xref: /freebsd/sbin/ipfw/nat64clat.c (revision f5e73306336f22b842da143f973f08c5dcd13671)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2019 Yandex LLC
5  * Copyright (c) 2019 Andrey V. Elsukov <ae@FreeBSD.org>
6  * Copyright (c) 2019 Boris N. Lytochkin <lytboris@gmail.com>
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/types.h>
34 #include <sys/socket.h>
35 
36 #include "ipfw2.h"
37 
38 #include <ctype.h>
39 #include <err.h>
40 #include <errno.h>
41 #include <inttypes.h>
42 #include <netdb.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <sysexits.h>
47 
48 #include <net/if.h>
49 #include <netinet/in.h>
50 #include <netinet/ip_fw.h>
51 #include <netinet6/ip_fw_nat64.h>
52 #include <arpa/inet.h>
53 
54 typedef int (nat64clat_cb_t)(ipfw_nat64clat_cfg *i, const char *name,
55     uint8_t set);
56 static int nat64clat_foreach(nat64clat_cb_t *f, const char *name, uint8_t set,
57     int sort);
58 
59 static void nat64clat_create(const char *name, uint8_t set, int ac, char **av);
60 static void nat64clat_config(const char *name, uint8_t set, int ac, char **av);
61 static void nat64clat_destroy(const char *name, uint8_t set);
62 static void nat64clat_stats(const char *name, uint8_t set);
63 static void nat64clat_reset_stats(const char *name, uint8_t set);
64 static int nat64clat_show_cb(ipfw_nat64clat_cfg *cfg, const char *name,
65     uint8_t set);
66 static int nat64clat_destroy_cb(ipfw_nat64clat_cfg *cfg, const char *name,
67     uint8_t set);
68 
69 static struct _s_x nat64cmds[] = {
70       { "create",	TOK_CREATE },
71       { "config",	TOK_CONFIG },
72       { "destroy",	TOK_DESTROY },
73       { "list",		TOK_LIST },
74       { "show",		TOK_LIST },
75       { "stats",	TOK_STATS },
76       { NULL, 0 }
77 };
78 
79 static struct _s_x nat64statscmds[] = {
80       { "reset",	TOK_RESET },
81       { NULL, 0 }
82 };
83 
84 /*
85  * This one handles all nat64clat-related commands
86  *	ipfw [set N] nat64clat NAME {create | config} ...
87  *	ipfw [set N] nat64clat NAME stats [reset]
88  *	ipfw [set N] nat64clat {NAME | all} destroy
89  *	ipfw [set N] nat64clat {NAME | all} {list | show}
90  */
91 #define	nat64clat_check_name	table_check_name
92 void
93 ipfw_nat64clat_handler(int ac, char *av[])
94 {
95 	const char *name;
96 	int tcmd;
97 	uint8_t set;
98 
99 	if (g_co.use_set != 0)
100 		set = g_co.use_set - 1;
101 	else
102 		set = 0;
103 	ac--; av++;
104 
105 	NEED1("nat64clat needs instance name");
106 	name = *av;
107 	if (nat64clat_check_name(name) != 0) {
108 		if (strcmp(name, "all") == 0)
109 			name = NULL;
110 		else
111 			errx(EX_USAGE, "nat64clat instance name %s is invalid",
112 			    name);
113 	}
114 	ac--; av++;
115 	NEED1("nat64clat needs command");
116 
117 	tcmd = get_token(nat64cmds, *av, "nat64clat command");
118 	if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST)
119 		errx(EX_USAGE, "nat64clat instance name required");
120 	switch (tcmd) {
121 	case TOK_CREATE:
122 		ac--; av++;
123 		nat64clat_create(name, set, ac, av);
124 		break;
125 	case TOK_CONFIG:
126 		ac--; av++;
127 		nat64clat_config(name, set, ac, av);
128 		break;
129 	case TOK_LIST:
130 		nat64clat_foreach(nat64clat_show_cb, name, set, 1);
131 		break;
132 	case TOK_DESTROY:
133 		if (name == NULL)
134 			nat64clat_foreach(nat64clat_destroy_cb, NULL, set, 0);
135 		else
136 			nat64clat_destroy(name, set);
137 		break;
138 	case TOK_STATS:
139 		ac--; av++;
140 		if (ac == 0) {
141 			nat64clat_stats(name, set);
142 			break;
143 		}
144 		tcmd = get_token(nat64statscmds, *av, "stats command");
145 		if (tcmd == TOK_RESET)
146 			nat64clat_reset_stats(name, set);
147 	}
148 }
149 
150 
151 static void
152 nat64clat_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set)
153 {
154 
155 	ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */
156 	ntlv->head.length = sizeof(ipfw_obj_ntlv);
157 	ntlv->idx = 1;
158 	ntlv->set = set;
159 	strlcpy(ntlv->name, name, sizeof(ntlv->name));
160 }
161 
162 static struct _s_x nat64newcmds[] = {
163       { "plat_prefix",	TOK_PLAT_PREFIX },
164       { "clat_prefix",	TOK_CLAT_PREFIX },
165       { "log",		TOK_LOG },
166       { "-log",		TOK_LOGOFF },
167       { "allow_private", TOK_PRIVATE },
168       { "-allow_private", TOK_PRIVATEOFF },
169       { NULL, 0 }
170 };
171 
172 /*
173  * Creates new nat64clat instance
174  * ipfw nat64clat <NAME> create clat_prefix <prefix> plat_prefix <prefix>
175  * Request: [ ipfw_obj_lheader ipfw_nat64clat_cfg ]
176  */
177 #define	NAT64CLAT_HAS_CLAT_PREFIX	0x01
178 #define	NAT64CLAT_HAS_PLAT_PREFIX	0x02
179 static void
180 nat64clat_create(const char *name, uint8_t set, int ac, char *av[])
181 {
182 	char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64clat_cfg)];
183 	ipfw_nat64clat_cfg *cfg;
184 	ipfw_obj_lheader *olh;
185 	int tcmd, flags;
186 	char *p;
187 	struct in6_addr prefix;
188 	uint8_t plen;
189 
190 	memset(buf, 0, sizeof(buf));
191 	olh = (ipfw_obj_lheader *)buf;
192 	cfg = (ipfw_nat64clat_cfg *)(olh + 1);
193 
194 	/* Some reasonable defaults */
195 	inet_pton(AF_INET6, "64:ff9b::", &cfg->plat_prefix);
196 	cfg->plat_plen = 96;
197 	cfg->set = set;
198 	flags = NAT64CLAT_HAS_PLAT_PREFIX;
199 	while (ac > 0) {
200 		tcmd = get_token(nat64newcmds, *av, "option");
201 		ac--; av++;
202 
203 		switch (tcmd) {
204 		case TOK_PLAT_PREFIX:
205 		case TOK_CLAT_PREFIX:
206 			if (tcmd == TOK_PLAT_PREFIX) {
207 				NEED1("IPv6 plat_prefix required");
208 			} else {
209 				NEED1("IPv6 clat_prefix required");
210 			}
211 
212 			if ((p = strchr(*av, '/')) != NULL)
213 				*p++ = '\0';
214 			if (inet_pton(AF_INET6, *av, &prefix) != 1)
215 				errx(EX_USAGE,
216 				    "Bad prefix: %s", *av);
217 			plen = strtol(p, NULL, 10);
218 			if (ipfw_check_nat64prefix(&prefix, plen) != 0)
219 				errx(EX_USAGE,
220 				    "Bad prefix length: %s", p);
221 			if (tcmd == TOK_PLAT_PREFIX) {
222 				flags |= NAT64CLAT_HAS_PLAT_PREFIX;
223 				cfg->plat_prefix = prefix;
224 				cfg->plat_plen = plen;
225 			} else {
226 				flags |= NAT64CLAT_HAS_CLAT_PREFIX;
227 				cfg->clat_prefix = prefix;
228 				cfg->clat_plen = plen;
229 			}
230 			ac--; av++;
231 			break;
232 		case TOK_LOG:
233 			cfg->flags |= NAT64_LOG;
234 			break;
235 		case TOK_LOGOFF:
236 			cfg->flags &= ~NAT64_LOG;
237 			break;
238 		case TOK_PRIVATE:
239 			cfg->flags |= NAT64_ALLOW_PRIVATE;
240 			break;
241 		case TOK_PRIVATEOFF:
242 			cfg->flags &= ~NAT64_ALLOW_PRIVATE;
243 			break;
244 		}
245 	}
246 
247 	/* Check validness */
248 	if ((flags & NAT64CLAT_HAS_PLAT_PREFIX) != NAT64CLAT_HAS_PLAT_PREFIX)
249 		errx(EX_USAGE, "plat_prefix required");
250 	if ((flags & NAT64CLAT_HAS_CLAT_PREFIX) != NAT64CLAT_HAS_CLAT_PREFIX)
251 		errx(EX_USAGE, "clat_prefix required");
252 
253 	olh->count = 1;
254 	olh->objsize = sizeof(*cfg);
255 	olh->size = sizeof(buf);
256 	strlcpy(cfg->name, name, sizeof(cfg->name));
257 	if (do_set3(IP_FW_NAT64CLAT_CREATE, &olh->opheader, sizeof(buf)) != 0)
258 		err(EX_OSERR, "nat64clat instance creation failed");
259 }
260 
261 /*
262  * Configures existing nat64clat instance
263  * ipfw nat64clat <NAME> config <options>
264  * Request: [ ipfw_obj_header ipfw_nat64clat_cfg ]
265  */
266 static void
267 nat64clat_config(const char *name, uint8_t set, int ac, char **av)
268 {
269 	char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64clat_cfg)];
270 	ipfw_nat64clat_cfg *cfg;
271 	ipfw_obj_header *oh;
272 	char *opt;
273 	char *p;
274 	size_t sz;
275 	int tcmd;
276 	struct in6_addr prefix;
277 	uint8_t plen;
278 
279 	if (ac == 0)
280 		errx(EX_USAGE, "config options required");
281 	memset(&buf, 0, sizeof(buf));
282 	oh = (ipfw_obj_header *)buf;
283 	cfg = (ipfw_nat64clat_cfg *)(oh + 1);
284 	sz = sizeof(buf);
285 
286 	nat64clat_fill_ntlv(&oh->ntlv, name, set);
287 	if (do_get3(IP_FW_NAT64CLAT_CONFIG, &oh->opheader, &sz) != 0)
288 		err(EX_OSERR, "failed to get config for instance %s", name);
289 
290 	while (ac > 0) {
291 		tcmd = get_token(nat64newcmds, *av, "option");
292 		opt = *av;
293 		ac--; av++;
294 
295 		switch (tcmd) {
296 		case TOK_PLAT_PREFIX:
297 		case TOK_CLAT_PREFIX:
298 			if (tcmd == TOK_PLAT_PREFIX) {
299 				NEED1("IPv6 plat_prefix required");
300 			} else {
301 				NEED1("IPv6 clat_prefix required");
302 			}
303 
304 			if ((p = strchr(*av, '/')) != NULL)
305 				*p++ = '\0';
306 			else
307 				errx(EX_USAGE,
308 				    "Prefix length required: %s", *av);
309 			if (inet_pton(AF_INET6, *av, &prefix) != 1)
310 				errx(EX_USAGE,
311 				    "Bad prefix: %s", *av);
312 			plen = strtol(p, NULL, 10);
313 			if (ipfw_check_nat64prefix(&prefix, plen) != 0)
314 				errx(EX_USAGE,
315 				    "Bad prefix length: %s", p);
316 			if (tcmd == TOK_PLAT_PREFIX) {
317 				cfg->plat_prefix = prefix;
318 				cfg->plat_plen = plen;
319 			} else {
320 				cfg->clat_prefix = prefix;
321 				cfg->clat_plen = plen;
322 			}
323 			ac--; av++;
324 			break;
325 		case TOK_LOG:
326 			cfg->flags |= NAT64_LOG;
327 			break;
328 		case TOK_LOGOFF:
329 			cfg->flags &= ~NAT64_LOG;
330 			break;
331 		case TOK_PRIVATE:
332 			cfg->flags |= NAT64_ALLOW_PRIVATE;
333 			break;
334 		case TOK_PRIVATEOFF:
335 			cfg->flags &= ~NAT64_ALLOW_PRIVATE;
336 			break;
337 		default:
338 			errx(EX_USAGE, "Can't change %s option", opt);
339 		}
340 	}
341 
342 	if (do_set3(IP_FW_NAT64CLAT_CONFIG, &oh->opheader, sizeof(buf)) != 0)
343 		err(EX_OSERR, "nat64clat instance configuration failed");
344 }
345 
346 /*
347  * Destroys nat64clat instance.
348  * Request: [ ipfw_obj_header ]
349  */
350 static void
351 nat64clat_destroy(const char *name, uint8_t set)
352 {
353 	ipfw_obj_header oh;
354 
355 	memset(&oh, 0, sizeof(oh));
356 	nat64clat_fill_ntlv(&oh.ntlv, name, set);
357 	if (do_set3(IP_FW_NAT64CLAT_DESTROY, &oh.opheader, sizeof(oh)) != 0)
358 		err(EX_OSERR, "failed to destroy nat instance %s", name);
359 }
360 
361 /*
362  * Get nat64clat instance statistics.
363  * Request: [ ipfw_obj_header ]
364  * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ] ]
365  */
366 static int
367 nat64clat_get_stats(const char *name, uint8_t set,
368     struct ipfw_nat64clat_stats *stats)
369 {
370 	ipfw_obj_header *oh;
371 	ipfw_obj_ctlv *oc;
372 	size_t sz;
373 
374 	sz = sizeof(*oh) + sizeof(*oc) + sizeof(*stats);
375 	oh = calloc(1, sz);
376 	nat64clat_fill_ntlv(&oh->ntlv, name, set);
377 	if (do_get3(IP_FW_NAT64CLAT_STATS, &oh->opheader, &sz) == 0) {
378 		oc = (ipfw_obj_ctlv *)(oh + 1);
379 		memcpy(stats, oc + 1, sizeof(*stats));
380 		free(oh);
381 		return (0);
382 	}
383 	free(oh);
384 	return (-1);
385 }
386 
387 static void
388 nat64clat_stats(const char *name, uint8_t set)
389 {
390 	struct ipfw_nat64clat_stats stats;
391 
392 	if (nat64clat_get_stats(name, set, &stats) != 0)
393 		err(EX_OSERR, "Error retrieving stats");
394 
395 	if (g_co.use_set != 0 || set != 0)
396 		printf("set %u ", set);
397 	printf("nat64clat %s\n", name);
398 
399 	printf("\t%ju packets translated from IPv6 to IPv4\n",
400 	    (uintmax_t)stats.opcnt64);
401 	printf("\t%ju packets translated from IPv4 to IPv6\n",
402 	    (uintmax_t)stats.opcnt46);
403 	printf("\t%ju IPv6 fragments created\n",
404 	    (uintmax_t)stats.ofrags);
405 	printf("\t%ju IPv4 fragments received\n",
406 	    (uintmax_t)stats.ifrags);
407 	printf("\t%ju output packets dropped due to no bufs, etc.\n",
408 	    (uintmax_t)stats.oerrors);
409 	printf("\t%ju output packets discarded due to no IPv4 route\n",
410 	    (uintmax_t)stats.noroute4);
411 	printf("\t%ju output packets discarded due to no IPv6 route\n",
412 	    (uintmax_t)stats.noroute6);
413 	printf("\t%ju packets discarded due to unsupported protocol\n",
414 	    (uintmax_t)stats.noproto);
415 	printf("\t%ju packets discarded due to memory allocation problems\n",
416 	    (uintmax_t)stats.nomem);
417 	printf("\t%ju packets discarded due to some errors\n",
418 	    (uintmax_t)stats.dropped);
419 }
420 
421 /*
422  * Reset nat64clat instance statistics specified by @oh->ntlv.
423  * Request: [ ipfw_obj_header ]
424  */
425 static void
426 nat64clat_reset_stats(const char *name, uint8_t set)
427 {
428 	ipfw_obj_header oh;
429 
430 	memset(&oh, 0, sizeof(oh));
431 	nat64clat_fill_ntlv(&oh.ntlv, name, set);
432 	if (do_set3(IP_FW_NAT64CLAT_RESET_STATS, &oh.opheader, sizeof(oh)) != 0)
433 		err(EX_OSERR, "failed to reset stats for instance %s", name);
434 }
435 
436 static int
437 nat64clat_show_cb(ipfw_nat64clat_cfg *cfg, const char *name, uint8_t set)
438 {
439 	char plat_buf[INET6_ADDRSTRLEN], clat_buf[INET6_ADDRSTRLEN];
440 
441 	if (name != NULL && strcmp(cfg->name, name) != 0)
442 		return (ESRCH);
443 
444 	if (g_co.use_set != 0 && cfg->set != set)
445 		return (ESRCH);
446 
447 	if (g_co.use_set != 0 || cfg->set != 0)
448 		printf("set %u ", cfg->set);
449 
450 	inet_ntop(AF_INET6, &cfg->clat_prefix, clat_buf, sizeof(clat_buf));
451 	inet_ntop(AF_INET6, &cfg->plat_prefix, plat_buf, sizeof(plat_buf));
452 	printf("nat64clat %s clat_prefix %s/%u plat_prefix %s/%u",
453 	    cfg->name, clat_buf, cfg->clat_plen, plat_buf, cfg->plat_plen);
454 	if (cfg->flags & NAT64_LOG)
455 		printf(" log");
456 	if (cfg->flags & NAT64_ALLOW_PRIVATE)
457 		printf(" allow_private");
458 	printf("\n");
459 	return (0);
460 }
461 
462 static int
463 nat64clat_destroy_cb(ipfw_nat64clat_cfg *cfg, const char *name __unused,
464     uint8_t set)
465 {
466 
467 	if (g_co.use_set != 0 && cfg->set != set)
468 		return (ESRCH);
469 
470 	nat64clat_destroy(cfg->name, cfg->set);
471 	return (0);
472 }
473 
474 
475 /*
476  * Compare nat64clat instances names.
477  * Honor number comparison.
478  */
479 static int
480 nat64name_cmp(const void *a, const void *b)
481 {
482 	const ipfw_nat64clat_cfg *ca, *cb;
483 
484 	ca = (const ipfw_nat64clat_cfg *)a;
485 	cb = (const ipfw_nat64clat_cfg *)b;
486 
487 	if (ca->set > cb->set)
488 		return (1);
489 	else if (ca->set < cb->set)
490 		return (-1);
491 	return (stringnum_cmp(ca->name, cb->name));
492 }
493 
494 /*
495  * Retrieves nat64clat instance list from kernel,
496  * optionally sorts it and calls requested function for each instance.
497  *
498  * Request: [ ipfw_obj_lheader ]
499  * Reply: [ ipfw_obj_lheader ipfw_nat64clat_cfg x N ]
500  */
501 static int
502 nat64clat_foreach(nat64clat_cb_t *f, const char *name, uint8_t set, int sort)
503 {
504 	ipfw_obj_lheader *olh;
505 	ipfw_nat64clat_cfg *cfg;
506 	size_t sz;
507 	uint32_t i;
508 
509 	/* Start with reasonable default */
510 	sz = sizeof(*olh) + 16 * sizeof(*cfg);
511 	for (;;) {
512 		if ((olh = calloc(1, sz)) == NULL)
513 			return (ENOMEM);
514 
515 		olh->size = sz;
516 		if (do_get3(IP_FW_NAT64CLAT_LIST, &olh->opheader, &sz) != 0) {
517 			sz = olh->size;
518 			free(olh);
519 			if (errno != ENOMEM)
520 				return (errno);
521 			continue;
522 		}
523 
524 		if (sort != 0)
525 			qsort(olh + 1, olh->count, olh->objsize,
526 			    nat64name_cmp);
527 
528 		cfg = (ipfw_nat64clat_cfg *)(olh + 1);
529 		for (i = 0; i < olh->count; i++) {
530 			(void)f(cfg, name, set); /* Ignore errors for now */
531 			cfg = (ipfw_nat64clat_cfg *)((caddr_t)cfg +
532 			    olh->objsize);
533 		}
534 		free(olh);
535 		break;
536 	}
537 	return (0);
538 }
539 
540