1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2015-2019 Yandex LLC 5 * Copyright (c) 2015-2016 Alexander V. Chernikov <melifaro@FreeBSD.org> 6 * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/types.h> 31 #include <sys/socket.h> 32 33 #include "ipfw2.h" 34 35 #include <ctype.h> 36 #include <err.h> 37 #include <errno.h> 38 #include <inttypes.h> 39 #include <netdb.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <sysexits.h> 44 45 #include <net/if.h> 46 #include <netinet/in.h> 47 #include <netinet/ip_fw.h> 48 #include <netinet6/ip_fw_nat64.h> 49 #include <arpa/inet.h> 50 51 static void nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, 52 uint8_t set); 53 typedef int (nat64lsn_cb_t)(ipfw_nat64lsn_cfg *cfg, const char *name, 54 uint8_t set); 55 static int nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, 56 int sort); 57 58 static void nat64lsn_create(const char *name, uint8_t set, int ac, char **av); 59 static void nat64lsn_config(const char *name, uint8_t set, int ac, char **av); 60 static void nat64lsn_destroy(const char *name, uint8_t set); 61 static void nat64lsn_stats(const char *name, uint8_t set); 62 static void nat64lsn_reset_stats(const char *name, uint8_t set); 63 static int nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 64 uint8_t set); 65 static int nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 66 uint8_t set); 67 static int nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 68 uint8_t set); 69 70 static struct _s_x nat64cmds[] = { 71 { "create", TOK_CREATE }, 72 { "config", TOK_CONFIG }, 73 { "destroy", TOK_DESTROY }, 74 { "list", TOK_LIST }, 75 { "show", TOK_LIST }, 76 { "stats", TOK_STATS }, 77 { NULL, 0 } 78 }; 79 80 static uint64_t 81 nat64lsn_print_states(void *buf) 82 { 83 char s[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN], f[INET_ADDRSTRLEN]; 84 const char *proto; 85 char sflags[4], *sf; 86 ipfw_obj_header *oh; 87 ipfw_obj_data *od; 88 ipfw_nat64lsn_stg_v1 *stg; 89 ipfw_nat64lsn_state_v1 *ste; 90 uint64_t next_idx; 91 uint32_t i; 92 int sz; 93 94 oh = (ipfw_obj_header *)buf; 95 od = (ipfw_obj_data *)(oh + 1); 96 stg = (ipfw_nat64lsn_stg_v1 *)(od + 1); 97 sz = od->head.length - sizeof(*od); 98 next_idx = 0; 99 proto = NULL; 100 while (sz > 0 && next_idx != 0xFF) { 101 next_idx = stg->next.index; 102 sz -= sizeof(*stg); 103 if (stg->count == 0) { 104 stg++; 105 continue; 106 } 107 /* 108 * NOTE: addresses are in network byte order, 109 * ports are in host byte order. 110 */ 111 inet_ntop(AF_INET, &stg->alias4, a, sizeof(a)); 112 ste = (ipfw_nat64lsn_state_v1 *)(stg + 1); 113 for (i = 0; i < stg->count && sz > 0; i++) { 114 sf = sflags; 115 inet_ntop(AF_INET6, &ste->host6, s, sizeof(s)); 116 inet_ntop(AF_INET, &ste->daddr, f, sizeof(f)); 117 switch (ste->proto) { 118 case IPPROTO_TCP: 119 proto = "TCP"; 120 if (ste->flags & 0x02) 121 *sf++ = 'S'; 122 if (ste->flags & 0x04) 123 *sf++ = 'E'; 124 if (ste->flags & 0x01) 125 *sf++ = 'F'; 126 break; 127 case IPPROTO_UDP: 128 proto = "UDP"; 129 break; 130 case IPPROTO_ICMP: 131 proto = "ICMPv6"; 132 break; 133 } 134 *sf = '\0'; 135 switch (ste->proto) { 136 case IPPROTO_TCP: 137 case IPPROTO_UDP: 138 printf("%s:%d\t%s:%d\t%s\t%s\t%d\t%s:%d\n", 139 s, ste->sport, a, ste->aport, proto, 140 sflags, ste->idle, f, ste->dport); 141 break; 142 case IPPROTO_ICMP: 143 printf("%s\t%s\t%s\t\t%d\t%s\n", 144 s, a, proto, ste->idle, f); 145 break; 146 default: 147 printf("%s\t%s\t%d\t\t%d\t%s\n", 148 s, a, ste->proto, ste->idle, f); 149 } 150 ste++; 151 sz -= sizeof(*ste); 152 } 153 stg = (ipfw_nat64lsn_stg_v1 *)ste; 154 } 155 return (next_idx); 156 } 157 158 static int 159 nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 160 { 161 ipfw_obj_header *oh; 162 ipfw_obj_data *od; 163 void *buf; 164 uint64_t next_idx; 165 size_t sz; 166 167 if (name != NULL && strcmp(cfg->name, name) != 0) 168 return (ESRCH); 169 170 if (set != 0 && cfg->set != set) 171 return (ESRCH); 172 173 next_idx = 0; 174 sz = 4096; 175 if ((buf = calloc(1, sz)) == NULL) 176 err(EX_OSERR, NULL); 177 do { 178 oh = (ipfw_obj_header *)buf; 179 oh->opheader.version = 1; /* Force using ov new API */ 180 od = (ipfw_obj_data *)(oh + 1); 181 nat64lsn_fill_ntlv(&oh->ntlv, cfg->name, set); 182 od->head.type = IPFW_TLV_OBJDATA; 183 od->head.length = sizeof(*od) + sizeof(next_idx); 184 *((uint64_t *)(od + 1)) = next_idx; 185 if (do_get3(IP_FW_NAT64LSN_LIST_STATES, &oh->opheader, &sz)) 186 err(EX_OSERR, "Error reading nat64lsn states"); 187 next_idx = nat64lsn_print_states(buf); 188 sz = 4096; 189 memset(buf, 0, sz); 190 } while (next_idx != 0xFF); 191 192 free(buf); 193 return (0); 194 } 195 196 static struct _s_x nat64statscmds[] = { 197 { "reset", TOK_RESET }, 198 { NULL, 0 } 199 }; 200 201 static void 202 ipfw_nat64lsn_stats_handler(const char *name, uint8_t set, int ac, char *av[]) 203 { 204 int tcmd; 205 206 if (ac == 0) { 207 nat64lsn_stats(name, set); 208 return; 209 } 210 NEED1("nat64lsn stats needs command"); 211 tcmd = get_token(nat64statscmds, *av, "nat64lsn stats command"); 212 switch (tcmd) { 213 case TOK_RESET: 214 nat64lsn_reset_stats(name, set); 215 } 216 } 217 218 static struct _s_x nat64listcmds[] = { 219 { "states", TOK_STATES }, 220 { "config", TOK_CONFIG }, 221 { NULL, 0 } 222 }; 223 224 static void 225 ipfw_nat64lsn_list_handler(const char *name, uint8_t set, int ac, char *av[]) 226 { 227 int tcmd; 228 229 if (ac == 0) { 230 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 231 return; 232 } 233 NEED1("nat64lsn list needs command"); 234 tcmd = get_token(nat64listcmds, *av, "nat64lsn list command"); 235 switch (tcmd) { 236 case TOK_STATES: 237 nat64lsn_foreach(nat64lsn_states_cb, name, set, 1); 238 break; 239 case TOK_CONFIG: 240 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 241 } 242 } 243 244 /* 245 * This one handles all nat64lsn-related commands 246 * ipfw [set N] nat64lsn NAME {create | config} ... 247 * ipfw [set N] nat64lsn NAME stats 248 * ipfw [set N] nat64lsn {NAME | all} destroy 249 * ipfw [set N] nat64lsn {NAME | all} {list | show} [config | states] 250 */ 251 #define nat64lsn_check_name table_check_name 252 void 253 ipfw_nat64lsn_handler(int ac, char *av[]) 254 { 255 const char *name; 256 int tcmd; 257 uint8_t set; 258 259 if (g_co.use_set != 0) 260 set = g_co.use_set - 1; 261 else 262 set = 0; 263 ac--; av++; 264 265 NEED1("nat64lsn needs instance name"); 266 name = *av; 267 if (nat64lsn_check_name(name) != 0) { 268 if (strcmp(name, "all") == 0) 269 name = NULL; 270 else 271 errx(EX_USAGE, "nat64lsn instance name %s is invalid", 272 name); 273 } 274 ac--; av++; 275 NEED1("nat64lsn needs command"); 276 277 tcmd = get_token(nat64cmds, *av, "nat64lsn command"); 278 if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST) 279 errx(EX_USAGE, "nat64lsn instance name required"); 280 switch (tcmd) { 281 case TOK_CREATE: 282 ac--; av++; 283 nat64lsn_create(name, set, ac, av); 284 break; 285 case TOK_CONFIG: 286 ac--; av++; 287 nat64lsn_config(name, set, ac, av); 288 break; 289 case TOK_LIST: 290 ac--; av++; 291 ipfw_nat64lsn_list_handler(name, set, ac, av); 292 break; 293 case TOK_DESTROY: 294 if (name == NULL) 295 nat64lsn_foreach(nat64lsn_destroy_cb, NULL, set, 0); 296 else 297 nat64lsn_destroy(name, set); 298 break; 299 case TOK_STATS: 300 ac--; av++; 301 ipfw_nat64lsn_stats_handler(name, set, ac, av); 302 } 303 } 304 305 static void 306 nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set) 307 { 308 309 ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */ 310 ntlv->head.length = sizeof(ipfw_obj_ntlv); 311 ntlv->idx = 1; 312 ntlv->set = set; 313 strlcpy(ntlv->name, name, sizeof(ntlv->name)); 314 } 315 316 static void 317 nat64lsn_apply_mask(int af, void *prefix, uint16_t plen) 318 { 319 struct in6_addr mask6, *p6; 320 struct in_addr mask4, *p4; 321 322 if (af == AF_INET) { 323 p4 = (struct in_addr *)prefix; 324 mask4.s_addr = htonl(~((1 << (32 - plen)) - 1)); 325 p4->s_addr &= mask4.s_addr; 326 } else if (af == AF_INET6) { 327 p6 = (struct in6_addr *)prefix; 328 n2mask(&mask6, plen); 329 APPLY_MASK(p6, &mask6); 330 } 331 } 332 333 static void 334 nat64lsn_parse_prefix(const char *arg, int af, void *prefix, uint16_t *plen) 335 { 336 char *p, *l; 337 338 p = strdup(arg); 339 if (p == NULL) 340 err(EX_OSERR, NULL); 341 if ((l = strchr(p, '/')) != NULL) 342 *l++ = '\0'; 343 if (l == NULL) 344 errx(EX_USAGE, "Prefix length required"); 345 if (inet_pton(af, p, prefix) != 1) 346 errx(EX_USAGE, "Bad prefix: %s", p); 347 *plen = (uint16_t)strtol(l, &l, 10); 348 if (*l != '\0' || *plen == 0 || (af == AF_INET && *plen > 32) || 349 (af == AF_INET6 && *plen > 96)) 350 errx(EX_USAGE, "Bad prefix length: %s", arg); 351 nat64lsn_apply_mask(af, prefix, *plen); 352 free(p); 353 } 354 355 static uint32_t 356 nat64lsn_parse_int(const char *arg, const char *desc) 357 { 358 char *p; 359 uint32_t val; 360 361 val = (uint32_t)strtol(arg, &p, 10); 362 if (*p != '\0') 363 errx(EX_USAGE, "Invalid %s value: %s\n", desc, arg); 364 return (val); 365 } 366 367 static struct _s_x nat64newcmds[] = { 368 { "prefix6", TOK_PREFIX6 }, 369 { "jmaxlen", TOK_JMAXLEN }, 370 { "prefix4", TOK_PREFIX4 }, 371 { "host_del_age", TOK_HOST_DEL_AGE }, 372 { "pg_del_age", TOK_PG_DEL_AGE }, 373 { "tcp_syn_age", TOK_TCP_SYN_AGE }, 374 { "tcp_close_age",TOK_TCP_CLOSE_AGE }, 375 { "tcp_est_age", TOK_TCP_EST_AGE }, 376 { "udp_age", TOK_UDP_AGE }, 377 { "icmp_age", TOK_ICMP_AGE }, 378 { "states_chunks",TOK_STATES_CHUNKS }, 379 { "log", TOK_LOG }, 380 { "-log", TOK_LOGOFF }, 381 { "allow_private", TOK_PRIVATE }, 382 { "-allow_private", TOK_PRIVATEOFF }, 383 { "swap_conf", TOK_SWAPCONF }, 384 { "-swap_conf", TOK_SWAPCONFOFF }, 385 /* for compatibility with old configurations */ 386 { "max_ports", TOK_MAX_PORTS }, /* unused */ 387 { NULL, 0 } 388 }; 389 390 /* 391 * Creates new nat64lsn instance 392 * ipfw nat64lsn <NAME> create 393 * [ max_ports <N> ] 394 * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ] 395 */ 396 #define NAT64LSN_HAS_PREFIX4 0x01 397 #define NAT64LSN_HAS_PREFIX6 0x02 398 static void 399 nat64lsn_create(const char *name, uint8_t set, int ac, char **av) 400 { 401 char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64lsn_cfg)]; 402 ipfw_nat64lsn_cfg *cfg; 403 ipfw_obj_lheader *olh; 404 int tcmd, flags; 405 char *opt; 406 407 memset(&buf, 0, sizeof(buf)); 408 olh = (ipfw_obj_lheader *)buf; 409 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 410 411 /* Some reasonable defaults */ 412 inet_pton(AF_INET6, "64:ff9b::", &cfg->prefix6); 413 cfg->plen6 = 96; 414 cfg->set = set; 415 cfg->max_ports = NAT64LSN_MAX_PORTS; 416 cfg->jmaxlen = NAT64LSN_JMAXLEN; 417 cfg->nh_delete_delay = NAT64LSN_HOST_AGE; 418 cfg->pg_delete_delay = NAT64LSN_PG_AGE; 419 cfg->st_syn_ttl = NAT64LSN_TCP_SYN_AGE; 420 cfg->st_estab_ttl = NAT64LSN_TCP_EST_AGE; 421 cfg->st_close_ttl = NAT64LSN_TCP_FIN_AGE; 422 cfg->st_udp_ttl = NAT64LSN_UDP_AGE; 423 cfg->st_icmp_ttl = NAT64LSN_ICMP_AGE; 424 flags = NAT64LSN_HAS_PREFIX6; 425 while (ac > 0) { 426 tcmd = get_token(nat64newcmds, *av, "option"); 427 opt = *av; 428 ac--; av++; 429 430 switch (tcmd) { 431 case TOK_PREFIX4: 432 NEED1("IPv4 prefix required"); 433 nat64lsn_parse_prefix(*av, AF_INET, &cfg->prefix4, 434 &cfg->plen4); 435 flags |= NAT64LSN_HAS_PREFIX4; 436 ac--; av++; 437 break; 438 case TOK_PREFIX6: 439 NEED1("IPv6 prefix required"); 440 nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6, 441 &cfg->plen6); 442 if (ipfw_check_nat64prefix(&cfg->prefix6, 443 cfg->plen6) != 0 && 444 !IN6_IS_ADDR_UNSPECIFIED(&cfg->prefix6)) 445 errx(EX_USAGE, "Bad prefix6 %s", *av); 446 447 ac--; av++; 448 break; 449 case TOK_JMAXLEN: 450 NEED1("job queue length required"); 451 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 452 ac--; av++; 453 break; 454 case TOK_MAX_PORTS: 455 NEED1("Max per-user ports required"); 456 cfg->max_ports = nat64lsn_parse_int(*av, opt); 457 ac--; av++; 458 break; 459 case TOK_HOST_DEL_AGE: 460 NEED1("host delete delay required"); 461 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 462 *av, opt); 463 ac--; av++; 464 break; 465 case TOK_PG_DEL_AGE: 466 NEED1("portgroup delete delay required"); 467 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 468 *av, opt); 469 ac--; av++; 470 break; 471 case TOK_TCP_SYN_AGE: 472 NEED1("tcp syn age required"); 473 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 474 *av, opt); 475 ac--; av++; 476 break; 477 case TOK_TCP_CLOSE_AGE: 478 NEED1("tcp close age required"); 479 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 480 *av, opt); 481 ac--; av++; 482 break; 483 case TOK_TCP_EST_AGE: 484 NEED1("tcp est age required"); 485 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 486 *av, opt); 487 ac--; av++; 488 break; 489 case TOK_UDP_AGE: 490 NEED1("udp age required"); 491 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 492 *av, opt); 493 ac--; av++; 494 break; 495 case TOK_ICMP_AGE: 496 NEED1("icmp age required"); 497 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 498 *av, opt); 499 ac--; av++; 500 break; 501 case TOK_STATES_CHUNKS: 502 NEED1("number of chunks required"); 503 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 504 *av, opt); 505 ac--; av++; 506 break; 507 case TOK_LOG: 508 cfg->flags |= NAT64_LOG; 509 break; 510 case TOK_LOGOFF: 511 cfg->flags &= ~NAT64_LOG; 512 break; 513 case TOK_PRIVATE: 514 cfg->flags |= NAT64_ALLOW_PRIVATE; 515 break; 516 case TOK_PRIVATEOFF: 517 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 518 break; 519 case TOK_SWAPCONF: 520 cfg->flags |= NAT64LSN_ALLOW_SWAPCONF; 521 break; 522 case TOK_SWAPCONFOFF: 523 cfg->flags &= ~NAT64LSN_ALLOW_SWAPCONF; 524 break; 525 } 526 } 527 528 /* Check validness */ 529 if ((flags & NAT64LSN_HAS_PREFIX4) != NAT64LSN_HAS_PREFIX4) 530 errx(EX_USAGE, "prefix4 required"); 531 532 olh->count = 1; 533 olh->objsize = sizeof(*cfg); 534 olh->size = sizeof(buf); 535 strlcpy(cfg->name, name, sizeof(cfg->name)); 536 if (do_set3(IP_FW_NAT64LSN_CREATE, &olh->opheader, sizeof(buf)) != 0) 537 err(EX_OSERR, "nat64lsn instance creation failed"); 538 } 539 540 /* 541 * Configures existing nat64lsn instance 542 * ipfw nat64lsn <NAME> config <options> 543 * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ] 544 */ 545 static void 546 nat64lsn_config(const char *name, uint8_t set, int ac, char **av) 547 { 548 char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64lsn_cfg)]; 549 ipfw_nat64lsn_cfg *cfg; 550 ipfw_obj_header *oh; 551 size_t sz; 552 char *opt; 553 int tcmd; 554 555 if (ac == 0) 556 errx(EX_USAGE, "config options required"); 557 memset(&buf, 0, sizeof(buf)); 558 oh = (ipfw_obj_header *)buf; 559 cfg = (ipfw_nat64lsn_cfg *)(oh + 1); 560 sz = sizeof(buf); 561 562 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 563 if (do_get3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, &sz) != 0) 564 err(EX_OSERR, "failed to get config for instance %s", name); 565 566 while (ac > 0) { 567 tcmd = get_token(nat64newcmds, *av, "option"); 568 opt = *av; 569 ac--; av++; 570 571 switch (tcmd) { 572 case TOK_MAX_PORTS: 573 NEED1("Max per-user ports required"); 574 cfg->max_ports = nat64lsn_parse_int(*av, opt); 575 ac--; av++; 576 break; 577 case TOK_JMAXLEN: 578 NEED1("job queue length required"); 579 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 580 ac--; av++; 581 break; 582 case TOK_HOST_DEL_AGE: 583 NEED1("host delete delay required"); 584 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 585 *av, opt); 586 ac--; av++; 587 break; 588 case TOK_PG_DEL_AGE: 589 NEED1("portgroup delete delay required"); 590 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 591 *av, opt); 592 ac--; av++; 593 break; 594 case TOK_TCP_SYN_AGE: 595 NEED1("tcp syn age required"); 596 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 597 *av, opt); 598 ac--; av++; 599 break; 600 case TOK_TCP_CLOSE_AGE: 601 NEED1("tcp close age required"); 602 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 603 *av, opt); 604 ac--; av++; 605 break; 606 case TOK_TCP_EST_AGE: 607 NEED1("tcp est age required"); 608 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 609 *av, opt); 610 ac--; av++; 611 break; 612 case TOK_UDP_AGE: 613 NEED1("udp age required"); 614 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 615 *av, opt); 616 ac--; av++; 617 break; 618 case TOK_ICMP_AGE: 619 NEED1("icmp age required"); 620 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 621 *av, opt); 622 ac--; av++; 623 break; 624 case TOK_STATES_CHUNKS: 625 NEED1("number of chunks required"); 626 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 627 *av, opt); 628 ac--; av++; 629 break; 630 case TOK_LOG: 631 cfg->flags |= NAT64_LOG; 632 break; 633 case TOK_LOGOFF: 634 cfg->flags &= ~NAT64_LOG; 635 break; 636 case TOK_PRIVATE: 637 cfg->flags |= NAT64_ALLOW_PRIVATE; 638 break; 639 case TOK_PRIVATEOFF: 640 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 641 break; 642 case TOK_SWAPCONF: 643 cfg->flags |= NAT64LSN_ALLOW_SWAPCONF; 644 break; 645 case TOK_SWAPCONFOFF: 646 cfg->flags &= ~NAT64LSN_ALLOW_SWAPCONF; 647 break; 648 default: 649 errx(EX_USAGE, "Can't change %s option", opt); 650 } 651 } 652 653 if (do_set3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, sizeof(buf)) != 0) 654 err(EX_OSERR, "nat64lsn instance configuration failed"); 655 } 656 657 /* 658 * Reset nat64lsn instance statistics specified by @oh->ntlv. 659 * Request: [ ipfw_obj_header ] 660 */ 661 static void 662 nat64lsn_reset_stats(const char *name, uint8_t set) 663 { 664 ipfw_obj_header oh; 665 666 memset(&oh, 0, sizeof(oh)); 667 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 668 if (do_set3(IP_FW_NAT64LSN_RESET_STATS, &oh.opheader, sizeof(oh)) != 0) 669 err(EX_OSERR, "failed to reset stats for instance %s", name); 670 } 671 672 /* 673 * Destroys nat64lsn instance specified by @oh->ntlv. 674 * Request: [ ipfw_obj_header ] 675 */ 676 static void 677 nat64lsn_destroy(const char *name, uint8_t set) 678 { 679 ipfw_obj_header oh; 680 681 memset(&oh, 0, sizeof(oh)); 682 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 683 if (do_set3(IP_FW_NAT64LSN_DESTROY, &oh.opheader, sizeof(oh)) != 0) 684 err(EX_OSERR, "failed to destroy nat instance %s", name); 685 } 686 687 /* 688 * Get nat64lsn instance statistics. 689 * Request: [ ipfw_obj_header ] 690 * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ] ] 691 */ 692 static int 693 nat64lsn_get_stats(const char *name, uint8_t set, 694 struct ipfw_nat64lsn_stats *stats) 695 { 696 ipfw_obj_header *oh; 697 ipfw_obj_ctlv *oc; 698 size_t sz; 699 700 sz = sizeof(*oh) + sizeof(*oc) + sizeof(*stats); 701 oh = calloc(1, sz); 702 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 703 if (do_get3(IP_FW_NAT64LSN_STATS, &oh->opheader, &sz) == 0) { 704 oc = (ipfw_obj_ctlv *)(oh + 1); 705 memcpy(stats, oc + 1, sizeof(*stats)); 706 free(oh); 707 return (0); 708 } 709 free(oh); 710 return (-1); 711 } 712 713 static void 714 nat64lsn_stats(const char *name, uint8_t set) 715 { 716 struct ipfw_nat64lsn_stats stats; 717 718 if (nat64lsn_get_stats(name, set, &stats) != 0) 719 err(EX_OSERR, "Error retrieving stats"); 720 721 if (g_co.use_set != 0 || set != 0) 722 printf("set %u ", set); 723 printf("nat64lsn %s\n", name); 724 printf("\t%ju packets translated from IPv6 to IPv4\n", 725 (uintmax_t)stats.opcnt64); 726 printf("\t%ju packets translated from IPv4 to IPv6\n", 727 (uintmax_t)stats.opcnt46); 728 printf("\t%ju IPv6 fragments created\n", 729 (uintmax_t)stats.ofrags); 730 printf("\t%ju IPv4 fragments received\n", 731 (uintmax_t)stats.ifrags); 732 printf("\t%ju output packets dropped due to no bufs, etc.\n", 733 (uintmax_t)stats.oerrors); 734 printf("\t%ju output packets discarded due to no IPv4 route\n", 735 (uintmax_t)stats.noroute4); 736 printf("\t%ju output packets discarded due to no IPv6 route\n", 737 (uintmax_t)stats.noroute6); 738 printf("\t%ju packets discarded due to unsupported protocol\n", 739 (uintmax_t)stats.noproto); 740 printf("\t%ju packets discarded due to memory allocation problems\n", 741 (uintmax_t)stats.nomem); 742 printf("\t%ju packets discarded due to some errors\n", 743 (uintmax_t)stats.dropped); 744 printf("\t%ju packets not matched with IPv4 prefix\n", 745 (uintmax_t)stats.nomatch4); 746 747 printf("\t%ju mbufs queued for post processing\n", 748 (uintmax_t)stats.jreinjected); 749 printf("\t%ju times the job queue was processed\n", 750 (uintmax_t)stats.jcalls); 751 printf("\t%ju job requests queued\n", 752 (uintmax_t)stats.jrequests); 753 printf("\t%ju job requests queue limit reached\n", 754 (uintmax_t)stats.jmaxlen); 755 printf("\t%ju job requests failed due to memory allocation problems\n", 756 (uintmax_t)stats.jnomem); 757 758 printf("\t%ju hosts allocated\n", (uintmax_t)stats.hostcount); 759 printf("\t%ju hosts requested\n", (uintmax_t)stats.jhostsreq); 760 printf("\t%ju host requests failed\n", (uintmax_t)stats.jhostfails); 761 762 printf("\t%ju portgroups requested\n", (uintmax_t)stats.jportreq); 763 printf("\t%ju portgroups allocated\n", (uintmax_t)stats.spgcreated); 764 printf("\t%ju portgroups deleted\n", (uintmax_t)stats.spgdeleted); 765 printf("\t%ju portgroup requests failed\n", 766 (uintmax_t)stats.jportfails); 767 printf("\t%ju portgroups allocated for TCP\n", 768 (uintmax_t)stats.tcpchunks); 769 printf("\t%ju portgroups allocated for UDP\n", 770 (uintmax_t)stats.udpchunks); 771 printf("\t%ju portgroups allocated for ICMP\n", 772 (uintmax_t)stats.icmpchunks); 773 774 printf("\t%ju states created\n", (uintmax_t)stats.screated); 775 printf("\t%ju states deleted\n", (uintmax_t)stats.sdeleted); 776 } 777 778 static int 779 nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 780 { 781 char abuf[INET6_ADDRSTRLEN]; 782 783 if (name != NULL && strcmp(cfg->name, name) != 0) 784 return (ESRCH); 785 786 if (g_co.use_set != 0 && cfg->set != set) 787 return (ESRCH); 788 789 if (g_co.use_set != 0 || cfg->set != 0) 790 printf("set %u ", cfg->set); 791 inet_ntop(AF_INET, &cfg->prefix4, abuf, sizeof(abuf)); 792 printf("nat64lsn %s prefix4 %s/%u", cfg->name, abuf, cfg->plen4); 793 inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf)); 794 printf(" prefix6 %s/%u", abuf, cfg->plen6); 795 if (g_co.verbose || cfg->states_chunks > 1) 796 printf(" states_chunks %u", cfg->states_chunks); 797 if (g_co.verbose || cfg->nh_delete_delay != NAT64LSN_HOST_AGE) 798 printf(" host_del_age %u", cfg->nh_delete_delay); 799 if (g_co.verbose || cfg->pg_delete_delay != NAT64LSN_PG_AGE) 800 printf(" pg_del_age %u", cfg->pg_delete_delay); 801 if (g_co.verbose || cfg->st_syn_ttl != NAT64LSN_TCP_SYN_AGE) 802 printf(" tcp_syn_age %u", cfg->st_syn_ttl); 803 if (g_co.verbose || cfg->st_close_ttl != NAT64LSN_TCP_FIN_AGE) 804 printf(" tcp_close_age %u", cfg->st_close_ttl); 805 if (g_co.verbose || cfg->st_estab_ttl != NAT64LSN_TCP_EST_AGE) 806 printf(" tcp_est_age %u", cfg->st_estab_ttl); 807 if (g_co.verbose || cfg->st_udp_ttl != NAT64LSN_UDP_AGE) 808 printf(" udp_age %u", cfg->st_udp_ttl); 809 if (g_co.verbose || cfg->st_icmp_ttl != NAT64LSN_ICMP_AGE) 810 printf(" icmp_age %u", cfg->st_icmp_ttl); 811 if (g_co.verbose || cfg->jmaxlen != NAT64LSN_JMAXLEN) 812 printf(" jmaxlen %u", cfg->jmaxlen); 813 if (cfg->flags & NAT64LSN_ALLOW_SWAPCONF) 814 printf(" swap_conf"); 815 if (cfg->flags & NAT64_LOG) 816 printf(" log"); 817 if (cfg->flags & NAT64_ALLOW_PRIVATE) 818 printf(" allow_private"); 819 printf("\n"); 820 return (0); 821 } 822 823 static int 824 nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name __unused, 825 uint8_t set) 826 { 827 828 if (g_co.use_set != 0 && cfg->set != set) 829 return (ESRCH); 830 831 nat64lsn_destroy(cfg->name, cfg->set); 832 return (0); 833 } 834 835 836 /* 837 * Compare nat64lsn instances names. 838 * Honor number comparison. 839 */ 840 static int 841 nat64name_cmp(const void *a, const void *b) 842 { 843 const ipfw_nat64lsn_cfg *ca, *cb; 844 845 ca = (const ipfw_nat64lsn_cfg *)a; 846 cb = (const ipfw_nat64lsn_cfg *)b; 847 848 if (ca->set > cb->set) 849 return (1); 850 else if (ca->set < cb->set) 851 return (-1); 852 return (stringnum_cmp(ca->name, cb->name)); 853 } 854 855 /* 856 * Retrieves nat64lsn instance list from kernel, 857 * optionally sorts it and calls requested function for each instance. 858 * 859 * Request: [ ipfw_obj_lheader ] 860 * Reply: [ ipfw_obj_lheader ipfw_nat64lsn_cfg x N ] 861 */ 862 static int 863 nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, int sort) 864 { 865 ipfw_obj_lheader *olh; 866 ipfw_nat64lsn_cfg *cfg; 867 size_t sz; 868 uint32_t i; 869 870 /* Start with reasonable default */ 871 sz = sizeof(*olh) + 16 * sizeof(ipfw_nat64lsn_cfg); 872 873 for (;;) { 874 if ((olh = calloc(1, sz)) == NULL) 875 return (ENOMEM); 876 877 olh->size = sz; 878 if (do_get3(IP_FW_NAT64LSN_LIST, &olh->opheader, &sz) != 0) { 879 sz = olh->size; 880 free(olh); 881 if (errno != ENOMEM) 882 return (errno); 883 continue; 884 } 885 886 if (sort != 0) 887 qsort(olh + 1, olh->count, olh->objsize, 888 nat64name_cmp); 889 890 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 891 for (i = 0; i < olh->count; i++) { 892 (void)f(cfg, name, set); /* Ignore errors for now */ 893 cfg = (ipfw_nat64lsn_cfg *)((caddr_t)cfg + 894 olh->objsize); 895 } 896 free(olh); 897 break; 898 } 899 return (0); 900 } 901 902