1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2015-2019 Yandex LLC 5 * Copyright (c) 2015-2016 Alexander V. Chernikov <melifaro@FreeBSD.org> 6 * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/types.h> 34 #include <sys/socket.h> 35 36 #include "ipfw2.h" 37 38 #include <ctype.h> 39 #include <err.h> 40 #include <errno.h> 41 #include <inttypes.h> 42 #include <netdb.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <sysexits.h> 47 48 #include <net/if.h> 49 #include <netinet/in.h> 50 #include <netinet/ip_fw.h> 51 #include <netinet6/ip_fw_nat64.h> 52 #include <arpa/inet.h> 53 54 static void nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, 55 uint8_t set); 56 typedef int (nat64lsn_cb_t)(ipfw_nat64lsn_cfg *cfg, const char *name, 57 uint8_t set); 58 static int nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, 59 int sort); 60 61 static void nat64lsn_create(const char *name, uint8_t set, int ac, char **av); 62 static void nat64lsn_config(const char *name, uint8_t set, int ac, char **av); 63 static void nat64lsn_destroy(const char *name, uint8_t set); 64 static void nat64lsn_stats(const char *name, uint8_t set); 65 static void nat64lsn_reset_stats(const char *name, uint8_t set); 66 static int nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 67 uint8_t set); 68 static int nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 69 uint8_t set); 70 static int nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 71 uint8_t set); 72 73 static struct _s_x nat64cmds[] = { 74 { "create", TOK_CREATE }, 75 { "config", TOK_CONFIG }, 76 { "destroy", TOK_DESTROY }, 77 { "list", TOK_LIST }, 78 { "show", TOK_LIST }, 79 { "stats", TOK_STATS }, 80 { NULL, 0 } 81 }; 82 83 static uint64_t 84 nat64lsn_print_states(void *buf) 85 { 86 char s[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN], f[INET_ADDRSTRLEN]; 87 char sflags[4], *sf, *proto; 88 ipfw_obj_header *oh; 89 ipfw_obj_data *od; 90 ipfw_nat64lsn_stg_v1 *stg; 91 ipfw_nat64lsn_state_v1 *ste; 92 uint64_t next_idx; 93 int i, sz; 94 95 oh = (ipfw_obj_header *)buf; 96 od = (ipfw_obj_data *)(oh + 1); 97 stg = (ipfw_nat64lsn_stg_v1 *)(od + 1); 98 sz = od->head.length - sizeof(*od); 99 next_idx = 0; 100 while (sz > 0 && next_idx != 0xFF) { 101 next_idx = stg->next.index; 102 sz -= sizeof(*stg); 103 if (stg->count == 0) { 104 stg++; 105 continue; 106 } 107 /* 108 * NOTE: addresses are in network byte order, 109 * ports are in host byte order. 110 */ 111 inet_ntop(AF_INET, &stg->alias4, a, sizeof(a)); 112 ste = (ipfw_nat64lsn_state_v1 *)(stg + 1); 113 for (i = 0; i < stg->count && sz > 0; i++) { 114 sf = sflags; 115 inet_ntop(AF_INET6, &ste->host6, s, sizeof(s)); 116 inet_ntop(AF_INET, &ste->daddr, f, sizeof(f)); 117 switch (ste->proto) { 118 case IPPROTO_TCP: 119 proto = "TCP"; 120 if (ste->flags & 0x02) 121 *sf++ = 'S'; 122 if (ste->flags & 0x04) 123 *sf++ = 'E'; 124 if (ste->flags & 0x01) 125 *sf++ = 'F'; 126 break; 127 case IPPROTO_UDP: 128 proto = "UDP"; 129 break; 130 case IPPROTO_ICMP: 131 proto = "ICMPv6"; 132 break; 133 } 134 *sf = '\0'; 135 switch (ste->proto) { 136 case IPPROTO_TCP: 137 case IPPROTO_UDP: 138 printf("%s:%d\t%s:%d\t%s\t%s\t%d\t%s:%d\n", 139 s, ste->sport, a, ste->aport, proto, 140 sflags, ste->idle, f, ste->dport); 141 break; 142 case IPPROTO_ICMP: 143 printf("%s\t%s\t%s\t\t%d\t%s\n", 144 s, a, proto, ste->idle, f); 145 break; 146 default: 147 printf("%s\t%s\t%d\t\t%d\t%s\n", 148 s, a, ste->proto, ste->idle, f); 149 } 150 ste++; 151 sz -= sizeof(*ste); 152 } 153 stg = (ipfw_nat64lsn_stg_v1 *)ste; 154 } 155 return (next_idx); 156 } 157 158 static int 159 nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 160 { 161 ipfw_obj_header *oh; 162 ipfw_obj_data *od; 163 void *buf; 164 uint64_t next_idx; 165 size_t sz; 166 167 if (name != NULL && strcmp(cfg->name, name) != 0) 168 return (ESRCH); 169 170 if (set != 0 && cfg->set != set) 171 return (ESRCH); 172 173 next_idx = 0; 174 sz = 4096; 175 if ((buf = calloc(1, sz)) == NULL) 176 err(EX_OSERR, NULL); 177 do { 178 oh = (ipfw_obj_header *)buf; 179 oh->opheader.version = 1; /* Force using ov new API */ 180 od = (ipfw_obj_data *)(oh + 1); 181 nat64lsn_fill_ntlv(&oh->ntlv, cfg->name, set); 182 od->head.type = IPFW_TLV_OBJDATA; 183 od->head.length = sizeof(*od) + sizeof(next_idx); 184 *((uint64_t *)(od + 1)) = next_idx; 185 if (do_get3(IP_FW_NAT64LSN_LIST_STATES, &oh->opheader, &sz)) 186 err(EX_OSERR, "Error reading nat64lsn states"); 187 next_idx = nat64lsn_print_states(buf); 188 sz = 4096; 189 memset(buf, 0, sz); 190 } while (next_idx != 0xFF); 191 192 free(buf); 193 return (0); 194 } 195 196 static struct _s_x nat64statscmds[] = { 197 { "reset", TOK_RESET }, 198 { NULL, 0 } 199 }; 200 201 static void 202 ipfw_nat64lsn_stats_handler(const char *name, uint8_t set, int ac, char *av[]) 203 { 204 int tcmd; 205 206 if (ac == 0) { 207 nat64lsn_stats(name, set); 208 return; 209 } 210 NEED1("nat64lsn stats needs command"); 211 tcmd = get_token(nat64statscmds, *av, "nat64lsn stats command"); 212 switch (tcmd) { 213 case TOK_RESET: 214 nat64lsn_reset_stats(name, set); 215 } 216 } 217 218 static struct _s_x nat64listcmds[] = { 219 { "states", TOK_STATES }, 220 { "config", TOK_CONFIG }, 221 { NULL, 0 } 222 }; 223 224 static void 225 ipfw_nat64lsn_list_handler(const char *name, uint8_t set, int ac, char *av[]) 226 { 227 int tcmd; 228 229 if (ac == 0) { 230 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 231 return; 232 } 233 NEED1("nat64lsn list needs command"); 234 tcmd = get_token(nat64listcmds, *av, "nat64lsn list command"); 235 switch (tcmd) { 236 case TOK_STATES: 237 nat64lsn_foreach(nat64lsn_states_cb, name, set, 1); 238 break; 239 case TOK_CONFIG: 240 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 241 } 242 } 243 244 /* 245 * This one handles all nat64lsn-related commands 246 * ipfw [set N] nat64lsn NAME {create | config} ... 247 * ipfw [set N] nat64lsn NAME stats 248 * ipfw [set N] nat64lsn {NAME | all} destroy 249 * ipfw [set N] nat64lsn {NAME | all} {list | show} [config | states] 250 */ 251 #define nat64lsn_check_name table_check_name 252 void 253 ipfw_nat64lsn_handler(int ac, char *av[]) 254 { 255 const char *name; 256 int tcmd; 257 uint8_t set; 258 259 if (co.use_set != 0) 260 set = co.use_set - 1; 261 else 262 set = 0; 263 ac--; av++; 264 265 NEED1("nat64lsn needs instance name"); 266 name = *av; 267 if (nat64lsn_check_name(name) != 0) { 268 if (strcmp(name, "all") == 0) 269 name = NULL; 270 else 271 errx(EX_USAGE, "nat64lsn instance name %s is invalid", 272 name); 273 } 274 ac--; av++; 275 NEED1("nat64lsn needs command"); 276 277 tcmd = get_token(nat64cmds, *av, "nat64lsn command"); 278 if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST) 279 errx(EX_USAGE, "nat64lsn instance name required"); 280 switch (tcmd) { 281 case TOK_CREATE: 282 ac--; av++; 283 nat64lsn_create(name, set, ac, av); 284 break; 285 case TOK_CONFIG: 286 ac--; av++; 287 nat64lsn_config(name, set, ac, av); 288 break; 289 case TOK_LIST: 290 ac--; av++; 291 ipfw_nat64lsn_list_handler(name, set, ac, av); 292 break; 293 case TOK_DESTROY: 294 if (name == NULL) 295 nat64lsn_foreach(nat64lsn_destroy_cb, NULL, set, 0); 296 else 297 nat64lsn_destroy(name, set); 298 break; 299 case TOK_STATS: 300 ac--; av++; 301 ipfw_nat64lsn_stats_handler(name, set, ac, av); 302 } 303 } 304 305 static void 306 nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set) 307 { 308 309 ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */ 310 ntlv->head.length = sizeof(ipfw_obj_ntlv); 311 ntlv->idx = 1; 312 ntlv->set = set; 313 strlcpy(ntlv->name, name, sizeof(ntlv->name)); 314 } 315 316 static void 317 nat64lsn_apply_mask(int af, void *prefix, uint16_t plen) 318 { 319 struct in6_addr mask6, *p6; 320 struct in_addr mask4, *p4; 321 322 if (af == AF_INET) { 323 p4 = (struct in_addr *)prefix; 324 mask4.s_addr = htonl(~((1 << (32 - plen)) - 1)); 325 p4->s_addr &= mask4.s_addr; 326 } else if (af == AF_INET6) { 327 p6 = (struct in6_addr *)prefix; 328 n2mask(&mask6, plen); 329 APPLY_MASK(p6, &mask6); 330 } 331 } 332 333 static void 334 nat64lsn_parse_prefix(const char *arg, int af, void *prefix, uint16_t *plen) 335 { 336 char *p, *l; 337 338 p = strdup(arg); 339 if (p == NULL) 340 err(EX_OSERR, NULL); 341 if ((l = strchr(p, '/')) != NULL) 342 *l++ = '\0'; 343 if (l == NULL) 344 errx(EX_USAGE, "Prefix length required"); 345 if (inet_pton(af, p, prefix) != 1) 346 errx(EX_USAGE, "Bad prefix: %s", p); 347 *plen = (uint16_t)strtol(l, &l, 10); 348 if (*l != '\0' || *plen == 0 || (af == AF_INET && *plen > 32) || 349 (af == AF_INET6 && *plen > 96)) 350 errx(EX_USAGE, "Bad prefix length: %s", arg); 351 nat64lsn_apply_mask(af, prefix, *plen); 352 free(p); 353 } 354 355 static uint32_t 356 nat64lsn_parse_int(const char *arg, const char *desc) 357 { 358 char *p; 359 uint32_t val; 360 361 val = (uint32_t)strtol(arg, &p, 10); 362 if (*p != '\0') 363 errx(EX_USAGE, "Invalid %s value: %s\n", desc, arg); 364 return (val); 365 } 366 367 static struct _s_x nat64newcmds[] = { 368 { "prefix6", TOK_PREFIX6 }, 369 { "jmaxlen", TOK_JMAXLEN }, 370 { "prefix4", TOK_PREFIX4 }, 371 { "host_del_age", TOK_HOST_DEL_AGE }, 372 { "pg_del_age", TOK_PG_DEL_AGE }, 373 { "tcp_syn_age", TOK_TCP_SYN_AGE }, 374 { "tcp_close_age",TOK_TCP_CLOSE_AGE }, 375 { "tcp_est_age", TOK_TCP_EST_AGE }, 376 { "udp_age", TOK_UDP_AGE }, 377 { "icmp_age", TOK_ICMP_AGE }, 378 { "states_chunks",TOK_STATES_CHUNKS }, 379 { "log", TOK_LOG }, 380 { "-log", TOK_LOGOFF }, 381 { "allow_private", TOK_PRIVATE }, 382 { "-allow_private", TOK_PRIVATEOFF }, 383 /* for compatibility with old configurations */ 384 { "max_ports", TOK_MAX_PORTS }, /* unused */ 385 { NULL, 0 } 386 }; 387 388 /* 389 * Creates new nat64lsn instance 390 * ipfw nat64lsn <NAME> create 391 * [ max_ports <N> ] 392 * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ] 393 */ 394 #define NAT64LSN_HAS_PREFIX4 0x01 395 #define NAT64LSN_HAS_PREFIX6 0x02 396 static void 397 nat64lsn_create(const char *name, uint8_t set, int ac, char **av) 398 { 399 char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64lsn_cfg)]; 400 ipfw_nat64lsn_cfg *cfg; 401 ipfw_obj_lheader *olh; 402 int tcmd, flags; 403 char *opt; 404 405 memset(&buf, 0, sizeof(buf)); 406 olh = (ipfw_obj_lheader *)buf; 407 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 408 409 /* Some reasonable defaults */ 410 inet_pton(AF_INET6, "64:ff9b::", &cfg->prefix6); 411 cfg->plen6 = 96; 412 cfg->set = set; 413 cfg->max_ports = NAT64LSN_MAX_PORTS; 414 cfg->jmaxlen = NAT64LSN_JMAXLEN; 415 cfg->nh_delete_delay = NAT64LSN_HOST_AGE; 416 cfg->pg_delete_delay = NAT64LSN_PG_AGE; 417 cfg->st_syn_ttl = NAT64LSN_TCP_SYN_AGE; 418 cfg->st_estab_ttl = NAT64LSN_TCP_EST_AGE; 419 cfg->st_close_ttl = NAT64LSN_TCP_FIN_AGE; 420 cfg->st_udp_ttl = NAT64LSN_UDP_AGE; 421 cfg->st_icmp_ttl = NAT64LSN_ICMP_AGE; 422 flags = NAT64LSN_HAS_PREFIX6; 423 while (ac > 0) { 424 tcmd = get_token(nat64newcmds, *av, "option"); 425 opt = *av; 426 ac--; av++; 427 428 switch (tcmd) { 429 case TOK_PREFIX4: 430 NEED1("IPv4 prefix required"); 431 nat64lsn_parse_prefix(*av, AF_INET, &cfg->prefix4, 432 &cfg->plen4); 433 flags |= NAT64LSN_HAS_PREFIX4; 434 ac--; av++; 435 break; 436 case TOK_PREFIX6: 437 NEED1("IPv6 prefix required"); 438 nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6, 439 &cfg->plen6); 440 if (ipfw_check_nat64prefix(&cfg->prefix6, 441 cfg->plen6) != 0 && 442 !IN6_IS_ADDR_UNSPECIFIED(&cfg->prefix6)) 443 errx(EX_USAGE, "Bad prefix6 %s", *av); 444 445 ac--; av++; 446 break; 447 case TOK_JMAXLEN: 448 NEED1("job queue length required"); 449 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 450 ac--; av++; 451 break; 452 case TOK_MAX_PORTS: 453 NEED1("Max per-user ports required"); 454 cfg->max_ports = nat64lsn_parse_int(*av, opt); 455 ac--; av++; 456 break; 457 case TOK_HOST_DEL_AGE: 458 NEED1("host delete delay required"); 459 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 460 *av, opt); 461 ac--; av++; 462 break; 463 case TOK_PG_DEL_AGE: 464 NEED1("portgroup delete delay required"); 465 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 466 *av, opt); 467 ac--; av++; 468 break; 469 case TOK_TCP_SYN_AGE: 470 NEED1("tcp syn age required"); 471 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 472 *av, opt); 473 ac--; av++; 474 break; 475 case TOK_TCP_CLOSE_AGE: 476 NEED1("tcp close age required"); 477 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 478 *av, opt); 479 ac--; av++; 480 break; 481 case TOK_TCP_EST_AGE: 482 NEED1("tcp est age required"); 483 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 484 *av, opt); 485 ac--; av++; 486 break; 487 case TOK_UDP_AGE: 488 NEED1("udp age required"); 489 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 490 *av, opt); 491 ac--; av++; 492 break; 493 case TOK_ICMP_AGE: 494 NEED1("icmp age required"); 495 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 496 *av, opt); 497 ac--; av++; 498 break; 499 case TOK_STATES_CHUNKS: 500 NEED1("number of chunks required"); 501 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 502 *av, opt); 503 ac--; av++; 504 break; 505 case TOK_LOG: 506 cfg->flags |= NAT64_LOG; 507 break; 508 case TOK_LOGOFF: 509 cfg->flags &= ~NAT64_LOG; 510 break; 511 case TOK_PRIVATE: 512 cfg->flags |= NAT64_ALLOW_PRIVATE; 513 break; 514 case TOK_PRIVATEOFF: 515 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 516 break; 517 } 518 } 519 520 /* Check validness */ 521 if ((flags & NAT64LSN_HAS_PREFIX4) != NAT64LSN_HAS_PREFIX4) 522 errx(EX_USAGE, "prefix4 required"); 523 524 olh->count = 1; 525 olh->objsize = sizeof(*cfg); 526 olh->size = sizeof(buf); 527 strlcpy(cfg->name, name, sizeof(cfg->name)); 528 if (do_set3(IP_FW_NAT64LSN_CREATE, &olh->opheader, sizeof(buf)) != 0) 529 err(EX_OSERR, "nat64lsn instance creation failed"); 530 } 531 532 /* 533 * Configures existing nat64lsn instance 534 * ipfw nat64lsn <NAME> config <options> 535 * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ] 536 */ 537 static void 538 nat64lsn_config(const char *name, uint8_t set, int ac, char **av) 539 { 540 char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64lsn_cfg)]; 541 ipfw_nat64lsn_cfg *cfg; 542 ipfw_obj_header *oh; 543 size_t sz; 544 char *opt; 545 int tcmd; 546 547 if (ac == 0) 548 errx(EX_USAGE, "config options required"); 549 memset(&buf, 0, sizeof(buf)); 550 oh = (ipfw_obj_header *)buf; 551 cfg = (ipfw_nat64lsn_cfg *)(oh + 1); 552 sz = sizeof(buf); 553 554 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 555 if (do_get3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, &sz) != 0) 556 err(EX_OSERR, "failed to get config for instance %s", name); 557 558 while (ac > 0) { 559 tcmd = get_token(nat64newcmds, *av, "option"); 560 opt = *av; 561 ac--; av++; 562 563 switch (tcmd) { 564 case TOK_MAX_PORTS: 565 NEED1("Max per-user ports required"); 566 cfg->max_ports = nat64lsn_parse_int(*av, opt); 567 ac--; av++; 568 break; 569 case TOK_JMAXLEN: 570 NEED1("job queue length required"); 571 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 572 ac--; av++; 573 break; 574 case TOK_HOST_DEL_AGE: 575 NEED1("host delete delay required"); 576 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 577 *av, opt); 578 ac--; av++; 579 break; 580 case TOK_PG_DEL_AGE: 581 NEED1("portgroup delete delay required"); 582 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 583 *av, opt); 584 ac--; av++; 585 break; 586 case TOK_TCP_SYN_AGE: 587 NEED1("tcp syn age required"); 588 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 589 *av, opt); 590 ac--; av++; 591 break; 592 case TOK_TCP_CLOSE_AGE: 593 NEED1("tcp close age required"); 594 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 595 *av, opt); 596 ac--; av++; 597 break; 598 case TOK_TCP_EST_AGE: 599 NEED1("tcp est age required"); 600 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 601 *av, opt); 602 ac--; av++; 603 break; 604 case TOK_UDP_AGE: 605 NEED1("udp age required"); 606 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 607 *av, opt); 608 ac--; av++; 609 break; 610 case TOK_ICMP_AGE: 611 NEED1("icmp age required"); 612 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 613 *av, opt); 614 ac--; av++; 615 break; 616 case TOK_STATES_CHUNKS: 617 NEED1("number of chunks required"); 618 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 619 *av, opt); 620 ac--; av++; 621 break; 622 case TOK_LOG: 623 cfg->flags |= NAT64_LOG; 624 break; 625 case TOK_LOGOFF: 626 cfg->flags &= ~NAT64_LOG; 627 break; 628 case TOK_PRIVATE: 629 cfg->flags |= NAT64_ALLOW_PRIVATE; 630 break; 631 case TOK_PRIVATEOFF: 632 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 633 break; 634 default: 635 errx(EX_USAGE, "Can't change %s option", opt); 636 } 637 } 638 639 if (do_set3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, sizeof(buf)) != 0) 640 err(EX_OSERR, "nat64lsn instance configuration failed"); 641 } 642 643 /* 644 * Reset nat64lsn instance statistics specified by @oh->ntlv. 645 * Request: [ ipfw_obj_header ] 646 */ 647 static void 648 nat64lsn_reset_stats(const char *name, uint8_t set) 649 { 650 ipfw_obj_header oh; 651 652 memset(&oh, 0, sizeof(oh)); 653 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 654 if (do_set3(IP_FW_NAT64LSN_RESET_STATS, &oh.opheader, sizeof(oh)) != 0) 655 err(EX_OSERR, "failed to reset stats for instance %s", name); 656 } 657 658 /* 659 * Destroys nat64lsn instance specified by @oh->ntlv. 660 * Request: [ ipfw_obj_header ] 661 */ 662 static void 663 nat64lsn_destroy(const char *name, uint8_t set) 664 { 665 ipfw_obj_header oh; 666 667 memset(&oh, 0, sizeof(oh)); 668 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 669 if (do_set3(IP_FW_NAT64LSN_DESTROY, &oh.opheader, sizeof(oh)) != 0) 670 err(EX_OSERR, "failed to destroy nat instance %s", name); 671 } 672 673 /* 674 * Get nat64lsn instance statistics. 675 * Request: [ ipfw_obj_header ] 676 * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ] ] 677 */ 678 static int 679 nat64lsn_get_stats(const char *name, uint8_t set, 680 struct ipfw_nat64lsn_stats *stats) 681 { 682 ipfw_obj_header *oh; 683 ipfw_obj_ctlv *oc; 684 size_t sz; 685 686 sz = sizeof(*oh) + sizeof(*oc) + sizeof(*stats); 687 oh = calloc(1, sz); 688 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 689 if (do_get3(IP_FW_NAT64LSN_STATS, &oh->opheader, &sz) == 0) { 690 oc = (ipfw_obj_ctlv *)(oh + 1); 691 memcpy(stats, oc + 1, sizeof(*stats)); 692 free(oh); 693 return (0); 694 } 695 free(oh); 696 return (-1); 697 } 698 699 static void 700 nat64lsn_stats(const char *name, uint8_t set) 701 { 702 struct ipfw_nat64lsn_stats stats; 703 704 if (nat64lsn_get_stats(name, set, &stats) != 0) 705 err(EX_OSERR, "Error retrieving stats"); 706 707 if (co.use_set != 0 || set != 0) 708 printf("set %u ", set); 709 printf("nat64lsn %s\n", name); 710 printf("\t%ju packets translated from IPv6 to IPv4\n", 711 (uintmax_t)stats.opcnt64); 712 printf("\t%ju packets translated from IPv4 to IPv6\n", 713 (uintmax_t)stats.opcnt46); 714 printf("\t%ju IPv6 fragments created\n", 715 (uintmax_t)stats.ofrags); 716 printf("\t%ju IPv4 fragments received\n", 717 (uintmax_t)stats.ifrags); 718 printf("\t%ju output packets dropped due to no bufs, etc.\n", 719 (uintmax_t)stats.oerrors); 720 printf("\t%ju output packets discarded due to no IPv4 route\n", 721 (uintmax_t)stats.noroute4); 722 printf("\t%ju output packets discarded due to no IPv6 route\n", 723 (uintmax_t)stats.noroute6); 724 printf("\t%ju packets discarded due to unsupported protocol\n", 725 (uintmax_t)stats.noproto); 726 printf("\t%ju packets discarded due to memory allocation problems\n", 727 (uintmax_t)stats.nomem); 728 printf("\t%ju packets discarded due to some errors\n", 729 (uintmax_t)stats.dropped); 730 printf("\t%ju packets not matched with IPv4 prefix\n", 731 (uintmax_t)stats.nomatch4); 732 733 printf("\t%ju mbufs queued for post processing\n", 734 (uintmax_t)stats.jreinjected); 735 printf("\t%ju times the job queue was processed\n", 736 (uintmax_t)stats.jcalls); 737 printf("\t%ju job requests queued\n", 738 (uintmax_t)stats.jrequests); 739 printf("\t%ju job requests queue limit reached\n", 740 (uintmax_t)stats.jmaxlen); 741 printf("\t%ju job requests failed due to memory allocation problems\n", 742 (uintmax_t)stats.jnomem); 743 744 printf("\t%ju hosts allocated\n", (uintmax_t)stats.hostcount); 745 printf("\t%ju hosts requested\n", (uintmax_t)stats.jhostsreq); 746 printf("\t%ju host requests failed\n", (uintmax_t)stats.jhostfails); 747 748 printf("\t%ju portgroups requested\n", (uintmax_t)stats.jportreq); 749 printf("\t%ju portgroups allocated\n", (uintmax_t)stats.spgcreated); 750 printf("\t%ju portgroups deleted\n", (uintmax_t)stats.spgdeleted); 751 printf("\t%ju portgroup requests failed\n", 752 (uintmax_t)stats.jportfails); 753 printf("\t%ju portgroups allocated for TCP\n", 754 (uintmax_t)stats.tcpchunks); 755 printf("\t%ju portgroups allocated for UDP\n", 756 (uintmax_t)stats.udpchunks); 757 printf("\t%ju portgroups allocated for ICMP\n", 758 (uintmax_t)stats.icmpchunks); 759 760 printf("\t%ju states created\n", (uintmax_t)stats.screated); 761 printf("\t%ju states deleted\n", (uintmax_t)stats.sdeleted); 762 } 763 764 static int 765 nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 766 { 767 char abuf[INET6_ADDRSTRLEN]; 768 769 if (name != NULL && strcmp(cfg->name, name) != 0) 770 return (ESRCH); 771 772 if (co.use_set != 0 && cfg->set != set) 773 return (ESRCH); 774 775 if (co.use_set != 0 || cfg->set != 0) 776 printf("set %u ", cfg->set); 777 inet_ntop(AF_INET, &cfg->prefix4, abuf, sizeof(abuf)); 778 printf("nat64lsn %s prefix4 %s/%u", cfg->name, abuf, cfg->plen4); 779 inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf)); 780 printf(" prefix6 %s/%u", abuf, cfg->plen6); 781 if (co.verbose || cfg->states_chunks > 1) 782 printf(" states_chunks %u", cfg->states_chunks); 783 if (co.verbose || cfg->nh_delete_delay != NAT64LSN_HOST_AGE) 784 printf(" host_del_age %u", cfg->nh_delete_delay); 785 if (co.verbose || cfg->pg_delete_delay != NAT64LSN_PG_AGE) 786 printf(" pg_del_age %u", cfg->pg_delete_delay); 787 if (co.verbose || cfg->st_syn_ttl != NAT64LSN_TCP_SYN_AGE) 788 printf(" tcp_syn_age %u", cfg->st_syn_ttl); 789 if (co.verbose || cfg->st_close_ttl != NAT64LSN_TCP_FIN_AGE) 790 printf(" tcp_close_age %u", cfg->st_close_ttl); 791 if (co.verbose || cfg->st_estab_ttl != NAT64LSN_TCP_EST_AGE) 792 printf(" tcp_est_age %u", cfg->st_estab_ttl); 793 if (co.verbose || cfg->st_udp_ttl != NAT64LSN_UDP_AGE) 794 printf(" udp_age %u", cfg->st_udp_ttl); 795 if (co.verbose || cfg->st_icmp_ttl != NAT64LSN_ICMP_AGE) 796 printf(" icmp_age %u", cfg->st_icmp_ttl); 797 if (co.verbose || cfg->jmaxlen != NAT64LSN_JMAXLEN) 798 printf(" jmaxlen %u", cfg->jmaxlen); 799 if (cfg->flags & NAT64_LOG) 800 printf(" log"); 801 if (cfg->flags & NAT64_ALLOW_PRIVATE) 802 printf(" allow_private"); 803 printf("\n"); 804 return (0); 805 } 806 807 static int 808 nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 809 { 810 811 if (co.use_set != 0 && cfg->set != set) 812 return (ESRCH); 813 814 nat64lsn_destroy(cfg->name, cfg->set); 815 return (0); 816 } 817 818 819 /* 820 * Compare nat64lsn instances names. 821 * Honor number comparison. 822 */ 823 static int 824 nat64name_cmp(const void *a, const void *b) 825 { 826 ipfw_nat64lsn_cfg *ca, *cb; 827 828 ca = (ipfw_nat64lsn_cfg *)a; 829 cb = (ipfw_nat64lsn_cfg *)b; 830 831 if (ca->set > cb->set) 832 return (1); 833 else if (ca->set < cb->set) 834 return (-1); 835 return (stringnum_cmp(ca->name, cb->name)); 836 } 837 838 /* 839 * Retrieves nat64lsn instance list from kernel, 840 * optionally sorts it and calls requested function for each instance. 841 * 842 * Request: [ ipfw_obj_lheader ] 843 * Reply: [ ipfw_obj_lheader ipfw_nat64lsn_cfg x N ] 844 */ 845 static int 846 nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, int sort) 847 { 848 ipfw_obj_lheader *olh; 849 ipfw_nat64lsn_cfg *cfg; 850 size_t sz; 851 int i, error; 852 853 /* Start with reasonable default */ 854 sz = sizeof(*olh) + 16 * sizeof(ipfw_nat64lsn_cfg); 855 856 for (;;) { 857 if ((olh = calloc(1, sz)) == NULL) 858 return (ENOMEM); 859 860 olh->size = sz; 861 if (do_get3(IP_FW_NAT64LSN_LIST, &olh->opheader, &sz) != 0) { 862 sz = olh->size; 863 free(olh); 864 if (errno != ENOMEM) 865 return (errno); 866 continue; 867 } 868 869 if (sort != 0) 870 qsort(olh + 1, olh->count, olh->objsize, 871 nat64name_cmp); 872 873 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 874 for (i = 0; i < olh->count; i++) { 875 error = f(cfg, name, set); /* Ignore errors for now */ 876 cfg = (ipfw_nat64lsn_cfg *)((caddr_t)cfg + 877 olh->objsize); 878 } 879 free(olh); 880 break; 881 } 882 return (0); 883 } 884 885