |                                                  */
128 /*                       |   in, processed by fr_checknatin() for x         */
129 /* <------------         |   <------------                                  */
130 /* dst=10.1.1.1          |   dst=192.1.1.1                                  */
131 /* -------------------- -+- -------------------------------------           */
132 /* fr_checknatout() - changes ip_src and if required, sport                 */
133 /*             - creates a new mapping, if required.                        */
134 /* fr_checknatin()  - changes ip_dst and if required, dport                 */
135 /*                                                                          */
136 /* In the NAT table, internal source is recorded as "in" and externally     */
137 /* seen as "out".                                                           */
138 /* ======================================================================== */
139 
140 
141 static	int	nat_clearlist __P((ipf_stack_t *));
142 static	void	nat_addnat __P((struct ipnat *, ipf_stack_t *));
143 static	void	nat_addrdr __P((struct ipnat *, ipf_stack_t *));
144 static	int	fr_natgetent __P((caddr_t, ipf_stack_t *));
145 static	int	fr_natgetsz __P((caddr_t, ipf_stack_t *));
146 static	int	fr_natputent __P((caddr_t, int, ipf_stack_t *));
147 static	void	nat_tabmove __P((nat_t *, ipf_stack_t *));
148 static	int	nat_match __P((fr_info_t *, ipnat_t *));
149 static	INLINE	int nat_newmap __P((fr_info_t *, nat_t *, natinfo_t *));
150 static	INLINE	int nat_newrdr __P((fr_info_t *, nat_t *, natinfo_t *));
151 static	hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
152 				    struct in_addr, struct in_addr, u_32_t,
153 				    ipf_stack_t *));
154 static	INLINE	int nat_icmpquerytype4 __P((int));
155 static	int	nat_ruleaddrinit __P((ipnat_t *));
156 static	int	nat_siocaddnat __P((ipnat_t *, ipnat_t **, int, ipf_stack_t *));
157 static	void	nat_siocdelnat __P((ipnat_t *, ipnat_t **, int, ipf_stack_t *));
158 static	INLINE	int nat_icmperrortype4 __P((int));
159 static	INLINE	int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
160 				      tcphdr_t *, nat_t **, int));
161 static	INLINE	int nat_resolverule __P((ipnat_t *, ipf_stack_t *));
162 static	void	nat_mssclamp __P((tcphdr_t *, u_32_t, u_short *));
163 static	int	nat_getnext __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
164 static	int	nat_iterator __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
165 static	int	nat_flushtable __P((int, ipf_stack_t *));
166 
167 #define NAT_HAS_L4_CHANGED(n)	\
168  	(((n)->nat_flags & (IPN_TCPUDPICMP)) && \
169  	(n)->nat_inport != (n)->nat_outport)
170 
171 
172 /* ------------------------------------------------------------------------ */
173 /* Function:    fr_natinit                                                  */
174 /* Returns:     int - 0 == success, -1 == failure                           */
175 /* Parameters:  Nil                                                         */
176 /*                                                                          */
177 /* Initialise all of the NAT locks, tables and other structures.            */
178 /* ------------------------------------------------------------------------ */
179 int fr_natinit(ifs)
180 ipf_stack_t *ifs;
181 {
182 	int i;
183 
184 	KMALLOCS(ifs->ifs_nat_table[0], nat_t **,
185 		 sizeof(nat_t *) * ifs->ifs_ipf_nattable_sz);
186 	if (ifs->ifs_nat_table[0] != NULL)
187 		bzero((char *)ifs->ifs_nat_table[0],
188 		      ifs->ifs_ipf_nattable_sz * sizeof(nat_t *));
189 	else
190 		return -1;
191 
192 	KMALLOCS(ifs->ifs_nat_table[1], nat_t **,
193 		 sizeof(nat_t *) * ifs->ifs_ipf_nattable_sz);
194 	if (ifs->ifs_nat_table[1] != NULL)
195 		bzero((char *)ifs->ifs_nat_table[1],
196 		      ifs->ifs_ipf_nattable_sz * sizeof(nat_t *));
197 	else
198 		return -2;
199 
200 	KMALLOCS(ifs->ifs_nat_rules, ipnat_t **,
201 		 sizeof(ipnat_t *) * ifs->ifs_ipf_natrules_sz);
202 	if (ifs->ifs_nat_rules != NULL)
203 		bzero((char *)ifs->ifs_nat_rules,
204 		      ifs->ifs_ipf_natrules_sz * sizeof(ipnat_t *));
205 	else
206 		return -3;
207 
208 	KMALLOCS(ifs->ifs_rdr_rules, ipnat_t **,
209 		 sizeof(ipnat_t *) * ifs->ifs_ipf_rdrrules_sz);
210 	if (ifs->ifs_rdr_rules != NULL)
211 		bzero((char *)ifs->ifs_rdr_rules,
212 		      ifs->ifs_ipf_rdrrules_sz * sizeof(ipnat_t *));
213 	else
214 		return -4;
215 
216 	KMALLOCS(ifs->ifs_maptable, hostmap_t **,
217 		 sizeof(hostmap_t *) * ifs->ifs_ipf_hostmap_sz);
218 	if (ifs->ifs_maptable != NULL)
219 		bzero((char *)ifs->ifs_maptable,
220 		      sizeof(hostmap_t *) * ifs->ifs_ipf_hostmap_sz);
221 	else
222 		return -5;
223 
224 	ifs->ifs_ipf_hm_maplist = NULL;
225 
226 	KMALLOCS(ifs->ifs_nat_stats.ns_bucketlen[0], u_long *,
227 		 ifs->ifs_ipf_nattable_sz * sizeof(u_long));
228 	if (ifs->ifs_nat_stats.ns_bucketlen[0] == NULL)
229 		return -1;
230 	bzero((char *)ifs->ifs_nat_stats.ns_bucketlen[0],
231 	      ifs->ifs_ipf_nattable_sz * sizeof(u_long));
232 
233 	KMALLOCS(ifs->ifs_nat_stats.ns_bucketlen[1], u_long *,
234 		 ifs->ifs_ipf_nattable_sz * sizeof(u_long));
235 	if (ifs->ifs_nat_stats.ns_bucketlen[1] == NULL)
236 		return -1;
237 	bzero((char *)ifs->ifs_nat_stats.ns_bucketlen[1],
238 	      ifs->ifs_ipf_nattable_sz * sizeof(u_long));
239 
240 	if (ifs->ifs_fr_nat_maxbucket == 0) {
241 		for (i = ifs->ifs_ipf_nattable_sz; i > 0; i >>= 1)
242 			ifs->ifs_fr_nat_maxbucket++;
243 		ifs->ifs_fr_nat_maxbucket *= 2;
244 	}
245 
246 	fr_sttab_init(ifs->ifs_nat_tqb, ifs);
247 	/*
248 	 * Increase this because we may have "keep state" following this too
249 	 * and packet storms can occur if this is removed too quickly.
250 	 */
251 	ifs->ifs_nat_tqb[IPF_TCPS_CLOSED].ifq_ttl = ifs->ifs_fr_tcplastack;
252 	ifs->ifs_nat_tqb[IPF_TCP_NSTATES - 1].ifq_next = &ifs->ifs_nat_udptq;
253 	ifs->ifs_nat_udptq.ifq_ttl = ifs->ifs_fr_defnatage;
254 	ifs->ifs_nat_udptq.ifq_ref = 1;
255 	ifs->ifs_nat_udptq.ifq_head = NULL;
256 	ifs->ifs_nat_udptq.ifq_tail = &ifs->ifs_nat_udptq.ifq_head;
257 	MUTEX_INIT(&ifs->ifs_nat_udptq.ifq_lock, "nat ipftq udp tab");
258 	ifs->ifs_nat_udptq.ifq_next = &ifs->ifs_nat_icmptq;
259 	ifs->ifs_nat_icmptq.ifq_ttl = ifs->ifs_fr_defnaticmpage;
260 	ifs->ifs_nat_icmptq.ifq_ref = 1;
261 	ifs->ifs_nat_icmptq.ifq_head = NULL;
262 	ifs->ifs_nat_icmptq.ifq_tail = &ifs->ifs_nat_icmptq.ifq_head;
263 	MUTEX_INIT(&ifs->ifs_nat_icmptq.ifq_lock, "nat icmp ipftq tab");
264 	ifs->ifs_nat_icmptq.ifq_next = &ifs->ifs_nat_iptq;
265 	ifs->ifs_nat_iptq.ifq_ttl = ifs->ifs_fr_defnatipage;
266 	ifs->ifs_nat_iptq.ifq_ref = 1;
267 	ifs->ifs_nat_iptq.ifq_head = NULL;
268 	ifs->ifs_nat_iptq.ifq_tail = &ifs->ifs_nat_iptq.ifq_head;
269 	MUTEX_INIT(&ifs->ifs_nat_iptq.ifq_lock, "nat ip ipftq tab");
270 	ifs->ifs_nat_iptq.ifq_next = NULL;
271 
272 	for (i = 0; i < IPF_TCP_NSTATES; i++) {
273 		if (ifs->ifs_nat_tqb[i].ifq_ttl < ifs->ifs_fr_defnaticmpage)
274 			ifs->ifs_nat_tqb[i].ifq_ttl = ifs->ifs_fr_defnaticmpage;
275 #ifdef LARGE_NAT
276 		else if (ifs->ifs_nat_tqb[i].ifq_ttl > ifs->ifs_fr_defnatage)
277 			ifs->ifs_nat_tqb[i].ifq_ttl = ifs->ifs_fr_defnatage;
278 #endif
279 	}
280 
281 	/*
282 	 * Increase this because we may have "keep state" following
283 	 * this too and packet storms can occur if this is removed
284 	 * too quickly.
285 	 */
286 	ifs->ifs_nat_tqb[IPF_TCPS_CLOSED].ifq_ttl =
287 	    ifs->ifs_nat_tqb[IPF_TCPS_LAST_ACK].ifq_ttl;
288 
289 	RWLOCK_INIT(&ifs->ifs_ipf_nat, "ipf IP NAT rwlock");
290 	RWLOCK_INIT(&ifs->ifs_ipf_natfrag, "ipf IP NAT-Frag rwlock");
291 	MUTEX_INIT(&ifs->ifs_ipf_nat_new, "ipf nat new mutex");
292 	MUTEX_INIT(&ifs->ifs_ipf_natio, "ipf nat io mutex");
293 
294 	ifs->ifs_fr_nat_init = 1;
295 	ifs->ifs_nat_last_force_flush = ifs->ifs_fr_ticks;
296 	return 0;
297 }
298 
299 
300 /* ------------------------------------------------------------------------ */
301 /* Function:    nat_addrdr                                                  */
302 /* Returns:     Nil                                                         */
303 /* Parameters:  n(I) - pointer to NAT rule to add                           */
304 /*                                                                          */
305 /* Adds a redirect rule to the hash table of redirect rules and the list of */
306 /* loaded NAT rules.  Updates the bitmask indicating which netmasks are in  */
307 /* use by redirect rules.                                                   */
308 /* ------------------------------------------------------------------------ */
309 static void nat_addrdr(n, ifs)
310 ipnat_t *n;
311 ipf_stack_t *ifs;
312 {
313 	ipnat_t **np;
314 	u_32_t j;
315 	u_int hv;
316 	int k;
317 
318 	k = count4bits(n->in_outmsk);
319 	if ((k >= 0) && (k != 32))
320 		ifs->ifs_rdr_masks |= 1 << k;
321 	j = (n->in_outip & n->in_outmsk);
322 	hv = NAT_HASH_FN(j, 0, ifs->ifs_ipf_rdrrules_sz);
323 	np = ifs->ifs_rdr_rules + hv;
324 	while (*np != NULL)
325 		np = &(*np)->in_rnext;
326 	n->in_rnext = NULL;
327 	n->in_prnext = np;
328 	n->in_hv = hv;
329 	*np = n;
330 }
331 
332 
333 /* ------------------------------------------------------------------------ */
334 /* Function:    nat_addnat                                                  */
335 /* Returns:     Nil                                                         */
336 /* Parameters:  n(I) - pointer to NAT rule to add                           */
337 /*                                                                          */
338 /* Adds a NAT map rule to the hash table of rules and the list of  loaded   */
339 /* NAT rules.  Updates the bitmask indicating which netmasks are in use by  */
340 /* redirect rules.                                                          */
341 /* ------------------------------------------------------------------------ */
342 static void nat_addnat(n, ifs)
343 ipnat_t *n;
344 ipf_stack_t *ifs;
345 {
346 	ipnat_t **np;
347 	u_32_t j;
348 	u_int hv;
349 	int k;
350 
351 	k = count4bits(n->in_inmsk);
352 	if ((k >= 0) && (k != 32))
353 		ifs->ifs_nat_masks |= 1 << k;
354 	j = (n->in_inip & n->in_inmsk);
355 	hv = NAT_HASH_FN(j, 0, ifs->ifs_ipf_natrules_sz);
356 	np = ifs->ifs_nat_rules + hv;
357 	while (*np != NULL)
358 		np = &(*np)->in_mnext;
359 	n->in_mnext = NULL;
360 	n->in_pmnext = np;
361 	n->in_hv = hv;
362 	*np = n;
363 }
364 
365 
366 /* ------------------------------------------------------------------------ */
367 /* Function:    nat_delrdr                                                  */
368 /* Returns:     Nil                                                         */
369 /* Parameters:  n(I) - pointer to NAT rule to delete                        */
370 /*                                                                          */
371 /* Removes a redirect rule from the hash table of redirect rules.           */
372 /* ------------------------------------------------------------------------ */
373 void nat_delrdr(n)
374 ipnat_t *n;
375 {
376 	if (n->in_rnext)
377 		n->in_rnext->in_prnext = n->in_prnext;
378 	*n->in_prnext = n->in_rnext;
379 }
380 
381 
382 /* ------------------------------------------------------------------------ */
383 /* Function:    nat_delnat                                                  */
384 /* Returns:     Nil                                                         */
385 /* Parameters:  n(I) - pointer to NAT rule to delete                        */
386 /*                                                                          */
387 /* Removes a NAT map rule from the hash table of NAT map rules.             */
388 /* ------------------------------------------------------------------------ */
389 void nat_delnat(n)
390 ipnat_t *n;
391 {
392 	if (n->in_mnext != NULL)
393 		n->in_mnext->in_pmnext = n->in_pmnext;
394 	*n->in_pmnext = n->in_mnext;
395 }
396 
397 
398 /* ------------------------------------------------------------------------ */
399 /* Function:    nat_hostmap                                                 */
400 /* Returns:     struct hostmap* - NULL if no hostmap could be created,      */
401 /*                                else a pointer to the hostmapping to use  */
402 /* Parameters:  np(I)   - pointer to NAT rule                               */
403 /*              real(I) - real IP address                                   */
404 /*              map(I)  - mapped IP address                                 */
405 /*              port(I) - destination port number                           */
406 /* Write Locks: ipf_nat                                                     */
407 /*                                                                          */
408 /* Check if an ip address has already been allocated for a given mapping    */
409 /* that is not doing port based translation.  If is not yet allocated, then */
410 /* create a new entry if a non-NULL NAT rule pointer has been supplied.     */
411 /* ------------------------------------------------------------------------ */
412 static struct hostmap *nat_hostmap(np, src, dst, map, port, ifs)
413 ipnat_t *np;
414 struct in_addr src;
415 struct in_addr dst;
416 struct in_addr map;
417 u_32_t port;
418 ipf_stack_t *ifs;
419 {
420 	hostmap_t *hm;
421 	u_int hv;
422 
423 	hv = (src.s_addr ^ dst.s_addr);
424 	hv += src.s_addr;
425 	hv += dst.s_addr;
426 	hv %= HOSTMAP_SIZE;
427 	for (hm = ifs->ifs_maptable[hv]; hm; hm = hm->hm_next)
428 		if ((hm->hm_srcip.s_addr == src.s_addr) &&
429 		    (hm->hm_dstip.s_addr == dst.s_addr) &&
430 		    ((np == NULL) || (np == hm->hm_ipnat)) &&
431 		    ((port == 0) || (port == hm->hm_port))) {
432 			hm->hm_ref++;
433 			return hm;
434 		}
435 
436 	if (np == NULL)
437 		return NULL;
438 
439 	KMALLOC(hm, hostmap_t *);
440 	if (hm) {
441 		hm->hm_hnext = ifs->ifs_ipf_hm_maplist;
442 		hm->hm_phnext = &ifs->ifs_ipf_hm_maplist;
443 		if (ifs->ifs_ipf_hm_maplist != NULL)
444 			ifs->ifs_ipf_hm_maplist->hm_phnext = &hm->hm_hnext;
445 		ifs->ifs_ipf_hm_maplist = hm;
446 
447 		hm->hm_next = ifs->ifs_maptable[hv];
448 		hm->hm_pnext = ifs->ifs_maptable + hv;
449 		if (ifs->ifs_maptable[hv] != NULL)
450 			ifs->ifs_maptable[hv]->hm_pnext = &hm->hm_next;
451 		ifs->ifs_maptable[hv] = hm;
452 		hm->hm_ipnat = np;
453 		hm->hm_srcip = src;
454 		hm->hm_dstip = dst;
455 		hm->hm_mapip = map;
456 		hm->hm_ref = 1;
457 		hm->hm_port = port;
458 		hm->hm_v = 4;
459 	}
460 	return hm;
461 }
462 
463 
464 /* ------------------------------------------------------------------------ */
465 /* Function:    fr_hostmapdel                                              */
466 /* Returns:     Nil                                                         */
467 /* Parameters:  hmp(I) - pointer to pointer to hostmap structure            */
468 /* Write Locks: ipf_nat                                                     */
469 /*                                                                          */
470 /* Decrement the references to this hostmap structure by one.  If this      */
471 /* reaches zero then remove it and free it.                                 */
472 /* ------------------------------------------------------------------------ */
473 void fr_hostmapdel(hmp)
474 struct hostmap **hmp;
475 {
476 	struct hostmap *hm;
477 
478 	hm = *hmp;
479 	*hmp = NULL;
480 
481 	hm->hm_ref--;
482 	if (hm->hm_ref == 0) {
483 		if (hm->hm_next)
484 			hm->hm_next->hm_pnext = hm->hm_pnext;
485 		*hm->hm_pnext = hm->hm_next;
486 		if (hm->hm_hnext)
487 			hm->hm_hnext->hm_phnext = hm->hm_phnext;
488 		*hm->hm_phnext = hm->hm_hnext;
489 		KFREE(hm);
490 	}
491 }
492 
493 
494 /* ------------------------------------------------------------------------ */
495 /* Function:    fix_outcksum                                                */
496 /* Returns:     Nil                                                         */
497 /* Parameters:  sp(I)  - location of 16bit checksum to update               */
498 /*              n((I)  - amount to adjust checksum by                       */
499 /*                                                                          */
500 /* Adjusts the 16bit checksum by "n" for packets going out.                 */
501 /* ------------------------------------------------------------------------ */
502 void fix_outcksum(sp, n)
503 u_short *sp;
504 u_32_t n;
505 {
506 	u_short sumshort;
507 	u_32_t sum1;
508 
509 	if (n == 0)
510 		return;
511 
512 	sum1 = (~ntohs(*sp)) & 0xffff;
513 	sum1 += (n);
514 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
515 	/* Again */
516 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
517 	sumshort = ~(u_short)sum1;
518 	*(sp) = htons(sumshort);
519 }
520 
521 
522 /* ------------------------------------------------------------------------ */
523 /* Function:    fix_incksum                                                 */
524 /* Returns:     Nil                                                         */
525 /* Parameters:  sp(I)  - location of 16bit checksum to update               */
526 /*              n((I)  - amount to adjust checksum by                       */
527 /*                                                                          */
528 /* Adjusts the 16bit checksum by "n" for packets going in.                  */
529 /* ------------------------------------------------------------------------ */
530 void fix_incksum(sp, n)
531 u_short *sp;
532 u_32_t n;
533 {
534 	u_short sumshort;
535 	u_32_t sum1;
536 
537 	if (n == 0)
538 		return;
539 
540 	sum1 = (~ntohs(*sp)) & 0xffff;
541 	sum1 += ~(n) & 0xffff;
542 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
543 	/* Again */
544 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
545 	sumshort = ~(u_short)sum1;
546 	*(sp) = htons(sumshort);
547 }
548 
549 
550 /* ------------------------------------------------------------------------ */
551 /* Function:    fix_datacksum                                               */
552 /* Returns:     Nil                                                         */
553 /* Parameters:  sp(I)  - location of 16bit checksum to update               */
554 /*              n((I)  - amount to adjust checksum by                       */
555 /*                                                                          */
556 /* Fix_datacksum is used *only* for the adjustments of checksums in the     */
557 /* data section of an IP packet.                                            */
558 /*                                                                          */
559 /* The only situation in which you need to do this is when NAT'ing an       */
560 /* ICMP error message. Such a message, contains in its body the IP header   */
561 /* of the original IP packet, that causes the error.                        */
562 /*                                                                          */
563 /* You can't use fix_incksum or fix_outcksum in that case, because for the  */
564 /* kernel the data section of the ICMP error is just data, and no special   */
565 /* processing like hardware cksum or ntohs processing have been done by the */
566 /* kernel on the data section.                                              */
567 /* ------------------------------------------------------------------------ */
568 void fix_datacksum(sp, n)
569 u_short *sp;
570 u_32_t n;
571 {
572 	u_short sumshort;
573 	u_32_t sum1;
574 
575 	if (n == 0)
576 		return;
577 
578 	sum1 = (~ntohs(*sp)) & 0xffff;
579 	sum1 += (n);
580 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
581 	/* Again */
582 	sum1 = (sum1 >> 16) + (sum1 & 0xffff);
583 	sumshort = ~(u_short)sum1;
584 	*(sp) = htons(sumshort);
585 }
586 
587 
588 /* ------------------------------------------------------------------------ */
589 /* Function:    fr_nat_ioctl                                                */
590 /* Returns:     int - 0 == success, != 0 == failure                         */
591 /* Parameters:  data(I) - pointer to ioctl data                             */
592 /*              cmd(I)  - ioctl command integer                             */
593 /*              mode(I) - file mode bits used with open                     */
594 /*              uid(I)  - uid of caller                                     */
595 /*              ctx(I)  - pointer to give the uid context                   */
596 /*              ifs     - ipf stack instance                                */
597 /*                                                                          */
598 /* Processes an ioctl call made to operate on the IP Filter NAT device.     */
599 /* ------------------------------------------------------------------------ */
600 int fr_nat_ioctl(data, cmd, mode, uid, ctx, ifs)
601 ioctlcmd_t cmd;
602 caddr_t data;
603 int mode, uid;
604 void *ctx;
605 ipf_stack_t *ifs;
606 {
607 	ipnat_t *nat, *nt, *n = NULL, **np = NULL;
608 	int error = 0, ret, arg, getlock;
609 	ipnat_t natd;
610 
611 #if (BSD >= 199306) && defined(_KERNEL)
612 	if ((securelevel >= 2) && (mode & FWRITE))
613 		return EPERM;
614 #endif
615 
616 #if defined(__osf__) && defined(_KERNEL)
617 	getlock = 0;
618 #else
619 	getlock = (mode & NAT_LOCKHELD) ? 0 : 1;
620 #endif
621 
622 	nat = NULL;     /* XXX gcc -Wuninitialized */
623 	if (cmd == (ioctlcmd_t)SIOCADNAT) {
624 		KMALLOC(nt, ipnat_t *);
625 	} else {
626 		nt = NULL;
627 	}
628 
629 	if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT)) {
630 		if (mode & NAT_SYSSPACE) {
631 			bcopy(data, (char *)&natd, sizeof(natd));
632 			error = 0;
633 		} else {
634 			error = fr_inobj(data, &natd, IPFOBJ_IPNAT);
635 		}
636 
637 	}
638 
639 	if (error != 0)
640 		goto done;
641 
642 	/*
643 	 * For add/delete, look to see if the NAT entry is already present
644 	 */
645 	if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT)) {
646 		nat = &natd;
647 		if (nat->in_v == 0)	/* For backward compat. */
648 			nat->in_v = 4;
649 		nat->in_flags &= IPN_USERFLAGS;
650 		if ((nat->in_redir & NAT_MAPBLK) == 0) {
651 			if ((nat->in_flags & IPN_SPLIT) == 0)
652 				nat->in_inip &= nat->in_inmsk;
653 			if ((nat->in_flags & IPN_IPRANGE) == 0)
654 				nat->in_outip &= nat->in_outmsk;
655 		}
656 		MUTEX_ENTER(&ifs->ifs_ipf_natio);
657 		for (np = &ifs->ifs_nat_list; ((n = *np) != NULL);
658 		     np = &n->in_next)
659 			if (bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
660 			    IPN_CMPSIZ) == 0) {
661 				if (nat->in_redir == NAT_REDIRECT &&
662 				    nat->in_pnext != n->in_pnext)
663 					continue;
664 				break;
665 			}
666 	}
667 
668 	switch (cmd)
669 	{
670 	case SIOCGENITER :
671 	    {
672 		ipfgeniter_t iter;
673 		ipftoken_t *token;
674 
675 		error = fr_inobj(data, &iter, IPFOBJ_GENITER);
676 		if (error != 0)
677 			break;
678 
679 		token = ipf_findtoken(iter.igi_type, uid, ctx, ifs);
680 		if (token != NULL)
681 			error  = nat_iterator(token, &iter, ifs);
682 		else
683 			error = ESRCH;
684 		RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
685 		break;
686 	    }
687 #ifdef  IPFILTER_LOG
688 	case SIOCIPFFB :
689 	{
690 		int tmp;
691 
692 		if (!(mode & FWRITE))
693 			error = EPERM;
694 		else {
695 			tmp = ipflog_clear(IPL_LOGNAT, ifs);
696 			error = BCOPYOUT((char *)&tmp, (char *)data,
697 					sizeof(tmp));
698 			if (error != 0)
699 				error = EFAULT;
700 		}
701 		break;
702 	}
703 	case SIOCSETLG :
704 		if (!(mode & FWRITE)) {
705 			error = EPERM;
706 		} else {
707 			error = BCOPYIN((char *)data,
708 					(char *)&ifs->ifs_nat_logging,
709 					sizeof(ifs->ifs_nat_logging));
710 			if (error != 0)
711 				error = EFAULT;
712 		}
713 		break;
714 	case SIOCGETLG :
715 		error = BCOPYOUT((char *)&ifs->ifs_nat_logging, (char *)data,
716 				sizeof(ifs->ifs_nat_logging));
717 		if (error != 0)
718 			error = EFAULT;
719 		break;
720 	case FIONREAD :
721 		arg = ifs->ifs_iplused[IPL_LOGNAT];
722 		error = BCOPYOUT(&arg, data, sizeof(arg));
723 		if (error != 0)
724 			error = EFAULT;
725 		break;
726 #endif
727 	case SIOCADNAT :
728 		if (!(mode & FWRITE)) {
729 			error = EPERM;
730 		} else if (n != NULL) {
731 			error = EEXIST;
732 		} else if (nt == NULL) {
733 			error = ENOMEM;
734 		}
735 		if (error != 0) {
736 			MUTEX_EXIT(&ifs->ifs_ipf_natio);
737 			break;
738 		}
739 		bcopy((char *)nat, (char *)nt, sizeof(*n));
740 		error = nat_siocaddnat(nt, np, getlock, ifs);
741 		MUTEX_EXIT(&ifs->ifs_ipf_natio);
742 		if (error == 0)
743 			nt = NULL;
744 		break;
745 	case SIOCRMNAT :
746 		if (!(mode & FWRITE)) {
747 			error = EPERM;
748 			n = NULL;
749 		} else if (n == NULL) {
750 			error = ESRCH;
751 		}
752 
753 		if (error != 0) {
754 			MUTEX_EXIT(&ifs->ifs_ipf_natio);
755 			break;
756 		}
757 		nat_siocdelnat(n, np, getlock, ifs);
758 
759 		MUTEX_EXIT(&ifs->ifs_ipf_natio);
760 		n = NULL;
761 		break;
762 	case SIOCGNATS :
763 		ifs->ifs_nat_stats.ns_table[0] = ifs->ifs_nat_table[0];
764 		ifs->ifs_nat_stats.ns_table[1] = ifs->ifs_nat_table[1];
765 		ifs->ifs_nat_stats.ns_list = ifs->ifs_nat_list;
766 		ifs->ifs_nat_stats.ns_maptable = ifs->ifs_maptable;
767 		ifs->ifs_nat_stats.ns_maplist = ifs->ifs_ipf_hm_maplist;
768 		ifs->ifs_nat_stats.ns_nattab_max = ifs->ifs_ipf_nattable_max;
769 		ifs->ifs_nat_stats.ns_nattab_sz = ifs->ifs_ipf_nattable_sz;
770 		ifs->ifs_nat_stats.ns_rultab_sz = ifs->ifs_ipf_natrules_sz;
771 		ifs->ifs_nat_stats.ns_rdrtab_sz = ifs->ifs_ipf_rdrrules_sz;
772 		ifs->ifs_nat_stats.ns_hostmap_sz = ifs->ifs_ipf_hostmap_sz;
773 		ifs->ifs_nat_stats.ns_instances = ifs->ifs_nat_instances;
774 		ifs->ifs_nat_stats.ns_apslist = ifs->ifs_ap_sess_list;
775 		error = fr_outobj(data, &ifs->ifs_nat_stats, IPFOBJ_NATSTAT);
776 		break;
777 	case SIOCGNATL :
778 	    {
779 		natlookup_t nl;
780 
781 		if (getlock) {
782 			READ_ENTER(&ifs->ifs_ipf_nat);
783 		}
784 		error = fr_inobj(data, &nl, IPFOBJ_NATLOOKUP);
785 		if (nl.nl_v != 6)
786 			nl.nl_v = 4;
787 		if (error == 0) {
788 			void *ptr;
789 
790 			switch (nl.nl_v)
791 			{
792 			case 4:
793 				ptr = nat_lookupredir(&nl, ifs);
794 				break;
795 #ifdef	USE_INET6
796 			case 6:
797 				ptr = nat6_lookupredir(&nl, ifs);
798 				break;
799 #endif
800 			default:
801 				ptr = NULL;
802 				break;
803 			}
804 
805 			if (ptr != NULL) {
806 				error = fr_outobj(data, &nl, IPFOBJ_NATLOOKUP);
807 			} else {
808 				error = ESRCH;
809 			}
810 		}
811 		if (getlock) {
812 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
813 		}
814 		break;
815 	    }
816 	case SIOCIPFFL :	/* old SIOCFLNAT & SIOCCNATL */
817 		if (!(mode & FWRITE)) {
818 			error = EPERM;
819 			break;
820 		}
821 		if (getlock) {
822 			WRITE_ENTER(&ifs->ifs_ipf_nat);
823 		}
824 		error = BCOPYIN(data, &arg, sizeof(arg));
825 		if (error != 0) {
826 			error = EFAULT;
827 		} else {
828 			if (arg == FLUSH_LIST)
829 				ret = nat_clearlist(ifs);
830 			else if (VALID_TABLE_FLUSH_OPT(arg))
831 				ret = nat_flushtable(arg, ifs);
832 			else
833 				error = EINVAL;
834 		}
835 		if (getlock) {
836 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
837 		}
838 		if (error == 0) {
839 			error = BCOPYOUT(&ret, data, sizeof(ret));
840 			if (error != 0)
841 				error = EFAULT;
842 		}
843 		break;
844 	case SIOCPROXY :
845 		error = appr_ioctl(data, cmd, mode, ifs);
846 		break;
847 	case SIOCSTLCK :
848 		if (!(mode & FWRITE)) {
849 			error = EPERM;
850 		} else {
851 			error = fr_lock(data, &ifs->ifs_fr_nat_lock);
852 		}
853 		break;
854 	case SIOCSTPUT :
855 		if ((mode & FWRITE) != 0) {
856 			error = fr_natputent(data, getlock, ifs);
857 		} else {
858 			error = EACCES;
859 		}
860 		break;
861 	case SIOCSTGSZ :
862 		if (ifs->ifs_fr_nat_lock) {
863 			if (getlock) {
864 				READ_ENTER(&ifs->ifs_ipf_nat);
865 			}
866 			error = fr_natgetsz(data, ifs);
867 			if (getlock) {
868 				RWLOCK_EXIT(&ifs->ifs_ipf_nat);
869 			}
870 		} else
871 			error = EACCES;
872 		break;
873 	case SIOCSTGET :
874 		if (ifs->ifs_fr_nat_lock) {
875 			if (getlock) {
876 				READ_ENTER(&ifs->ifs_ipf_nat);
877 			}
878 			error = fr_natgetent(data, ifs);
879 			if (getlock) {
880 				RWLOCK_EXIT(&ifs->ifs_ipf_nat);
881 			}
882 		} else
883 			error = EACCES;
884 		break;
885 	case SIOCIPFDELTOK :
886 		error = BCOPYIN((caddr_t)data, (caddr_t)&arg, sizeof(arg));
887 		if (error != 0) {
888 			error = EFAULT;
889 		} else {
890 			error = ipf_deltoken(arg, uid, ctx, ifs);
891 		}
892 		break;
893 	default :
894 		error = EINVAL;
895 		break;
896 	}
897 done:
898 	if (nt)
899 		KFREE(nt);
900 	return error;
901 }
902 
903 
904 /* ------------------------------------------------------------------------ */
905 /* Function:    nat_siocaddnat                                              */
906 /* Returns:     int - 0 == success, != 0 == failure                         */
907 /* Parameters:  n(I)       - pointer to new NAT rule                        */
908 /*              np(I)      - pointer to where to insert new NAT rule        */
909 /*              getlock(I) - flag indicating if lock on ipf_nat is held     */
910 /* Mutex Locks: ipf_natio                                                   */
911 /*                                                                          */
912 /* Handle SIOCADNAT.  Resolve and calculate details inside the NAT rule     */
913 /* from information passed to the kernel, then add it  to the appropriate   */
914 /* NAT rule table(s).                                                       */
915 /* ------------------------------------------------------------------------ */
916 static int nat_siocaddnat(n, np, getlock, ifs)
917 ipnat_t *n, **np;
918 int getlock;
919 ipf_stack_t *ifs;
920 {
921 	int error = 0, i, j;
922 
923 	if (nat_resolverule(n, ifs) != 0)
924 		return ENOENT;
925 
926 	if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
927 		return EINVAL;
928 
929 	n->in_use = 0;
930 	if (n->in_redir & NAT_MAPBLK)
931 		n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
932 	else if (n->in_flags & IPN_AUTOPORTMAP)
933 		n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
934 	else if (n->in_flags & IPN_IPRANGE)
935 		n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
936 	else if (n->in_flags & IPN_SPLIT)
937 		n->in_space = 2;
938 	else if (n->in_outmsk != 0)
939 		n->in_space = ~ntohl(n->in_outmsk);
940 	else
941 		n->in_space = 1;
942 	if ((n->in_flags & NAT_TCPUDPICMPQ) && (n->in_redir != NAT_REDIRECT)) {
943 		if (ntohs(n->in_pmax) < ntohs(n->in_pmin))
944 			return EINVAL;
945 	}
946 
947 	/*
948 	 * Calculate the number of valid IP addresses in the output
949 	 * mapping range.  In all cases, the range is inclusive of
950 	 * the start and ending IP addresses.
951 	 * If to a CIDR address, lose 2: broadcast + network address
952 	 *                               (so subtract 1)
953 	 * If to a range, add one.
954 	 * If to a single IP address, set to 1.
955 	 */
956 	if (n->in_space) {
957 		if ((n->in_flags & IPN_IPRANGE) != 0)
958 			n->in_space += 1;
959 		else
960 			n->in_space -= 1;
961 	} else
962 		n->in_space = 1;
963 
964 #ifdef	USE_INET6
965 	if (n->in_v == 6 && (n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0 &&
966 	    !IP6_ISONES(&n->in_out[1]) && !IP6_ISZERO(&n->in_out[1]))
967 		IP6_ADD(&n->in_out[0], 1, &n->in_next6)
968 	else if (n->in_v == 6 &&
969 	    (n->in_flags & IPN_SPLIT) && (n->in_redir & NAT_REDIRECT))
970 		n->in_next6 = n->in_in[0];
971 	else if (n->in_v == 6)
972 		n->in_next6 = n->in_out[0];
973 	else
974 #endif
975 	if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
976 	    ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
977 		n->in_nip = ntohl(n->in_outip) + 1;
978 	else if ((n->in_flags & IPN_SPLIT) &&
979 		 (n->in_redir & NAT_REDIRECT))
980 		n->in_nip = ntohl(n->in_inip);
981 	else
982 		n->in_nip = ntohl(n->in_outip);
983 
984 	if (n->in_redir & NAT_MAP) {
985 		n->in_pnext = ntohs(n->in_pmin);
986 		/*
987 		 * Multiply by the number of ports made available.
988 		 */
989 		if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
990 			n->in_space *= (ntohs(n->in_pmax) -
991 					ntohs(n->in_pmin) + 1);
992 			/*
993 			 * Because two different sources can map to
994 			 * different destinations but use the same
995 			 * local IP#/port #.
996 			 * If the result is smaller than in_space, then
997 			 * we may have wrapped around 32bits.
998 			 */
999 			i = n->in_inmsk;
1000 			if ((i != 0) && (i != 0xffffffff)) {
1001 				j = n->in_space * (~ntohl(i) + 1);
1002 				if (j >= n->in_space)
1003 					n->in_space = j;
1004 				else
1005 					n->in_space = 0xffffffff;
1006 			}
1007 		}
1008 		/*
1009 		 * If no protocol is specified, multiple by 256 to allow for
1010 		 * at least one IP:IP mapping per protocol.
1011 		 */
1012 		if ((n->in_flags & IPN_TCPUDPICMP) == 0) {
1013 				j = n->in_space * 256;
1014 				if (j >= n->in_space)
1015 					n->in_space = j;
1016 				else
1017 					n->in_space = 0xffffffff;
1018 		}
1019 	}
1020 
1021 	/* Otherwise, these fields are preset */
1022 
1023 	if (getlock) {
1024 		WRITE_ENTER(&ifs->ifs_ipf_nat);
1025 	}
1026 	n->in_next = NULL;
1027 	*np = n;
1028 
1029 	if (n->in_age[0] != 0)
1030 	    n->in_tqehead[0] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe,
1031 						  n->in_age[0], ifs);
1032 
1033 	if (n->in_age[1] != 0)
1034 	    n->in_tqehead[1] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe,
1035 						  n->in_age[1], ifs);
1036 
1037 	if (n->in_redir & NAT_REDIRECT) {
1038 		n->in_flags &= ~IPN_NOTDST;
1039 		switch (n->in_v)
1040 		{
1041 		case 4 :
1042 			nat_addrdr(n, ifs);
1043 			break;
1044 #ifdef	USE_INET6
1045 		case 6 :
1046 			nat6_addrdr(n, ifs);
1047 			break;
1048 #endif
1049 		default :
1050 			break;
1051 		}
1052 	}
1053 	if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
1054 		n->in_flags &= ~IPN_NOTSRC;
1055 		switch (n->in_v)
1056 		{
1057 		case 4 :
1058 			nat_addnat(n, ifs);
1059 			break;
1060 #ifdef	USE_INET6
1061 		case 6 :
1062 			nat6_addnat(n, ifs);
1063 			break;
1064 #endif
1065 		default :
1066 			break;
1067 		}
1068 	}
1069 	n = NULL;
1070 	ifs->ifs_nat_stats.ns_rules++;
1071 	if (getlock) {
1072 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);			/* WRITE */
1073 	}
1074 
1075 	return error;
1076 }
1077 
1078 
1079 /* ------------------------------------------------------------------------ */
1080 /* Function:    nat_resolvrule                                              */
1081 /* Returns:     int - 0 == success, -1 == failure                           */
1082 /* Parameters:  n(I)  - pointer to NAT rule                                 */
1083 /*                                                                          */
1084 /* Resolve some of the details inside the NAT rule.  Includes resolving	    */
1085 /* any specified interfaces and proxy labels, and determines whether or not */
1086 /* all proxy labels are correctly specified.				    */
1087 /*									    */
1088 /* Called by nat_siocaddnat() (SIOCADNAT) and fr_natputent (SIOCSTPUT).     */
1089 /* ------------------------------------------------------------------------ */
1090 static int nat_resolverule(n, ifs)
1091 ipnat_t *n;
1092 ipf_stack_t *ifs;
1093 {
1094 	n->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
1095 	n->in_ifps[0] = fr_resolvenic(n->in_ifnames[0], n->in_v, ifs);
1096 
1097 	n->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
1098 	if (n->in_ifnames[1][0] == '\0') {
1099 		(void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ);
1100 		n->in_ifps[1] = n->in_ifps[0];
1101 	} else {
1102 		n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], n->in_v, ifs);
1103 	}
1104 
1105 	if (n->in_plabel[0] != '\0') {
1106 		n->in_apr = appr_lookup(n->in_p, n->in_plabel, ifs);
1107 		if (n->in_apr == NULL)
1108 			return -1;
1109 	}
1110 	return 0;
1111 }
1112 
1113 
1114 /* ------------------------------------------------------------------------ */
1115 /* Function:    nat_siocdelnat                                              */
1116 /* Returns:     int - 0 == success, != 0 == failure                         */
1117 /* Parameters:  n(I)       - pointer to new NAT rule                        */
1118 /*              np(I)      - pointer to where to insert new NAT rule        */
1119 /*              getlock(I) - flag indicating if lock on ipf_nat is held     */
1120 /* Mutex Locks: ipf_natio                                                   */
1121 /*                                                                          */
1122 /* Handle SIOCADNAT.  Resolve and calculate details inside the NAT rule     */
1123 /* from information passed to the kernel, then add it  to the appropriate   */
1124 /* NAT rule table(s).                                                       */
1125 /* ------------------------------------------------------------------------ */
1126 static void nat_siocdelnat(n, np, getlock, ifs)
1127 ipnat_t *n, **np;
1128 int getlock;
1129 ipf_stack_t *ifs;
1130 {
1131 	int i;
1132 
1133 	if (getlock) {
1134 		WRITE_ENTER(&ifs->ifs_ipf_nat);
1135 	}
1136 	if (n->in_redir & NAT_REDIRECT)
1137 		nat_delrdr(n);
1138 	if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
1139 		nat_delnat(n);
1140 	if (ifs->ifs_nat_list == NULL) {
1141 		ifs->ifs_nat_masks = 0;
1142 		ifs->ifs_rdr_masks = 0;
1143 		for (i = 0; i < 4; i++) {
1144 			ifs->ifs_nat6_masks[i] = 0;
1145 			ifs->ifs_rdr6_masks[i] = 0;
1146 		}
1147 	}
1148 
1149 	if (n->in_tqehead[0] != NULL) {
1150 		if (fr_deletetimeoutqueue(n->in_tqehead[0]) == 0) {
1151 			fr_freetimeoutqueue(n->in_tqehead[0], ifs);
1152 		}
1153 	}
1154 
1155 	if (n->in_tqehead[1] != NULL) {
1156 		if (fr_deletetimeoutqueue(n->in_tqehead[1]) == 0) {
1157 			fr_freetimeoutqueue(n->in_tqehead[1], ifs);
1158 		}
1159 	}
1160 
1161 	*np = n->in_next;
1162 
1163 	if (n->in_use == 0) {
1164 		if (n->in_apr)
1165 			appr_free(n->in_apr);
1166 		KFREE(n);
1167 		ifs->ifs_nat_stats.ns_rules--;
1168 	} else {
1169 		n->in_flags |= IPN_DELETE;
1170 		n->in_next = NULL;
1171 	}
1172 	if (getlock) {
1173 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);			/* READ/WRITE */
1174 	}
1175 }
1176 
1177 
1178 /* ------------------------------------------------------------------------ */
1179 /* Function:    fr_natgetsz                                                 */
1180 /* Returns:     int - 0 == success, != 0 is the error value.                */
1181 /* Parameters:  data(I) - pointer to natget structure with kernel pointer   */
1182 /*                        get the size of.                                  */
1183 /*                                                                          */
1184 /* Handle SIOCSTGSZ.                                                        */
1185 /* Return the size of the nat list entry to be copied back to user space.   */
1186 /* The size of the entry is stored in the ng_sz field and the enture natget */
1187 /* structure is copied back to the user.                                    */
1188 /* ------------------------------------------------------------------------ */
1189 static int fr_natgetsz(data, ifs)
1190 caddr_t data;
1191 ipf_stack_t *ifs;
1192 {
1193 	ap_session_t *aps;
1194 	nat_t *nat, *n;
1195 	natget_t ng;
1196 	int err;
1197 
1198 	err = BCOPYIN(data, &ng, sizeof(ng));
1199 	if (err != 0)
1200 		return EFAULT;
1201 
1202 	nat = ng.ng_ptr;
1203 	if (!nat) {
1204 		nat = ifs->ifs_nat_instances;
1205 		ng.ng_sz = 0;
1206 		/*
1207 		 * Empty list so the size returned is 0.  Simple.
1208 		 */
1209 		if (nat == NULL) {
1210 			err = BCOPYOUT(&ng, data, sizeof(ng));
1211 			if (err != 0) {
1212 				return EFAULT;
1213 			} else {
1214 				return 0;
1215 			}
1216 		}
1217 	} else {
1218 		/*
1219 		 * Make sure the pointer we're copying from exists in the
1220 		 * current list of entries.  Security precaution to prevent
1221 		 * copying of random kernel data.
1222 		 */
1223 		for (n = ifs->ifs_nat_instances; n; n = n->nat_next)
1224 			if (n == nat)
1225 				break;
1226 		if (!n)
1227 			return ESRCH;
1228 	}
1229 
1230 	/*
1231 	 * Incluse any space required for proxy data structures.
1232 	 */
1233 	ng.ng_sz = sizeof(nat_save_t);
1234 	aps = nat->nat_aps;
1235 	if (aps != NULL) {
1236 		ng.ng_sz += sizeof(ap_session_t) - 4;
1237 		if (aps->aps_data != 0)
1238 			ng.ng_sz += aps->aps_psiz;
1239 	}
1240 
1241 	err = BCOPYOUT(&ng, data, sizeof(ng));
1242 	if (err != 0)
1243 		return EFAULT;
1244 	return 0;
1245 }
1246 
1247 
1248 /* ------------------------------------------------------------------------ */
1249 /* Function:    fr_natgetent                                                */
1250 /* Returns:     int - 0 == success, != 0 is the error value.                */
1251 /* Parameters:  data(I) - pointer to natget structure with kernel pointer   */
1252 /*                        to NAT structure to copy out.                     */
1253 /*                                                                          */
1254 /* Handle SIOCSTGET.                                                        */
1255 /* Copies out NAT entry to user space.  Any additional data held for a      */
1256 /* proxy is also copied, as to is the NAT rule which was responsible for it */
1257 /* ------------------------------------------------------------------------ */
1258 static int fr_natgetent(data, ifs)
1259 caddr_t data;
1260 ipf_stack_t *ifs;
1261 {
1262 	int error, outsize;
1263 	ap_session_t *aps;
1264 	nat_save_t *ipn, ipns;
1265 	nat_t *n, *nat;
1266 
1267 	error = fr_inobj(data, &ipns, IPFOBJ_NATSAVE);
1268 	if (error != 0)
1269 		return error;
1270 
1271 	if ((ipns.ipn_dsize < sizeof(ipns)) || (ipns.ipn_dsize > 81920))
1272 		return EINVAL;
1273 
1274 	KMALLOCS(ipn, nat_save_t *, ipns.ipn_dsize);
1275 	if (ipn == NULL)
1276 		return ENOMEM;
1277 
1278 	ipn->ipn_dsize = ipns.ipn_dsize;
1279 	nat = ipns.ipn_next;
1280 	if (nat == NULL) {
1281 		nat = ifs->ifs_nat_instances;
1282 		if (nat == NULL) {
1283 			if (ifs->ifs_nat_instances == NULL)
1284 				error = ENOENT;
1285 			goto finished;
1286 		}
1287 	} else {
1288 		/*
1289 		 * Make sure the pointer we're copying from exists in the
1290 		 * current list of entries.  Security precaution to prevent
1291 		 * copying of random kernel data.
1292 		 */
1293 		for (n = ifs->ifs_nat_instances; n; n = n->nat_next)
1294 			if (n == nat)
1295 				break;
1296 		if (n == NULL) {
1297 			error = ESRCH;
1298 			goto finished;
1299 		}
1300 	}
1301 	ipn->ipn_next = nat->nat_next;
1302 
1303 	/*
1304 	 * Copy the NAT structure.
1305 	 */
1306 	bcopy((char *)nat, &ipn->ipn_nat, sizeof(*nat));
1307 
1308 	/*
1309 	 * If we have a pointer to the NAT rule it belongs to, save that too.
1310 	 */
1311 	if (nat->nat_ptr != NULL)
1312 		bcopy((char *)nat->nat_ptr, (char *)&ipn->ipn_ipnat,
1313 		      sizeof(ipn->ipn_ipnat));
1314 
1315 	/*
1316 	 * If we also know the NAT entry has an associated filter rule,
1317 	 * save that too.
1318 	 */
1319 	if (nat->nat_fr != NULL)
1320 		bcopy((char *)nat->nat_fr, (char *)&ipn->ipn_fr,
1321 		      sizeof(ipn->ipn_fr));
1322 
1323 	/*
1324 	 * Last but not least, if there is an application proxy session set
1325 	 * up for this NAT entry, then copy that out too, including any
1326 	 * private data saved along side it by the proxy.
1327 	 */
1328 	aps = nat->nat_aps;
1329 	outsize = ipn->ipn_dsize - sizeof(*ipn) + sizeof(ipn->ipn_data);
1330 	if (aps != NULL) {
1331 		char *s;
1332 
1333 		if (outsize < sizeof(*aps)) {
1334 			error = ENOBUFS;
1335 			goto finished;
1336 		}
1337 
1338 		s = ipn->ipn_data;
1339 		bcopy((char *)aps, s, sizeof(*aps));
1340 		s += sizeof(*aps);
1341 		outsize -= sizeof(*aps);
1342 		if ((aps->aps_data != NULL) && (outsize >= aps->aps_psiz))
1343 			bcopy(aps->aps_data, s, aps->aps_psiz);
1344 		else
1345 			error = ENOBUFS;
1346 	}
1347 	if (error == 0) {
1348 		error = fr_outobjsz(data, ipn, IPFOBJ_NATSAVE, ipns.ipn_dsize);
1349 	}
1350 
1351 finished:
1352 	if (ipn != NULL) {
1353 		KFREES(ipn, ipns.ipn_dsize);
1354 	}
1355 	return error;
1356 }
1357 
1358 /* ------------------------------------------------------------------------ */
1359 /* Function:    nat_calc_chksum_diffs					    */
1360 /* Returns:     void							    */
1361 /* Parameters:  nat	-	pointer to NAT table entry		    */
1362 /*                                                                          */
1363 /* Function calculates chksum deltas for IP header (nat_ipsumd) and TCP/UDP */
1364 /* headers (nat_sumd). The things for L4 (UDP/TCP) get complicated when     */
1365 /* we are dealing with partial chksum offload. For these cases we need to   */
1366 /* compute a 'partial chksum delta'. The 'partial chksum delta'is stored    */
1367 /* into nat_sumd[1], while ordinary chksum delta for TCP/UDP is in 	    */
1368 /* nat_sumd[0]. 							    */
1369 /*									    */
1370 /* The function accepts initialized NAT table entry and computes the deltas */
1371 /* from nat_inip/nat_outip members. The function is called right before	    */
1372 /* the new entry is inserted into the table.				    */
1373 /*									    */
1374 /* The ipsumd (IP hedaer chksum delta adjustment) is computed as a chksum   */
1375 /* of delta between original and new IP addresses.			    */
1376 /*									    */
1377 /* the nat_sumd[0] (TCP/UDP header chksum delta adjustment) is computed as  */
1378 /* a chkusm of delta between original an new IP addrress:port tupples.	    */
1379 /*									    */
1380 /* Some facts about chksum, we should remember:				    */
1381 /*	IP header chksum covers IP header only				    */
1382 /*									    */
1383 /*	TCP/UDP chksum covers data payload and so called pseudo header	    */
1384 /*		SRC, DST IP address					    */
1385 /*		SRC, DST Port						    */
1386 /*		length of payload					    */
1387 /*									    */
1388 /* The partial chksum delta (nat_sumd[1] is used to adjust db_ckusm16	    */
1389 /* member of dblk_t structure. The db_ckusm16 member is not part of 	    */
1390 /* IP/UDP/TCP header it is 16 bit value computed by NIC driver with partial */
1391 /* chksum offload capacbility for every inbound packet. The db_cksum16 is   */
1392 /* stored along with other IP packet data in dblk_t structure and used in   */
1393 /* for IP/UDP/TCP chksum validation later in ip.c. 			    */
1394 /*									    */
1395 /* The partial chksum delta (adjustment, nat_sumd[1]) is computed as chksum */
1396 /* of delta between new and orig address. NOTE: the order of operands for   */
1397 /* partial delta operation is swapped compared to computing the IP/TCP/UDP  */
1398 /* header adjustment. It is by design see (IP_CKSUM_RECV() macro in ip.c).  */
1399 /*									    */
1400 /* ------------------------------------------------------------------------ */
1401 void nat_calc_chksum_diffs(nat)
1402 nat_t *nat;
1403 {
1404 	u_32_t	sum_orig = 0;
1405 	u_32_t	sum_changed = 0;
1406 	u_32_t	sumd;
1407 	u_32_t	ipsum_orig = 0;
1408 	u_32_t	ipsum_changed = 0;
1409 
1410 	if (nat->nat_v != 4 && nat->nat_v != 6)
1411 		return;
1412 
1413 	/*
1414 	 * the switch calculates operands for CALC_SUMD(),
1415 	 * which will compute the partial chksum delta.
1416 	 */
1417 	switch (nat->nat_dir)
1418 	{
1419 	case NAT_INBOUND:
1420 		/*
1421 		 * we are dealing with RDR rule (DST address gets
1422 		 * modified on packet from client)
1423 		 */
1424 		if (nat->nat_v == 4) {
1425 			sum_changed = LONG_SUM(ntohl(nat->nat_inip.s_addr));
1426 			sum_orig = LONG_SUM(ntohl(nat->nat_outip.s_addr));
1427 		} else {
1428 			sum_changed = LONG_SUM6(&nat->nat_inip6);
1429 			sum_orig = LONG_SUM6(&nat->nat_outip6);
1430 		}
1431 		break;
1432 	case NAT_OUTBOUND:
1433 		/*
1434 		 * we are dealing with MAP rule (SRC address gets
1435 		 * modified on packet from client)
1436 		 */
1437 		if (nat->nat_v == 4) {
1438 			sum_changed = LONG_SUM(ntohl(nat->nat_outip.s_addr));
1439 			sum_orig = LONG_SUM(ntohl(nat->nat_inip.s_addr));
1440 		} else {
1441 			sum_changed = LONG_SUM6(&nat->nat_outip6);
1442 			sum_orig = LONG_SUM6(&nat->nat_inip6);
1443 		}
1444 		break;
1445 	default: ;
1446 		break;
1447 	}
1448 
1449 	/*
1450 	 * we also preserve CALC_SUMD() operands here, for IP chksum delta
1451 	 * calculation, which happens at the end of function.
1452 	 */
1453 	ipsum_changed = sum_changed;
1454 	ipsum_orig = sum_orig;
1455 	/*
1456 	 * NOTE: the order of operands for partial chksum adjustment
1457 	 * computation has to be swapped!
1458 	 */
1459 	CALC_SUMD(sum_changed, sum_orig, sumd);
1460 	nat->nat_sumd[1] = (sumd & 0xffff) + (sumd >> 16);
1461 
1462 	if (nat->nat_flags & (IPN_TCPUDP | IPN_ICMPQUERY)) {
1463 
1464 		/*
1465 		 * switch calculates operands for CALC_SUMD(), which will
1466 		 * compute the full chksum delta.
1467 		 */
1468 		switch (nat->nat_dir)
1469 		{
1470 		case NAT_INBOUND:
1471 			if (nat->nat_v == 4) {
1472 				sum_changed = LONG_SUM(
1473 				    ntohl(nat->nat_inip.s_addr) +
1474 				    ntohs(nat->nat_inport));
1475 				sum_orig = LONG_SUM(
1476 				    ntohl(nat->nat_outip.s_addr) +
1477 				    ntohs(nat->nat_outport));
1478 			} else {
1479 				sum_changed = LONG_SUM6(&nat->nat_inip6) +
1480 				    ntohs(nat->nat_inport);
1481 				sum_orig = LONG_SUM6(&nat->nat_outip6) +
1482 				    ntohs(nat->nat_outport);
1483 			}
1484 			break;
1485 		case NAT_OUTBOUND:
1486 			if (nat->nat_v == 4) {
1487 				sum_changed = LONG_SUM(
1488 				    ntohl(nat->nat_outip.s_addr) +
1489 				    ntohs(nat->nat_outport));
1490 				sum_orig = LONG_SUM(
1491 				    ntohl(nat->nat_inip.s_addr) +
1492 				    ntohs(nat->nat_inport));
1493 			} else {
1494 				sum_changed = LONG_SUM6(&nat->nat_outip6) +
1495 				    ntohs(nat->nat_outport);
1496 				sum_orig = LONG_SUM6(&nat->nat_inip6) +
1497 				    ntohs(nat->nat_inport);
1498 			}
1499 			break;
1500 		default: ;
1501 			break;
1502 		}
1503 
1504 		CALC_SUMD(sum_orig, sum_changed, sumd);
1505 		nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
1506 
1507 		if (!(nat->nat_flags & IPN_TCPUDP)) {
1508 			/*
1509 			 * partial HW chksum offload works for TCP/UDP headers only,
1510 			 * so we need to enforce full chksum adjustment for ICMP
1511 			 */
1512 			nat->nat_sumd[1] = nat->nat_sumd[0];
1513 		}
1514 	}
1515 	else
1516 		nat->nat_sumd[0] = nat->nat_sumd[1];
1517 
1518 	/*
1519 	 * we may reuse the already computed nat_sumd[0] for IP header chksum
1520 	 * adjustment in case the L4 (TCP/UDP header) is not changed by NAT.
1521 	 */
1522 	if (nat->nat_v == 4) {
1523 		if (NAT_HAS_L4_CHANGED(nat)) {
1524 			/*
1525 			 * bad luck, NAT changes also the L4 header, use IP
1526 			 * addresses to compute chksum adjustment for IP header.
1527 			 */
1528 			CALC_SUMD(ipsum_orig, ipsum_changed, sumd);
1529 			nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
1530 		} else {
1531 			/*
1532 			 * the NAT does not change L4 hdr -> reuse chksum
1533 			 * adjustment for IP hdr.
1534 			 */
1535 			nat->nat_ipsumd = nat->nat_sumd[0];
1536 
1537 			/*
1538 			 * if L4 header does not use chksum - zero out deltas
1539 			 */
1540 			if (!(nat->nat_flags & IPN_TCPUDP)) {
1541 				nat->nat_sumd[0] = 0;
1542 				nat->nat_sumd[1] = 0;
1543 			}
1544 		}
1545 	}
1546 
1547 	return;
1548 }
1549 
1550 /* ------------------------------------------------------------------------ */
1551 /* Function:    fr_natputent                                                */
1552 /* Returns:     int - 0 == success, != 0 is the error value.                */
1553 /* Parameters:  data(I)    - pointer to natget structure with NAT           */
1554 /*                           structure information to load into the kernel  */
1555 /*              getlock(I) - flag indicating whether or not a write lock    */
1556 /*                           on ipf_nat is already held.                    */
1557 /*              ifs        - ipf stack instance                             */
1558 /*                                                                          */
1559 /* Handle SIOCSTPUT.                                                        */
1560 /* Loads a NAT table entry from user space, including a NAT rule, proxy and */
1561 /* firewall rule data structures, if pointers to them indicate so.          */
1562 /* ------------------------------------------------------------------------ */
1563 static int fr_natputent(data, getlock, ifs)
1564 caddr_t data;
1565 int getlock;
1566 ipf_stack_t *ifs;
1567 {
1568 	nat_save_t ipn, *ipnn;
1569 	ap_session_t *aps;
1570 	nat_t *n, *nat;
1571 	frentry_t *fr;
1572 	fr_info_t fin;
1573 	ipnat_t *in;
1574 	int error;
1575 
1576 	error = fr_inobj(data, &ipn, IPFOBJ_NATSAVE);
1577 	if (error != 0)
1578 		return error;
1579 
1580 	/*
1581 	 * Trigger automatic call to nat_flushtable() if the
1582 	 * table has reached capcity specified by hi watermark.
1583 	 */
1584 	if (NAT_TAB_WATER_LEVEL(ifs) > ifs->ifs_nat_flush_level_hi)
1585 		ifs->ifs_nat_doflush = 1;
1586 
1587 	/*
1588 	 * If automatic flushing did not do its job, and the table
1589 	 * has filled up, don't try to create a new entry.
1590 	 */
1591 	if (ifs->ifs_nat_stats.ns_inuse >= ifs->ifs_ipf_nattable_max) {
1592 		ifs->ifs_nat_stats.ns_memfail++;
1593 		return ENOMEM;
1594 	}
1595 
1596 	/*
1597 	 * Initialise early because of code at junkput label.
1598 	 */
1599 	in = NULL;
1600 	aps = NULL;
1601 	nat = NULL;
1602 	ipnn = NULL;
1603 
1604 	/*
1605 	 * New entry, copy in the rest of the NAT entry if it's size is more
1606 	 * than just the nat_t structure.
1607 	 */
1608 	fr = NULL;
1609 	if (ipn.ipn_dsize > sizeof(ipn)) {
1610 		if (ipn.ipn_dsize > 81920) {
1611 			error = ENOMEM;
1612 			goto junkput;
1613 		}
1614 
1615 		KMALLOCS(ipnn, nat_save_t *, ipn.ipn_dsize);
1616 		if (ipnn == NULL)
1617 			return ENOMEM;
1618 
1619 		error = fr_inobjsz(data, ipnn, IPFOBJ_NATSAVE, ipn.ipn_dsize);
1620 		if (error != 0) {
1621 			error = EFAULT;
1622 			goto junkput;
1623 		}
1624 	} else
1625 		ipnn = &ipn;
1626 
1627 	KMALLOC(nat, nat_t *);
1628 	if (nat == NULL) {
1629 		error = ENOMEM;
1630 		goto junkput;
1631 	}
1632 
1633 	bcopy((char *)&ipnn->ipn_nat, (char *)nat, sizeof(*nat));
1634 	/*
1635 	 * Initialize all these so that nat_delete() doesn't cause a crash.
1636 	 */
1637 	bzero((char *)nat, offsetof(struct nat, nat_tqe));
1638 	nat->nat_tqe.tqe_pnext = NULL;
1639 	nat->nat_tqe.tqe_next = NULL;
1640 	nat->nat_tqe.tqe_ifq = NULL;
1641 	nat->nat_tqe.tqe_parent = nat;
1642 
1643 	/*
1644 	 * Restore the rule associated with this nat session
1645 	 */
1646 	in = ipnn->ipn_nat.nat_ptr;
1647 	if (in != NULL) {
1648 		KMALLOC(in, ipnat_t *);
1649 		nat->nat_ptr = in;
1650 		if (in == NULL) {
1651 			error = ENOMEM;
1652 			goto junkput;
1653 		}
1654 		bzero((char *)in, offsetof(struct ipnat, in_next6));
1655 		bcopy((char *)&ipnn->ipn_ipnat, (char *)in, sizeof(*in));
1656 		in->in_use = 1;
1657 		in->in_flags |= IPN_DELETE;
1658 
1659 		ATOMIC_INC(ifs->ifs_nat_stats.ns_rules);
1660 
1661 		if (nat_resolverule(in, ifs) != 0) {
1662 			error = ESRCH;
1663 			goto junkput;
1664 		}
1665 	}
1666 
1667 	/*
1668 	 * Check that the NAT entry doesn't already exist in the kernel.
1669 	 */
1670 	if (nat->nat_v != 6)
1671 		nat->nat_v = 4;
1672 	bzero((char *)&fin, sizeof(fin));
1673 	fin.fin_p = nat->nat_p;
1674 	fin.fin_ifs = ifs;
1675 	if (nat->nat_dir == NAT_OUTBOUND) {
1676 		fin.fin_data[0] = ntohs(nat->nat_oport);
1677 		fin.fin_data[1] = ntohs(nat->nat_outport);
1678 		fin.fin_ifp = nat->nat_ifps[0];
1679 		if (getlock) {
1680 			READ_ENTER(&ifs->ifs_ipf_nat);
1681 		}
1682 
1683 		switch (nat->nat_v)
1684 		{
1685 		case 4:
1686 			fin.fin_v = nat->nat_v;
1687 			n = nat_inlookup(&fin, nat->nat_flags, fin.fin_p,
1688 			    nat->nat_oip, nat->nat_outip);
1689 			break;
1690 #ifdef USE_INET6
1691 		case 6:
1692 			n = nat6_inlookup(&fin, nat->nat_flags, fin.fin_p,
1693 			    &nat->nat_oip6.in6, &nat->nat_outip6.in6);
1694 			break;
1695 #endif
1696 		default:
1697 			n = NULL;
1698 			break;
1699 		}
1700 
1701 		if (getlock) {
1702 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
1703 		}
1704 		if (n != NULL) {
1705 			error = EEXIST;
1706 			goto junkput;
1707 		}
1708 	} else if (nat->nat_dir == NAT_INBOUND) {
1709 		fin.fin_data[0] = ntohs(nat->nat_inport);
1710 		fin.fin_data[1] = ntohs(nat->nat_oport);
1711 		fin.fin_ifp = nat->nat_ifps[1];
1712 		if (getlock) {
1713 			READ_ENTER(&ifs->ifs_ipf_nat);
1714 		}
1715 
1716 		switch (nat->nat_v)
1717 		{
1718 		case 4:
1719 			n = nat_outlookup(&fin, nat->nat_flags, fin.fin_p,
1720 			    nat->nat_inip, nat->nat_oip);
1721 			break;
1722 #ifdef USE_INET6
1723 		case 6:
1724 			n = nat6_outlookup(&fin, nat->nat_flags, fin.fin_p,
1725 			    &nat->nat_inip6.in6, &nat->nat_oip6.in6);
1726 			break;
1727 #endif
1728 		default:
1729 			n = NULL;
1730 			break;
1731 		}
1732 
1733 		if (getlock) {
1734 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
1735 		}
1736 		if (n != NULL) {
1737 			error = EEXIST;
1738 			goto junkput;
1739 		}
1740 	} else {
1741 		error = EINVAL;
1742 		goto junkput;
1743 	}
1744 
1745 	/*
1746 	 * Restore ap_session_t structure.  Include the private data allocated
1747 	 * if it was there.
1748 	 */
1749 	aps = nat->nat_aps;
1750 	if (aps != NULL) {
1751 		KMALLOC(aps, ap_session_t *);
1752 		nat->nat_aps = aps;
1753 		if (aps == NULL) {
1754 			error = ENOMEM;
1755 			goto junkput;
1756 		}
1757 		bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
1758 		if (in != NULL)
1759 			aps->aps_apr = in->in_apr;
1760 		else
1761 			aps->aps_apr = NULL;
1762 		if (aps->aps_psiz != 0) {
1763 			if (aps->aps_psiz > 81920) {
1764 				error = ENOMEM;
1765 				goto junkput;
1766 			}
1767 			KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
1768 			if (aps->aps_data == NULL) {
1769 				error = ENOMEM;
1770 				goto junkput;
1771 			}
1772 			bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
1773 			      aps->aps_psiz);
1774 		} else {
1775 			aps->aps_psiz = 0;
1776 			aps->aps_data = NULL;
1777 		}
1778 	}
1779 
1780 	/*
1781 	 * If there was a filtering rule associated with this entry then
1782 	 * build up a new one.
1783 	 */
1784 	fr = nat->nat_fr;
1785 	if (fr != NULL) {
1786 		if ((nat->nat_flags & SI_NEWFR) != 0) {
1787 			KMALLOC(fr, frentry_t *);
1788 			nat->nat_fr = fr;
1789 			if (fr == NULL) {
1790 				error = ENOMEM;
1791 				goto junkput;
1792 			}
1793 			ipnn->ipn_nat.nat_fr = fr;
1794 			(void) fr_outobj(data, ipnn, IPFOBJ_NATSAVE);
1795 			bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr));
1796 
1797 			fr->fr_ref = 1;
1798 			fr->fr_dsize = 0;
1799 			fr->fr_data = NULL;
1800 			fr->fr_type = FR_T_NONE;
1801 
1802 			MUTEX_NUKE(&fr->fr_lock);
1803 			MUTEX_INIT(&fr->fr_lock, "nat-filter rule lock");
1804 		} else {
1805 			if (getlock) {
1806 				READ_ENTER(&ifs->ifs_ipf_nat);
1807 			}
1808 			for (n = ifs->ifs_nat_instances; n; n = n->nat_next)
1809 				if (n->nat_fr == fr)
1810 					break;
1811 
1812 			if (n != NULL) {
1813 				MUTEX_ENTER(&fr->fr_lock);
1814 				fr->fr_ref++;
1815 				MUTEX_EXIT(&fr->fr_lock);
1816 			}
1817 			if (getlock) {
1818 				RWLOCK_EXIT(&ifs->ifs_ipf_nat);
1819 			}
1820 			if (!n) {
1821 				error = ESRCH;
1822 				goto junkput;
1823 			}
1824 		}
1825 	}
1826 
1827 	if (ipnn != &ipn) {
1828 		KFREES(ipnn, ipn.ipn_dsize);
1829 		ipnn = NULL;
1830 	}
1831 
1832 	nat_calc_chksum_diffs(nat);
1833 
1834 	if (getlock) {
1835 		WRITE_ENTER(&ifs->ifs_ipf_nat);
1836 	}
1837 
1838 	nat_calc_chksum_diffs(nat);
1839 
1840 	switch (nat->nat_v)
1841 	{
1842 	case 4 :
1843 		error = nat_insert(nat, nat->nat_rev, ifs);
1844 		break;
1845 #ifdef USE_INET6
1846 	case 6 :
1847 		error = nat6_insert(nat, nat->nat_rev, ifs);
1848 		break;
1849 #endif
1850 	default :
1851 		break;
1852 	}
1853 
1854 	if ((error == 0) && (aps != NULL)) {
1855 		aps->aps_next = ifs->ifs_ap_sess_list;
1856 		ifs->ifs_ap_sess_list = aps;
1857 	}
1858 	if (getlock) {
1859 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
1860 	}
1861 
1862 	if (error == 0)
1863 		return 0;
1864 
1865 	error = ENOMEM;
1866 
1867 junkput:
1868 	if (fr != NULL)
1869 		(void) fr_derefrule(&fr, ifs);
1870 
1871 	if ((ipnn != NULL) && (ipnn != &ipn)) {
1872 		KFREES(ipnn, ipn.ipn_dsize);
1873 	}
1874 	if (nat != NULL) {
1875 		if (aps != NULL) {
1876 			if (aps->aps_data != NULL) {
1877 				KFREES(aps->aps_data, aps->aps_psiz);
1878 			}
1879 			KFREE(aps);
1880 		}
1881 		if (in != NULL) {
1882 			if (in->in_apr)
1883 				appr_free(in->in_apr);
1884 			KFREE(in);
1885 		}
1886 		KFREE(nat);
1887 	}
1888 	return error;
1889 }
1890 
1891 
1892 /* ------------------------------------------------------------------------ */
1893 /* Function:    nat_delete                                                  */
1894 /* Returns:     int	- 0 if entry deleted. Otherwise, ref count on entry */
1895 /* Parameters:  nat	- pointer to the NAT entry to delete		    */
1896 /*		logtype	- type of LOG record to create before deleting	    */
1897 /*		ifs	- ipf stack instance				    */
1898 /* Write Lock:  ipf_nat                                                     */
1899 /*                                                                          */
1900 /* Delete a nat entry from the various lists and table.  If NAT logging is  */
1901 /* enabled then generate a NAT log record for this event.                   */
1902 /* ------------------------------------------------------------------------ */
1903 int nat_delete(nat, logtype, ifs)
1904 struct nat *nat;
1905 int logtype;
1906 ipf_stack_t *ifs;
1907 {
1908 	struct ipnat *ipn;
1909 	int removed = 0;
1910 
1911 	if (logtype != 0 && ifs->ifs_nat_logging != 0)
1912 		nat_log(nat, logtype, ifs);
1913 
1914 	/*
1915 	 * Start by removing the entry from the hash table of nat entries
1916 	 * so it will not be "used" again.
1917 	 *
1918 	 * It will remain in the "list" of nat entries until all references
1919 	 * have been accounted for.
1920 	 */
1921 	if ((nat->nat_phnext[0] != NULL) && (nat->nat_phnext[1] != NULL)) {
1922 		removed = 1;
1923 
1924 		ifs->ifs_nat_stats.ns_bucketlen[0][nat->nat_hv[0]]--;
1925 		ifs->ifs_nat_stats.ns_bucketlen[1][nat->nat_hv[1]]--;
1926 
1927 		*nat->nat_phnext[0] = nat->nat_hnext[0];
1928 		if (nat->nat_hnext[0] != NULL) {
1929 			nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
1930 			nat->nat_hnext[0] = NULL;
1931 		}
1932 		nat->nat_phnext[0] = NULL;
1933 
1934 		*nat->nat_phnext[1] = nat->nat_hnext[1];
1935 		if (nat->nat_hnext[1] != NULL) {
1936 			nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
1937 			nat->nat_hnext[1] = NULL;
1938 		}
1939 		nat->nat_phnext[1] = NULL;
1940 
1941 		if ((nat->nat_flags & SI_WILDP) != 0)
1942 			ifs->ifs_nat_stats.ns_wilds--;
1943 	}
1944 
1945 	/*
1946 	 * Next, remove it from the timeout queue it is in.
1947 	 */
1948 	fr_deletequeueentry(&nat->nat_tqe);
1949 
1950 	if (nat->nat_me != NULL) {
1951 		*nat->nat_me = NULL;
1952 		nat->nat_me = NULL;
1953 	}
1954 
1955 	MUTEX_ENTER(&nat->nat_lock);
1956  	if (nat->nat_ref > 1) {
1957 		nat->nat_ref--;
1958 		MUTEX_EXIT(&nat->nat_lock);
1959  		if (removed)
1960  			ifs->ifs_nat_stats.ns_orphans++;
1961 		return (nat->nat_ref);
1962 	}
1963 	MUTEX_EXIT(&nat->nat_lock);
1964 
1965 	nat->nat_ref = 0;
1966 
1967 	/*
1968 	 * If entry had already been removed,
1969 	 * it means we're cleaning up an orphan.
1970 	 */
1971  	if (!removed)
1972  		ifs->ifs_nat_stats.ns_orphans--;
1973 
1974 #ifdef	IPFILTER_SYNC
1975 	if (nat->nat_sync)
1976 		ipfsync_del(nat->nat_sync);
1977 #endif
1978 
1979 	/*
1980 	 * Now remove it from master list of nat table entries
1981 	 */
1982 	if (nat->nat_pnext != NULL) {
1983 		*nat->nat_pnext = nat->nat_next;
1984 		if (nat->nat_next != NULL) {
1985 			nat->nat_next->nat_pnext = nat->nat_pnext;
1986 			nat->nat_next = NULL;
1987 		}
1988 		nat->nat_pnext = NULL;
1989 	}
1990 
1991 	if (nat->nat_fr != NULL)
1992 		(void)fr_derefrule(&nat->nat_fr, ifs);
1993 
1994 	if (nat->nat_hm != NULL)
1995 		fr_hostmapdel(&nat->nat_hm);
1996 
1997 	/*
1998 	 * If there is an active reference from the nat entry to its parent
1999 	 * rule, decrement the rule's reference count and free it too if no
2000 	 * longer being used.
2001 	 */
2002 	ipn = nat->nat_ptr;
2003 	if (ipn != NULL) {
2004 		ipn->in_space++;
2005 		ipn->in_use--;
2006 		if (ipn->in_use == 0 && (ipn->in_flags & IPN_DELETE)) {
2007 			if (ipn->in_apr)
2008 				appr_free(ipn->in_apr);
2009 			KFREE(ipn);
2010 			ifs->ifs_nat_stats.ns_rules--;
2011 		}
2012 	}
2013 
2014 	MUTEX_DESTROY(&nat->nat_lock);
2015 
2016 	aps_free(nat->nat_aps, ifs);
2017 	ifs->ifs_nat_stats.ns_inuse--;
2018 
2019 	/*
2020 	 * If there's a fragment table entry too for this nat entry, then
2021 	 * dereference that as well.  This is after nat_lock is released
2022 	 * because of Tru64.
2023 	 */
2024 	fr_forgetnat((void *)nat, ifs);
2025 
2026 	KFREE(nat);
2027 
2028 	return (0);
2029 }
2030 
2031 
2032 /* ------------------------------------------------------------------------ */
2033 /* Function:    nat_clearlist                                               */
2034 /* Returns:     int - number of NAT/RDR rules deleted                       */
2035 /* Parameters:  Nil                                                         */
2036 /*                                                                          */
2037 /* Delete all rules in the current list of rules.  There is nothing elegant */
2038 /* about this cleanup: simply free all entries on the list of rules and     */
2039 /* clear out the tables used for hashed NAT rule lookups.                   */
2040 /* ------------------------------------------------------------------------ */
2041 static int nat_clearlist(ifs)
2042 ipf_stack_t *ifs;
2043 {
2044 	ipnat_t *n, **np = &ifs->ifs_nat_list;
2045 	int i = 0;
2046 
2047 	if (ifs->ifs_nat_rules != NULL)
2048 		bzero((char *)ifs->ifs_nat_rules,
2049 		      sizeof(*ifs->ifs_nat_rules) * ifs->ifs_ipf_natrules_sz);
2050 	if (ifs->ifs_rdr_rules != NULL)
2051 		bzero((char *)ifs->ifs_rdr_rules,
2052 		      sizeof(*ifs->ifs_rdr_rules) * ifs->ifs_ipf_rdrrules_sz);
2053 
2054 	while ((n = *np) != NULL) {
2055 		*np = n->in_next;
2056 		if (n->in_use == 0) {
2057 			if (n->in_apr != NULL)
2058 				appr_free(n->in_apr);
2059 			KFREE(n);
2060 			ifs->ifs_nat_stats.ns_rules--;
2061 		} else {
2062 			n->in_flags |= IPN_DELETE;
2063 			n->in_next = NULL;
2064 		}
2065 		i++;
2066 	}
2067 	ifs->ifs_nat_masks = 0;
2068 	ifs->ifs_rdr_masks = 0;
2069 	for (i = 0; i < 4; i++) {
2070 		ifs->ifs_nat6_masks[i] = 0;
2071 		ifs->ifs_rdr6_masks[i] = 0;
2072 	}
2073 	return i;
2074 }
2075 
2076 
2077 /* ------------------------------------------------------------------------ */
2078 /* Function:    nat_newmap                                                  */
2079 /* Returns:     int - -1 == error, 0 == success                             */
2080 /* Parameters:  fin(I) - pointer to packet information                      */
2081 /*              nat(I) - pointer to NAT entry                               */
2082 /*              ni(I)  - pointer to structure with misc. information needed */
2083 /*                       to create new NAT entry.                           */
2084 /*                                                                          */
2085 /* Given an empty NAT structure, populate it with new information about a   */
2086 /* new NAT session, as defined by the matching NAT rule.                    */
2087 /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
2088 /* to the new IP address for the translation.                               */
2089 /* ------------------------------------------------------------------------ */
2090 static INLINE int nat_newmap(fin, nat, ni)
2091 fr_info_t *fin;
2092 nat_t *nat;
2093 natinfo_t *ni;
2094 {
2095 	u_short st_port, dport, sport, port, sp, dp;
2096 	struct in_addr in, inb;
2097 	hostmap_t *hm;
2098 	u_32_t flags;
2099 	u_32_t st_ip;
2100 	ipnat_t *np;
2101 	nat_t *natl;
2102 	int l;
2103 	ipf_stack_t *ifs = fin->fin_ifs;
2104 
2105 	/*
2106 	 * If it's an outbound packet which doesn't match any existing
2107 	 * record, then create a new port
2108 	 */
2109 	l = 0;
2110 	hm = NULL;
2111 	np = ni->nai_np;
2112 	st_ip = np->in_nip;
2113 	st_port = np->in_pnext;
2114 	flags = ni->nai_flags;
2115 	sport = ni->nai_sport;
2116 	dport = ni->nai_dport;
2117 
2118 	/*
2119 	 * Do a loop until we either run out of entries to try or we find
2120 	 * a NAT mapping that isn't currently being used.  This is done
2121 	 * because the change to the source is not (usually) being fixed.
2122 	 */
2123 	do {
2124 		port = 0;
2125 		in.s_addr = htonl(np->in_nip);
2126 		if (l == 0) {
2127 			/*
2128 			 * Check to see if there is an existing NAT
2129 			 * setup for this IP address pair.
2130 			 */
2131 			hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
2132 					 in, 0, ifs);
2133 			if (hm != NULL)
2134 				in.s_addr = hm->hm_mapip.s_addr;
2135 		} else if ((l == 1) && (hm != NULL)) {
2136 			fr_hostmapdel(&hm);
2137 		}
2138 		in.s_addr = ntohl(in.s_addr);
2139 
2140 		nat->nat_hm = hm;
2141 
2142 		if ((np->in_outmsk == 0xffffffff) && (np->in_pnext == 0)) {
2143 			if (l > 0)
2144 				return -1;
2145 		}
2146 
2147 		if (np->in_redir == NAT_BIMAP &&
2148 		    np->in_inmsk == np->in_outmsk) {
2149 			/*
2150 			 * map the address block in a 1:1 fashion
2151 			 */
2152 			in.s_addr = np->in_outip;
2153 			in.s_addr |= fin->fin_saddr & ~np->in_inmsk;
2154 			in.s_addr = ntohl(in.s_addr);
2155 
2156 		} else if (np->in_redir & NAT_MAPBLK) {
2157 			if ((l >= np->in_ppip) || ((l > 0) &&
2158 			     !(flags & IPN_TCPUDP)))
2159 				return -1;
2160 			/*
2161 			 * map-block - Calculate destination address.
2162 			 */
2163 			in.s_addr = ntohl(fin->fin_saddr);
2164 			in.s_addr &= ntohl(~np->in_inmsk);
2165 			inb.s_addr = in.s_addr;
2166 			in.s_addr /= np->in_ippip;
2167 			in.s_addr &= ntohl(~np->in_outmsk);
2168 			in.s_addr += ntohl(np->in_outip);
2169 			/*
2170 			 * Calculate destination port.
2171 			 */
2172 			if ((flags & IPN_TCPUDP) &&
2173 			    (np->in_ppip != 0)) {
2174 				port = ntohs(sport) + l;
2175 				port %= np->in_ppip;
2176 				port += np->in_ppip *
2177 					(inb.s_addr % np->in_ippip);
2178 				port += MAPBLK_MINPORT;
2179 				port = htons(port);
2180 			}
2181 
2182 		} else if ((np->in_outip == 0) &&
2183 			   (np->in_outmsk == 0xffffffff)) {
2184 			/*
2185 			 * 0/32 - use the interface's IP address.
2186 			 */
2187 			if ((l > 0) ||
2188 			    fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp,
2189 				       &in, NULL, fin->fin_ifs) == -1)
2190 				return -1;
2191 			in.s_addr = ntohl(in.s_addr);
2192 
2193 		} else if ((np->in_outip == 0) && (np->in_outmsk == 0)) {
2194 			/*
2195 			 * 0/0 - use the original source address/port.
2196 			 */
2197 			if (l > 0)
2198 				return -1;
2199 			in.s_addr = ntohl(fin->fin_saddr);
2200 
2201 		} else if ((np->in_outmsk != 0xffffffff) &&
2202 			   (np->in_pnext == 0) && ((l > 0) || (hm == NULL)))
2203 			np->in_nip++;
2204 
2205 		natl = NULL;
2206 
2207 		if ((flags & IPN_TCPUDP) &&
2208 		    ((np->in_redir & NAT_MAPBLK) == 0) &&
2209 		    (np->in_flags & IPN_AUTOPORTMAP)) {
2210 			/*
2211 			 * "ports auto" (without map-block)
2212 			 */
2213 			if ((l > 0) && (l % np->in_ppip == 0)) {
2214 				if (l > np->in_space) {
2215 					return -1;
2216 				} else if ((l > np->in_ppip) &&
2217 					   np->in_outmsk != 0xffffffff)
2218 					np->in_nip++;
2219 			}
2220 			if (np->in_ppip != 0) {
2221 				port = ntohs(sport);
2222 				port += (l % np->in_ppip);
2223 				port %= np->in_ppip;
2224 				port += np->in_ppip *
2225 					(ntohl(fin->fin_saddr) %
2226 					 np->in_ippip);
2227 				port += MAPBLK_MINPORT;
2228 				port = htons(port);
2229 			}
2230 
2231 		} else if (((np->in_redir & NAT_MAPBLK) == 0) &&
2232 			   (flags & IPN_TCPUDPICMP) && (np->in_pnext != 0)) {
2233 			/*
2234 			 * Standard port translation.  Select next port.
2235 			 */
2236 			if (np->in_flags & IPN_SEQUENTIAL) {
2237 				port = np->in_pnext;
2238 			} else {
2239 				port = ipf_random() % (ntohs(np->in_pmax) -
2240 						       ntohs(np->in_pmin) + 1);
2241 				port += ntohs(np->in_pmin);
2242 			}
2243 			port = htons(port);
2244 			np->in_pnext++;
2245 
2246 			if (np->in_pnext > ntohs(np->in_pmax)) {
2247 				np->in_pnext = ntohs(np->in_pmin);
2248 				if (np->in_outmsk != 0xffffffff)
2249 					np->in_nip++;
2250 			}
2251 		}
2252 
2253 		if (np->in_flags & IPN_IPRANGE) {
2254 			if (np->in_nip > ntohl(np->in_outmsk))
2255 				np->in_nip = ntohl(np->in_outip);
2256 		} else {
2257 			if ((np->in_outmsk != 0xffffffff) &&
2258 			    ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
2259 			    ntohl(np->in_outip))
2260 				np->in_nip = ntohl(np->in_outip) + 1;
2261 		}
2262 
2263 		if ((port == 0) && (flags & (IPN_TCPUDPICMP|IPN_ICMPQUERY)))
2264 			port = sport;
2265 
2266 		/*
2267 		 * Here we do a lookup of the connection as seen from
2268 		 * the outside.  If an IP# pair already exists, try
2269 		 * again.  So if you have A->B becomes C->B, you can
2270 		 * also have D->E become C->E but not D->B causing
2271 		 * another C->B.  Also take protocol and ports into
2272 		 * account when determining whether a pre-existing
2273 		 * NAT setup will cause an external conflict where
2274 		 * this is appropriate.
2275 		 */
2276 		inb.s_addr = htonl(in.s_addr);
2277 		sp = fin->fin_data[0];
2278 		dp = fin->fin_data[1];
2279 		fin->fin_data[0] = fin->fin_data[1];
2280 		fin->fin_data[1] = htons(port);
2281 		natl = nat_inlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH),
2282 				    (u_int)fin->fin_p, fin->fin_dst, inb);
2283 		fin->fin_data[0] = sp;
2284 		fin->fin_data[1] = dp;
2285 
2286 		/*
2287 		 * Has the search wrapped around and come back to the
2288 		 * start ?
2289 		 */
2290 		if ((natl != NULL) &&
2291 		    (np->in_pnext != 0) && (st_port == np->in_pnext) &&
2292 		    (np->in_nip != 0) && (st_ip == np->in_nip))
2293 			return -1;
2294 		l++;
2295 	} while (natl != NULL);
2296 
2297 	if (np->in_space > 0)
2298 		np->in_space--;
2299 
2300 	/* Setup the NAT table */
2301 	nat->nat_inip = fin->fin_src;
2302 	nat->nat_outip.s_addr = htonl(in.s_addr);
2303 	nat->nat_oip = fin->fin_dst;
2304 	if (nat->nat_hm == NULL)
2305 		nat->nat_hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
2306 					  nat->nat_outip, 0, ifs);
2307 
2308 	if (flags & IPN_TCPUDP) {
2309 		nat->nat_inport = sport;
2310 		nat->nat_outport = port;	/* sport */
2311 		nat->nat_oport = dport;
2312 		((tcphdr_t *)fin->fin_dp)->th_sport = port;
2313 	} else if (flags & IPN_ICMPQUERY) {
2314 		((icmphdr_t *)fin->fin_dp)->icmp_id = port;
2315 		nat->nat_inport = port;
2316 		nat->nat_outport = port;
2317 	}
2318 
2319 	ni->nai_ip.s_addr = in.s_addr;
2320 	ni->nai_port = port;
2321 	ni->nai_nport = dport;
2322 	return 0;
2323 }
2324 
2325 
2326 /* ------------------------------------------------------------------------ */
2327 /* Function:    nat_newrdr                                                  */
2328 /* Returns:     int - -1 == error, 0 == success (no move), 1 == success and */
2329 /*                    allow rule to be moved if IPN_ROUNDR is set.          */
2330 /* Parameters:  fin(I) - pointer to packet information                      */
2331 /*              nat(I) - pointer to NAT entry                               */
2332 /*              ni(I)  - pointer to structure with misc. information needed */
2333 /*                       to create new NAT entry.                           */
2334 /*                                                                          */
2335 /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
2336 /* to the new IP address for the translation.                               */
2337 /* ------------------------------------------------------------------------ */
2338 static INLINE int nat_newrdr(fin, nat, ni)
2339 fr_info_t *fin;
2340 nat_t *nat;
2341 natinfo_t *ni;
2342 {
2343 	u_short nport, dport, sport;
2344 	struct in_addr in, inb;
2345 	u_short sp, dp;
2346 	hostmap_t *hm;
2347 	u_32_t flags;
2348 	ipnat_t *np;
2349 	nat_t *natl;
2350 	int move;
2351 	ipf_stack_t *ifs = fin->fin_ifs;
2352 
2353 	move = 1;
2354 	hm = NULL;
2355 	in.s_addr = 0;
2356 	np = ni->nai_np;
2357 	flags = ni->nai_flags;
2358 	sport = ni->nai_sport;
2359 	dport = ni->nai_dport;
2360 
2361 	/*
2362 	 * If the matching rule has IPN_STICKY set, then we want to have the
2363 	 * same rule kick in as before.  Why would this happen?  If you have
2364 	 * a collection of rdr rules with "round-robin sticky", the current
2365 	 * packet might match a different one to the previous connection but
2366 	 * we want the same destination to be used.
2367 	 */
2368 	if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) ==
2369 	    (IPN_ROUNDR|IPN_STICKY)) {
2370 		hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in,
2371 				 (u_32_t)dport, ifs);
2372 		if (hm != NULL) {
2373 			in.s_addr = ntohl(hm->hm_mapip.s_addr);
2374 			np = hm->hm_ipnat;
2375 			ni->nai_np = np;
2376 			move = 0;
2377 		}
2378 	}
2379 
2380 	/*
2381 	 * Otherwise, it's an inbound packet. Most likely, we don't
2382 	 * want to rewrite source ports and source addresses. Instead,
2383 	 * we want to rewrite to a fixed internal address and fixed
2384 	 * internal port.
2385 	 */
2386 	if (np->in_flags & IPN_SPLIT) {
2387 		in.s_addr = np->in_nip;
2388 
2389 		if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) {
2390 			hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
2391 					 in, (u_32_t)dport, ifs);
2392 			if (hm != NULL) {
2393 				in.s_addr = hm->hm_mapip.s_addr;
2394 				move = 0;
2395 			}
2396 		}
2397 
2398 		if (hm == NULL || hm->hm_ref == 1) {
2399 			if (np->in_inip == htonl(in.s_addr)) {
2400 				np->in_nip = ntohl(np->in_inmsk);
2401 				move = 0;
2402 			} else {
2403 				np->in_nip = ntohl(np->in_inip);
2404 			}
2405 		}
2406 
2407 	} else if ((np->in_inip == 0) && (np->in_inmsk == 0xffffffff)) {
2408 		/*
2409 		 * 0/32 - use the interface's IP address.
2410 		 */
2411 		if (fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp, &in, NULL,
2412 			   fin->fin_ifs) == -1)
2413 			return -1;
2414 		in.s_addr = ntohl(in.s_addr);
2415 
2416 	} else if ((np->in_inip == 0) && (np->in_inmsk== 0)) {
2417 		/*
2418 		 * 0/0 - use the original destination address/port.
2419 		 */
2420 		in.s_addr = ntohl(fin->fin_daddr);
2421 
2422 	} else if (np->in_redir == NAT_BIMAP &&
2423 		   np->in_inmsk == np->in_outmsk) {
2424 		/*
2425 		 * map the address block in a 1:1 fashion
2426 		 */
2427 		in.s_addr = np->in_inip;
2428 		in.s_addr |= fin->fin_daddr & ~np->in_inmsk;
2429 		in.s_addr = ntohl(in.s_addr);
2430 	} else {
2431 		in.s_addr = ntohl(np->in_inip);
2432 	}
2433 
2434 	if ((np->in_pnext == 0) || ((flags & NAT_NOTRULEPORT) != 0))
2435 		nport = dport;
2436 	else {
2437 		/*
2438 		 * Whilst not optimized for the case where
2439 		 * pmin == pmax, the gain is not significant.
2440 		 */
2441 		if (((np->in_flags & IPN_FIXEDDPORT) == 0) &&
2442 		    (np->in_pmin != np->in_pmax)) {
2443 			nport = ntohs(dport) - ntohs(np->in_pmin) +
2444 				ntohs(np->in_pnext);
2445 			nport = htons(nport);
2446 		} else
2447 			nport = np->in_pnext;
2448 	}
2449 
2450 	/*
2451 	 * When the redirect-to address is set to 0.0.0.0, just
2452 	 * assume a blank `forwarding' of the packet.  We don't
2453 	 * setup any translation for this either.
2454 	 */
2455 	if (in.s_addr == 0) {
2456 		if (nport == dport)
2457 			return -1;
2458 		in.s_addr = ntohl(fin->fin_daddr);
2459 	}
2460 
2461 	/*
2462 	 * Check to see if this redirect mapping already exists and if
2463 	 * it does, return "failure" (allowing it to be created will just
2464 	 * cause one or both of these "connections" to stop working.)
2465 	 */
2466 	inb.s_addr = htonl(in.s_addr);
2467 	sp = fin->fin_data[0];
2468 	dp = fin->fin_data[1];
2469 	fin->fin_data[1] = fin->fin_data[0];
2470 	fin->fin_data[0] = ntohs(nport);
2471 	natl = nat_outlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH),
2472 		    (u_int)fin->fin_p, inb, fin->fin_src);
2473 	fin->fin_data[0] = sp;
2474 	fin->fin_data[1] = dp;
2475 	if (natl != NULL)
2476 		return (-1);
2477 
2478 	nat->nat_inip.s_addr = htonl(in.s_addr);
2479 	nat->nat_outip = fin->fin_dst;
2480 	nat->nat_oip = fin->fin_src;
2481 
2482 	ni->nai_ip.s_addr = in.s_addr;
2483 	ni->nai_nport = nport;
2484 	ni->nai_port = sport;
2485 
2486 	if (flags & IPN_TCPUDP) {
2487 		nat->nat_inport = nport;
2488 		nat->nat_outport = dport;
2489 		nat->nat_oport = sport;
2490 		((tcphdr_t *)fin->fin_dp)->th_dport = nport;
2491 	} else if (flags & IPN_ICMPQUERY) {
2492 		((icmphdr_t *)fin->fin_dp)->icmp_id = nport;
2493 		nat->nat_inport = nport;
2494 		nat->nat_outport = nport;
2495 	}
2496 
2497 	return move;
2498 }
2499 
2500 /* ------------------------------------------------------------------------ */
2501 /* Function:    nat_new                                                     */
2502 /* Returns:     nat_t* - NULL == failure to create new NAT structure,       */
2503 /*                       else pointer to new NAT structure                  */
2504 /* Parameters:  fin(I)       - pointer to packet information                */
2505 /*              np(I)        - pointer to NAT rule                          */
2506 /*              natsave(I)   - pointer to where to store NAT struct pointer */
2507 /*              flags(I)     - flags describing the current packet          */
2508 /*              direction(I) - direction of packet (in/out)                 */
2509 /* Write Lock:  ipf_nat                                                     */
2510 /*                                                                          */
2511 /* Attempts to create a new NAT entry.  Does not actually change the packet */
2512 /* in any way.                                                              */
2513 /*                                                                          */
2514 /* This fucntion is in three main parts: (1) deal with creating a new NAT   */
2515 /* structure for a "MAP" rule (outgoing NAT translation); (2) deal with     */
2516 /* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */
2517 /* and (3) building that structure and putting it into the NAT table(s).    */
2518 /* ------------------------------------------------------------------------ */
2519 nat_t *nat_new(fin, np, natsave, flags, direction)
2520 fr_info_t *fin;
2521 ipnat_t *np;
2522 nat_t **natsave;
2523 u_int flags;
2524 int direction;
2525 {
2526 	tcphdr_t *tcp = NULL;
2527 	hostmap_t *hm = NULL;
2528 	nat_t *nat, *natl;
2529 	u_int nflags;
2530 	natinfo_t ni;
2531 	int move;
2532 	ipf_stack_t *ifs = fin->fin_ifs;
2533 
2534 	/*
2535 	 * Trigger automatic call to nat_flushtable() if the
2536 	 * table has reached capcity specified by hi watermark.
2537 	 */
2538 	if (NAT_TAB_WATER_LEVEL(ifs) > ifs->ifs_nat_flush_level_hi)
2539 		ifs->ifs_nat_doflush = 1;
2540 
2541 	/*
2542 	 * If automatic flushing did not do its job, and the table
2543 	 * has filled up, don't try to create a new entry.
2544 	 */
2545 	if (ifs->ifs_nat_stats.ns_inuse >= ifs->ifs_ipf_nattable_max) {
2546 		ifs->ifs_nat_stats.ns_memfail++;
2547 		return NULL;
2548 	}
2549 
2550 	move = 1;
2551 	nflags = np->in_flags & flags;
2552 	nflags &= NAT_FROMRULE;
2553 
2554 	ni.nai_np = np;
2555 	ni.nai_nflags = nflags;
2556 	ni.nai_flags = flags;
2557 
2558 	/* Give me a new nat */
2559 	KMALLOC(nat, nat_t *);
2560 	if (nat == NULL) {
2561 		ifs->ifs_nat_stats.ns_memfail++;
2562 		/*
2563 		 * Try to automatically tune the max # of entries in the
2564 		 * table allowed to be less than what will cause kmem_alloc()
2565 		 * to fail and try to eliminate panics due to out of memory
2566 		 * conditions arising.
2567 		 */
2568 		if (ifs->ifs_ipf_nattable_max > ifs->ifs_ipf_nattable_sz) {
2569 			ifs->ifs_ipf_nattable_max = ifs->ifs_nat_stats.ns_inuse - 100;
2570 			printf("ipf_nattable_max reduced to %d\n",
2571 				ifs->ifs_ipf_nattable_max);
2572 		}
2573 		return NULL;
2574 	}
2575 
2576 	if (flags & IPN_TCPUDP) {
2577 		tcp = fin->fin_dp;
2578 		ni.nai_sport = htons(fin->fin_sport);
2579 		ni.nai_dport = htons(fin->fin_dport);
2580 	} else if (flags & IPN_ICMPQUERY) {
2581 		/*
2582 		 * In the ICMP query NAT code, we translate the ICMP id fields
2583 		 * to make them unique. This is indepedent of the ICMP type
2584 		 * (e.g. in the unlikely event that a host sends an echo and
2585 		 * an tstamp request with the same id, both packets will have
2586 		 * their ip address/id field changed in the same way).
2587 		 */
2588 		/* The icmp_id field is used by the sender to identify the
2589 		 * process making the icmp request. (the receiver justs
2590 		 * copies it back in its response). So, it closely matches
2591 		 * the concept of source port. We overlay sport, so we can
2592 		 * maximally reuse the existing code.
2593 		 */
2594 		ni.nai_sport = ((icmphdr_t *)fin->fin_dp)->icmp_id;
2595 		ni.nai_dport = ni.nai_sport;
2596 	}
2597 
2598 	bzero((char *)nat, sizeof(*nat));
2599 	nat->nat_flags = flags;
2600 	nat->nat_redir = np->in_redir;
2601 
2602 	if ((flags & NAT_SLAVE) == 0) {
2603 		MUTEX_ENTER(&ifs->ifs_ipf_nat_new);
2604 	}
2605 
2606 	/*
2607 	 * Search the current table for a match.
2608 	 */
2609 	if (direction == NAT_OUTBOUND) {
2610 		/*
2611 		 * We can now arrange to call this for the same connection
2612 		 * because ipf_nat_new doesn't protect the code path into
2613 		 * this function.
2614 		 */
2615 		natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p,
2616 				     fin->fin_src, fin->fin_dst);
2617 		if (natl != NULL) {
2618 			KFREE(nat);
2619 			nat = natl;
2620 			goto done;
2621 		}
2622 
2623 		move = nat_newmap(fin, nat, &ni);
2624 		if (move == -1)
2625 			goto badnat;
2626 
2627 		np = ni.nai_np;
2628 	} else {
2629 		/*
2630 		 * NAT_INBOUND is used only for redirects rules
2631 		 */
2632 		natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p,
2633 				    fin->fin_src, fin->fin_dst);
2634 		if (natl != NULL) {
2635 			KFREE(nat);
2636 			nat = natl;
2637 			goto done;
2638 		}
2639 
2640 		move = nat_newrdr(fin, nat, &ni);
2641 		if (move == -1)
2642 			goto badnat;
2643 
2644 		np = ni.nai_np;
2645 	}
2646 
2647 	if ((move == 1) && (np->in_flags & IPN_ROUNDR)) {
2648 		if (np->in_redir == NAT_REDIRECT) {
2649 			nat_delrdr(np);
2650 			nat_addrdr(np, ifs);
2651 		} else if (np->in_redir == NAT_MAP) {
2652 			nat_delnat(np);
2653 			nat_addnat(np, ifs);
2654 		}
2655 	}
2656 
2657 	if (nat_finalise(fin, nat, &ni, tcp, natsave, direction) == -1) {
2658 		goto badnat;
2659 	}
2660 
2661 	nat_calc_chksum_diffs(nat);
2662 
2663 	if (flags & SI_WILDP)
2664 		ifs->ifs_nat_stats.ns_wilds++;
2665 	fin->fin_flx |= FI_NEWNAT;
2666 	goto done;
2667 badnat:
2668 	ifs->ifs_nat_stats.ns_badnat++;
2669 	if ((hm = nat->nat_hm) != NULL)
2670 		fr_hostmapdel(&hm);
2671 	KFREE(nat);
2672 	nat = NULL;
2673 done:
2674 	if ((flags & NAT_SLAVE) == 0) {
2675 		MUTEX_EXIT(&ifs->ifs_ipf_nat_new);
2676 	}
2677 	return nat;
2678 }
2679 
2680 
2681 /* ------------------------------------------------------------------------ */
2682 /* Function:    nat_finalise                                                */
2683 /* Returns:     int - 0 == sucess, -1 == failure                            */
2684 /* Parameters:  fin(I) - pointer to packet information                      */
2685 /*              nat(I) - pointer to NAT entry                               */
2686 /*              ni(I)  - pointer to structure with misc. information needed */
2687 /*                       to create new NAT entry.                           */
2688 /* Write Lock:  ipf_nat                                                     */
2689 /*                                                                          */
2690 /* This is the tail end of constructing a new NAT entry and is the same     */
2691 /* for both IPv4 and IPv6.                                                  */
2692 /* ------------------------------------------------------------------------ */
2693 /*ARGSUSED*/
2694 static INLINE int nat_finalise(fin, nat, ni, tcp, natsave, direction)
2695 fr_info_t *fin;
2696 nat_t *nat;
2697 natinfo_t *ni;
2698 tcphdr_t *tcp;
2699 nat_t **natsave;
2700 int direction;
2701 {
2702 	frentry_t *fr;
2703 	ipnat_t *np;
2704 	ipf_stack_t *ifs = fin->fin_ifs;
2705 
2706 	np = ni->nai_np;
2707 
2708 	COPYIFNAME(fin->fin_ifp, nat->nat_ifnames[0], fin->fin_v);
2709 
2710 #ifdef	IPFILTER_SYNC
2711 	if ((nat->nat_flags & SI_CLONE) == 0)
2712 		nat->nat_sync = ipfsync_new(SMC_NAT, fin, nat);
2713 #endif
2714 
2715 	nat->nat_me = natsave;
2716 	nat->nat_dir = direction;
2717 	nat->nat_ifps[0] = np->in_ifps[0];
2718 	nat->nat_ifps[1] = np->in_ifps[1];
2719 	nat->nat_ptr = np;
2720 	nat->nat_p = fin->fin_p;
2721 	nat->nat_v = fin->fin_v;
2722 	nat->nat_mssclamp = np->in_mssclamp;
2723 	fr = fin->fin_fr;
2724 	nat->nat_fr = fr;
2725 
2726 	if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
2727 		if (appr_new(fin, nat) == -1)
2728 			return -1;
2729 
2730 	if (nat_insert(nat, fin->fin_rev, ifs) == 0) {
2731 		if (ifs->ifs_nat_logging)
2732 			nat_log(nat, (u_int)np->in_redir, ifs);
2733 		np->in_use++;
2734 		if (fr != NULL) {
2735 			MUTEX_ENTER(&fr->fr_lock);
2736 			fr->fr_ref++;
2737 			MUTEX_EXIT(&fr->fr_lock);
2738 		}
2739 		return 0;
2740 	}
2741 
2742 	/*
2743 	 * nat_insert failed, so cleanup time...
2744 	 */
2745 	return -1;
2746 }
2747 
2748 
2749 /* ------------------------------------------------------------------------ */
2750 /* Function:   nat_insert                                                   */
2751 /* Returns:    int - 0 == sucess, -1 == failure                             */
2752 /* Parameters: nat(I) - pointer to NAT structure                            */
2753 /*             rev(I) - flag indicating forward/reverse direction of packet */
2754 /* Write Lock: ipf_nat                                                      */
2755 /*                                                                          */
2756 /* Insert a NAT entry into the hash tables for searching and add it to the  */
2757 /* list of active NAT entries.  Adjust global counters when complete.       */
2758 /* ------------------------------------------------------------------------ */
2759 int	nat_insert(nat, rev, ifs)
2760 nat_t	*nat;
2761 int	rev;
2762 ipf_stack_t *ifs;
2763 {
2764 	u_int hv1, hv2;
2765 	nat_t **natp;
2766 
2767 	/*
2768 	 * Try and return an error as early as possible, so calculate the hash
2769 	 * entry numbers first and then proceed.
2770 	 */
2771 	if ((nat->nat_flags & (SI_W_SPORT|SI_W_DPORT)) == 0) {
2772 		hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
2773 				  0xffffffff);
2774 		hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
2775 				  ifs->ifs_ipf_nattable_sz);
2776 		hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
2777 				  0xffffffff);
2778 		hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
2779 				  ifs->ifs_ipf_nattable_sz);
2780 	} else {
2781 		hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, 0, 0xffffffff);
2782 		hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1,
2783 				  ifs->ifs_ipf_nattable_sz);
2784 		hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, 0, 0xffffffff);
2785 		hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2,
2786 				  ifs->ifs_ipf_nattable_sz);
2787 	}
2788 
2789 	if (ifs->ifs_nat_stats.ns_bucketlen[0][hv1] >= ifs->ifs_fr_nat_maxbucket ||
2790 	    ifs->ifs_nat_stats.ns_bucketlen[1][hv2] >= ifs->ifs_fr_nat_maxbucket) {
2791 		return -1;
2792 	}
2793 
2794 	nat->nat_hv[0] = hv1;
2795 	nat->nat_hv[1] = hv2;
2796 
2797 	MUTEX_INIT(&nat->nat_lock, "nat entry lock");
2798 
2799 	nat->nat_rev = rev;
2800 	nat->nat_ref = 1;
2801 	nat->nat_bytes[0] = 0;
2802 	nat->nat_pkts[0] = 0;
2803 	nat->nat_bytes[1] = 0;
2804 	nat->nat_pkts[1] = 0;
2805 
2806 	nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0';
2807 	nat->nat_ifps[0] = fr_resolvenic(nat->nat_ifnames[0], 4, ifs);
2808 
2809 	if (nat->nat_ifnames[1][0] !='\0') {
2810 		nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
2811 		nat->nat_ifps[1] = fr_resolvenic(nat->nat_ifnames[1], 4, ifs);
2812 	} else {
2813 		(void) strncpy(nat->nat_ifnames[1], nat->nat_ifnames[0],
2814 			       LIFNAMSIZ);
2815 		nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
2816 		nat->nat_ifps[1] = nat->nat_ifps[0];
2817 	}
2818 
2819 	nat->nat_next = ifs->ifs_nat_instances;
2820 	nat->nat_pnext = &ifs->ifs_nat_instances;
2821 	if (ifs->ifs_nat_instances)
2822 		ifs->ifs_nat_instances->nat_pnext = &nat->nat_next;
2823 	ifs->ifs_nat_instances = nat;
2824 
2825 	natp = &ifs->ifs_nat_table[0][hv1];
2826 	if (*natp)
2827 		(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
2828 	nat->nat_phnext[0] = natp;
2829 	nat->nat_hnext[0] = *natp;
2830 	*natp = nat;
2831 	ifs->ifs_nat_stats.ns_bucketlen[0][hv1]++;
2832 
2833 	natp = &ifs->ifs_nat_table[1][hv2];
2834 	if (*natp)
2835 		(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
2836 	nat->nat_phnext[1] = natp;
2837 	nat->nat_hnext[1] = *natp;
2838 	*natp = nat;
2839 	ifs->ifs_nat_stats.ns_bucketlen[1][hv2]++;
2840 
2841 	fr_setnatqueue(nat, rev, ifs);
2842 
2843 	ifs->ifs_nat_stats.ns_added++;
2844 	ifs->ifs_nat_stats.ns_inuse++;
2845 	return 0;
2846 }
2847 
2848 
2849 /* ------------------------------------------------------------------------ */
2850 /* Function:    nat_icmperrorlookup                                         */
2851 /* Returns:     nat_t* - point to matching NAT structure                    */
2852 /* Parameters:  fin(I) - pointer to packet information                      */
2853 /*              dir(I) - direction of packet (in/out)                       */
2854 /*                                                                          */
2855 /* Check if the ICMP error message is related to an existing TCP, UDP or    */
2856 /* ICMP query nat entry.  It is assumed that the packet is already of the   */
2857 /* the required length.                                                     */
2858 /* ------------------------------------------------------------------------ */
2859 nat_t *nat_icmperrorlookup(fin, dir)
2860 fr_info_t *fin;
2861 int dir;
2862 {
2863 	int flags = 0, minlen;
2864 	icmphdr_t *orgicmp;
2865 	tcphdr_t *tcp = NULL;
2866 	u_short data[2];
2867 	nat_t *nat;
2868 	ip_t *oip;
2869 	u_int p;
2870 
2871 	/*
2872 	 * Does it at least have the return (basic) IP header ?
2873 	 * Only a basic IP header (no options) should be with an ICMP error
2874 	 * header.  Also, if it's not an error type, then return.
2875 	 */
2876 	if ((fin->fin_hlen != sizeof(ip_t)) || !(fin->fin_flx & FI_ICMPERR))
2877 		return NULL;
2878 
2879 	/*
2880 	 * Check packet size
2881 	 */
2882 	oip = (ip_t *)((char *)fin->fin_dp + 8);
2883 	minlen = IP_HL(oip) << 2;
2884 	if ((minlen < sizeof(ip_t)) ||
2885 	    (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen))
2886 		return NULL;
2887 	/*
2888 	 * Is the buffer big enough for all of it ?  It's the size of the IP
2889 	 * header claimed in the encapsulated part which is of concern.  It
2890 	 * may be too big to be in this buffer but not so big that it's
2891 	 * outside the ICMP packet, leading to TCP deref's causing problems.
2892 	 * This is possible because we don't know how big oip_hl is when we
2893 	 * do the pullup early in fr_check() and thus can't gaurantee it is
2894 	 * all here now.
2895 	 */
2896 #ifdef  _KERNEL
2897 	{
2898 	mb_t *m;
2899 
2900 	m = fin->fin_m;
2901 # if defined(MENTAT)
2902 	if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
2903 		return NULL;
2904 # else
2905 	if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
2906 	    (char *)fin->fin_ip + M_LEN(m))
2907 		return NULL;
2908 # endif
2909 	}
2910 #endif
2911 
2912 	if (fin->fin_daddr != oip->ip_src.s_addr)
2913 		return NULL;
2914 
2915 	p = oip->ip_p;
2916 	if (p == IPPROTO_TCP)
2917 		flags = IPN_TCP;
2918 	else if (p == IPPROTO_UDP)
2919 		flags = IPN_UDP;
2920 	else if (p == IPPROTO_ICMP) {
2921 		orgicmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2922 
2923 		/* see if this is related to an ICMP query */
2924 		if (nat_icmpquerytype4(orgicmp->icmp_type)) {
2925 			data[0] = fin->fin_data[0];
2926 			data[1] = fin->fin_data[1];
2927 			fin->fin_data[0] = 0;
2928 			fin->fin_data[1] = orgicmp->icmp_id;
2929 
2930 			flags = IPN_ICMPERR|IPN_ICMPQUERY;
2931 			/*
2932 			 * NOTE : dir refers to the direction of the original
2933 			 *        ip packet. By definition the icmp error
2934 			 *        message flows in the opposite direction.
2935 			 */
2936 			if (dir == NAT_INBOUND)
2937 				nat = nat_inlookup(fin, flags, p, oip->ip_dst,
2938 						   oip->ip_src);
2939 			else
2940 				nat = nat_outlookup(fin, flags, p, oip->ip_dst,
2941 						    oip->ip_src);
2942 			fin->fin_data[0] = data[0];
2943 			fin->fin_data[1] = data[1];
2944 			return nat;
2945 		}
2946 	}
2947 
2948 	if (flags & IPN_TCPUDP) {
2949 		minlen += 8;		/* + 64bits of data to get ports */
2950 		if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen)
2951 			return NULL;
2952 
2953 		data[0] = fin->fin_data[0];
2954 		data[1] = fin->fin_data[1];
2955 		tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2956 		fin->fin_data[0] = ntohs(tcp->th_dport);
2957 		fin->fin_data[1] = ntohs(tcp->th_sport);
2958 
2959 		if (dir == NAT_INBOUND) {
2960 			nat = nat_inlookup(fin, flags, p, oip->ip_dst,
2961 					   oip->ip_src);
2962 		} else {
2963 			nat = nat_outlookup(fin, flags, p, oip->ip_dst,
2964 					    oip->ip_src);
2965 		}
2966 		fin->fin_data[0] = data[0];
2967 		fin->fin_data[1] = data[1];
2968 		return nat;
2969 	}
2970 	if (dir == NAT_INBOUND)
2971 		return nat_inlookup(fin, 0, p, oip->ip_dst, oip->ip_src);
2972 	else
2973 		return nat_outlookup(fin, 0, p, oip->ip_dst, oip->ip_src);
2974 }
2975 
2976 
2977 /* ------------------------------------------------------------------------ */
2978 /* Function:    nat_icmperror                                               */
2979 /* Returns:     nat_t* - point to matching NAT structure                    */
2980 /* Parameters:  fin(I)    - pointer to packet information                   */
2981 /*              nflags(I) - NAT flags for this packet                       */
2982 /*              dir(I)    - direction of packet (in/out)                    */
2983 /*                                                                          */
2984 /* Fix up an ICMP packet which is an error message for an existing NAT      */
2985 /* session.  This will correct both packet header data and checksums.       */
2986 /*                                                                          */
2987 /* This should *ONLY* be used for incoming ICMP error packets to make sure  */
2988 /* a NAT'd ICMP packet gets correctly recognised.                           */
2989 /* ------------------------------------------------------------------------ */
2990 nat_t *nat_icmperror(fin, nflags, dir)
2991 fr_info_t *fin;
2992 u_int *nflags;
2993 int dir;
2994 {
2995 	u_32_t sum1, sum2, sumd, psum1, psum2, psumd, sumd2;
2996 	struct in_addr in;
2997 	icmphdr_t *icmp, *orgicmp;
2998 	int dlen;
2999 	udphdr_t *udp;
3000 	tcphdr_t *tcp;
3001 	nat_t *nat;
3002 	ip_t *oip;
3003 	if ((fin->fin_flx & (FI_SHORT|FI_FRAGBODY)))
3004 		return NULL;
3005 
3006 	/*
3007 	 * nat_icmperrorlookup() looks up nat entry associated with the
3008 	 * offending IP packet and returns pointer to the entry, or NULL
3009 	 * if packet wasn't natted or for `defective' packets.
3010 	 */
3011 
3012 	if ((fin->fin_v != 4) || !(nat = nat_icmperrorlookup(fin, dir)))
3013 		return NULL;
3014 
3015 	sumd2 = 0;
3016 	*nflags = IPN_ICMPERR;
3017 	icmp = fin->fin_dp;
3018 	oip = (ip_t *)&icmp->icmp_ip;
3019 	udp = (udphdr_t *)((((char *)oip) + (IP_HL(oip) << 2)));
3020 	tcp = (tcphdr_t *)udp;
3021 	dlen = fin->fin_plen - ((char *)udp - (char *)fin->fin_ip);
3022 
3023 	/*
3024 	 * Need to adjust ICMP header to include the real IP#'s and
3025 	 * port #'s.  There are three steps required.
3026 	 *
3027 	 * Step 1
3028 	 * Fix the IP addresses in the offending IP packet and update
3029 	 * ip header checksum to compensate for the change.
3030 	 *
3031 	 * No update needed here for icmp_cksum because the ICMP checksum
3032 	 * is calculated over the complete ICMP packet, which includes the
3033 	 * changed oip IP addresses and oip->ip_sum.  These two changes
3034 	 * cancel each other out (if the delta for the IP address is x,
3035 	 * then the delta for ip_sum is minus x).
3036 	 */
3037 
3038 	if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
3039 		sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
3040 		in = nat->nat_inip;
3041 		oip->ip_src = in;
3042 	} else {
3043 		sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
3044 		in = nat->nat_outip;
3045 		oip->ip_dst = in;
3046 	}
3047 
3048 	sum2 = LONG_SUM(ntohl(in.s_addr));
3049 	CALC_SUMD(sum1, sum2, sumd);
3050 	fix_datacksum(&oip->ip_sum, sumd);
3051 
3052 	/*
3053 	 * Step 2
3054 	 * Perform other adjustments based on protocol of offending packet.
3055 	 */
3056 
3057 	switch (oip->ip_p) {
3058 		case IPPROTO_TCP :
3059 		case IPPROTO_UDP :
3060 
3061 			/*
3062 			* For offending TCP/UDP IP packets, translate the ports
3063 			* based on the NAT specification.
3064 			*
3065 			* Advance notice : Now it becomes complicated :-)
3066 			*
3067 			* Since the port and IP addresse fields are both part
3068 			* of the TCP/UDP checksum of the offending IP packet,
3069 			* we need to adjust that checksum as well.
3070 			*
3071 			* To further complicate things, the TCP/UDP checksum
3072 			* may not be present.  We must check to see if the
3073 			* length of the data portion is big enough to hold
3074 			* the checksum.  In the UDP case, a test to determine
3075 			* if the checksum is even set is also required.
3076 			*
3077 			* Any changes to an IP address, port or checksum within
3078 			* the ICMP packet requires a change to icmp_cksum.
3079 			*
3080 			* Be extremely careful here ... The change is dependent
3081 			* upon whether or not the TCP/UPD checksum is present.
3082 			*
3083 			* If TCP/UPD checksum is present, the icmp_cksum must
3084 			* compensate for checksum modification resulting from
3085 			* IP address change only.  Port change and resulting
3086 			* data checksum adjustments cancel each other out.
3087 			*
3088 			* If TCP/UDP checksum is not present, icmp_cksum must
3089 			* compensate for port change only.  The IP address
3090 			* change does not modify anything else in this case.
3091 			*/
3092 
3093 			psum1 = 0;
3094 			psum2 = 0;
3095 			psumd = 0;
3096 
3097 			if ((tcp->th_dport == nat->nat_oport) &&
3098 			    (tcp->th_sport != nat->nat_inport)) {
3099 
3100 				/*
3101 				 * Translate the source port.
3102 				 */
3103 
3104 				psum1 = ntohs(tcp->th_sport);
3105 				psum2 = ntohs(nat->nat_inport);
3106 				tcp->th_sport = nat->nat_inport;
3107 
3108 			} else if ((tcp->th_sport == nat->nat_oport) &&
3109 				    (tcp->th_dport != nat->nat_outport)) {
3110 
3111 				/*
3112 				 * Translate the destination port.
3113 				 */
3114 
3115 				psum1 = ntohs(tcp->th_dport);
3116 				psum2 = ntohs(nat->nat_outport);
3117 				tcp->th_dport = nat->nat_outport;
3118 			}
3119 
3120 			if ((oip->ip_p == IPPROTO_TCP) && (dlen >= 18)) {
3121 
3122 				/*
3123 				 * TCP checksum present.
3124 				 *
3125 				 * Adjust data checksum and icmp checksum to
3126 				 * compensate for any IP address change.
3127 				 */
3128 
3129 				sum1 = ntohs(tcp->th_sum);
3130 				fix_datacksum(&tcp->th_sum, sumd);
3131 				sum2 = ntohs(tcp->th_sum);
3132 				sumd2 = sumd << 1;
3133 				CALC_SUMD(sum1, sum2, sumd);
3134 				sumd2 += sumd;
3135 
3136 				/*
3137 				 * Also make data checksum adjustment to
3138 				 * compensate for any port change.
3139 				 */
3140 
3141 				if (psum1 != psum2) {
3142 					CALC_SUMD(psum1, psum2, psumd);
3143 					fix_datacksum(&tcp->th_sum, psumd);
3144 				}
3145 
3146 			} else if ((oip->ip_p == IPPROTO_UDP) &&
3147 				   (dlen >= 8) && (udp->uh_sum != 0)) {
3148 
3149 				/*
3150 				 * The UDP checksum is present and set.
3151 				 *
3152 				 * Adjust data checksum and icmp checksum to
3153 				 * compensate for any IP address change.
3154 				 */
3155 
3156 				sum1 = ntohs(udp->uh_sum);
3157 				fix_datacksum(&udp->uh_sum, sumd);
3158 				sum2 = ntohs(udp->uh_sum);
3159 				sumd2 = sumd << 1;
3160 				CALC_SUMD(sum1, sum2, sumd);
3161 				sumd2 += sumd;
3162 
3163 				/*
3164 				 * Also make data checksum adjustment to
3165 				 * compensate for any port change.
3166 				 */
3167 
3168 				if (psum1 != psum2) {
3169 					CALC_SUMD(psum1, psum2, psumd);
3170 					fix_datacksum(&udp->uh_sum, psumd);
3171 				}
3172 
3173 			} else {
3174 
3175 				/*
3176 				 * Data checksum was not present.
3177 				 *
3178 				 * Compensate for any port change.
3179 				 */
3180 
3181 				CALC_SUMD(psum2, psum1, psumd);
3182 				sumd2 += psumd;
3183 			}
3184 			break;
3185 
3186 		case IPPROTO_ICMP :
3187 
3188 			orgicmp = (icmphdr_t *)udp;
3189 
3190 			if ((nat->nat_dir == NAT_OUTBOUND) &&
3191 			    (orgicmp->icmp_id != nat->nat_inport) &&
3192 			    (dlen >= 8)) {
3193 
3194 				/*
3195 				 * Fix ICMP checksum (of the offening ICMP
3196 				 * query packet) to compensate the change
3197 				 * in the ICMP id of the offending ICMP
3198 				 * packet.
3199 				 *
3200 				 * Since you modify orgicmp->icmp_id with
3201 				 * a delta (say x) and you compensate that
3202 				 * in origicmp->icmp_cksum with a delta
3203 				 * minus x, you don't have to adjust the
3204 				 * overall icmp->icmp_cksum
3205 				 */
3206 
3207 				sum1 = ntohs(orgicmp->icmp_id);
3208 				sum2 = ntohs(nat->nat_inport);
3209 				CALC_SUMD(sum1, sum2, sumd);
3210 				orgicmp->icmp_id = nat->nat_inport;
3211 				fix_datacksum(&orgicmp->icmp_cksum, sumd);
3212 
3213 			} /* nat_dir can't be NAT_INBOUND for icmp queries */
3214 
3215 			break;
3216 
3217 		default :
3218 
3219 			break;
3220 
3221 	} /* switch (oip->ip_p) */
3222 
3223 	/*
3224 	 * Step 3
3225 	 * Make the adjustments to icmp checksum.
3226 	 */
3227 
3228 	if (sumd2 != 0) {
3229 		sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
3230 		sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
3231 		fix_incksum(&icmp->icmp_cksum, sumd2);
3232 	}
3233 	return nat;
3234 }
3235 
3236 
3237 /*
3238  * NB: these lookups don't lock access to the list, it assumed that it has
3239  * already been done!
3240  */
3241 
3242 /* ------------------------------------------------------------------------ */
3243 /* Function:    nat_inlookup                                                */
3244 /* Returns:     nat_t* - NULL == no match,                                  */
3245 /*                       else pointer to matching NAT entry                 */
3246 /* Parameters:  fin(I)    - pointer to packet information                   */
3247 /*              flags(I)  - NAT flags for this packet                       */
3248 /*              p(I)      - protocol for this packet                        */
3249 /*              src(I)    - source IP address                               */
3250 /*              mapdst(I) - destination IP address                          */
3251 /*                                                                          */
3252 /* Lookup a nat entry based on the mapped destination ip address/port and   */
3253 /* real source address/port.  We use this lookup when receiving a packet,   */
3254 /* we're looking for a table entry, based on the destination address.       */
3255 /*                                                                          */
3256 /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.         */
3257 /*                                                                          */
3258 /* NOTE: IT IS ASSUMED THAT ipf_nat IS ONLY HELD WITH A READ LOCK WHEN      */
3259 /*       THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags.             */
3260 /*                                                                          */
3261 /* flags   -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if   */
3262 /*            the packet is of said protocol                                */
3263 /* ------------------------------------------------------------------------ */
3264 nat_t *nat_inlookup(fin, flags, p, src, mapdst)
3265 fr_info_t *fin;
3266 u_int flags, p;
3267 struct in_addr src , mapdst;
3268 {
3269 	u_short sport, dport;
3270 	ipnat_t *ipn;
3271 	u_int sflags;
3272 	nat_t *nat;
3273 	int nflags;
3274 	u_32_t dst;
3275 	void *ifp;
3276 	u_int hv;
3277 	ipf_stack_t *ifs = fin->fin_ifs;
3278 
3279 	if (fin != NULL)
3280 		ifp = fin->fin_ifp;
3281 	else
3282 		ifp = NULL;
3283 	sport = 0;
3284 	dport = 0;
3285 	dst = mapdst.s_addr;
3286 	sflags = flags & NAT_TCPUDPICMP;
3287 
3288 	switch (p)
3289 	{
3290 	case IPPROTO_TCP :
3291 	case IPPROTO_UDP :
3292 		sport = htons(fin->fin_data[0]);
3293 		dport = htons(fin->fin_data[1]);
3294 		break;
3295 	case IPPROTO_ICMP :
3296 		if (flags & IPN_ICMPERR)
3297 			sport = fin->fin_data[1];
3298 		else
3299 			dport = fin->fin_data[1];
3300 		break;
3301 	default :
3302 		break;
3303 	}
3304 
3305 
3306 	if ((flags & SI_WILDP) != 0)
3307 		goto find_in_wild_ports;
3308 
3309 	hv = NAT_HASH_FN(dst, dport, 0xffffffff);
3310 	hv = NAT_HASH_FN(src.s_addr, hv + sport, ifs->ifs_ipf_nattable_sz);
3311 	nat = ifs->ifs_nat_table[1][hv];
3312 	for (; nat; nat = nat->nat_hnext[1]) {
3313 		if (nat->nat_v != 4)
3314 			continue;
3315 
3316 		if (nat->nat_ifps[0] != NULL) {
3317 			if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
3318 				continue;
3319 		} else if (ifp != NULL)
3320 			nat->nat_ifps[0] = ifp;
3321 
3322 		nflags = nat->nat_flags;
3323 
3324 		if (nat->nat_oip.s_addr == src.s_addr &&
3325 		    nat->nat_outip.s_addr == dst &&
3326 		    (((p == 0) &&
3327 		      (sflags == (nat->nat_flags & IPN_TCPUDPICMP)))
3328 		     || (p == nat->nat_p))) {
3329 			switch (p)
3330 			{
3331 #if 0
3332 			case IPPROTO_GRE :
3333 				if (nat->nat_call[1] != fin->fin_data[0])
3334 					continue;
3335 				break;
3336 #endif
3337 			case IPPROTO_ICMP :
3338 				if ((flags & IPN_ICMPERR) != 0) {
3339 					if (nat->nat_outport != sport)
3340 						continue;
3341 				} else {
3342 					if (nat->nat_outport != dport)
3343 						continue;
3344 				}
3345 				break;
3346 			case IPPROTO_TCP :
3347 			case IPPROTO_UDP :
3348 				if (nat->nat_oport != sport)
3349 					continue;
3350 				if (nat->nat_outport != dport)
3351 					continue;
3352 				break;
3353 			default :
3354 				break;
3355 			}
3356 
3357 			ipn = nat->nat_ptr;
3358 			if ((ipn != NULL) && (nat->nat_aps != NULL))
3359 				if (appr_match(fin, nat) != 0)
3360 					continue;
3361 			return nat;
3362 		}
3363 	}
3364 
3365 	/*
3366 	 * So if we didn't find it but there are wildcard members in the hash
3367 	 * table, go back and look for them.  We do this search and update here
3368 	 * because it is modifying the NAT table and we want to do this only
3369 	 * for the first packet that matches.  The exception, of course, is
3370 	 * for "dummy" (FI_IGNORE) lookups.
3371 	 */
3372 find_in_wild_ports:
3373 	if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH))
3374 		return NULL;
3375 	if (ifs->ifs_nat_stats.ns_wilds == 0)
3376 		return NULL;
3377 
3378 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
3379 
3380 	hv = NAT_HASH_FN(dst, 0, 0xffffffff);
3381 	hv = NAT_HASH_FN(src.s_addr, hv, ifs->ifs_ipf_nattable_sz);
3382 
3383 	WRITE_ENTER(&ifs->ifs_ipf_nat);
3384 
3385 	nat = ifs->ifs_nat_table[1][hv];
3386 	for (; nat; nat = nat->nat_hnext[1]) {
3387 		if (nat->nat_v != 4)
3388 			continue;
3389 
3390 		if (nat->nat_ifps[0] != NULL) {
3391 			if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
3392 				continue;
3393 		} else if (ifp != NULL)
3394 			nat->nat_ifps[0] = ifp;
3395 
3396 		if (nat->nat_p != fin->fin_p)
3397 			continue;
3398 		if (nat->nat_oip.s_addr != src.s_addr ||
3399 		    nat->nat_outip.s_addr != dst)
3400 			continue;
3401 
3402 		nflags = nat->nat_flags;
3403 		if (!(nflags & (NAT_TCPUDP|SI_WILDP)))
3404 			continue;
3405 
3406 		if (nat_wildok(nat, (int)sport, (int)dport, nflags,
3407 			       NAT_INBOUND) == 1) {
3408 			if ((fin->fin_flx & FI_IGNORE) != 0)
3409 				break;
3410 			if ((nflags & SI_CLONE) != 0) {
3411 				nat = fr_natclone(fin, nat);
3412 				if (nat == NULL)
3413 					break;
3414 			} else {
3415 				MUTEX_ENTER(&ifs->ifs_ipf_nat_new);
3416 				ifs->ifs_nat_stats.ns_wilds--;
3417 				MUTEX_EXIT(&ifs->ifs_ipf_nat_new);
3418 			}
3419 			nat->nat_oport = sport;
3420 			nat->nat_outport = dport;
3421 			nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
3422 			nat_tabmove(nat, ifs);
3423 			break;
3424 		}
3425 	}
3426 
3427 	MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
3428 
3429 	return nat;
3430 }
3431 
3432 
3433 /* ------------------------------------------------------------------------ */
3434 /* Function:    nat_tabmove                                                 */
3435 /* Returns:     Nil                                                         */
3436 /* Parameters:  nat(I) - pointer to NAT structure                           */
3437 /* Write Lock:  ipf_nat                                                     */
3438 /*                                                                          */
3439 /* This function is only called for TCP/UDP NAT table entries where the     */
3440 /* original was placed in the table without hashing on the ports and we now */
3441 /* want to include hashing on port numbers.                                 */
3442 /* ------------------------------------------------------------------------ */
3443 static void nat_tabmove(nat, ifs)
3444 nat_t *nat;
3445 ipf_stack_t *ifs;
3446 {
3447 	nat_t **natp;
3448 	u_int hv;
3449 
3450 	if (nat->nat_flags & SI_CLONE)
3451 		return;
3452 
3453 	/*
3454 	 * Remove the NAT entry from the old location
3455 	 */
3456 	if (nat->nat_hnext[0])
3457 		nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
3458 	*nat->nat_phnext[0] = nat->nat_hnext[0];
3459 	ifs->ifs_nat_stats.ns_bucketlen[0][nat->nat_hv[0]]--;
3460 
3461 	if (nat->nat_hnext[1])
3462 		nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
3463 	*nat->nat_phnext[1] = nat->nat_hnext[1];
3464 	ifs->ifs_nat_stats.ns_bucketlen[1][nat->nat_hv[1]]--;
3465 
3466 	/*
3467 	 * Add into the NAT table in the new position
3468 	 */
3469 	hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, 0xffffffff);
3470 	hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + nat->nat_oport,
3471 			 ifs->ifs_ipf_nattable_sz);
3472 	nat->nat_hv[0] = hv;
3473 	natp = &ifs->ifs_nat_table[0][hv];
3474 	if (*natp)
3475 		(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
3476 	nat->nat_phnext[0] = natp;
3477 	nat->nat_hnext[0] = *natp;
3478 	*natp = nat;
3479 	ifs->ifs_nat_stats.ns_bucketlen[0][hv]++;
3480 
3481 	hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, 0xffffffff);
3482 	hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + nat->nat_oport,
3483 			 ifs->ifs_ipf_nattable_sz);
3484 	nat->nat_hv[1] = hv;
3485 	natp = &ifs->ifs_nat_table[1][hv];
3486 	if (*natp)
3487 		(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
3488 	nat->nat_phnext[1] = natp;
3489 	nat->nat_hnext[1] = *natp;
3490 	*natp = nat;
3491 	ifs->ifs_nat_stats.ns_bucketlen[1][hv]++;
3492 }
3493 
3494 
3495 /* ------------------------------------------------------------------------ */
3496 /* Function:    nat_outlookup                                               */
3497 /* Returns:     nat_t* - NULL == no match,                                  */
3498 /*                       else pointer to matching NAT entry                 */
3499 /* Parameters:  fin(I)   - pointer to packet information                    */
3500 /*              flags(I) - NAT flags for this packet                        */
3501 /*              p(I)     - protocol for this packet                         */
3502 /*              src(I)   - source IP address                                */
3503 /*              dst(I)   - destination IP address                           */
3504 /*              rw(I)    - 1 == write lock on ipf_nat held, 0 == read lock. */
3505 /*                                                                          */
3506 /* Lookup a nat entry based on the source 'real' ip address/port and        */
3507 /* destination address/port.  We use this lookup when sending a packet out, */
3508 /* we're looking for a table entry, based on the source address.            */
3509 /*                                                                          */
3510 /* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.         */
3511 /*                                                                          */
3512 /* NOTE: IT IS ASSUMED THAT ipf_nat IS ONLY HELD WITH A READ LOCK WHEN      */
3513 /*       THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags.             */
3514 /*                                                                          */
3515 /* flags   -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if   */
3516 /*            the packet is of said protocol                                */
3517 /* ------------------------------------------------------------------------ */
3518 nat_t *nat_outlookup(fin, flags, p, src, dst)
3519 fr_info_t *fin;
3520 u_int flags, p;
3521 struct in_addr src , dst;
3522 {
3523 	u_short sport, dport;
3524 	u_int sflags;
3525 	ipnat_t *ipn;
3526 	u_32_t srcip;
3527 	nat_t *nat;
3528 	int nflags;
3529 	void *ifp;
3530 	u_int hv;
3531 	ipf_stack_t *ifs = fin->fin_ifs;
3532 
3533 	ifp = fin->fin_ifp;
3534 
3535 	srcip = src.s_addr;
3536 	sflags = flags & IPN_TCPUDPICMP;
3537 	sport = 0;
3538 	dport = 0;
3539 
3540 	switch (p)
3541 	{
3542 	case IPPROTO_TCP :
3543 	case IPPROTO_UDP :
3544 		sport = htons(fin->fin_data[0]);
3545 		dport = htons(fin->fin_data[1]);
3546 		break;
3547 	case IPPROTO_ICMP :
3548 		if (flags & IPN_ICMPERR)
3549 			sport = fin->fin_data[1];
3550 		else
3551 			dport = fin->fin_data[1];
3552 		break;
3553 	default :
3554 		break;
3555 	}
3556 
3557 	if ((flags & SI_WILDP) != 0)
3558 		goto find_out_wild_ports;
3559 
3560 	hv = NAT_HASH_FN(srcip, sport, 0xffffffff);
3561 	hv = NAT_HASH_FN(dst.s_addr, hv + dport, ifs->ifs_ipf_nattable_sz);
3562 	nat = ifs->ifs_nat_table[0][hv];
3563 	for (; nat; nat = nat->nat_hnext[0]) {
3564 		if (nat->nat_v != 4)
3565 			continue;
3566 
3567 		if (nat->nat_ifps[1] != NULL) {
3568 			if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
3569 				continue;
3570 		} else if (ifp != NULL)
3571 			nat->nat_ifps[1] = ifp;
3572 
3573 		nflags = nat->nat_flags;
3574 
3575 		if (nat->nat_inip.s_addr == srcip &&
3576 		    nat->nat_oip.s_addr == dst.s_addr &&
3577 		    (((p == 0) && (sflags == (nflags & NAT_TCPUDPICMP)))
3578 		     || (p == nat->nat_p))) {
3579 			switch (p)
3580 			{
3581 #if 0
3582 			case IPPROTO_GRE :
3583 				if (nat->nat_call[1] != fin->fin_data[0])
3584 					continue;
3585 				break;
3586 #endif
3587 			case IPPROTO_TCP :
3588 			case IPPROTO_UDP :
3589 				if (nat->nat_oport != dport)
3590 					continue;
3591 				if (nat->nat_inport != sport)
3592 					continue;
3593 				break;
3594 			default :
3595 				break;
3596 			}
3597 
3598 			ipn = nat->nat_ptr;
3599 			if ((ipn != NULL) && (nat->nat_aps != NULL))
3600 				if (appr_match(fin, nat) != 0)
3601 					continue;
3602 			return nat;
3603 		}
3604 	}
3605 
3606 	/*
3607 	 * So if we didn't find it but there are wildcard members in the hash
3608 	 * table, go back and look for them.  We do this search and update here
3609 	 * because it is modifying the NAT table and we want to do this only
3610 	 * for the first packet that matches.  The exception, of course, is
3611 	 * for "dummy" (FI_IGNORE) lookups.
3612 	 */
3613 find_out_wild_ports:
3614 	if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH))
3615 		return NULL;
3616 	if (ifs->ifs_nat_stats.ns_wilds == 0)
3617 		return NULL;
3618 
3619 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
3620 
3621 	hv = NAT_HASH_FN(srcip, 0, 0xffffffff);
3622 	hv = NAT_HASH_FN(dst.s_addr, hv, ifs->ifs_ipf_nattable_sz);
3623 
3624 	WRITE_ENTER(&ifs->ifs_ipf_nat);
3625 
3626 	nat = ifs->ifs_nat_table[0][hv];
3627 	for (; nat; nat = nat->nat_hnext[0]) {
3628 		if (nat->nat_v != 4)
3629 			continue;
3630 
3631 		if (nat->nat_ifps[1] != NULL) {
3632 			if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
3633 				continue;
3634 		} else if (ifp != NULL)
3635 			nat->nat_ifps[1] = ifp;
3636 
3637 		if (nat->nat_p != fin->fin_p)
3638 			continue;
3639 		if ((nat->nat_inip.s_addr != srcip) ||
3640 		    (nat->nat_oip.s_addr != dst.s_addr))
3641 			continue;
3642 
3643 		nflags = nat->nat_flags;
3644 		if (!(nflags & (NAT_TCPUDP|SI_WILDP)))
3645 			continue;
3646 
3647 		if (nat_wildok(nat, (int)sport, (int)dport, nflags,
3648 			       NAT_OUTBOUND) == 1) {
3649 			if ((fin->fin_flx & FI_IGNORE) != 0)
3650 				break;
3651 			if ((nflags & SI_CLONE) != 0) {
3652 				nat = fr_natclone(fin, nat);
3653 				if (nat == NULL)
3654 					break;
3655 			} else {
3656 				MUTEX_ENTER(&ifs->ifs_ipf_nat_new);
3657 				ifs->ifs_nat_stats.ns_wilds--;
3658 				MUTEX_EXIT(&ifs->ifs_ipf_nat_new);
3659 			}
3660 			nat->nat_inport = sport;
3661 			nat->nat_oport = dport;
3662 			if (nat->nat_outport == 0)
3663 				nat->nat_outport = sport;
3664 			nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
3665 			nat_tabmove(nat, ifs);
3666 			break;
3667 		}
3668 	}
3669 
3670 	MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
3671 
3672 	return nat;
3673 }
3674 
3675 
3676 /* ------------------------------------------------------------------------ */
3677 /* Function:    nat_lookupredir                                             */
3678 /* Returns:     nat_t* - NULL == no match,                                  */
3679 /*                       else pointer to matching NAT entry                 */
3680 /* Parameters:  np(I) - pointer to description of packet to find NAT table  */
3681 /*                      entry for.                                          */
3682 /*                                                                          */
3683 /* Lookup the NAT tables to search for a matching redirect                  */
3684 /* ------------------------------------------------------------------------ */
3685 nat_t *nat_lookupredir(np, ifs)
3686 natlookup_t *np;
3687 ipf_stack_t *ifs;
3688 {
3689 	fr_info_t fi;
3690 	nat_t *nat;
3691 
3692 	bzero((char *)&fi, sizeof(fi));
3693 	if (np->nl_flags & IPN_IN) {
3694 		fi.fin_data[0] = ntohs(np->nl_realport);
3695 		fi.fin_data[1] = ntohs(np->nl_outport);
3696 	} else {
3697 		fi.fin_data[0] = ntohs(np->nl_inport);
3698 		fi.fin_data[1] = ntohs(np->nl_outport);
3699 	}
3700 	if (np->nl_flags & IPN_TCP)
3701 		fi.fin_p = IPPROTO_TCP;
3702 	else if (np->nl_flags & IPN_UDP)
3703 		fi.fin_p = IPPROTO_UDP;
3704 	else if (np->nl_flags & (IPN_ICMPERR|IPN_ICMPQUERY))
3705 		fi.fin_p = IPPROTO_ICMP;
3706 
3707 	fi.fin_ifs = ifs;
3708 	/*
3709 	 * We can do two sorts of lookups:
3710 	 * - IPN_IN: we have the `real' and `out' address, look for `in'.
3711 	 * - default: we have the `in' and `out' address, look for `real'.
3712 	 */
3713 	if (np->nl_flags & IPN_IN) {
3714 		if ((nat = nat_inlookup(&fi, np->nl_flags, fi.fin_p,
3715 					np->nl_realip, np->nl_outip))) {
3716 			np->nl_inip = nat->nat_inip;
3717 			np->nl_inport = nat->nat_inport;
3718 		}
3719 	} else {
3720 		/*
3721 		 * If nl_inip is non null, this is a lookup based on the real
3722 		 * ip address. Else, we use the fake.
3723 		 */
3724 		if ((nat = nat_outlookup(&fi, np->nl_flags, fi.fin_p,
3725 					 np->nl_inip, np->nl_outip))) {
3726 
3727 			if ((np->nl_flags & IPN_FINDFORWARD) != 0) {
3728 				fr_info_t fin;
3729 				bzero((char *)&fin, sizeof(fin));
3730 				fin.fin_p = nat->nat_p;
3731 				fin.fin_data[0] = ntohs(nat->nat_outport);
3732 				fin.fin_data[1] = ntohs(nat->nat_oport);
3733 				fin.fin_ifs = ifs;
3734 				if (nat_inlookup(&fin, np->nl_flags, fin.fin_p,
3735 						 nat->nat_outip,
3736 						 nat->nat_oip) != NULL) {
3737 					np->nl_flags &= ~IPN_FINDFORWARD;
3738 				}
3739 			}
3740 
3741 			np->nl_realip = nat->nat_outip;
3742 			np->nl_realport = nat->nat_outport;
3743 		}
3744  	}
3745 
3746 	return nat;
3747 }
3748 
3749 
3750 /* ------------------------------------------------------------------------ */
3751 /* Function:    nat_match                                                   */
3752 /* Returns:     int - 0 == no match, 1 == match                             */
3753 /* Parameters:  fin(I)   - pointer to packet information                    */
3754 /*              np(I)    - pointer to NAT rule                              */
3755 /*                                                                          */
3756 /* Pull the matching of a packet against a NAT rule out of that complex     */
3757 /* loop inside fr_checknatin() and lay it out properly in its own function. */
3758 /* ------------------------------------------------------------------------ */
3759 static int nat_match(fin, np)
3760 fr_info_t *fin;
3761 ipnat_t *np;
3762 {
3763 	frtuc_t *ft;
3764 
3765 	if (fin->fin_v != 4)
3766 		return 0;
3767 
3768 	if (np->in_p && fin->fin_p != np->in_p)
3769 		return 0;
3770 
3771 	if (fin->fin_out) {
3772 		if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
3773 			return 0;
3774 		if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
3775 		    ^ ((np->in_flags & IPN_NOTSRC) != 0))
3776 			return 0;
3777 		if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
3778 		    ^ ((np->in_flags & IPN_NOTDST) != 0))
3779 			return 0;
3780 	} else {
3781 		if (!(np->in_redir & NAT_REDIRECT))
3782 			return 0;
3783 		if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
3784 		    ^ ((np->in_flags & IPN_NOTSRC) != 0))
3785 			return 0;
3786 		if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
3787 		    ^ ((np->in_flags & IPN_NOTDST) != 0))
3788 			return 0;
3789 	}
3790 
3791 	ft = &np->in_tuc;
3792 	if (!(fin->fin_flx & FI_TCPUDP) ||
3793 	    (fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) {
3794 		if (ft->ftu_scmp || ft->ftu_dcmp)
3795 			return 0;
3796 		return 1;
3797 	}
3798 
3799 	return fr_tcpudpchk(fin, ft);
3800 }
3801 
3802 
3803 /* ------------------------------------------------------------------------ */
3804 /* Function:    nat_update                                                  */
3805 /* Returns:     Nil                                                         */
3806 /* Parameters:	fin(I) - pointer to packet information			    */
3807 /*		nat(I) - pointer to NAT structure			    */
3808 /*              np(I)     - pointer to NAT rule                             */
3809 /* Locks:	nat_lock						    */
3810 /*                                                                          */
3811 /* Updates the lifetime of a NAT table entry for non-TCP packets.  Must be  */
3812 /* called with fin_rev updated - i.e. after calling nat_proto().            */
3813 /* ------------------------------------------------------------------------ */
3814 void nat_update(fin, nat, np)
3815 fr_info_t *fin;
3816 nat_t *nat;
3817 ipnat_t *np;
3818 {
3819 	ipftq_t *ifq, *ifq2;
3820 	ipftqent_t *tqe;
3821 	ipf_stack_t *ifs = fin->fin_ifs;
3822 
3823 	tqe = &nat->nat_tqe;
3824 	ifq = tqe->tqe_ifq;
3825 
3826 	/*
3827 	 * We allow over-riding of NAT timeouts from NAT rules, even for
3828 	 * TCP, however, if it is TCP and there is no rule timeout set,
3829 	 * then do not update the timeout here.
3830 	 */
3831 	if (np != NULL)
3832 		ifq2 = np->in_tqehead[fin->fin_rev];
3833 	else
3834 		ifq2 = NULL;
3835 
3836 	if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
3837 		(void) fr_tcp_age(&nat->nat_tqe, fin, ifs->ifs_nat_tqb, 0);
3838 	} else {
3839 		if (ifq2 == NULL) {
3840 			if (nat->nat_p == IPPROTO_UDP)
3841 				ifq2 = &ifs->ifs_nat_udptq;
3842 			else if (nat->nat_p == IPPROTO_ICMP)
3843 				ifq2 = &ifs->ifs_nat_icmptq;
3844 			else
3845 				ifq2 = &ifs->ifs_nat_iptq;
3846 		}
3847 
3848 		fr_movequeue(tqe, ifq, ifq2, ifs);
3849 	}
3850 }
3851 
3852 
3853 /* ------------------------------------------------------------------------ */
3854 /* Function:    fr_checknatout                                              */
3855 /* Returns:     int - -1 == packet failed NAT checks so block it,           */
3856 /*                     0 == no packet translation occurred,                 */
3857 /*                     1 == packet was successfully translated.             */
3858 /* Parameters:  fin(I)   - pointer to packet information                    */
3859 /*              passp(I) - pointer to filtering result flags                */
3860 /*                                                                          */
3861 /* Check to see if an outcoming packet should be changed.  ICMP packets are */
3862 /* first checked to see if they match an existing entry (if an error),      */
3863 /* otherwise a search of the current NAT table is made.  If neither results */
3864 /* in a match then a search for a matching NAT rule is made.  Create a new  */
3865 /* NAT entry if a we matched a NAT rule.  Lastly, actually change the       */
3866 /* packet header(s) as required.                                            */
3867 /* ------------------------------------------------------------------------ */
3868 int fr_checknatout(fin, passp)
3869 fr_info_t *fin;
3870 u_32_t *passp;
3871 {
3872 	ipnat_t *np = NULL, *npnext;
3873 	struct ifnet *ifp, *sifp;
3874 	icmphdr_t *icmp = NULL;
3875 	tcphdr_t *tcp = NULL;
3876 	int rval, natfailed;
3877 	u_int nflags = 0;
3878 	u_32_t ipa, iph;
3879 	int natadd = 1;
3880 	frentry_t *fr;
3881 	nat_t *nat;
3882 	ipf_stack_t *ifs = fin->fin_ifs;
3883 
3884 	if (ifs->ifs_fr_nat_lock != 0)
3885 		return 0;
3886 	if (ifs->ifs_nat_stats.ns_rules == 0 && ifs->ifs_nat_instances == NULL)
3887 		return 0;
3888 
3889 	natfailed = 0;
3890 	fr = fin->fin_fr;
3891 	sifp = fin->fin_ifp;
3892 	if ((fr != NULL) && !(fr->fr_flags & FR_DUP) &&
3893 	    fr->fr_tifs[fin->fin_rev].fd_ifp &&
3894 	    fr->fr_tifs[fin->fin_rev].fd_ifp != (void *)-1)
3895 		fin->fin_ifp = fr->fr_tifs[fin->fin_rev].fd_ifp;
3896 	ifp = fin->fin_ifp;
3897 
3898 	if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
3899 		switch (fin->fin_p)
3900 		{
3901 		case IPPROTO_TCP :
3902 			nflags = IPN_TCP;
3903 			break;
3904 		case IPPROTO_UDP :
3905 			nflags = IPN_UDP;
3906 			break;
3907 		case IPPROTO_ICMP :
3908 			icmp = fin->fin_dp;
3909 
3910 			/*
3911 			 * This is an incoming packet, so the destination is
3912 			 * the icmp_id and the source port equals 0
3913 			 */
3914 			if (nat_icmpquerytype4(icmp->icmp_type))
3915 				nflags = IPN_ICMPQUERY;
3916 			break;
3917 		default :
3918 			break;
3919 		}
3920 
3921 		if ((nflags & IPN_TCPUDP))
3922 			tcp = fin->fin_dp;
3923 	}
3924 
3925 	ipa = fin->fin_saddr;
3926 
3927 	READ_ENTER(&ifs->ifs_ipf_nat);
3928 
3929 	if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
3930 	    (nat = nat_icmperror(fin, &nflags, NAT_OUTBOUND)))
3931 		/*EMPTY*/;
3932 	else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
3933 		natadd = 0;
3934 	else if ((nat = nat_outlookup(fin, nflags|NAT_SEARCH, (u_int)fin->fin_p,
3935 				      fin->fin_src, fin->fin_dst))) {
3936 		nflags = nat->nat_flags;
3937 	} else {
3938 		u_32_t hv, msk, nmsk;
3939 
3940 		/*
3941 		 * There is no current entry in the nat table for this packet.
3942 		 *
3943 		 * If the packet is a fragment, but not the first fragment,
3944 		 * then don't do anything.  Otherwise, if there is a matching
3945 		 * nat rule, try to create a new nat entry.
3946 		 */
3947 		if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))
3948 			goto nonatfrag;
3949 
3950 		msk = 0xffffffff;
3951 		nmsk = ifs->ifs_nat_masks;
3952 maskloop:
3953 		iph = ipa & htonl(msk);
3954 		hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_natrules_sz);
3955 		for (np = ifs->ifs_nat_rules[hv]; np; np = npnext) {
3956 			npnext = np->in_mnext;
3957 			if ((np->in_ifps[1] && (np->in_ifps[1] != ifp)))
3958 				continue;
3959 			if (np->in_v != fin->fin_v)
3960 				continue;
3961 			if (np->in_p && (np->in_p != fin->fin_p))
3962 				continue;
3963 			if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
3964 				continue;
3965 			if (np->in_flags & IPN_FILTER) {
3966 				if (!nat_match(fin, np))
3967 					continue;
3968 			} else if ((ipa & np->in_inmsk) != np->in_inip)
3969 				continue;
3970 
3971 			if ((fr != NULL) &&
3972 			    !fr_matchtag(&np->in_tag, &fr->fr_nattag))
3973 				continue;
3974 
3975 			if (*np->in_plabel != '\0') {
3976 				if (((np->in_flags & IPN_FILTER) == 0) &&
3977 				    (np->in_dport != tcp->th_dport))
3978 					continue;
3979 				if (appr_ok(fin, tcp, np) == 0)
3980 					continue;
3981 			}
3982 
3983 			ATOMIC_INC32(np->in_use);
3984 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
3985 			WRITE_ENTER(&ifs->ifs_ipf_nat);
3986 			nat = nat_new(fin, np, NULL, nflags, NAT_OUTBOUND);
3987 			if (nat != NULL) {
3988 				np->in_use--;
3989 				np->in_hits++;
3990 				MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
3991 				break;
3992 			}
3993 			natfailed = -1;
3994 			npnext = np->in_mnext;
3995 			fr_ipnatderef(&np, ifs);
3996 			MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
3997 		}
3998 		if ((np == NULL) && (nmsk != 0)) {
3999 			while (nmsk) {
4000 				msk <<= 1;
4001 				if (nmsk & 0x80000000)
4002 					break;
4003 				nmsk <<= 1;
4004 			}
4005 			if (nmsk != 0) {
4006 				nmsk <<= 1;
4007 				goto maskloop;
4008 			}
4009 		}
4010 	}
4011 
4012 nonatfrag:
4013 	if (nat != NULL) {
4014 		rval = fr_natout(fin, nat, natadd, nflags);
4015 		if (rval == 1) {
4016 			MUTEX_ENTER(&nat->nat_lock);
4017 			nat_update(fin, nat, nat->nat_ptr);
4018 			nat->nat_bytes[1] += fin->fin_plen;
4019 			nat->nat_pkts[1]++;
4020 			fin->fin_pktnum = nat->nat_pkts[1];
4021 			MUTEX_EXIT(&nat->nat_lock);
4022 		}
4023 	} else
4024 		rval = natfailed;
4025 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4026 
4027 	if (rval == -1) {
4028 		if (passp != NULL)
4029 			*passp = FR_BLOCK;
4030 		fin->fin_flx |= FI_BADNAT;
4031 	}
4032 	fin->fin_ifp = sifp;
4033 	return rval;
4034 }
4035 
4036 /* ------------------------------------------------------------------------ */
4037 /* Function:    fr_natout                                                   */
4038 /* Returns:     int - -1 == packet failed NAT checks so block it,           */
4039 /*                     1 == packet was successfully translated.             */
4040 /* Parameters:  fin(I)    - pointer to packet information                   */
4041 /*              nat(I)    - pointer to NAT structure                        */
4042 /*              natadd(I) - flag indicating if it is safe to add frag cache */
4043 /*              nflags(I) - NAT flags set for this packet                   */
4044 /*                                                                          */
4045 /* Translate a packet coming "out" on an interface.                         */
4046 /* ------------------------------------------------------------------------ */
4047 int fr_natout(fin, nat, natadd, nflags)
4048 fr_info_t *fin;
4049 nat_t *nat;
4050 int natadd;
4051 u_32_t nflags;
4052 {
4053 	icmphdr_t *icmp;
4054 	u_short *csump;
4055 	u_32_t sumd;
4056 	tcphdr_t *tcp;
4057 	ipnat_t *np;
4058 	int i;
4059 	ipf_stack_t *ifs = fin->fin_ifs;
4060 
4061 	if (fin->fin_v == 6) {
4062 #ifdef	USE_INET6
4063 		return fr_nat6out(fin, nat, natadd, nflags);
4064 #else
4065 		return NULL;
4066 #endif
4067 	}
4068 
4069 #if defined(SOLARIS) && defined(_KERNEL)
4070 	net_handle_t net_data_p = ifs->ifs_ipf_ipv4;
4071 #endif
4072 
4073 	tcp = NULL;
4074 	icmp = NULL;
4075 	csump = NULL;
4076 	np = nat->nat_ptr;
4077 
4078 	if ((natadd != 0) && (fin->fin_flx & FI_FRAG))
4079 		(void) fr_nat_newfrag(fin, 0, nat);
4080 
4081 	/*
4082 	 * Fix up checksums, not by recalculating them, but
4083 	 * simply computing adjustments.
4084 	 * This is only done for STREAMS based IP implementations where the
4085 	 * checksum has already been calculated by IP.  In all other cases,
4086 	 * IPFilter is called before the checksum needs calculating so there
4087 	 * is no call to modify whatever is in the header now.
4088 	 */
4089 	ASSERT(fin->fin_m != NULL);
4090 	if (fin->fin_v == 4 && !NET_IS_HCK_L3_FULL(net_data_p, fin->fin_m)) {
4091 		if (nflags == IPN_ICMPERR) {
4092 			u_32_t s1, s2;
4093 
4094 			s1 = LONG_SUM(ntohl(fin->fin_saddr));
4095 			s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
4096 			CALC_SUMD(s1, s2, sumd);
4097 
4098 			fix_outcksum(&fin->fin_ip->ip_sum, sumd);
4099 		}
4100 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \
4101     defined(linux) || defined(BRIDGE_IPF)
4102 		else {
4103 			/*
4104 			 * Strictly speaking, this isn't necessary on BSD
4105 			 * kernels because they do checksum calculation after
4106 			 * this code has run BUT if ipfilter is being used
4107 			 * to do NAT as a bridge, that code doesn't exist.
4108 			 */
4109 			if (nat->nat_dir == NAT_OUTBOUND)
4110 				fix_outcksum(&fin->fin_ip->ip_sum,
4111 					    nat->nat_ipsumd);
4112 			else
4113 				fix_incksum(&fin->fin_ip->ip_sum,
4114 				 	   nat->nat_ipsumd);
4115 		}
4116 #endif
4117 	}
4118 
4119 	if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
4120 		if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
4121 			tcp = fin->fin_dp;
4122 
4123 			tcp->th_sport = nat->nat_outport;
4124 			fin->fin_data[0] = ntohs(nat->nat_outport);
4125 		}
4126 
4127 		if ((nat->nat_outport != 0) && (nflags & IPN_ICMPQUERY)) {
4128 			icmp = fin->fin_dp;
4129 			icmp->icmp_id = nat->nat_outport;
4130 		}
4131 
4132 		csump = nat_proto(fin, nat, nflags);
4133 	}
4134 
4135 	fin->fin_ip->ip_src = nat->nat_outip;
4136 
4137 	/*
4138 	 * The above comments do not hold for layer 4 (or higher) checksums...
4139 	 */
4140 	if (csump != NULL && !NET_IS_HCK_L4_FULL(net_data_p, fin->fin_m)) {
4141 		if (nflags & IPN_TCPUDP &&
4142 	   	    NET_IS_HCK_L4_PART(net_data_p, fin->fin_m))
4143 			sumd = nat->nat_sumd[1];
4144 		else
4145 			sumd = nat->nat_sumd[0];
4146 
4147 		if (nat->nat_dir == NAT_OUTBOUND)
4148 			fix_outcksum(csump, sumd);
4149 		else
4150 			fix_incksum(csump, sumd);
4151 	}
4152 #ifdef	IPFILTER_SYNC
4153 	ipfsync_update(SMC_NAT, fin, nat->nat_sync);
4154 #endif
4155 	/* ------------------------------------------------------------- */
4156 	/* A few quick notes:						 */
4157 	/*	Following are test conditions prior to calling the 	 */
4158 	/*	appr_check routine.					 */
4159 	/*								 */
4160 	/* 	A NULL tcp indicates a non TCP/UDP packet.  When dealing */
4161 	/*	with a redirect rule, we attempt to match the packet's	 */
4162 	/*	source port against in_dport, otherwise	we'd compare the */
4163 	/*	packet's destination.			 		 */
4164 	/* ------------------------------------------------------------- */
4165 	if ((np != NULL) && (np->in_apr != NULL)) {
4166 		i = appr_check(fin, nat);
4167 		if (i == 0)
4168 			i = 1;
4169 	} else
4170 		i = 1;
4171 	ifs->ifs_nat_stats.ns_mapped[1]++;
4172 	fin->fin_flx |= FI_NATED;
4173 	return i;
4174 }
4175 
4176 
4177 /* ------------------------------------------------------------------------ */
4178 /* Function:    fr_checknatin                                               */
4179 /* Returns:     int - -1 == packet failed NAT checks so block it,           */
4180 /*                     0 == no packet translation occurred,                 */
4181 /*                     1 == packet was successfully translated.             */
4182 /* Parameters:  fin(I)   - pointer to packet information                    */
4183 /*              passp(I) - pointer to filtering result flags                */
4184 /*                                                                          */
4185 /* Check to see if an incoming packet should be changed.  ICMP packets are  */
4186 /* first checked to see if they match an existing entry (if an error),      */
4187 /* otherwise a search of the current NAT table is made.  If neither results */
4188 /* in a match then a search for a matching NAT rule is made.  Create a new  */
4189 /* NAT entry if a we matched a NAT rule.  Lastly, actually change the       */
4190 /* packet header(s) as required.                                            */
4191 /* ------------------------------------------------------------------------ */
4192 int fr_checknatin(fin, passp)
4193 fr_info_t *fin;
4194 u_32_t *passp;
4195 {
4196 	u_int nflags, natadd;
4197 	ipnat_t *np, *npnext;
4198 	int rval, natfailed;
4199 	struct ifnet *ifp;
4200 	struct in_addr in;
4201 	icmphdr_t *icmp;
4202 	tcphdr_t *tcp;
4203 	u_short dport;
4204 	nat_t *nat;
4205 	u_32_t iph;
4206 	ipf_stack_t *ifs = fin->fin_ifs;
4207 
4208 	if (ifs->ifs_fr_nat_lock != 0)
4209 		return 0;
4210 	if (ifs->ifs_nat_stats.ns_rules == 0 && ifs->ifs_nat_instances == NULL)
4211 		return 0;
4212 
4213 	tcp = NULL;
4214 	icmp = NULL;
4215 	dport = 0;
4216 	natadd = 1;
4217 	nflags = 0;
4218 	natfailed = 0;
4219 	ifp = fin->fin_ifp;
4220 
4221 	if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
4222 		switch (fin->fin_p)
4223 		{
4224 		case IPPROTO_TCP :
4225 			nflags = IPN_TCP;
4226 			break;
4227 		case IPPROTO_UDP :
4228 			nflags = IPN_UDP;
4229 			break;
4230 		case IPPROTO_ICMP :
4231 			icmp = fin->fin_dp;
4232 
4233 			/*
4234 			 * This is an incoming packet, so the destination is
4235 			 * the icmp_id and the source port equals 0
4236 			 */
4237 			if (nat_icmpquerytype4(icmp->icmp_type)) {
4238 				nflags = IPN_ICMPQUERY;
4239 				dport = icmp->icmp_id;
4240 			} break;
4241 		default :
4242 			break;
4243 		}
4244 
4245 		if ((nflags & IPN_TCPUDP)) {
4246 			tcp = fin->fin_dp;
4247 			dport = tcp->th_dport;
4248 		}
4249 	}
4250 
4251 	in = fin->fin_dst;
4252 
4253 	READ_ENTER(&ifs->ifs_ipf_nat);
4254 
4255 	if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
4256 	    (nat = nat_icmperror(fin, &nflags, NAT_INBOUND)))
4257 		/*EMPTY*/;
4258 	else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
4259 		natadd = 0;
4260 	else if ((nat = nat_inlookup(fin, nflags|NAT_SEARCH, (u_int)fin->fin_p,
4261 				     fin->fin_src, in))) {
4262 		nflags = nat->nat_flags;
4263 	} else {
4264 		u_32_t hv, msk, rmsk;
4265 
4266 		/*
4267 		 * There is no current entry in the nat table for this packet.
4268 		 *
4269 		 * If the packet is a fragment, but not the first fragment,
4270 		 * then don't do anything.  Otherwise, if there is a matching
4271 		 * nat rule, try to create a new nat entry.
4272 		 */
4273 		if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))
4274 			goto nonatfrag;
4275 
4276 		rmsk = ifs->ifs_rdr_masks;
4277 		msk = 0xffffffff;
4278 maskloop:
4279 		iph = in.s_addr & htonl(msk);
4280 		hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_rdrrules_sz);
4281 		for (np = ifs->ifs_rdr_rules[hv]; np; np = npnext) {
4282 			npnext = np->in_rnext;
4283 			if (np->in_ifps[0] && (np->in_ifps[0] != ifp))
4284 				continue;
4285 			if (np->in_v != fin->fin_v)
4286 				continue;
4287 			if (np->in_p && (np->in_p != fin->fin_p))
4288 				continue;
4289 			if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
4290 				continue;
4291 			if (np->in_flags & IPN_FILTER) {
4292 				if (!nat_match(fin, np))
4293 					continue;
4294 			} else {
4295 				if ((in.s_addr & np->in_outmsk) != np->in_outip)
4296 					continue;
4297 				if (np->in_pmin &&
4298 				    ((ntohs(np->in_pmax) < ntohs(dport)) ||
4299 				     (ntohs(dport) < ntohs(np->in_pmin))))
4300 					continue;
4301 			}
4302 
4303 			if (*np->in_plabel != '\0') {
4304 				if (!appr_ok(fin, tcp, np)) {
4305 					continue;
4306 				}
4307 			}
4308 
4309 			ATOMIC_INC32(np->in_use);
4310 			RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4311 			WRITE_ENTER(&ifs->ifs_ipf_nat);
4312 			nat = nat_new(fin, np, NULL, nflags, NAT_INBOUND);
4313 			if (nat != NULL) {
4314 				np->in_use--;
4315 				np->in_hits++;
4316 				MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
4317 				break;
4318 			}
4319 			natfailed = -1;
4320 			npnext = np->in_rnext;
4321 			fr_ipnatderef(&np, ifs);
4322 			MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
4323 		}
4324 
4325 		if ((np == NULL) && (rmsk != 0)) {
4326 			while (rmsk) {
4327 				msk <<= 1;
4328 				if (rmsk & 0x80000000)
4329 					break;
4330 				rmsk <<= 1;
4331 			}
4332 			if (rmsk != 0) {
4333 				rmsk <<= 1;
4334 				goto maskloop;
4335 			}
4336 		}
4337 	}
4338 
4339 nonatfrag:
4340 	if (nat != NULL) {
4341 		rval = fr_natin(fin, nat, natadd, nflags);
4342 		if (rval == 1) {
4343 			MUTEX_ENTER(&nat->nat_lock);
4344 			nat_update(fin, nat, nat->nat_ptr);
4345 			nat->nat_bytes[0] += fin->fin_plen;
4346 			nat->nat_pkts[0]++;
4347 			fin->fin_pktnum = nat->nat_pkts[0];
4348 			MUTEX_EXIT(&nat->nat_lock);
4349 		}
4350 	} else
4351 		rval = natfailed;
4352 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4353 
4354 	if (rval == -1) {
4355 		if (passp != NULL)
4356 			*passp = FR_BLOCK;
4357 		fin->fin_flx |= FI_BADNAT;
4358 	}
4359 	return rval;
4360 }
4361 
4362 
4363 /* ------------------------------------------------------------------------ */
4364 /* Function:    fr_natin                                                    */
4365 /* Returns:     int - -1 == packet failed NAT checks so block it,           */
4366 /*                     1 == packet was successfully translated.             */
4367 /* Parameters:  fin(I)    - pointer to packet information                   */
4368 /*              nat(I)    - pointer to NAT structure                        */
4369 /*              natadd(I) - flag indicating if it is safe to add frag cache */
4370 /*              nflags(I) - NAT flags set for this packet                   */
4371 /* Locks Held:  ipf_nat (READ)                                              */
4372 /*                                                                          */
4373 /* Translate a packet coming "in" on an interface.                          */
4374 /* ------------------------------------------------------------------------ */
4375 int fr_natin(fin, nat, natadd, nflags)
4376 fr_info_t *fin;
4377 nat_t *nat;
4378 int natadd;
4379 u_32_t nflags;
4380 {
4381 	icmphdr_t *icmp;
4382 	u_short *csump;
4383 	tcphdr_t *tcp;
4384 	ipnat_t *np;
4385 	int i;
4386 	ipf_stack_t *ifs = fin->fin_ifs;
4387 
4388 	if (fin->fin_v == 6) {
4389 #ifdef	USE_INET6
4390 		return fr_nat6in(fin, nat, natadd, nflags);
4391 #else
4392 		return NULL;
4393 #endif
4394 	}
4395 
4396 #if defined(SOLARIS) && defined(_KERNEL)
4397 	net_handle_t net_data_p = ifs->ifs_ipf_ipv4;
4398 #endif
4399 
4400 	tcp = NULL;
4401 	csump = NULL;
4402 	np = nat->nat_ptr;
4403 	fin->fin_fr = nat->nat_fr;
4404 
4405 	if ((natadd != 0) && (fin->fin_flx & FI_FRAG))
4406 		(void) fr_nat_newfrag(fin, 0, nat);
4407 
4408 	if (np != NULL) {
4409 
4410 	/* ------------------------------------------------------------- */
4411 	/* A few quick notes:						 */
4412 	/*	Following are test conditions prior to calling the 	 */
4413 	/*	appr_check routine.					 */
4414 	/*								 */
4415 	/* 	A NULL tcp indicates a non TCP/UDP packet.  When dealing */
4416 	/*	with a map rule, we attempt to match the packet's	 */
4417 	/*	source port against in_dport, otherwise	we'd compare the */
4418 	/*	packet's destination.			 		 */
4419 	/* ------------------------------------------------------------- */
4420 		if (np->in_apr != NULL) {
4421 			i = appr_check(fin, nat);
4422 			if (i == -1) {
4423 				return -1;
4424 			}
4425 		}
4426 	}
4427 
4428 #ifdef	IPFILTER_SYNC
4429 	ipfsync_update(SMC_NAT, fin, nat->nat_sync);
4430 #endif
4431 
4432 	fin->fin_ip->ip_dst = nat->nat_inip;
4433 	fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
4434 	if (nflags & IPN_TCPUDP)
4435 		tcp = fin->fin_dp;
4436 
4437 	/*
4438 	 * Fix up checksums, not by recalculating them, but
4439 	 * simply computing adjustments.
4440 	 * Why only do this for some platforms on inbound packets ?
4441 	 * Because for those that it is done, IP processing is yet to happen
4442 	 * and so the IPv4 header checksum has not yet been evaluated.
4443 	 * Perhaps it should always be done for the benefit of things like
4444 	 * fast forwarding (so that it doesn't need to be recomputed) but with
4445 	 * header checksum offloading, perhaps it is a moot point.
4446 	 */
4447 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \
4448      defined(__osf__) || defined(linux)
4449 	if (nat->nat_dir == NAT_OUTBOUND)
4450 		fix_incksum(&fin->fin_ip->ip_sum, nat->nat_ipsumd);
4451 	else
4452 		fix_outcksum(&fin->fin_ip->ip_sum, nat->nat_ipsumd);
4453 #endif
4454 
4455 	if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
4456 		if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
4457 			tcp->th_dport = nat->nat_inport;
4458 			fin->fin_data[1] = ntohs(nat->nat_inport);
4459 		}
4460 
4461 
4462 		if ((nat->nat_inport != 0) && (nflags & IPN_ICMPQUERY)) {
4463 			icmp = fin->fin_dp;
4464 
4465 			icmp->icmp_id = nat->nat_inport;
4466 		}
4467 
4468 		csump = nat_proto(fin, nat, nflags);
4469 	}
4470 
4471 	/*
4472 	 * In case they are being forwarded, inbound packets always need to have
4473 	 * their checksum adjusted even if hardware checksum validation said OK.
4474 	 */
4475 	if (csump != NULL) {
4476 		if (nat->nat_dir == NAT_OUTBOUND)
4477 			fix_incksum(csump, nat->nat_sumd[0]);
4478 		else
4479 			fix_outcksum(csump, nat->nat_sumd[0]);
4480 	}
4481 
4482 #if defined(SOLARIS) && defined(_KERNEL)
4483 	if (nflags & IPN_TCPUDP &&
4484 	    NET_IS_HCK_L4_PART(net_data_p, fin->fin_m)) {
4485 		/*
4486 		 * Need to adjust the partial checksum result stored in
4487 		 * db_cksum16, which will be used for validation in IP.
4488 		 * See IP_CKSUM_RECV().
4489 		 * Adjustment data should be the inverse of the IP address
4490 		 * changes, because db_cksum16 is supposed to be the complement
4491 		 * of the pesudo header.
4492 		 */
4493 		csump = &fin->fin_m->b_datap->db_cksum16;
4494 		if (nat->nat_dir == NAT_OUTBOUND)
4495 			fix_outcksum(csump, nat->nat_sumd[1]);
4496 		else
4497 			fix_incksum(csump, nat->nat_sumd[1]);
4498 	}
4499 #endif
4500 
4501 	ifs->ifs_nat_stats.ns_mapped[0]++;
4502 	fin->fin_flx |= FI_NATED;
4503 	if (np != NULL && np->in_tag.ipt_num[0] != 0)
4504 		fin->fin_nattag = &np->in_tag;
4505 	return 1;
4506 }
4507 
4508 
4509 /* ------------------------------------------------------------------------ */
4510 /* Function:    nat_proto                                                   */
4511 /* Returns:     u_short* - pointer to transport header checksum to update,  */
4512 /*                         NULL if the transport protocol is not recognised */
4513 /*                         as needing a checksum update.                    */
4514 /* Parameters:  fin(I)    - pointer to packet information                   */
4515 /*              nat(I)    - pointer to NAT structure                        */
4516 /*              nflags(I) - NAT flags set for this packet                   */
4517 /*                                                                          */
4518 /* Return the pointer to the checksum field for each protocol so understood.*/
4519 /* If support for making other changes to a protocol header is required,    */
4520 /* that is not strictly 'address' translation, such as clamping the MSS in  */
4521 /* TCP down to a specific value, then do it from here.                      */
4522 /* ------------------------------------------------------------------------ */
4523 u_short *nat_proto(fin, nat, nflags)
4524 fr_info_t *fin;
4525 nat_t *nat;
4526 u_int nflags;
4527 {
4528 	icmphdr_t *icmp;
4529 	struct icmp6_hdr *icmp6;
4530 	u_short *csump;
4531 	tcphdr_t *tcp;
4532 	udphdr_t *udp;
4533 
4534 	csump = NULL;
4535 	if (fin->fin_out == 0) {
4536 		fin->fin_rev = (nat->nat_dir == NAT_OUTBOUND);
4537 	} else {
4538 		fin->fin_rev = (nat->nat_dir == NAT_INBOUND);
4539 	}
4540 
4541 	switch (fin->fin_p)
4542 	{
4543 	case IPPROTO_TCP :
4544 		tcp = fin->fin_dp;
4545 
4546 		csump = &tcp->th_sum;
4547 
4548 		/*
4549 		 * Do a MSS CLAMPING on a SYN packet,
4550 		 * only deal IPv4 for now.
4551 		 */
4552 		if ((nat->nat_mssclamp != 0) && (tcp->th_flags & TH_SYN) != 0)
4553 			nat_mssclamp(tcp, nat->nat_mssclamp, csump);
4554 
4555 		break;
4556 
4557 	case IPPROTO_UDP :
4558 		udp = fin->fin_dp;
4559 
4560 		if (udp->uh_sum)
4561 			csump = &udp->uh_sum;
4562 		break;
4563 
4564 	case IPPROTO_ICMP :
4565 		icmp = fin->fin_dp;
4566 
4567 		if ((nflags & IPN_ICMPQUERY) != 0) {
4568 			if (icmp->icmp_cksum != 0)
4569 				csump = &icmp->icmp_cksum;
4570 		}
4571 		break;
4572 
4573 	case IPPROTO_ICMPV6 :
4574 		icmp6 = fin->fin_dp;
4575 
4576 		if ((nflags & IPN_ICMPQUERY) != 0) {
4577 			if (icmp6->icmp6_cksum != 0)
4578 				csump = &icmp6->icmp6_cksum;
4579 		}
4580 		break;
4581 	}
4582 	return csump;
4583 }
4584 
4585 
4586 /* ------------------------------------------------------------------------ */
4587 /* Function:    fr_natunload                                                */
4588 /* Returns:     Nil                                                         */
4589 /* Parameters:  ifs - ipf stack instance                                  */
4590 /*                                                                          */
4591 /* Free all memory used by NAT structures allocated at runtime.             */
4592 /* ------------------------------------------------------------------------ */
4593 void fr_natunload(ifs)
4594 ipf_stack_t *ifs;
4595 {
4596 	ipftq_t *ifq, *ifqnext;
4597 
4598 	(void) nat_clearlist(ifs);
4599 	(void) nat_flushtable(FLUSH_TABLE_ALL, ifs);
4600 
4601 	/*
4602 	 * Proxy timeout queues are not cleaned here because although they
4603 	 * exist on the NAT list, appr_unload is called after fr_natunload
4604 	 * and the proxies actually are responsible for them being created.
4605 	 * Should the proxy timeouts have their own list?  There's no real
4606 	 * justification as this is the only complication.
4607 	 */
4608 	for (ifq = ifs->ifs_nat_utqe; ifq != NULL; ifq = ifqnext) {
4609 		ifqnext = ifq->ifq_next;
4610 		if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
4611 		    (fr_deletetimeoutqueue(ifq) == 0))
4612 			fr_freetimeoutqueue(ifq, ifs);
4613 	}
4614 
4615 	if (ifs->ifs_nat_table[0] != NULL) {
4616 		KFREES(ifs->ifs_nat_table[0],
4617 		       sizeof(nat_t *) * ifs->ifs_ipf_nattable_sz);
4618 		ifs->ifs_nat_table[0] = NULL;
4619 	}
4620 	if (ifs->ifs_nat_table[1] != NULL) {
4621 		KFREES(ifs->ifs_nat_table[1],
4622 		       sizeof(nat_t *) * ifs->ifs_ipf_nattable_sz);
4623 		ifs->ifs_nat_table[1] = NULL;
4624 	}
4625 	if (ifs->ifs_nat_rules != NULL) {
4626 		KFREES(ifs->ifs_nat_rules,
4627 		       sizeof(ipnat_t *) * ifs->ifs_ipf_natrules_sz);
4628 		ifs->ifs_nat_rules = NULL;
4629 	}
4630 	if (ifs->ifs_rdr_rules != NULL) {
4631 		KFREES(ifs->ifs_rdr_rules,
4632 		       sizeof(ipnat_t *) * ifs->ifs_ipf_rdrrules_sz);
4633 		ifs->ifs_rdr_rules = NULL;
4634 	}
4635 	if (ifs->ifs_maptable != NULL) {
4636 		KFREES(ifs->ifs_maptable,
4637 		       sizeof(hostmap_t *) * ifs->ifs_ipf_hostmap_sz);
4638 		ifs->ifs_maptable = NULL;
4639 	}
4640 	if (ifs->ifs_nat_stats.ns_bucketlen[0] != NULL) {
4641 		KFREES(ifs->ifs_nat_stats.ns_bucketlen[0],
4642 		       sizeof(u_long *) * ifs->ifs_ipf_nattable_sz);
4643 		ifs->ifs_nat_stats.ns_bucketlen[0] = NULL;
4644 	}
4645 	if (ifs->ifs_nat_stats.ns_bucketlen[1] != NULL) {
4646 		KFREES(ifs->ifs_nat_stats.ns_bucketlen[1],
4647 		       sizeof(u_long *) * ifs->ifs_ipf_nattable_sz);
4648 		ifs->ifs_nat_stats.ns_bucketlen[1] = NULL;
4649 	}
4650 
4651 	if (ifs->ifs_fr_nat_maxbucket_reset == 1)
4652 		ifs->ifs_fr_nat_maxbucket = 0;
4653 
4654 	if (ifs->ifs_fr_nat_init == 1) {
4655 		ifs->ifs_fr_nat_init = 0;
4656 		fr_sttab_destroy(ifs->ifs_nat_tqb);
4657 
4658 		RW_DESTROY(&ifs->ifs_ipf_natfrag);
4659 		RW_DESTROY(&ifs->ifs_ipf_nat);
4660 
4661 		MUTEX_DESTROY(&ifs->ifs_ipf_nat_new);
4662 		MUTEX_DESTROY(&ifs->ifs_ipf_natio);
4663 
4664 		MUTEX_DESTROY(&ifs->ifs_nat_udptq.ifq_lock);
4665 		MUTEX_DESTROY(&ifs->ifs_nat_icmptq.ifq_lock);
4666 		MUTEX_DESTROY(&ifs->ifs_nat_iptq.ifq_lock);
4667 	}
4668 }
4669 
4670 
4671 /* ------------------------------------------------------------------------ */
4672 /* Function:    fr_natexpire                                                */
4673 /* Returns:     Nil                                                         */
4674 /* Parameters:  ifs - ipf stack instance                                    */
4675 /*                                                                          */
4676 /* Check all of the timeout queues for entries at the top which need to be  */
4677 /* expired.                                                                 */
4678 /* ------------------------------------------------------------------------ */
4679 void fr_natexpire(ifs)
4680 ipf_stack_t *ifs;
4681 {
4682 	ipftq_t *ifq, *ifqnext;
4683 	ipftqent_t *tqe, *tqn;
4684 	int i;
4685 	SPL_INT(s);
4686 
4687 	SPL_NET(s);
4688 	WRITE_ENTER(&ifs->ifs_ipf_nat);
4689 	for (ifq = ifs->ifs_nat_tqb, i = 0; ifq != NULL; ifq = ifq->ifq_next) {
4690 		for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); i++) {
4691 			if (tqe->tqe_die > ifs->ifs_fr_ticks)
4692 				break;
4693 			tqn = tqe->tqe_next;
4694 			(void) nat_delete(tqe->tqe_parent, NL_EXPIRE, ifs);
4695 		}
4696 	}
4697 
4698 	for (ifq = ifs->ifs_nat_utqe; ifq != NULL; ifq = ifqnext) {
4699 		ifqnext = ifq->ifq_next;
4700 
4701 		for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); i++) {
4702 			if (tqe->tqe_die > ifs->ifs_fr_ticks)
4703 				break;
4704 			tqn = tqe->tqe_next;
4705 			(void) nat_delete(tqe->tqe_parent, NL_EXPIRE, ifs);
4706 		}
4707 	}
4708 
4709 	for (ifq = ifs->ifs_nat_utqe; ifq != NULL; ifq = ifqnext) {
4710 		ifqnext = ifq->ifq_next;
4711 
4712 		if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
4713 		    (ifq->ifq_ref == 0)) {
4714 			fr_freetimeoutqueue(ifq, ifs);
4715 		}
4716 	}
4717 
4718 	if (ifs->ifs_nat_doflush != 0) {
4719 		(void) nat_flushtable(FLUSH_TABLE_EXTRA, ifs);
4720 		ifs->ifs_nat_doflush = 0;
4721 	}
4722 
4723 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4724 	SPL_X(s);
4725 }
4726 
4727 
4728 /* ------------------------------------------------------------------------ */
4729 /* Function:    fr_nataddrsync                                              */
4730 /* Returns:     Nil                                                         */
4731 /* Parameters:  ifp(I) -  pointer to network interface                      */
4732 /*              addr(I) - pointer to new network address                    */
4733 /*                                                                          */
4734 /* Walk through all of the currently active NAT sessions, looking for those */
4735 /* which need to have their translated address updated (where the interface */
4736 /* matches the one passed in) and change it, recalculating the checksum sum */
4737 /* difference too.                                                          */
4738 /* ------------------------------------------------------------------------ */
4739 void fr_nataddrsync(v, ifp, addr, ifs)
4740 int v;
4741 void *ifp;
4742 void *addr;
4743 ipf_stack_t *ifs;
4744 {
4745 	u_32_t sum1, sum2, sumd;
4746 	nat_t *nat;
4747 	ipnat_t *np;
4748 	SPL_INT(s);
4749 
4750 	if (ifs->ifs_fr_running <= 0)
4751 		return;
4752 
4753 	SPL_NET(s);
4754 	WRITE_ENTER(&ifs->ifs_ipf_nat);
4755 
4756 	if (ifs->ifs_fr_running <= 0) {
4757 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4758 		return;
4759 	}
4760 
4761 	/*
4762 	 * Change IP addresses for NAT sessions for any protocol except TCP
4763 	 * since it will break the TCP connection anyway.  The only rules
4764 	 * which will get changed are those which are "map ... -> 0/32",
4765 	 * where the rule specifies the address is taken from the interface.
4766 	 */
4767 	for (nat = ifs->ifs_nat_instances; nat; nat = nat->nat_next) {
4768 		if (addr != NULL) {
4769 			if (((ifp != NULL) && ifp != (nat->nat_ifps[0])) ||
4770 			    ((nat->nat_flags & IPN_TCP) != 0))
4771 				continue;
4772 			if ((np = nat->nat_ptr) == NULL)
4773 				continue;
4774 			if (v == 4 && np->in_v == 4) {
4775 				if (np->in_nip || np->in_outmsk != 0xffffffff)
4776 					continue;
4777 				/*
4778 				 * Change the map-to address to be the same as
4779 				 * the new one.
4780 				 */
4781 				sum1 = nat->nat_outip.s_addr;
4782 				nat->nat_outip = *(struct in_addr *)addr;
4783 				sum2 = nat->nat_outip.s_addr;
4784 			} else if (v == 6 && np->in_v == 6) {
4785 				if (!IP6_ISZERO(&np->in_next6.in6) ||
4786 				    !IP6_ISONES(&np->in_out[1].in6))
4787 					continue;
4788 				/*
4789 				 * Change the map-to address to be the same as
4790 				 * the new one.
4791 				 */
4792 				nat->nat_outip6.in6 = *(struct in6_addr *)addr;
4793 			} else
4794 				continue;
4795 
4796 		} else if (((ifp == NULL) || (ifp == nat->nat_ifps[0])) &&
4797 		    !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr)) {
4798 			if (np->in_v == 4 && (v == 4 || v == 0)) {
4799 				struct in_addr in;
4800 				if (np->in_outmsk != 0xffffffff || np->in_nip)
4801 					continue;
4802 				/*
4803 				 * Change the map-to address to be the same as
4804 				 * the new one.
4805 				 */
4806 				sum1 = nat->nat_outip.s_addr;
4807 				if (fr_ifpaddr(4, FRI_NORMAL, nat->nat_ifps[0],
4808 					       &in, NULL, ifs) != -1)
4809 					nat->nat_outip = in;
4810 				sum2 = nat->nat_outip.s_addr;
4811 			} else if (np->in_v == 6 && (v == 6 || v == 0)) {
4812 				struct in6_addr in6;
4813 				if (!IP6_ISZERO(&np->in_next6.in6) ||
4814 				    !IP6_ISONES(&np->in_out[1].in6))
4815 					continue;
4816 				/*
4817 				 * Change the map-to address to be the same as
4818 				 * the new one.
4819 				 */
4820 				if (fr_ifpaddr(6, FRI_NORMAL, nat->nat_ifps[0],
4821 					       (void *)&in6, NULL, ifs) != -1)
4822 					nat->nat_outip6.in6 = in6;
4823 			} else
4824 				continue;
4825 		} else {
4826 			continue;
4827 		}
4828 
4829 		if (sum1 == sum2)
4830 			continue;
4831 		/*
4832 		 * Readjust the checksum adjustment to take into
4833 		 * account the new IP#.
4834 		 */
4835 		CALC_SUMD(sum1, sum2, sumd);
4836 		/* XXX - dont change for TCP when solaris does
4837 		 * hardware checksumming.
4838 		 */
4839 		sumd += nat->nat_sumd[0];
4840 		nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
4841 		nat->nat_sumd[1] = nat->nat_sumd[0];
4842 	}
4843 
4844 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4845 	SPL_X(s);
4846 }
4847 
4848 
4849 /* ------------------------------------------------------------------------ */
4850 /* Function:    fr_natifpsync                                               */
4851 /* Returns:     Nil                                                         */
4852 /* Parameters:  action(I) - how we are syncing                              */
4853 /*              ifp(I)    - pointer to network interface                    */
4854 /*              name(I)   - name of interface to sync to                    */
4855 /*                                                                          */
4856 /* This function is used to resync the mapping of interface names and their */
4857 /* respective 'pointers'.  For "action == IPFSYNC_RESYNC", resync all       */
4858 /* interfaces by doing a new lookup of name to 'pointer'.  For "action ==   */
4859 /* IPFSYNC_NEWIFP", treat ifp as the new pointer value associated with      */
4860 /* "name" and for "action == IPFSYNC_OLDIFP", ifp is a pointer for which    */
4861 /* there is no longer any interface associated with it.                     */
4862 /* ------------------------------------------------------------------------ */
4863 void fr_natifpsync(action, v, ifp, name, ifs)
4864 int action, v;
4865 void *ifp;
4866 char *name;
4867 ipf_stack_t *ifs;
4868 {
4869 #if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
4870 	int s;
4871 #endif
4872 	nat_t *nat;
4873 	ipnat_t *n;
4874 	int nv;
4875 
4876 	if (ifs->ifs_fr_running <= 0)
4877 		return;
4878 
4879 	SPL_NET(s);
4880 	WRITE_ENTER(&ifs->ifs_ipf_nat);
4881 
4882 	if (ifs->ifs_fr_running <= 0) {
4883 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4884 		return;
4885 	}
4886 
4887 	switch (action)
4888 	{
4889 	case IPFSYNC_RESYNC :
4890 		for (nat = ifs->ifs_nat_instances; nat; nat = nat->nat_next) {
4891 			nv = (v == 0) ? nat->nat_v : v;
4892 			if (nat->nat_v != nv)
4893 				continue;
4894 			if ((ifp == nat->nat_ifps[0]) ||
4895 			    (nat->nat_ifps[0] == (void *)-1)) {
4896 				nat->nat_ifps[0] =
4897 				    fr_resolvenic(nat->nat_ifnames[0], nv, ifs);
4898 			}
4899 
4900 			if ((ifp == nat->nat_ifps[1]) ||
4901 			    (nat->nat_ifps[1] == (void *)-1)) {
4902 				nat->nat_ifps[1] =
4903 				    fr_resolvenic(nat->nat_ifnames[1], nv, ifs);
4904 			}
4905 		}
4906 
4907 		for (n = ifs->ifs_nat_list; (n != NULL); n = n->in_next) {
4908 			nv = (v == 0) ? (int)n->in_v : v;
4909 			if ((int)n->in_v != nv)
4910 				continue;
4911 			if (n->in_ifps[0] == ifp ||
4912 			    n->in_ifps[0] == (void *)-1) {
4913 				n->in_ifps[0] =
4914 				    fr_resolvenic(n->in_ifnames[0], nv, ifs);
4915 			}
4916 			if (n->in_ifps[1] == ifp ||
4917 			    n->in_ifps[1] == (void *)-1) {
4918 				n->in_ifps[1] =
4919 				    fr_resolvenic(n->in_ifnames[1], nv, ifs);
4920 			}
4921 		}
4922 		break;
4923 	case IPFSYNC_NEWIFP :
4924 		for (nat = ifs->ifs_nat_instances; nat; nat = nat->nat_next) {
4925 			if (nat->nat_v != v)
4926 				continue;
4927 			if (!strncmp(name, nat->nat_ifnames[0],
4928 				     sizeof(nat->nat_ifnames[0])))
4929 				nat->nat_ifps[0] = ifp;
4930 			if (!strncmp(name, nat->nat_ifnames[1],
4931 				     sizeof(nat->nat_ifnames[1])))
4932 				nat->nat_ifps[1] = ifp;
4933 		}
4934 		for (n = ifs->ifs_nat_list; (n != NULL); n = n->in_next) {
4935 			if ((int)n->in_v != v)
4936 				continue;
4937 			if (!strncmp(name, n->in_ifnames[0],
4938 				     sizeof(n->in_ifnames[0])))
4939 				n->in_ifps[0] = ifp;
4940 			if (!strncmp(name, n->in_ifnames[1],
4941 				     sizeof(n->in_ifnames[1])))
4942 				n->in_ifps[1] = ifp;
4943 		}
4944 		break;
4945 	case IPFSYNC_OLDIFP :
4946 		for (nat = ifs->ifs_nat_instances; nat; nat = nat->nat_next) {
4947 			if (nat->nat_v != v)
4948 				continue;
4949 			if (ifp == nat->nat_ifps[0])
4950 				nat->nat_ifps[0] = (void *)-1;
4951 			if (ifp == nat->nat_ifps[1])
4952 				nat->nat_ifps[1] = (void *)-1;
4953 		}
4954 		for (n = ifs->ifs_nat_list; (n != NULL); n = n->in_next) {
4955 			if ((int)n->in_v != v)
4956 				continue;
4957 			if (n->in_ifps[0] == ifp)
4958 				n->in_ifps[0] = (void *)-1;
4959 			if (n->in_ifps[1] == ifp)
4960 				n->in_ifps[1] = (void *)-1;
4961 		}
4962 		break;
4963 	}
4964 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
4965 	SPL_X(s);
4966 }
4967 
4968 #if SOLARIS2 >= 10
4969 /* ------------------------------------------------------------------------ */
4970 /* Function:	fr_natifindexsync					    */
4971 /* Returns:	void							    */
4972 /* Parameters:	ifp	  - interface, which is being sync'd		    */
4973 /*		newifp	  - new ifindex value for interface		    */
4974 /*              ifs	  - IPF's stack					    */
4975 /*                                                                          */
4976 /* Write Locks: assumes ipf_mutex is locked				    */
4977 /*                                                                          */
4978 /* Updates all interface index references in NAT rules and NAT entries.	    */
4979 /* the index, which is about to be updated must match ifp value.	    */
4980 /* ------------------------------------------------------------------------ */
4981 void fr_natifindexsync(ifp, newifp, ifs)
4982 void *ifp;
4983 void *newifp;
4984 ipf_stack_t *ifs;
4985 {
4986 	nat_t *nat;
4987 	ipnat_t *n;
4988 
4989 	WRITE_ENTER(&ifs->ifs_ipf_nat);
4990 
4991 	for (nat = ifs->ifs_nat_instances; nat != NULL; nat = nat->nat_next) {
4992 		if (ifp == nat->nat_ifps[0])
4993 			nat->nat_ifps[0] = newifp;
4994 
4995 		if (ifp == nat->nat_ifps[1])
4996 			nat->nat_ifps[1] = newifp;
4997 	}
4998 
4999 	for (n = ifs->ifs_nat_list; n != NULL; n = n->in_next) {
5000 		if (ifp == n->in_ifps[0])
5001 			n->in_ifps[0] = newifp;
5002 
5003 		if (ifp == n->in_ifps[1])
5004 			n->in_ifps[1] = newifp;
5005 	}
5006 
5007 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5008 }
5009 #endif
5010 
5011 /* ------------------------------------------------------------------------ */
5012 /* Function:    nat_icmpquerytype4                                          */
5013 /* Returns:     int - 1 == success, 0 == failure                            */
5014 /* Parameters:  icmptype(I) - ICMP type number                              */
5015 /*                                                                          */
5016 /* Tests to see if the ICMP type number passed is a query/response type or  */
5017 /* not.                                                                     */
5018 /* ------------------------------------------------------------------------ */
5019 static INLINE int nat_icmpquerytype4(icmptype)
5020 int icmptype;
5021 {
5022 
5023 	/*
5024 	 * For the ICMP query NAT code, it is essential that both the query
5025 	 * and the reply match on the NAT rule. Because the NAT structure
5026 	 * does not keep track of the icmptype, and a single NAT structure
5027 	 * is used for all icmp types with the same src, dest and id, we
5028 	 * simply define the replies as queries as well. The funny thing is,
5029 	 * altough it seems silly to call a reply a query, this is exactly
5030 	 * as it is defined in the IPv4 specification
5031 	 */
5032 
5033 	switch (icmptype)
5034 	{
5035 
5036 	case ICMP_ECHOREPLY:
5037 	case ICMP_ECHO:
5038 	/* route aedvertisement/solliciation is currently unsupported: */
5039 	/* it would require rewriting the ICMP data section            */
5040 	case ICMP_TSTAMP:
5041 	case ICMP_TSTAMPREPLY:
5042 	case ICMP_IREQ:
5043 	case ICMP_IREQREPLY:
5044 	case ICMP_MASKREQ:
5045 	case ICMP_MASKREPLY:
5046 		return 1;
5047 	default:
5048 		return 0;
5049 	}
5050 }
5051 
5052 
5053 /* ------------------------------------------------------------------------ */
5054 /* Function:    nat_log                                                     */
5055 /* Returns:     Nil                                                         */
5056 /* Parameters:  nat(I)  - pointer to NAT structure                          */
5057 /*              type(I) - type of log entry to create                       */
5058 /*                                                                          */
5059 /* Creates a NAT log entry.                                                 */
5060 /* ------------------------------------------------------------------------ */
5061 void nat_log(nat, type, ifs)
5062 struct nat *nat;
5063 u_int type;
5064 ipf_stack_t *ifs;
5065 {
5066 #ifdef	IPFILTER_LOG
5067 # ifndef LARGE_NAT
5068 	struct ipnat *np;
5069 	int rulen;
5070 # endif
5071 	struct natlog natl;
5072 	void *items[1];
5073 	size_t sizes[1];
5074 	int types[1];
5075 
5076 	natl.nlg_inip = nat->nat_inip6;
5077 	natl.nlg_outip = nat->nat_outip6;
5078 	natl.nlg_origip = nat->nat_oip6;
5079 	natl.nlg_bytes[0] = nat->nat_bytes[0];
5080 	natl.nlg_bytes[1] = nat->nat_bytes[1];
5081 	natl.nlg_pkts[0] = nat->nat_pkts[0];
5082 	natl.nlg_pkts[1] = nat->nat_pkts[1];
5083 	natl.nlg_origport = nat->nat_oport;
5084 	natl.nlg_inport = nat->nat_inport;
5085 	natl.nlg_outport = nat->nat_outport;
5086 	natl.nlg_p = nat->nat_p;
5087 	natl.nlg_type = type;
5088 	natl.nlg_rule = -1;
5089 	natl.nlg_v = nat->nat_v;
5090 # ifndef LARGE_NAT
5091 	if (nat->nat_ptr != NULL) {
5092 		for (rulen = 0, np = ifs->ifs_nat_list; np;
5093 		     np = np->in_next, rulen++)
5094 			if (np == nat->nat_ptr) {
5095 				natl.nlg_rule = rulen;
5096 				break;
5097 			}
5098 	}
5099 # endif
5100 	items[0] = &natl;
5101 	sizes[0] = sizeof(natl);
5102 	types[0] = 0;
5103 
5104 	(void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1, ifs);
5105 #endif
5106 }
5107 
5108 
5109 #if defined(__OpenBSD__)
5110 /* ------------------------------------------------------------------------ */
5111 /* Function:    nat_ifdetach                                                */
5112 /* Returns:     Nil                                                         */
5113 /* Parameters:  ifp(I) - pointer to network interface                       */
5114 /*                                                                          */
5115 /* Compatibility interface for OpenBSD to trigger the correct updating of   */
5116 /* interface references within IPFilter.                                    */
5117 /* ------------------------------------------------------------------------ */
5118 void nat_ifdetach(ifp, ifs)
5119 void *ifp;
5120 ipf_stack_t *ifs;
5121 {
5122 	frsync(ifp, ifs);
5123 	return;
5124 }
5125 #endif
5126 
5127 
5128 /* ------------------------------------------------------------------------ */
5129 /* Function:    fr_ipnatderef                                               */
5130 /* Returns:     Nil                                                         */
5131 /* Parameters:  inp(I) - pointer to pointer to NAT rule                     */
5132 /* Write Locks: ipf_nat                                                     */
5133 /*                                                                          */
5134 /* ------------------------------------------------------------------------ */
5135 void fr_ipnatderef(inp, ifs)
5136 ipnat_t **inp;
5137 ipf_stack_t *ifs;
5138 {
5139 	ipnat_t *in;
5140 
5141 	in = *inp;
5142 	*inp = NULL;
5143 	in->in_use--;
5144 	if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) {
5145 		if (in->in_apr)
5146 			appr_free(in->in_apr);
5147 		KFREE(in);
5148 		ifs->ifs_nat_stats.ns_rules--;
5149 #ifdef notdef
5150 #if SOLARIS
5151 		if (ifs->ifs_nat_stats.ns_rules == 0)
5152 			ifs->ifs_pfil_delayed_copy = 1;
5153 #endif
5154 #endif
5155 	}
5156 }
5157 
5158 
5159 /* ------------------------------------------------------------------------ */
5160 /* Function:    fr_natderef                                                 */
5161 /* Returns:     Nil                                                         */
5162 /* Parameters:  natp - pointer to pointer to NAT table entry                */
5163 /*              ifs  - ipf stack instance                                   */
5164 /*                                                                          */
5165 /* Decrement the reference counter for this NAT table entry and free it if  */
5166 /* there are no more things using it.                                       */
5167 /*                                                                          */
5168 /* IF nat_ref == 1 when this function is called, then we have an orphan nat */
5169 /* structure *because* it only gets called on paths _after_ nat_ref has been*/
5170 /* incremented.  If nat_ref == 1 then we shouldn't decrement it here        */
5171 /* because nat_delete() will do that and send nat_ref to -1.                */
5172 /*                                                                          */
5173 /* Holding the lock on nat_lock is required to serialise nat_delete() being */
5174 /* called from a NAT flush ioctl with a deref happening because of a packet.*/
5175 /* ------------------------------------------------------------------------ */
5176 void fr_natderef(natp, ifs)
5177 nat_t **natp;
5178 ipf_stack_t *ifs;
5179 {
5180 	nat_t *nat;
5181 
5182 	nat = *natp;
5183 	*natp = NULL;
5184 
5185 	MUTEX_ENTER(&nat->nat_lock);
5186 	if (nat->nat_ref > 1) {
5187 		nat->nat_ref--;
5188 		MUTEX_EXIT(&nat->nat_lock);
5189 		return;
5190 	}
5191 	MUTEX_EXIT(&nat->nat_lock);
5192 
5193 	WRITE_ENTER(&ifs->ifs_ipf_nat);
5194 	(void) nat_delete(nat, NL_EXPIRE, ifs);
5195 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5196 }
5197 
5198 
5199 /* ------------------------------------------------------------------------ */
5200 /* Function:    fr_natclone                                                 */
5201 /* Returns:     ipstate_t* - NULL == cloning failed,                        */
5202 /*                           else pointer to new NAT structure              */
5203 /* Parameters:  fin(I)   - pointer to packet information                    */
5204 /*              nat(I)   - pointer to master NAT structure                  */
5205 /* Write Lock:  ipf_nat                                                     */
5206 /*                                                                          */
5207 /* Create a "duplicate" NAT table entry from the master.                    */
5208 /* ------------------------------------------------------------------------ */
5209 nat_t *fr_natclone(fin, nat)
5210 fr_info_t *fin;
5211 nat_t *nat;
5212 {
5213 	frentry_t *fr;
5214 	nat_t *clone;
5215 	ipnat_t *np;
5216 	ipf_stack_t *ifs = fin->fin_ifs;
5217 
5218 	/*
5219 	 * Trigger automatic call to nat_flushtable() if the
5220 	 * table has reached capcity specified by hi watermark.
5221 	 */
5222 	if (NAT_TAB_WATER_LEVEL(ifs) > ifs->ifs_nat_flush_level_hi)
5223 		ifs->ifs_nat_doflush = 1;
5224 
5225 	/*
5226 	 * If automatic flushing did not do its job, and the table
5227 	 * has filled up, don't try to create a new entry.
5228 	 */
5229 	if (ifs->ifs_nat_stats.ns_inuse >= ifs->ifs_ipf_nattable_max) {
5230 		ifs->ifs_nat_stats.ns_memfail++;
5231 		return NULL;
5232 	}
5233 
5234 	KMALLOC(clone, nat_t *);
5235 	if (clone == NULL)
5236 		return NULL;
5237 	bcopy((char *)nat, (char *)clone, sizeof(*clone));
5238 
5239 	MUTEX_NUKE(&clone->nat_lock);
5240 
5241 	clone->nat_aps = NULL;
5242 	/*
5243 	 * Initialize all these so that nat_delete() doesn't cause a crash.
5244 	 */
5245 	clone->nat_tqe.tqe_pnext = NULL;
5246 	clone->nat_tqe.tqe_next = NULL;
5247 	clone->nat_tqe.tqe_ifq = NULL;
5248 	clone->nat_tqe.tqe_parent = clone;
5249 
5250 	clone->nat_flags &= ~SI_CLONE;
5251 	clone->nat_flags |= SI_CLONED;
5252 
5253 	if (clone->nat_hm)
5254 		clone->nat_hm->hm_ref++;
5255 
5256 	if (nat_insert(clone, fin->fin_rev, ifs) == -1) {
5257 		KFREE(clone);
5258 		return NULL;
5259 	}
5260 	np = clone->nat_ptr;
5261 	if (np != NULL) {
5262 		if (ifs->ifs_nat_logging)
5263 			nat_log(clone, (u_int)np->in_redir, ifs);
5264 		np->in_use++;
5265 	}
5266 	fr = clone->nat_fr;
5267 	if (fr != NULL) {
5268 		MUTEX_ENTER(&fr->fr_lock);
5269 		fr->fr_ref++;
5270 		MUTEX_EXIT(&fr->fr_lock);
5271 	}
5272 
5273 	/*
5274 	 * Because the clone is created outside the normal loop of things and
5275 	 * TCP has special needs in terms of state, initialise the timeout
5276 	 * state of the new NAT from here.
5277 	 */
5278 	if (clone->nat_p == IPPROTO_TCP) {
5279 		(void) fr_tcp_age(&clone->nat_tqe, fin, ifs->ifs_nat_tqb,
5280 				  clone->nat_flags);
5281 	}
5282 #ifdef	IPFILTER_SYNC
5283 	clone->nat_sync = ipfsync_new(SMC_NAT, fin, clone);
5284 #endif
5285 	if (ifs->ifs_nat_logging)
5286 		nat_log(clone, NL_CLONE, ifs);
5287 	return clone;
5288 }
5289 
5290 
5291 /* ------------------------------------------------------------------------ */
5292 /* Function:   nat_wildok                                                   */
5293 /* Returns:    int - 1 == packet's ports match wildcards                    */
5294 /*                   0 == packet's ports don't match wildcards              */
5295 /* Parameters: nat(I)   - NAT entry                                         */
5296 /*             sport(I) - source port                                       */
5297 /*             dport(I) - destination port                                  */
5298 /*             flags(I) - wildcard flags                                    */
5299 /*             dir(I)   - packet direction                                  */
5300 /*                                                                          */
5301 /* Use NAT entry and packet direction to determine which combination of     */
5302 /* wildcard flags should be used.                                           */
5303 /* ------------------------------------------------------------------------ */
5304 int nat_wildok(nat, sport, dport, flags, dir)
5305 nat_t *nat;
5306 int sport;
5307 int dport;
5308 int flags;
5309 int dir;
5310 {
5311 	/*
5312 	 * When called by       dir is set to
5313 	 * nat_inlookup         NAT_INBOUND (0)
5314 	 * nat_outlookup        NAT_OUTBOUND (1)
5315 	 *
5316 	 * We simply combine the packet's direction in dir with the original
5317 	 * "intended" direction of that NAT entry in nat->nat_dir to decide
5318 	 * which combination of wildcard flags to allow.
5319 	 */
5320 
5321 	switch ((dir << 1) | nat->nat_dir)
5322 	{
5323 	case 3: /* outbound packet / outbound entry */
5324 		if (((nat->nat_inport == sport) ||
5325 		    (flags & SI_W_SPORT)) &&
5326 		    ((nat->nat_oport == dport) ||
5327 		    (flags & SI_W_DPORT)))
5328 			return 1;
5329 		break;
5330 	case 2: /* outbound packet / inbound entry */
5331 		if (((nat->nat_outport == sport) ||
5332 		    (flags & SI_W_DPORT)) &&
5333 		    ((nat->nat_oport == dport) ||
5334 		    (flags & SI_W_SPORT)))
5335 			return 1;
5336 		break;
5337 	case 1: /* inbound packet / outbound entry */
5338 		if (((nat->nat_oport == sport) ||
5339 		    (flags & SI_W_DPORT)) &&
5340 		    ((nat->nat_outport == dport) ||
5341 		    (flags & SI_W_SPORT)))
5342 			return 1;
5343 		break;
5344 	case 0: /* inbound packet / inbound entry */
5345 		if (((nat->nat_oport == sport) ||
5346 		    (flags & SI_W_SPORT)) &&
5347 		    ((nat->nat_outport == dport) ||
5348 		    (flags & SI_W_DPORT)))
5349 			return 1;
5350 		break;
5351 	default:
5352 		break;
5353 	}
5354 
5355 	return(0);
5356 }
5357 
5358 
5359 /* ------------------------------------------------------------------------ */
5360 /* Function:    nat_mssclamp                                                */
5361 /* Returns:     Nil                                                         */
5362 /* Parameters:  tcp(I)    - pointer to TCP header                           */
5363 /*              maxmss(I) - value to clamp the TCP MSS to                   */
5364 /*              csump(I)  - pointer to TCP checksum                         */
5365 /*                                                                          */
5366 /* Check for MSS option and clamp it if necessary.  If found and changed,   */
5367 /* then the TCP header checksum will be updated to reflect the change in    */
5368 /* the MSS.                                                                 */
5369 /* ------------------------------------------------------------------------ */
5370 static void nat_mssclamp(tcp, maxmss, csump)
5371 tcphdr_t *tcp;
5372 u_32_t maxmss;
5373 u_short *csump;
5374 {
5375 	u_char *cp, *ep, opt;
5376 	int hlen, advance;
5377 	u_32_t mss, sumd;
5378 
5379 	hlen = TCP_OFF(tcp) << 2;
5380 	if (hlen > sizeof(*tcp)) {
5381 		cp = (u_char *)tcp + sizeof(*tcp);
5382 		ep = (u_char *)tcp + hlen;
5383 
5384 		while (cp < ep) {
5385 			opt = cp[0];
5386 			if (opt == TCPOPT_EOL)
5387 				break;
5388 			else if (opt == TCPOPT_NOP) {
5389 				cp++;
5390 				continue;
5391 			}
5392 
5393 			if (cp + 1 >= ep)
5394 				break;
5395 			advance = cp[1];
5396 			if ((cp + advance > ep) || (advance <= 0))
5397 				break;
5398 			switch (opt)
5399 			{
5400 			case TCPOPT_MAXSEG:
5401 				if (advance != 4)
5402 					break;
5403 				mss = cp[2] * 256 + cp[3];
5404 				if (mss > maxmss) {
5405 					cp[2] = maxmss / 256;
5406 					cp[3] = maxmss & 0xff;
5407 					CALC_SUMD(mss, maxmss, sumd);
5408 					fix_outcksum(csump, sumd);
5409 				}
5410 				break;
5411 			default:
5412 				/* ignore unknown options */
5413 				break;
5414 			}
5415 
5416 			cp += advance;
5417 		}
5418 	}
5419 }
5420 
5421 
5422 /* ------------------------------------------------------------------------ */
5423 /* Function:    fr_setnatqueue                                              */
5424 /* Returns:     Nil                                                         */
5425 /* Parameters:  nat(I)- pointer to NAT structure                            */
5426 /*              rev(I) - forward(0) or reverse(1) direction                 */
5427 /* Locks:       ipf_nat (read or write)                                     */
5428 /*                                                                          */
5429 /* Put the NAT entry on its default queue entry, using rev as a helped in   */
5430 /* determining which queue it should be placed on.                          */
5431 /* ------------------------------------------------------------------------ */
5432 void fr_setnatqueue(nat, rev, ifs)
5433 nat_t *nat;
5434 int rev;
5435 ipf_stack_t *ifs;
5436 {
5437 	ipftq_t *oifq, *nifq;
5438 
5439 	if (nat->nat_ptr != NULL)
5440 		nifq = nat->nat_ptr->in_tqehead[rev];
5441 	else
5442 		nifq = NULL;
5443 
5444 	if (nifq == NULL) {
5445 		switch (nat->nat_p)
5446 		{
5447 		case IPPROTO_UDP :
5448 			nifq = &ifs->ifs_nat_udptq;
5449 			break;
5450 		case IPPROTO_ICMP :
5451 			nifq = &ifs->ifs_nat_icmptq;
5452 			break;
5453 		case IPPROTO_TCP :
5454 			nifq = ifs->ifs_nat_tqb + nat->nat_tqe.tqe_state[rev];
5455 			break;
5456 		default :
5457 			nifq = &ifs->ifs_nat_iptq;
5458 			break;
5459 		}
5460 	}
5461 
5462 	oifq = nat->nat_tqe.tqe_ifq;
5463 	/*
5464 	 * If it's currently on a timeout queue, move it from one queue to
5465 	 * another, else put it on the end of the newly determined queue.
5466 	 */
5467 	if (oifq != NULL)
5468 		fr_movequeue(&nat->nat_tqe, oifq, nifq, ifs);
5469 	else
5470 		fr_queueappend(&nat->nat_tqe, nifq, nat, ifs);
5471 	return;
5472 }
5473 
5474 /* ------------------------------------------------------------------------ */
5475 /* Function:    nat_getnext                                                 */
5476 /* Returns:     int - 0 == ok, else error                                   */
5477 /* Parameters:  t(I)   - pointer to ipftoken structure                      */
5478 /*              itp(I) - pointer to ipfgeniter_t structure                  */
5479 /*              ifs - ipf stack instance                                    */
5480 /*                                                                          */
5481 /* Fetch the next nat/ipnat/hostmap structure pointer from the linked list  */
5482 /* and copy it out to the storage space pointed to by itp.  The next item   */
5483 /* in the list to look at is put back in the ipftoken struture.             */
5484 /* ------------------------------------------------------------------------ */
5485 static int nat_getnext(t, itp, ifs)
5486 ipftoken_t *t;
5487 ipfgeniter_t *itp;
5488 ipf_stack_t *ifs;
5489 {
5490 	hostmap_t *hm, *nexthm = NULL, zerohm;
5491 	ipnat_t *ipn, *nextipnat = NULL, zeroipn;
5492 	nat_t *nat, *nextnat = NULL, zeronat;
5493 	int error = 0, count;
5494 	char *dst;
5495 
5496 	if (itp->igi_nitems == 0)
5497 		return EINVAL;
5498 
5499 	READ_ENTER(&ifs->ifs_ipf_nat);
5500 
5501 	/*
5502 	 * Get "previous" entry from the token and find the next entry.
5503 	 */
5504 	switch (itp->igi_type)
5505 	{
5506 	case IPFGENITER_HOSTMAP :
5507 		hm = t->ipt_data;
5508 		if (hm == NULL) {
5509 			nexthm = ifs->ifs_ipf_hm_maplist;
5510 		} else {
5511 			nexthm = hm->hm_next;
5512 		}
5513 		break;
5514 
5515 	case IPFGENITER_IPNAT :
5516 		ipn = t->ipt_data;
5517 		if (ipn == NULL) {
5518 			nextipnat = ifs->ifs_nat_list;
5519 		} else {
5520 			nextipnat = ipn->in_next;
5521 		}
5522 		break;
5523 
5524 	case IPFGENITER_NAT :
5525 		nat = t->ipt_data;
5526 		if (nat == NULL) {
5527 			nextnat = ifs->ifs_nat_instances;
5528 		} else {
5529 			nextnat = nat->nat_next;
5530 		}
5531 		break;
5532 	default :
5533 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5534 		return EINVAL;
5535 	}
5536 
5537 	/*
5538 	 * Note, this loop is based on the number of items that a user
5539 	 * requested. The user can request any number, potentially far more than
5540 	 * the number of items that actually exist. If a user does that, we'll
5541 	 * break out of this by setting the value of count to 1 which terminates
5542 	 * the loop.  This should be fine from an ioctl perspective, because the
5543 	 * last entry that we insert will be the zero entry which terminates the
5544 	 * chain.
5545 	 */
5546 	dst = itp->igi_data;
5547 	for (count = itp->igi_nitems; count > 0; count--) {
5548 		/*
5549 		 * If we found an entry, add a reference to it and update the token.
5550 		 * Otherwise, zero out data to be returned and NULL out token.
5551 		 */
5552 		switch (itp->igi_type)
5553 		{
5554 		case IPFGENITER_HOSTMAP :
5555 			if (nexthm != NULL) {
5556 				ATOMIC_INC32(nexthm->hm_ref);
5557 				t->ipt_data = nexthm;
5558 			} else {
5559 				bzero(&zerohm, sizeof(zerohm));
5560 				nexthm = &zerohm;
5561 				t->ipt_data = NULL;
5562 			}
5563 			break;
5564 		case IPFGENITER_IPNAT :
5565 			if (nextipnat != NULL) {
5566 				ATOMIC_INC32(nextipnat->in_use);
5567 				t->ipt_data = nextipnat;
5568 			} else {
5569 				bzero(&zeroipn, sizeof(zeroipn));
5570 				nextipnat = &zeroipn;
5571 				t->ipt_data = NULL;
5572 			}
5573 			break;
5574 		case IPFGENITER_NAT :
5575 			if (nextnat != NULL) {
5576 				MUTEX_ENTER(&nextnat->nat_lock);
5577 				nextnat->nat_ref++;
5578 				MUTEX_EXIT(&nextnat->nat_lock);
5579 				t->ipt_data = nextnat;
5580 			} else {
5581 				bzero(&zeronat, sizeof(zeronat));
5582 				nextnat = &zeronat;
5583 				t->ipt_data = NULL;
5584 			}
5585 			break;
5586 		default :
5587 			break;
5588 		}
5589 
5590 		/*
5591 		 * Now that we have ref, it's save to give up lock.
5592 		 */
5593 		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5594 
5595 		/*
5596 		 * Copy out data and clean up references and token as needed.
5597 		 */
5598 		switch (itp->igi_type)
5599 		{
5600 		case IPFGENITER_HOSTMAP :
5601 			error = COPYOUT(nexthm, dst, sizeof(*nexthm));
5602 			if (error != 0)
5603 				error = EFAULT;
5604 			if (t->ipt_data == NULL) {
5605 				ipf_freetoken(t, ifs);
5606 				count = 1;
5607 				break;
5608 			} else {
5609 				if (hm != NULL) {
5610 					WRITE_ENTER(&ifs->ifs_ipf_nat);
5611 					fr_hostmapdel(&hm);
5612 					RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5613 				}
5614 				if (nexthm->hm_next == NULL) {
5615 					ipf_freetoken(t, ifs);
5616 					count = 1;
5617 					break;
5618 				}
5619 				dst += sizeof(*nexthm);
5620 				hm = nexthm;
5621 				nexthm = nexthm->hm_next;
5622 			}
5623 			break;
5624 
5625 		case IPFGENITER_IPNAT :
5626 			error = COPYOUT(nextipnat, dst, sizeof(*nextipnat));
5627 			if (error != 0)
5628 				error = EFAULT;
5629 			if (t->ipt_data == NULL) {
5630 				ipf_freetoken(t, ifs);
5631 				count = 1;
5632 				break;
5633 			} else {
5634 				if (ipn != NULL) {
5635 					WRITE_ENTER(&ifs->ifs_ipf_nat);
5636 					fr_ipnatderef(&ipn, ifs);
5637 					RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5638 				}
5639 				if (nextipnat->in_next == NULL) {
5640 					ipf_freetoken(t, ifs);
5641 					count = 1;
5642 					break;
5643 				}
5644 				dst += sizeof(*nextipnat);
5645 				ipn = nextipnat;
5646 				nextipnat = nextipnat->in_next;
5647 			}
5648 			break;
5649 
5650 		case IPFGENITER_NAT :
5651 			error = COPYOUT(nextnat, dst, sizeof(*nextnat));
5652 			if (error != 0)
5653 				error = EFAULT;
5654 			if (t->ipt_data == NULL) {
5655 				ipf_freetoken(t, ifs);
5656 				count = 1;
5657 				break;
5658 			} else {
5659 				if (nat != NULL)
5660 					fr_natderef(&nat, ifs);
5661 				if (nextnat->nat_next == NULL) {
5662 					ipf_freetoken(t, ifs);
5663 					count = 1;
5664 					break;
5665 				}
5666 				dst += sizeof(*nextnat);
5667 				nat = nextnat;
5668 				nextnat = nextnat->nat_next;
5669 			}
5670 			break;
5671 		default :
5672 			break;
5673 		}
5674 
5675 		if ((count == 1) || (error != 0))
5676 			break;
5677 
5678 		READ_ENTER(&ifs->ifs_ipf_nat);
5679 	}
5680 
5681 	return error;
5682 }
5683 
5684 
5685 /* ------------------------------------------------------------------------ */
5686 /* Function:    nat_iterator                                                */
5687 /* Returns:     int - 0 == ok, else error                                   */
5688 /* Parameters:  token(I) - pointer to ipftoken structure                    */
5689 /*              itp(I) - pointer to ipfgeniter_t structure                  */
5690 /*                                                                          */
5691 /* This function acts as a handler for the SIOCGENITER ioctls that use a    */
5692 /* generic structure to iterate through a list.  There are three different  */
5693 /* linked lists of NAT related information to go through: NAT rules, active */
5694 /* NAT mappings and the NAT fragment cache.                                 */
5695 /* ------------------------------------------------------------------------ */
5696 static int nat_iterator(token, itp, ifs)
5697 ipftoken_t *token;
5698 ipfgeniter_t *itp;
5699 ipf_stack_t *ifs;
5700 {
5701 	int error;
5702 
5703 	if (itp->igi_data == NULL)
5704 		return EFAULT;
5705 
5706 	token->ipt_subtype = itp->igi_type;
5707 
5708 	switch (itp->igi_type)
5709 	{
5710 	case IPFGENITER_HOSTMAP :
5711 	case IPFGENITER_IPNAT :
5712 	case IPFGENITER_NAT :
5713 		error = nat_getnext(token, itp, ifs);
5714 		break;
5715 	case IPFGENITER_NATFRAG :
5716 		error = fr_nextfrag(token, itp, &ifs->ifs_ipfr_natlist,
5717 				    &ifs->ifs_ipfr_nattail,
5718 				    &ifs->ifs_ipf_natfrag, ifs);
5719 		break;
5720 	default :
5721 		error = EINVAL;
5722 		break;
5723 	}
5724 
5725 	return error;
5726 }
5727 
5728 
5729 /* ---------------------------------------------------------------------- */
5730 /* Function:    nat_flushtable						  */
5731 /* Returns:     int - 0 == success, -1 == failure			  */
5732 /* Parameters:  flush_option - how to flush the active NAT table	  */
5733 /*              ifs - ipf stack instance				  */
5734 /* Write Locks: ipf_nat							  */
5735 /*									  */
5736 /* Flush NAT tables.  Three actions currently defined:                    */
5737 /*									  */
5738 /* FLUSH_TABLE_ALL	: Flush all NAT table entries			  */
5739 /*									  */
5740 /* FLUSH_TABLE_CLOSING	: Flush entries with TCP connections which	  */
5741 /*			  have started to close on both ends using	  */
5742 /*			  ipf_flushclosing().				  */
5743 /*									  */
5744 /* FLUSH_TABLE_EXTRA	: First, flush entries which are "almost" closed. */
5745 /*			  Then, if needed, flush entries with TCP	  */
5746 /*			  connections which have been idle for a long	  */
5747 /*			  time with ipf_extraflush().			  */
5748 /* ---------------------------------------------------------------------- */
5749 static int nat_flushtable(flush_option, ifs)
5750 int flush_option;
5751 ipf_stack_t *ifs;
5752 {
5753         nat_t *nat, *natn;
5754         int removed;
5755         SPL_INT(s);
5756 
5757         removed = 0;
5758 
5759         SPL_NET(s);
5760         switch (flush_option)
5761         {
5762         case FLUSH_TABLE_ALL:
5763 		natn = ifs->ifs_nat_instances;
5764 		while ((nat = natn) != NULL) {
5765 			natn = nat->nat_next;
5766 			if (nat_delete(nat, NL_FLUSH, ifs) == 0)
5767 				removed++;
5768 		}
5769                 break;
5770 
5771         case FLUSH_TABLE_CLOSING:
5772                 removed = ipf_flushclosing(NAT_FLUSH,
5773 					   IPF_TCPS_CLOSE_WAIT,
5774 					   ifs->ifs_nat_tqb,
5775 					   ifs->ifs_nat_utqe,
5776 					   ifs);
5777                 break;
5778 
5779         case FLUSH_TABLE_EXTRA:
5780                 removed = ipf_flushclosing(NAT_FLUSH,
5781 					   IPF_TCPS_FIN_WAIT_2,
5782 					   ifs->ifs_nat_tqb,
5783 					   ifs->ifs_nat_utqe,
5784 					   ifs);
5785 
5786                 /*
5787                  * Be sure we haven't done this in the last 10 seconds.
5788                  */
5789                 if (ifs->ifs_fr_ticks - ifs->ifs_nat_last_force_flush <
5790                     IPF_TTLVAL(10))
5791                         break;
5792                 ifs->ifs_nat_last_force_flush = ifs->ifs_fr_ticks;
5793                 removed += ipf_extraflush(NAT_FLUSH,
5794 					  &ifs->ifs_nat_tqb[IPF_TCPS_ESTABLISHED],
5795 					  ifs->ifs_nat_utqe,
5796 					  ifs);
5797                 break;
5798 
5799         default: /* Flush Nothing */
5800                 break;
5801         }
5802 
5803         SPL_X(s);
5804         return (removed);
5805 }
5806 
5807 
5808 /* ------------------------------------------------------------------------ */
5809 /* Function:    nat_uncreate                                                */
5810 /* Returns:     Nil                                                         */
5811 /* Parameters:  fin(I) - pointer to packet information                      */
5812 /*                                                                          */
5813 /* This function is used to remove a NAT entry from the NAT table when we   */
5814 /* decide that the create was actually in error. It is thus assumed that    */
5815 /* fin_flx will have both FI_NATED and FI_NATNEW set. Because we're dealing */
5816 /* with the translated packet (not the original), we have to reverse the    */
5817 /* lookup. Although doing the lookup is expensive (relatively speaking), it */
5818 /* is not anticipated that this will be a frequent occurance for normal     */
5819 /* traffic patterns.                                                        */
5820 /* ------------------------------------------------------------------------ */
5821 void nat_uncreate(fin)
5822 fr_info_t *fin;
5823 {
5824 	ipf_stack_t *ifs = fin->fin_ifs;
5825 	int nflags;
5826 	nat_t *nat;
5827 
5828 	switch (fin->fin_p)
5829 	{
5830 	case IPPROTO_TCP :
5831 		nflags = IPN_TCP;
5832 		break;
5833 	case IPPROTO_UDP :
5834 		nflags = IPN_UDP;
5835 		break;
5836 	default :
5837 		nflags = 0;
5838 		break;
5839 	}
5840 
5841 	WRITE_ENTER(&ifs->ifs_ipf_nat);
5842 
5843 	if (fin->fin_out == 0) {
5844 		nat = nat_outlookup(fin, nflags, (u_int)fin->fin_p,
5845 				    fin->fin_dst, fin->fin_src);
5846 	} else {
5847 		nat = nat_inlookup(fin, nflags, (u_int)fin->fin_p,
5848 				   fin->fin_src, fin->fin_dst);
5849 	}
5850 
5851 	if (nat != NULL) {
5852 		ifs->ifs_nat_stats.ns_uncreate[fin->fin_out][0]++;
5853 		(void) nat_delete(nat, NL_DESTROY, ifs);
5854 	} else {
5855 		ifs->ifs_nat_stats.ns_uncreate[fin->fin_out][1]++;
5856 	}
5857 
5858 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
5859 }
5860